This is the accessible text file for GAO report number GAO-06-729G
entitled 'Government Auditing Standards: 2006 Revision' which was
released on June 9, 2006.
United States Government Accountability Office:
GAO:
By the Comptroller General of the United States:
June 2006:
Government Auditing Standards:
2006 Revision:
Exposure Draft:
GAO-06-729G:
United States Government Accountability Office:
Washington, DC 20548:
June 2006:
To Audit Officials And Others Interested In Government Auditing
Standards:
GAO invites your comments on the accompanying proposed changes to
Government Auditing Standards (GAGAS), commonly known as the “Yellow
Book.” These changes propose revisions throughout the entire set of
standards. This letter describes the process used by GAO for revising
GAGAS, summarizes the proposed major changes, discusses proposed
effective dates, and provides instructions for submitting comments on
the proposed standards.
Process for Revising GAGAS:
To help ensure that the standards continue to meet the needs of the
audit community and the public it serves, the Comptroller General of
the United States appointed the Advisory Council on Government Auditing
Standards to review the standards and recommend necessary changes. The
Advisory Council includes experts in financial and performance auditing
drawn from all levels of government, private enterprise, public
accounting, and academia. This exposure draft of the standards includes
the Advisory Council’s suggestions for proposed changes. We are
currently requesting public comments on the proposed revisions in the
exposure draft.
Summary of Major Changes:
The proposed 2006 revision to GAGAS will be the fifth revision since
the standards were first issued in 1972. The 2006 Yellow Book exposure
draft seeks to emphasize the critical role of high quality government
audits in achieving credibility and accountability in government. The
overall focus of the proposed 2006 revised standards includes an
increased emphasis on audit quality and ethics and an extensive update
of the performance audit standards to include a specified level of
assurance within the context of risk and materiality. In addition, this
proposed revision modernizes GAGAS, with updates to reflect major
developments in the accountability and audit environment. Finally,
clarifications have been made throughout the standards.
The standards are organized by separate chapters as follows:
Chapter 1 – Use and Application of GAGAS:
Chapter 2 – Auditor’s Ethical Responsibilities:
Chapter 3 – General Standards:
Chapter 4 — Field Work Standards for Financial Audits:
Chapter 5 — Reporting Standards for Financial Audits:
Chapter 6 – General, Field Work, and Reporting Standards for Attestation
Engagements:
Chapter 7 – Field Work Standards for Performance Audits:
Chapter 8 – Reporting Standards for Performance Audits:
Appendix – Explanatory materials that do not represent GAGAS
requirements.
Effective Dates:
When issued in final, the 2006 revision will supersede the 2003
revision of the standards. We anticipate that, when finalized,
standards will become effective for audits beginning on or after July
1, 2007. For financial audits, certain standards issued by the Auditing
Standards Board (ASB) of the American Institute of Certified Public
Accountants have earlier effective dates. For financial audits
performed under GAGAS, the effective dates of the new ASB standards
will apply.
Instructions for Commenting:
The draft of the proposed changes to Government Auditing Standards,
2006 Revision, is only available in electronic format and can be
downloaded from GAO’s Yellow Book Web Page at [hyperlink,
http://www.gao.gov/govaud/ybk01.htm].
We are requesting comments on this draft from audit officials and
financial management at all levels of government, the public accounting
profession, academia, professional organizations, public interest
groups, and other interested parties. To assist you in developing your
comments, specific issues are presented in an enclosure to this letter,
along with a detailed list of proposed changes. We encourage you to
comment on these issues and any additional issues that you note. Please
associate your comments with specific references to issue numbers
and/or paragraph numbers in the proposed standards and provide your
rationale for any proposed changes, along with suggested revised
language. Please send your comments electronically to
yellowbook@gao.gov no later than August 15, 2006.
If you need additional information please call Michael Hrapsky, Senior
Project Manager, Financial Management and Assurance at (202) 512-9535,
or Jeanette Franzel, Director, at (202) 512-9471.
Sincerely yours,
Signed by:
Jeffrey C. Steinhoff:
Managing Director:
Financial Management and Assurance:
Enclosures:
[End of section]
Enclosure 1:
Questions for Commenters:
The following discussion and questions are provided to guide users in
commenting on the proposed 2006 revision of Government Auditing
Standards. We encourage you to comment on these issues and any
additional issues that you note. Please associate your comments with
specific references to issue numbers and/or paragraph numbers in the
proposed standards.
Chapter 1 – Use and Application of GAGAS:
1. The section entitled, “Use of Terminology to Define Professional
Requirements in GAGAS” was added to clarify the auditor’s
responsibilities and to achieve consistency with other standard setting
bodies. This new section is consistent with the AICPA Statement on
Auditing Standards (SAS) No. 102, Defining Professional Requirements in
Statements on Auditing Standards issued by the Auditing Standards Board
(ASB) of the American Institute of CPAs (AICPA) and with the approach
taken by the Public Company Accounting Oversight Board (PCAOB). GAGAS
requirements have also been rewritten in accordance with the
terminology set forth in this section. This approach is intended to
clarify auditors’ responsibilities and assist auditors in applying the
standards.
Please comment on the application and use of this terminology
throughout the proposed revision to GAGAS.
2. The section entitled “Citing Compliance with GAGAS in the Auditor’s
Report” was added to clarify auditor responsibilities and to provide
guidance to auditors in situations where they are unable to follow or
chose not to follow certain standards. Complementary guidance is also
provided in chapters 5 and 8. Please comment on the application and use
of this guidance for citing compliance with GAGAS in auditors’ reports.
Chapter 2 – Auditor’s Ethical Responsibilities:
3. Chapter 2 is devoted solely to emphasizing the ethical
responsibilities of government auditors. In the 2003 revision, GAGAS
made reference to ethical responsibilities throughout Chapter 1. This
2006 revision adds clarity and emphasis to the discussion of ethical
responsibilities of government auditors to uphold and protect the
public trust. This chapter employs a principles-based framework of
concepts that government auditors use to guide all of their work.
Please comment on the framework discussed in this chapter.
Chapter 3 – General Standards:
4. The discussion of nonaudit services and their impact on auditor
independence has been significantly streamlined and reorganized from
the 2003 revision of the standards to provide clarity. The discussion
is in paragraphs 3.30 through 3.35. Additional information on nonaudit
services that are generally unique to government audit organizations is
presented in the appendix, paragraphs A3.02 through A3.03.
Please comment on the description and categorization of nonaudit
services and their impact on auditor independence.
5. The section entitled “Quality Control and Assurance” has been
expanded to describe the elements that should be present in an audit
organization’s system of quality control. The addition of the specific
elements is intended to strengthen the standards and to emphasize
consistency of quality control standards among government audit
organizations.
Please comment on the expanded discussion of audit quality and the
related elements.
6. The section dealing with external peer review includes the following
changes: (1) a transparency requirement that external audit
organizations performing GAGAS audits make their results of an external
peer review public, and (2) revision of peer review time frames based
on risk and the underlying quality assurance system. The transparency
requirement is intended to increase accountability and emphasize the
importance of quality for audit organizations that perform audits under
GAGAS. The revisions to peer review time frames are risk based and
emphasize quality and a rigorous annual inspection program. (The
previous standard set the same requirement for all audit organizations,
regardless of peer review results or the underlying quality assurance
system.)
Please comment on the transparency requirements and the risk-based
approach to peer review time frames.
Chapters 4 and 5 – Financial Audits:
7. The audit documentation standard has been updated and expanded based
on the ASB’s revised standard, SAS No. 103, Audit Documentation.
Paragraphs 4.22 through 4.39 are consistent with the AICPA standard.
Paragraphs 4.40 and 4.41 are additional GAGAS standards to deal with
unique issues associated with auditing in the government environment.
The use of these standards is consistent for attest engagements (chapter
6) and performance audits (chapter 7). The overall goal of these
revisions was consistency with the ASB standard and among the different
types of GAGAS audits.
Please comment on the adoption of this standard.
8. The financial audit reporting standards have been updated to conform
with the ASB’s and PCAOB’s definitions of material weakness and
significant deficiency in internal controls. The definitions and
related guidance are provided in paragraphs 5.13 and 5.14. The overall
goal of adopting these revised definitions is to achieve consistency
with the other standards setters. These definitions may be further
clarified in the future by the other standards-setters, and we will
continue to work closely with them. The application of these new
definitions could affect the number and type of internal control
weaknesses reported in GAGAS audits.
Please comment on additional clarity or guidance that would assist in
implementing these new definitions.
Chapters 7 and 8 – Performance Audits:
9. The standards for performance audits have been significantly revised
to include a specified level of assurance within the context of audit
risk and significance (materiality).
The level of assurance for performance audits is defined in paragraph
1.35 and incorporated throughout the performance audit standards in
chapters 7 and 8. The level of assurance for performance audits is
achieved within the context of significance (materiality) and audit
risk. The description of significance and audit risk is included in
paragraphs 7.04 through 7.06, and the standards in chapters 7 and 8
have been written within this context.
Please comment on the discussion of levels of assurance, significance,
audit risk, and their application throughout the performance audit
standards.
10. Significant discussion has been added to chapters 7 and 8 about the
level of evidence needed to achieve the audit objectives in a
performance audit. This discussion uses the terminology “sufficient,
appropriate evidence” for consistency with other auditing standards
setters. The intent of the discussion of sufficient, appropriate
evidence is to provide clarity and guidance for making professional
judgments about the levels of evidence needed to achieve the audit
objectives.
Please comment on the clarity of the standards and the discussion of
sufficient appropriate evidence.
Overall:
11. The auditor’s responsibility for abuse for financial audits
(paragraphs 4.18 through 4.20), attestation engagements (6.17 through
6.22), and performance audits (7.34) has been clarified, but no change
was made to the auditor’s responsibility for abuse. The changes were in
response to questions received about implementing the standard on
abuse.
Please comment on the clarity of the definition of abuse. Please
include in your comments any specific examples of abuse you have
identified, along with supporting audit reports.
12. An appendix has been added to provide supplemental guidance to
assist auditors in the implementation of GAGAS. This guidance does not
establish any additional auditor requirements.
Please comment on the usefulness and need for the appendix.
[End of enclosure]
Enclosure 2:
Summary of Major Changes:
Chapter 1 – Use and Application of GAGAS:
Introduction and Purpose and Applicability of GAGAS were rewritten to
emphasize the role of auditing in government accountability and the
role of GAGAS in achieving improved government operations and
accountability. (1.01 – 1.05)
Use of Terminology to Define Professional Requirements in GAGAS was
added to modernize, harmonize, and clarify language used in the
standards. (1.06 – 1.12)
* The Public Company Accounting Oversight Board (PCAOB), International
Auditing and Assurance Standards Board (IAASB), and the American
Institute of Certified Public Accountants (AICPA) have adopted similar
standards to clarify auditors’ responsibilities. GAGAS terminology is
consistent with the AICPA’s Statement on Auditing Standards No. 102,
Defining Professional Requirements in Statements on Auditing Standards.
* All chapters were significantly revised to clarify auditors’
responsibilities and to avoid the confusion that existed in previous
versions of GAGAS through the use of the passive voice and other
references that were unclear as to the requirement placed on the
auditors.
Citing Compliance with GAGAS in the Auditors’ Report provides guidance
on citing GAGAS in the auditors’ report when auditors do not comply
with all unconditional or all presumptively mandatory requirements.
(1.13 – 1.15)
Relationship Between GAGAS and Other Professional Standards has been
updated to recognize that other sets of professional standards, such as
those issued by the PCAOB and the IAASB, the Institute of Internal
Auditors, and others can be used in conjunction with GAGAS and provides
related guidance. (1.16 – 1.20)
Types of Government Audits and Attestation Engagements has been
modified to re-write the description of a performance audit to clarify
the level of assurance and evidence needed. The concept of equity as a
potential performance audit objective was incorporated, and examples of
the types of performance audits were updated. (1.21 – 1.42)
Chapter 2 – Auditors’ Ethical Responsibilities:
Chapter 2 has been completely revised to focus solely on audit
organizations’ overall ethics responsibilities and auditors’ need to
observe overarching ethical concepts in performing their work. (2.01 –
2.16) Other materials that had previously been in Chapter 2 have been
included in Chapter 1 of the draft.
* Several of the ethical concepts in this chapter were included in the
2003 GAGAS revision in Chapter 1 under “Auditors’ Responsibilities,”
but they were not separately labeled as ethical responsibilities.
* The revised Chapter 2 describes the following ethical concepts that
auditors use to guide their work:
- the public interest (2.05 – 2.07);
- professional behavior (2.08 – 2.09);
- integrity (2.10 – 2.11);
- objectivity (2.12);
- proper use of government information, resources, and position (2.13 –
2.16);
Chapter 3 – General Standards:
Independence was reorganized and the guidance on nonaudit services was
clarified to facilitate implementing the standard. The standard on
nonaudit services was not changed. Specifically, the discussion of
nonaudit services was moved from “personal” to “organizational”
impairments because it is often the audit organization’s independence
that is impaired rather than that of the individual auditor,
reorganized the guidance into three categories of nonaudit services,
and consolidated and streamlined examples that had previously been
interspersed throughout the independence section. (3.02 – 3.35)
* The three distinct categories of nonaudit services are:
1. Nonaudit services that do not impair auditor independence and,
therefore, do not require compliance with the supplemental safeguards.
(3.30a and 3.31 – 3.32);
2. Nonaudit services that would not impair independence if supplemental
safeguards are implemented. (3.30b and 3.33);
3. Nonaudit services that impair independence (3.30c and 3.34)
* Additional guidance in the appendix was included to deal with
nonaudit services that are frequently conducted by government audit
organizations. (A3.02 – A3.03).
Professional Judgment was expanded to emphasize its importance and
relate it to key steps in performing an audit. (3.36 – 3.45)
Competence was expanded and clarified. (3.46 – 3.58)
Quality Control and Assurance was expanded to describe five elements
that should be present in an audit organization’s system of quality
control: (1) ethics, (2) initiation and continuance of engagements, (3)
human capital, (4) performance and reporting, and (5) monitoring
quality. (3.61)
External Peer Review has been changed to include a transparency
requirement that audit organizations that report externally to third
parties make peer review results publicly available (3.68). The section
also establishes new peer review time frames based on risk and the
underlying quality assurance system (3.69) Audit organizations are
required to have a peer review:
* within 18 months, if the most recent peer review opinion is adverse
or modified, and every 18 months thereafter until the audit
organization receives an unmodified opinion;
* every 3 years if the audit organization has an unmodified peer review
opinion and does not meet the enhanced quality assurance criteria for a
5-year cycle or does not chose a 5-year period;
* every 5 years if the audit organization has an unmodified peer review
opinion and elects to meet the enhanced quality assurance criteria in
3.70;
* developed required enhanced quality assurance criteria for audit
organizations electing a 5-year peer review cycle, including:
- a publicly available description of the audit organization’s quality
assurance system (3.70a);
- an effective annual internal quality inspection process that meets
stated criteria (3.70b), and;
- a publicly available annual written assertion that is consistent with
the results of the audit organization’s monitoring and inspection
processes about the effectiveness of its quality assurance program
[3.70b(3)].
Chapter 4—Field Work Standards for Financial Audits:
The following changes have been made to update and clarify the
standards for field work:
* update of the AICPA field work standards cited to reflect recent
AICPA changes (4.04);
* addition of a clear and prominent discussion on consideration of
fraud and illegal acts which clarifies the existing standard (4.07 –
4.08);
* clarifications to the description of abuse and the existing standard
on the auditors’ responsibility for abuse in a financial audit that is
material, either qualitatively or quantitatively (4.18 – 4.19), and;
* update of the audit documentation standard for consistency with
AICPA’s new standard (4.22 – 4.41).
Chapter 5—Reporting Standards for Financial Audits:
The following changes have been made to update and clarify the
reporting standards:
* update of definitions and terminology for internal control
deficiencies to achieve consistency with PCAOB and AICPA terminology
(5.12 – 5.15);
* clarification of reporting requirements for internal control
deficiencies, illegal acts, violations of provisions of contracts or
grant agreements, or abuse (5.12 – 5.27);
* addition of a section on emphasizing significant matters in the
auditors’ report(5.28 – 5.31);
* addition of a section on reporting on restatement of previously-
issued financial statements (5.32 – 5.38), and;
* clarification of the auditors’ responsibilities for reporting views
of responsible officials (5.39 – 5.44) and for issuing and distributing
reports (5.48 – 5.51).
Chapter 6 – General, Field Work, and Reporting Standards for Attestation
Engagements:
Conforming changes were made to chapter 6 for consistency with changes
in chapters 4 and 5.
Chapter 7 – Field Work Standards for Performance Audits:
The field work standards for performance audits have been significantly
revised within a framework related to significance (materiality), audit
risk, and reasonable assurance. The following changes were made:
* addition of a section on the concept of significance in a performance
audit (7.04 – 7.05);
* addition of a section discussing audit risk (7.06);
* definition of the level of assurance associated with a performance
audit as providing reasonable assurance that auditors have adequate
support to achieve the audit objectives and reach conclusions (7.13);
* clarification throughout chapter 7 of the levels of evidence needed
to achieve audit objectives, recognizing that objectives vary and,
therefore, so will the nature of evidence needed;
* incorporation of the concept of risk into the auditors’ planning and
evaluation process;
* inclusion of a section on information systems controls for the
purpose of assessing audit risk and planning the audit (7.25 – 7.27);
* emphasis of auditors’ professional judgment and the focus of audit
work in relation to the audit objectives;
* clarification of the auditors’ responsibility for responding to
indications of potential fraud (7.31 – 7.33);
* clarification of the auditors’ responsibility for abuse (7.34);
* incorporation throughout the standard of the concept of “sufficient,
appropriate evidence” to replace “sufficient, competent, and relevant
evidence.” This terminology is consistent with other standards setters.
(7.53 – 7.69)
- Appropriateness is defined as a measure of quality, which encompasses
relevance, reliability, and validity in providing support for audit
objectives. (7.56 – 7.62)
- Sufficiency is defined as a measure of quantity and is evaluated
based on the collective audit evidence supporting findings,
conclusions, or recommendations related to the audit objectives. (7.63
– 7.64);
* description of and emphasis on the overall assessment of evidence to
avoid confusion about how to apply the standards (7.65 – 7.69), and;
?? revision of the audit documentation section to conform with chapter
4. (7.74 – 7.92).
Chapter 8 – Reporting Standards for Performance Audits:
The reporting standards were streamlined and conforming changes were
made to reflect changes in Chapter 7. The auditors’ responsibilities
for reporting the views of responsible officials (8.35 – 8.40) and
report issuance and distribution (8.44 – 8.47) were clarified.
Appendix:
An appendix has been added to provide supplemental guidance to assist
auditors in the implementation of GAGAS. This guidance does not
establish additional GAGAS requirements.
[End of enclosure]
Contents:
Letter:
Questions For Commenters:
Summary Of Major Changes:
Chapter 1:
Use And Application Of Gagas:
Introduction:
Purpose and Applicability of GAGAS:
Use of Terminology to Define Professional Requirements in GAGAS:
Citing Compliance with GAGAS in the Auditors’ Report:
Relationship Between GAGAS and Other Professional Standards:
Types of Government Audits and Attestation Engagements:
Financial Audits:
Attestation Engagements:
Performance Audits:
Nonaudit Services Provided by Audit Organizations:
Chapter 2:
Auditors’ Ethical Responsibilities:
Introduction:
Overarching Ethical Concepts:
The Public Interest:
Professional Behavior:
Integrity:
Objectivity:
Proper Use of Government Information, Resources, and Position:
General Standards:
Introduction:
Independence:
Personal Impairments:
External Impairments:
Organizational Independence:
Organizational Independence When Reporting Externally to Third Parties:
Organizational Independence When Reporting Internally to Management (as
an internal audit function):
Organizational Independence When Performing Nonaudit Services:
Professional Judgment:
Competence:
Technical Knowledge and Competence:
Additional Qualifications for Financial Audits and Attestation
Engagements:
Continuing Professional Education:
Quality Control and Assurance:
System of Quality Control:
External Peer Review:
Chapter 4:
Field Work Standards For Financial Audits:
Introduction:
AICPA Field Work Standards:
Additional Considerations for Financial Audits in Government:
Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees:
Additional GAGAS Standards:
Auditor Communication:
Previous Audits and Attestation Engagements:
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from Abuse:
Developing Elements of a Finding:
Audit Documentation:
Chapter 5:
Reporting Standards For Financial Audits:
Introduction:
AICPA Reporting Standards:
Additional GAGAS Reporting Standards for Financial Audits:
Reporting Auditors’ Compliance with GAGAS:
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements:
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal
Acts, Violations of Provisions of Contracts or Grant Agreements, or
Abuse:
Reporting Deficiencies in Internal Control:
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse:
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
Emphasizing Significant Matters in the Auditors’ Report:
Reporting on Restatement of Previously-Issued Financial Statements:
Reporting Views of Responsible Officials:
Reporting Privileged and Confidential Information:
Issuing and Distributing Reports:
Chapter 6:
General, Field Work, And Reporting Standards For Attestation
Engagements:
Introduction:
AICPA General and Field Work Standards for Attestation Engagements:
Additional Considerations for Attestation Engagements in Government:
Additional GAGAS Field Work Standards for Attestation Engagements:
Auditor Communication:
Previous Audits and Attestation Engagements:
Internal Control:
Detecting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse That Could Have a Material
Effect on the Subject Matter:
Developing Elements of Findings for Attestation Engagements:
Attest Documentation:
AICPA Reporting Standards for Attestation Engagements:
Additional GAGAS Reporting Standards for Attestation Engagements:
Reporting Auditors’ Compliance with GAGAS:
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal
Acts, Violations of Provisions of Contracts or Grant Agreements, or
Abuse:
Reporting Deficiencies in Internal Control:
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
Reporting Views of Responsible Officials:
Reporting Privileged and Confidential Information:
Issuing and Distributing Reports:
Chapter 7:
Field Work Standards For Performance Audits:
Introduction:
Significance in a Performance Audit:
Audit Risk:
Sufficient, Appropriate Evidence:
Planning:
Nature and Profile of the Program:
Internal Control:
Information Systems Controls:
Legal and Regulatory Requirements, Contract Provisions, or Grant
Agreements, Potential Fraud, or Abuse:
Legal and Regulatory Requirements, Contracts, and Grants:
Fraud:
Abuse:
Previous Audits and Attestation Engagements:
Identifying Audit Criteria:
Identifying Sources of Audit Evidence and the Amount and Type of
Evidence Required:
Considering Work of Others:
Assigning Staff and Other Resources:
Communicating with Management, Those Charged with Governance, and
Others:
Preparing the Audit Plan:
Supervision:
Obtaining Sufficient, Appropriate Evidence:
Appropriateness:
Sufficiency:
Overall Assessment of Evidence:
Audit Findings:
Audit Documentation:
Chapter 8:
Reporting Standards For Performance Audits:
Introduction:
Reporting:
Report Contents:
Objectives, Scope, and Methodology:
Findings:
Reporting Deficiencies in Internal Control:
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse:
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
Conclusions:
Recommendations:
Statement on Compliance with GAGAS:
Reporting Views of Responsible Officials:
Reporting Privileged and Confidential Information:
Report Issuance and Distribution:
Appendix:
Introduction:
Overall Supplemental Guidance:
Examples of Significant Deficiencies in Internal Control:
Examples of Abuse:
Examples of Indicators of Fraud Risk:
Determining Whether Laws, Regulations, or Provisions of Contracts or
Grant Agreements Are Significant to Audit Objectives:
Information to Accompany Chapter 1:
The Role of Those Charged with Governance in Accountability:
Management’s Role in Accountability:
Laws, Regulations, and Guidelines that Require Use of GAGAS:
Information to Accompany Chapters 3:
Nonaudit Services:
Information to Accompany Chapter 7:
Types of Evidence:
Appropriateness of Information in Relation to the Audit Objectives:
Members Of The Comptroller General’s Advisory Council On
Government Auditing Standards:
[End of section]
Chapter 1: Use and Application of GAGAS:
Introduction:
1.01: Government auditing is essential to the government’s
responsibility of accountability to the public. Government audits are
intended to provide an independent, objective, nonpartisan assessment
of the stewardship, performance, and cost of government policies,
programs, and operations.
1.02: The concept of accountability for use of public resources and
government authority is key in our nation’s governing processes.
Government officials entrusted with public resources are responsible
for carrying out public functions efficiently, economically,
effectively, ethically, equitably, [Footnote 1] and legally. Government
managers are responsible for providing reliable and useful information
for accountability of government programs and their operations.
[Footnote 2] Legislators, government officials, and the public need to
know whether (1) government manages public resources and uses its
authority properly and in compliance with laws and regulations, (2)
government programs are achieving their objectives and desired
outcomes, (3) government services are being provided efficiently,
economically, effectively, ethically, and equitably, and (4) government
managers are held fully accountable for their use of public resources.
Government auditing provides independent assessments of that
information for the benefit of those charged with oversight and for the
public.
Purpose and Applicability of GAGAS:
1.03: The professional standards and guidance contained in this
document, often referred to as generally accepted government auditing
standards (GAGAS), are intended for use by auditors [Footnote 3] of
government entities and audit organizations [Footnote 4] to help ensure
that they perform high quality work with competence, integrity,
objectivity, and independence in planning, conducting, and reporting on
government audits. Auditors and audit organizations use GAGAS when
required by law, regulation, contract, grant agreement, or policy.
1.04: The standards and guidance in this document apply to auditors who
conduct audits and attestation engagements of government entities,
programs, activities, and functions, and of government assistance
administered by contractors, nonprofit entities, and other
nongovernmental entities. If auditors hold themselves out as complying
with GAGAS, regardless of whether the auditors are required to follow
such standards, the auditors should follow all applicable GAGAS
standards, and refer to compliance with GAGAS as set forth in
paragraphs 1.13 through 1.15.
1.05: GAGAS contain standards dealing with ethics, independence,
auditors’ professional competence and judgment, quality control, the
performance of field work, and reporting. GAGAS are intended to help
ensure that audits and attestation engagements performed under GAGAS
provide reasonable assurance about the information needed for oversight
and accountability of government programs and operations by requiring
auditors to objectively acquire and evaluate evidence and report the
results. When auditors perform their work in this manner and comply
with GAGAS in reporting the results, their work can lead to improved
government management, decision making and oversight, effective and
efficient operations, and accountability for resources and results.
Government auditing is also a key element in fulfilling the
government’s duty to be accountable to the public.
Use of Terminology to Define Professional Requirements in GAGAS:
1.06: GAGAS contain professional requirements together with related
guidance in the form of explanatory material. [Footnote 5] Auditors
have a responsibility to consider the entire text of GAGAS in carrying
out their work on an engagement and in understanding and applying the
professional requirements of the relevant standards.
1.07: Not every paragraph of GAGAS carries a professional requirement
that the auditors are expected to fulfill. Rather, the professional
requirements are communicated by the language and the meaning of the
words used in GAGAS.
1.08: GAGAS use two categories of professional requirements, identified
by specific terms, to describe the degree of responsibility they impose
on auditors, as follows:
a. Unconditional requirements. The auditor is required to comply with
an unconditional requirement in all cases in which the circumstances
exist to which the unconditional requirement applies. GAGAS use the
words must or is required to indicate an unconditional requirement.
b. Presumptively mandatory requirements. The auditor is also required
to comply with a presumptively mandatory requirement in all cases in
which the circumstances exist to which the presumptively mandatory
requirement applies; however, in rare circumstances, the auditor may
depart from a presumptively mandatory requirement provided the auditor
documents his or her justification for the departure and how the
alternative procedures performed in the circumstances were sufficient
to achieve the objectives of the presumptively mandatory requirement.
GAGAS use the word should to indicate a presumptively mandatory
requirement.
1.09: If GAGAS provide that a procedure or action is one that the
auditor “should consider” the consideration of the procedure or action
is presumptively required, whereas carrying out the procedure or action
is not. The professional requirements of GAGAS are to be understood and
applied in the context of the explanatory material that provides
guidance for their application.
1.10: Explanatory material is defined as the text within GAGAS that
may:
a. provide further explanation and guidance on the professional
requirements; or;
b. identify and describe other procedures or actions relating to the
activities of the auditor.
1.11: Explanatory material that provides further explanation and
guidance on the professional requirements is intended to be descriptive
rather than imperative. That is, it may explain the objective of the
professional requirements (where not otherwise self evident); explain
why the auditor might consider or employ particular procedures,
depending on the circumstances; or provide additional information for
the auditor to consider in exercising professional judgment in
performing the engagement.
1.12: Explanatory material that identifies and describes other
procedures or actions relating to the activities of the auditor is not
intended to impose a professional requirement on the auditor to perform
the suggested procedures or actions. How and whether the auditor
carries out such procedures or actions in the engagement depends on the
exercise of professional judgment in the circumstances consistent with
the objective of the standard. The words may, might, and could are used
to describe these actions and procedures.
Citing Compliance with GAGAS in the Auditors’ Report:
1.13: Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS engagements, as appropriate,
based on the provisions of paragraphs 1.14 through 1.15.
a. Unqualified GAGAS compliance statement. The auditors state that the
engagement was performed in accordance with GAGAS.
b. Qualified GAGAS compliance statement. The auditors state that the
engagement was performed in accordance with GAGAS, except for specific
applicable standards that were not followed.
c. Negative GAGAS compliance statement. The auditors state that the
engagement was not performed in accordance with GAGAS.
1.14: When auditors comply with all applicable unconditional and
presumptively mandatory GAGAS requirements, they should include an
unqualified GAGAS compliance statement in the audit report. (See
paragraphs 5.05, 6.47, and 8.33.)
1.15: When auditors did not comply with applicable unconditional and/or
presumptively mandatory requirements, they should assess the
significance of not following the requirement to the scope of the audit
and the auditors’ overall compliance with GAGAS and document the
assessment, along with the reasons for not following the standard.
Based on this assessment, the auditors should determine whether and to
what extent to disclose in the report the applicable standard(s) not
followed, the reasons for not following the standard(s), and how not
following the standards affected, or could have affected the audit. In
addition, auditors should consider modifying the GAGAS compliance
statement as follows. These determinations are a matter of professional
judgment:
a. When auditors do not comply with all unconditional requirements that
are applicable based on the audit objectives, they should determine
whether to include a qualified GAGAS compliance statement or a negative
GAGAS compliance statement in the report.
b. When auditors do not comply with all presumptively mandatory
requirements that are applicable based on the audit objectives, they
should determine whether to include a qualified GAGAS compliance
statement or an unqualified GAGAS compliance statement in the report.
When auditors have justification for not following a presumptively
mandatory requirement, an unqualified GAGAS statement may be
appropriate.
c. When auditors did not comply with multiple presumptively mandatory
requirements, they should determine whether they should include a
negative GAGAS compliance statement in the report.
Relationship Between GAGAS and Other Professional Standards:
1.16: Auditors may use GAGAS in conjunction with professional standards
issued by other authoritative bodies. If there are conflicts between
the standards, and the auditors cannot satisfy both standards, the
auditors should provide disclosure in the auditors’ report about any
standards not followed and the impact on the audit. (See paragraphs
5.06, 6.47 and 8.34)
1.17: Auditors use professional judgment in determining how to follow
GAGAS and the other standards, and how to handle any inconsistencies
between GAGAS and other standards.
1.18: For financial audits, GAGAS incorporate other professional
standards, as follows:
a. The American Institute of Certified Public Accountants (AICPA) has
established professional standards that apply to financial audits and
attestation engagements for nonissuers [Footnote 6] performed by
certified public accountants (CPA). For financial statement audits,
GAGAS incorporate the AICPA’s field work and reporting standards and the
related statements on auditing standards (SAS) unless specifically
excluded or modified by GAGAS. [Footnote 7]
b. The International Auditing and Assurance Standards Board (IAASB) has
established professional standards that apply to financial audits and
attestation engagements that are conducted internationally. Auditors
may use GAGAS in conjunction with the IAASB standards and the related
statements on International Statements on Auditing (ISA).
c. The Public Company Accounting Oversight Board (PCAOB) has established
professional standards that apply to financial audits and attestation
engagements for issuers. Auditors may use GAGAS in conjunction with the
PCAOB standards.
1.19: For attestation engagements, GAGAS incorporate the AICPA’s
general standard on criteria, and the field work and reporting
standards and the related statements on the standards for attestation
engagements (SSAE), unless specifically excluded or modified by GAGAS.
1.20: For performance audits, auditors may use other professional
standards in conjunction with GAGAS, such as the following:
a. International Standards for the Professional Practice of Internal
Auditing, The Institute of Internal Auditors, Inc.;
b. Guiding Principles for Evaluators, American Evaluation Association;
c. The Program Evaluation Standards, Joint Committee on Standards for
Education Evaluation; and;
d. Standards for Educational and Psychological Testing, American
Psychological Association.
Types of Government Audits and Attestation Engagements:
1.21: This section describes the types of audits and attestation
engagements that audit organizations may perform under GAGAS. This
description is not intended to limit or require the types of audits or
attestation engagements that may be performed under GAGAS.
1.22: All engagements begin with objectives, and those objectives
determine the type of work to be performed and the applicable standards
to be followed. The types of work, as defined by their objectives that
are covered by GAGAS, are classified in this document as financial
audits, attestation engagements, and performance audits.
1.23: In some engagements, the standards applicable to the specific
audit objective will be apparent. For example, if the audit objective
is to express an opinion on financial statements, the standards for
financial audits apply. However, some engagements may have multiple or
overlapping objectives. For example, if the objectives are to determine
the reliability of performance measures, this work can be done in
accordance with either the standards for attestation engagements or for
performance audits. In cases where there is a choice between applicable
standards, auditors should evaluate users’ needs and the auditors’
knowledge, skills, and experience in deciding which standards to
follow.
Financial Audits:
1.24: Financial audits provide an independent assessment of whether an
entity’s reported financial condition, results, and use of resources
are presented fairly in accordance with recognized criteria. Reporting
on financial audits performed in accordance with GAGAS also includes
reports on internal control, compliance with laws and regulations, and
provisions of contracts and grant agreements as they relate to
financial transactions, systems, and processes.
1.25: The primary purpose of a financial audit is to provide an opinion
(or disclaim an opinion) about whether an entity’s financial statements
are presented fairly in all material respects in conformity with
generally accepted accounting principles (GAAP), [Footnote 8] or with a
comprehensive basis of accounting other than GAAP. Other types of
financial audits, which provide for different levels of assurance and
entail various scopes of work, may include:
a. providing special reports, such as for specified elements, accounts,
or items of a financial statement; [Footnote 9]
b. reviewing interim financial information;
c. issuing letters for underwriters and certain other requesting
parties;
d. reporting on the processing of transactions by service
organizations; and;
e. auditing compliance with regulations relating to federal award
expenditures and other governmental financial assistance in conjunction
with or as a by-product of a financial statement audit.
1.26: For financial statement audits, GAGAS incorporate the AICPA’s
field work and reporting standards and the related statements on
auditing standards unless specifically excluded or modified by GAGAS.
GAGAS establish ethical responsibilities, independence standards,
general standards, and additional field work and reporting standards
beyond those provided by the AICPA when performing financial audits.
(See chapters 2, 3, 4, and 5 for standards and guidance for auditors
performing a financial audit in accordance with GAGAS.)
1.27: For financial statement audits, GAGAS can also be used in
conjunction with standards issued by the PCAOB or IAASB. (See
paragraphs 1.16–1.18.)
Attestation Engagements:
1.28: The primary purpose of an attestation engagement [Footnote 10] is
to report on a subject matter or management’s assertions about a
subject matter compared with stated criteria. Attestation engagements
can cover a broad range of financial or nonfinancial objectives and may
provide different levels of assurance about the subject matter or
assertion
depending on the users’ needs.
1.29: In an attestation engagement, auditors issue an examination, a
review, or an agreed-upon procedures report on a subject matter or on
an assertion about a subject matter, that is the responsibility of
another party. Attestation engagements can cover a broad range of
financial or nonfinancial objectives and can be part of an audit or a
separate engagement. The three levels of attestation engagements
include the following:
a. Examination: Auditors perform sufficient testing to express an
opinion on whether the subject matter is based on (or in conformity
with) the criteria in all material respects or the assertion is
presented (or fairly stated), in all material respects, based on the
criteria.
b. Review: Auditors perform sufficient testing to express a conclusion
about whether any information came to the auditors’ attention on the
basis of the work performed that indicates the subject matter is not
based on (or in conformity with) the criteria or the assertion is not
presented (or fairly stated) in all material respects based on the
criteria. [Footnote 11]
c. Agreed-Upon Procedures: Auditors perform testing to issue a report
of findings based on specific procedures performed on subject matter.
1.30: The subject matter of an attestation engagement may take many
forms, including historical or prospective performance or condition,
physical characteristics, analyses, internal controls, systems and
processes, or compliance with laws, regulations, contracts, or other
requirements. Possible subjects of attestation engagements could
include reporting on:
a. prospective financial or performance information;
b. quantity, condition, and/or valuation of inventory or assets;
c. management’s discussion and analysis (MD&A) presentation;
d. an entity’s internal control over financial reporting;
e. the effectiveness of an entity’s internal control over compliance
with specified requirements, such as those governing the bidding for,
accounting for, and reporting on grants and contracts;
f. an entity’s compliance with requirements of specified laws,
regulations, rules, contracts, or grants; and;
g. specific procedures performed on a subject matter (agreed-upon
procedures).
1.31: For attestation engagements, GAGAS incorporate the AICPA’s
general standard on criteria, and the field work and reporting
standards and the related Statements on Standards for Attestation
Engagements (SSAE), unless specifically excluded or modified by GAGAS.
GAGAS establish ethical responsibilities, independence standards,
general standards and additional field work and reporting standards
beyond those provided by the AICPA for attestation engagements. (See
chapters 2, 3, and 6 for standards and guidance for auditors performing
an attestation engagement in accordance with GAGAS.)
1.32: As discussed in paragraph 1.19, GAGAS incorporate the AICPA’s
general standard on criteria, the field work and reporting standards
and the related statements on the standards for attestation engagements
when performing attestation engagements.
Performance Audits:
1.33: Performance audits provide assurance or conclusions relating to
audit objectives that provide an evaluation against objective criteria,
such as specific requirements or measures, or good business practices.
[Footnote 12] Performance audits provide objective analysis so that
management and those charged with governance and oversight may improve
program [Footnote 13] performance, operations, reduce costs, facilitate
decision making by parties with responsibility to oversee or initiate
corrective action, and contribute to public accountability. Performance
audits can also provide descriptive information in response to audit
objectives to describe a process or a condition. The term performance
audit includes audits classified by some audit organizations as program
or performance evaluations, program effectiveness and results audits,
economy and efficiency audits, operational audits, management audits,
compliance audits, and value-for-money audits.
1.34: Audit objectives for performance audits may vary widely and may
encompass a variety of objectives, including assessing program economy,
efficiency, effectiveness, results, or equity; internal control;
[Footnote 14] compliance with legal, policy, procedural, or other
requirements; and providing assurance about prospective analyses,
guidance, or summary information. These overall objectives are not
mutually exclusive. Thus, a performance audit may have more than one
overall objective. For example, often a performance audit with an
initial objective of program effectiveness may also involve an
underlying objective of evaluating internal controls to determine the
reasons for a program’s lack of effectiveness or how effectiveness can
be improved.
1.35: Performance audits provide reasonable assurance that the auditors
have sufficient, appropriate evidence concerning the achievement of the
audit objectives and the conclusions reached. For descriptive audit
objectives, the audit provides reasonable assurance about the
descriptive information. The levels of evidence and tests of evidence
will vary based on the audit objectives and conclusions. Objectives for
performance audits range from narrow to broad and may involve specific
evidence or extensive evidence. In some engagements, sufficient,
appropriate evidence is easily obtained, and in others, information may
have limitations. Auditors use professional judgment in determining the
audit scope and methodology needed to address the audit’s objectives,
while providing the appropriate level of assurance that the evidence
obtained is sufficient and appropriate to meet the audit’s objectives.
1.36: A performance audit is a dynamic, iterative process which
includes consideration of the applicable standards taken as a whole
throughout the course of the audit. An ongoing reassessment of the
objectives, audit risk, audit procedures, and evidence during the
course of the audit facilitates the auditors’ determination of what to
report and the proper context for the audit conclusions, including
discussion about the nature, type, and quality of evidence being used
as a basis for the audit conclusions. Performance audit conclusions
logically flow from all of these elements, and include the proper
context based on the underlying evidence.
1.37: The audit objectives for performance audits generally fall into
the following categories: program effectiveness and results, economy
and efficiency, internal control, compliance, and prospective analysis.
1.38: Program effectiveness and results audit objectives are frequently
interrelated with economy and efficiency objectives. Audit objectives
that focus on program effectiveness and results address the
effectiveness of a program and typically measure the extent to which a
program is achieving its goals and objectives. Audit objectives that
focus on economy and efficiency address the costs and resources used to
achieve program results. Examples of audit objectives in these
categories include:
a. assessing the extent to which legislative, regulatory, or
organizational goals and objectives are being achieved;
b. assessing the relative ability of alternative approaches to yield
better program performance or eliminate factors that inhibit program
effectiveness;
c. analyzing the relative cost effectiveness of a program or activity;
[Footnote 15]
d. determining whether a program produced intended results or produced
results that were not consistent with the program’s objectives;
e. determining whether a program provides equitable access to or
distribution of public resources within the context of statutory
parameters;
f. assessing the extent to which programs duplicate, overlap, or
conflict with other related programs;
g. evaluating whether the audited entity is following sound and
equitable procurement practices;
h. assessing the reliability, validity, or relevance of performance
measures concerning program effectiveness and results, or economy and
efficiency;
i. assessing the reliability, validity, or relevance of financial
information related to the performance of a program;
j. determining whether government resources (inputs) are obtained at
reasonable costs while meeting timeliness and quality considerations;
k. determining whether appropriate value was obtained based on the cost
or amount paid;
l. determining whether government services and benefits are accessible
to those citizens who have a right to access those services and
benefits;
m. determining whether and how the government program’s unit costs can
be decreased or its productivity increased; and;
n. analyzing budget proposals or budget requests to assist legislatures
in the budget process.
1.39: Internal control audit objectives relate to an assessment of the
component of an organization’s system of internal control that is
designed to provide reasonable assurance of achieving effective and
efficient operations, reliable financial and performance reporting, and
compliance with applicable laws and regulations. Internal control
objectives are also relevant when determining the cause of
unsatisfactory program performance. Internal control comprises the
plans, methods, and procedures used to meet the organization’s mission,
goals, and objectives. Internal control includes the processes and
procedures for planning, organizing, directing, and controlling
program operations, and management’s system for measuring, reporting,
and monitoring program performance. Examples of audit objectives
related to internal control include an assessment of the extent that
internal control provides reasonable assurance that:
a. organizational missions, goals, and objectives are achieved
effectively and efficiently;
b. resources are used in compliance with laws, regulations, or other
requirements;
c. resources are safeguarded against unauthorized acquisition, use, or
disposition;
d. management information and public reports that are produced, such as
performance measures, are complete, accurate, and consistent to support
performance and decision making;
e. the integrity of computerized information and information systems
are achieved, and;
f. contingency planning for information systems provides essential back-
up to prevent unwarranted disruption of activities and functions the
systems support.
1.40: Compliance audit objectives relate to compliance criteria
established by laws, regulations, contract provisions, grant
agreements, and other requirements [Footnote 16] that could affect the
acquisition, protection, and use of the entity’s resources and the
quantity, quality, timeliness, and cost of services the entity produces
and delivers. Compliance objectives include determining whether:
a. the purpose of the program, the manner in which it is to be
conducted, the services delivered, the outcomes, or the population it
serves are in compliance with laws, regulations, contract provisions,
grant agreements, and other requirements;
b. government services and benefits are distributed or delivered to
citizens based on the citizens’ right to obtain those services and
benefits; and;
c. incurred or proposed costs are in compliance with applicable laws,
regulations, and contract or grant agreement terms.
1.41: Prospective audit objectives provide analysis or conclusions
about information that is based on assumptions about events that may
occur in the future along with possible actions that the audited entity
may take in reaction to the future events. Examples of objectives
pertaining to this work include providing analysis or conclusions
about:
a. current and projected trends and future potential impact on
government programs and services;
b. program or policy alternatives, including forecasting program
outcomes under various assumptions;
c. policy proposals for decision makers;
d. prospective information prepared by management;
e. forecasts that are based on (1) assumptions about expected future
events and (2) management’s expected reaction to those future events;
and;
f. management’s assumptions on which prospective information is based.
1.42: As discussed in paragraphs 1.16 through 1.17 and 1.20, other
professional standards may be used in conjunction with GAGAS when
conducting performance audits.
Nonaudit Services Provided by Audit Organizations:
1.43: GAGAS do not cover nonaudit services since such services are not
audits or attestation engagements. Therefore, auditors should not
report that the nonaudit services were conducted in accordance with
GAGAS. However, audit organizations may report that nonaudit services
were conducted in compliance with the audit organization’s internal
quality control system and/or with any other applicable standards,
guidance, or generally accepted practices. When performing nonaudit
services, audit organizations have a responsibility to communicate with
requestors and other users, as appropriate, in order to clarify that
the scope of work performed does not constitute an audit under GAGAS.
1.44: Audit organizations that provide nonaudit services should
evaluate whether providing nonaudit services creates an independence
impairment either in fact or appearance with respect to the entities
they audit. Further discussion of nonaudit services and potential
impact on auditor independence is included in Chapter 3, paragraphs
3.24 through 3.35 and in the appendix, paragraphs A3.02 through A3.03.
[End of chapter]
Chapter 2: Auditors’ Ethical Responsibilities:
Introduction:
2.01: Because government auditing is essential to government
accountability to the public, government auditors have ethical
responsibilities to uphold and protect the public trust. The public
expects audit organizations and auditors in the government environment
to conduct their audit work in accordance with ethical principles.
Management of the audit organization sets the tone for ethical behavior
throughout the organization by maintaining an ethical culture, clearly
communicating acceptable behavior and expectations to each employee,
and creating a positive work environment. The ethical values maintained
and demonstrated by management and staff are an essential element of a
positive ethical environment for the audit organization.
2.02: While audit organizations have overall responsibility for
creating the environment to promote conducting audit work in accordance
with ethical principles, ethics are also a matter of personal
responsibility. It is essential that government auditors observe
overarching ethical concepts in the performance of their professional
responsibilities. Ethical concepts apply in preserving auditor
independence,17 taking on work that the auditor is competent to
perform, performing high quality work, and following applicable
standards when cited in the audit report. Integrity and objectivity are
maintained when auditors complete their work and make decisions that
are consistent with the broader interest of those relying on the
auditors’ report, including the public.
Overarching Ethical Concepts:
2.03: The overarching ethical concepts contained in the following
sections provide the overall framework for application of the GAGAS
standards, including general standards, field work standards, and
reporting standards for auditors’ use in performing their professional
responsibilities. It is essential that government auditors conduct
their work in such a manner that these concepts are observed throughout
all of their professional activities. Each concept is presented in a
descriptive manner, rather than setting forth a series of requirements,
so that auditors can consider the facts and circumstances of each
situation within the framework of these ethical concepts. Auditors also
have a responsibility to understand and comply with other ethical
requirements or codes of professional conduct, when applicable.
[Footnote 18]
2.04: The ethical concepts that guide the work of government auditors
include:
a. The Public Interest;
b. Professional Behavior;
c. Integrity;
d. Objectivity; and
e. Proper Use of Government Information, Resources and Position.
The Public Interest:
2.05: The public interest is defined as the interests of those relying
on the auditors’ work, including the public. In discharging their
professional responsibilities, auditors observe the principles of
serving the public interest by maintaining the highest degree of
integrity, objectivity, and independence. These principles are
fundamental to the responsibilities of auditors and critical in the
government environment.
2.06: A distinguishing mark of a professional auditor is acceptance of
responsibility toward the public interest. This responsibility is
critical when auditing in the government environment. Therefore, it is
critical that auditors in the government environment act in a way that
will serve the public interest and honor the public trust. GAGAS embody
the concept of accountability for public resources, which is
fundamental to serving the public interest.
2.07: In discharging their professional responsibilities, auditors may
encounter conflicting pressures from management of the audited entity,
various levels of government, and others who rely on the auditors’
work. In resolving those conflicts, auditors have a responsibility to
act with integrity, guided by the precept that when auditors fulfill
their responsibilities, the public interest is best served.
Professional Behavior:
2.08: It is essential that auditors’ professional behavior include
compliance with laws and regulations and acting in a manner consistent
with the high expectations for their profession, while avoiding any
conduct that might bring discredit to their work, including actions
that would cause a reasonable and informed third party, having
knowledge of all relevant information to conclude that the conduct or
work performed by the government auditors or audit organization was
professionally deficient. Professional behavior includes auditors
putting forth an honest effort in the performance of their duties and
carrying out their professional services in accordance with the
relevant technical and professional standards.
2.09: The professional behavior of auditors practicing in the
government environment is expected to be above reproach. Professional
behavior is realized when auditors conduct themselves in a manner that
avoids having their actions and work misinterpreted or that gives the
appearance of being biased or misleading. By observing ethical
principles, auditors promote confidence in the integrity of government
operations and programs.
Integrity:
2.10: Public confidence in government is maintained and enhanced by
accountability professionals such as auditors performing their
professional responsibilities with the highest degree of integrity.
Integrity includes auditors conducting their work with an attitude that
is objective, fact-based, nonpartisan, and non-ideological with regard
to audited entities and users of the auditors’ reports. It is crucial
for auditors to be honest, candid, and constructive with the audited
entity and users of the auditors’ work in the conduct of their work,
within the constraints of the audited entity’s confidentiality laws,
rules, or policies.
2.11: Integrity can accommodate the inadvertent error and the honest
difference of opinion; it cannot accommodate deceit or subordination of
the principles of fairness and objectivity to personal gains. In
applying the principle of integrity, it is essential that auditors
observe both the form and the spirit of the relevant ethical standards.
Objectivity:
2.12: The credibility of government auditing is based on auditors’
objective attitude in discharging their professional responsibilities.
Objectivity includes being independent in fact and appearance when
providing audit and attestation services, maintaining an attitude of
impartiality, having intellectual honesty, and being free of conflicts
of interest. It is crucial that auditors avoid conflicts that may in
fact or appearance impair auditors’ objectivity in performing the audit
or attestation engagement. Maintaining objectivity includes a
continuing assessment of relationships with audited entities and other
stakeholders in the context of the auditors’ responsibility to the
public.
Proper Use of Government Information, Resources, and Position:
2.13: Government information, resources, or positions are to be used
for official purposes and not misused for the auditor’s personal gain
or in a manner that would be contrary to the law or detrimental to the
legitimate interests of the audited entity or the audit organization.
This concept also includes the proper handling of sensitive or
classified information or resources.
2.14: In the government environment, the public’s right to the
transparency of government information has to be balanced with the
proper use of government information. To accomplish this balance, it is
important that auditors exercise prudence in the use of information
acquired in the course of their duties or as a result of professional
and business relationships. Auditors should not disclose any such
information to third parties without proper and specific authority,
unless there is a legal and professional right or obligation to
disclose.
2.15: As government accountability professionals, auditors are
accountable to the public for their own proper use and prudent
management of government resources. It is important that auditors
protect and conserve government resources and not use them for
other than authorized activities.
2.16: It is a fundamental responsibility of government auditors to
conduct themselves in such a manner that they do not misuse their
positions for personal gain. It is important that auditors not take any
action that could be perceived by a knowledgeable person as benefiting
their personal financial interests or those of an immediate or close
family member; a general partner; an organization for which the auditor
serves as an officer, director, trustee, or employee; or a person or
organization with which the auditor is negotiating or has an
arrangement concerning future employment. (See paragraph 3.06 through
3.09 for further discussion of personal impairments to independence.)
[End of chapter]
Chapter 3: General Standards:
Introduction:
3.01: This chapter establishes general standards and provides guidance
for performing financial audits, attestation engagements, [Footnote 19]
and performance audits under GAGAS. These general standards, along with
the overarching ethical concepts presented in chapter 2, establish a
foundation that adds credibility to auditors’ work. Credibility is
essential to all audit organizations performing work that government
leaders and others use for making decisions and achieving government
accountability. Credibility is what the public expects of information
provided by government auditors. These general standards emphasize the
independence of the audit organization and its individual auditors; the
exercise of professional judgment in the performance of work and the
preparation of related reports; the competence of audit staff; audit
quality control and assurance; and external peer reviews.
Independence:
3.02: In all matters relating to the audit work, the audit organization
and the individual auditor, whether government or public, must be free
both in fact and appearance from personal, external, and organizational
impairments to independence.
3.03: Auditors and audit organizations must maintain independence so
that opinions, conclusions, judgments, and recommendations will be
impartial and will be viewed as impartial by knowledgeable third
parties. Auditors have a responsibility to avoid situations that could
lead reasonable and objective third parties with knowledge of the
relevant facts and circumstances to conclude that the auditors are not
able to maintain independence and, thus, are not capable of exercising
objective and impartial judgment on all issues associated with
conducting the audit and reporting on the work.
3.04: When evaluating whether independence impairments exist either in
fact or appearance with respect to the entities for which audit
organizations perform audit or attestation services, audit
organizations consider three general classes of impairments to
independence--personal, external, and organizational. [Footnote 20] If
one or more of these impairments affects an individual auditor’s
capability to perform the work and report results impartially, the
auditor should either decline to perform the work—or in those
situations in which the auditor, because of a legislative requirement
or for other reasons,
cannot decline to perform the work—the auditors must disclose the
impairment or impairments in the scope section of the audit report.
3.05: When auditors use the work of a specialist, [Footnote 21]
auditors should assess the specialist’s ability to perform the work and
report results impartially. In conducting this assessment, auditors
should provide external specialists with the GAGAS independence
requirements and obtain representations from the specialist regarding
the specialist’s independence from the activity or program under audit.
Internal specialists who are members of the audit team should follow
the same standards and processes as the other members of the audit team.
Personal Impairments:
3.06: Auditors participating on an audit assignment must be free from
personal impairments to independence. [Footnote 22] Personal
impairments of staff members result from relationships and beliefs that
might cause auditors to limit the extent of the inquiry, limit
disclosure, or weaken or slant audit findings in any way. Individual
auditors should notify the appropriate officials within their audit
organizations if they have any personal impairments to independence.
Examples of personal impairments of individual auditors include, but
are not limited to, the following:
a. immediate family or close family member [Footnote 23] who is a
director or officer of the audited entity, or as an employee of the
audited entity, is in a position to exert direct and significant
influence over the entity or the program under audit;
b. financial interest that is direct, or is significant though
indirect, in the audited entity or program; [Footnote 24]
c. responsibility for managing an entity or decision making that could
affect operations of the entity or program being audited; for example
as a director, officer, or other senior position of the entity,
activity, or program being audited, or as a member of management
in any decision making, supervisory, or ongoing monitoring function for
the entity, activity, or program under audit;
d. concurrent or subsequent performance of an audit by the same
individual who maintained the official accounting records when such
services involved preparing source documents or originating data, in
electronic or other form; posting transactions (whether coded by
management or not coded); authorizing, executing, or consummating
transactions (for example, approving invoices, payrolls, claims, or
other payments of the entity or program being audited); maintaining an
entity’s bank account or otherwise having custody of the audited
entity’s funds; or otherwise exercising authority on behalf of the
entity, or having authority to do so;
e. preconceived ideas toward individuals, groups, organizations, or
objectives of a particular program that could bias the audit;
f. biases, including those induced by political, ideological, or social
convictions, that result from employment in, or loyalty to, a
particular type of policy, group, organization, or level of government;
and;
g. seeking employment during the conduct of the audit with an audited
organization or an individual or entity with a direct interest in the
outcome of the audit.
3.07: Audit organizations and auditors may encounter many different
circumstances or combination of circumstances that could create a
personal impairment. Therefore, it is impossible to identify every
situation that could result in a personal impairment. Accordingly,
audit organizations should include as part of their internal quality
control system procedures to identify personal impairments and help
ensure compliance with GAGAS independence requirements. At a minimum,
audit organizations should:
a. establish policies and procedures to identify personal impairments
to independence (see paragraph 3.06);
b. communicate the audit organization’s policies and procedures to all
auditors in the organization and help ensure understanding of the
policies and procedures through training or other means such as
auditors periodically acknowledging their understanding;
c. establish internal policies and procedures to monitor compliance
with the audit organization’s policies and procedures;
d. establish a disciplinary mechanism to promote compliance with the
audit organization’s policies and procedures;
e. stress the importance of independence and the expectation that
auditors will always act in the public interest; and;
f. maintain documentation of the steps taken to identify potential
personal independence impairments as well as actions taken to resolve
any impairments.
3.08: When the audit organization identifies a personal impairment to
independence prior to or during an audit, the audit organization should
take action to resolve the impairment in a timely manner. In situations
in which the personal impairment is applicable only to an individual
auditor on a particular assignment, the audit organization may be able
to mitigate the personal impairment by requiring the auditor to
eliminate the personal impairment. For example, the auditor could sell
a financial interest that created the personal impairment, or the audit
organization could remove that auditor from any work on that audit
assignment. If the personal impairment cannot be mitigated through
these means, the audit organization should withdraw from the audit. In
situations in which government auditors cannot withdraw from the audit,
they should follow the requirement in paragraph 3.04.
3.09: If the audit organization identifies a personal impairment to
independence after the audit report is issued, the audit organization
should assess the impact on the audit. The audit organization should
consider whether, given the impact on the audit, to notify regulatory
agencies that have jurisdiction over the audited entity and persons
known to be using the audit report about the independence impairment
and the impact on the audit. Auditors should make such notifications in
writing.
External Impairments:
3.10: Audit organizations must be free from external impairments to
independence. Factors external to the audit organization may restrict
the work or interfere with auditors’ ability to form independent and
objective opinions and conclusions. External impairments to
independence occur when auditors are deterred from acting objectively
and exercising professional skepticism by pressures, actual or
perceived, from management and employees of the audited entity or
oversight organizations. For example, under the following conditions,
auditors may not have complete freedom to make an independent and
objective judgment, thereby adversely affecting the audit:
a. external interference or influence that could improperly limit or
modify the scope of an audit or threaten to do so, including exerting
pressure to reduce inappropriately the extent of work performed in
order to reduce costs or fees;
b. external interference with the selection or application of audit
procedures or in the selection of transactions to be examined;
c. unreasonable restrictions on the time allowed to complete an audit
or issue the report;
d. restriction on access to records, government officials, or other
individuals needed to conduct the audit;
e. external interference over the assignment, appointment, and
promotion of audit personnel;
f. restrictions on funds or other resources provided to the audit
organization that adversely affect the audit organization’s ability to
carry out its responsibilities;
g. authority to overrule or to inappropriately influence the auditors’
judgment as to the appropriate content of the report;
h. threat of replacement over a disagreement with the contents of an
audit report, the auditors’ conclusions, or the application of an
accounting principle or other criteria; and;
i. influences that jeopardize the auditors’ continued employment for
reasons other than incompetence, misconduct, or the need for audit
services.
3.11: Audit organizations should include, as part of their internal
quality control system for compliance with GAGAS independence
requirements, internal policies and procedures for reporting and
resolving external impairments.
Organizational Independence:
3.12: In addition to the preceding paragraphs that address personal and
external impairments, a government audit organization’s ability to
perform the work and report the results impartially can be affected by
its place within government and the structure of the government entity
that the audit organization is assigned to audit as well as by nonaudit
services it has provided to audited entities. Whether performing work
to report externally to third parties outside the audited entity or
internally to top management within the audited entity, audit
organizations must be free from organizational impairments to
independence with respect to the entities they audit.
Organizational Independence When Reporting Externally to Third Parties:
3.13: Government auditors reporting externally to third parties can be
presumed to be free from organizational impairments to independence if
their audit organization is organizationally independent from the
audited entity. Government audit organizations can meet the requirement
for organizational independence in a number of ways.
3.14: First, a government audit organization reporting externally to
third parties may be presumed to be free from organizational
impairments to independence from the audited entity, if the audit
organization is:
a. assigned to a level of government other than the one to which the
audited entity is assigned (federal, state, or local), for example,
federal auditors auditing a state government program, or;
b. assigned to a different branch of government within the same level
of government as the audited entity; for example, legislative auditors
auditing an executive branch program.
3.15: Second, a government audit organization reporting externally to
third parties may also be presumed to be free from organizational
impairments if the audit organization’s head meets any of the following
criteria:
a. directly elected by voters of the jurisdiction being audited;
b. elected or appointed by a legislative body, subject to removal by a
legislative body, and reports the results of audits to and is
accountable to a legislative body;
c. appointed by someone other than a legislative body, so long as the
appointment is confirmed by a legislative body and removal from the
position is subject to oversight or approval by a legislative body,
[Footnote 25] and reports the results of audits to and is accountable to
a legislative body; or;
d. appointed by, accountable to, reports to, and can only be removed by
a statutorily created governing body, the majority of whose members are
independently elected or appointed and come from outside the
organization being audited.
3.16: In addition to the presumptive criteria in paragraphs 3.14 and
3.15, GAGAS recognize that there may be other organizational structures
under which a government audit organization could be considered to be
free from organizational impairments and thereby be considered
organizationally independent for reporting externally. These other
structures provide safeguards to prevent the audited entity from
interfering with the audit organization’s ability to perform the work
and report the results impartially. For an audit organization to be
considered free from organizational impairments for reporting
externally under a structure different from the ones listed in
paragraphs 3.14 and 3.15, the audit organization should have all of the
following safeguards:
a. statutory protections that prevent the abolishment of the audit
organization by the audited entity;
b. statutory protections that require that if the head of the audit
organization is removed from office, the head of the agency reports
this fact and the reasons for the removal to the legislative body;
c. statutory protections that prevent the audited entity from
interfering with the initiation, scope, timing, and completion of any
audit;
d. statutory protections that prevent the audited entity from
interfering with the reporting on any audit, including the findings,
conclusions, and recommendations, or the manner, means, or timing of
the audit organization’s reports;
e. statutory protections that require the audit organization to report
to a legislative body or other independent governing body on a
recurring basis;
f. statutory protections that give the audit organization sole
authority over the selection, retention, advancement, and dismissal of
its staff; and;
g. statutory access to records and documents that relate to the agency,
program, or function being audited and government officials or other
individuals needed to conduct the audit. [Footnote 26]
3.17: If the head of the audit organization concludes that the
organization meets all the safeguards listed in paragraph 3.16, the
audit organization may be considered free from organizational
impairments to independence when reporting the results of its audits
externally to third parties. In such situations, the audit organization
should document how the safeguards discussed in paragraph 3.16 were
satisfied and provide the documentation to those performing quality
control monitoring and to the external peer reviewers to determine
whether all the necessary safeguards have been met.
Organizational Independence When Reporting Internally to Management (as
an internal audit function):
3.18: Certain federal, state, or local government audit organizations
or audit organizations within other government entities employ auditors
to work for management of the audited entities. These auditors may be
subject to administrative direction from persons involved in the
government management process. Such audit organizations are internal
audit organizations and are encouraged to follow the IIA International
Standards for the Professional Practice of Internal Auditing. In
addition, under GAGAS, a government internal audit organization can be
presumed to be free from organizational impairments to independence
when reporting internally to management if the head of the audit
organization meets all of the following criteria:
a. accountable to the head or deputy head of the government entity or
to those charged with governance;
b. reports the results of the audit organization’s work to the head or
deputy head of the government entity and to those charged with
governance;
c. located organizationally outside the staff or line management
function of the unit under audit, and;
d. has access to those charged with governance.
3.19: If the conditions of paragraph 3.18 are met, the audit
organization may be considered free of organizational impairments to
independence to audit internally and report objectively to the entity’s
management and those charged with governance. Further distribution of
reports outside the organization may be made in accordance with
applicable law, rule, regulation, or policy. In these situations,
auditors must clearly disclose in their reports the fact that they are
auditing in their employing organizations.
3.20: The placement of the internal audit organization is essential so
that auditors are sufficiently removed from political pressures such
that they can conduct their audits objectively and report their
findings, opinions, and conclusions objectively without fear of
political repercussions. An internal audit organization’s independence
is enhanced when its personnel system for compensation, job tenure, and
advancement is based on performance.
3.21: The audit organization should report regularly to the entity’s
independent audit committee and/or the appropriate government oversight
body.
3.22: When internal audit organizations that are free of organizational
impairments to independence, under the criteria in paragraph 3.18,
perform audits external to the government entities to which they are
directly assigned, such as auditing contractors or outside party
agreements, and no personal or external impairments exist, they may be
considered independent of the audited entities and free to report
objectively to the heads or deputy heads of the government entities to
which they are assigned, to those charged with governance, and to
parties outside the organizations in accordance with applicable
law, rule, regulation, or policy.
3.23: The audit organization should document the conditions that allow
it to be considered free of organizational impairments to independence
to report internally and provide the documentation to those performing
quality control monitoring and to the external peer reviewers to
determine whether all the necessary safeguards have been met.
Organizational Independence When Performing Nonaudit Services:
3.24: Audit organizations at times perform other professional services
(nonaudit services) that are not performed in accordance with GAGAS.
Audit organizations that provide nonaudit services must evaluate
whether providing nonaudit services creates an independence impairment
either in fact or appearance with respect to entities they audit.
[Footnote 27] Based on the facts and circumstances, auditors exercise
professional judgment in determining whether a nonaudit service would
impair an audit organization’s independence with respect to entities
they audit. Auditors also exercise professional judgment in determining
whether any previously performed nonaudit services would impair an
audit organization’s independence with respect to entities they audit.
Those within the audit organization with sufficient knowledge,
experience, and competence to fully understand the current and future
issues the audit organization may face should make this determination.
3.25: Government audit organizations generally have broad audit
responsibilities and therefore should establish policies and procedures
for accepting engagements to perform nonaudit services so that
independence is not impaired with respect to entities they audit.
[Footnote 28] Independent public accountants may provide audit and
nonaudit services (commonly referred to as consulting) under
contractual commitments to an entity and should consider whether
nonaudit services they have provided or are committed to provide have a
significant or material effect on the subject matter of the audits.
3.26: Nonaudit services are an important consideration in an audit
organization’s internal quality control monitoring and its external
peer reviews. Audit organizations should disclose nonaudit services
described in paragraph 3.30b related to individual audits selected for
review in an internal inspection or peer review and provide the
documentation required by paragraphs 3.35a through 3.35e to
inspectors/reviewers.
Overarching Independence Principles:
3.27: The following two overarching principles apply to auditor
independence when assessing the impact of performing a nonaudit service
for audited entities: (1) audit organizations must not provide nonaudit
services that involve performing management functions or making
management decisions and (2) audit organizations must not audit their
own work or provide nonaudit services in situations where the nonaudit
services are significant/material to the subject matter of audits.
[Footnote 29]
3.28: In considering whether audits performed by the audit organization
can be significantly or materially affected by the nonaudit service,
audit organizations should evaluate (1) ongoing audits; (2) planned
audits; (3) requirements and commitments for providing audits, which
includes laws, regulations, rules, contracts, and other agreements; and
(4) policies placing responsibilities on the audit organization for
providing audit services.
3.29: If requested [Footnote 30] to perform nonaudit services that
would impair the audit organization’s ability to meet either or both of
the overarching independence principles for certain types of audit
work, the audit organization should inform the requestor and the
audited entity that performing the nonaudit service would impair the
auditor’s independence with regard to subsequent audit or attestation
engagements.
Types of Nonaudit Services:
3.30: Nonaudit services generally fall into one of the following
categories: [Footnote 31]
a. Nonaudit services that would not impair auditor independence with
respect to entities they audit and, therefore, do not require
compliance with the supplemental safeguards in paragraph 3.35. (See
paragraph 3.31 through 3.32.)
b. Nonaudit services that do not impair the audit organization’s
independence with respect to entities they audit as long as the
supplemental safeguards in paragraph 3.35 are complied with. (See
paragraph 3.33.)
c. Nonaudit services that would impair the audit organization’s
independence. Compliance with the supplemental safeguards will not
overcome this impairment. (See paragraph 3.34.)
Nonaudit Services That Do Not Impair Auditor Independence:
3.31: In this type of nonaudit service, auditors provide technical
advice based on the auditors’ technical knowledge and expertise. This
type of nonaudit service does not impair auditor independence with
respect to entities they audit and does not require the audit
organization to apply the supplemental safeguards. However, auditor
independence would be impaired if auditors made management decisions or
performed management functions.
3.32: Examples of the types of services in this category include the
following:
a. Participating in activities such as commissions, committees, task
forces, panels, and focus groups as an expert in a purely advisory, non-
voting capacity to:
(1) advise entity management on issues based on the knowledge and
skills of the auditors, and;
(2) address urgent problems or policy issues.
b. Providing tools and methodologies, such as guidance and good
business practices, benchmarking studies, and internal control
assessment methodologies that can be used by management.
c. Providing targeted and limited technical advice to the audited
entity and management to assist them in activities such as (1)
answering technical questions and/or providing training, (2)
implementing audit recommendations, (3) performing internal control
self assessments, and (4) providing information on good business
practices.
Nonaudit Services That Would Not Impair Independence if Supplemental
Safeguards Are Implemented.
3.33: These services would not impair the audit organization’s
independence with respect to the entities they audit so long as they
comply with the supplemental safeguards. Examples of the types of
services in this category include the following:
a. Providing basic accounting assistance limited to services such as
preparing draft financial statements that are based on management’s
chart of accounts and trial balance and any adjusting, correcting, and
closing entries that have been approved by management; preparing draft
notes to the financial statements based on information determined and
approved by management; preparing a trial balance based on management’s
chart of accounts; maintaining depreciation schedules for which
management has determined the method of depreciation, rate of
depreciation, and salvage value of the asset. [Footnote 32]
b. Providing payroll services when payroll is not material to the
subject matter of the audit or to the audit objectives. Such services
are limited to using records and data that have been approved by entity
management.
c. Providing appraisal or valuation services limited to services such
as reviewing the work of the entity or a specialist employed by the
entity where the entity or specialist provides the primary evidence for
the balances recorded in financial statements or other information that
will be audited; valuing an entity’s pension, other post-employment
benefits, or similar liabilities provided management has determined and
taken responsibility for all significant assumptions and data.
d. Preparing an entity’s indirect cost proposal33 or cost allocation
plan provided that the amounts are not material to the financial
statements and management assumes responsibility for all significant
assumptions and data.
e. Providing advisory services on information technology limited to
services such as advising on system design, system installation, and
system security if management, in addition to the safeguards in
paragraph 3.35, acknowledges responsibility for the design,
installation, and internal control over the entity’s system and does
not rely on the auditors’ work as the primary basis for determining (1)
whether to implement a new system, (2) the adequacy of the new system
design, (3) the adequacy of major design changes to an existing system,
and (4) the adequacy of the system to comply with regulatory or other
requirements.
f. Providing human resource services to assist management in its
evaluation of potential candidates when the services are limited to
activities such as serving on an evaluation panel of at least three
individuals to review applications or interviewing candidates to
provide input to management in arriving at a listing of best qualified
applicants to be provided to management.
g. Preparing routine tax filings in accordance with federal tax laws,
rules, and regulations of the Internal Revenue Service, and state and
local tax authorities, and any other applicable tax laws that do not
violate the overarching independence principles. For example, preparing
tax returns, including IRS form 990, “Return of Organization Exempt
from Income Tax,” based on information provided by the audited entity,
providing advice on deposits due to a taxing authority, and
representing an audit entity in IRS matters such as in an IRS audit or
in obtaining IRS rulings or other agreements, ordinarily would be
included in this category of nonaudit services. [Footnote 34]
h. Documenting existing processes and internal controls.
Nonaudit Services That Impair Independence:
3.34: Compliance with the supplemental safeguards will not overcome
independence impairments in this category. By their nature, certain
nonaudit services directly support the entity’s operations and impair
the audit organization’s ability to meet either or both of the
overarching independence principles in paragraph 3.27 for certain types
of audit work.
Examples of the types of services under this category include the
following:
a. Maintaining or preparing the audited entity’s basic accounting
records or maintaining or taking responsibility for basic financial or
other records that the audit organization will audit.
b. Posting transactions (whether coded or not coded) to the entity’s
financial records or to other records that subsequently provide input
to the entity’s financial records.
c. Determining account balances or determining capitalization criteria.
d. Designing, developing, installing, or operating the entity’s
accounting system or other information system that are material or
significant to the subject matter of the audit.
e. Providing payroll services that (1) are material to the subject
matter of the audit or the audit objectives, and/or (2) involve making
management decisions.
f. Providing appraisal or valuation services that exceed the scope
described in paragraph 3.33 c.
g. Recommending a single individual for a specific position that is key
to the entity or program under audit, or otherwise ranking or
influencing management’s selection of the candidate; or conducting an
executive search or a recruiting program for the audited entity.
h. Developing an entity’s performance measurement system when that
system is material or significant to the subject matter of the audit.
i. Performing the entity’s internal control self-assessment process or
developing the internal control system.
j. Developing an entity’s policies, procedures, and internal controls.
k. Providing services that are used as management’s primary basis for
making decisions that are significant to the subject matter under
audit.
l. Internal audit functions, when performed by external auditors.
m. Serving as voting members of an entity’s management committee or
board of directors, making policy decisions that affect future
direction and operation of an entity’s programs, supervising entity
employees, developing programmatic policy, authorizing an entity’s
transactions, or maintaining custody of an entity’s assets. [Footnote
35]
Supplemental Safeguards for Maintaining Auditor Independence When
Performing Nonaudit Services Described in Paragraph 3.33:
3.35: Performing nonaudit services described in paragraph 3.33 will not
impair independence if the overarching independence principles stated
in paragraph 3.27 are not violated. For these nonaudit services, the
audit organization must comply with the following safeguards.
a. The audit organization documents its consideration of the nonaudit
services, including its conclusions about the impact on independence.
b. Before performing nonaudit services, the audit organization
establishes and documents an understanding with the audited entity
regarding the objectives, scope of work, and product or deliverables of
the nonaudit service. The audit organization also establishes and
documents an understanding with the audited entity that its management
is responsible for (1) the subject matter of the nonaudit services, (2)
the substantive outcomes of the work, (3) making any decisions that
involve management functions related to the nonaudit service and
accepting full responsibility for such decisions.
c. The audit organization precludes personnel who provided the nonaudit
services from planning, conducting, or reviewing audit work of the
subject matter of the nonaudit service under the overarching
independence principle that auditors must not audit their own work.
[Footnote 36]
d. The audit organization does not reduce the scope and extent of the
audit work below the level that would be appropriate if the nonaudit
work were performed by an unrelated party.
e. The audit organization’s quality control systems for compliance with
independence requirements should include: (1) policies and procedures
to consider the effect on the ongoing, planned, and future audits when
deciding whether to provide nonaudit services, and (2) a requirement to
document the understanding with management of the audited entity
discussed above. The understanding should be communicated to management
in writing and can be included in the engagement letter. In addition,
the documentation should specifically identify management’s
responsibilities discussed above.
Professional Judgment:
3.36: Auditors must use professional judgment, including professional
skepticism and reasonable care and diligence, in planning and
performing audits and attestation engagements and in reporting the
results.
3.37: As a key component of professional judgment, auditors exercise
professional skepticism, which is an attitude that includes a
questioning mind and a critical assessment of evidence. Professional
skepticism includes a mindset where auditors neither assume that
management is dishonest nor of unquestioned honesty, and auditors
are not to be satisfied with less than persuasive evidence because of a
belief that management is honest.
3.38: Auditors use their professional knowledge, skills, and experience
to diligently perform, in good faith and with integrity, the gathering
of information and the objective evaluation of the sufficiency and
appropriateness of evidence. Professional judgment and competence are
interrelated, since judgments made are dependent upon the competence
of personnel.
3.39: Professional judgment represents the application of the
collective knowledge, skills, and experiences of all the personnel
involved with an audit engagement, as well as the professional judgment
of individual auditors. In addition to personnel directly involved in
the audit, professional judgment may involve collaboration with other
stakeholders, outside experts, and management in the audit
organization.
3.40: Auditors use professional judgment in all aspects of carrying out
professional responsibilities, including following the independence
standards, maintaining objectivity and credibility, assigning competent
audit staff to the engagement, and maintaining appropriate quality
control over the engagement process.
3.41: Auditors also use professional judgment in planning and
performing a GAGAS audit, including determining the type of assignment
to be performed and the standards that apply to the work; defining the
scope of work; selecting the methodology; determining criteria suitable
to the audit objectives; determining the type and amount of data or
information to be gathered; selecting and performing the tests and
procedures; assessing the appropriateness of information and
sufficiency of evidence obtained; and evaluating and reporting the
results of the work.
3.42: Auditors use professional judgment in determining the required
level of the understanding of the audit subject matter and related
circumstances. This includes consideration about whether their
collective experience, training, knowledge, skills, abilities, and
overall understanding are sufficient to assess the risks that the
subject matter under audit may contain a significant inaccuracy or
could be misinterpreted.
3.43: Auditors also consider the risk level of each assignment,
including the risk that they may come to an improper conclusion. Within
the context of this overall audit risk, auditors exercise professional
judgment in determining the sufficiency and appropriateness of
information to be used to support the findings and conclusions based on
the audit objectives and any recommendations reported.
3.44: By its nature, the exercise of professional judgment is
subjective. As such, auditors should document significant decisions
affecting the audit’s objectives, scope, methodology, and findings;
conclusions, and recommendations resulting from professional judgment.
Since professional judgment is subjective, different auditors may
differ as to the audit approach.
3.45: While this standard places responsibility on each auditor and
audit organization to exercise professional judgment in planning and
performing an assignment, it does not imply unlimited responsibility,
nor does it imply infallibility on the part of either the individual
auditor or the audit organization. Absolute assurance is not attainable
because of the nature of evidence and the characteristics of fraud.
Professional judgment does not mean eliminating all possible
limitations or weaknesses associated with a specific audit, but rather
identifying, considering, minimizing, mitigating, and explaining
them.
Competence:
3.46: The staff assigned to perform the audit or attestation engagement
must collectively possess adequate professional competence for the
tasks required.
3.47: Competence is an essential dimension of the human capital
management component of an audit organization’s system of quality
control. (See paragraph 3.61c.) The audit organization’s management
should assess skill needs to consider whether its workforce has the
essential skills that match those necessary to successfully achieve the
audit mandate or scope of audits to be performed. Accordingly, audit
organizations should have a process for recruitment, hiring, continuous
development, assignment, performance evaluation, advancement and
compensation of staff to assist the organization in maintaining a
workforce that has adequate competence. The nature, extent, and
formality of the process will depend on various factors such as the
size of the audit organization, its work, and its structure.
3.48: Competence is derived from a synthesis of education and
experience. It begins with a mastery of the common body of knowledge.
Competencies are not necessarily measured by years of auditing
experience because such a quantitative measurement may not accurately
reflect the kinds of experiences gained by an auditor in any given time
period. Auditors maintain competence through a commitment to learning
and development throughout an auditor’s professional life. Competence
enables an auditor to make sound professional judgments.
3.49: In planning or performing an audit, auditors may employ the
skills and knowledge of a specialist to assist with complex or
subjective issues.
3.50: Auditors have a continuing duty to maintain professional
knowledge and skill to provide competent professional service based on
current developments in applicable technical and professional standards
practice, legislation, and techniques.
Technical Knowledge and Competence:
3.51: Staff members assigned to conduct an audit or attestation
engagement under GAGAS must collectively possess the technical
knowledge, skills, and experience necessary to be competent for the
type of work being performed before beginning work on that assignment.
In assigning personnel to engagements, audit organizations consider
the workload requirements of an engagement, the skills, competence, and
experience needed in relation to the complexity or other needs of an
engagement, and the extent of supervision to be provided. Staff members
should collectively possess:
a. knowledge of GAGAS applicable to the type of work they are assigned
and the education, skills, and experience to apply such knowledge to
the work being performed;
b. general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c. skills to communicate clearly and effectively, both orally and in
writing; and;
d. skills appropriate for the work being performed. For example:
(1) staff or specialists with statistical sampling skills if the work
involves use of statistical sampling;
(2) staff or specialists with information technology skills if the work
involves review of information systems;
(3) staff or specialists with engineering skills if the work involves
review of complex engineering data;
(4) staff or specialists with skills in specialized audit methodologies
or analytical techniques, such as the use of complex survey
instruments, actuarial-based estimates, or statistical analysis tests,
if the work calls for such skills; or;
(5) staff or specialists with skills in specialized subject matters,
such as scientific, medical, environmental, educational, or any other
specialized subject matter, if the work calls for such expertise.
Additional Qualifications for Financial Audits and Attestation
Engagements:
3.52: Auditors performing financial audits in which U.S. auditing
standards for nonissuers are to be followed should be knowledgeable in
generally accepted accounting principles (GAAP) and the AICPA’s
generally accepted auditing standards for field work and reporting and
the related Statements on Auditing Standards (SAS) and any other
accounting principles or basis of accounting used, and they should be
competent in applying these standards and SAS to the task assigned.
Also, if auditors use GAGAS in conjunction with standards of the IAASB
or PCAOB, they should be knowledgeable and competent in applying these
standards.
3.53: Similarly, for attestation engagements in which U.S. attestation
engagement standards are to be followed, GAGAS incorporate the AICPA’s
attestation standards. Auditors should be knowledgeable in the AICPA
general attestation standard related to criteria and the AICPA
attestation standards for field work and reporting and the related
Statements on Standards for Attestation Engagements (SSAE), and they
should be competent in applying these standards and SSAE to the task
assigned.
3.54: Auditors engaged to perform financial audits or attestation
engagements should be licensed certified public accountants or persons
working for a licensed certified public accounting firm or a government
auditing organization. Public accountants and accounting firms are also
subject to licensing requirements provisions of public accountancy law
and rules of the jurisdiction(s) where the audit is being performed, and
the jurisdiction(s) in which the public accountants and their firms are
licensed.
Continuing Professional Education:
3.55: Auditors performing work under GAGAS, including planning,
directing, performing field work, or reporting on an audit or
attestation engagement under GAGAS, must maintain their professional
competence through continuing professional education (CPE). Therefore,
each auditor performing work under GAGAS should complete, every 2
years, at least 80 hours of CPE that enhance the auditor’s professional
proficiency to perform audits and/or attestation engagements. Auditors
should take subjects directly related to government auditing, the
government environment, or the specific or unique environment in which
the audited entity operates for at least 24 of the 80 hours of CPE.
[Footnote 37] Auditors should complete at least 20 hours of the 80 in
any 1 year of the 2-year period.
3.56: CPE programs are structured educational activities with learning
objectives designed to maintain or enhance participants’ knowledge,
skills, and abilities in areas applicable to performing audits or
attestation engagements. Determining what subjects are appropriate for
individual auditors to satisfy both the 80-hour and the 24-hour
requirements is a matter of professional judgment to be exercised by
auditors in consultation with appropriate officials within their audit
organizations. Among the considerations in exercising that judgment are
the auditors’ experience, the responsibilities they assume in
performing GAGAS audits or attestation engagements, and the operating
environment of the audited entity.
3.57: Individual auditors have primary responsibility for improving
their competencies and for meeting CPE requirements. The audit
organization should have quality control procedures to help ensure that
auditors meet the continuing education requirements, including
documentation of the CPE completed. GAO has developed guidance
pertaining to CPE requirements to assist auditors and audit
organizations in exercising professional judgment in complying with the
CPE requirements.[Footnote 38]
3.58: External specialists assisting in performing a GAGAS assignment
should be qualified and should maintain professional competence in
their areas of specialization but are not required to meet the CPE
requirements described here. However, auditors who use the work of
external specialists should assess the professional qualifications of
such specialists and document their findings and conclusions. Internal
specialists who are part of the audit organization and perform as a
member of the audit team, should comply with GAGAS, including the CPE
requirements.
Quality Control and Assurance:
3.59: Each audit organization performing audits and/or attestation
engagements in accordance with GAGAS must have an internal quality
control system in place that is designed to provide reasonable
assurance that the organization and its personnel comply with
professional standards and regulatory and legal requirements, and that
reports issued are in accordance with professional standards.
System of Quality Control:
3.60: An audit organization’s system of quality control encompasses the
audit organization’s structure and the policies adopted and procedures
established to provide the organization with reasonable assurance of
complying with applicable professional standards governing audits and
attestation engagements. The audit organization should design the
nature, extent, and formality of its quality control policies and
procedures to be appropriately comprehensive and suitably designed in
relation to the audit organization’s size, number of offices, the
knowledge and experience of its personnel, the nature and complexity of
the audit work, and appropriate cost-benefit considerations. Thus, the
systems established by individual audit organizations and the extent of
their documentation of the systems will vary based on an audit
organization’s circumstances.
3.61: An audit organization should include policies and procedures in
its system of quality control addressing each of the following
elements:
a. Ethics: Policies and procedures designed to provide reasonable
assurance that the audit organization and its personnel comply with
relevant ethical concepts which include: the public interest;
professional behavior; integrity; objectivity; and proper use of
government information, resources, and position. (See chapter 2 for the
overarching ethical concepts that apply to auditors in conducting their
work in accordance with GAGAS.)
b. Initiation and continuance of audit and attest engagements: Policies
and procedures for the initiation and continuance of audit work,
designed to provide reasonable assurance that the audit organization
will only undertake or continue relationships and engagements where it:
(1) is competent to perform the engagement and has the capabilities,
time and resources to do so;
(2) is independent and can comply with professional standards and
ethical principles; and;
(3) is within the legal mandate or authority of the audit organization.
c. Human capital management: Policies and procedures designed to
provide the audit organization with reasonable assurance that it has
sufficient personnel with the competence necessary to perform its
engagements in accordance with professional standards and regulatory
and legal requirements, and to enable the audit organization to issue
reports that are appropriate in the circumstances. Policies and
procedures related to competence of personnel address the following:
(1) recruitment of qualified personnel;
(2) assignment of personnel with the competence and independence39
needed for specific engagements;
(3) performance evaluation, professional development, continuing
professional education, promotion, and compensation.
d. Engagement performance and reporting: Policies and procedures
designed to provide the audit organization with reasonable assurance
that engagements are performed in accordance with professional
standards and regulatory and legal requirements, and that the audit
organization issues reports that are appropriate in the circumstances
include the following:
(1) information and communication provided to engagement teams so that
team members sufficiently understand the objectives of their work;
(2) processes for engagement planning and supervision;
(3) processes for complying with applicable engagement-related
standards;
(4) reviewing the work performed, the significant judgments made and
the resulting report;
(5) appropriate documentation of the work performed and review of audit
documentation, including appropriate management-level reviews;
(6) communication at the appropriate professional level with
individuals within or outside the audit organization to resolve a
difficult or contentious matter;
(7) procedures for resolving disagreements among team members and
between the team and those consulted; and;
(8) reporting that is appropriate to circumstances associated with the
engagement, is supported by the work performed, and is in accordance
with applicable professional standards and regulatory and legal
requirements.
e. Monitoring of quality: Policies and procedures designed to provide
management of the audit organization with reasonable assurance that the
policies and procedures relating to the system of quality control are
suitably designed and operating effectively in practice. Audit
organizations should have monitoring procedures that include an ongoing
consideration and evaluation of the audit organization’s system of
quality control for achieving the objectives in (a) through (d) above,
including:
(1) relevance and adequacy of the organization’s policies and
procedures;
(2) appropriateness of the organization’s guidance materials, and;
(3) compliance with the organization’s policies and procedures.
3.62: Where practical, audit organizations are strongly encouraged to
implement monitoring procedures that include the enhanced quality
assurance criteria discussed in paragraph 3.70.
3.63: Each audit organization should prepare documentation for its
system of quality control as well as documentation to demonstrate
compliance with its policies and procedures for a period of time
sufficient to enable those performing monitoring procedures and peer
reviews to evaluate the extent of the audit organization’s compliance
with the quality control policies and procedures. The form and content
of such documentation is a matter of judgment.
External Peer Review:
3.64: Audit organizations performing audits and attestation engagements
in accordance with GAGAS must have an external peer review of their
auditing and attestation engagement practices in accordance with the
time frames set forth in paragraph 3.69. [Footnote 40]
3.65: The external peer review must determine whether, during the
period under review, the reviewed audit organization’s internal quality
control system was adequate and whether quality control policies and
procedures, including the monitoring process, were being complied with
to provide the audit organization with reasonable assurance of
conforming with applicable professional standards. Audit organizations
should take remedial, corrective actions as needed based on the results
of the peer review.
3.66: Members of the external peer review team should meet the
following requirements:
a. The review team collectively has current knowledge of GAGAS and of
the government environment relative to the work being reviewed.
b. Each review team member is independent (as defined in GAGAS) of the
audit organization being reviewed, its staff, and the audits and
attestation engagements selected for the external peer review. A review
team or a member of the review team does not review the audit
organization that conducted its audit organization’s most recent
external peer review.
c. The review team collectively has sufficient knowledge of how to
perform a peer review. Such knowledge may be obtained from on-the-job
training, training courses, or a combination of both. Having personnel
on the peer review team with prior experience on a peer review or
internal inspection team is desirable.
3.67: Audit organizations should obtain a peer review that meets the
following requirements:
a. The peer review includes a review of the audit organization’s
internal quality control policies and procedures, including related
monitoring procedures, audit and attestation engagement reports, audit
and attest documentation, and other necessary documents (for example,
independence documentation, CPE records, and personnel management
files related to compliance with hiring, performance evaluation,
advancement, compensation, and assignment policies). The review also
includes interviews with various levels of the reviewed audit
organization’s professional staff to assess their understanding of and
compliance with relevant quality control policies and procedures.
b. The review team uses one of the following approaches to selecting
audits and attestation engagements for review: (1) select audits and
attestation engagements that provide a reasonable cross-section of the
assignments performed by the reviewed audit organization in accordance
with GAGAS or (2) select audits and attestation engagements that
provide a reasonable cross-section of the reviewed audit organization’s
work subject to its quality control system, including assignments
performed in accordance with GAGAS. [Footnote 41]
c. The peer review is sufficiently comprehensive to provide a
reasonable basis for concluding whether the reviewed audit
organization’s system of quality control was complied with to provide
the organization with reasonable assurance of conforming with
professional standards in the conduct of its work, and the peer review
includes consideration of the adequacy and results of the reviewed
audit organization’s monitoring efforts.
d. The review team prepares a written report(s) communicating the
results of the external peer review. The report indicates the scope of
the review, including any limitations thereon, and includes an opinion
on whether the system of quality control of the reviewed audit
organization’s audit and/or attestation engagement practices was
adequately designed based on specified standards or criteria and
whether the audit organization’s quality control policies and
procedures were being complied with during the year reviewed to provide
the audit organization with reasonable assurance of conforming with
professional standards. The report states the professional standards or
criteria to which the reviewed audit organization is being held. The
report also describes the reasons for any modification of the opinion.
When there are matters that resulted in a modification to the opinion,
the report includes a detailed description of the findings and
recommendations, either in the peer review report or in a separate
letter of comment, to enable the reviewed audit organization to take
appropriate actions. The written report refers to the letter of comment
if such a letter is issued along with a modified report.
3.68: An audit organization that reports externally to third parties
should make the results of its most recent external peer review
publicly available; for example, by posting the peer review opinion on
an external Web site. [Footnote 42] Internal audit organizations that
report internally to management should provide a copy of the external
peer review report to those charged with governance. Government audit
organizations should also transmit their external peer review reports
to appropriate oversight bodies. [Footnote 43]
3.69: Audit organizations should have an external peer review conducted
according to the following time frames:
a. within 18 months, if the most recent external peer review opinion is
adverse or modified, with continued peer reviews every 18 months until
the audit organization receives an unmodified opinion;
b. every 3 years if the audit organization has an unmodified peer
review opinion from its recent peer review, and does not qualify for or
does not elect a 5-year period; or;
c. every 5 years if the audit organization’s most recent external peer
review opinion was unmodified and the audit organization elects to meet
the enhanced quality assurance and other criteria in paragraph 3.70.
[Footnote 44]
3.70: The following represents the enhanced quality assurance criteria
for audit organizations that elect a 5-year peer review cycle. Audit
organizations that do not elect a 5-year peer review cycle are strongly
encouraged to adopt these criteria as a means to strengthen quality
assurance. In order to qualify for a 5-year peer review cycle, the audit
organization should meet the following criteria:
a. The audit organization makes public on its Web site a description of
the overall system of quality assurance used to provide the
organization with reasonable assurance of complying with applicable
standards governing audits and attestation engagements. [Footnote 45]
The audit organization provides the description of its system of
quality assurance to the oversight organization’s bodies who receive
the external peer review report under paragraph 3.68.
b. The audit organization has an effective annual internal [Footnote
46] quality inspection process that meets the following criteria:
(1) The objective of the inspection process is to evaluate the adequacy
of the audit organization’s quality control policies and procedures,
and the extent of the audit organization’s compliance with its quality
control policies and procedures.
(2) The annual inspection includes the following elements:
1. a review of selected administrative and personnel records pertaining
to the quality control elements of independence and human capital
management;
2. a review of audit documentation for an appropriately sized,
representative sample of engagements and reports by qualified
management-level individuals and other audit personnel who are not
directly associated with the performance of the engagement;
3. discussions or interviews with the audit organization’s personnel;
4. a summary of the findings from the inspection procedures in a formal
report to top management of the audit organization;
5. a discussion in the report of the systemic causes of any findings
that indicate improvements are needed and recommendations for
corrective actions to be taken or improvements to be made with respect
to the specific engagements reviewed and the audit organization’s
quality control policies and procedures;
6. communication of the identified findings to the appropriate
management officials and personnel of the audit organization;
7. consideration of inspection findings by appropriate management
personnel of the audit organization who are in a position to take
actions necessary, including necessary modifications to the quality
control system, on a timely basis; and;
8. retention of appropriate inspection documentation at least until the
completion of the next peer review.
(3) The audit organization annually makes public a written assertion
about the effectiveness of its internal quality assurance program,
which is consistent with the results of the monitoring and inspection
processes and is provided to the peer reviewers as part of the peer
review process. [Footnote 47] Government audit organizations should
also transmit their written assertions to their oversight
organizations, councils, or
committees.
c. The audit organization’s most recent external peer review included a
review of the effectiveness of the audit organization’s annual
inspection process, and the peer reviewers identified no significant
deficiencies in the internal quality inspection process.
d. The audit organization determines whether it qualifies for the 5-
year peer review cycle and documents the rationale for its decision if
it believes it qualifies. The audit organization may consult with its
external peer reviewers in making this determination.
3.71: Information in external peer review reports and letters of
comment may be relevant to decisions on procuring audit or attestation
engagement services. Therefore, audit organizations seeking to enter
into a contract to perform an assignment in accordance with GAGAS
should provide the following to the party contracting for such
services:
a. the audit organization’s most recent external peer review report and
any letter of comment, and;
b. any subsequent peer review reports and letters of comment received
during the period of the contract.
3.72: Auditors who are relying on another audit organization’s work
should request a copy of the audit organization’s latest peer review
report and any letter of comment, and the audit organization should
provide these documents when requested.
[End of chapter]
Chapter 4: Field Work Standards for Financial Audits:
Introduction:
4.01: This chapter establishes field work standards and provides
guidance for financial audits conducted in accordance with generally
accepted government auditing standards (GAGAS). For financial audits,
GAGAS incorporate the AICPA’s field work and reporting standards and
the related statements on auditing standards unless specifically
excluded or modified by GAGAS. [Footnote 48] This chapter identifies
the AICPA field work standards and prescribes additional standards for
financial audits performed in accordance with GAGAS.
4.02: See paragraphs 1.16 through 1.18 for a discussion about the use
of GAGAS with other financial audit standards.
4.03: See paragraphs 1.24 through 1.27 for an overall description of
the nature and objectives of financial audits.
AICPA Field Work Standards:
4.04: The three AICPA generally accepted standards of field work are as
follows:
a. The auditor must adequately plan the work and must properly
supervise any assistants.
b. The auditor must obtain a sufficient understanding of the entity and
its environment, including its internal control [Footnote 49] to assess
the risk of material misstatement [Footnote 50] of the financial
statements whether due to error or fraud, and to design the nature,
timing, and extent of further audit procedures.
c. The auditor must obtain sufficient appropriate audit evidence by
performing procedures to afford a reasonable basis for an opinion
regarding the financial statements under audit.
Additional Considerations for Financial Audits in Government:
4.05: Additional considerations for financial audits in government
apply in audits of a government entity or an entity that receives
government awards. For example, auditors may need to set lower
materiality levels than in audits in the private sector because of
the public accountability of the audited entity, various legal and
regulatory requirements, and the visibility and sensitivity of
government programs. In applying professional judgment when applying
auditing standards, auditors also consider the needs of users and the
concerns of oversight officials regarding previously identified risks,
previously reported deficiencies in internal control of the audited
entity, and current and emerging risks and uncertainties facing the
government entity or program.
4.06: An important element of financial audits in government is the
reporting of deficiencies in internal control so that the audited
entity can take corrective actions necessary under the circumstances.
(See paragraphs 5.13 through 5.18.) A deficiency in internal control
exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their
assigned functions, to prevent or detect misstatements on a timely
basis. A deficiency in design exists when (a) a control necessary to
meet the control objective is missing or (b) an existing control
is not properly designed so that, even if the control operates as
designed, the control objective is not met. A deficiency in operation
exists when a properly designed control does not operate as designed,
or when the person performing the control does not possess the
necessary authority or qualifications to perform the control
effectively.
Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees:
4.07: Under both the AICPA standards [Footnote 51] and GAGAS, auditors
should plan and perform the audit to obtain reasonable assurance
[Footnote 52] about whether the financial statements are free of
material misstatement, whether caused by error or fraud. [Footnote 53]
Auditors conduct the audit with a mindset that recognizes the
possibility that a material misstatement due to potential fraud could
be present. However, absolute assurance is not attainable and thus
even a properly planned and performed audit may not detect a material
misstatement resulting from fraud.
4.08: Auditors should design the audit to provide reasonable assurance
of detecting material misstatements resulting from direct and material
illegal acts. [Footnote 54] Auditors also consider the possibility that
indirect illegal acts may have occurred. If specific information comes
to the auditors’ attention that provides evidence concerning the
existence of possible illegal acts that could have a material indirect
effect on the financial statements, the auditors should apply audit
procedures specifically directed to ascertaining (1) whether an illegal
act has occurred [Footnote 55] and (2) the potential financial
statement effect.
Additional GAGAS Standards:
4.09: GAGAS establish field work standards for financial audits in
addition to the requirements contained in the AICPA SAS. Auditors
should comply with these additional standards when citing GAGAS in
their audit reports. The additional GAGAS standards relate to:
a. auditor communication (see paragraphs 4.10 through 4.15);
b. previous audits and attestation engagements (see paragraphs 4.16
through 4.17);
c. detecting material misstatements resulting from violations of
contract provisions or grant agreements, or from abuse (see paragraphs
4.18 through 4.20);
d. developing elements of a finding (see paragraph 4.21); and;
e. audit documentation (see paragraphs 4.22 through 4.41).
Auditor Communication:
4.10: Auditors should communicate information regarding their
responsibilities under GAGAS and the level of assurance to those
charged with governance and to the individuals contracting for or
requesting the audit and document the communications.
4.11: Under AICPA standards and GAGAS, auditors should establish a
written understanding with those charged with governance [Footnote 56]
and communicate with audit committees. Under GAGAS, auditors should
communicate specific information in writing during the planning stages
of a financial audit, including any potential restriction of the
auditors’ reports, to reduce the risk that the needs or expectations of
the parties involved may be misinterpreted. Auditors use professional
judgment when determining the form, content, and frequency of the
communication. Auditors may use an engagement letter or a proposal, if
appropriate, to communicate the information.
4.12: When auditors perform the audit under a contract with a party
other than the officials of the audited entity, or pursuant to a third-
party request, auditors should also communicate in writing with the
individuals contracting for or requesting the audit, such as
contracting officials or members or staff of legislative committees, in
addition to communicating with the audited entity. When auditors are
performing the audit pursuant to a law or regulation and they are
conducting the work directly for the legislative committee who has
oversight for the audited entity, auditors should communicate with
the members or staff of that legislative committee. Auditors should
coordinate communications with the responsible government audit
organization and/or management of the audited entity. If an audit is
terminated before it is completed, auditors should write a memorandum
for the audit documentation that summarizes the results of the work and
explains the reasons why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should consider the
need to communicate the reason for terminating the audit to those
charged with governance, management of the audited entity, the entity
requesting the audit, and other appropriate officials, preferably in
writing.
4.13: When communicating responsibilities under GAGAS and the level of
assurance provided, auditors should specifically address their planned
work and reporting responsibilities related to testing internal control
over financial reporting and compliance with laws, regulations, and
provisions of contracts or grant agreements. During the planning stages
of an audit, auditors should communicate their responsibilities for
testing and reporting on internal control over financial reporting and
compliance with laws, regulations, and provisions of contracts or grant
agreements. Auditors should also communicate the nature of any
additional testing of internal control and compliance required by laws,
regulations, and provisions of contracts or grant agreements, or
otherwise requested, and whether the auditors will provide opinions on
internal control over financial reporting and compliance with laws,
regulations, and provisions of contracts or grant agreements.
4.14: Under financial auditing standards, tests of internal control
over financial reporting and compliance with laws, regulations, and
provisions of contracts or grant agreements in a financial statement
audit contribute to the evidence supporting the auditors’ opinion
on the financial statements or other conclusions regarding financial
data. However, such tests generally are not sufficient in scope to
provide an opinion on the effectiveness of internal control over
financial reporting or compliance with laws, regulations, and
provisions of contracts or grant agreements. To meet certain audit
report users’ needs, laws and regulations sometimes prescribe testing
and reporting on internal control over financial reporting and
compliance with laws, regulations, and provisions of contracts and
grant agreements to supplement coverage of these areas. [Footnote 57]
4.15: Even after auditors perform and report the results of additional
tests of internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts and grant agreements,
those charged with governance, officials of the audited entity or
individuals contracting for or requesting the audit may desire
additional procedures or reporting. Auditors may meet these needs by
performing further tests of internal control and compliance with laws,
regulations, and provisions of contracts or grant agreements as an
attestation engagement (see chapter 6), or a performance audit (see
chapters 7 and 8), to achieve these objectives.
Previous Audits and Attestation Engagements:
4.16: When planning the audit, auditors should determine whether the
results of previous audits and attestation engagements that directly
relate to the objectives of the audit being undertaken have an impact
on the current engagement, including whether related recommendations
have been implemented.
4.17: Auditors should identify previous financial audits, attestation
engagements, performance audits, or other studies related to the
objectives of the audit being undertaken and ask management of the
audited entity to identify corrective actions taken to address
significant findings and recommendations, [Footnote 58] including those
related to
significant deficiencies, including material weaknesses. [Footnote 59]
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from Abuse:
4.18: The standard related to violations of contract provisions or
grant agreements or abuse for financial audits performed in accordance
with GAGAS is:
a. Auditors should design the audit to provide reasonable assurance of
detecting misstatements resulting from violations of provisions of
contracts or grant agreements that have a material effect on the
determination of financial statement amounts or other financial data
significant to the audit objectives.
b. If during the course of the audit, auditors become aware of
indications of abuse that could be quantitatively or qualitatively
material, auditors should apply audit procedures specifically directed
to ascertain whether material abuse has occurred and the potential
effect on the financial statements or other financial data significant
to the audit objectives. Based on the facts and circumstances, the
auditors may find it helpful to identify specific risks, situations, or
transactions that are susceptible to abuse. In addition, auditors
remain alert throughout the audit to situations or transactions that
could be indicative of abuse. However, because the determination of
abuse is subjective, auditors are not required to provide reasonable
assurance of detecting abuse.
4.19: Abuse involves behavior that is deficient or improper when
compared with behavior that a prudent person would consider reasonable
and necessary business practice given the facts and circumstances.
Abuse also includes misuse of authority or position for personal
financial interests or those of an immediate or close family member or
business partner. Abuse is distinct from fraud, illegal acts, and
violations of provisions of contracts or grant agreements in that abuse
does not necessarily involve violation of laws, regulations, or
provisions of a contract or grant agreement. If auditors encounter such
situations, they should assess the risk of whether these situations or
transactions could be indicative of qualitatively or quantitatively
material abuse. When information comes to the auditors’ attention
(through audit procedures, allegations received through a fraud
hotline, or other means) indicating that material abuse may have
occurred, auditors should perform audit procedures, as necessary, to
(1) determine whether the abuse occurred and, if so, (2) determine its
effect on the financial statements or other financial data. Auditors
assess both quantitative and qualitative factors in making judgments
regarding the materiality of possible abuse.
4.20: In pursuing indications of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should avoid interfering with potential investigations and/or
legal proceedings. In some circumstances, laws, regulations, or
policies require auditors to report indications of certain types of
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse to law enforcement or investigatory
authorities before performing additional audit procedures. In cases
where an investigation is initiated or in process, it may be
appropriate for the auditors to withdraw from or defer further work on
the engagement or a portion of the engagement to avoid interfering with
an investigation.
Developing Elements of a Finding:
4.21: When deficiencies are identified, auditors should plan audit
procedures to develop the elements of a finding necessary to achieve
the audit objectives. Audit findings, such as deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, contain the elements of
criteria, condition, cause, and effect or potential effect. Thus, a
finding or set of findings is complete to the extent that the auditors
believe that the audit objectives are satisfied. (See paragraph
5.16 for a description of the elements of a finding.)
Audit Documentation:
4.22: The auditor must prepare audit documentation in connection with
each engagement in sufficient detail to provide a clear understanding
of the work performed (including the nature, timing, extent, and
results of audit procedures performed), the audit evidence obtained and
its source, and the conclusions reached. Audit documentation:
a. provides the principal support for the statement in the auditor’s
report that the auditor performed the audit in accordance with GAGAS
and any other standards cited, and;
b. provides the principal support for the auditors’ conclusions.
4.23: Audit documentation is an essential element of audit quality.
Although documentation alone does not guarantee audit quality, the
process of preparing sufficient and appropriate documentation
contributes to the quality of an audit.
4.24: The auditor should prepare audit documentation that enables an
experienced auditor, [Footnote 60] having no previous connection to the
audit, to understand:
a. the nature, timing, and extent of auditing procedures performed to
comply with GAGAS and other applicable standards and requirements;
b. the results of the audit procedures performed and the audit evidence
obtained;
c. how the audit evidence relates to the audit conclusions, and;
d. the conclusions reached on significant matters.
4.25: In addition to the audit documentation requirements listed in the
previous paragraph, the auditor should document the following for
financial audits performed under GAGAS:
a. the objectives, scope, and methodology of the audit, and;
b. evidence of supervisory review, before the audit report is issued,
of the work performed that supports findings, conclusions, and
recommendations contained in the audit report.
4.26: Auditors should document matters specific to a particular audit
in the audit documentation file for that audit. Certain matters, such
as auditor independence and staff training, that are not engagement
specific, may be documented either centrally in the audit organization
or in the documentation for the audit.
4.27: The form, content, and extent of audit documentation depend on the
circumstances of the engagement and the audit methodology and tools
used. Oral explanations on their own do not represent sufficient
support for the work the auditor performed or conclusions the auditor
reached but may be used by the auditor to clarify or explain
information contained in the audit documentation. It is, however,
neither necessary nor practicable to document every matter the auditor
considers during the audit.
4.28: The auditor should document significant findings or issues,
actions taken to address them (including any additional evidence
obtained), and the basis for the final conclusions reached. Judging the
significance of a finding or issue requires an objective analysis of
the facts and circumstances.
4.29: The auditor should document discussions of significant findings
or issues with management and others, including the significant
findings or issues discussed, and when and with whom the discussions
took place.
4.30: If the auditor has identified information that contradicts or is
inconsistent with the auditor’s final conclusions regarding a
significant finding or issue, the auditor should document how the
contradiction or inconsistency was addressed in forming the conclusion.
4.31: In documenting the nature, timing, and extent of audit procedures
performed, the auditor should record:
a. who performed the audit work and the date such work was completed,
and;
b. who reviewed specific audit documentation and the date of such
review.
4.32: When the auditor does not comply with applicable unconditional or
presumptively mandatory GAGAS requirements, the auditor should document
the justification for the departure, the impact on the audit, and how
alternative procedures performed in the circumstances were sufficient
to achieve the objectives of the requirements. The auditor should also
follow the requirements in paragraphs 1.13 through 1.15.
4.33: The report should not be dated earlier than the date on which the
auditor has obtained sufficient appropriate audit evidence to support
the reported information, conclusions, or opinions. Among other things,
sufficient appropriate audit evidence includes evidence that the audit
documentation has been reviewed and that the entity’s financial
statements, including disclosures, have been prepared and that
management has asserted that it has taken responsibility for them.
4.34: The audit organization should adopt reasonable procedures to
retain and access audit documentation for a period of time sufficient
to meet the needs of the audit organization and to satisfy any
applicable legal or regulatory requirements for records
retention. Such retention period, however, should not be shorter than
five years [Footnote 61] from the report release date.
4.35: The auditor should complete the assembly of the final audit file
on a timely basis, but within 60 days following the report release date
(document completion date). [Footnote 62] Statutes, regulations, or the
audit organization’s quality control policies may state a
specific time in which the assembly process should be completed.
4.36: At any time prior to the documentation completion date, the
auditor may make changes to the audit documentation to:
a. complete the documentation and assembly of audit evidence that the
auditor has obtained, discussed, and agreed with relevant members of
the audit team prior to the date of the audit report;
b. perform routine file-assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and cross-
referencing final audit documentation;
c. sign-off on audit documentation completion checklists prior to
completing and archiving the audit documentation, and;
d. add information received after the date of the report, for example,
an original document that was previously faxed.
4.37: After the documentation completion date, the auditors must not
delete or discard audit documentation before the end of the specified
retention period, as discussed in paragraph 4.34. When the auditor
finds it necessary to make an addition (including amendments) to audit
documentation after the documentation completion date, the auditor
should document the addition by including the following in the
documentation:
a. when and by whom such additions were made and, where applicable,
reviewed;
b. the specific reasons for the changes, and;
c. the effect, if any, of the changes on the auditors’ conclusions.
4.38: Audit documentation allows for the review of audit quality by
providing the reviewer with documentation, either in written or
electronic formats, of the evidence supporting the auditors’
significant judgments and conclusions. If audit documentation is
retained only electronically, the audit organization should safeguard
the electronic documentation through sound computer security so that it
is capable of being accessed throughout the specified retention period
established for audit documentation.
4.39: Whether audit documentation is in paper, electronic, or other
media, the integrity, accessibility, and retrievability of the
underlying data may be compromised if the documentation could be
altered, added to, or deleted without the auditors’ knowledge, or
could be permanently lost or damaged. Accordingly, the auditor should
apply appropriate controls for audit documentation to safeguard audit
documentation from alteration, destruction, and unauthorized access.
4.40: Underlying GAGAS audits is the premise that federal, state, and
local government audit organizations and independent accounting firms
engaged to perform a financial audit in accordance with GAGAS cooperate
in auditing programs of common interest so that auditors may use
others’ work and avoid duplication of audit efforts. Auditors should
make appropriate audit staff and individuals, as well as audit
documentation available, upon request, in a timely manner to other
auditors or reviewers. It is also essential that contractual
arrangements for GAGAS audits provide for full and timely access to
audit staff and individuals, as well as audit documentation without
restriction to facilitate reliance by other auditors or reviewers on
the auditors’ work.
4.41: Consistent with applicable laws and regulations, audit
organizations should develop clearly defined policies and criteria to
deal with situations where requests are made by outside parties to
obtain access to audit documentation. The audit organization should
include in its policies and procedures guidance for dealing with
situations where an outside party attempts to obtain indirectly through
the auditor information that it is unable to obtain directly from the
audited entity and how to respond to requests for access to audit
documentation before the audit is complete. The audit organization
should also include flexibility in its policies and procedures to
consider the individual facts and circumstances surrounding such
requests, for instance, cases when granting access or providing certain
information could adversely affect the audit organization’s ability to
successfully perform similar audits in the future.
[End of chapter]
Chapter 5: Reporting Standards for Financial Audits:
Introduction:
5.01: This chapter establishes reporting standards and provides
guidance for financial audits conducted in accordance with generally
accepted government auditing standards (GAGAS). For financial audits,
GAGAS incorporate the AICPA’s field work and reporting standards and
the related statements on auditing standards unless specifically
excluded or modified by GAGAS. [Footnote 63] This chapter identifies
the AICPA reporting standards and prescribes additional standards for
financial audits performed in accordance with GAGAS.
5.02: See paragraphs 1.16 through 1.18 for a discussion about the use
of GAGAS with other financial audit standards.
AICPA Reporting Standards:
5.03: The four AICPA generally accepted standards of reporting are as
follows: [Footnote 64]
[AICPA is currently in the process of revising the reporting standards
to use clarified language. GAO will monitor the status of AICPA’s
efforts in order to include the most up-to-date AICPA standards in the
final 2006 Revision of Government Auditing Standards.]
a. The report shall state whether the financial statements are
presented in accordance with generally accepted accounting principles.
b. The report shall identify those circumstances in which such
principles have not been consistently observed in the current period in
relation to the preceding period.
c. Informative disclosures in the financial statements are to be
regarded as reasonably adequate unless otherwise stated in the report.
d. The report shall either contain an expression of opinion regarding
the financial statements, taken as a whole, or an assertion to the
effect that an opinion cannot be expressed. When an overall opinion
cannot be expressed, the reasons should be stated. In all cases where
an auditor’s name is associated with financial statements, the report
should contain a clear-cut indication of the character of the auditor’s
work, if any, and the degree of responsibility the auditor is taking.
Additional GAGAS Reporting Standards for Financial Audits:
5.04: GAGAS establish additional reporting standards for financial
audits in addition to the requirements contained in the AICPA SAS.
Auditors should comply with these additional standards when citing
GAGAS in their audit reports. The additional GAGAS standards relate to:
a. reporting auditors’ compliance with GAGAS (see paragraphs 5.05
through 5.07);
b. reporting on internal control and on compliance with laws,
regulations, and provisions of contracts or grant agreements (see
paragraphs 5.08 through 5.11);
c. reporting deficiencies in internal control, potential fraud, illegal
acts, violations of provisions of contracts or grant agreements, or
abuse (see paragraphs 5.12 through 5.27);
d. emphasizing significant matters in the auditors’ report (see
paragraphs 5.28 through 5.31);
e. reporting on restatement of previously-issued financial statements
(see paragraphs 5.32 through 5.38);
f. reporting views of responsible officials (see paragraphs 5.39
through 5.44);
g. reporting privileged and confidential information (see paragraphs
5.45 through 5.47); and;
h. issuing and distributing reports (see paragraphs 5.48 through 5.51).
Reporting Auditors’ Compliance with GAGAS 5.05 When auditors comply
with all applicable GAGAS standards, they should include a statement in
the audit report that they performed the audit in accordance with
GAGAS.
5.06: The statement of compliance with GAGAS indicates that the
auditors have complied with all applicable GAGAS general and auditing
standards, including the underlying AICPA standards. If the auditors
did not follow applicable standards, or were not able to follow
applicable standards due to access problems or other scope limitations,
they should follow the requirements in paragraphs 1.13 through 1.15.
5.07: An audited entity receiving a GAGAS audit report may also request
auditors to issue a financial audit report for purposes other than
complying with requirements calling for a GAGAS audit. For example, the
audited entity may need audited financial statements to issue bonds or
for other financing purposes. GAGAS do not prohibit auditors from
issuing a separate report conforming only to the requirements of AICPA
or other standards. When a GAGAS audit is the basis for an auditors’
subsequent report under the other standards, the auditors should
consider including a reference to the GAGAS report, as that report will
contain additional information on internal control, compliance with
laws, regulations, and provisions of contracts or grant agreements,
potential fraud, or abuse that GAGAS require.
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements:
5.08: When providing an opinion or a disclaimer on financial
statements, auditors should include in their report on the financial
statements either a (1) description of the scope of the auditors’
testing of internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts or grant agreements and
the results of those tests or an opinion, if sufficient work was
performed, or (2) reference to the separate report(s) containing that
information. If auditors report separately, they should include a
reference to the separate report containing this information in their
opinion or disclaimer report and state that the separate report is an
integral part of the audit and important for assessing the results of
the audit.
5.09: For audits of financial statements in which auditors provide an
opinion, auditors should report the scope of their testing of internal
control over financial reporting and of compliance with laws,
regulations, and provisions of contracts or grant agreements. Auditors
should also indicate in the report whether or not the tests they
performed provided sufficient evidence to support an opinion on the
effectiveness of internal control over financial reporting and on
compliance with laws, regulations, and provisions of contracts or grant
agreements.
5.10: Auditors may report on internal control over financial reporting
and on compliance with laws, regulations, and provisions of contracts
or grant agreements in the opinion or disclaimer on the financial
statements or in a separate report or reports. When auditors report on
internal control over financial reporting and compliance as part of the
opinion or disclaimer on the financial statements, they should include
an introduction summarizing key findings in the audit of the financial
statements and the related internal control and compliance work.
Auditors should not issue this introduction as a standalone report.
5.11: When auditors report separately (including separate reports bound
in the same document) on internal control over financial reporting and
compliance with laws and regulations and provisions of contracts or
grant agreements, they should state in the opinion or disclaimer on the
financial statements that they are issuing those additional reports.
They also should state that the reports on internal control over
financial reporting and compliance with laws and regulations and
provisions of contracts or grant agreements are an integral part of a
GAGAS audit and important for assessing the results of the audit.
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal
Acts, Violations of Provisions of Contracts or Grant Agreements, or
Abuse:
5.12: For financial audits, including audits of financial statements in
which auditors provide an opinion or disclaimer, auditors should
report, as applicable to the objectives of the audit, (1) deficiencies
in internal control considered to be material weaknesses or other
significant deficiencies, (2) all instances of potential fraud and
illegal acts unless clearly inconsequential, [Footnote 65] and (3)
material violations of provisions of contracts or grant agreements or
abuse. In some circumstances, auditors should report potential fraud,
illegal acts, violations of provisions of contracts or grant
agreements, or abuse directly to parties external to the audited entity
when other requirements provide for such reporting.
Reporting Deficiencies in Internal Control:
5.13: For all financial audits, auditors should report deficiencies in
internal control considered to be significant deficiencies, including
material weaknesses, as follows:
a. A significant deficiency is a deficiency in internal control, or
combination of deficiencies, that adversely affects the entity’s
ability to initiate, authorize, record, process, or report financial
data reliably in accordance with generally accepted accounting
principles such that there is more than a remote [Footnote 66]
likelihood that a misstatement of the entity’s financial statements
that is more than inconsequential [Footnote 67] will not be prevented
or detected.
b. A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.
5.14: If control deficiencies are identified, an important part of the
assessment is the consideration of significance of those deficiencies.
In addition to qualitative considerations, auditors evaluate the
following when concluding about the significance of a deficiency in
internal control:
a. the likelihood that a deficiency, or combination of deficiencies,
could result in a misstatement of an account balance or disclosure,
and;
b. the magnitude of the potential misstatement resulting from the
deficiency or deficiencies.
5.15: Auditors should include all material weaknesses and other
significant deficiencies in the auditors’ report on internal control
over financial reporting. (See appendix A.03 for examples of matters
that may be significant deficiencies, including material
weaknesses.)
5.16: To the extent necessary to achieve the audit objectives, in
presenting audit findings such as deficiencies in internal control,
auditors should develop the elements of criteria, condition, cause, and
effect to assist management or oversight officials of the audited
entity in understanding the need for taking corrective action. In
addition, if auditors are able to sufficiently develop the elements of
a finding, they should provide recommendations for corrective action.
Following is guidance for reporting on elements of findings:
a. Criteria: The required or desired state or what is expected from the
program or operation. The criteria are easier to understand when stated
objectively, explicitly, and completely, and the source of the criteria
is identified in the audit report. [Footnote 68[
b. Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report user
to gain an accurate perspective.
c. Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable and
convincing argument for why the stated cause is the key factor or
factors contributing to the difference as opposed to other possible
causes, such as poorly designed criteria or factors uncontrollable by
program management. The auditors also may consider whether the
identified cause could serve as a basis for the recommendations. Often
the causes of deficiencies in internal control are complex and involve
multiple factors. In some cases, it may not be practical for auditors
to fully develop or identify the causes of deficiencies. However,
analyzing and identifying root causes of internal control deficiencies
is key to making recommendations for corrective action.
d. Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the auditors
found (condition) and the required or desired state (criteria). Effect
is easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported
effect can be demonstrated through credible evidence.
5.17: Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar
value, as appropriate. If the results cannot be projected, auditors
should limit their conclusions appropriately.
5.18: When auditors detect deficiencies in internal control that are
not significant deficiencies (or material weaknesses) they should
communicate those deficiencies separately in a management letter to
officials of the audited entity unless the deficiencies are clearly
inconsequential considering both quantitative and qualitative factors.
Auditors should refer to that management letter (or to a management
letter to be issued) in the report on internal control. Auditors use
professional judgment when deciding whether or how to communicate to
officials of the audited entity deficiencies in internal control that
are clearly inconsequential. Auditors should include in their audit
documentation evidence of communications to officials of the audited
entity about deficiencies in internal control found during the audit.
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse:
5.19: Under AICPA standards and GAGAS, auditors should address the
effect potential fraud or illegal acts may have on the audit report and
to determine that those charged with governance are adequately informed
about the potential fraud or illegal acts. Under GAGAS, auditors should
provide this information in writing and also include reporting on (1)
violations of provisions of contracts or grant agreements that have a
material effect on the determination of financial statement amounts or
other financial data significant to the audit, and (2) abuse that is
material, either quantitatively or qualitatively. [Footnote 69]
Therefore, when auditors conclude, on the basis of evidence obtained,
that any of the following either has occurred or is likely to have
occurred, [Footnote 70] they should include in their audit report the
relevant information about [Footnote 71]:
a. potential fraud and illegal acts that are greater than
inconsequential;
b. material violations of contracts or grant agreements; or;
c. material abuse.
5.20: When reporting instances of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should place their findings in perspective by describing the
extent of the work performed that resulted in the finding. To give the
reader a basis for judging the prevalence and consequences of these
findings, auditors may relate the instances identified to the
population or to the number of cases examined and quantify the results
in terms of dollar value, as appropriate. If the results cannot be
projected, auditors should limit their conclusions appropriately.
5.21: To the extent necessary to achieve the audit objectives, auditors
should develop in their report the elements of criteria, condition,
cause, and effect when potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse is found. The
guidance for reporting deficiencies in internal control in paragraph
5.16 is designed to assist auditors in developing the elements of their
findings.
5.22: When auditors detect immaterial violations of provisions of
contracts or grant agreements or abuse, they should communicate those
findings in a management letter to officials of the audited entity
unless the findings are clearly inconsequential to the financial
statements considering both qualitative and quantitative factors.
Auditors should refer to that management letter in their audit report
on compliance (or to a management letter to be issued). Auditors use
professional judgment when determining whether and how to communicate
to officials of the audited entity potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
that is clearly inconsequential. Auditors should include in their audit
documentation evidence of communications to officials of the audited
entity about potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse found during the audit.
5.23: When auditors conclude that potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
either have occurred or are likely to have occurred, they may consult
with authorities and/or legal counsel about whether publicly reporting
certain information about the potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse would
compromise investigative or legal proceedings. Auditors should limit
their public reporting to matters that would not compromise those
proceedings, such as information that is already a part of the public
record.
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
5.24: Auditors should report potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse directly to
parties outside the audited entity in two circumstances, as discussed
below. [Footnote 72] This reporting is in addition to any legal
requirements for direct reporting of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
Auditors should follow these requirements even if they have resigned or
been dismissed from the audit prior to its completion.
5.25: The audited entity may be required by law or regulation to report
certain potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse to specified external parties,
such as a federal inspector general or a state attorney general. When
auditors have communicated such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to
the audited entity and the audited entity fails to report them, then
the auditors should communicate such an awareness to those charged with
governance. When the audited entity does not make the required report
as soon as possible after the auditors’ communication with those
charged with governance, then the auditors should report such potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse directly to the external party specified in the
law or regulation.
5.26: When potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse involves awards received
directly or indirectly from a government agency, auditors may have a
duty to report directly if management fails to take remedial steps.
When auditors conclude that such failure is likely to cause them to
depart from the standard report on the financial statements or resign
from the audit, they should communicate that conclusion to those
charged with governance of the audited entity. If the audited entity
does not report the potential fraud, illegal act, violation of
provisions of contracts or grant agreements, or abuse in a timely
manner to the entity that provided the government assistance, the
auditors should report the potential fraud, illegal act, violation of
provisions of contracts or grant agreements, or abuse directly to the
awarding entity.
5.27: Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by
management that it has reported potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
When auditors are unable to do so, they should report such potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse directly as discussed above.
Emphasizing Significant Matters in the Auditors’ Report:
5.28: Under both the AICPA standards [Footnote 73] and GAGAS, auditors
may emphasize a matter in the auditors’ report regarding the financial
statements. Due to the unique roles and responsibilities of governments
and government entities, there may be situations where users and
oversight organizations need information that is critical for
understanding the financial statements in relation to the government’s
current and/or future operating environment, as well as information
about unusual events and significant uncertainties. In addition, due to
the unique nature of government responsibilities and operations, there
may be situations where additional information would help facilitate
the readers’ understanding of the information in the auditors’ report.
5.29: Auditors use professional judgment to determine whether to
emphasize a matter in the auditors’ report. Such explanatory material
is presented in a separate paragraph or separate section of the
auditors’ report. Examples of matters that auditors should consider
emphasizing when they become aware that such issues exist include the
following:
a. Concerns or significant uncertainties about the fiscal
sustainability of a government or program or other matters that could
have a significant impact on the financial condition or operations of
the government entity. [Footnote 74] Such concerns or uncertainties may
arise due to revenue and/or expenditure trends; economic dependency on
other governments or other entities; the government’s current
commitments, responsibilities, liabilities, or promises to citizens for
future benefits that are not sustainable over the long-term; deficit
trends; the relationship between the financial information and other key
indicators; and other significant risks and uncertainties that call
into question the longterm sustainability of current government
programs in relation to the resources expected to be available.
b. Unusual or catastrophic events that will likely have a significant
ongoing or future impact on the government’s financial condition or
operations.
c. Significant uncertainties surrounding projections or estimations in
the financial statements.
d. Any other matter that the auditors consider significant for
communication in the auditors’ report to users and oversight bodies.
5.30: Auditors should obtain sufficient, appropriate evidence about any
matter emphasized. In the case of significant uncertainties where
sufficient appropriate evidence may not be available, auditors should
describe the significant uncertainties and the possible impact on the
reported information.
5.31: Auditors should consider emphasizing a matter even if management
has disclosed the issue in the notes to the financial statements. In
such cases, auditors refer to management’s disclosures, describe any
deficiencies in management’s disclosures, and include additional detail
as appropriate. In situations when management has not disclosed the
information, the auditors should encourage management to disclose such
information.
Reporting on Restatement of Previously-Issued Financial Statements:
5.32: Auditors have professional responsibilities when they become
aware of actual or potential misstatements that might have affected
their report on previously-issued financial statements. Under both
AICPA standards [Footnote 75] and GAGAS, auditors have the
following responsibilities related to (1) potential material
misstatements in previously issued financial statements, and (2)
restatement [Footnote 76] of the previously-issued financial
statements:
a. Auditors should determine if the previously-issued financial
statements were materially misstated and should request management’s
cooperation in making this determination.
b. Auditors should determine if (a) the misstatement(s) may affect the
auditors’ report on the previously-issued financial statements and, (b)
persons are currently relying or likely to rely on the financial
statements.
c. Auditors should advise the audited entity to disclose the
misstatement(s) and the related financial statement impact to persons
relying or likely to rely on the financial statements and related
auditors’ report.
d. Auditors should determine whether the audited entity has
appropriately disclosed the misstatement(s).
e. When the audited entity refuses to disclose the misstatement(s),
then:
(1) auditors should notify those charged with governance of the
entity’s refusal to disclose the misstatement;
(2) auditors should notify the audited entity that the related
auditors’ report can no longer be relied upon or associated with the
previously-issued financial statements, and;
(3) auditors should notify oversight or regulatory agencies that have
jurisdiction over the audited entity and persons known to be relying on
the financial statements that the auditors’ report can no longer be
relied upon.
5.33: GAGAS prescribe additional standards for reporting on restatement
of previously issued financial statements. When performing a financial
statement audit in accordance with GAGAS, auditors should comply with
these additional GAGAS standards and with the AICPA standards. The
additional GAGAS standards and guidance are included in paragraphs 5.34
through 5.38.
5.34: The nature or amount of known or likely misstatement(s) in
previously-issued audited financial statements may lead auditors to
believe that the auditors’ report would or could reasonably have been
affected if they had known of the misstatements when they issued the
auditors’ report. When this condition exists, auditors should advise
management to communicate the following information to those charged
with governance, oversight bodies, funding agencies, and others who are
relying or are likely to rely on the financial statements:
a. The nature and cause(s) of the known or likely material
misstatement(s).
b. The amount(s) of known or likely material misstatement(s) and the
related effect(s) on the previously-issued financial statements (e.g.,
disclosure of the specific financial statement(s) and line item(s)
affected). If this information is not known, then the disclosure
includes information that is known and a statement that management
cannot determine the amount(s) and the related effect(s) on the
previously-issued financial statements without further investigation.
c. A notice that (1) previously-issued financial statements will or may
be restated and, therefore, (2) the related auditors’ report is no
longer reliable.
5.35: Auditors should review the adequacy of management’s communication
information about the known or potential material misstatement(s) to
report users, including those charged with governance, oversight bodies
and funding agencies. When performing this review, auditors consider
whether:
a. management acted timely to determine the financial statement effects
of the potential material misstatement(s);
b. management acted timely to communicate with appropriate parties,
and;
c. management disclosed the nature and extent of the known or likely
material misstatement(s) on Internet pages where the agency’s
previously-issued financial statements are published.
Auditors should notify those charged with governance if they believe
that management is unduly delaying its determination of the effect(s)
of the misstatement(s) on previously issued financial statements.
5.36: Also, auditors should evaluate the timeliness and appropriateness
of management’s decision whether to issue restated financial
statements. Management may separately issue the restated financial
statements or may present the restated financial statements on a
comparative basis with those of a subsequent period. Ordinarily,
auditors would expect management to issue restated financial statements
as soon as practicable. However, it may not be necessary for management
to separately issue the restated financial statements and auditors’
report when issuance of the subsequent-period audited financial
statements is imminent. [Footnote 77]
5.37: When management restates previously-issued financial statements,
auditors should perform audit procedures sufficient to reissue or
update the auditors’ report on the restated financial statements.
Auditors should fulfill these responsibilities whether the restated
financial statements are separately issued or presented on a
comparative basis with those of a subsequent period. Auditors should
include the following information in an explanatory paragraph in the
reissued or updated auditors’ report on the re-issued financial
statements:
a. a statement disclosing that the previously-issued financial
statement(s) have been restated;
b. a statement that the previously-issued financial statements were
materially misstated and that the previously-issued auditors’ report
(include report date) is withdrawn and replaced by the auditors’ report
on the restated financial statement(s), and;
c. a reference to the note(s) to the restated financial statements that
discusses the restatement, including:
(1) the nature and cause(s) of the misstatement(s) that led to the need
for restatement, and;
(2) the specific amount(s) of the material misstatement(s) and the
related effect(s) on the previously-issued financial statements (e.g.,
the specific financial statement(s) affected and line items restated)
and the impact on the current-year financial statements.
d. A discussion of any significant internal control deficiency that
failed to prevent or detect the misstatement and what action management
has taken about the deficiency.
5.38: Auditors should notify those charged with governance, oversight
bodies, and funding agencies when management (1) does not take the
necessary steps to promptly inform report users of the situation or (2)
does not restate with appropriate timeliness the financial statements
in circumstances when auditors believe they need to be restated.
Auditors should inform these parties that the auditors will take steps
to prevent future reliance on the auditors’ report. The steps taken
will depend on the facts and circumstances, including legal
considerations.
Reporting Views of Responsible Officials:
5.39: If the auditors’ report discloses deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, auditors should obtain and
report the views of responsible officials concerning the findings,
conclusions, and recommendations, as well as planned corrective
actions.
5.40: One of the most effective ways to provide a report that is fair,
complete, and objective is to provide a draft report for review and
comment by responsible officials of the audited entity and others, as
appropriate. Including the views of responsible officials results in a
report that presents not only the significant deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse the auditors identified, but
also the perspectives of the responsible officials of the audited
entity and the corrective actions they plan to take. Auditors should
include in their report a copy of the officials’ written comments
and/or a summary of the comments received. In cases where the audited
entity provides technical comments in addition to its written comments
on the report, auditors use professional judgment in determining
whether to include such comments or disclose in the report that such
comments were provided.
5.41: Auditors ordinarily request that the responsible officials submit
in writing their views on the auditors’ reported findings, conclusions,
and recommendations, as well as management’s planned corrective
actions. However, oral comments are acceptable, and, in some cases, may
be the most expeditious way to obtain comments. Obtaining oral comments
can be effective when, for example, there is a time-critical reporting
date to meet a user’s needs; auditors have worked closely with the
responsible officials throughout the conduct of the work and the
parties are familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with
the draft report’s findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed in
the draft report. If oral comments are provided by the responsible
officials, auditors should prepare a summary of the oral comments and
provide a copy of the summary to the responsible officials to verify
that the comments are accurately stated prior to finalizing the report.
5.42: Auditors should fairly and objectively evaluate and recognize
comments, as appropriate, in the final report. Auditors may note
comments, such as a plan for corrective action, but should not accept
them as justification for dropping a finding or a related
recommendation without sufficient and appropriate evidence.
5.43: When the audited entity’s comments oppose the report’s findings,
conclusions, or recommendations, and are not, in the auditors’ opinion,
valid, or when planned corrective actions do not adequately address the
auditors’ recommendations, the auditors should state objectively their
reasons for disagreeing with the comments or planned corrective
actions. Conversely, the auditors should modify their report as
necessary if they find the comments valid.
5.44: If the audited entity refuses to provide comments or is unable to
provide comments within a reasonable period of time, the auditors may
need to issue the report without receiving comments from the audited
entity. In such cases, the auditors should describe in the report the
reasons that comments from the audited entity are not included.
Reporting Privileged and Confidential Information:
5.45: If certain pertinent information is prohibited from general
disclosure, auditors should disclose in the report that certain
information has been omitted and the requirement that makes the
omission necessary.
5.46: Certain information may be classified or may be otherwise
prohibited from general disclosure by federal, state, or local laws or
regulations. In such circumstances, auditors may issue a separate,
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded
from publicly available reports because of the potential damage that
could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors’ recommendations. The
auditors may consult with legal counsel regarding any requirements or
other circumstances that may necessitate the omission of certain
information.
5.47: Auditors consider the broad public interest in the program or
activity under review when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the audit results or conceal improper or
unlawful practices.
Issuing and Distributing Reports:
5.48: Government auditors should submit audit reports to those charged
with governance, to the appropriate officials of the audited entity and
to appropriate officials of the organizations requiring or arranging
for the audits, including external funding organizations [Footnote 78]
such as legislative bodies, unless legal restrictions prevent it.
Auditors should also send copies of the reports to other officials who
have legal oversight authority or who may be responsible for acting on
audit findings and recommendations and to others authorized to receive
such reports. Auditors should clarify whether the report will be made
available for public inspection. If the subject of the audit involves
material that is classified for security purposes or not releasable to
particular parties or the public for other valid reasons, auditors may
limit the report distribution. [Footnote 79] Auditors should document
any limitation on report distribution.
5.49: When nongovernment auditors are engaged to perform an audit under
GAGAS, they should clarify report distribution responsibilities with
the engaging organization. If nongovernment auditors are to make the
distribution, they should reach agreement with the party contracting
for the audit about which officials or organizations should receive
the report and the steps being taken to make the report available to
the public.
5.50: Internal auditors may follow the IIA standards for report
distribution, which state internal auditors also follow any applicable
statutory requirements for distribution. The head of the internal audit
organization should disseminate results to the appropriate parties. The
head of the internal audit organization is responsible for
communicating the final results to parties who are in a position to
take appropriate corrective actions. Distribution of reports outside
the organization ordinarily is made only in accordance with applicable
laws, rules, regulations, or policy.
5.51: If an audit is terminated before it is completed but the auditors
do not issue an audit report, auditors should write a memorandum for
the record that summarizes the results of the work to the date of
termination and explains why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should notify those
charged with governance, management of the audited entity, the entity
requesting the audit, and other appropriate officials about the
termination of the audit, preferably in writing. Auditors should
document this communication.
[End of chapter]
Chapter 6: General, Field Work, and Reporting Standards for Attestation
Engagements:
Introduction:
6.01: This chapter establishes standards and provides guidance for
attestation engagements conducted in accordance with generally accepted
government auditing standards (GAGAS). For attestation engagements,
GAGAS incorporate the AICPA’s general standard on criteria, and the
field work and reporting standards and the related statements on
standards for attestation engagements (SSAE), unless specifically
excluded or modified by GAGAS. [Footnote 800 This chapter identifies
the AICPA general standard on criteria,[ Footnote 81] field work and
reporting standards for attestation engagements and prescribes
additional standards for attestation engagements performed in
accordance with GAGAS.
6.02: See paragraphs 1.16 through 1.17 and 1.19 for a discussion about
the use of GAGAS with other professional standards.
6.03: See paragraphs 1.28 through 1.32 for an overall description of
the nature and objectives of attestation engagements.
AICPA General and Field Work Standards for Attestation Engagements:
6.04: The AICPA general standard related to criteria states the
following:
[AICPA is currently in the process of revising the general standards to
use clarified language. GAO will monitor the status of AICPA’s efforts
in order to include the most up-to-date AICPA standards in the final
2006 Revision of Government Auditing Standards.]
The practitioner [auditor] shall perform an engagement only if he or
she has reason to believe that the subject matter is capable of
evaluation against criteria that are suitable and available to users.
6.05: The two AICPA field work standards for attestation engagements
are as follows:
[AICPA is currently in the process of revising the field work standards
to use clarified language. GAO will monitor the status of AICPA’s
efforts in order to include the most up-to-date AICPA standards in the
final 2006 Revision of Government Auditing Standards.]
a. The work shall be adequately planned and assistants, if any, shall
be properly supervised.
b. Sufficient evidence shall be obtained to provide a reasonable basis
for the conclusion that is expressed in the report.
Additional Considerations for Attestation Engagements in Government:
6.06: Auditors use professional judgment when applying auditing and
attestation standards and guidance to attestation engagements of a
government entity or an entity that receives government awards. For
example, auditors may need to set lower materiality levels than in
attestation engagements in the private sector because of the public
accountability of the audited entity, various legal and regulatory
requirements, and the visibility and sensitivity of government
programs. Auditors also consider the needs of users and the concerns of
oversight official regarding previously identified risks, previously
reported deficiencies in internal control of the entity, and current and
emerging risks and uncertainties facing the government entity or
program.
6.07: An important element of attestation engagements in government is
the reporting of deficiencies in internal control related to the
subject matter or objectives of the engagement so that the entity can
take corrective actions necessary under the circumstances. (See
paragraphs 6.49 through 6.53.) In an attestation engagement, a
deficiency in internal control exists when the design or operation of a
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent errors in assertions
made by management on a timely basis. A deficiency in design exists
when (a) a control necessary to meet the control objective is missing
or (b) an existing control is not properly designed so that, even if
the control operates as designed, the control objective is not met. A
deficiency in operation exists when a properly designed control does
not operate as designed, or when the person performing the control does
not possess the necessary authority or qualifications to perform the
control effectively.
Additional GAGAS Field Work Standards for Attestation Engagements:
6.08: GAGAS establish attestation engagement field work standards in
addition to the requirements contained in the AICPA SSAE. Auditors
should comply with these additional standards when citing GAGAS in
their attestation engagement reports. The additional GAGAS field work
standards relate to:
a. auditor communication (see paragraphs 6.09 through 6.11);
b. previous audits and attestation engagements (see paragraphs 6.12
through 6.13);
c. internal control (see paragraphs 6.14 through 6.16);
d. detecting potential fraud, illegal acts, violations of contract
provisions or grant agreements, or abuse that could have a material
effect on the subject matter (see paragraphs 6.17 through 6.22);
e. developing elements of findings for attestation engagements
(paragraph 6.23); and;
f. attest documentation (see paragraphs 6.24 through 6.43).
Auditor Communication:
6.09: Auditors should communicate information regarding their
responsibilities under GAGAS related to the subject matter or assertion
about the subject matter, including the level of assurance to those
charged with governance and to the individuals contracting for or
requesting the attestation engagement and document the communications.
6.10: Under AICPA standards and GAGAS, auditors should establish a
written understanding with those charged with governance [Footnote 82]
and communicate with audit committees. Under GAGAS, auditors should
communicate specific information in writing during the planning stages
of an attestation engagement, including any potential restriction of
the attestation reports, to reduce the risk that the needs or
expectations of the parties involved may be misinterpreted. During the
planning stages of an attestation engagement, auditors also should
report (1) the nature, timing, and extent of testing and reporting, and
(2) the level of assurance provided. Auditors use professional judgment
when determining the form, content, and frequency of the communication.
Auditors may use an engagement letter or a proposal, if appropriate, to
communicate the information. If the attestation engagement is part of a
larger audit, this information may be communicated as part of that
audit.
6.11: When auditors perform an attestation engagement under a contract
with a party other than the officials of the audited entity, or
pursuant to a third-party request, auditors should also communicate in
writing with the individuals contracting for or requesting the audit,
such as contracting officials or members or staff of legislative
committees, in addition to communicating with the audited entity. When
auditors are performing the audit pursuant to a law or regulation and
they are conducting the work directly for the legislative committee who
has oversight for the audited entity, auditors should communicate with
the members or staff of that legislative committee. Auditors should
coordinate communications with the responsible government audit
organization and/or management of the audited entity. If an audit is
terminated before it is completed, auditors should write a memorandum
for the audit documentation that summarizes the results of the work and
explains the reasons why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should consider the
need to communicate the reason for terminating the audit to those
charged with governance, management of the audited entity, the entity
requesting the audit, and other appropriate officials, preferably in
writing.
Previous Audits and Attestation Engagements:
6.12: When planning the engagement, auditors should determine whether
the results of previous audits and attestation engagements that
directly relate to the subject matter or the assertion of the
attestation engagement being undertaken have an impact on the current
engagement, including whether related recommendations have been
implemented.
6.13: Auditors should identify previous financial audits, attestation
engagements, performance audits, or other studies related to the
subject matter or assertions of the attestation engagement being
undertaken and ask management of the audited entity to identify
corrective actions taken to address significant findings and
recommendations, [Footnote 83] including those related to significant
deficiencies, including material weaknesses. [Footnote 84]
Internal Control:
6.14: In planning examination-level attestation engagements, auditors
should obtain a sufficient understanding of internal control that is
material to the subject matter or assertion in order to plan the
engagement and design procedures to achieve the objectives of the
attestation engagement.
6.15: Auditors should obtain an understanding of internal control
[Footnote 85] as it relates to the subject matter or assertion to which
the auditors are attesting. The subject matter or assertion may be
financial or nonfinancial, and internal control material to the subject
matter or assertion the auditors are testing may relate to:
a. effectiveness and efficiency of operations, including the use of an
entity’s resources;
b. reliability of financial reporting, including reports on budget
execution and other reports for internal and external use;
c. compliance with applicable laws and regulations, provisions of
contract, or grant agreements; and;
d. safeguarding of assets.
6.16: A deficiency in internal control exists when the design or
operation of a control does not allow management or employees, in the
normal course of performing their assigned functions, to prevent or
detect errors in assertions made by management on a timely basis. A
deficiency in design exists when (a) a control necessary to meet the
control objective is missing or (b) an existing control is not properly
designed so that, even if the control operates as designed, the control
objective is not met. A deficiency in operation exists when a properly
designed control does not operate as designed, or when the person
performing the control does not possess the necessary authority or
qualifications to perform the control effectively.
Detecting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse That Could Have a Material
Effect on the Subject Matter:
6.17: The standard related to potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse for
attestation engagements performed in accordance with GAGAS is:
a. In planning examination-level attestation engagements, auditors
should design the engagement to provide reasonable assurance of
detecting potential fraud, illegal acts, or violations of provisions of
contracts or grant agreements that could have a material effect on the
subject matter or assertion of the attestation engagement.
b. In planning review-level attestation engagements, auditors should be
alert to situations or transactions that may be indicative of potential
fraud, illegal acts, and violations of provisions of contracts or grant
agreements.
c. In agreed-upon-procedures-level engagements, auditors perform
limited testing in order to issue a report of finding based on specific
procedures performed on a subject matter. Therefore, auditors are not
expected to provide assurance of detecting potential fraud, illegal
acts, or violations of contract or grant agreements for these types of
engagements.
d. Auditors conduct the attestation engagement with the mindset that
recognizes the possibility that a material misstatement in management’s
assertion could be present. However, absolute assurance is not
attainable and thus even a properly planned and performed examination-
level attestation engagement may not detect a material misstatement
resulting from fraud.
e. For all types of attestation engagements, auditors remain alert to
situations or transactions that may be indicative of material abuse and
follow the requirements in 6.20 through 6.21.
6.18: For examination-level attestation engagements, auditors design
the engagement to provide reasonable assurance of detecting fraud
[Footnote 86], illegal acts, or violations of provisions of contracts
or grant agreements that have a material effect on the subject matter or
assertion of the attestation engagement. Auditors should assess the
risk and possible effects of material fraud, illegal acts, or
violations of provisions of contracts or grant agreements on the
subject matter or assertion of the attestation engagement. Auditors
should document their assessment of risk, and when risk factors are
identified, auditors should also document:
a. those risk factors identified;
b. the auditors’ response to those risk factors, individually or in
combination, and;
c. the auditors’ conclusions.
6.19: For attestation engagements involving review-level reporting,
auditors are alert to situations or transactions that may be indicative
of potential fraud, illegal acts, or violations of provisions of
contracts or grant agreements. When information comes to the auditors’
attention (through audit procedures, allegations received through fraud
hotlines, or other means) indicating that potential fraud, illegal
acts, or violations of provisions of contracts or grant agreements that
could materially affect the results of the attestation engagement
exist, auditors should apply the audit steps and procedures, as
necessary, to (1) determine if potential fraud, illegal acts, or
violations of provisions of contracts or grant agreements are likely to
have occurred and, if so, (2) determine their effect on the results of
the attestation engagement. Because the scope of review-level
engagements is limited, auditors are not expected to provide reasonable
assurance of detecting potential fraud, illegal acts, or violations of
contract or grant agreements for these types of engagements.
6.20: For all types of attestation engagements, if during the course of
the engagement, auditors become aware of indications of abuse that
could be quantitatively or qualitatively material, auditors should
apply audit procedures specifically directed to ascertain whether
material abuse has occurred and the potential effect on the engagement
subject matter or objective. Based on the facts and circumstances,
auditors may find it helpful to identify specific risks, situations, or
transactions that are susceptible to abuse. In addition, auditors
remain alert throughout the engagement to situations or transactions
that could be indicative of abuse. However, because the determination
of abuse is subjective, auditors are not required to provide reasonable
assurance of detecting abuse.
6.21: Abuse involves behavior that is deficient or improper when
compared with behavior that a prudent person would consider reasonable
and necessary business practice given the facts and circumstances.
Abuse also includes misuse of authority or position for personal
financial interest or those of an immediate or close family member or
business partner. Abuse is distinct from fraud, illegal acts, or
violations of provisions of contracts or grant agreements in that abuse
does not necessarily involve violation of laws, regulations, or
provisions of a contract or grant agreement. If auditors encounter such
situations, they should assess the risk of whether these situations or
transactions could be indicative of qualitatively or quantitatively
material abuse. When information comes to the auditors’ attention
(through attest procedures, allegations received through a fraud
hotline, or other means) indicating that material abuse may have
occurred, auditors should perform procedures as necessary to (1)
determine whether the abuse occurred and, if so, (2) determine its
potential effect on the results of the attestation engagement. Auditors
assess both qualitative and qualitative factors in making judgments
regarding the materiality of possible abuse.
6.22: In pursuing indications of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should avoid interfering with potential investigations, and/or
legal proceedings. In some circumstances, laws, regulations, or
policies require auditors to report indications of certain types of
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse to law enforcement or investigatory
authorities before performing additional audit procedures. In cases
where an investigation is initiated or in process, it may be
appropriate for the auditors to withdraw from or defer further work on
the engagement or a portion of the engagement to avoid interfering with
an investigation.
Developing Elements of Findings for Attestation Engagements:
6.23: When deficiencies are identified, auditors should plan audit
procedures to develop the elements of a finding necessary to achieve
the objectives of the attestation engagement. Attest findings, such as
deficiencies in internal control, potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
contain the elements of criteria, condition, cause, and effect. The
elements needed for a finding depend on the objectives of the
attestation engagement. Thus, a finding or set of findings is complete
to the extent that the objectives of the attestation engagement are
satisfied. (See paragraphs 6.49 through 6.53 for a description of
deficiencies in internal control and paragraph 6.51 for a description
of the elements of a finding.
Attest Documentation:
6.24: The auditor must prepare attest documentation in connection with
each engagement in sufficient detail to provide a clear understanding
of the work performed (including the nature, timing, extent, and
results of attest procedures performed), the attest evidence obtained
and its source, and the conclusions reached. Attest documentation:
a. provides the principal support for the statement in the auditor’s
report that the auditors performed the attestation engagement in
accordance with GAGAS and any other standards cited, and;
b. provides the principal support for the auditors’ conclusion.
6.25: Attest documentation is an essential element of audit quality.
Although documentation alone does not guarantee audit quality, the
process of preparing sufficient and appropriate documentation
contributes to the quality of an attestation engagement.
6.26: The auditor should prepare attest documentation that enables an
experienced auditor, [Footnote 87] having no previous connection to the
attestation engagement, to understand:
a. the nature, timing, and extent of attest procedures performed to
comply with GAGAS and other applicable standards and requirements;
b. the results of the attest procedures performed and the attest
evidence obtained;
c. how the attest evidence relates to the attestation engagement’s
conclusions, and;
d. the conclusions reached on significant matters.
6.27: In addition to the attest documentation requirements listed in
the previous paragraph, the auditor should document the following for
attestation engagements performed under GAGAS:
a. the objectives, scope, and methodology of the attestation
engagement;
b. evidence of supervisory review, before the attest report is issued,
of the work performed that supports findings, conclusions, and
recommendations contained in the attest report; and;
c. the auditors’ consideration that the planned attestation procedures
are designed to achieve objectives of the attestation engagement when
(1) evidence obtained is highly dependent on computerized information
systems, (2) evidence is material to the objective of the engagement,
and (3) the auditors are not relying on the effectiveness of internal
control over those computerized systems that produced the information.
Auditors should document (1) the rationale for determining the nature,
timing, and extent of planned audit procedures; (2) the kinds and
competence of available evidence produced outside a computerized
information system, and/or plans for direct testing of data produced
from a computerized information system; and (3) the effect on the
attestation engagement report if evidence to be gathered does not
afford a reasonable basis for achieving the objectives of the
engagement.
6.28: Auditors should document matters specific to a particular
attestation engagement in the attest documentation file. Certain
matters, such as auditor independence and staff training, that are not
engagement specific, may be documented either centrally in the
audit organization or in the documentation for the attestation
engagement.
6.29: The form, content, and extent of attest documentation depend on
the circumstances of the engagement and the attest methodology and
tools used. Oral explanations on their own do not represent sufficient
support for the work the auditor performed or conclusions the auditor
reached but may be used by the auditor to clarify or explain
information contained in the attest documentation. It is, however,
neither necessary nor practicable to document every matter the auditor
considers during the attestation engagement.
6.30: The auditor should document significant findings or issues,
actions taken to address them (including any additional evidence
obtained), and the basis for the final conclusions reached. Judging the
significance of a finding or issue requires an objective analysis of
the facts and circumstances.
6.31: The auditor should document discussions of significant findings
or issues with management and others, including the significant
findings or issues discussed, and when and with whom the discussions
took place.
6.32: If the auditor has identified information that contradicts or is
inconsistent with the auditor’s final conclusions regarding a
significant finding or issue, the auditor should document how the
contradiction or inconsistency was addressed in forming the conclusion.
6.33: In documenting the nature, timing, and extent of attest
procedures performed, the auditor should record:
a. who performed the attest work and the date such work was completed,
and;
b. who reviewed specific attest documentation and the date of such
review.
6.34: When the auditor does not comply with applicable unconditional or
presumptively mandatory GAGAS requirements, the auditor should document
the justification for the departure, the impact on the audit, and how
alternative procedures performed in the circumstances were sufficient
to achieve the objectives of the requirements. The auditor should also
follow the requirements in paragraphs 1.13 through 1.15.
6.35: The report should not be dated earlier than the date on which the
auditor has obtained sufficient, appropriate attest evidence to support
the reported information, conclusion, or opinion. Among other things,
attest evidence includes evidence that the attest documentation has
been reviewed and that the entity’s assertions have been prepared and
that management has asserted that it has taken responsibility for them.
6.36: The audit organization should adopt reasonable procedures to
retain and access attest documentation for a period of time sufficient
to meet the needs of the audit organization and to satisfy any
applicable legal or regulatory requirements for records retention.
6.37: The auditor should complete the assembly of the final attestation
engagement file on a timely basis, following the report release date
(documentation completion date). Statutes, regulations, or the audit
organization’s quality control policies may state a specific time in
which the assembly process should be completed.
6.38: At any time prior to the documentation completion date, the
auditor may make changes to the attest documentation to:
a. complete the documentation and assembly of attest evidence that the
auditor has obtained, discussed, and agreed with relevant members of
the attest team prior to the date of the attestation report;
b. perform routine file-assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and cross-
referencing final attest documentation;
c. sign-off on the attest documentation completion checklists prior to
completing and archiving the attestation engagement file, and;
d. add information received after the date of the report, for example,
an original document that was previously faxed.
6.39: After the documentation completion date, the auditors must not
delete or discard attest documentation before the end of the specified
retention period, as discussed in paragraph 6.36. When auditor finds it
necessary to make an addition (including amendments) to attest
documentation after the documentation completion date, the auditor
should document the addition by including the following in the
documentation:
a. when and by whom such additions were made and where applicable
reviewed;
b. the specific reasons for the changes, and;
c. the effect, if any, of the changes on the auditors’ conclusions.
6.40: Attest documentation allows for the review of audit quality by
providing the reviewer with documentation, either in written or
electronic formats, of the evidence supporting the auditors’
significant judgments and conclusions. If attest documentation is only
retained electronically, the audit organization should safeguard the
electronic documentation through sound computer security so that it is
capable of being accessed throughout the specified retention period
established for attest documentation.
6.41: Whether attest documentation is in paper, electronic, or other
media, the integrity, accessibility, and retrievability of the
underlying data may be compromised if the documentation could be
altered, added to, or deleted without the auditors’ knowledge, or could
be permanently lost or damaged. Accordingly, the auditor should apply
appropriate controls to safeguard attest documentation from alteration,
destruction, and unauthorized access.
6.42: Underlying GAGAS attestation engagements is the premise that
federal, state, and local government audit organizations and
independent accounting firms engaged to perform attestation engagements
in accordance with GAGAS cooperate in auditing programs of common
interest so that auditors may use others’ work and avoid duplication of
efforts. Auditors should make appropriate audit staff and individuals,
as well as attest documentation available, upon request, in a timely
manner to other auditors or reviewers. It is also essential that
contractual arrangements for GAGAS attestation engagements provide for
full and timely access to audit staff and individuals, as well as
attest documentation without restriction to facilitate reliance by
other auditors or reviewers on the auditors’ work.
6.43: Consistent with applicable laws and regulations, audit
organizations should develop clearly defined policies and criteria to
deal with situations where requests are made by outside parties to
obtain access to attest documentation. The audit organization should
include in its policies and procedures guidance for dealing with
situations where an outside party attempts to obtain indirectly through
the auditor information that it is unable to obtain directly from the
audited entity and how to respond to requests for access to audit
documentation before the attestation engagement is complete. The audit
organization should also include flexibility in its policies and
procedures to consider the individual facts and circumstances
surrounding such requests, for instance, cases when granting access or
providing certain information could adversely affect the audit
organization’s ability to successfully perform similar attestation
engagements in the future.
AICPA Reporting Standards for Attestation Engagements:
6.44: As discussed in paragraph 1.29, the AICPA SSAE provide for
different levels of reporting based on the type of assurance the
auditors are providing. [Footnote 88] The four AICPA reporting
standards for all levels of reporting under attestation engagements are
as follows:
[AICPA is currently in the process of revising the reporting standards
to use clarified language. GAO will monitor the status of AICPA’s
efforts in order to include the most up-to-date AICPA standards in the
final 2006 Revision of Government Auditing Standards.]
a. The report shall identify the subject matter or the assertion being
reported on and state the character of the engagement.
b. The report shall state the practitioner’s [auditor’s] conclusions
about the subject matter or the assertion in relation to the criteria
against which the subject matter was evaluated.
c. The report shall state all of the practitioner’s [auditor’s]
significant reservations about the engagement, the subject matter, and,
if applicable, the assertion related thereto.
d. The report shall state that the use of the report is restricted to
specified parties under the following circumstances: [Footnote 89] (1)
when the criteria used to evaluate the subject matter are determined by
the practitioner to be appropriate only for a limited number of parties
who either participated in their establishment or can be presumed to
have an adequate understanding of the criteria, (2) when the criteria
used to evaluate the subject matter are available only to specified
parties, (3) when reporting on subject matter and a written assertion
has not been provided by the responsible party, and (4) when the report
is on an attest engagement to apply agreed-upon procedures to the
subject matter.
Additional GAGAS Reporting Standards for Attestation Engagements:
6.45: GAGAS establish reporting standards for attestation engagements
in addition to the requirements contained in the AICPA SSAE. Auditors
should comply with these additional standards when citing GAGAS in
their attestation engagement reports. The additional GAGAS standards
relate to:
a. reporting auditors’ compliance with GAGAS (see paragraphs 6.46
through 6.48);
b. reporting deficiencies in internal control, potential fraud, illegal
acts, violations of provisions of contracts or grant agreements, or
abuse (see paragraphs 6.50 through 6.57);
c. reporting views of responsible officials (see paragraphs 6.58
through 6.63);
d. reporting privileged and confidential information (see paragraphs
6.64 through 6.66); and;
e. issuing and distributing reports (see paragraphs 6.67 through 6.71).
Reporting Auditors’ Compliance with GAGAS:
6.46: When auditors comply with all applicable GAGAS standards, they
should include a statement in the attestation report that they
performed the engagement in accordance with GAGAS.
6.47: The statement of compliance with GAGAS indicates that the
auditors have complied with all applicable GAGAS general and
attestation engagement standards, including underlying AICPA standards.
If the auditors did not follow applicable standards, or were not able
to follow applicable standards due to access problems or other scope
limitations, they should follow the requirements in paragraphs 1.13
through 1.15.
6.48: GAGAS do not prohibit auditors from issuing a separate report
conforming only to the requirements of other standards. When a GAGAS
attestation engagement is the basis for an auditors’ subsequent report
under the AICPA or other standards, auditors should consider including
a reference to the GAGAS report, as that report will contain additional
information on internal control, compliance with laws, regulations, and
provisions of contracts or grant agreements, potential fraud, or abuse
that GAGAS require.
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal
Acts, Violations of Provisions of Contracts or Grant Agreements, or
Abuse:
6.49: For attestation engagements, auditors should report, as
applicable to the objectives of the engagement, (1) deficiencies in
internal control considered to be material weaknesses or other
significant deficiencies, (2) all instances of potential fraud and
illegal acts unless clearly inconsequential, and (3) violations of
provisions of contracts or grant agreements or abuse that are material
to the subject matter or assertion of the engagement. In some
circumstances, auditors should report potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly to parties external to the entity. (See paragraphs 6.54
through 6.57.)
Reporting Deficiencies in Internal Control:
6.50: For all attestation engagements, auditors should report
deficiencies in internal control considered to be significant
deficiencies, including material weaknesses, as follows:
a. In attestation engagements, a significant deficiency is a deficiency
in internal control, or combination of deficiencies, that adversely
affects the entity’s ability to initiate, authorize, record, process,
or report data reliably in accordance with the applicable criteria or
framework such that there is more than a remote [Footnote 90]
likelihood that a misstatement of the subject matter or assertion that
is more than inconsequential [Footnote 91] will not be prevented or
detected.
b. In attestation engagements, a material weakness is a significant
deficiency, or combination of significant deficiencies, that results in
more than a remote likelihood that a material misstatement will not be
prevented or detected.
6.51: To the extent necessary to achieve the engagement objectives, in
presenting findings such as deficiencies in internal control, auditors
should develop the elements of criteria, condition, cause, and effect
to assist management or oversight officials of the audited entity in
understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding,
they should provide recommendations for corrective action. Following is
guidance for reporting on elements of findings:
a. Criteria: The required or desired state or what is expected from the
program or operation. The criteria are easier to understand when stated
fairly, explicitly, and completely, and the source of the criteria is
identified in the attestation engagement report. [Footnote 92]
b. Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report user
to gain an accurate perspective.
c. Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable and
convincing argument for why the stated cause is the key factor or
factors contributing to the difference as opposed to other possible
causes, such as poorly designed criteria or factors uncontrollable by
program management. The auditors also may consider whether the
identified cause could serve as a basis for the recommendations. Often
the causes of deficiencies in internal control are complex and
involve multiple factors. In some cases, it may not be practical for
auditors to fully develop or identify the causes of deficiencies.
However, analyzing and identifying root causes of internal control
deficiencies is key to making recommendations for corrective action.
d. Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the auditors
found (condition) and the required or desired state (criteria). Effect
is easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported
effect can be demonstrated through credible evidence.
6.52: Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar
value, as appropriate. If the results cannot be projected, auditors
should limit their conclusions appropriately.
6.53: When auditors detect deficiencies in internal control, potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse that are not material to the subject matter or
assertion, they should communicate those findings in a management
letter to officials of the audited entity unless they are clearly
inconsequential considering both qualitative and quantitative factors.
Auditors use professional judgment in determining whether and how to
communicate to officials of the audited entity deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse that are clearly
inconsequential. Auditors should include in their attest documentation
evidence of communications to officials of the audited entity about
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse.
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
6.54: Auditors should report potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse directly to
parties outside the audited entity in two circumstances, as discussed
below. [Footnote 93] This reporting is in addition to any legal
requirements for direct reporting of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
Auditors should follow these requirements even if they have resigned or
been dismissed from the attestation engagement prior to its
completion.
6.55: The audited entity may be required by law or regulation to report
certain potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse to specified external parties,
such as a federal inspector general or a state attorney general. When
auditors have communicated such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to
the audited entity and the entity fails to report them, the auditors
should communicate such an awareness to the governing body of the
audited entity. When the audited entity does not make the required
report as soon as possible after the auditors’ communication with the
those charged with governance, the auditors should report such
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse directly to the external party specified in
the law or regulation.
6.56: When potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse involves awards received
directly or indirectly from a government agency, auditors may have a
duty to report directly if management fails to take remedial steps.
When auditors conclude that such failure is likely to cause them to
depart from the standard report on the attestation engagement or resign
from the engagement, they should communicate that conclusion to those
charged with governance. If the audited entity does not report the
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse in a timely manner to the entity that
provided the government assistance, the auditors should report the
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse directly to the awarding entity.
6.57: Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by
management that it has reported potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
When auditors are unable to do so, the auditors should report such
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse directly as discussed above.
Reporting Views of Responsible Officials:
6.58: If the auditors’ report on the attestation engagement discloses
deficiencies in internal control, potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should obtain and report the views of responsible officials
concerning the findings, conclusions, and recommendations, as well as
planned corrective actions.
6.59: One of the most effective ways to provide a report that is fair,
complete, and objective is to provide a draft report for review and
comments by responsible officials of the audited entity and others, as
appropriate. Including the views of responsible officials results in a
report that presents not only the significant deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse the auditors identified, but
also the perspectives of the responsible official of the audited entity
and the corrective actions they plan to take. Auditors should include in
their report a copy of the officials’ written comments and/or a summary
of the comments received. In cases where the audited entity provides
technical comments in addition to its written comments on the report,
auditors use professional judgment in determining whether to include
such comments or disclose in the report that such comments were
provided.
6.60: Auditors ordinarily request that the responsible officials submit
in writing their views on the auditors’ reported findings, conclusions,
and recommendations, as well as management’s planned corrective
actions. However, oral comments are acceptable, and, in some cases, may
be the most expeditious way to obtain comments. Obtaining oral comments
can be effective when, for example, there is a time-critical reporting
date to meet a user’s needs; auditors have worked closely with the
responsible officials throughout the conduct of the work and the
parties are familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with
the draft report’s findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed in
the draft report. If oral comments are provided by the responsible
officials, auditors should prepare a summary of the oral comments and
provide a copy of the summary to the responsible officials to verify
that the comments are accurately stated prior to finalizing the report.
6.61: Auditors should fairly and objectively evaluate and recognize
comments, as appropriate, in the final report. Auditors may note
comments, such as a plan for corrective action, but should not accept
them as justification for dropping a finding or a related
recommendation without sufficient and appropriate evidence.
6.62: When the entity’s comments oppose the report’s findings,
conclusions, or recommendations, and are not, in the auditors’ opinion,
valid, or when planned corrective actions do not adequately address the
auditors’ recommendations, the auditors should state objectively their
reasons for disagreeing with the comments or planned corrective
actions. Conversely, the auditors should modify their report as
necessary if they find the comments valid.
6.63: If the audited entity refuses to provide comments or is unable to
provide comments within a reasonable period of time, auditors may need
to issue the report without receiving comments from the audited entity.
In such cases, auditors should describe in the report the reasons that
comments from the audited entity are not included.
Reporting Privileged and Confidential Information:
6.64: If certain pertinent information is prohibited from general
disclosure, auditors should disclose in the report that certain
information has been omitted and the requirement that makes the
omission necessary.
6.65: Certain information may be classified or may be otherwise
prohibited from general disclosure by federal, state, or local laws or
regulations. In such circumstances, auditors may issue a separate,
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded
from publicly available reports because of the potential damage that
could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors’ recommendations. The
auditors may consult with legal counsel regarding any requirements or
other circumstances that may necessitate the omission of certain
information.
6.66: Auditors consider the broad public interest in the program or
activity under review when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the engagement results or conceal improper
or unlawful practices.
Issuing and Distributing Reports:
6.67: Government auditors should submit attest reports to those charged
with governance, to the appropriate officials of the entity and to
appropriate officials of the organizations requiring or arranging for
the engagement, including external funding organizations such as
legislative bodies, unless legal restrictions prevent it. Auditors
should also send copies of the reports to other officials who have
legal oversight authority or who may be responsible for acting on the
findings and recommendations and to others authorized to receive such
reports. Auditors should clarify whether the report will be made
available for public inspection. If the subject matter of the
attestation engagement involves material that is classified for
security purposes or not releasable to particular parties or the public
for other valid reasons, auditors may limit the report distribution.
[Footnote 94] Auditors should document any limitation on report
distribution.
6.68: Although AICPA standards require that a report on an engagement
to evaluate an assertion based on agreed-upon criteria or on an
engagement to apply agreed-upon procedures should contain a statement
indicating it is intended to be used solely by the parties who have
agreed upon such criteria or procedures, such a statement does not
necessarily limit the report distribution in a government environment.
6.69: When nongovernment auditors are engaged to perform an attestation
engagement under GAGAS, they should clarify report distribution
responsibilities with the engaging organization. If nongovernment
auditors are to make the distribution, they should reach agreement with
the party contracting for the attestation engagement about which
officials or organizations should receive the report and the steps
being taken to make the report available to the public.
6.70: Internal auditors may follow the IIA’s standards for report
distribution, which state internal auditors also follow any applicable
statutory requirements for distribution. The head of the internal audit
organization should disseminate results to the appropriate parties. The
head of the internal audit organization is responsible for
communicating the final results to parties who are in a position to
take appropriate corrective actions. Distribution of reports outside
the organization ordinarily is made only in accordance with applicable
laws, rules, regulations, or policy.
6.71: If an attestation engagement is terminated before it is completed
but the auditors do not issue a report on the attestation engagement,
auditors should write a memorandum for the record that summarizes the
results of the work to the date of termination and explains why the
attestation engagement was terminated. In addition, depending on the
facts and circumstances, auditors should notify those charged with
governance, management of the entity, the entity requesting the
attestation engagement, and other appropriate officials, about the
termination of the engagement, preferably in writing. Auditors should
document this communication.
[End of chapter]
Chapter 7: Field Work Standards for Performance Audits:
Introduction:
7.01: This chapter establishes field work standards and provides
guidance for performance audits conducted in accordance with generally
accepted government auditing standards (GAGAS). The field work
standards for performance audits relate to planning the audit;
supervising staff; obtaining sufficient, appropriate evidence; and
preparing audit documentation.
7.02: See paragraphs 1.16 through 1.17 and 1.20 for a discussion about
the use of GAGAS with other standards.
7.03: See paragraphs 1.33 through 1.42 for an overall description of
the nature and objectives of performance audits and paragraphs 3.36
through 3.45 for a description for professional judgment in these
audits.
Significance in a Performance Audit:
7.04: Auditors use the concept of significance [Footnote 95] throughout
a performance audit. Auditor consider significance when deciding the
type and extent of audit work to perform, when evaluating results of
audit work, and when developing the report. Significance is defined
as the relative importance of a matter within the context in which it
is being considered, including quantitative and qualitative factors.
Such factors include relative magnitude, the nature and effect of the
matter, and the needs and interests of intended users or recipients.
Auditors use professional judgment when considering whether a matter is
significant within the context of the audit objectives. The auditors’
consideration is influenced by the relationship of the matter to the
audit objectives and the auditors’ perception of the needs of users of
the audit reports.
7.05: When making judgments about significance within the context of
the audit objectives, auditors consider the quantitative or qualitative
factors that make it probable that the auditors’ findings, conclusions
or recommendations would be affected by the matter if the matter had
been omitted from the auditors’ analysis. When making judgments about
significance to the needs of report users, auditors consider whether it
is probable that the judgment of a reasonable person relying on the
auditors’ report would have been changed or influenced if the matter
was omitted from the auditors’ analysis and disclosed in the audit
report. This includes the probability that the matter would change or
influence the decisions of intended users of the auditors’ report; or,
as another example, where the context is a judgment about whether to
report a matter to those charged with governance, whether the matter
would be regarded as important by those charged with governance in
carrying out their duties. When reporting on the results of their work,
auditors should disclose material or significant facts relevant to the
objectives of their work and known to them which, if not disclosed,
could mislead knowledgeable users, misrepresent the results, or conceal
significant improper or unlawful practices.
Audit Risk:
7.06: Auditors must plan the audit so that the auditors reduce audit
risk to a level that is sufficiently low for the auditors to provide
reasonable assurance that the evidence is sufficient and appropriate to
achieve the audit objectives and support the conclusions reached. This
determination is a matter of professional judgment. Audit risk is the
risk that auditors may provide improper findings, conclusions,
recommendations, or assurance because, for example, the information
obtained is not sufficient or not appropriate, the audit process was
inadequate, or intentional omissions or misleading information existed
due to misrepresentation or fraud. Factors such as the time frames,
complexity, or sensitivity of the work, size of the program in terms of
dollar amounts and number of citizens served, and access to records are
considered in the risk determination. Audit risk involves qualitative
and quantitative considerations. A component of audit risk is the risk
that auditors will not detect a mistake, inconsistency, or significant
error in the evidence supporting the audit. Auditors can reduce the
audit risk by using additional evidence, higher quality evidence and/or
alternative forms of evidence. When auditors cannot obtain alternative
forms of evidence, they should clearly describe the scope of work and
any limitations in the underlying information, so that (1) readers of
the auditors’ report are provided with a clear understanding as to what
the auditors did or did not do and (2) the findings, conclusions and
recommendations are not misleading. In such cases, auditors should also
follow the guidance in paragraphs 1.06 through 1.15.
Sufficient, Appropriate Evidence:
7.07: The concept of sufficient, appropriate evidence is integral to a
performance audit. Appropriateness is the measure of the quality of
information which encompasses its relevance, reliability, and validity
in providing support for achieving audit objectives. In assessing the
overall appropriateness of information, auditors should assess whether
the information is relevant, valid, and reliable. Sufficiency is a
measure of the quantity of evidence used to support the findings,
conclusions, and recommendations related to the audit objectives. In
determining the sufficiency of evidence, auditors should determine
whether enough evidence exists to persuade a knowledgeable person of the
reasonableness of the findings. Paragraphs 7.53 through 7.69 describe
the auditors’ assessment of appropriateness and sufficiency of
evidence.
Planning:
7.08: Auditors must adequately plan and document the planning of the
work necessary to achieve the audit objectives.
7.09: In planning the audit, auditors should assess significance and
risk in defining the audit objectives, and the scope and methodology to
achieve those objectives. Audit objectives, scope, and methodology are
not determined independently. Auditors determine these three elements
of the audit plan together, as the considerations in determining each
often overlap. Planning is a continuous process throughout the audit.
Therefore, auditors may need to make adjustments to the audit
objectives, scope, and methodology as work is being completed.
7.10: The objectives are what the audit is intended to accomplish. They
identify the audit subject matter and performance aspects to be
included, as well as the potential findings and reporting elements that
the auditors expect to develop. [Footnote 96] Audit objectives can be
thought of as questions about the program [Footnote 97] that auditors
seek to answer based on evidence obtained and assessed against criteria
or best practices.
7.11: Scope is the boundary of the audit and is directly tied to the
audit objectives. The scope defines the subject matter that the
auditors will assess and report on, such as a particular program or
aspect of a program, the period of time reviewed, and the locations
that will be included.
7.12: The methodology describes the nature and extent of audit
procedures for gathering and analyzing information to achieve the
objectives and address the relevant risks. Audit procedures are the
specific steps and tests auditors will carry out to address the audit
objectives. Auditors should design the methodology to provide
sufficient, appropriate evidence to achieve the audit objectives and
reduce audit risk to an acceptable level. Methodology includes both the
nature and extent of audit procedures used to achieve the audit
objectives. Auditors should also evaluate possible issues surrounding
the appropriateness of available information in planning the audit.
7.13: Auditors should plan and conduct performance audits to address
the relevant risks and to provide reasonable assurance that the
auditors have sufficient, appropriate evidence to achieve the audit
objectives while addressing the relevant risks. Thus, the levels of
evidence and tests of evidence will vary based on the audit objectives
and conclusions. Objectives for performance audits range from narrow
issues requiring specific evidence and answers, to broad issues
requiring extensive evidence to general questions which sometimes
require general answers. In some engagements, sufficient, appropriate
evidence is easily obtained, and in others, information may have
limitations. Auditors use professional judgment in determining the
audit scope and methodology needed to answer the audit’s objectives,
while providing the appropriate level of assurance that the obtained
evidence is sufficient and appropriate to meet the audit’s objectives.
7.14: During planning auditors should assess risk and significance by
considering:
a. the nature and profile of the programs and the needs of potential
users of the audit report (see paragraph 7.16 and 7.17);
b. internal control as it relates to the specific objectives and scope
of the audit (see paragraphs 7.18 through 7.24);
c. information systems controls for purposes of assessing audit risk
and planning the audit (see paragraphs 7.25 through 7.27);
d. legal and regulatory requirements, contract provisions, or grant
agreements, potential fraud, or abuse that are significant within the
context of the audit objectives (see paragraphs 7.28 through 7.34);
and;
e. the results of previous audits and attestation engagements that
directly relate to the current audit objectives (see paragraph 7.35).
7.15: During planning, the auditors also should:
a. identify the potential criteria needed to evaluate matters subject
to audit (see paragraph 7.36 through 7.37);
b. identify potential sources of audit evidence and consider the amount
and type of evidence needed given risk and significance (see paragraph
7.38 through 7.39);
c. consider whether the work of other auditors and experts may be used
to satisfy some of the audit objectives (see paragraphs 7.40 through
7.42);
d. assign sufficient staff and specialists with adequate collective
professional competence and identify other resources needed to perform
the audit (see paragraphs 7.43 through 7.44);
e. communicate about planning and performance of the audit to
management officials, those charged with governance, and others as
applicable (see paragraphs 7.45 and 7.46); and;
f. prepare an audit plan (see paragraphs 7.47 through 7.48).
Nature and Profile of the Program:
7.16: Auditors should obtain an understanding of the nature and profile
of the program or program component under audit and the potential use
that will be made of the audit results or report as they plan a
performance audit. The nature and profile of a program include:
a. visibility, sensitivity, and risks associated with the program under
audit;
b. newness of the program or changes in its conditions;
c. the size of the program in terms of total dollars and/or number of
citizens impacted;
d. role of the audit in providing information that can improve public
accountability and decision making (see paragraphs 1.01 and 1.02), and;
e. level and extent of review or other forms of independent oversight.
7.17: Auditors obtain an understanding of the program under audit to
help assess the risks associated with the program and the impact on the
audit objectives, scope and methodology. The auditors’ understanding
may come from knowledge they already have about the program or
knowledge they gain from inquiries and observations they make in
planning the audit. The extent and breadth of those inquiries and
observations will vary among audits based on the audit objectives, as
will the need to understand individual aspects of the program, such as
the following:
a. Laws, regulations, and provisions of contracts or grant agreements:
Government programs usually are created by law and are subject to
specific laws and regulations. For example, laws and regulations
usually set forth what is to be done, who is to do it, the purpose to
be achieved, the population to be served, and related funding
guidelines or restrictions. Government programs may also be subject to
provisions of contracts and grant agreements. Thus, understanding the
laws and the legislative history establishing a program and the
provisions of any contracts or grant agreements can be essential to
understanding the program itself. Obtaining that understanding is also
a necessary step in identifying provisions of laws, regulations,
contracts, or grant agreements that are significant within the context
of the audit objectives.
b. Purpose and goals: Purpose is the result or effect that is intended
or desired from a program’s operation. Legislatures usually establish
the program purpose when they provide authority for the program. Entity
officials may provide more detailed information on program purpose to
supplement the authorizing legislation. Entity officials are sometimes
asked to set goals for program performance and operations, including
both output and outcome goals. Auditors may use the stated program
purpose and goals as criteria for assessing program performance or may
develop additional criteria or best practices to use when assessing
performance.
c. Internal control: Internal control, often referred to as management
controls, in the broadest sense includes the plan, methods, and
procedures adopted by management to meet its missions, goals, and
objectives. Internal control includes the processes for planning,
organizing, directing, and controlling program operations. It includes
the systems for measuring, reporting, and monitoring program
performance. Internal control also serves as a defense in safeguarding
assets and preventing and detecting errors; potential fraud; violations
of laws, regulations, and provisions of contracts and grant agreements;
or abuse. Paragraphs 7.18 through 7.24 contain guidance pertaining to
internal control.
d. Efforts: Efforts are the amount of resources (in terms of money,
material, personnel, etc.) that are put into a program. These resources
may come from within or outside the entity operating the program.
Measures of efforts can have a number of dimensions, such as cost,
timing, and quality. Examples of measures of efforts are dollars,
employee-hours, and square feet of building space.
e. Program operations: Program operations are the strategies,
processes, and activities management uses to convert efforts into
outputs. Program operations are subject to internal control.
f. Outputs: Outputs represent the quantity of goods or services
produced by a program. For example, an output measure for a job
training program could be the number of persons completing training,
and an output measure for an aviation safety inspection program could
be the number of safety inspections completed.
g. Outcomes: Outcomes are accomplishments or results of programs. For
example, an outcome measure for a job training program could be the
percentage of trained persons obtaining a job and still in the work
place after a specified period of time. Examples of outcome measures
for an aviation safety inspection program could be the percentage
reduction in safety problems found in subsequent inspections and/or the
percentage of problems deemed corrected in follow-up inspections. Such
outcome measures show progress in achieving the stated program purposes
of helping unemployable citizens obtain and retain jobs, and improving
the safety of aviation operations. Outcomes may be influenced by
cultural, economic, physical, or technological factors outside the
program. Auditors may use approaches drawn from other disciplines, such
as program evaluation, to isolate the effects of the program from these
other influences. An especially important type of outcome is unexpected
effects which may be negative such as adverse drug reactions, or
positive such as increased private investment in an area of service.
Internal Control:
7.18: Auditors should obtain an understanding of internal control
significant within the context of the audit objectives. For those
internal control objectives that are significant within the context of
the audit objectives, auditors should assess whether specific internal
control procedures have been properly designed and placed in operation
and conduct specific tests of the effectiveness of the internal control
procedures. Based on the test results and the auditors’ assessment, the
auditors consider whether to modify the nature, timing, or extent of
their audit procedures. [Footnote 98] Officials of the audited entity
are responsible for establishing effective internal control. The lack
of administrative continuity in government units because of changes in
elected legislative bodies and in other government officials increases
the need for effective internal control.
7.19: The following discussion of the principal types of internal
control objectives is intended to help auditors better understand
internal controls and determine their significance to the audit
objectives:
a. Effectiveness and efficiency of program operations: Controls over
program operations include policies and procedures that officials of
the audited entity have implemented to provide reasonable assurance
that a program meets its objectives and that unintended actions do not
result. Understanding these controls can help auditors understand the
program operations that convert efforts to outputs or outcomes.
b. Validity and reliability of information: Controls over the validity
and reliability of information include policies and procedures that
officials of the audited entity have implemented to provide themselves
reasonable assurance that operational information they use and report
is valid and reliable and fairly disclosed in reports. These controls
help assure management that it is getting valid and reliable
information about whether programs are operating properly on an ongoing
basis. Understanding these controls can help auditors (1) assess the
risk that the information gathered by the entity may not be valid or
reliable and (2) design appropriate tests of the information
considering the audit objectives.
c. Compliance with applicable laws and regulations and provisions of
contracts or grant agreements: Controls over compliance include
policies and procedures that officials of the audited entity have
implemented to provide reasonable assurance that program implementation
is consistent with laws, regulations, and provisions of contracts or
grant agreements. Understanding the relevant controls concerning
compliance with those laws and regulations and provisions of contracts
or grant agreements that the auditors have determined are significant
can help auditors assess the risk of illegal acts, [Footnote 99]
violations of provisions of contracts or grant agreements, or abuse.
7.20: A subset of these categories of internal control objectives is
the safeguarding of assets and resources. Controls over the
safeguarding of assets and resources include policies and procedures
that officials of the audited entity have implemented to reasonably
prevent or promptly detect unauthorized acquisition, use, or
disposition of assets and resources.
7.21: Auditors can obtain an understanding of internal control[
Footnote 100] through inquiries, observations, inspection of documents
and records, review of other auditors’ reports, or direct tests. The
procedures auditors perform to obtain an understanding of internal
control will vary among audits based on audit objectives and risk. For
instance, poorly controlled or internally risky aspects of a program
have a higher risk of failure, so auditors may want to focus their
efforts in these areas. The extent of these procedures will vary based
on the audit objectives, known or potential internal control risks or
problems, and the auditors’ knowledge about internal control gained in
prior audits.
7.22 For those internal controls that are deemed significant within the
context of the audit objectives, auditors should plan to obtain
sufficient, appropriate evidence to support their assessment about the
effectiveness of those controls. (See paragraph 1.39 for examples of
internal control objectives.)
7.23: In performance audits, a deficiency in internal control exists
when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions,
to prevent or detect (1) impairments of effectiveness or efficiency of
operations (2) misstatements in financial or performance information,
or (3) violations of laws and regulations, on a timely basis.
7.24: Internal auditing is an important part of overall governance,
accountability, and internal control. [Footnote 101] A key role of many
internal audit organizations is to provide assurance that internal
controls in place are adequate to mitigate risks and achieve program
goals and objectives. When an assessment of internal control is called
for, the work of the internal auditors may be used in assessing whether
internal controls are effectively designed and functioning properly,
and to prevent duplication of effort.
Information Systems Controls:
7.25: Auditors should obtain a sufficient understanding of information
systems controls [Footnote 102] necessary to assess audit risk and plan
the audit. This assessment can be done in conjunction with the
auditors’ consideration of internal control as it relates to the
specific objectives and scope of audit (see paragraphs 7.18 through
7.24), or as a separate audit objective or audit procedure, depending
on the nature of the audit. Depending on the significance of
information systems controls to the audit objectives, the extent of
audit procedures to obtain such an understanding may be limited or
extensive. In addition, the nature and extent of audit risk is impacted
by the nature of the hardware and software used, the configuration of
the entity’s systems and networks, and the entity’s information systems
strategy, and the significance of information systems controls to the
audit objectives.
7.26: Auditors should determine the extent of audit procedures related
to information systems controls that are necessary to obtain
sufficient, appropriate evidence to support the audit findings,
conclusions, and recommendations. If auditors determine that it is
necessary to assess the effectiveness of information systems controls
in order to obtain sufficient, appropriate evidence, then such
information systems controls are significant to the audit. In making
this determination, auditors consider the following:
a. The extent to which internal controls that are significant to the
audit are processed by information systems or are dependent on the
reliability of information generated by information systems. As part of
assessing the effectiveness of such controls, auditors also should
assess the effectiveness of information systems controls that impact the
effectiveness of controls that are significant to the audit.
b. The availability of other evidence to support the findings,
conclusions, and recommendations. It may not be possible for auditors
to obtain sufficient, appropriate evidence without assessing the
effectiveness of relevant information systems controls. For example, if
information supporting the findings, conclusions, and recommendations
is generated by information systems or its reliability is dependent on
information systems controls there may not be sufficient supporting or
corroborating information or documentary evidence that is available
other than that produced by the information systems.
c. The relationship of information systems controls to data reliability
testing. To obtain evidence about the reliability of computer-generated
information, auditors may elect to assess the effectiveness of
information systems controls as part of testing the reliability
of the data. If information systems controls are determined to be
effective, the extent of direct testing of supporting documentation may
be reduced.
d. Assessing the effectiveness of information systems controls as an
audit objective. When assessing the effectiveness of information
systems controls is directly a part of an audit objective, auditors
should perform the testing of information systems controls necessary to
achieve the audit objectives. For example, the audit may involve the
effectiveness of information systems controls related to certain
systems, facilities, or organizations.
7.27: If information systems controls are considered to be significant
to the audit, auditors should assess the effectiveness of such
significant controls, including other information systems controls that
impact their effectiveness or the reliability of information used in
performing the significant control. Generally, if information systems
controls are considered significant to the audit, the auditors’
assessment of the effectiveness of information systems controls will
include both application controls and general controls, because
weaknesses in general controls can result in unauthorized changes to
applications and data that can circumvent or impair the effectiveness of
application controls. Application controls, sometimes referred to as
business process controls, are those controls that help ensure the
validity, completeness, accuracy, and confidentiality of transactions
and data during application processing. Examples of application
controls include controls over input, processing, output, master data,
application interfaces, and data management system interfaces.
Information systems general controls are the policies and procedures
that apply to all or a large segment of an entity’s information systems
and help ensure their proper operation. Examples of general controls
include security management, logical and physical access, configuration
management, segregation of duties, and contingency planning. Weaknesses
in general controls can result in unauthorized changes to applications
and data that can circumvent or impair the effectiveness of application
controls.
Legal and Regulatory Requirements, Contract Provisions, or Grant
Agreements, Potential Fraud, or Abuse:
7.28: In pursuing indications of possible fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should avoid interfering with potential investigations, and/or
legal proceedings. In some circumstances, laws, regulations, or
policies require auditors to report and/or refer indications of certain
types of fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse to law enforcement or investigatory
authorities before performing procedures. In cases where an
investigation is initiated or in process, it may be appropriate for
auditors to withdraw from or defer further work on the audit or a
portion of the audit in order not to interfere with an investigation.
Legal and Regulatory Requirements, Contracts, and Grants:
7.29: Auditors should determine which laws, regulations, and provisions
of contracts or grant agreements are significant within the context of
the audit objectives and assess the risk that illegal acts or
violations of provisions of contracts or grant agreements could occur.
Based on that risk assessment, the auditors should design and perform
procedures to provide reasonable assurance of detecting instances of
illegal acts or violations of provisions of contracts or grant
agreements that are significant within the context of the audit
objectives.
7.30: The auditors’ assessment of risk may be affected by such factors
as the complexity or newness of the laws, regulations, and provisions
of contracts or grant agreements. The auditors’ assessment of risk also
may be affected by whether the entity has controls that are effective
in preventing or detecting violations of laws, regulations, and
provisions of contracts or grant agreements. If auditors obtain
sufficient, appropriate evidence of the effectiveness of these
controls, they can reduce the extent of their tests of compliance.
Fraud:
7.31: In planning the audit, auditors should assess risks of potential
significant fraud [Footnote 103] within in the context of the audit
objectives. Auditors should discuss with management and the audit team
potential fraud risks, including potential fraud factors such as
individuals’ incentives or pressures to commit fraud, the opportunity
for fraud to occur, and rationalizations or attitudes that could allow
individuals to commit fraud. Auditors gather and assess information
necessary to identify potential fraud risks that are within the scope
of the audit objectives or could affect the results of their audit. For
example, auditors may obtain information through discussion with
officials of the audited entity or through other means to determine the
susceptibility of the program to potential fraud, the status of
internal controls the entity has established to detect and prevent
fraud, or the risk that officials of the audited entity could override
internal control. An attitude of professional skepticism in assessing
these risks will assist auditors in determining which factors or risks
could significantly impact the audit objectives and/or the audit
procedures needed to answer the audit objectives if fraud has occurred
or is likely to have occurred.
7.32: When auditors identify factors or risks related to potential
fraud that they believe are significant within the context of the audit
objectives, they should design procedures to provide reasonable
assurance of detecting potential fraud significant within the context
of the audit objectives. Assessing the risk of potential fraud is an
ongoing process throughout the audit and relates not only to planning
the audit but also to evaluating evidence obtained during the audit.
7.33: When information comes to the auditors’ attention (through audit
procedures, allegations received through fraud hotlines, or other
means) indicating that potential fraud may have occurred, auditors
should determine whether the potential fraud is significant within the
context of the audit objectives. If the potential fraud is significant
within the context of the audit objectives, auditors should extend the
audit steps and procedures, as necessary, to (1) determine if fraud
likely has occurred and (2) if so, determine its effect on the audit
findings. If the potential fraud is not significant within the context
of the audit objectives, the auditors should consider whether to conduct
additional audit work as a separate engagement, or refer the potential
fraud to other parties with oversight responsibility or jurisdiction
over such matters.
Abuse:
7.34: Abuse involves behavior that is deficient or improper when
compared with behavior that a prudent person would consider reasonable
and necessary business practice given the facts and circumstances.
[Footnote 104] Abuse also includes misuse of authority or position for
personal financial interests or those of an immediate or close family
member or business partner. Abuse is distinct from fraud, illegal acts,
or violations of provisions of contracts or grant agreements in that
abuse does not necessarily involve violation of laws, regulations, or
provisions of a contract or grant agreement. If during the course of
the audit, auditors become aware of indications of abuse that could be
quantitatively or qualitatively significant to the program under audit,
auditors should apply audit procedures specifically directed to
ascertain whether significant abuse has occurred and the potential
effect within the context of the audit objectives. Based on the facts
and circumstances, auditors may find it helpful to identify specific
risks or situations that are susceptible to abuse. In addition,
auditors remain alert throughout the audit to situations that could be
indicative of abuse. When information comes to the auditors’ attention
(through audit procedures, allegations received through a fraud
hotline, or other means) indicating that significant abuse may have
occurred, they should perform audit procedures, as necessary, to (1)
determine whether the abuse occurred and, if so, (2) determine its
potential effect on the audit findings. If the abuse is not significant
within the context of the audit objectives, the auditors should
consider whether to expand the scope of the current audit, conduct
additional audit work as a separate engagement, or refer the potential
abuse to other parties with oversight responsibility or jurisdiction
over such matters. Auditors assess both quantitative and qualitative
factors in making judgments regarding the significance of possible
abuse and whether they need to extend the audit steps and procedures.
However, because of the subjectivity involved in determining abuse,
auditors are not required to provide reasonable assurance of
detecting abuse.
Previous Audits and Attestation Engagements:
7.35: Auditors should determine whether the results of previous audits
and attestation engagements that directly relate to the audit
objectives have an impact on the current engagement, including whether
recommendations have been implemented. Auditors should identify
previous financial audits, attestation engagements, performance audits,
or other studies significant within the context of the audit objectives
and ask management of the audited entity to identify corrective actions
taken to address relevant findings, conclusions and recommendations.
Identifying Audit Criteria:
7.36: Auditors should identify audit criteria including the standards,
measures, expectations of what should exist, best practices, and
benchmarks against which performance is compared or evaluated. Criteria
provide a context for evaluating evidence and understanding the
findings, conclusions, and recommendations included in the report.
Auditors should use criteria that are objective, measurable, complete,
and relevant to the objectives of the performance audit.
a. Objectivity –free from bias.
b. Measurability –permit reasonably consistent assessments,
qualitative105 or quantitative, of subject matter.
c. Completeness –include relevant factors that could change a
conclusion about the subject matter.
d. Relevant –related to the subject matter.
7.37: The following are some examples of possible criteria:
a. purpose or goals prescribed by law or regulation or set by officials
of the audited entity;
b. policies and procedures established by officials of the audited
entity;
c. technically developed standards or norms;
d. expert opinions;
e. prior periods’ performance;
f. performance of similar entities;
g. performance in the private sector, or;
h. best practices of leading organizations.
Identifying Sources of Audit Evidence and the Amount and Type of
Evidence Required:
7.38: Auditors should identify potential sources of information that
could be used as audit evidence. Auditors should determine the amount
and type of evidence required to obtain sufficient, appropriate
evidence to meet the audit objectives and adequately plan audit work.
7.39: If auditors believe that it is likely that sufficient,
appropriate evidence will not be available, they should consider
revising the audit objectives or modifying the scope and methodology
and determine alternative procedures to meet the current audit
objectives. Auditors should disclose in the audit report revisions made
to the audit objectives due to the lack of sufficient, appropriate
evidence. Auditors should also evaluate whether the lack of sufficient,
appropriate evidence is due to internal control deficiencies or other
program weaknesses, and whether the lack of sufficient, appropriate
evidence is the basis for audit findings. (See paragraphs 7.53 through
7.69 for standards concerning evidence.
Considering Work of Others:
7.40: Auditors should determine whether other auditors have conducted,
or are conducting, audits of the program that could be relevant to the
current audit objectives. The results of other auditors’ work may be
useful sources of information for planning and performing the audit. If
other auditors have identified areas that warrant further audit work or
follow-up, their work may influence the auditors’ selection of
performance audit objectives, scope, and methodology.
7.41: If other auditors have completed audit work related to the
objectives of the auditors’ current audit, the current auditors may
wish to rely on the work of the other auditors to support findings,
recommendations or conclusions for the current audit and thereby, avoid
duplication of audit efforts. If auditors rely on the work of other
auditors, they should perform procedures regarding the specific work to
be relied on that provide a sufficient basis for that reliance.
Auditors should obtain evidence concerning the other auditors’
qualifications and independence and should determine whether the scope
and quality of the audit work performed by the other auditors is
adequate for reliance in the context of the current audit objectives.
Auditors can accomplish this by reviewing the report, audit plan, or
audit documentation, or by performing supplemental tests of the other
auditors’ work. The nature and extent of evidence needed will depend on
the significance of the other auditors’ work, on the extent to which
the auditors will rely on that work, and whether auditors plan to refer
to that work in their work.
7.42: If the audit objectives necessitate the use of specialized
techniques or methods that require skills or competence that the
auditors do not possess, they may need to rely on the work of
specialists. [Footnote 106] If auditors intend to rely on the work of
specialists, they should obtain an understanding of the qualifications
of the specialists. (See paragraph 3.05 for independence considerations
when relying on the work of others.) Auditors consider the following in
evaluating the professional qualifications of the specialist:
a. the professional certification, license, or other recognition of the
competence of the specialist in his or her field, as appropriate;
b. the reputation and standing of the specialist in the views of peers
and others familiar with the specialist’s capability or performance;
and;
c. the specialist’s experience and published work in the subject
matter.
Assigning Staff and Other Resources:
7.43: Audit management should assign sufficient staff and specialists
with adequate collective professional competence to perform the audit.
Staffing an audit includes, among other things:
a. assigning staff and specialists with the appropriate collective
knowledge, skills, and experience for the job;
b. assigning an adequate number of staff and supervisors to the audit;
c. providing for on-the-job training of staff; and;
d. engaging specialists when necessary.
7.44: If planning to use the work of a specialist, auditors should
determine and articulate nature and scope of the work to be performed
by the specialist, including:
a. the objectives and scope of the specialist’s work;
b. the intended use of the specialist’s work to support the audit
objectives;
c. documentation of the specialist’s procedures and findings so they
can be evaluated and related to other planned audit procedures;
d. the assumptions and methods used; and;
e. a comparison of how the methods and assumptions used compare with
those used in prior, related work.
Communicating with Management, Those Charged with Governance, and
Others:
7.45: Auditors should communicate information about the objectives,
scope and methodology, and timing of the performance audit and planned
reporting to the following individuals:
a. the head of the audited entity;
b. those charged with governance; [Footnote 107]
c. the individual who possesses a sufficient level of authority and
responsibility to implement corrective actions in the program or
activity being audited; and;
d. the individuals contracting for or requesting audit services, such
as contracting officials or legislative members or staff, if
applicable.
7.46: Auditors use professional judgment to determine the form,
content, and frequency of the communication, although written
communication is preferred. Auditors may use an engagement letter to
communicate the information. If an audit is terminated before it is
completed, auditors should write a memorandum for the audit
documentation that summarizes the results of the work and explains the
reasons why the audit was terminated. In addition, depending on the
facts and circumstances, auditors should consider the need to
communicate the reason for terminating the audit to those charged
with governance, management of the audited entity, the entity
requesting the audit, and other appropriate officials, preferably in
writing.
Preparing the Audit Plan:
7.47: Auditors must prepare a written audit plan for each audit. The
form and content of the written audit plan will vary among audits but
may include an audit strategy, audit program or project plan, a
memorandum, design matrix or paper, or other appropriate documentation
of key decisions about the audit objectives, scope, and methodology and
of the auditors’ basis for those decisions. Auditors should update the
plan, as necessary, to reflect any significant changes to the plan made
during the audit.
7.48: A written audit plan provides an opportunity for the audit
organization management to supervise audit planning and to determine
whether:
a. the proposed audit objectives are likely to result in a useful
report;
b. the audit plan adequately addresses relevant risks,
c. the proposed audit scope and methodology are adequate to satisfy the
audit objectives;
d. available evidence is likely to be sufficient and appropriate for
purposes of the audit, and:
e. sufficient staff with adequate collective professional competence
and other resources are available to perform the audit and to meet
expected time frames for completing the work.
Supervision:
7.49: Audit supervisors must properly supervise audit staff.
7.50: Audit supervisors should provide sufficient guidance and
supervision of staff assigned to the audit to accomplish the audit
objectives and follow applicable standards. Audit supervisors should
stay informed about significant problems encountered, review the work
performed, and provide effective on-the-job training.
7.51: Supervision involves clearly communicating to staff members so
they understand what work they are to do, why the work is to be
conducted, and what the work is expected to accomplish. With
experienced staff, supervisors may outline the scope of the work and
leave details to the staff. With less experienced staff, supervisors
may have to specify audit procedures to be performed as well as
techniques for gathering and analyzing data.
7.52: The nature and extent of the review of audit work may vary
depending on a number of factors, such as the size of the audit
organization, the significance of the work, and the experience of the
staff.
Obtaining Sufficient, Appropriate Evidence:
7.53: Auditors must obtain sufficient, appropriate evidence to provide
a reasonable basis for their findings, conclusions, and
recommendations.
7.54: In assessing information, auditors should conclude whether the
evidence taken as a whole is sufficient and appropriate for satisfying
the audit objectives. As audit objectives may vary widely, the level of
work necessary to assess sufficiency and appropriateness may likewise
vary widely. For example, in establishing the appropriateness of
evidence, auditors may test the reliability by obtaining supporting
information, using statistical testing or by obtaining corroborating
evidence. Auditors consider the concepts of audit risk and significance
in evaluating the audit evidence.
7.55: Auditors use professional judgment in determining sufficiency and
appropriateness of evidence. Auditors typically interpret, summarize,
or analyze information in the process of determining its
appropriateness and sufficiency and in reporting the results of
the work. When appropriate, auditors may use statistical methods to
analyze and interpret information to assess its sufficiency and
appropriateness.
Appropriateness:
7.56: Appropriateness is the measure of the quality of evidence, which
encompasses its relevance, reliability, and validity in providing
support for achieving audit objectives. [Footnote 108] In assessing the
overall appropriateness of evidence, auditors consider the relevance,
validity, and reliability of the evidence.
a. Relevance refers to the extent to which the information has a
logical relationship with, and importance to, the issue being
addressed.
b. Validity refers to how well the information actually represents what
the auditors are trying to evaluate.
c. Reliability refers to the consistency of results achieved and
includes the concepts of being verifiable or supported.
7.57: To assess the appropriateness of information, auditors consider
the different types of information and the source of the information.
Evidence may be obtained by observation, inquiry, or inspection. Each
type of evidence [Footnote 109] has its own strengths and weaknesses.
The following contrasts are useful in judging the appropriateness of
information. In each contrast, the first item generally provides a
higher quality of evidence. However, these contrasts are not to be
considered adequate in themselves to determine appropriateness. The
nature and types of evidence required to support auditors’ findings,
conclusions, and recommendations is a matter of the auditors’
professional judgment based on the audit objectives.
a. Evidence obtained when internal control is effective versus
information obtained when internal control is weak or nonexistent.
b. Information obtained through the auditors’ direct physical
examination, observation, computation, and inspection versus
information obtained indirectly.
c. Examination of original documents versus copies.
d. Testimonial information obtained under conditions where persons may
speak freely versus information obtained where the persons may be
intimidated given the circumstances.
e. Testimonial information obtained from an individual who is not
biased and has direct knowledge about the area versus testimonial
information obtained from an individual who is biased or has indirect
or partial knowledge about the area.
f. Information obtained from a knowledgeable, credible, and unbiased
third party versus from management or other officials of the audited
entity.
7.58: Testimonial evidence is often useful in interpreting or
corroborating documentary or physical information. Auditors should
evaluate the objectivity, credibility and reliability of the
testimonial evidence. (See 7.57 d and e above.) Similarly, documentary
evidence is used to help verify, support or challenge testimonial
information.
7.59: Evidence from surveys is generally self-reported information that
is frequently used to obtain information about existing conditions or
programs. Auditors should evaluate the objectivity, credibility, and
reliability of the self-reported information as well as the survey
design and administration.
7.60: When sampling is used, the method of selection that is most
appropriate will depend on the audit objectives. For example, when a
representative sample is appropriate, the use of statistical sampling
approaches would result in stronger evidence than that obtained from
non-statistical techniques. In cases where a representative sample is
not appropriate, a targeted selection may be more effective if the
auditors have isolated certain risk factors or other criteria used to
target the selection.
7.61: Auditors may use data gathered by officials of the audited entity
as part of their evidence. Before auditors use this type of
information, they should determine what the officials of the audited
entity or other auditors did to provide assurance over the reliability
of the information. If the procedures completed by officials of the
audited entity were adequate to support using the information in
relation to the audit objectives and if the results of such work are
current, auditors may be able to use the work to reduce their audit
procedures if, based on testing the work done by agency officials, the
data is sufficient and appropriate, in combination with other evidence.
7.62: When computer-processed information is used to support findings,
conclusions, and recommendations, auditors should perform procedures
for assessing the appropriateness of the information. Auditors should
assess the sufficiency and appropriateness of this type of data
regardless of whether computer-processed information is provided to
auditors or auditors independently extract them. The nature, timing and
extent of audit procedures to assess sufficiency and appropriateness is
affected by the effectiveness of the entity’s internal controls over
the information, including information system controls, and the
significance of the information and the level of detail presented in
the auditors’ findings, conclusions, and recommendations in light of
the audit objectives. Audit procedures to evaluate the effectiveness of
selected system controls includes (1) gaining a detailed understanding
of the system as it relates to the information and (2) identifying and
evaluating the general controls and application controls that are
critical to ensuring the reliability of the information required for the
audit.
The nature and extent of audit procedures to evaluate the effectiveness
of information system controls will vary based on the following:
a. the extent to which the information systems controls are significant
to the auditors’ overall assessment of appropriateness of information;
and;
b. the availability of other evidence to support the auditors’
findings, conclusions, and recommendations.
Sufficiency:
7.63: Sufficiency is a measure of the quantity of evidence used to
support the findings, conclusions, and recommendations related to the
audit objectives. Sufficiency is also dependent on the appropriateness
of the evidence. In determining the sufficiency of evidence, auditors
should determine whether enough evidence exists to support the
findings, conclusions, and recommendations.
7.64: The following presumptions are useful in judging the sufficiency
of evidence. The sufficiency of evidence required to support the
auditors’ findings, conclusions, and recommendations is a matter of the
auditors’ professional judgment.
a. The greater the audit risk, the greater the quantity of evidence
required.
b. Stronger evidence may allow less evidence to be used. The
appropriateness test (see 7.56 through 7.62) is closely interrelated
with decisions about sufficiency.
c. Having a large volume of audit evidence does not compensate for a
lack of relevance, validity and/or reliability.
Overall Assessment of Evidence:
7.65: Auditors use professional judgment to determine whether evidence
is sufficient and appropriate and the nature and extent of testing
necessary, in relation to the objectives of the audit. Professional
judgments about the sufficiency and appropriateness of evidence are
closely intertwined, as auditors interpret the results of audit testing
and evaluate whether the nature and extent of the evidence obtained is
sufficient and appropriate given the audit objectives. Auditors perform
an overall assessment of the collective evidence used to support
findings, conclusions, or recommendations. This overall assessment also
includes the results of any specific assessments conducted to conclude
on the validity and reliability of specific evidence.
7.66: Appropriateness and sufficiency of evidence are relative
concepts, which may be thought of in terms of a continuum, rather than
as absolutes. However, it may be helpful for auditors to consider the
overall appropriateness and sufficiency in terms of:
(1) sufficient and appropriate (2) not sufficient and appropriate, or
(3) of undetermined sufficiency and appropriateness in relation to the
audit objectives. Auditors consider sufficiency and appropriateness in
the context of the findings, conclusions, and recommendations. For
example, even though the auditors may have some uncertainty about the
sufficiency or appropriateness of the evidence, the auditors may
nonetheless determine that there is sufficient and appropriate evidence
given the findings, conclusions, or recommendations. (See paragraph
7.77 through 7.92 for documentation requirements.)
a. Evidence is considered to be sufficient and appropriate when using
the evidence provides the basis for an analysis that achieves the audit
objectives and provides a reasonable basis for their findings,
conclusions, or recommendations.
b. Evidence is considered to be not sufficient and appropriate when (1)
using the evidence carries an unacceptably high risk that it could lead
to an incorrect or improper conclusion or (2) the information has
significant or potentially significant limitations, given the
objectives and intended use of the information.
c. Evidence is considered to be of undetermined sufficiency and
appropriateness when (1) the auditors do not have an adequate basis to
conclude whether it achieves the audit objectives and provides a
reasonable basis for the findings, conclusions, and recommendations or
(2) the information has significant or potentially significant
limitations of unknown impact, given the objectives and the intended
use.
7.67: Auditors should assess the appropriateness and sufficiency of
evidence, in the aggregate, to provide a reasonable basis for the
findings, conclusions, and recommendations. When assessing the
appropriateness and sufficiency of evidence, auditors should evaluate
the expected significance within the context of the audit objectives
and conclusions, available corroborating evidence, and the level of
risk. The steps required to assess information may depend on the nature
of the information, how the information is used in the audit, and the
audit objectives.
7.68: When the auditors’ tests disclose errors in the information, or
when auditors use information of undetermined appropriateness, they
should apply additional procedures, as appropriate. Such procedures
include:
a. seeking independent, corroborating evidence from other sources so
that the evidence is sufficient and appropriate;
b. clearly indicating in the report the limitations of the information,
while refraining from using the information to make unwarranted
findings, conclusions or recommendations, and considering whether to
report the limitations of the information as an audit finding; or;
c. redefining the audit objectives or limiting the audit scope to
eliminate the need to use the information and fully disclosing in the
audit report revisions made to the audit objectives due to the lack of
sufficient, appropriate evidence.
7.69: How the use of information of undetermined sufficiency and
appropriateness affects the auditors’ report depends on the
significance of the information to the auditors’ findings, conclusions,
or recommendations in light of the audit objectives. For example,
auditors may use such information to provide background information. In
cases where auditors use information of undetermined sufficiency and
appropriateness to support audit findings conclusions, or
recommendations, auditors should fully disclose the fact that such
information is being used, assess the impact of using such information,
and use professional judgment to determine whether and to what extent to
qualify the audit findings and conclusions. Auditors use professional
judgment in determining the impact on the audit objectives and
compliance with GAGAS. (See paragraphs 1.13 through 1.15.)
Audit Findings:
7.70: The elements needed for developing a finding depend on the
objectives of the audit. A finding or set of findings is complete to
the extent that the audit objectives are satisfied and the report
clearly relates those objectives to the elements of a finding. Audit
findings often have been regarded as containing the elements of
criteria, condition, cause, and effect. Criteria are discussed in
paragraph 7.36 through 7.37, and the other elements of a finding--
condition, effect, and cause--are discussed in the following
paragraphs:
7.71: Condition: Condition is a situation that exists. The auditors
determine and document condition during the audit. Generally, a
description of the condition is necessary to convey the nature and
extent of the finding to the reader.
7.72: Effect or Potential Effect: The effect or potential effect
identifies the outcomes or consequences of the condition. When the
auditors’ objectives include identifying the actual or potential
consequences of a condition that varies (either positively or
negatively) from the criteria identified in the audit, “effect” is a
measure of those consequences. Auditors often use effect or potential
effect to demonstrate the need for corrective action in response to
identified problems or risks. When the auditors’ objectives include
estimating the extent to which a program has caused changes in
physical, social, or economic conditions, “effect” is a measure of the
impact achieved by the program. In this case, effect is the extent to
which positive or negative changes in actual physical, social, or
economic conditions can be identified and attributed to program
operations.
7.73: Cause: The cause identifies the reason or explanation for the
condition. When the auditors’ objectives include explaining why a
particular type of positive or negative program performance, output, or
outcome identified in the audit occurred, they are referred to as
“cause.” Identifying the cause of problems can assist auditors in making
constructive recommendations for correction. Because problems can
result from a number of plausible factors or multiple causes, the
recommendation can be more persuasive if auditors can clearly
demonstrate and explain with evidence and reasoning the link between
the problems and the factor or factors they have identified as the
cause. When the auditors’ objectives include estimating the program’s
effect on changes in physical, social, or economic conditions, auditors
seek evidence of the extent to which the program itself is the “cause”
of those changes. Auditors may identify deficiencies in internal
control that are significant to the subject matter of the performance
audit as the cause of deficient performance. In reporting this type of
finding, the deficiencies in internal control would be described as the
“cause.” Often the causes of deficiencies in internal control are
complex and involve multiple factors, including fundamental, systemic
root causes. In some cases, it may not be practical or possible for
auditors to fully develop or identify the causes of deficiencies.
However, analyzing and identifying root cause of deficiencies is key to
making recommendations for corrective actions.
Audit Documentation:
7.74: The auditor must prepare audit documentation in connection with
each engagement in sufficient detail to provide a clear understanding
of the work performed (including the nature, timing, extent, and
results of audit procedures performed), the audit evidence obtained and
its source, and the conclusions reached. Audit documentation:
a. provides the principal support for the statement in the auditors’
report that the auditors performed the audit in accordance with GAGAS
and any other standards cited, and;
b. provides the principal support for the auditors’ conclusions.
7.75: Audit documentation is an essential element of audit quality.
Although documentation alone does not guarantee audit quality, the
process of preparing sufficient and appropriate documentation
contributes to the quality of an audit.
7.76: The auditor should prepare audit documentation that enables an
experienced auditor, [Footnote 110] having no previous connection to
the audit, to understand:
a. the nature, timing, and extent of auditing procedures performed to
comply with GAGAS and other applicable legal and regulatory
requirements;
b. the results of the audit procedures performed and the audit evidence
obtained;
c. how the audit evidence supports the audit findings and conclusions,
and;
d. the conclusions reached on significant matters.
7.77: In addition to the audit documentation requirements listed in the
previous paragraph, auditors should document the following for
performance audits:
a. the planning, objectives, scope, and methodology of the audit,
including sampling and other selection criteria used;
b. the auditors’ risk assessment;
c. the auditors’ determination that certain standards did not apply or
that an applicable standard was not followed, the reasons supporting
their determinations, and the known effect that not following the
applicable standard had, or could have had, on the audit;
d. the work performed to support significant judgments, findings,
conclusions and recommendations, including descriptions of transactions
and records examined; [Footnote 111]
e. evidence of supervisory reviews, before the audit report is issued,
of the work performed that supports findings, conclusions, and
recommendations contained in the audit report;
f. work performed as part of the appropriateness assessment, including
the following items, as applicable: testing, information review,
analysis, and knowledge gained related to the quality of the
information;
g. decisions made during the overall assessment of evidence, including
the auditors’ final assessment of whether the information is sufficient
and appropriate for the purposes of the audit;
h. communications with management and others;
i. evidence of communications about deficiencies in internal control
found during the audit;
j. evidence of communications to officials of the audited entity about
instances of potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse;
k. the availability of the report for public inspection; and;
l. if the audit does not result in a report, a memorandum for the
record that summarizes the results of the work and explains the reason
the audit was terminated, and any communications regarding the
termination of the audit.
7.78: Certain matters, such as auditor independence and staff training,
that are not engagement specific, may be documented either centrally in
the audit organization or in the documentation for the audit.
Documentation of matters specific to a particular audit are included in
the audit documentation file for the specific audit.
7.79: The form, content, and extent of audit documentation depend on the
circumstances of the engagement and the audit methodology and tools
used. Oral explanations on their own do not represent sufficient
support for the work the auditor performed or conclusions the auditor
reached but may be used by the auditor to clarify or explain
information contained in the audit documentation. It is, however,
neither necessary nor practicable to document every matter the auditor
deals with during the audit.
7.80: The auditor should document significant findings or issues,
actions taken to address them (including any additional evidence
obtained), and the basis for the final conclusions reached. Judging the
significance of a finding or issue requires an objective analysis of
the facts and circumstances.
7.81: The auditor should document discussions of significant findings
or issues with management and others, including the significant
findings or issues discussed, and when and with whom the discussions
took place.
7.82: If the auditor has identified information that contradicts or is
inconsistent with the auditor’s final conclusions regarding a
significant finding or issue, the auditor should document how the
contradiction or inconsistency was addressed in forming the
conclusion.
7.83: In documenting the nature, timing, and extent of audit procedures
performed, the auditor should record:
a. who performed the audit work and the date such work was completed,
and;
b. who reviewed specific audit documentation and the date of such
review.
7.84: When documenting procedures performed, such as tests of specific
transactions that involve inspection of documents, auditors should
include the identifying characteristics of the specific items tested.
7.85: When the auditor does not comply with applicable unconditional or
presumptively mandatory GAGAS requirements, the auditor should document
the justification or reason for the departure, the impact of the
departure, and whether alternative procedures performed in the
circumstances were sufficient to achieve the objectives of the
requirement. The auditor should also follow the requirements in
paragraphs 1.13 through 1.15.
7.86: Underlying GAGAS audits is the premise that federal, state, and
local government audit organizations and independent accounting firms
engaged to perform performance audits in accordance with GAGAS
cooperate in auditing programs of common interest so that the auditors
may use others’ work and avoid duplication of effort. Auditors should
make appropriate audit staff and individuals, as well as audit
documentation available, upon request, in a timely manner to other
auditors or reviewers. It is also essential that contractual
arrangements for GAGAS audits provide for full and timely access to
audit staff and individuals, as well as audit documentation to
facilitate reliance by other auditors or reviewers on the auditors’
work.
7.87: Consistent with applicable laws and regulations, audit
organizations should develop clearly defined policies and criteria to
deal with situations where requests are made by outside parties to
obtain access to audit documentation. Audit organizations should
develop clearly defined policies and criteria for responding to
requests made by outside parties to obtain access indirectly through
the auditor information that it is unable to obtain directly from the
audited entity and how to respond to requests for access to audit
documentation before the audit is complete. The audit organization
should also include flexibility in its policies and procedures to
consider the individual facts and circumstances surrounding a request,
for instance, cases when granting access or providing certain
information would serve to adversely affect the ability of the audit
organization to successfully perform similar audits in the future.
7.88: The audit organization should adopt reasonable procedures to
retain and access audit documentation for a period of time sufficient
to meet the needs of the audit organization and to satisfy any
applicable legal or regulatory requirements for records retention.
7.89: The auditor should complete the assembly of the final audit file
on a timely basis, following the report release date (documentation
completion date). Statutes, regulations, or the audit organization’s
quality control policies may state a specific time in which the
assembly process should be completed.
7.90: At anytime prior to the documentation completion date, the
auditor may make changes to the audit documentation to:
a. complete the documentation and assembly of audit evidence that the
auditor has obtained, discussed, and agreed with relevant members of
the audit team prior to the date of the audit report;
b. perform routine file-assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and cross-
referencing final audit documentation;
c. sign-off on file completion checklists prior to completing and
archiving the audit file, and;
d. add information received after the date of the report, for example,
an original document that was previously faxed.
7.91: After the documentation completion date, the auditors should not
delete or discard audit documentation before the end of the specified
retention period, as discussed above in paragraph 7.88. When the
auditor finds it necessary to make an addition (including amendments)
to audit documentation after the documentation completion date, the
auditor should document the addition by including the following in the
documentation:
a. when and by whom such additions were made and, where applicable,
reviewed;
b. an audit trail that clearly shows the specific changes;
c. the specific reasons for the changes, and;
d. the effect, if any, of the changes on the auditors’ conclusions.
7.92: Whether audit documentation is in paper, electronic, or other
media, the integrity, accessibility, and retrievability of the
underlying data may be compromised if the documentation could be
altered, added to, or deleted without the auditors’ knowledge, or if
the documentation could be permanently lost or damaged. Accordingly,
auditors should apply appropriate controls to protect audit
documentation from alteration, destruction, and unauthorized access.
[End of chapter]
Chapter 8: Reporting Standards for Performance Audits:
Introduction:
8.01: This chapter establishes reporting standards and provides
guidance applicable to performance audits conducted in accordance with
generally accepted government auditing standards (GAGAS). The reporting
standards for performance audits relate to the form of the report, the
report contents, and report issuance and distribution.
8.02: See paragraphs 1.16 through 1.17 and 1.20 for a discussion about
the use of GAGAS with other standards.
Reporting:
8.03: Auditors must prepare audit reports communicating the results of
each audit.
8.04: Auditors should utilize a form of the audit report that is
appropriate for its intended use, and should prepare reports in writing
or in some other retrievable form. For example, audit reports also may
be presented on electronic media that are retrievable by report users
and the audit organization, such as video or compact disc formats. The
users’ needs, likely demand, and distribution will influence the form
of the audit report used. In addition to a more traditional
presentation of audit results, such as a chapter report or a letter
report, briefing slides and/or other presentation materials that are
complete and retrievable are considered to be audit reports. Regardless
of form, auditors should comply with all applicable reporting
standards.
8.05: The purpose of audit reports is to (1) communicate the results of
audits to those charged with governance, the appropriate officials of
the audited entity, and the appropriate oversight officials (2) make
the results available to the public, and (3) facilitate follow-up to
determine whether appropriate corrective actions have been taken. The
need to maintain public accountability for government programs demands
that audit reports be retrievable.
8.06: If an audit is terminated before it is completed, auditors should
notify those charged with governance, appropriate officials of the
audited entity, and the entity requesting the audit, and other
appropriate officials about the termination of the audit, preferably in
writing.
Report Contents:
8.07: Auditors should prepare audit reports which include (1) the
objectives, scope, and methodology of the audit; (2) the audit results,
including findings, conclusions, and recommendations, as appropriate;
(3) a reference to compliance with generally accepted government
auditing standards; (4) the views of responsible officials; and (5) if
applicable, the nature of any privileged and confidential information
omitted.
Objectives, Scope, and Methodology:
8.08: Auditors should include in the report a description of the audit
objectives and the scope and methodology used for achieving the audit
objectives. This information is essential for report users to
understand the purpose of the audit and the nature and extent of the
audit work performed, context and perspective as to what is reported,
and any significant limitations in audit objectives, scope, or
methodology.
8.09: Audit objectives for performance audits may vary widely and may
encompass a variety of objectives, as discussed in 1.34. Auditors
should communicate audit objectives in the audit report in a clear,
specific, neutral and unbiased manner that includes relevant
assumptions, including why the audit organization undertook the
assignment and state what the report is expected to accomplish. The
reported audit objectives provide more meaningful information to report
users if they are measurable and feasible and are not presented in a
broad or general manner. To reduce misunderstanding in cases where the
objectives are particularly limited and broader objectives can be
inferred, auditors may state objectives that were not part of the
audit.
8.10: Auditors should clearly describe the scope of the work performed
and any limitations; any applicable standards that were not followed,
the reasons for not following the applicable standards, and how not
following the applicable standards affected or could affect the results
of the work. For example, if the auditors are unable to determine the
appropriateness of evidence, and such evidence is critical to achieving
the audit objectives, auditors should clearly state in the report the
limitations associated with the evidence and refrain from making
unwarranted findings, conclusions or recommendations. Auditors should
address issues that a reasonable person would need to know to
reasonably interpret the findings, conclusions and recommendations in
the report and not be misled.
8.11: To report the methodology used, auditors should clearly explain
the audit work completed to address the audit objectives, including the
evidence gathering and analysis techniques used, in sufficient detail
to allow knowledgeable users of their reports to understand how the
auditors addressed the audit objectives. In situations when extensive
and/or multiple sources of information are used by auditors, the
auditors should consider whether to include a description of the
procedures performed as part of the auditors’ assessment of the
appropriateness of information used as audit evidence. Auditors should
identify any significant assumptions made in conducting the audit;
describe any comparative techniques applied; describe the criteria
used; and, when sampling significantly supports auditors’ findings,
conclusions or recommendations, describe the sample design and state
why it was chosen, including whether the results can be projected to
the intended population.
8.12: In describing the work conducted to accomplish the audit’s
objectives, auditors should, as applicable, explain the relationship
between the population of items sampled and what was audited; identify
organizations, geographic locations, and the period covered; report the
kinds and sources of evidence; and explain any significant limitations
or uncertainties based on the auditors’ overall assessment of the
sufficiency and appropriateness of the evidence in the aggregate.
Auditors should also report any significant constraints imposed on the
audit approach by information limitations or scope impairments,
including demands of access to certain records or individuals.
8.13: How the use of information of undetermined sufficiency and
appropriateness affects the auditors’ report depends on the
significance of the information to the auditors’ findings, conclusions,
or recommendations in light of the audit objectives. For example,
auditors may use such information to provide background information. In
cases where auditors use information of undetermined sufficiency and
appropriateness to support audit findings conclusions, or
recommendations, auditors should fully disclose the fact that such
information is being used, assess the impact of using such
information, and use professional judgment to determine whether and to
what extent to qualify the audit findings and conclusions. If the use
of such information is significant to the auditors’ findings and
conclusions, auditors should determine the impact on the audit
objectives and compliance with GAGAS. (See paragraphs 1.13 through
1.15.)
Findings:
8.14: In the audit report, auditors should present sufficient,
appropriate evidence to support the findings, conclusions and
recommendations in relation to the audit objectives. Auditors should
present findings in a manner to promote adequate understanding of the
matters reported and to provide convincing but fair presentations
in proper perspective that are compelling. Auditors consider the
significance of evidence as they develop the report findings,
conclusions and recommendations. In making judgments about
significance, auditors consider whether the judgment of a reasonable
person relying on the auditors’ report would have been changed or
influenced if the matter had been disclosed in the audit report. This
includes the probability that the matter would change or influence the
decisions of intended users of the auditors’ report; or, as another
example, where the context is a judgment about whether to report a
matter to those charged with governance, whether the matter would be
regarded as important by those charged with governance in carrying out
their duties. Auditors may provide selective background information to
provide the context for the overall message and to help the reader
understand the findings and significance of the issues discussed.
[Footnote 112]
8.15: If information necessary to achieve the audit objectives is not
available or is determined to be not appropriate, auditors may report
the issue as a finding and make related recommendations, if such
information is significant to the performance of the program being
audited. If the limitations of the information are partially or wholly a
result of internal control deficiencies, auditors should recommend
actions necessary to address the deficiencies.
8.16: As discussed in chapter 7, audit findings have often been
regarded as containing the elements of criteria, condition, cause, and
effect. (See 7.36 through 7.37 and 7.70 through 7.73). However, the
elements needed for a finding depend on the audit objectives. For
example, an audit objective may be limited to determining the current
status or condition of implementing legislative requirements, and not
the related cause or effect. Thus, a finding or set of findings is
complete to the extent that the auditors achieve the audit objectives
and the report clearly relates those objectives to the elements of the
finding.
8.17: To the extent necessary to achieve the audit objectives, in
presenting findings, auditors should develop the elements of criteria,
condition, cause, and effect to assist management or oversight
officials of the audited entity in understanding the need for taking
corrective action. In addition, if auditors are able to sufficiently
develop the elements of a finding, they should provide recommendations
for corrective action if they are significant within the context of the
audit objectives. Following is guidance for reporting on elements of
findings:
a. Criteria: The required or desired state and/or what is expected from
the program or operation. The criteria are easier to understand when
stated objectively, explicitly, and completely and when the source of
the criteria is identified in the audit report. [Footnote 113]
b. Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report user
to gain an accurate perspective.
c. Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable and
convincing argument for why the stated cause is the key factor or
factors contributing to the difference as opposed to other possible
causes, such as poorly designed criteria or factors uncontrollable by
program management. The auditors also may consider whether the
identified cause could serve as a basis for the recommendations. Often
the causes of deficiencies in internal control are complex and involve
multiple factors. In some cases, it may not be practical for auditors
to fully develop or identify all of the causes of deficiencies.
However, analyzing and identifying root causes of internal control
deficiencies are key to making recommendations for corrective action.
d. Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the auditors
found (condition) and the required or desired state (criteria). Effect
is easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported
effect can be demonstrated through credible evidence.
8.18: Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors may relate the instances identified to the population or the
number of cases examined and quantify the results in terms of dollar
value, as appropriate. If the results cannot be projected, auditors
should limit their conclusions appropriately.
8.19: Auditors should report deficiencies [Footnote 114] in internal
control that are significant within the context of the objectives of
the performance audit, all instances of potential fraud and illegal
acts unless they are clearly inconsequential, [Footnote 115]
significant violations of provisions of contracts or grant agreements,
and significant abuse.
Reporting Deficiencies in Internal Control:
8.20: Auditors should include in the audit report (1) the scope of
their work on internal control and (2) deficiencies in internal control
that are significant within the context of the audit objectives. When
auditors detect deficiencies in internal control that are not
significant to the objectives of the performance audit, they should
communicate those deficiencies in a separate letter to officials of the
audited entity unless the deficiencies are clearly inconsequential
considering both qualitative and quantitative factors. If the auditors
have communicated deficiencies to officials of the audited entity
during the course of the audit, they should refer to that communication
in the audit report. Whether or how to communicate deficiencies that
are clearly inconsequential to officials of the audited entity is a
matter of the auditors’ professional judgment.
8.21: In a performance audit, auditors may conclude that identified
deficiencies in internal control that are significant within the
context of the audit objectives are the cause of the deficient
performance. In reporting this type of finding, the internal control
deficiency would be described as the cause.
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse:
8.22: When auditors conclude, based on evidence obtained, that
potential fraud, illegal acts, significant violations of provisions of
contracts or grant agreements, or significant abuse either has occurred
or may have occurred, they should report the matter as a finding.
[Footnote 116]
8.23: When reporting instances of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should place the findings in perspective by describing the
extent of work performed that resulted in the finding. To give the
reader a basis for judging the prevalence and consequences of these
findings, the auditors may relate the instances identified to the
population or the number of cases examined and quantify the instances
in terms of dollar value, as appropriate. If the results cannot be
projected, auditors should limit their conclusions appropriately.
8.24: When auditors detect potential violations of provisions of
contracts or grant agreements, or abuse that is not significant, they
should communicate those findings in a separate letter to officials of
the audited entity unless the findings are clearly inconsequential,
considering both qualitative and quantitative factors. Auditors should
refer to that letter in the audit report. Whether or how to communicate
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse that are clearly inconsequential to
officials of the audited entity is a matter of the auditors’
professional judgment. Auditors should include in their audit
documentation evidence of communications to officials of the audited
entity about deficiencies in potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse.
8.25: When auditors conclude that potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
either have occurred or are likely to have occurred, they may consult
with authorities and/or legal counsel about whether publicly reporting
certain information about the potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse would
compromise investigative or legal proceedings. Auditors should limit
their public reporting to matters that would not compromise those
proceedings, such as information that is already a part of the public
record.
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse:
8.26: Auditors should report potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse directly to
parties outside the audited entity in two circumstances, as discussed
below. [Footnote 117] This reporting is in addition to any legal
requirements for direct reporting of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
Auditors should follow these requirements even if they have resigned or
been dismissed from the audit prior to its completion.
8.27: The audited entity may be required by law or regulation to report
certain potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse to specified external parties,
such as a federal inspector general or a state attorney general.
When auditors have communicated such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to
the audited entity and the audited entity fails to report them, then
the auditors should communicate such an awareness to the governing body
of the audited entity. When the audited entity does not make the
required report as soon as possible after the auditors’ communication
with those charged with governance, then the auditors should report
such potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to the external party
specified in the law or regulation.
8.28: When potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse involves awards received
directly or indirectly from a government agency, auditors may have a
duty to report directly if management fails to take remedial steps.
When auditors conclude that such failure is likely to cause them to
report such findings or resign from the audit, they should communicate
that conclusion to those charged with governance of the audited entity.
If the audited entity does not report the potential fraud, illegal act,
violation of provisions of contracts or grant agreements, or abuse in a
timely manner to the entity that provided the government assistance, the
auditors should report the potential fraud, illegal act, violation of
provisions of contracts or grant agreements, or abuse directly to that
entity.
8.29: Auditors should obtain sufficient, appropriate evidence to
corroborate assertions by management that it has reported potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse. When auditors are unable to do so, then they
should report such potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse directly as
discussed above.
Conclusions:
8.30: Auditors should report conclusions related to the audit
objectives and the audit findings and recommendations. Report
conclusions are logical inferences about the program based on the
auditors’ findings, not merely a summary of the findings. The
strength of the auditors’ conclusions depends on the sufficiency, and
appropriateness of the evidence supporting the findings and the
soundness of the logic used to formulate the conclusions. Conclusions
are stronger if they lead to the auditors’ recommendations and convince
the knowledgeable user of the report that action is necessary.
Recommendations:
8.31: Auditors should recommend actions to correct problems identified
during the audit and to improve programs and operations when the
potential for improvement in programs, operations, and performance is
substantiated by the reported findings and conclusions. Auditors should
make recommendations that logically flow from the findings and
conclusions that clearly state the recommended actions.
8.32: Constructive recommendations can encourage improvements in the
conduct of government programs and operations. For recommendations to
be most constructive, auditors should make recommendations that are
directed at resolving the cause of identified problems, action oriented
and specific, and addressed to parties that have the authority to act.
Statement on Compliance with GAGAS:
8.33: When auditors comply with all applicable GAGAS standards, they
should include a statement in the audit report that they performed the
audit in accordance with GAGAS and include the following language in
the report:
We conducted this performance audit in accordance with Generally
Accepted Government Auditing Standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence
that provides a reasonable basis for our findings and conclusions based
on our audit objectives. We believe that the evidence obtained provides
a reasonable basis for our findings and conclusions based on our audit
objectives.
8.34: The statement of compliance with GAGAS indicates that the
auditors have complied with all applicable GAGAS general and auditing
standards. When the auditors did not follow applicable standards, or
were not able to follow applicable standards due to access problems or
other scope limitations, they should follow the requirements in
paragraphs 1.13 through 1.15.
Reporting Views of Responsible Officials:
8.35: Auditors should obtain and report the views of responsible
officials [Footnote 118] of the audited program concerning auditors’
findings, conclusions, and recommendations, and planned corrective
actions. Auditors should also include an evaluation of those views in
the report.
8.36: One of the most effective ways to develop a report that is fair,
complete, and objective is to provide a draft report for review and
comment by responsible officials of the audited entity and others, as
appropriate. Including the views of responsible officials results in a
report that presents not only the auditors’ findings, conclusions, and
recommendations, but also the perspectives of the responsible officials
of the audited entity and the corrective actions they plan to take.
Auditors should include in their report a copy of the officials’
written comments or a summary of the comments received along with the
auditors’ evaluation of the comments. In cases when the audited entity
provides technical comments in addition to its written comments on the
report, auditors should use professional judgment in determining
whether to include such comments or disclose in the report that such
comments were provided.
8.37: Auditors ordinarily request that the responsible officials submit
in writing their views on the auditors’ reported findings, conclusions,
and recommendations, as well as management’s planned corrective
actions. However, oral comments are acceptable and, in some cases, may
be the most expeditious way to obtain comments. Obtaining oral comments
can be effective when, for example, there is a time-critical reporting
date to meet a user’s needs; auditors have worked closely with the
responsible officials throughout the conduct of the work and the
parties are familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with
the draft report’s findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed in
the draft report. If oral comments are provided by the responsible
officials, auditors should prepare a summary of the oral comments and
provide a copy of the summary to the responsible officials to verify
that the comments are accurately stated prior to finalizing the report.
8.38 Auditors should fairly and objectively evaluate and recognize
comments, as appropriate, in the final report. Auditors may note
comments, such as a plan for corrective action, but should not accept
them as justification for dropping a finding or a related
recommendation without sufficient and appropriate evidence.
8.39: When the audited entity’s comments are inconsistent or in
conflict with the report’s findings, conclusions, or recommendations
and are not, in the auditors’ opinion, valid, or when planned
corrective actions do not adequately address the auditors’
recommendations, the auditors should evaluate the validity of the
audited entity’s comments. If the auditors disagree with the comments,
they should state in the report their reasons for disagreeing with the
comments or planned corrective actions. Conversely, the auditors should
modify their report as necessary if they find the officials’ comments
to be valid.
8.40: If the audited entity refuses to provide comments or is unable to
provide comments within a reasonable period of time, auditors may need
to issue the report without receiving comments from the audited entity.
In such cases, auditors should describe in the report the reasons that
comments from the audited entity are not included.
Reporting Privileged and Confidential Information:
8.41: If information related to the audit objectives is prohibited from
general disclosure, auditors should disclose in the report that certain
information has been omitted and the requirement that makes the
omission necessary.
8.42: Certain information may be classified or may be otherwise
prohibited from general disclosure by federal, state, or local laws or
regulations. In such circumstances, auditors may issue a separate,
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded
from publicly available reports because of the potential damage that
could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors’ recommendations. The
auditors may consult with legal counsel regarding any requirements or
other circumstances that may necessitate the omission of certain
information.
8.43: Auditors consider the broader public interest in the program or
activity under review when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the audit results or conceal improper or
unlawful practices.
Report Issuance and Distribution:
8.44: Government auditors should submit audit reports to those charged
with governance, to the appropriate officials of the audited entity and
to the appropriate officials of the organizations requiring or
arranging for the audits, including external funding organizations,
such as legislative bodies, unless legal restrictions prevent it.
Auditors should also send copies of the reports to other officials who
have legal oversight authority or who may be responsible for acting on
audit findings and recommendations, and to others authorized to receive
such reports. Auditors should clarify whether the report will be made
available for public distribution.
8.45: If the subject of the audit involves material that is classified
for security purposes or is not releasable to particular parties or the
public for other valid reasons, auditors may limit the report
distribution. [Footnote 119] Auditors should document any limitation on
report distribution.
8.46: When nongovernment auditors are engaged to perform the audit
under GAGAS, they should clarify report distribution responsibilities
with the engaging organization. If the nongovernment auditors are to
make the distribution, they should reach agreement with the party
contracting for the audit about which officials or organizations should
receive the report and the steps being taken to make the report
available to the public.
8.47: Internal auditors may follow the IIA standards for report
distribution, which state internal auditors also follow any applicable
statutory requirements for distribution. The head of the internal audit
organization should disseminate results to the appropriate parties. The
head of the internal audit organization is responsible for
communicating the final results to parties who are in a position to
take appropriate corrective actions. Distribution of reports outside
the organization ordinarily is made only in accordance with applicable
laws, rules, regulations, or policy.
[End of chapter]
Appendix:
Introduction:
A.01: The following sections provide supplemental guidance for auditors
and the audited entities to assist in the implementation of GAGAS. The
guidance is not intended to establish additional auditor requirements
but instead is to facilitate auditor implementation of the standards
contained in chapters 1 through 8. The supplemental guidance in the
first section may be of assistance for all types of audits and
engagements covered by GAGAS. Subsequent sections provide supplemental
guidance for specific chapters of GAGAS, as indicated.
Overall Supplemental Guidance:
A.02: Chapters 4 through 8 discuss the field work and reporting
standards for financial audits, attestation engagements, and
performance audits. The identification of significant deficiencies in
internal control, significant abuse, fraud risks, and significant laws,
regulations, or provisions of contract or grant agreements are
important aspects of government auditing. The following discussion is
provided to assist auditors with identifying significant deficiencies
in internal control, abuse, and indicators of fraud risk and to assist
auditors with determining whether laws, regulations, or provisions of
contracts or grant agreements are significant to the audit objectives.
Examples of Significant Deficiencies in Internal Control:
A.03: Auditor requirements for reporting significant deficiencies in
internal control are discussed in paragraphs 5.13 through 5.18, 6.49
through 6.53, and 8.20 through 8.21. The following are examples of
matters that may be significant deficiencies, including material
weaknesses, depending on the facts and circumstances:
a. Ineffective oversight by those charged with governance of the
entity’s financial reporting, performance reporting, or internal
control, or an ineffective overall governance structure.
b. Restatement of previously issued financial statements to reflect the
correction of a material misstatement or significant corrections made
to previously reported performance or operational results.
c. Identification by the auditor of a material misstatement in the
financial statements for the period under audit that was not initially
identified by the entity’s internal control. This includes
misstatements involving estimation and judgment for which the auditor
identifies potential material adjustments and corrections of the
recorded amounts. (This is a strong indicator of a material weakness
even if management subsequently corrects the misstatement.)
d. An ineffective internal audit function or risk assessment function
at an entity for which such functions are important to the monitoring
or risk assessment component of internal control, such as for a very
large or highly complex entity.
e. Identification of fraud of any magnitude on the part of senior
management.
f. Failure by management or those charged with governance to assess the
effect of a significant deficiency previously communicated to them and
either correct it or conclude that it will not be corrected.
g. An ineffective control environment. Control deficiencies in various
other components of internal control could lead the auditor to conclude
that a significant deficiency or material weakness exists in the
control environment.
h. Inadequate provisions for the safeguarding of assets.
i. Evidence of intentional override of internal control by those in
authority to the detriment of the overall objectives of the system.
j. Deficiencies in the design or operation of internal control that
could result in violations of laws, regulations, provisions of
contracts or grant agreements; fraud; or abuse having a direct and
material effect on the financial statements or the audit objective.
Examples of Abuse:
A.04: [Placeholder for discussion of examples of abuse.]
Examples of Indicators of Fraud Risk:
A.05: In some circumstances, conditions such as the following might
indicate a heightened risk of fraud:
a. the entity’s financial stability, viability, or budget is threatened
by economic, programmatic, or entity operating conditions;
b. the nature of the audited entity’s operations provide opportunities
to engage in fraud;
c. inadequate monitoring by management for compliance with policies,
laws, and regulations;
d. the organizational structure is unstable or unnecessarily complex;
e. lack of communication and/or support for ethical standards by
management;
f. management has a willingness to accept unusually high levels of risk
in making significant decisions;
g. a history of impropriety, such as previous issues with fraud, waste,
abuse, or questionable practices, or past audits or investigations with
findings of questionable or criminal activity;
h. operating policies and procedures have not been developed or are
outdated;
i. key documentation is often lacking or does not exist;
j. lack of asset accountability or safeguarding procedures;
k. improper payments;
l. false or misleading information; or;
m. a pattern of large procurements in any budget line with remaining
funds at year end, in order to “use up all of the funds available.”
Determining Whether Laws, Regulations, or Provisions of Contracts or
Grant Agreements Are Significant to Audit Objectives:
A.06: Government programs are subject to many laws, regulations, and
provisions of contracts or grant agreements. At the same time their
significance to audit objectives vary widely, depending on the
objectives of the audit. Auditors may find the following approach
helpful in assessing whether laws, regulations, or provisions of
contracts or grant agreements are significant to audit objectives:
a. Reduce each audit objective to questions about specific aspects of
the program being audited (that is, purpose and goals, internal
control, inputs, program operations, outputs, and outcomes).
b. Identify laws, regulations, and provisions of contracts or grant
agreements that directly relate to specific aspects of the program
included in questions that reflect the audit objectives.
c. Determine if the audit objectives or the auditors’ conclusions could
be significantly affected if violations of those laws, regulations, or
provisions of contracts or grant agreements occurred. If the audit
objectives or audit conclusions could be significantly affected, then
those laws, regulations, and provisions of contracts or grant agreements
are likely to be significant to the audit objectives.
A.07: Auditors may consult with legal counsel to (1) determine those
laws and regulations that are significant to the audit objectives, (2)
design tests of compliance with laws and regulations, or (3) evaluate
the results of those tests. Auditors also may consult with legal
counsel when audit objectives require testing compliance with
provisions of contracts or grant agreements. Depending on the
circumstances of the audit, auditors may consult with others, such as
investigative staff, other audit organizations or government entities
that provided assistance to the audited entity, or applicable law
enforcement authorities, to obtain information on compliance matters.
Information to Accompany Chapter 1:
A1.01: Chapter 1 discusses the use and application of GAGAS and the
role of auditing in government accountability. Those charged with
governance and management of audited organizations also have roles in
government accountability. The discussion which follows is provided to
assist auditors in understanding the roles of others in accountability.
The following section also contains background information on the laws,
regulations and guidelines which require the use of GAGAS. This
information is provided to place the requirements contained in GAGAS
within the context of overall government accountability.
The Role of Those Charged with Governance in Accountability:
A1.02: Those charged with governance are responsible for overseeing the
strategic direction of the entity and obligations related to the
accountability of the entity. This includes overseeing the financial
reporting process, subject matter, or program under audit including
related internal controls. In certain entities covered by GAGAS, those
charged with governance also may be part of the entity’s management. In
some audit entities, multiple parties may be charged with governance,
including oversight bodies, members or staff of legislative committees,
boards of directors, audit committees, or parties contracting for the
audit.
Because the governance structures of government entities and
organizations can vary widely, it may not always be clearly evident who
is charged with key governance functions. In these situations, auditors
evaluate the organizational structure for directing and controlling
operations to achieve the entity’s objectives. This evaluation also
includes how the government entity delegates authority and establishes
accountability for its management personnel.
Management’s Role in Accountability:
A1.03: Officials of the audited entity (for example, managers of a
state or local governmental entity or a nonprofit entity that receives
federal awards) are responsible for:
a. using government resources efficiently, economically, effectively,
equitably, and legally to achieve the purposes for which the resources
were furnished or the program was established; [Footnote 120]
b. complying with applicable laws and regulations, including
identifying the requirements with which the entity and the official
must comply and implementing systems designed to achieve that
compliance;
c. establishing and maintaining effective internal control to help
ensure that appropriate goals and objectives are met; using resources
efficiently, economically, effectively, and equitably, and safeguarding
resources; following laws and regulations; and ensuring that management
and financial information is reliable and properly reported;
d. providing appropriate reports to those who oversee their actions and
to the public in order to be accountable for the resources and
authority used to carry out government programs and the results of
these programs;
e. addressing the findings and recommendations of auditors, and for
establishing and maintaining a process to track the status of such
findings and recommendations; and;
f. following sound procurement practices when contracting for audits
and attestation engagements, including ensuring procedures are in place
for monitoring contract performance.
A1.04: Management of the audited entity is responsible for resolving
audit findings and recommendations and for having a process to track
progress in resolving the findings and recommendations.
A1.05: Management of the audited entity is responsible for taking
timely and appropriate steps to remedy fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse that auditors
report to it.
Laws, Regulations, and Guidelines that Require Use of GAGAS:
A1.06: The following are among the laws, regulations, and guidelines
that require use of GAGAS:
a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000)
requires that the statutorily appointed federal inspectors general
comply with GAGAS for audits of federal establishments, organizations,
programs, activities, and functions. The act further states that the
inspectors general shall take appropriate steps to assure that any work
performed by nonfederal auditors complies with GAGAS.
b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as
expanded by the Government Management Reform Act of 1994 (Public Law
103-356), requires that GAGAS be followed in audits of executive branch
departments’ and agencies’ financial statements.
c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require
that GAGAS be followed in audits of state and local governments and
nonprofit entities that receive federal awards. [Footnote 121] Office
of Management and Budget (OMB) Circular A-133, Audits of States, Local
Governments, and Non-Profit Organizations, which provides the
governmentwide guidelines and policies on performing audits to comply
with the Single Audit Act, also requires the use of GAGAS.
d. The Accountability of Tax Dollars Act of 2002 extends the
requirement to prepare and submit audited financial statements to most
executive agencies not subject to the Chief Financial Officers Act
unless they are exempted by OMB. These covered agencies are required to
follow GAGAS in their financial statement audits, but are not required
to have systems that are compliant with FFMIA.
A1.07: Other laws, regulations, or other authoritative sources could
require the use of GAGAS. For example, auditors at the state and local
levels of government may be required by state and local laws and
regulations to follow GAGAS. Also, auditors may be required by the
terms of an agreement or contract to comply with GAGAS. Auditors may
also be required by federal audit guidelines pertaining to program
requirements, such as those issued for Housing and Urban Development
programs and Student Financial Aid programs.
A1.08: Even if not required to do so, auditors may find it useful to
follow GAGAS in performing audits of federal, state, and local
government programs as well as in performing audits of government
awards administered by contractors, nonprofit entities, and other
nongovernment entities. Many audit organizations not formally required
to do so, both in the United States of America and in other countries,
voluntarily follow GAGAS.
Information to Accompany Chapters 3:
A3.01: Chapter 3 discusses the general standards applicable when
performing financial audits, attestation engagements, and performance
audits under GAGAS. Auditors may also provide professional services,
other than audits and attestation engagements which are sometimes
referred to as consulting services. GAGAS do not cover nonaudit services
since such services are not audits or attestation engagements. If an
audit organization decides to perform nonaudit services, their
independence for performing audits or attestation engagements may be
impacted. Nonaudit services which may impair or do impair auditor
independence are discussed in chapter 3. The following supplemental
guidance is provided to assist auditors and audited entities in
identifying nonaudit services that are often provided by government
audit organizations without impairing their independence with respect
to entities for which they provide audit or attest services by
providing examples of such services.
Nonaudit Services:
A3.02: Government audit organizations frequently are requested to
provide or are required to provide nonaudit services that differ from
the traditional professional services provided to or for an
audit/attest entity. These types of nonaudit services are often
performed in response to a statutory requirement, under the authority
of the audit organization, or for a legislative oversight body or an
independent external organization and generally do not impair auditor
independence. (The requirements for evaluating whether nonaudit
services impair auditor independence are in chapter 3, paragraphs 3.24
through 3.35.)
A3.03: Examples of the types of services under this category include
the following:
a. Providing information or data to a requesting party without auditor
evaluation or verification of the information or data;
b. Developing standards, methodologies, audit guides, audit programs,
or criteria for use throughout the government or for use in certain
specified situations;
c. Collaborating with other professional organizations to advance
auditing of government organizations;
d. Developing question and answer documents to promote understanding of
technical issues or standards;
e. Providing assistance and technical expertise to legislative bodies
or independent external organizations and assisting legislative bodies
by developing questions for use at a hearing;
f. Providing training, speeches, and technical presentations;
g. Developing surveys, collecting responses on behalf of others, and
reporting results as “an independent third party;”
h. Providing oversight assistance in reviewing budget submissions;
i. Contracting for audit services on behalf of an audited entity and
overseeing the audit contract, as long as the overarching principles
are not violated and the auditor under contract reports to the audit
organization and not to management;
j. Assessing the advantages and disadvantages of legislative proposals;
k. Identifying best practices for users in evaluating program or
management system approaches, including financial and information
management systems; and;
l. Audit, investigative, and oversight-related services that do not
involve a full-scope GAGAS audit (but which could be performed as an
audit, if the audit organization elects to do so), such as:
(1) Investigations of alleged fraud, violation of contract provisions
or grant agreements, or abuse;
(2) Review-level work such as sales tax reviews that are designed to
ensure the governmental entity receives from businesses, merchants and
vendors all of the sales taxes to which it is entitled;
(3) Periodic audit recommendation follow-up engagements and reports;
(4) Identifying best practices or leading practices for use in
advancing the practices of government organizations;
(5) Analyzing cross-cutting and emerging issues; and;
(6) Providing forward-looking analysis involving programs.
Information to Accompany Chapter 7:
A7.01: Chapter 7 discusses the field work standards for performance
audits. An integral concept for performance auditing is the use of
sufficient, appropriate evidence based on the audit objectives to
support a sound basis for audit findings, conclusions, and
recommendations. The following discussion is provided to assist
auditors in identifying the various types of evidence and assessing the
appropriateness of information or evidence in relation to the audit
objectives.
Types of Evidence:
A7.02: In terms of its form and how it is collected, evidence may be
categorized as physical, documentary, or testimonial. Physical evidence
is obtained by auditors’ direct inspection or observation of people,
property, or events. Such evidence may be documented in memoranda,
photographs, videos, drawings, charts, maps, or physical samples.
Documentary evidence is obtained in the form of already existing
information such as letters, contracts, accounting records, invoices,
spreadsheets, database extracts, electronically stored information, and
management information on performance. Testimonial evidence is obtained
through inquiries, interviews, focus groups, public forums, or
questionnaires. Auditors frequently use analytical processes including
computations, comparisons, separation of information into components,
and rational arguments to analyze any information gathered to determine
whether it is sufficient and appropriate. [Footnote 122]
Appropriateness of Information in Relation to the Audit Objectives:
A7.03: One of the primary factors influencing the assurance associated
with a performance audit is the appropriateness of the information in
relation to the audit objectives. For example:
a. The audit objectives might focus on verifying specific quantitative
results presented by the audited entity. In these situations, the
performance audit would likely provide reasonable assurance about the
accuracy of the specific amounts in question. This work may include the
possible use of statistical sampling.
b. The audit objectives might focus on the performance of a specific
program or activity in the agency being audited. In this situation, the
auditor may have to use specific information compiled by the agency
being audited in order to answer the audit objectives. In this
situation, the auditor may find it necessary to test the quality of the
information, which includes both its validity and reliability.
c. The audit objectives might focus on information that is used for
widely-accepted purposes and obtained from sources generally recognized
as appropriate. For example, economic statistics issued by government
agencies for purposes such as adjusting for inflation, or other such
information issued by authoritative organizations, may be the best
information available. In such cases, it may not be practical or
necessary for auditors to conduct procedures to verify the information.
These decisions call for professional judgment based on the nature of
the information, its common usage or acceptance, and how it is being
used in the audit. Paragraphs 7.56 through 7.62 in chapter 7 discuss
the factors the auditor should consider.
d. The audit objectives might focus on comparisons or benchmarking
between various government functions or agencies. These types of audits
are especially useful for analyzing the outcomes of various public
policy decisions. In these cases, auditors may perform analyses, such
as comparative statistics of different jurisdictions or changes in
performance over time, where it would be cost prohibitive and/or
impractical to do a verification of the detailed data underlying the
statistics. Clear disclosure as to what extent the comparative
information or statistics were evaluated or corroborated will place the
information in proper context for report users.
e. The audit objectives might focus on trend information. In this
situation, auditors may use overall analytical tests, combined with a
knowledge and understanding of the systems or processes used for
compiling information.
f. The audit objectives might focus on the auditor identifying emerging
and cross-cutting issues using information compiled or self-reported by
agencies. In such cases, it may be helpful for the auditor to consider
the overall appropriateness of the compiled information with other
information available about the program. Other sources of information,
such as Inspector General reports or other external audits may provide
the auditors with information regarding whether any unverified or self-
reported information is consistent with or can be corroborated by these
other external sources of information.
[End of appendix]
Members of the Comptroller General’s Advisory Council on Government
Auditing Standards:
Mr. Jack R. Miller, Chair:
KMPG LLP (Retired):
(member 1997-1998; chair 2001-2008):
The Honorable Ernest A. Almonte:
Office of the Auditor General:
State of Rhode Island:
(member 2001-2008):
Dr. Paul A. Copley:
James Madison University:
(member 2005-2008):
Mr. David Cotton:
Cotton & Co. LLP:
(member 2006-2009):
The Honorable Debra K. Davenport:
Office of the Auditor General:
State of Arizona:
(member 2002-2005):
Ms. Kristine Devine:
Deloitte & Touche, LLP:
(member 2005-2008):
Dr. John H. Engstrom:
Northern Illinois University:
(member 2002-2005):
The Honorable Richard L. Fair:
Office of the State Auditor:
State of New Jersey:
(member 2002-2005):
Dr. Ehsan Feroz:
University of Minnesota Duluth:
(member 2002-2009):
The Honorable Phyllis Fong:
U.S. Department of Agriculture:
(member 2004-2006):
Mr. Alex Fraser:
Standard & Poor’s:
(member 2006-2009):
The Honorable Gregory H. Friedman:
U.S. Department of Energy:
(member 2002-2005):
Mr. Mark Funkhouser:
Office of City Auditor:
Kansas City, Missouri:
(member 2005-2008):
Dr. Michael H. Granof:
University of Texas at Austin:
(member 2005-2008):
Mr. Jerome Heer:
Office of the County Auditor:
Milwaukee, Wisconsin:
(member 2004-2006):
Ms. Marion Higa:
Office of State Auditor:
State of Hawaii:
(member 2006-2009):
The Honorable John P. Higgins, Jr.:
U.S. Department of Education:
(member 2005-2008):
Mr. Russell Hinton:
Office of the State Auditor:
State of Georgia:
(member 2004-2006):
Mr. Richard A. Leach:
United States Navy:
(member 2005-2008):
Mr. Patrick L. McNamee:
PricewaterhouseCoopers, LLP:
(member 2005-2008):
Mr. Rakesh Mohan:
Office of Performance Evaluations:
Idaho State Legislature:
(member 2004-2006):
The Honorable Samuel Mok:
U.S. Department of Labor:
(member 2006-2009):
Mr. Harold L. Monk:
Davis Monk & Company, CPAs:
(member 2002-2009):
Mr. William Monroe:
Office of Auditor General:
State of Florida:
(member 2004-2006):
Mr. Stephen L. Morgan:
Office of the City Auditor:
Austin, Texas:
(member 2001-2008):
Mr. Robert M. Reardon, Jr.:
State Farm Insurance Companies:
(member 2002-2005):
Mr. Brian A. Schebler:
McGladrey & Pullen, LLP:
(member 2005-2008):
Mr. Gerald Silva:
Office of the City Auditor:
San Jose, California:
(member 2002-2009):
Mr. Barry R. Snyder:
Federal Reserve Board:
(member 2001-2008):
Mr. James R. Speer:
JP Associates, Inc.:
(member 2004-2006):
Dr. Daniel Stufflebeam:
Western Michigan University:
(member 2002-2009):
The Honorable Nikki Tinsley:
U. S. Environmental Protection Agency:
(member 2002-2005):
Mr. George Willie:
Bert Smith & Co.:
(member 2004-2006):
GAO Project Team:
Jeffrey C. Steinhoff, Managing Director:
Jeanette M. Franzel, Project Director:
Marcia B. Buchanan, Assistant Director:
Gail F. Vallieres, Assistant Director:
Michael C. Hrapsky, Senior Project Manager:
Heather I. Keister, Senior Auditor:
Maxine L. Hattery, Communications Analyst:
Jennifer V. Allison, Council Administrator:
[End of section]
Footnotes:
[1] The term equity in this context refers to the approaches used by a
government organization to provide services to citizens in a fair
manner within the context of the statutory parameters of the specific
government programs.
[2] For additional information on management’s responsibility, see
appendix paragraphs A1.01-A1.05.
[3] The term “auditor“ throughout this document includes individuals
performing work under GAGAS, and therefore, individuals who may have
the titles auditor, analyst, evaluator, inspector, or other similar
titles.
[4] The term “audit organizations“ is used throughout the standards to
refer to government audit organizations as well as independent public
accounting firms that perform audits using GAGAS.
[5] The terminology used in GAGAS to designate professional
requirements and explanatory material is consistent with the AICPA’s
Statement on Auditing Standard No. 102, Defining Professional
Requirements in Statements on Auditing Standards.
[6] Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), issuers
(generally, publicly traded companies with securities registered under
the Securities and Exchange Act of 1934) and their public accounting
firms are subject to rules and standards of the Public Company
Accounting Oversight Board. Nonissuer refers to any entity other than
an issuer under Federal securities laws, such as privately held
companies, not-for-profit entities, and government entities.
[7] Because GAGAS incorporate the field work and reporting standards of
the AICPA for financial audits performed in which U.S. auditing
standards are to be followed, auditors are not required to cite
compliance with the AICPA standards when citing compliance with GAGAS,
although both sets of standards may be cited.
[8] The three U.S.-based authoritative bodies for establishing
accounting principles and financial reporting standards are the Federal
Accounting Standards Advisory Board (federal government), the
Governmental Accounting Standards Board (state and local governments),
and the Financial Accounting Standards Board (nongovernmental
entities).
[9] Special reports apply to auditors‘ reports issued in connection
with the following: (1) financial statements that are prepared in
conformity with a comprehensive basis of accounting other than
generally accepted accounting principles; (2) specified elements,
accounts, or items of a financial statement; (3) compliance with
aspects of contractual agreements or regulatory requirements related to
audited financial statements; (4) financial presentations to comply
with contractual agreements or regulatory requirements; or (5)
financial information presented in prescribed forms or schedules that
require a prescribed form of auditors‘ report. (See AICPA Professional
Standards, AU 623.)
[10] For consistency within GAGAS, the word “auditor“ is used to
describe individuals conducting and reporting on attestation
engagements.
[11] As stated in the AICPA SSAEs, auditors should not perform review-
level work for reporting on internal control or compliance with laws
and regulations.
[12] Data gathering without auditor evaluation or verification of the
data is not a performance audit, but a nonaudit service.
[13] The term “program“ is used in this document to include government
entities, organizations, programs, activities, and functions.
[14] The term “internal control“ in this document is synonymous with
the term management control and, unless otherwise stated, covers all
aspects of an entity‘s operations (programmatic, financial, and
compliance).
[15] These objectives focus on combining cost information with
information about outputs or the benefit provided and outcomes or the
results achieved.
[16] Compliance requirements can be either financial or nonfinancial in
nature.
[17] Independence requirements are discussed in chapter 3.
[18] Individual auditors who are members of professional organizations
or are licensed or certified professionals may also be subject to
ethical requirements of those professional organizations or licensing
bodies. Auditors in government audit organizations may also be subject
to government ethics laws and regulations.
[19] See chapter 6 for an additional general standard applicable to an
attestation engagement.
[20] When applicable, auditors also follow the AICPA code of
professional conduct and the code of professional conduct of the state
board with jurisdiction over the practice of the public accountant and
the audit organization. Auditors have a responsibility to be aware of
and comply with any applicable government ethics laws and regulations
and any other ethics requirements (such as those of the state
boards of accountancy) associated with their activities.
[21] Specialists to whom this section applies include, but are not
limited to, actuaries, appraisers, attorneys, engineers, environmental
consultants, medical professionals, statisticians, and geologists.
[22] This includes those who review the work or the report, and all
others within the audit organization who can directly influence the
outcome of the audit. The period covered includes the period covered by
the audit, and the period in which the audit is being performed and
reported.
[23] Immediate family member is a spouse, spouse equivalent, or
dependent (whether or not related). A close family member is a parent,
sibling, or nondependent child.
[24] Auditors are not precluded from auditing pension plans that they
participate in if (1) the auditor has no control over the investment
strategy, benefits, or other management issues associated with the
pension plan and (2) the auditor belongs to such pension plan as part
of his/her employment with the audit organization, provided that the
plan is normally offered to all employees in equivalent employment
positions.
[25] Legislative bodies may exercise their confirmation powers through
a variety of means so long as they are involved in the approval of the
individual to head the audit organization. This involvement can be
demonstrated by approving the individual after the appointment or by
initially selecting or nominating an individual or individuals for
appointment by the appropriate authority.
[26] Statutory authority to issue a subpoena to obtain the needed
records is one way to meet the requirement for statutory access to
records.
[27] GAO has issued further guidance in the form of questions and
answers to assist in implementation of the standards associated with
nonaudit services. This guidance, Government Auditing Standards:
Answers to Independence Standard Questions, GAO-02-870G (Washington,
DC: June 2002), can be found on GAO‘s Government Auditing Standards Web
page [hyperlink, http://www.gao.gov/govaud/ybk01.htm].
[28] See appendix, paragraphs A3.02 through A3.03 for examples of
nonaudit services that are generally unique to government audit
organizations.
[29] The concepts of significance and materiality includes quantitative
as well as qualitative measures in relation to the subject matter of
the audit.
[30] The requestor of nonaudit services could be the management of the
audited entity or a third party such as a legislative oversight body.
[31] See appendix, paragraphs A3.02 through A3.03 for examples of
nonaudit services that are generally unique to government audit
organizations.
[32] If the audit organization has prepared draft financial statements
and notes and performed the financial statement audit, the auditor
obtains documentation from management in which management acknowledges
the audit organization’s role in preparing the financial statements and
related notes and management’s review, approval, and responsibility for
the financial statements and related notes in the management
representation letter. The management representation letter that is
done as part of the audit may be used for this type of documentation.
[33] The Office of Management and Budget prohibits an auditor who
prepared the entity’s indirect cost proposal from conducting the
required audit when indirect costs recovered by the entity during the
prior year exceeded $1 million under OMB Circular A-133, Audits of
States, Local Governments, and Non-Profit Organizations, Subpart
C.305(b), revised June 27, 2003.
[34] An audit organization’s independence for performing financial
statement audits would not be impaired by representing the audited
entity in IRS matters or in obtaining IRS rulings or other agreements.
However, these nonaudit services would impair auditor independence with
respect to performance audits of tax compliance since the audit
organization would be auditing its own work.
[35] Entity assets are intended to include all of the entity’s property
including bank accounts, investment accounts, inventories, equipment or
other assets owned, leased, or otherwise in the entity’s possession,
and financial records, both paper and electronic.
[36] Personnel who provided the nonaudit service are permitted to
convey to the audit assignment team the documentation and knowledge
gained about the audited entity and its operations.
[37] Auditors who are only involved in performing field work but not
involved in planning, directing, or reporting on the audit or
attestation engagement and who charge less than 20 percent of their time
annually to GAGAS audits and attestation engagements are subject to the
24 hour requirement for government related CPE in each 2-year period
but do not have to comply with the remainder of the 80-hour CPE
requirement.
[38] This guidance, Government Auditing Standards: Guidance on GAGAS
Requirements for Continuing Professional Education, GAO-05-586G
(Washington, D.C.: Apr. 2005), can be found on GAO‘s Government
Auditing Standards Web page [hyperlink,
http://www.gao.gov/govaud/ybk01.htm].
[39] See paragraphs 3.06 through 3.09, and 3.35c for specific quality
control requirements related to personal impairments and performing
nonaudit services, respectively.
[40] The external peer review requirement is effective within 3 years
from the date an audit organization begins field work on its first
assignment in accordance with GAGAS. This 3-year period refers to the
cutoff (“as of“) date for the peer review. Generally, peer reviews are
completed within 6 months of the cut-off date. Extensions of these time
frames beyond 3 months after the peer review completion deadline are
granted by GAO, and in cooperation with the cognizant peer review
program, to meet the external peer review requirements for
extraordinary circumstance.
[41] For audit organizations that perform only a small number of GAGAS
audits in relation to other types of audits, at least one or more GAGAS
audits is selected for review. In these cases, one or more GAGAS
audits may represent more than what would be selected when looking at a
cross-section of the audit organization’s work as a whole.
{42] If the audit organization does not have a website, then it uses
the same mechanism it uses to make other information public.
[43] The transparency requirement in paragraph 3.68 does not include
the letter of comment.
[44] Independent public accountants and audit organizations may be
subject to requirements of other professional organizations or
licensing bodies.
[45] This high-level description includes the major policies regarding
ethical requirements, initiation and continuance of audit work, human
capital management, engagement performance and reporting, and
monitoring, as discussed in paragraph 3.61.
[46] The audit organization can use internal or third-party resources
to conduct the inspection. If a third party is used to conduct the
inspection, that party is not independent to conduct the peer review.
[47] Peer reviewers read the assurance statements for each year since
the previous peer review and compare them with the inspection results
for those years. Peer reviewers evaluate management’s assertion and the
underlying monitoring and inspection processes for the year under
review.
[48] To date, the Comptroller General has not excluded any field work
standards or SASs.
[49] The AICPA standards incorporate the concepts contained in Internal
Control - Integrated Framework, published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). As
discussed in the COSO framework, internal control consists of five
interrelated components, which are (1) control environment, (2) risk
assessment, (3) control activities, (4) information and communication,
and (5) monitoring. The objectives of internal control relate to (1)
financial reporting, (2) operations, and (3) compliance. Safeguarding
of assets is a subset of these objectives. In that respect, management
designs internal control to provide reasonable assurance that
unauthorized acquisition, use, or disposition of assets will be
prevented or timely detected and corrected. In addition to the COSO
document, the publication, Standards for Internal Control in the
Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999),
which incorporates the relevant guidance developed by COSO, provides
definitions and fundamental concepts pertaining to internal control at
the federal level and may be useful to other auditors at any level of
government. The related Internal Control Management and Evaluation
Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the federal
internal control standards, provides a systematic, organized, and
structured approach to assessing the internal control structure.
[50] In accordance with AICPA Statement on Auditing Standards No. 107,
Audit Risk and Materiality in Conducting an Audit, the auditor’s
consideration of materiality is a matter of professional judgment and is
influenced by the auditor’s perception of the needs of users of
financial statements. Materiality is defined as “the magnitude of an
omission or misstatement of accounting information that, in the light of
surrounding circumstances, makes it probable that the judgment of a
reasonable person relying on the information would have been changed or
influenced by the omission or misstatement.“ This definition is
from Financial Accounting Standards Board Statement of Financial
Accounting Concepts No. 2. Qualitative Characteristics of Accounting
Information.
[51] See AICPA Professional Standards, AU 316 (Statement on Auditing
Standards No. 99, Consideration of Fraud in a Financial Statement
Audit).
[52] In accordance with AICPA Statement on Auditing Standard No. 104,
Amendment to Statement on Auditing Standard No. 1, Codification of
Auditing Standards and Procedures (“Due Professional Care in the
Performance of Work“), paragraph 2, “the high, but not absolute, level
of assurance that is intended to be obtained by the auditor is
expressed in the auditor’s report as obtaining reasonable assurance
about whether the financial statements are free of material
misstatement (whether caused by error or fraud).
[53] Two types of misstatements are relevant to the auditors‘
consideration of fraud in an audit of financial statements--
misstatements arising from fraudulent financial reporting and
misstatements arising from misappropriation of assets. The primary
factor that distinguishes fraud from error is whether the
underlying action that results in the misstatement in the financial
statements is intentional or unintentional.
[54] See AICPA Professional Standards, AU 317 (Statement on Auditing
Standards No. 54, Illegal Acts by Clients). Direct and material illegal
acts are violations of laws and regulations having a direct and material
effect on the determination of financial statement amounts.
[55] Whether a particular act is, in fact, illegal may have to await
final determination by a court of law or other adjudicative body. Thus,
auditors may disclose matters that have led them to conclude that an
illegal act is likely to have occurred; they do not make a
determination of illegality.
[56] Those charged with governance are those responsible for overseeing
the strategic direction of the entity and the entity’s fulfillment of
its accountability obligations. In situations in which those charged
with governance are not clearly evident, the auditor documents the
process followed and conclusions reached for identifying the
appropriate individuals to receive the required auditor communications.
(See appendix, paragraph A1.02 for additional information.)
[57] For example, when engaged to perform audits under the Single Audit
Act, as amended, for state and local government entities and nonprofit
entities that receive federal awards, auditors follow Office of
Management and Budget (OMB) Circular No. A-133 on single audits. The
act and circular include specific audit requirements, mainly in the
areas of internal control and compliance with laws and regulations, that
go beyond the requirements in chapters 4 and 5 of GAGAS. Audits
performed pursuant to the Chief Financial Officers Act of 1990, as
expanded by the Government Management Reform Act of 1994 and the
Accountability of Tax Dollars Act of 2002, also have specific audit
requirements prescribed by OMB in the areas of internal control and
compliance. In addition, some state and local governments may have
additional audit requirements that the auditors would need to follow in
planning the audit.
[58] Significant findings and recommendations are those matters that,
if not corrected, could affect the results of the auditors‘ work and
the auditors‘ conclusions and recommendations about those results.
[59] See paragraph 5.13 for definitions of significant deficiency and
material weakness.
[60] An experienced auditor means an individual (whether internal or
external to the audit organization) who possesses the competencies and
skills that would have enabled him or her to perform the audit. These
competencies and skills include an understanding of (a) audit
processes, (b) GAGAS and applicable legal and regulatory requirements,
(c) the environment in which the entity operates, and (d) auditing and
financial reporting issues relevant to the audited entity’s
environment.
[61] The five-year requirement is from AICPA Statement on Auditing
Standards No. 103, Audit Documentation.
[62] The 60-day requirement is from AICPA Statement on Auditing
Standards No. 103, Audit Documentation.
[63] To date, the Comptroller General has not excluded any reporting
standards or SASs.
[64] See AICPA Professional Standards, AU 410 - 431 and 504.
[65] If the auditor is performing an audit in accordance with OMB
Circular No. A-133, Audits of States, Local Governments, and Non-Profit
Organizations, the thresholds for reporting are defined in the
circular. Those reporting thresholds are sufficient to meet the
requirements of GAGAS.
[66] The term “more than remote“ used in the definitions for
significant deficiency and material weakness means “at least reasonably
possible.“ The following definitions apply. (1) Remote—The chance of the
future events or their occurrence is slight. (2) Reasonably
possible—The chance of the future events or their occurrence is more
than remote but less than likely. (3) Probable—The future events are
likely to occur.
[67] “More than inconsequential“ indicates an amount that is less than
material, yet has significance. A misstatement is “inconsequential“ if
a reasonable, objective person would conclude that the misstatement,
either individually or when aggregated with other misstatements, would
clearly be immaterial to the financial statements. If a reasonable,
objective person could not reach such a conclusion, that misstatement
is “more than inconsequential.“
[68] Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published
by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can use to
support their judgments and conclusions about internal control. The
related Internal Control Management and Evaluation Tool (GAO-01-1008G,
Aug. 2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing internal
control.
[69] See paragraph 4.19 for a discussion of abuse.
[70] Whether a particular act is, in fact, illegal may have to await
final determination by a court of law or other adjudicative body. Thus,
when auditors disclose matters that have led them to conclude that an
illegal act is likely to have occurred, they do not make a final
determination of illegality.
[71] Auditors include information about fraud or abuse in the audit
reports required by paragraph 5.08 as applicable to internal control
and compliance with laws, regulations, and provisions of contracts and
grant agreements.
[72] Internal audit organizations do not have a duty to report outside
that entity unless required by law, rule, regulation, or policy. See
paragraph 3.19 for reporting requirements for internal audit
organizations when reporting externally.
[73] See AICPA Professional Standards, AU 508.19.
[74] These types of matters go beyond the auditors’ responsibility in
AU 341 to consider an entity’s ability to continue as a going concern.
[75] See AICPA Professional Standards, AU 561, “Subsequent Discovery of
Facts Existing at the Date of the Auditor’s Report.“
[76] As used in this standard, restatement means the correction of an
error(s) in previously-issued financial statement(s).
[77] For purposes of this standard, imminent means within 90 days of
determining the effect of the misstatement(s) on the previously-issued
financial statements.
[78] See the Single Audit Act, as amended, and Office of Management and
Budget (OMB) Circular No. A-133 on single audits for the distribution
of reports on single audits of state and local governmental entities and
nonprofit organizations that receive federal awards.
[79] See paragraphs 5.45 through 5.47 for additional guidance on
limited report distribution when reports contain privileged or
confidential information.
[80] To date, the Comptroller General has not excluded any field work
standards, reporting standards, or SSAEs.
[81] GAGAS incorporate only one of the AICPA general standards for
attestation engagements.
[82] Those charged with governance are those responsible for overseeing
the strategic direction of the entity and the entity’s fulfillment of
its accountability obligations. In situations in which those charged
with governance are not clearly evident, the auditor documents the
process followed and conclusions reached for identifying the
appropriate individuals to receive the required auditor communications.
(See appendix, paragraph A1.02 for additional information.)
[83] Significant findings and recommendations are those matters that,
if not corrected, could affect the results of the auditors‘ work and
the auditors‘ conclusions and recommendations about those results.
[84] See paragraph 6.50 for definitions of significant deficiency and
material weakness.
[85] Although not applicable to attestation engagements, the AICPA SASs
may provide useful guidance related to internal control for auditors
performing attestation engagements in accordance with GAGAS. In
addition, auditors performing attestation engagements may wish to refer
to the internal control guidance published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). The
Standards for Internal Control in the Federal Government, GAO/AIMD-00-
21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the relevant
guidance developed by COSO, provides definitions and fundamental
concepts pertaining to internal control at the federal level and may be
useful to auditors at any level of government. The related Internal
Control Management and Evaluation Tool, GAO-01-1008G (Washington,
D.C.: Aug. 2001) based on the federal internal control standards,
provides a systematic, organized, and structured approach to assessing
internal control.
[86] Fraud is a type of illegal act involving the obtaining of
something of value through willful misrepresentation. Although not
applicable to attestation engagements, the AICPA SASs may provide
useful guidance related to fraud for auditors performing attestation
engagements in accordance with GAGAS.
[87] An experienced auditor means an individual (whether internal or
external to the audit organization) who possesses the competencies and
skills that would have enabled him or her to perform the attestation
engagement. These competencies and skills include an understanding of
(a) attestation engagement processes, (b) GAGAS and applicable legal
and regulatory requirements, (c) the subject matter that the auditor is
engaged to report on, (d) the suitability and availability of criteria,
and (e) issues related to the audited entity’s environment.
[88] See AT sections 101.63 - 101.83.
[89] For application of this standard in the government environment,
see paragraphs 6.67 through 6.71.
[90] The term “more than remote“ used in the definitions for
significant deficiency and material weakness means “at least reasonably
possible.“ The following definitions apply. (1) Remote—The chance of the
future events or their occurrence is slight. (2) Reasonably
possible—The chance of the future events or their occurrence is more
than remote but less than likely. (3) Probably—The future events are
likely to occur.
[91] “More than inconsequential“ indicates an amount that is less than
material, yet has significance. A misstatement is “inconsequential“ if
a reasonable, objective person would conclude that the misstatement,
either individually or when aggregated with other misstatements, would
clearly be immaterial to the financial statements. If a reasonable,
objective person could not reach such a conclusion, that misstatement
is “more than inconsequential.“
[92] Common sources for criteria including laws, regulations, policies,
procedures, best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published
by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can
use to support their judgments and conclusions about internal control.
The related Internal Control Management and Evaluation Tool (GAO-01-
1008G, Aug. 2001), based on the federal internal control standards,
provides a systematic, organized, and structured approach to assessing
internal control.
[93] Internal audit organizations do not have a duty to report outside
that entity unless required by law, rule, regulation, or policy. See
paragraph 3.19 for reporting requirements for internal audit
organizations when reporting externally.
[94] See paragraphs 6.64 through 6.66 for additional guidance on
limited report distribution when reports contain privileged or
confidential information.
[95] In the performance audit standards, the term “significant“ is
synonymous with “material.“ “Material“ is used in the AICPA standards
for financial audits. The term “significant“ is used in performance
audits where the term “material“ is generally not used.
[96] See discussion of the elements of a finding in paragraphs 7.36
through 7.37 and paragraphs 7.70 through 7.73.
[97] The term “program“ is used in this document to include government
entities, organizations, programs, activities, and functions.
[98] Refer to the internal control guidance contained in Internal
Control--Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). As discussed in the
COSO framework, internal control consists of five interrelated
components, which are (1) control environment, (2) risk assessment, (3)
control activities, (4) information and communication, and (5)
monitoring. The objectives of internal control relate to (1) financial
reporting, (2) operations, and (3) compliance. Safeguarding of assets
is a subset of these objectives. In that respect, management designs
internal control to provide reasonable assurance that unauthorized
acquisition, use, or disposition of assets will be prevented or timely
detected and corrected. In addition to the COSO document, the
publication, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates
the relevant guidance developed by COSO, provides definitions and
fundamental concepts pertaining to internal control at the federal
level and may be useful to other auditors at any level of government.
The related Internal Control Management and Evaluation Tool, GAO-01-
1008G (Washington, D.C.: Aug. 2001), based on the federal internal
control standards, provides a systematic, organized, and structured
approach to assessing the internal control structure.
[99] Violations of laws or regulations are illegal acts.
[100] The term “internal control“ in this document is synonymous with
the term management control and, unless otherwise stated, covers all
aspects of an entity‘s operations (programmatic, financial, and
compliance).
[101] Many government entities have these activities identified by
other names, such as inspection, appraisal, investigation, organization
and methods, or management analysis. These activities assist management
by reviewing selected functions.
[102] Information systems controls consist of those internal controls
that are dependent on information systems processing.
[103] Fraud is a type of illegal act involving the obtaining something
of value through willful misrepresentation. Whether an act is, in fact,
fraud is a determination to be made through the judicial or other
adjudicative system and is beyond auditors‘ professional expertise and
responsibility.
[104] For example, in a performance audit of management‘s efficient use
of funds for office building maintenance, auditors might find abuse if
renovation of senior management‘s offices far exceed usual office space
specifications. While auditors might not view the renovation costs as
quantitatively significant to the audit results, these expenses could
be considered qualitatively significant to this audit objective.
[105] Qualitative assessments can include expert judgment and
reasonableness judgments about program performance, for example,
whether program objectives reflect the needs of targeted beneficiaries
and whether program performance adequately meets objectives.
[106] See paragraph 3.51 for a discussion of using specialists in a
GAGAS audit.
[107] Those charged with governance are those responsible for
overseeing the strategic direction of the entity and the entity’s
fulfillment of its accountability obligations. In situations in which
those charged with governance are not clearly evident, the auditor
documents the process followed and conclusions reached for identifying
those charged with governance. (See appendix paragraphs A1.02 through
A1.05.)
[108] See appendix paragraph A7.03 for additional guidance regarding
assessing the appropriateness of information in relation to the audit
objectives.
[109] See appendix paragraph A7.02 for additional guidance regarding
the types of evidence.
[110] An experienced auditor means an individual (whether internal or
external to the audit organization) who possesses the competencies and
skills that would have enabled him or her to perform the performance
audit. These competencies and skills include an understanding of (a)
the performance audit processes, (b) GAGAS and applicable legal and
regulatory requirements, and (c) the subject matter associated with
achieving the audit objectives.
[111] Auditors may meet this requirement by listing file numbers, case
numbers, or other means of identifying specific documents they
examined. They are not required to include copies of documents they
examined as part of the audit documentation, nor are they required to
list detailed information from those documents.
[112] Appropriate background information may include information on how
programs and operations work; the significance of programs and
operations (e.g., dollars, impact, purposes, and past audit work if
relevant); a description of the audited entity‘s responsibilities; and
explanation of terms, organizational structure, and the statutory basis
for the program and operations.
[113] Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published
by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can use to
support their judgments and conclusions about internal control. The
related Internal Control Management and Evaluation Tool, GAO-01-1008G
(Washington, D.C.: Aug. 2001), based on the federal internal control
standards, provides a systematic, organized, and structured approach to
assessing internal control.
[114[ As discussed in paragraph 7.23, in performance audits a
deficiency in internal control exists when the design or operation of a
control does not allow management or employees, in the normal course of
performing their assigned functions, to prevent or detect (1)
misstatements in financial or performance information, (2) violations
of laws and regulations, or (3) impairments of effectiveness or
efficiency of operations, on a timely basis.
[115] Whether a particular act is, in fact, illegal may have to await
final determination by a court of law. Thus, when auditors disclose
matters that have led them to conclude that an illegal act is likely to
have occurred, they should take care not to unintentionally imply that
a final determination of illegality has been made.
[116] See paragraphs 8.26 through 8.28 for additional reporting
considerations.
[117] Internal audit organizations do not have a duty to report outside
the entity unless required by law, rule, regulation, or policy. See
paragraph 3.19 for reporting requirements for internal audit
organizations when reporting externally.
[118] Some audits may address audit objectives which cover cross-
cutting issues that transcend specific government agencies. In these
situations, auditors use professional judgment to identify appropriate
officials for the issues addressed by the audit objectives and include
the views of those officials in the audit report.
[119] See paragraphs 8.41 through 8.43 for additional guidance on
limited report distribution.
[120] This responsibility applies to all resources, both financial and
physical, as well as informational resources, whether entrusted to
public officials or others by their own constituencies or by other
levels of government.
[121] Under the Single Audit Act, as amended, federal awards include
federal financial assistance (grants, loans, loan guarantees, property,
cooperative agreements, interest subsidies, insurance, food commodities,
direct appropriations, or other assistance) and cost-reimbursement
contracts.
[122] See paragraphs 7.56 and 7.63 for definitions of appropriate and
sufficient.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: