Government Auditing Standards: 2002 Revision (Exposure Draft)	 
(01-JAN-02, GAO-02-340G).					 
								 
GAO released a guide on revised government auditing standards for
auditors and audit organizations when required by law,		 
regulation, agreement, contract, or policy. The standards pertain
to auditors' professional qualifications, the quality of audit	 
effort, and the characteristics of professional and meaningful	 
audit reports.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-02-340G					        
    ACCNO:   A02780						        
  TITLE:     Government Auditing Standards: 2002 Revision (Exposure   
Draft)								 
     DATE:   01/01/2002 
  SUBJECT:   Auditing standards 				 
	     Auditing procedures				 
	     Cost accounting standards compliance		 
	     Federal advisory bodies				 
	     Federal agencies					 
	     Internal audits					 
	     Internal auditors					 
	     Internal controls					 
	     Standards evaluation				 
	     Yellow Book					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-02-340G
     
                  United States General Accounting Office

                    GAO By the Comptroller General of the
                                United States

January 2002

Government Auditing Standards

2002 Revision

Exposure Draft

                                      a

GAO-02-340G

United States General Accounting Office Washington, DC 20548

January 2002

TO AUDIT OFFICIALS AND OTHERS INTERESTED IN GOVERNMENT AUDITING STANDARDS

GAO invites your comments on the accompanying proposed changes to Government
Auditing Standards (GAGAS), commonly known as the "yellow book." These
changes propose revision throughout the entire set of standards except for
the second general standard, independence, which is being revised
separately. The proposed revisions fall into three categories: GAGAS
framework, consistent application of the standards where applicable to the
various types of audits, and strengthening or streamlining the standards.
This letter describes the process followed in revising the standards,
summarizes proposed major changes, outlines the format of this exposure
draft, and requests comments from interested parties on these proposed
revisions.

To help ensure that the standards continue to meet the needs of the audit
community and the public it serves, the Comptroller General of the United
States appointed the Advisory Council on Government Auditing Standards to
review the standards and recommend necessary changes. The Advisory Council
includes experts in financial and performance auditing drawn from all levels
of government, private enterprise, public accounting, and academia. Public
comment is requested on all draft revisions to the standards. This exposure
draft reflects the Advisory Council's advice to the Comptroller General.

To assist you in developing your comments, this letter discusses the
proposed GAGAS framework and encloses a listing of the proposed changes to
GAGAS made for consistent application of the standards or for strengthening
or streamlining the standards.

The types of audits and services and applicable standards are organized by
separate chapters for financial audits, attestation engagements, and
performance audits in order to make the standards user friendly. For
example, the financial audit and attestation chapters are directed at
auditors with a financial audit background and the required knowledge of the
American Institute of Certified Public Accountants' (AICPA) Generally
Accepted Auditing Standards (GAAS) and Attestation Standards. The
performance audit chapters are written to avoid use of terminology drawn
from financial audits.

The financial audit presentation proposes retaining the current format of
separate chapters for field and reporting standards. The term financial
audit is defined to include financial statement audits

          GAO-02-340G Government Auditing Standards Exposure Draft

and other services covered by GAAS and the AICPA's Statements on Auditing
Standards (SASs), which interpret the standards. These other services are
defined in the SASs and include areas such as special reports, reviews of
interim financial information, letters to underwriters and certain other
requesting parties, compliance auditing, and audits of service
organizations.

Attestation engagements are defined as those services performed under the
AICPA's Attestation Standards and the related Statement on Standards for
Attestation Engagements (SSAEs), which interpret the standards. As the
proposed additional GAGAS standards are fewer than for financial audits, the
field and reporting standards are presented in a single chapter.

GAGAS proposes recognizing the overlap between attestation engagement
objectives and performance audit objectives and allowing the services that
overlap to be performed under either set of standards. Therefore, GAGAS
simply proposes to recognize the reality of current practice. Namely,
performance auditors provide these services using performance audit
standards, and financial auditors are likely to provide these services using
the attestation standards. We are not aware of any problems that have arisen
as a result of this practice.

The presentation of the financial audit chapters proposes eliminating the
term "financial related audits" by specifically recognizing the services in
addition to financial statement audits that are covered by the AICPA's
Statements on Auditing Standards in chapters 4 and 5 or by the Statement on
Standards for Attestation Engagements in chapter 6. The term "financial
related audits" was the source of considerable confusion to the users of
GAGAS. By specifically recognizing the services covered by the AICPA's SASs
and SSAEs, we have proposed clarifying what in fact was intended by this
term, but not always understood by the users of GAGAS.

The proposed changes related to performance audits retain the current
presentation of separate chapters for field and reporting standards. The
Advisory Council has recognized that GAGAS applicable to the performance
audit objectives of effectiveness, economy and efficiency, internal control,
and compliance are also applicable to prospective analyses, guidance, or
summary information. Therefore, we have proposed including that latter
objective in the definition of performance audits, as discussed in chapter
2, and in the presentation of field work and reporting standards, in
chapters 7 and 8, applicable to the various objectives of performance
audits. We believe this is a more logical and user friendly presentation
than having a separate chapter discussing the field work and reporting
standards for these objectives that would only tell the auditor to follow
the same standards applicable to other types of performance audit
objectives.

Chapter 2 of this exposure draft discusses nonaudit services provided by
audit organizations that are not covered by GAGAS. These services generally
differ from financial audits, attestation engagements, and performance
audits in that auditors may (1) provide information or data to a requesting
party without providing verification, analysis, or evaluation of the
information or data, and therefore the work does not usually provide a basis
for conclusions, recommendations, or opinions on the information or data, or
(2) perform tasks requested by management that directly support the entity's
operations, such as asset evaluation, actuarial services, or information
system design services. Audit organizations are encouraged to establish
policies for maintaining the

2 GAO-02-340G Government Auditing Standards Exposure Draft

quality of this type of work. This exposure draft does not discuss the
impact of the provision of nonaudit services on auditor independence. That
issue was addressed in the May 2001 exposure draft and comments are
currently being considered.

As previously stated, we are enclosing a numbered listing of the more
significant proposed changes made to the chapters for consistent application
of GAGAS and the proposed changes made to strengthen or streamline GAGAS.
The enclosure includes a reference to the applicable proposed revised
paragraph(s) of GAGAS. The enclosure does not include the proposed
reorganization of the order of presentation to provide a more logical
grouping of the standards by function, such as planning, audit
documentation, report content, and the audit process. This proposed type of
change was primarily made to the presentation of the performance audit
chapters.

Given the extensiveness of the proposed revisions, we plan to issue a new
version of GAGAS that will incorporate existing amendments. We expect this
revision of the standards to supersede the 1994 revision, including
amendments 1 and 2. Thereafter, we intend to continue our policy of issuing
amendments addressing specific issues as needed. We anticipate this revision
of the standards, when finalized, will become effective for financial audits
of periods ending on or after January 1, 2003, and for attestation
engagements and performance audits beginning on or after January 1, 2003.

This draft is being sent to financial management and audit officials at all
levels of government, the public accounting profession, academia,
professional organizations, and public interest groups. We encourage you to
send your comments, whether you wish to comment on the entire document or
only a portion of it. It would be helpful to key your comments to the
specific paragraph numbers, give your rationale for any proposed changes,
and suggest revised language.

Additional copies of this exposure draft can be obtained from the U.S.
General Accounting Office, Room 1100, 700 4th Street, NW, Washington, DC
20548 or by calling (202) 512-6000.

A marked version of the exposure draft is available on the Internet on GAO's
Home Page (www.gao.gov/govaud/ybk01.htm). In the marked version, italicizing
and bolding are used to identify potential added language and striking-out
is used to identify potential deleted language from the 1994 revision of
Government Auditing Standards, as currently amended.

Since GAO is still experiencing delays in mail delivery, it would be
preferable if you sent your comments via e-mail to [email protected]. To
ensure that your comments are considered by the Advisory Council in their
deliberations, please submit them by April 30, 2002. If you need to use the
mail, it would be helpful if you sent your comments both in writing and on
diskette (in Word or ASCII format). Please send any mail to the following
address:

                   Government Auditing Standards Comments
                       U.S. General Accounting Office
                              Room 5X16 (FMA)
                              441 G Street, NW
                            Washington, DC 20548

3 GAO-02-340G Government Auditing Standards Exposure Draft

If you need additional information, please call Marcia Buchanan, Assistant
Director, Financial
Management and Assurance at (202) 512-9321 or Cheryl Clark, Assistant
Director, Financial
Management and Assurance at (202) 512-9377.

Sincerely yours,

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance

Enclosures

4 GAO-02-340G Government Auditing Standards Exposure Draft

Enclosure Enclosure

Proposed changes made for consistent application of GAGAS where applicable:

1. For attestation engagements: require the additional GAGAS field work
standards for auditor communication for all levels of work (par. 6.5-6.6);
follow-up (par. 6.8-6.10); audit documentation (par. 6.11-6.17); internal
control for examination level work (par. 6.18-6.19); and fraud, illegal
acts, and other noncompliance for examination level work (par. 6.20-6.22)

2. For attestation engagements: require additional GAGAS reporting standards
for reporting compliance with GAGAS (par. 6.25-6.27); reporting on internal
control and on fraud, illegal acts, and other noncompliance when the work
identifies deficiencies for all levels of attestation engagements (par.
6.28-6.31); views of responsible officials (par. 6.32-6.36); privileged and
confidential information (par. 6.37-6.38); and report issuance and
distribution (par. 6.39-6.43)

3. For performance audits: add a requirement that when using the work of a
specialist, performance auditors be able to articulate the specialist's
objectives, evaluate procedures used, and evaluate the results of the
procedures or use another specialist for these purposes (par. 7.30-7.31)

4. For performance audits: add requirements consistent with Amendment No. 1,
requiring documentation of decisions related to internal control over data
significantly dependent on computerized information systems (par. 7.57), and
Amendment No. 2, Auditor Communication (par. 7.32-7.33)

Proposed changes in requirements to strengthen/streamline GAGAS 
5. Require, as part of the due care standard, that auditors exercise
professional skepticism and perform their work with integrity (par. 3.6-3.7)

6. Require that audit organizations have an human capital management system
(par. 3.10)

7. Require that auditors collectively possess the technical knowledge,
skills, and experience necessary to be competent for the type of work being
performed before beginning work on the assignment (par. 3.12)

8. Specifically state that auditors should have knowledge of GAGAS
applicable to the work they are assigned (par. 3.12 a.) and knowledge of the
specific environment in which the audited entity operates and the subject
matter under review (par. 3.12b.)

9. Require that auditors be proficient in the AICPA Statements on Standards
for Attestation Engagements when performing attestation engagements (par.
3.13 a) and that public auditors be licensed CPAs or work for a licensed CPA
firm if engaged to perform an attestation engagement (par. 3.13b.)

         5 GAO-02-340G Government Auditing Standards Exposure Draft

10. Require that CPE directly contribute to the auditor's professional
proficiency to perform work under GAGAS (par. 3.14)

11. Require external consultants/internal specialists that are responsible
for following GAGAS in planning and directing an assignment, performing
substantial portions of field work, or reporting on the assignment meet CPE
requirements (par. 3.18)

12. Require that the internal quality control system include procedures for
monitoring, on an ongoing basis, whether the policies and procedures related
to the standards are suitably designed and are being effectively applied
(par. 3.20)

13. Require that an audit organization prepare documentation to demonstrate
compliance with its policies and procedures for its system of quality
control (par. 3.21)

14. Specifically state that extensions of quality assurance review
timeframes granted by other professional bodies are not recognized under
GAGAS (par. 3.22, f/n. 7)

15. Require that organizations conducting external peer reviews to have
received an unqualified opinion on the review of their organization's system
of quality controls (par. 3.23b.)

16. Require that peer reviewers have knowledge and training on how to
perform a peer review (par. 3.23c.)

17. Expand what is included in the peer review report (par. 3.23g.)

18. Require auditors to transmit their peer review reports to appropriate
oversight bodies and provide a copy of their peer review report to auditors
using their work (par. 3.25)

19. Specifically incorporate the AICPA's general standard on criteria for
attestation engagements (par. 6.1)

20. Require that audit organizations establish policies and procedures for
custody and retention of audit documentation (par. 4.24, 6.15, 7.67)

21. Require documentation when applicable standards are not followed (par.
4.22b, 6.16b, 7.68b)

22. Permit auditor judgment to exclude reporting certain information (par.
5.34, 6.38, 8.34) and to act with integrity in making this judgment (par.
8.35)

23. Revise the requirement for a written report to requiring a report that
the auditor can make a judgment as the appropriate form (par. 8.3)

24. Require reporting whether the results from a sample can be projected to
the intended population (par. 8.11)

         6 GAO-02-340G Government Auditing Standards Exposure Draft

25. Permit oral agency comments to be equally acceptable as written comments
(par. 5.29, 6.34, 8.30)

26.  Delete the  specific  statement that  external quality  control reviews
conducted through or by other professional bodies meet GAGAS requirements

27. Delete the standard  that requiring auditors to refer significant issues
needing further study

28. Delete the requirement for auditors to report noteworthy accomplishments

         7 GAO-02-340G Government Auditing Standards Exposure Draft

                        C o n t e n t s Page 
LETTER

ENCLOSURE

Proposed Changes Made for Consistent Application of GAGAS
Where Applicable
Proposed Changes in Requirements to Strengthen/Streamline
GAGAS

CHAPTER

1 INTRODUCTION
Purpose
Applicability

Relationship between GAGAS and Other Professional

Standards
Accountability
Roles and Responsibilities

Management's Role
Auditor's Responsibilities
Audit Organization's Responsibilities

                2 TYPES OF GOVERNMENT AUDITS AND ATTESTATION

ENGAGEMENTS
Introduction
Financial Audits
Attestation Engagements
Performance Audits
Nonaudit Services of Audit Organizations

3 GENERAL STANDARDS
Introduction
Independence
Professional Judgment
Competence

Technical Knowledge and Competence
Continuing Professional Education
Quality Control and Assurance

4 FIELD WORK STANDARDS FOR FINANCIAL AUDITS
Introduction
Field Work Standards
Additional GAGAS Field Work Standards
Auditor Communication
Considering the Results of Previous Audits
Noncompliance With Provisions of Contracts and Grant

Agreements

                                     1

                                     5

                                     5

                                     5

12 12 13

15 15 17 17 19 21

22 22 23 24 25 29

31 31 31 32 33 34 36 37

41 41 42 42 43 46

47

         8 GAO-02-340G Government Auditing Standards Exposure Draft

Audit Documentation
Additional Considerations for Financial Audits Performed

In Accordance With GAGAS
Audit Risk and Materiality
Internal Control Over Safeguarding of Assets
Internal Control Over Compliance
Professional Judgment Concerning Possible Fraud

And Illegal Acts

5 REPORTING STANDARDS FOR FINANCIAL AUDITS
Introduction
Reporting Compliance With Generally Accepted

Government Auditing Standards
Reporting on Compliance With Laws and Regulations and
On Internal Control Over Financial Reporting

Scope of Compliance and Internal Control Work
Reporting Deficiencies in Internal Control
Reporting Fraud, Illegal Acts, and Other Noncompliance

Direct Reporting of Fraud and Illegal Acts
Views of Responsible Officials
Privileged and Confidential Information
Report Issuance and Distribution

6 GENERAL, FIELD WORK, AND REPORTING STANDARDS

FOR ATTESTATION ENGAGEMENTS
Introduction
AICPA General and Field Work Standards for Attestation

Engagements
Additional Field Work Standards for Attestation

Engagements
Auditor Communication
Considering the Results of Previous Audits and

Attestation Engagements
Audit Documentation
Internal Control
Fraud, Illegal Acts, and Other Noncompliance

AICPA Reporting Standards For Attestation Engagements
Additional Reporting Standards for Attestation Engagements
Reporting Compliance With Generally Accepted
Government Auditing Standards
Reporting on Internal Control and on Fraud, Illegal

Acts, and Other Noncompliance
Views of Responsible Officials
Privileged and Confidential Information
Report Issuance and Distribution

7 FIELD WORK STANDARDS FOR PERFORMANCE AUDITS
Introduction
Planning

Program Significance
Understanding the Program

48

51 51 52 54

56

57 57

58

60 61 61 63 65 67 68 69

71 71

72

72 73

74 75 78 79 80 81

81

82 83 85 85

87 87 87 89 90

         9 GAO-02-340G Government Auditing Standards Exposure Draft

Internal Control
Considering Legal, Regulatory, and Other Compliance

Requirements
Criteria
Considering the Results of Previous Audits
Identifying Sources of Audit Evidence
Considering Work of Other Auditors
Staff and Other Resources
Communicating With Management and Others
Documenting Planning Decisions

Supervision

Evidence
Audit Findings
Tests of Evidence
Evidence Indicative of Fraud, Illegal Acts, or Other

Noncompliance
Audit Documentation

8 REPORTING STANDARDS FOR PERFORMANCE AUDITS
Introduction
Form
Report Contents

Objectives, Scope and Methodology
Objectives
Scope and Methodology

Audit Results
Findings
Direct Reporting of Fraud and Illegal Acts

Conclusions
Recommendations
Statement on Compliance With Generally Accepted

Government Auditing Standards
Views of Responsible Officials
Privileged and Confidential Information

Report Quality
Timely
Fact-Based
Accurate
Objective
Convincing
Clear
Concise

Report Issuance and Distribution

92

                                 95 97 98 99 99 100 101 102 103 104 105 106

110 112

115 115 115 116 117 117 117 118 119 122 123 123

124 124 125 126 126 127 127 128 129 129 130 130

        10 GAO-02-340G Government Auditing Standards Exposure Draft

                                ABBREVIATIONS

AICPA American Institute of Certified Public Accountants
CPA certified public accountant
FASAB Federal Accounting Standards Advisory Board
FASB Financial Accounting Standards Board
GAAS AICPA's generally accepted auditing standards
GAGAS generally accepted government auditing standards
GASB Governmental Accounting Standards Board
GAO General Accounting Office
OMB Office of Management and Budget
SASs AICPA's statements on auditing standards
SSAEs AICPA's statement on standards for attestation engagements

        11 GAO-02-340G Government Auditing Standards Exposure Draft

                         CHAPTER 1EURINTRODUCTIONEUR

PURPOSE 
1.1 The standards and guidance contained in this document, often referred to
as generally accepted government auditing standards (GAGAS), are intended
for use by government auditors1 to ensure that they maintain integrity,
objectivity, and independence in planning, conducting, and reporting their
work, and are to be followed by auditors and

2

audit organizations when required by law, regulation, contract, agreement,
or policy. The work performed in accordance with GAGAS is referred to as
audits and attestation engagements. This work, which is described in this
chapter and more fully in chapter 2, includes financial audits, attestation
engagements, and performance audits. Users of government audits and
attestation engagements that are performed in accordance with GAGAS should
have confidence that the work is objective and credible.

1.2 The standards and guidance in this document are for audits and
attestation engagements of government entities, programs,3 activities, and
services, and of government assistance administered by contractors,
nonprofit entities, and other nongovernment entities. Adherence to GAGAS can
help ensure that audits and attestation engagements provide credibility to
the information reported by or obtained from management through objectively
acquiring and evaluating evidence. When auditors

1This document addresses the standards that should be used by the
individuals conducting the broad array of work that is described more fully
in chapter 2. Accordingly, the focus of this document is not on the wide
variety of titles that are used by individuals conducting and reporting on
this work, but instead the nature of the work that is being performed. The
term "auditor" throughout this document includes individuals who may be
titled auditor, analyst, evaluator, or a similar position description.

2 Requirements in GAGAS are identified by statements that include the word
"should." Auditors are expected to comply with these requirements if they
apply to the type of work being performed. Auditors are strongly encouraged
to comply with the guidance provided by GAGAS.

3Henceforth, the term "program" will be used in this document to include
government entities, services, and activities.

        12 GAO-02-340G Government Auditing Standards Exposure Draft

perform their work in this manner and comply with GAGAS in reporting the
results, their work can lead to improved government management,
decision-making, and oversight, and can assist in fulfilling the
government's duty to be accountable to the public. GAGAS pertain to
auditors' professional qualifications and the quality of their work, the
performance of field work, and the characteristics of meaningful audit
reporting.

1.3 This chapter describes the applications of GAGAS by auditors and audit
organizations. This chapter also describes the concept of accountability for
public resources and discusses the responsibilities of managers of
government programs, auditors, and audit organizations in the audit process.

APPLICABILITY 
1.4 GAGAS are intended to be followed in performing audits and attestation
engagements. A number of statutes and other mandates require that auditors
follow GAGAS. Where a statute or other mandate does not exist, auditors will
find it useful to use GAGAS in work regarding the use of government funds.
If auditors hold themselves out as following GAGAS, regardless of whether
they are required to follow such standards, they need to justify any
departures from them.

1.5 The following laws, regulations, or guidelines require use of GAGAS:

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000)
requires that the statutorily-appointed federal inspectors general comply
with GAGAS for audits of federal entities, programs, activities, and
functions. The act further states that the inspectors general should take
appropriate steps to ensure that any work performed by nonfederal auditors
complies with GAGAS.

        13 GAO-02-340G Government Auditing Standards Exposure Draft

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as
expanded by the Government Management Reform Act of 1994 (Public Law
103-356), requires that GAGAS be followed in audits of federal departments'
and agencies' financial statements.

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that
GAGAS be followed in audits of state and local governments and nonprofit
entities that receive federal financial assistance. OMB Circular A-133,
"Audits of States, Local Governments, and Non-profit Organizations," which
provides the governmentwide guidelines and policies on performing audits to
comply with the Single Audit Act, also requires the use of GAGAS.

1.6 Auditors need to be alert to other laws, regulations, or other
authoritative sources that could require the use of GAGAS. For example,
state and local laws and regulations may require auditors at the state and
local levels of government to follow these standards. Also, the terms of an
agreement or contract may require auditors to comply with GAGAS. Federal
audit guidelines pertaining to program requirements, such as those issued
for Housing and Urban Development and Student Financial Aid programs, may
require that GAGAS be followed.

1.7 Even if not required to do so, auditors would find it useful to follow
GAGAS in performing audits of federal, state, and local government programs
as well as in performing audits of government assistance administered by
contractors, nonprofit entities, and other nongovernment entities. Many
audit organizations not formally required to do so, both in the United
States and in other countries, voluntarily follow GAGAS.

1.8 Auditors may provide professional services, other than audits and
attestation engagements, that consist solely of gathering, providing, and
explaining information requested by decision-makers or by providing advice
or assistance to management officials. GAGAS are not applicable to these
other professional services, which are described more fully in chapter 2.
However, providing other professional services may

        14 GAO-02-340G Government Auditing Standards Exposure Draft

affect an audit organization's independence to conduct audits, which is
discussed in chapter 3.

Relationship between GAGAS and Other Professional Standards 
1.9 GAGAS may be used in conjunction with professional standards issued by
other authoritative bodies. For example, the American Institute of Certified
Public Accountants (AICPA) has issued professional standards that apply in
financial audits and attestation engagements. GAGAS incorporate the AICPA's
field work and reporting standards and the related statements on the
standards for financial audits unless specifically excluded, as discussed in
chapters 4 and 5. GAGAS incorporates the AICPA's general standard on
criteria, and the field work and reporting standards and the related
statements on the standards for attestation engagements, unless specifically
excluded, as discussed in chapter 6. To meet the needs of users of
government audits and attestation engagements, GAGAS also prescribe
additional requirements to those provided by the AICPA for these types of
work.

1.10 Other professional standards which may be used by auditors are issued
by such bodies as the Institute of Internal Auditors (Codification of the
Standards for the Institute of Internal Auditors, Inc.), and the American Evaluation
Association, which has developed guiding principles for evaluators (Guiding
Principles for Evaluators, a report from the American Evaluation Association
Task Force on Guiding Principles for Evaluators). These other professional
standards are not incorporated into GAGAS, but can be used in conjunction
with GAGAS.

ACCOUNTABILITY 
1.11 The concept of accountability for public resources is inherent in our
nation's governing processes. Legislators and other government officials,
and the public want to

        15 GAO-02-340G Government Auditing Standards Exposure Draft

know whether (1) government resources are managed properly and used in
compliance with laws and regulations, (2) government programs are achieving
their objectives and desired outcomes, and (3) government programs are being
provided efficiently, economically, and effectively. Managers of these
programs are often asked to render an account of their activities and
related results to legislative bodies and the public.

1.12 Financial audits contribute to making governments more accountable for
the use of public resources. The auditor, in providing an independent report
on whether an entity's financial information is presented fairly in
accordance with recognized criteria, informs users whether they can rely on
the information. Financial audits performed in accordance with GAGAS also
provide information about internal control and compliance with laws and
regulations as they relate to financial transactions, systems, and
processes.

1.13 Attestation engagements also contribute to governments' accountability
for the use of public resources and the delivery of services. In an
attestation engagement, auditors issue an examination, a review, or an
agreed-upon procedures report on the subject matter or on an assertion about
the subject matter, based on or in conformity with criteria, that is the
responsibility of another party. Attestation engagements can cover a broad
range of financial or nonfinancial objectives and provide various levels of
assurance about the subject matter or assertion dependent upon the user's
needs.

1.14 Performance audits also contribute to governments' accountability for
the use of public resources and for the delivery of services. The term
performance audit is used to include a variety of objectives to meet users'
needs. Performance audits provide an independent assessment of the
performance and management of government programs against objective criteria
or an assessment of best practices and other information. Performance audits
provide information to improve program operations and facilitate
decision-making by parties with responsibility to oversee or initiate
corrective action, and improve public accountability. The term performance
audit is used generically to include work classified by some audit
organizations as program evaluations, program

        16 GAO-02-340G Government Auditing Standards Exposure Draft

effectiveness and results audits, economy and efficiency audits, operational
audits, and value-for-money audits.

1.15 Given the importance and complexity of government programs in providing
a variety of public services, auditors are increasingly being called on by
legislative bodies and government agencies to expand the variety of
performance audits to include work that has a prospective focus or provides
guidance, best practice information, or information on issues that affect
multiple programs or entities already studied or under study by an audit
organization. This work may also include an assessment of policy
alternatives, identification of risks and risk mitigation efforts, and a
variety of analytical services to aid government officials in performing
their responsibilities and stewardship of government resources. Such work,
like other performance audits, involves a level of analysis, research, or
evaluation; may provide conclusions and recommendations; and results in a
report.

ROLES AND RESPONSIBILITIES 
1.16 Management and auditors of government programs fulfill essential roles
and responsibilities in ensuring that public resources are used efficiently,
economically, effectively, and legally. Audit organizations also have the
important responsibility for ensuring that auditors can meet their
responsibilities. These unique roles involve sound management practices and
professional audits and attestation engagements.

Management's Role 
1.17 Management entrusted with handling public resources (for example,
managers of a state or local governmental entity or a nonprofit entity that
receives federal assistance) is responsible for applying those resources
efficiently, economically, effectively, and legally to achieve the purposes
for which the resources were furnished or the program was established. This
responsibility applies to all resources, both financial and physical,

        17 GAO-02-340G Government Auditing Standards Exposure Draft

whether entrusted to public officials or others by their own constituencies
or by other levels of government.

1.18 Management entrusted with public resources is responsible for complying
with applicable laws and regulations. That responsibility encompasses
identifying the requirements with which the entity and the official must
comply and implementing systems designed to achieve that compliance.

1.19 Management entrusted with public resources is responsible for
establishing and maintaining effective internal control to ensure that
appropriate goals and objectives are met; resources are received, used
efficiently and effectively, and safeguarded; laws and regulations are
followed; and reliable data are obtained, maintained, and fairly disclosed.
Management is responsible for providing appropriate reports to those who
oversee their actions and to the public in order to be accountable for the
resources used to carry out government programs and the results of these
programs.

1.20 Management is responsible for addressing the findings and
recommendations of auditors, and for establishing and maintaining a process
to track the status of such findings and recommendations.

1.21 Management is responsible for following sound procurement practices
when contracting for audits and attestation engagements, including
procedures for monitoring contract performance, need to be in place. The
objectives and scope of the assignment need to be made clear. In addition to
price, other factors that may be considered in evaluating bid proposals
include the responsiveness of the bidder to the request for proposal; the
experience of the bidder; the availability of the bidder's staff who have
the appropriate professional qualifications and technical abilities; and the
results of the bidder's peer reviews.

        18 GAO-02-340G Government Auditing Standards Exposure Draft

Auditors' Responsibilities 
1.22 Auditors in discharging their professional responsibilities need to
observe the principles of serving the public interest and maintaining the
highest sense of integrity, objectivity, and independence. These principles
are fundamental to the responsibilities of auditors and the auditing
profession.

1.23 Auditors are responsible to accept the obligation to act in a way that
will serve the public interest, honor the public trust, and uphold their
professionalism. A distinguishing mark of a profession is acceptance of its
responsibility to the public. This responsibility is critical when auditing
in the government environment. Because the concept of accountability
underlies GAGAS, this need to serve the public interest is essential for all
work done in accordance with GAGAS.

1.24 Auditors need to make decisions that are consistent with the public
interest in the program or activity under audit. The public interest is
defined as the collective well-being of the community of people and entities
the auditor serves. In discharging their professional responsibilities,
auditors may encounter conflicting pressures from management of the audited
entity, various levels of government, employers, and others who rely on the
objectivity and independence of the auditors. In resolving those conflicts,
auditors are responsible to act with integrity, guided by the precept that
when auditors fulfill their responsibilities to the public, these
individuals' and organizations' interests are best served.

1.25 To maintain and broaden public confidence, auditors need to perform all
professional responsibilities with the highest sense of integrity. Auditors
are responsible to be honest and candid with the audited entity and users of
the auditors' work in the conduct of their work, within the constraints of
the audited entity's confidentiality. Service and the public trust should
not be subordinated to personal gain and advantage. Integrity can
accommodate the inadvertent error and the honest difference of opinion; it
cannot accommodate deceit or subordination of principle. Integrity requires
auditors to

        19 GAO-02-340G Government Auditing Standards Exposure Draft

observe both the form and the spirit of technical and ethical standards;
circumvention of those standards constitutes subordination of judgment.
Integrity also requires auditors to observe the principles of objectivity
and independence.

1.26 Auditors are responsible to maintain objectivity and be free of
conflicts of interest in discharging their professional responsibilities.
Auditors are also responsible to be independent in fact and appearance when
providing audit and attestation services. Objectivity is a state of mind
that requires auditors to be impartial, intellectually honest, and free of
conflicts of interest. Independence precludes relationships that may in fact
or appearance impair an auditor's objectivity in performing the audit. The
maintenance of objectivity and independence requires continuing assessment
of relationships with the audited entities and public responsibility.

1.27 In applying GAGAS, auditors are responsible for using professional
judgment when establishing scope and methodologies for their work,
determining the tests and procedures to be performed, conducting the work,
and reporting the results. Auditors need to maintain integrity and
objectivity when doing their work to make decisions that are consistent with
the broader public interest in the program or activity under review. When
reporting on the results of their work, auditors are responsible for
disclosing all material or significant facts known to them which, if not
disclosed, could mislead knowledgeable users, misrepresent the results, or
conceal improper or unlawful practices.

1.28 Auditors are responsible for helping management and other report users
understand the auditors' responsibilities under GAGAS and other audit
coverage required by law or regulation. To help managers and other report
users understand an audit's objectives, time frames, and data needs,
auditors need to communicate information concerning the planning, conduct,
and reporting of the assignment to the parties involved.

        20 GAO-02-340G Government Auditing Standards Exposure Draft

Audit Organizations' Responsibilities 
1.29 Audit organizations also have the responsibility for ensuring that (1)
independence and objectivity are maintained in all phases of the assignment,
(2) professional judgment is used in planning and performing the work and in
reporting the results, (3) the work is performed by personnel who are
professionally competent, and (4) their systems of quality control are
periodically examined by independent peers to ensure that they have in place
appropriately designed policies, procedures, and practices that are
functioning effectively to meet professional standards.

1.30 While management is responsible for addressing audit and attestation
engagement findings and recommendations and tracking their status of
resolution, audit organizations are responsible for establishing policies
and procedures for follow-up to determine whether previous findings and
recommendations are addressed and are considered in planning future
assignments.

        21 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 2 
    TYPES OF GOVERNMENT AUDITS 
INTRODUCTION 
2.1 This chapter describes the types of audits and attestation engagements
that audit organizations perform, or arrange to have performed, of
government, programs,1 and of government assistance administered by
contractors, nonprofit entities, and other nongovernment entities. This
description is not intended to limit or require the types of audits or
attestation engagements that may be performed or arranged to be performed.
In performing work described below in accordance with generally accepted
government auditing standards (GAGAS), auditors should follow the applicable
standards included and incorporated in chapters 3 through 8. This chapter
also describes other professional services that audit organizations provide,
although these services are not covered by GAGAS.

2.2 All assignments begin with objectives, and those objectives determine
the type of work to be performed and the audit standards to be followed. The
types of work, as defined by their objectives that are covered by GAGAS, are
classified in these standards as financial audits, attestation engagements,
and performance audits.

2.3 Assignments may have a combination of objectives that include more than
one type of work described in this chapter or may have objectives limited to
only some aspects of one type of work. Auditors should follow the standards
that are applicable to the individual objectives of the audit or attestation
engagement.

1The term "program" is used to include entities, services, and activities.

        22 GAO-02-340G Government Auditing Standards Exposure Draft

FINANCIAL AUDITS

2.4 Financial audits primarily concern providing reasonable assurance about
whether financial statements are presented fairly in all material respects
in conformity with generally accepted accounting principles (GAAP),2 or with
a comprehensive basis of accounting other than GAAP. Other objectives of
financial audits may include

a. providing special reports for specified elements, accounts, or items of a
financial statement;

b. reviewing interim financial information or segments of financial
statements;

c. issuing letters for underwriters and certain other requesting parties;

d. reporting on the processing of transactions by service organizations; and

e. auditing compliance with regulations relating to governmental financial
assistance.

2.5 Financial audits are performed under the American Institute of Certified
Public Accountants' (AICPA) generally accepted auditing standards for field
work and reporting, as well as the related AICPA Statements on Auditing
Standards (SASs) which interpret the standards and provide guidance on
conducting such work.3 Accordingly, auditors performing financial audits
need to be proficient in applying the AICPA standards and guidance contained
in the SASs. GAGAS prescribe general standards and

2Three authoritative bodies for generally accepted accounting principles
(GAAP) are the Governmental Accounting Standards Board (GASB), the Financial
Accounting Standards Board (FASB), and the Federal Accounting Standards
Advisory Board (FASAB). GASB establishes accounting principles and financial
reporting standards for state and local government entities. FASB
establishes accounting principles and financial reporting standards for
nongovernment entities. FASAB promulgates accounting principles and
financial reporting standards for the federal government.

3GAGAS incorporate all AICPA field work and reporting auditing standards and
the related SASs unless the Comptroller General of the United States
excludes them by formal announcement. To date, the Comptroller General has
not excluded any AICPA field work or reporting auditing standards or any
SASs.

        23 GAO-02-340G Government Auditing Standards Exposure Draft

additional field work and reporting requirements beyond those provided by
the AICPA when performing financial audits. (See chapters 3, 4, and 5 for
standards and guidance for auditors performing a financial audit in
accordance with GAGAS.)

ATTESTATION ENGAGEMENTS 
2.6 Attestation engagements concern examining, reviewing, or performing
agreed upon procedures on a subject matter or an assertion4 about a subject
matter and reporting on the results. The subject matter of an attestation
engagement may take many forms, including historical or prospective
performance or condition, physical characteristics, historical events,
analyses, systems and processes, or behavior. Attestation engagements can
cover a broad range of financial or nonfinancial objectives and can be part
of a financial audit or other type of audit. Examples of objectives of
attestation engagements include reporting on

a. an entity's internal control over financial reporting;

b. an entity's compliance with requirements of specified laws, regulations,
rules, contracts, or grants;

c. the effectiveness of an entity's internal control over compliance with
specified requirements, such as those governing the bidding for, accounting
for, and reporting on grants and contracts;

d. management's discussion and analysis (MD&A) presentation;

e. prospective financial statements or pro forma financial information;

4An assertion is any declaration or set of declarations about whether the
subject matter is based on or in conformity with the criteria selected.

        24 GAO-02-340G Government Auditing Standards Exposure Draft

f. the reliability of performance measures;

g. final contract cost; and

h. allowability and reasonableness of proposed contract amounts.5

2.7 Attestation engagements are performed under the AICPA's attestation
standards, as well as the related AICPA Statements on Standards for
Attestation Engagements (SSAEs) which interpret the standards and provide
guidance on conducting such work.6 Accordingly, auditors performing
attestation engagements need to be proficient in applying the AICPA
standards and guidance contained in the SSAEs. GAGAS prescribe general
standards and additional field work and reporting requirements beyond those
provided by the AICPA for attestation engagements. (See chapters 3 and 6 for
standards and guidance for auditors performing an attestation engagement in
accordance with GAGAS.)

PERFORMANCE AUDITS 
2.8 A performance audit is an objective and systematic examination of
evidence to provide an independent assessment of the performance and
management of a program against objective criteria or an assessment of best
practices and other information. Performance audits provide information to
improve program operations and facilitate decisionmaking by parties with
responsibility to oversee or initiate corrective action, and improve public
accountability. Performance audits encompass a wide variety of

5Some of these examples of attestation engagement objectives are similar to
some of the performance audit objectives listed in paragraphs 2.9 through
2.11. Depending on user needs and the auditor's qualifications, the auditor
may choose to apply performance audit standards in chapters 7 and 8 to the
objectives in paragraph 2.6 instead of following the attestation standards
in chapter 6.

6GAGAS incorporate the AICPA's general attestation standard on criteria and
all the AICPA's field work and reporting attestation standards and the
related SSAEs unless the Comptroller General of the United States excludes
them by formal announcement. To date, the Comptroller General has not
excluded any AICPA field work or reporting attestation standards or SSAEs.

        25 GAO-02-340G Government Auditing Standards Exposure Draft

objectives including objectives related to assessing program effectiveness
and results; economy and efficiency; internal control;7 and compliance with
legal or other requirements; and objectives related to providing prospective
analyses, guidance, or summary information. Performance audits also may
encompass a broad or narrow scope of work and a variety of methodologies;
involve a level of analysis, research, or evaluation; generally provide
conclusions and recommendations; and result in a report. (See chapters 3, 7,
and 8 for standards and guidance for auditors performing a performance audit
in accordance with GAGAS.)

2.9 Program effectiveness and results audit objectives address the
effectiveness of a program and typically measure the extent to which a
program is achieving its goals and objectives. Economy and efficiency audit
objectives concern whether an entity is acquiring, protecting, and using its
resources in the most productive manner to achieve program objectives. These
audit objectives are often interrelated and may be concurrently addressed in
a performance audit. Examples of program effectiveness and results and
economy and efficiency audit objectives include assessing

a. the extent to which legislative, regulatory, or organizational goals and
objectives are being achieved;

b. the relative utility of alternative approaches to yield better program
performance or eliminate factors that inhibit program effectiveness;

c. the relative cost and benefits or cost effectiveness of program
performance;8

d. whether a program produced intended results or produced effects that were
not intended by the program's established or stated objectives;

7The term internal control in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity's operations (programmatic, financial, and compliance).8These
objectives focus on combining cost information with information about
outputs or the benefit provided, and outcomes or the results achieved.

        26 GAO-02-340G Government Auditing Standards Exposure Draft

e. the extent to which programs duplicate, overlap, or conflict with other
related programs;

f. whether the audited entity is following sound procurement practices;

g. the validity and reliability of performance measures concerning program
effectiveness and results, or economy and efficiency; and

h. the financial information related to the performance of a program.

2.10 Internal control audit objectives relate to management's plans,
methods, and procedures used to meet its mission, goals, and objectives.
Internal controls include the processes and procedures for planning,
organizing, directing, and controlling program operations, and the system
put in place for measuring, reporting, and monitoring program performance.
Examples of audit objectives related to internal control include the extent
that internal controls of a program provide reasonable assurance that

a. organizational missions, goals, and objectives are achieved effectively
and efficiently;

b. resources are used in compliance with laws, regulations, or other
requirements;

c. resources are safeguarded against unauthorized acquisition, use, or
disposition;

d. management information and public reports that are produced, such as
performance measures, are complete, accurate, and consistent to document
performance and support decisionmaking;

e. security over computerized information systems will prevent or detect
unauthorized access; and

        27 GAO-02-340G Government Auditing Standards Exposure Draft

f. contingency planning for information systems provides essential back-up
to prevent unwarranted disruption of activities and functions the systems
support.

2.11 Compliance audit objectives relate to compliance criteria established
by laws, regulations, contract provisions, grant agreements, and other
requirements9 that could affect the acquisition, protection, and use of the
entity's resources, and the quantity, quality, timeliness, and cost of
services the entity produces and delivers. Compliance objectives also
concern the purpose of the program, the manner in which it is to be
conducted and services delivered, and the population it serves.

2.12 Audit organizations are increasingly undertaking work that is similar
to the traditional performance audit but may have a prospective focus or may
provide guidance, best practice information, or information on cross-cutting
issues already studied or under study by an audit organization. While this
work generally does not involve assessing specific ongoing programs, it may
use data from relevant audit work for comparative or baseline purposes. This
performance-related work may encompass a broad or narrow range of objectives
and scope of work; use a variety of methodologies; involve a level of
analysis, research, or evaluation; generally provide conclusions and
recommendations; and result in a report. It is also subject to the same
standards as performance audits. Examples of objectives pertaining to this
work include

a. assessing program or policy alternatives, including forecasting program
outcomes under various assumptions;

b. assessing the advantages and disadvantages of legislative proposals;

c. conducting surveys to obtain and analyze views of stakeholders on policy
proposals for decisionmakers;

9 Compliance requirements can be either financial or nonfinancial in nature.

        28 GAO-02-340G Government Auditing Standards Exposure Draft

d. analyzing budget proposals or budget requests to assist legislatures in
the budget process;

e. developing methods or approaches for use in evaluating new or proposed
programs;

f. producing a high-level summary or a report that affects multiple programs
or entities on issues studied or under study by the audit organization; and

g. developing guidance documents such as those based on best practices
research and syntheses for management's use in evaluating program or
management system approaches, including financial and information management
systems.10

NONAUDIT SERVICES OF AUDIT ORGANIZATIONS 
2.13 Audit organizations may also provide nonaudit services that are not
covered by GAGAS. These nonaudit services consist of gathering, providing,
or explaining information requested by decision makers or providing advice
or assistance to management officials. Nonaudit services generally differ
from financial audits, attestation engagements, and performance audits
described above in that auditors provide information or data to a requesting
party without providing verification, analysis, or evaluation of the
information or data, and therefore the work does not usually provide a basis
for conclusions, recommendations, or opinions on the information or data.
These other services may or may not result in a report. Some examples of
these other professional services include

a. assisting a legislative body by developing questions for use at a
hearing;

b. gathering and reporting unverified external or third-party data to aid
legislative and administrative decision making;

10These guidance documents may also be used by auditors in planning and
performing their work.

        29 GAO-02-340G Government Auditing Standards Exposure Draft

c. compiling or reviewing financial statements or other information to
assist entities and management officials;11

d. advising an entity regarding its performance of internal control
self-assessments;

e. providing professional advice to entities and management officials to
assist them in activities such as the design or installation of information
systems and related internal control activities;

f. valuing an entity's pension, other postemployment benefit, or other
similar liabilities;

g. preparing an entity's indirect cost proposal or cost allocation plan;

h. providing human resource services to assist management in its evaluation
of potential candidates; and

i. development of audit methodologies, policies, and procedures.

2.14 GAGAS do not cover nonaudit services described in this chapter as such
services are not audits or attestation engagements. Therefore, auditors
should not report that such services were conducted in accordance with
GAGAS. However, audit organizations are encouraged to establish policies for
maintaining the quality of this type of work, and may wish to disclose in
any product resulting from this work, any other professional standards
followed and the quality control steps taken.

11This type of work is covered under the AICPA's Statements on Standards for
Accounting and Review

Services (SSARS), which are not incorporated into GAGAS since the work
covered by the SSARS are not

considered audits. 30 GAO-02-340G Government Auditing Standards Exposure
Draft

                              CHAPTER 3 
                          GENERAL STANDARDS 
INTRODUCTION 
3.1 This chapter prescribes general standards and provides guidance for
performing financial audits, attestation engagements,1 and performance
audits. These general standards concern the fundamental requirements for
ensuring the credibility of auditors' results. Credibility is essential to
all audit organizations performing work that government leaders and other
users rely on for making decisions, and is what the public expects of
information provided by auditors. These general standards encompass the
independence of the audit organization and its individual auditors; the
exercise of professional judgment in the performance of work and the
preparation of related reports; the competence of audit staff, including
their continuing professional education; and the existence of quality
control systems and external peer reviews.

3.2 These general standards provide the underlying framework that is
critical in effectively applying the field work and reporting standards
described in the following chapters, in performing the detailed work
associated with the assignment, and in preparing related reports and other
products. Therefore, these general standards are required to be followed by
all auditors and audit organizations, both government and nongovernment,
performing work under generally accepted government auditing standards
(GAGAS).

1See chapter 6 for an additional general standard auditors should follow
when performing an attestation engagement.

        31 GAO-02-340G Government Auditing Standards Exposure Draft

INDEPENDENCE 
[Refer to Amendment No. 3, Independence. The following paragraph numbers
will change accordingly.]

PROFESSIONAL JUDGMENT 
3.3 The second general standard is:

Professional judgment should be used in planning and performing audits and
attestation engagements, and in reporting the results.

3.4 This standard requires auditors to observe the principles of serving the
public interest and maintaining the highest sense of integrity, objectivity,
and independence in applying professional judgment2 in all aspects of their
work. This standard also imposes a responsibility upon each auditor within
the audit organization to observe GAGAS. If auditors hold themselves out as
following GAGAS, regardless of whether they are required to follow such
standards, they need to justify any departures from them.

3.5 Auditors should use professional judgment in determining the type of
assignment to be performed and the standards that apply to the work;
establishing the scope of work; selecting the methodology; determining the
type and amount of evidence to be gathered; and choosing the tests and
procedures for their work. Professional judgment also should be applied in
performing the tests and procedures and in evaluating and reporting the
results of the work.

2Professional judgment is synonymous with due professional care as defined
in the American Institute of Certified Public Accountants (AICPA) standards.
While the principles of serving the public interest and maintaining the
highest sense of integrity, objectivity, and independence are not explicitly
stated in the AICPA's due professional care standard, these principles serve
as the framework for all AICPA rules and standards.

        32 GAO-02-340G Government Auditing Standards Exposure Draft

3.6 Professional judgment requires auditors to exercise professional
skepticism, which is an attitude that includes a questioning mind and a
critical assessment of evidence. Auditors use the knowledge, skills, and
experience called for by their profession to diligently perform, in good
faith and with integrity, the gathering of evidence and objective evaluation
of the competency and sufficiency of evidence. Since evidence is gathered
and evaluated throughout the assignment, professional skepticism should be
exercised throughout the assignment.

3.7 Auditors neither assume that management is dishonest nor assume
unquestioned honesty. In exercising professional skepticism, auditors should
not be satisfied with less than persuasive evidence because of a belief that
management is honest.

3.8 The exercise of professional judgment allows the auditor to obtain
reasonable assurance that material misstatements or significant inaccuracies
in data will be detected if they exist. Absolute assurance is not attainable
because of the nature of evidence and the characteristics of fraud.
Therefore, an audit or attestation engagement conducted in accordance with
GAGAS may not detect a material misstatement or significant inaccuracy,
whether from error or fraud. Accordingly, while this standard places
responsibility on each auditor and audit organization to exercise
professional judgment in planning and performing an assignment, it does not
imply unlimited responsibility, nor does it imply infallibility on the part
of either the individual auditor or the audit organization.

COMPETENCE 
3.9 The third general standard is:

The staff assigned to perform the assignment should collectively possess
adequate professional competence for the tasks required.

        33 GAO-02-340G Government Auditing Standards Exposure Draft

3.10 This standard places responsibility on audit organizations to ensure
that each assignment is performed by staff who collectively have the
knowledge, skills, and experience necessary for that assignment. Audit
organizations should have a process, such as a human capital system, for
recruitment, hiring, continuous development, and evaluation of staff to
assist the organization in maintaining a workforce that has adequate
competence.

3.11 The competencies discussed below apply to the knowledge, skills, and
experience of audit organizations as a whole and not necessarily to each
individual auditor. An organization may need to employ individuals or hire
subject matter experts who are knowledgeable, skilled, or experienced in
such areas as accounting, statistics, law, engineering, audit design and
methodology, information technology, public administration, economics,
social sciences, or actuarial science.

Technical Knowledge and Competence 
3.12 Staff members conducting audits and attestation engagements under GAGAS
should collectively possess the technical knowledge, skills, and experience
necessary to be competent for the type of work being performed before
beginning work on an assignment. Auditors should possess

a. knowledge of government auditing standards applicable to the type of work
they are assigned and the education, skills, and experience to apply such
knowledge to the work being performed;

b. knowledge of the specific environment in which the audited entity
operates and the subject matter under review;

c. skills to communicate clearly and effectively, both orally and in
writing; and

d. skills appropriate for the work being performed. For example:

        34 GAO-02-340G Government Auditing Standards Exposure Draft

(1) if the work requires use of statistical sampling, the staff or
consultants to the staff should include persons with statistical sampling
expertise;

(2) if the work requires extensive review of information systems, the staff
or consultants to the staff should include persons with information
technology expertise;

(3) if the work involves review of complex engineering data, the staff or
consultants to the staff should include persons with engineering expertise;
or

(4) if the work involves the use of specialized audit methodologies or
analytical techniques, such as the use of complex survey instruments,
actuarial-based estimates, or statistical analysis tests, the staff or
consultants to the staff should include persons with expertise in those
methodologies.

3.13 The following additional competencies are needed for financial audits.

a. Auditors should be knowledgeable in generally accepted accounting
principles and the AICPA's generally accepted auditing standards for field
work and reporting and the related statements on the standards (SASs) when
performing a financial audit and should be competent in applying these
standards and SASs to the task assigned. Similarly, when performing an
attestation engagement, auditors should be knowledgeable in the AICPA's
general attestation standard related to criteria, and the AICPA's
attestation standards for field work and reporting and the related
statements on the standards for attestation engagements (SSAEs), and should
be competent in applying these standards and SSAEs to the task assigned.

b. Public accountants engaged to perform financial audits or attestation
engagements should be (a) licensed certified public accountants or persons
working for a licensed certified public accounting firm, or (b) public
accountants licensed on or before

        35 GAO-02-340G Government Auditing Standards Exposure Draft

December 31, 1970, or persons working for a public accounting firm licensed
on or before December 31, 1970.3

Continuing Professional Education 
3.14 Auditors performing work under GAGAS need to maintain their
professional competence through continuing professional education (CPE).
Therefore, each auditor performing work under GAGAS should complete, every 2
years, at least 80 hours of CPE which directly contributes to the auditor's
professional proficiency to perform such work. At least 20 hours should be
completed in any 1 year of the 2-year period.

3.15 Continuing education may include such topics as developments in audit
standards and methodology, accounting, assessment of internal control,
principles of management or supervision, information systems management,
statistical sampling, financial statement analysis, evaluation design, and
data analysis. It may also include subjects related to specific fields of
work, such as public administration, public policy and structure, industrial
engineering, finance, economics, social sciences, and information
technology.

3.16 In addition, auditors responsible for planning or directing an
assignment, performing substantial portions of the field work,4 or reporting
on the assignment under GAGAS should complete at least 24 of the 80 hours of
CPE in subjects directly related to the government environment and to
government auditing. If the audited entity operates in a specific or unique
environment, auditors should receive CPE that is related to that
environment.

3Accountants and accounting firms meeting these licensing requirements
should also comply with the applicable provisions of the public accountancy
law and rules of the jurisdiction(s) where the audit is being conducted and
the jurisdiction(s) in which the accountants and their firms are licensed.

4Auditors are considered responsible for "conducting substantial portions of
field work" when, in a given CPE year, time chargeable to audits and
attestation engagements following GAGAS is 20 percent or more of their total
chargeable time.

        36 GAO-02-340G Government Auditing Standards Exposure Draft

3.17 The audit organization is responsible for ensuring that auditors meet
the continuing education requirements. The audit organization should
maintain documentation of the CPE completed. GAO has developed guidance
pertaining to CPE requirements to assist auditors and audit organizations in
exercising professional judgment in complying with the CPE requirements.5

3.18 External consultants and internal experts and specialists should be
qualified and maintain professional competence in their areas of expertise
and/or specialization. However, they are not required to meet the above CPE
requirements unless they are responsible for following GAGAS in planning or
directing the assignment, performing substantial portions of field work, or
reporting on the assignment.

QUALITY CONTROL AND ASSURANCE 
3.19 The fourth general standard is:

Each audit organization performing assignments in accordance with GAGAS
should have an appropriate internal quality control system in place and
should undergo an external peer review.

3.20 The internal quality control system established by the audit
organization should provide reasonable assurance that it is following (1)
adequate quality control policies and procedures, and (2) applicable
government auditing standards. The internal quality control system should
include procedures for monitoring, on an ongoing basis, whether the policies
and procedures related to the standards are suitably designed and are being
effectively applied.

5Interpretation of Continuing Education and Training Requirements, April
1991, Government Printing Office stock number 020-000-00250-6.

        37 GAO-02-340G Government Auditing Standards Exposure Draft

3.21 The nature and extent of an audit organization's internal quality
control system depends on a number of factors, such as its size, the degree
of operating autonomy allowed its personnel and its audit offices, the
nature of its work, its organizational structure, and appropriate
cost-benefit considerations. Thus the systems established by individual
organizations will vary as will the need for, and extent of, their
documentation of the systems. However, each organization should prepare
appropriate documentation to demonstrate compliance with its policies and
procedures for its system of quality control.

3.22 Audit organizations performing assignments in accordance with GAGAS
should have an external peer review conducted at least once every 3 years by
reviewers independent of the organization being reviewed.6 The external peer
review should determine whether the organization's internal quality control
system is in place and operating effectively to provide reasonable assurance
that established policies and procedures and applicable government auditing
standards are being followed.

3.23 An external peer review under this standard should meet the following
requirements.

a. Individuals conducting peer reviews of an audit organization's system of
quality control should have thorough knowledge of GAGAS and of the
government environment relative to the work being reviewed.

b. Reviewers should be independent (as defined in GAGAS) of the audit
organization being reviewed, its staff, and the assignments selected for
review. An organization is not permitted to review the organization that
conducted its most recent external peer review. Also, the employing
organization of the peer reviewers should

6Audit organizations should have an external peer review conducted within 3
years from the date they start (that is, start of field work) their first
assignment in accordance with GAGAS. Subsequent external peer reviews should
be conducted every 3 years. Audit organizations should generally maintain
their review year from review to review. Any extensions of these time frames
to meet the external peer review requirements can only be granted by GAO and
should only be requested for extraordinary circumstances.

        38 GAO-02-340G Government Auditing Standards Exposure Draft

have received an unqualified opinion on the review of their organization's
system of quality controls.

c. Reviewers should have knowledge and training on how to perform a peer
review and should use professional judgment in conducting and reporting the
results of the review.

d. This review should include a review of the organization's internal
quality control policies and procedures, reports, audit documentation, and
other necessary documents (for example, independence statements, outside
employment requests, financial disclosure reports, and CPE documentation).
The review should also include contacts with various levels of the reviewed
organization's professional staff to assess their understanding of and
compliance with relevant quality control policies and procedures.

e. Reviewers should use one of the following approaches to selecting
assignments for review: (1) select assignments that provide a reasonable
cross section of the assignments performed by the reviewed organization in
accordance with GAGAS or (2) select assignments that provide a reasonable
cross section of the reviewed organization's work subject to quality control
requirements, including one or more assignments performed in accordance with
GAGAS.

f. The review should be sufficiently comprehensive to provide a reasonable
basis for concluding whether the reviewed audit organization's system of
quality control was complied with to provide the organization with
reasonable assurance of conforming with professional standards in the
conduct of its work. Reviewers may scale back the peer review procedures
based on the reviewers' evaluation of the adequacy and results of the
reviewed organization's monitoring efforts.

g. Reviewers should prepare a written report(s) communicating the results of
the external peer review. The report should indicate the scope of the
review, including

        39 GAO-02-340G Government Auditing Standards Exposure Draft

any limitations thereon, and should express an opinion on whether the system
of quality control of the reviewed organization was in place and operating
effectively to provide reasonable assurance that established policies and
procedures and applicable government auditing standards are followed. The
report should also describe the reason(s) for any modifications to the
opinion. When there are matters that resulted in a modification to the
standard report, reviewers should report a detailed description of the
findings and recommendations to enable the reviewed organization to take
appropriate actions. To help users of the peer review report understand the
peer review process, each report should be accompanied by an attachment
describing the process, including how peer reviews are planned and
performed.

3.24 Audit organizations seeking to enter into a contract to perform an
assignment in accordance with GAGAS should provide their most recent
external peer review report7 to the party contracting for the audit or
attestation engagement. Information in the external peer review report often
would be relevant to decisions on procuring audit or attestation engagement
services.

3.25 Auditors who are relying on another audit organization's work should
request a copy of the audit organization's peer review report, and the audit
organization should provide the peer review report when requested. Audit
organizations also should transmit their external peer review reports to
appropriate oversight bodies. It is also recommended that the report be made
available to the public in a timely manner.

      7The term "report" does not include separate letters of comment.

        40 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 4 
              FIELD WORK STANDARDS FOR FINANCIAL AUDITS 
INTRODUCTION 
4.1 Generally accepted government auditing standards (GAGAS) incorporate the
American Institute of Certified Public Accountants' (AICPA) generally
accepted field work standards for audits and the related AICPA Statements on
Auditing Standards (SASs) unless the Comptroller General of the United
States excludes them by formal announcement.1 This chapter identifies the
AICPA field work standards and prescribes additional standards for applying
the AICPA field work standards for financial audits performed in accordance
with GAGAS. This chapter concludes with guidance that auditors should give
consideration to when performing financial audits in accordance with GAGAS.

4.2 Financial audits consist of all work performed under the AICPA's
generally accepted auditing standards and governed by the AICPA SASs, which
interpret the standards. Such work performed in a government environment
primarily includes audits of financial statements. The SASs also govern
other types of services which may also be performed in a government
environment, such as compliance auditing, issuing special reports,3 audits
of service organizations, reviews of interim

1To date, the Comptroller General has not excluded any field work standards
or statements on auditing standards.

2The term "financial statement" refers to a presentation of financial data,
including accompanying notes, derived from accounting records and intended
to communicate an entity's economic resources or obligations at a point in
time or the changes therein for a period of time in conformity with an
identifiable framework, such as generally accepted accounting principles
(GAAP) or an other comprehensive basis of accounting (OCBOA). Audits of
financial statements include all services governed by the AICPA's SASs for
which the auditors are engaged to provide a level of assurance on the fair
presentation of financial statements in accordance with a stated criteria.

3Special reports apply to auditors' reports issued in connection with the
following: (1) financial statements that are prepared in conformity with a
comprehensive basis of accounting other than generally accepted accounting
principles; (2) specified elements, accounts, or items of a financial
statement; (3) compliance with aspects of contractual agreements or
regulatory requirements related to audited financial statements; (4)
financial presentations to comply with contractual agreements or regulatory
provisions; or (5) financial information presented in prescribed forms or
schedules that require a prescribed form of auditor's report.

        41 GAO-02-340G Government Auditing Standards Exposure Draft

financial information, and issuing letters to underwriters and certain other
requesting parties. These other services may be performed in conjunction
with an audit of financial statements.

FIELD WORK STANDARDS 
4.3 The three AICPA generally accepted standards of field work are as
follows.

a. The work is to be adequately planned, and assistants, if any, are to be
properly supervised.

b. A sufficient understanding of internal control is to be obtained to plan
the audit and to determine the nature, timing, and extent of tests to be
performed.

c. Sufficient competent evidential matter is to be obtained through
inspection, observation, inquiries, and confirmations to afford a reasonable
basis for an opinion regarding the financial statements under audit.

ADDITIONAL GAGAS FIELD 
4.4 GAGAS prescribe additional standards for applying the AICPA three
generally accepted AICPA field work standards which go beyond the
requirements contained in the AICPA's SASs. Auditors must comply with these
additional standards when citing GAGAS in their audit reports. The
additional GAGAS relate to

a. auditor communication (see paragraphs 4.6 through 4.13),

b. considering the results of previous audits (see paragraphs 4.14 through
4.16),

        42 GAO-02-340G Government Auditing Standards Exposure Draft

c. noncompliance with provisions of contracts and grants (see paragraphs
4.17 through 4.19), and

d. audit documentation (see paragraphs 4.20 through 4.24).

4.5 This chapter concludes with guidance auditors should give consideration
to when performing financial audits in accordance with GAGAS for the
following areas:

a. audit risk and materiality (see paragraphs 4.26 and 4.27),

b. internal control over safeguarding of assets (see paragraphs 4.28 through
4.33),

c. internal control over compliance (see paragraphs 4.34 through 4.36), and

d. professional judgment concerning possible fraud and illegal acts (see
paragraphs 4.37 through 4.39).

AUDITOR COMMUNICATION 
4.6 An additional standard related to auditor communication for financial
audits performed in accordance with GAGAS is:

Auditors should communicate information regarding the nature of services and
level of assurance provided to not only officials of the audited entity, but
also to the individuals contracting for or requesting the audit services,
and the audit committee or other equivalent oversight body.

4.7 AICPA standards and GAGAS require auditors to establish an understanding
with the client and to communicate with audit committees. GAGAS broaden the
parties with whom auditors must communicate with during the planning stages
of a financial audit to reduce the risk that the needs or

        43 GAO-02-340G Government Auditing Standards Exposure Draft

expectations of the parties involved may be misinterpreted. Auditors should
use their professional judgment to determine the form, content, and
frequency of the communication, although written communication is preferred,
and should document the communication. Auditors may use an engagement
letter, if appropriate, to communicate the information.

4.8 Auditors should communicate their responsibilities for the engagement to
the appropriate officials of the audited entity, which may include

a. the head of the audited entity,

b. the audit committee or board of directors or other equivalent oversight
body in the absence of an audit committee, and

c. the individual who possesses a sufficient level of authority and
responsibility for the financial reporting process, such as the chief
financial officer.

4.9 In situations where auditors are performing the audit under a contract
with a party other than the officials of the audited entity, or pursuant to
a third-party request, auditors should also communicate with the individuals
contracting for or requesting the audit, such as contracting officials or
legislative members or staff. When auditors are performing the audit
pursuant to a law or regulation, auditors should communicate with the
legislative members or staff who have oversight of the auditee.4 Auditors
should coordinate communications with the responsible government audit
organization and/or management of the audited entity, and may use the
engagement letter to keep interested parties informed.

4.10 In communicating the nature of services and level of assurance
provided, auditors should specifically address their planned work related to
testing compliance with laws and regulations and

4This requirement applies only to situations where the law or regulation
specifically identifies the entity to be audited, such as an audit of a
specific agency's financial statements required by the Chief Financial
Officers Act, as expanded by the Government Management Reform Act of 1994.
Situations where the audit of financial statements mandate applies to
entities not specifically identified, such as audits required by the Single
Audit Act Amendments of 1996, are excluded.

        44 GAO-02-340G Government Auditing Standards Exposure Draft

internal control over financial reporting. During the planning stages of an
audit, auditors should communicate their responsibilities for testing and
reporting on compliance with laws and regulations and internal control over
financial reporting. Such communication should include the nature of any
additional testing of compliance and internal control required by laws and
regulations or otherwise requested, and whether the auditors are planning on
providing opinions on compliance with laws and regulations and internal
control over financial reporting.

4.11 To assist in understanding the limitations of auditors'
responsibilities for testing and reporting on compliance and internal
control over financial reporting, auditors may want to contrast those
responsibilities with other audits of compliance and controls. The
discussion in paragraphs 4.12 and 4.13 may be helpful to auditors in
explaining their responsibilities for testing and reporting on compliance
with laws and regulations and internal control over financial reporting to
officials of the audited entity and other interested parties.

4.12 Tests of compliance with laws and regulations and internal control over
financial reporting in a financial audit contribute to the evidence
supporting the auditors' opinion on the financial statements or other
conclusions regarding financial data. However, such tests generally are not
sufficient in scope to opine on compliance or internal control over
financial reporting. To meet certain audit report users' needs, laws and
regulations sometimes prescribe testing and reporting on compliance and
internal control over financial reporting to supplement coverage of these
areas.5

4.13 Even after auditors perform and report the results of additional tests
of compliance and internal control over financial reporting required by laws
and regulations, some reasonable needs of report users still may be unmet.
Auditors may meet these needs by performing further tests of compliance

5For example, when engaged to perform audits under the Single Audit Act
Amendments of 1996 for state and local government entities and nonprofit
entities that receive federal awards, auditors should be familiar with the
Office of Management and Budget (OMB) Circular A-133 on single audits. The
act and circular include specific audit requirements, mainly in the areas of
compliance with laws and regulations and internal control, that exceed the
minimum audit requirements in the standards in chapters 4 and 5 of this
document. Audits conducted under the Chief Financial Officers Act of 1990,
as expanded by the Government Management Reform Act of 1994, also have
specific audit requirements prescribed by OMB in the areas of compliance and
internal control. Many state and local governments have additional audit
requirements.

        45 GAO-02-340G Government Auditing Standards Exposure Draft

and internal control in either of two ways:6

a. supplemental (or agreed-upon) procedures or

b. examination, resulting in an opinion.

CONSIDERING THE RESULTS 
4.14 An additional standard for financial audits performed in accordance
with GAGAS is:

Auditors should consider the results of previous audits and follow up on
known significant findings and recommendations, including those related to
reportable conditions, identified in previous audits reports that relate to
the objectives of the audit being undertaken.

4.15 Auditors should perform such follow-up to determine whether officials
of the audited entity have taken appropriate corrective actions. In addition
to following up on significant reported findings and recommendations7 from
previous financial audits, auditors should consider significant findings
identified in attestation engagements, performance audits, or other studies
if these findings could materially affect the results of the financial
audit. For example, an audit report on an entity's computerized information
systems may contain significant findings that could relate to the financial
audit if the entity uses such systems to process its accounting information.
In any event, auditors need to make judgments about the extent of follow-up
needed and the appropriate disclosure of uncorrected significant findings
and recommendations from prior audits that affect the audit objectives.

6Such work is generally performed under the AICPA's Statements on Standards
for Attestation Engagements. See
chapter 6 for a discussion of the standards used when performing attestation
engagements.
7Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors'
work and users' conclusions about those results.

        46 GAO-02-340G Government Auditing Standards Exposure Draft

4.16 Providing continuing attention to significant findings and
recommendations is important to ensure that the benefits of audit work are
realized. Ultimately, the benefits of audit work occur when audit findings
are resolved through meaningful and effective corrective action taken in
response to the auditors' findings and recommendations. Officials of the
audited entity are responsible for resolving audit findings and
recommendations directed to them, and for having a process to track their
status. If officials of the audited entity do not have such a process,
auditors may wish to establish their own process.

NONCOMPLIANCE WITH PROVISIONS OF 
4.17 The additional standard related to compliance with provisions of
contracts and grant agreements for financial audits performed in accordance
with GAGAS is:

Auditors should design the audit to provide reasonable assurance of
detecting material misstatements of financial statements or other financial
data resulting from noncompliance with provisions of contracts or grant
agreements that have a direct and material effect on the determination of
financial statement amounts. If specific information comes to the auditors'
attention that provides evidence concerning the existence of possible
noncompliance that could affect financial data significant to the audit
objectives or that could have a material indirect effect on the financial
statements, auditors should apply audit procedures specifically directed to
ascertaining whether noncompliance has occurred or is likely to have
occurred.

4.18 AICPA standards and GAGAS require auditors to assess the risk of
material misstatements of financial statements due to fraud and should
consider that assessment in designing the audit procedures to be performed.8
Auditors are also required to design the audit to provide reasonable
assurance of detecting material misstatements resulting from direct and
material illegal acts to be

8Two types of misstatements are relevant to the auditors' consideration of
fraud in an audit of financial statements- misstatements arising from
fraudulent financial statements and misstatements arising from
misappropriation of assets. The primary factor that distinguishes fraud from
error is whether the underlying action that results in the misstatement in
the financial statements is intentional or unintentional.

        47 GAO-02-340G Government Auditing Standards Exposure Draft

aware of the possibility that indirect illegal acts may have occurred. Under
GAGAS, the term noncompliance, however, has a broader meaning than fraud and
illegal acts. Noncompliance includes not only fraud and illegal acts, but
also violations of provisions of contracts or grant agreements.

4.19 Under GAGAS, auditors have the same responsibilities for detecting
material misstatements arising from other types of noncompliance as they do
for detecting those arising from fraud and illegal acts. Direct and material
noncompliance is noncompliance having a direct and material effect on the
determination of financial statement amounts or could have a significant
effect on other financial data needed to achieve audit objectives. Auditors
should design the audit to provide reasonable assurance of detecting
material misstatements resulting from direct and material noncompliance with
provisions of contracts or grant agreements. Indirect noncompliance is
noncompliance having material but indirect effects on financial statements
or other financial data needed to achieve audit objectives. If specific
information comes to the auditors' attention that provides evidence
concerning the existence of possible noncompliance that could have a
material indirect effect on the financial statements or significant indirect
effect on other financial data need to achieve audit objectives, auditors
should apply audit procedures specifically directed to ascertaining whether
that noncompliance has occurred or is likely to have occurred.

AUDIT DOCUMENTATION 
4.20 An additional standard related to audit documentation for financial
audits performed in accordance with GAGAS is:

Audit documentation should contain sufficient information to enable an
experienced reviewer, who has had no previous connection with the audit, to
ascertain from the audit documentation the evidence that supports the
auditors' significant judgments and conclusions. Audit documentation that
supports significant findings, conclusions, and recommendations should be
complete before auditors issue their report.

        48 GAO-02-340G Government Auditing Standards Exposure Draft

4.21 AICPA standards and GAGAS require auditors to prepare and maintain
audit documentation. The form and content of audit documentation should be
designed to meet the circumstances of the particular audit. The information
contained in audit documentation constitutes the principal record of the
work that the auditors have performed and the conclusions that the auditors
have reached. The quantity, type, and content of audit documentation is a
matter of the auditors' professional judgment.

However, audits performed in accordance with GAGAS are subject to review by
other reviewers and by oversight officials more frequently than audits done
in accordance with AICPA standards. Thus, whereas AICPA standards cite two
main purposes of audit documentation--providing the principal support for
the audit report and aiding auditors in performing and supervising the
audit--audit documentation serves an additional purpose in audits performed
in accordance with GAGAS. Audit documentation allows for the review of audit
quality by providing the reviewer documentation, either in written or
electronic formats, of the evidence supporting the auditors' significant
judgments and conclusions.

4.22 Audit documentation for financial audits performed under GAGAS should
contain the following.

a. The objectives, scope, and methodology, including sampling and other
selection criteria used.

b. Documentation of the auditor's determination that certain additional
government auditing standards do not apply or that an applicable standard
was not followed, the reasons therefore, and the known effect that not
following the standard had, or could have, on the audit.

c. Documentation of the work performed to support significant judgments and
conclusions, including descriptions of transactions and records examined
that would enable an experienced reviewer to examine the same transactions
and records.9

d. Auditors' basis for assessing control risk at the maximum level for
assertions related to material

9Auditors may meet this requirement by listing voucher numbers, check
numbers, or other means of identifying specific documents they examined.
Auditors are not required to include copies of documents they examined as
part of the audit documentation, nor are auditors required to list detailed
information from those documents.

        49 GAO-02-340G Government Auditing Standards Exposure Draft

account balances, transaction classes, and disclosure components of
financial statements when such assertions are significantly dependent upon
computerized information systems by addressing (1) the ineffectiveness of
the design and/or operation of the controls, or (2) the reasons why it would
be inefficient to test the controls.

e. The consideration that the planned audit procedures are designed to
achieve audit objectives when evidential matter obtained is highly dependent
on computerized information systems and is material to the audit objective,
and the auditors are not relying on the effectiveness of internal control
over those computerized systems that produced the information. The audit
documentation should specifically address (1) the rationale for determining
the nature, timing, and extent of planned audit procedures; (2) the kinds
and competence of available evidential matter produced outside a
computerized information system; and (3) the effect on the audit report if
evidential matter to be gathered does not afford a reasonable basis to
achieve the audit objectives.10

f. Evidence of supervisory reviews of the work performed.

4.23 Underlying GAGAS audits is that federal, state, and local governments
and other organizations cooperate in auditing programs of common interest so
that auditors may use others' work and avoid duplicate audit efforts. In
addition, audits performed in accordance with GAGAS are subject to quality
control and assurance reviews. Auditors should make arrangements to make
audit documentation available, upon request, in a timely manner to other
auditors or reviewers. Contractual arrangements for GAGAS audits should
provide for full and timely access to audit documentation to facilitate
reliance by other auditors on the auditors' work, as well as reviews of
audit quality control and assurance.

4.24 Audit organizations should establish reasonable policies and procedures
for the safe custody and retention of audit documentation for a time
sufficient to satisfy legal and administrative requirements. If audit
documentation is only retained electronically, the audit organization should
ensure that the electronic documentation is capable of being accessed
throughout the specified

10This documentation requirement does not increase the auditors'
responsibility for testing internal control but is intended to assist the
auditor in ensuring that audit objectives are met and audit risk is reduced
to an acceptable level.

        50 GAO-02-340G Government Auditing Standards Exposure Draft

retention period established for audit documentation and is safeguarded
through sound computer security.

ADDITIONAL CONSIDERATIONS ACCORDANCE WITH GAGAS 
4.25 As discussed in chapter 1, financial audits contribute to making
governments more accountable for the use of public resources and the
delivery of services. Because of the increased accountability associated
with government audits, auditors performing financial audits in accordance
with GAGAS should consider the following guidance related to audit risk and
materiality (see paragraphs 4.26 and 4.27), internal control over
safeguarding of assets (see paragraphs 4.28 through 4.33), internal control
over compliance (see paragraphs 4.34 through 4.36), and professional
judgment concerning possible fraud and illegal acts (see paragraphs 4.37 and
4.39).

Audit Risk and Materiality 
4.26 The AICPA standards and GAGAS require that the work is to be properly
planned, and auditors should consider audit risk and materiality, among
other matters, in determining the nature, timing, and extent of auditing
procedures and in evaluating the results of those procedures. Auditors'
consideration of audit risk and materiality is a matter of professional
judgment and is influenced by their perception of the needs of a reasonable
person who will rely on the financial statements. Materiality judgments are
made in light of surrounding circumstances and necessarily involve both
quantitative and qualitative considerations.

4.27 In an audit of a government entity or an entity that receives
government assistance, auditors may need to set lower materiality levels
than in audits in the private sector because of the public accountability of
the audited entity, the various legal and regulatory requirements, and the
visibility and sensitivity of government programs, activities, and
functions.

        51 GAO-02-340G Government Auditing Standards Exposure Draft

Internal Control Over 
4.28 Safeguarding of assets is an internal control objective. that is
especially important in performing financial audits of governmental entities
or others receiving government funds.11 Given the public accountability for
stewardship of resources, safeguarding of assets permeates control
objectives and components as defined by the AICPA standards and GAGAS.

4.29 As applied to financial audits, internal control over safeguarding of
assets constitutes a process, effected by an entity's governing body,
management, and other personnel designed to provide reasonable assurance
regarding prevention or timely detection of unauthorized acquisition, use,
or disposition of the entity's assets that could have a material effect on
the financial statements.

4.30 Internal control over the safeguarding of assets relates to the
prevention or timely detection of unauthorized transactions and unauthorized
access to assets that could result in losses that are material to the
financial statements, such as when unauthorized expenditures or investments
are made, unauthorized liabilities are incurred, inventory is stolen, or
assets are converted to personal use. Such controls are designed to help
ensure the use of and access to assets are in accordance with management's
authorization. Authorization includes approval of transactions in accordance
with control activities established by management to safeguard assets, such
as establishing and complying with requirements for extending and monitoring
credit or making investment decisions, and related documentation. Control
over safeguarding of assets is not designed to protect against loss of
assets arising from inefficiency or from management's operating decisions,
such as incurring expenditures for equipment or material that proves to be
unnecessary or unsatisfactory.

4.31 AICPA standards and GAGAS require auditors to obtain a sufficient
understanding of internal control to plan the audit. They also require
auditors to plan the audit to provide reasonable assurance of detecting
material fraud, including material misappropriation of assets. Because
preventing or

11Auditors should apply the guidance contained in this section to other
types of financial audits to the extent it is applicable to the nature of
the engagement.

        52 GAO-02-340G Government Auditing Standards Exposure Draft

detecting material misappropriations is an objective of control over
safeguarding of assets, understanding this type of control can be essential
to planning the audit.

4.32 Control over safeguarding of assets is not limited to preventing or
detecting misappropriations. It also helps prevent or detect other material
losses that could result from unauthorized acquisition, use, or disposition
of assets. Such controls include, for example, the process of assessing the
risk of unauthorized acquisition, use, or disposition of assets and
establishing control activities to help ensure that management directives to
address the risk are carried out. Such control activities would include
permitting acquisition, use, or disposition of assets only in accordance
with management's general or specific authorization, including compliance
with established control activities for such acquisition, use, or
disposition. They would also include comparing existing assets with the
related records at reasonable intervals and taking appropriate action with
respect to any differences. Finally, controls over safeguarding of assets
against unauthorized acquisition, use, or disposition also relate to making
available to management information it needs to carry out its
responsibilities related to prevention or timely detection of such
unauthorized activities, as well as mechanisms to enable management to
monitor the continued effective operation of such controls.

4.33 Understanding the control over safeguarding of assets can help auditors
assess the risk that financial statements could be materially misstated. For
example, an understanding of the audited entity's control over the
safeguarding of assets can help auditors recognize risk factors such as

a. failure to adequately monitor decentralized operations;

b. lack of control over activities, such as lack of separation of duties or
approval for major transactions;

c. lack of control over computerized information systems, such as a lack of
control over access to applications that initiate or control the movement of
assets;

        53 GAO-02-340G Government Auditing Standards Exposure Draft

d. failure to develop or communicate adequate control activities for
security of data or assets, such as allowing unauthorized personnel to have
ready access to data or assets; and

e. failure to investigate significant unreconciled differences between
reconciliations of a control account and subsidiary records.

Internal Control Over Compliance 
4.34 Governmental entities are subject to a variety of laws and regulations
that affect their financial statements or other financial data, which is a
major factor distinguishing governmental accounting from private-sector
accounting. For example, such laws and regulations may address the required
fund structure, procurement or debt limitations, or authority for
transactions. Accordingly, compliance with such laws and regulations may
have a direct and material effect on the determination of amounts in the
financial statements of governmental entities. Likewise, entities that
receive government assistance, such as contractors, nonprofit entities, and
other nongovernmental entities, are also subject to regulations, contract
provisions, or grant agreements that could have a direct and material effect
on their financial statements. Management, of both governmental entities and
others receiving governmental assistance, is responsible for ensuring that
the entity complies with not only the laws and regulations but also contract
provisions and grant agreements applicable to its activities. That
responsibility encompasses the identification of applicable laws,
regulations, contract provisions, and grant agreements, as well as the
establishment of controls designed to provide reasonable assurance that the
entity complies with those laws, regulations, contract provisions, and grant
agreements.

4.35 AICPA standards and GAGAS require auditors to design the audit to
provide reasonable assurance that the financial statements are free of
material misstatements resulting from noncompliance that have a direct and
material effect on the determination of financial statement amounts. To meet
this requirement, auditors should have an understanding of internal control
relevant to financial statement assertions affected by those laws,
regulations, contract provisions, or grant agreements. Auditors may find it
necessary to use the work of legal counsel in (1) determining

        54 GAO-02-340G Government Auditing Standards Exposure Draft

which laws and regulations might have a direct and material effect on the
financial statements, (2) designing tests of compliance with laws and
regulations, and (3) evaluating the results of those tests.12 Auditors also
may find it necessary to use the work of legal counsel when an audit
requires testing compliance with provisions of contracts or grant
agreements. Depending on the circumstances of the audit, auditors may find
it necessary to obtain information on compliance matters from others, such
as investigative staff, audit organizations, and officials of government
entities that provided assistance to the audited entity, and/or the
applicable law enforcement authority.

4.36 AICPA standards and GAGAS require that auditors use their understanding
of internal control relevant to financial statement assertions affected by
laws and regulations to identify types of potential misstatements, consider
factors that affect the risk of material misstatement, and design
substantive tests. GAGAS extends this requirement to include contract
provisions and grant agreements. In applying this requirement, the following
factors may influence the auditors' assessment of control risk:

a. management's awareness or lack of awareness of applicable laws,
regulations, contract provisions, or grant agreements;

b. policy of the audited entity regarding such matters as acceptable
operating practices and codes of conduct; and

c. assignment of responsibility and delegation of authority to deal with
such matters as organizational goals and objectives, operating functions,
and regulatory requirements.

12AICPA standards provide guidance for auditors who use the work of a
specialist who is not a member of their staff.

        55 GAO-02-340G Government Auditing Standards Exposure Draft

Professional Judgment Concerning 
4.37 Under AICPA standards and GAGAS, auditors are responsible for being
aware of the characteristics and types of potentially material fraud that
could be associated with the area being audited so that they can plan the
audit to provide reasonable assurance of detecting material misstatements of
the financial statements due to fraud.

4.38 Auditors should exercise professional judgment in pursuing indications
of possible fraud and illegal acts so as not to interfere with potential
future investigations, legal proceedings, or both. Under some circumstances,
laws, regulations, or policies may require auditors to report indications of
certain types of fraud or illegal acts to law enforcement or investigatory
authorities before extending audit steps and procedures. Auditors may also
be required to withdraw from or defer further work on the audit or a portion
of the audit in order not to interfere with an investigation.

4.39 An audit made in accordance with GAGAS will not guarantee the discovery
of fraud or illegal acts or contingent liabilities resulting from them. Nor
does the subsequent discovery of illegal acts committed during the audit
period mean that the auditors' performance was inadequate, provided the
audit was made in accordance with GAGAS.

        56 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 5 
              REPORTING STANDARDS FOR FINANCIAL AUDITS 
INTRODUCTION 
5.1 This chapter presents reporting standards for financial audits, which
include audits of financial statements and other work governed by the
American Institute of Certified Public Accountants' (AICPA) generally
accepted auditing standards and related Statements on Auditing Standards
(SASs). Generally accepted government auditing standards (GAGAS) incorporate
the AICPA field work and reporting standards and related SASs unless the
Comptroller General of the United States excludes them by formal
announcement.1 This chapter identifies the AICPA generally accepted
reporting standards and prescribes for financial audits conducted in
accordance with GAGAS additional reporting standards on

a. reporting compliance with generally accepted government auditing
standards (see paragraphs 5.3 through 5.6),

b. reporting on compliance with laws and regulations and on internal control
over financial reporting (see paragraphs 5.7 through 5.10),

c. reporting deficiencies in internal control (see paragraphs 5.11 through
5.15),

d. reporting fraud, illegal acts, and other noncompliance (see paragraphs
5.16 through 5.26),

e. reporting views of responsible officials (see paragraph 5.27 through
5.31),

1To date, the Comptroller General has not excluded any field work or
reporting standards or statements on auditing standards.

        57 GAO-02-340G Government Auditing Standards Exposure Draft

f. privileged and confidential information (see paragraphs 5.32 through
5.34), and

g. report issuance and distribution. (See paragraphs 5.35 through 5.38).

5.2 The four AICPA generally accepted standards of reporting are as follows.

a. The report shall state whether the financial statements are presented in
accordance with generally accepted accounting principles.

b. The report shall identify those circumstances in which such principles
have not been consistently observed in the current period in relation to the
preceding period.

c. Informative disclosures in the financial statements are to be regarded as
reasonably adequate unless otherwise stated in the report.

d. The report shall either contain an expression of opinion regarding the
financial statements, taken as a whole, or an assertion to the effect that
an opinion cannot be expressed. When an overall opinion cannot be expressed,
the reasons therefor should be stated. In all cases where an auditor's name
is associated with financial statements, the report should contain a
clear-cut indication of the character of the auditor's work, if any, and the
degree of responsibility the auditor is taking.

REPORTING COMPLIANCE WITH GENERALLY STANDARDS 
5.3 An additional reporting standard for financial audits conducted in
accordance with GAGAS is:

        58 GAO-02-340G Government Auditing Standards Exposure Draft

Audit reports should state that the audit was made in accordance with
generally accepted government auditing standards.

5.4 The above statement refers to all the applicable standards that the
auditors should have followed during their audit. The statement referencing
compliance with generally accepted government auditing standards should be
qualified in situations where the auditors did not follow an applicable
standard. In these situations, the auditors should disclose in the scope
section of the report the applicable standard that was not followed, the
reasons therefore, and how not following the standard affected, or could
have affected, the results of the audit.

5.5 When the report on the financial audit is submitted to comply with a
legal, regulatory, or contractual requirement for a GAGAS audit, it should
specifically cite GAGAS. The report on the financial audit may cite AICPA
standards as well as GAGAS.

5.6 An audited entity receiving a GAGAS audit report may also need a
financial audit report for purposes other than to comply with requirements
calling for a GAGAS audit. For example, the audited entity may need audited
financial statements to issue bonds or for other financing purposes. When a
GAGAS audit is the basis for an auditor's subsequent report under the AICPA
standards, it would be advantageous to users of the subsequent report for
the auditor's report to include the information on compliance with laws and
regulations and internal control that is required by GAGAS but not required
by AICPA standards. To reissue essentially the same report omitting the
information regarding compliance with laws and regulations and internal
control is not in the public interest.

        59 GAO-02-340G Government Auditing Standards Exposure Draft

REPORTING ON COMPLIANCE WITH LAWS AND CONTROL 
5.7 An additional reporting standard for financial statement audits2
conducted in accordance with GAGAS is:

When providing an opinion on financial statements, auditors should include
in their report on the financial statements either a (1) description of the
scope of the auditors' testing of compliance with laws and regulations and
internal control over financial reporting and the results of those tests or
an opinion, if sufficient work was performed; or (2) reference to the
separate report(s) containing that information. In presenting the results of
those tests, auditors should report fraud, illegal acts, other material
noncompliance, and reportable conditions in internal control over financial
reporting.

5.8 Auditors may report on compliance with laws and regulations and internal
control over financial reporting in the report on the financial statements
or in separate report(s). When auditors report on compliance and internal
control over financial reporting as part of the report on the financial
statements, auditors should include an introduction summarizing key findings
in the audit of the financial statements and the related compliance and
internal control work. Auditors should not issue this introduction as a
stand-alone report.

5.9 When auditors report separately (including separate reports bound in the
same document) on compliance with laws and regulations and internal control
over financial reporting, the report on the financial statements should
state that the auditors are issuing those additional reports. The report on
the financial statements should also state that the reports on compliance
with laws and regulations and internal control over financial reporting are
an integral part of a GAGAS audit,

2Although the following standard on reporting on compliance with laws and
regulations and on internal control over financial reporting is applicable
to audits of financial statements, the requirement to report deficiencies in
internal control (see paragraphs 5.11 through 5.15) and reporting fraud,
illegal acts, and other noncompliance (see paragraphs 5.16 through 5.26) is
applicable to all financial audits.

        60 GAO-02-340G Government Auditing Standards Exposure Draft

and, in considering the results of the audit, these reports should be read
along with the auditors' report on the financial statements.

Scope of Compliance and Internal Control Work 
5.10 Auditors should report the scope of their testing of compliance with
laws and regulations and of internal control over financial reporting,
including whether or not the tests they performed provided sufficient
evidence to support an opinion on compliance with laws and regulations or
internal control over financial reporting and whether the auditors are
providing such opinions.3

REPORTING DEFICIENCIES IN 
5.11 The additional reporting standard for financial audits conducted in
accordance with GAGAS is:

Auditors should report significant deficiencies in internal control
considered to be reportable conditions as defined in AICPA standards.

5.12 The following are examples of matters that may be reportable
conditions:4

a. absence of appropriate segregation of duties consistent with appropriate
control objectives;

b. absence of appropriate reviews and approvals of transactions, accounting
entries, or systems output;

3Auditors should follow the AICPA's Statements on Standards for Attestation
Engagements when providing opinions on internal control over compliance with
laws and regulations or on internal control over financial reporting. See
chapter 6 for a discussion of the attestation standards.

4AICPA standards define reportable conditions as significant deficiencies in
the design or operation of internal control which could adversely affect the
entity's ability to record, process, summarize, and report financial data
consistent with the assertions of management in the financial statements.

        61 GAO-02-340G Government Auditing Standards Exposure Draft

c. inadequate provisions for the safeguarding of assets;

d. evidence of failure to safeguard assets from loss, damage, or
misappropriation;

e. evidence that a system fails to provide complete and accurate output
consistent with the control objectives of the audited entity because of the
misapplication of control activities;

f. evidence of intentional override of internal control by those in
authority to the detriment of the overall objectives of the system;

g. evidence of failure to perform tasks that are part of internal control,
such as reconciliations not prepared or not timely prepared;

h. absence of a sufficient level of control consciousness within the
organization;

i. significant deficiencies in the design or operation of internal control
that could result in violations of laws and regulations having a direct and
material effect on the financial statements; and

j. failure to follow up and correct previously identified deficiencies in
internal control.

5.13 In reporting on deficiencies in internal control, auditors should
identify those that are individually or in the aggregate considered to be
material weaknesses.5 Auditors should place their findings in proper
perspective by providing a description of the objectives, scope, and
methodology used to conduct the work. To give the reader a basis for judging
the prevalence and

5The AICPA standards define a material weakness as a reportable condition in
which the design or operation of one or more of the internal control
components does not reduce to a relatively low level the risk that
misstatements caused by error or fraud in amounts that would be material in
relation to the financial statements being audited may occur and not be
detected within a timely period by employees in the normal course of
performing their assigned functions.

        62 GAO-02-340G Government Auditing Standards Exposure Draft

consequences of these findings, the instances identified should be related
to the population or the number of cases examined and be quantified in terms
of dollar value, if appropriate. Auditors may include such information in
their audit report or may prepare a separate report. If auditors report
separately, the audit report should contain a reference to the separate
report containing this information6 and state that the separate report is an
integral part of the audit and should be considered in assessing the results
of the audit.

5.14 To the extent possible, auditors should present findings to identify
the elements of criteria, condition, and effect, as well as cause when
problems are found. In addition, auditors should provide recommendations for
corrective action if auditors are able to sufficiently develop the findings.
However, the elements needed for a finding depend entirely on the scope and
objectives of the financial audit, and, as a result, may not always have all
of the elements fully developed. At a minimum, auditors should identify the
condition, criteria, and possible effect to provide sufficient information
to federal, state, and local officials to assist them in taking corrective
action.

5.15 When auditors detect deficiencies in internal control that are not
reportable conditions, they should communicate those deficiencies to
officials of the audited entity, preferably in writing. If the auditors have
communicated other deficiencies in internal control in a management letter
to officials of the audited entity, auditors should refer to that management
letter when they report on internal control. Auditors should include in
their audit documentation evidence of all communications to officials of the
audited entity about deficiencies in internal control.

REPORTING FRAUD, ILLEGAL ACTS, 
5.16 An additional reporting standard for financial audits conducted in
accordance with GAGAS is:

6For audits of financial statements, such information is generally included
in the reports on compliance and internal control over financial reporting.

        63 GAO-02-340G Government Auditing Standards Exposure Draft

Auditors should report fraud, illegal acts, or other material noncompliance.
In some circumstances, auditors should report fraud and illegal acts
directly to parties external to the audited entity.

5.17 AICPA standards and GAGAS require auditors to address the effect fraud
or illegal acts may have on the audit report and to determine that the audit
committee or others with equivalent authority and responsibility are
adequately informed about the fraud or illegal acts. The additional GAGAS
standard does not modify these responsibilities. However, AICPA standards do
not require that this communication be written, nor do they address
communication regarding other noncompliance (violations of other compliance
requirements such as provisions of contracts or grant agreements).

5.18 When auditors conclude, on the basis of evidence obtained, that fraud
or an illegal act either has occurred or is likely to have occurred,7 they
should report the relevant information. Auditors need not report information
about fraud or an illegal act that is clearly inconsequential. Thus,
auditors should include in their report the same information about fraud and
illegal acts that they have informed the audit committees about under AICPA
standards. Auditors should also report other noncompliance that is material
to the audit.

5.19 In reporting material fraud, illegal acts, or other noncompliance, the
auditors should place their findings in proper perspective by providing a
description of the objectives, scope, and methodology used to conduct the
work. To give the reader a basis for judging the prevalence and consequences
of these findings, the instances identified should be related to the
population or the number of cases examined and be quantified in terms of
dollar value, if appropriate. Auditors may include such information in their
audit report or may prepare a separate report. If auditors report
separately, the audit report should contain a reference to the separate
report containing this

7Whether a particular act is, in fact, illegal may have to await final
determination by a court of law or other adjudicative body. Thus, when
auditors disclose matters that have led them to conclude that an illegal act
is likely to have occurred, they should not imply that they have made a
determination of illegality.

        64 GAO-02-340G Government Auditing Standards Exposure Draft

information8 and state that the report is an integral part of the audit and
should be considered in assessing the results of the audit.

5.20 To the extent possible, auditors should present findings to identify
the elements of criteria, condition, and effect, as well as cause when
problems are found. In addition, auditors should provide recommendations for
corrective action if auditors are able to sufficiently develop the findings.
However, the elements needed for a finding depend entirely on the scope and
objectives of the financial audit, and, as a result, may not always have all
of the elements fully developed. At a minimum, auditors should identify the
condition, criteria, and possible effect to provide sufficient information
to federal, state, and local officials to assist them in taking corrective
action. Auditors should also obtain the views of responsible officials of
the audited entity regarding the findings and include this information in
the report as appropriate.

5.21 When auditors detect fraud, illegal acts, or other noncompliance that
do not meet criteria for reporting in paragraph 5.18, they should
communicate those findings to officials of the audited entity, preferably in
writing. If auditors have communicated those findings in a management letter
to officials of the audited entity, auditors should refer to that management
letter when they report on compliance. Auditors may provide less extensive
disclosure of fraud and illegal acts that are not material in either a
quantitative or qualitative sense.9 Auditors should include in their audit
documentation evidence of all communications to officials of the audited
entity about fraud, illegal acts, and other noncompliance.

Direct Reporting of Fraud and Illegal Acts 
5.22 GAGAS require auditors to report fraud or illegal acts directly to
parties outside the audited entity in two circumstances, as discussed below.
These requirements are in addition to any legal

8For audits of financial statements, such information is generally included
in the reports on compliance with laws and regulations and internal control
over financial reporting.

9Paragraphs 4.26 and 4.27 provide guidance on factors that may influence
auditors' materiality judgments in audits of government entities or entities
receiving government assistance. AICPA standards provide guidance on the
interaction of quantitative and qualitative considerations in materiality
judgments.

        65 GAO-02-340G Government Auditing Standards Exposure Draft

requirements for direct reporting of fraud or illegal acts. Auditors should
meet these requirements even if they have resigned or been dismissed from
the audit.10

5.23 Officials of the audited entity may be required by law or regulation to
report certain fraud or illegal acts to specified external parties, such as
a federal inspector general or a state attorney general. If auditors have
communicated such fraud or illegal acts to officials of the audited entity
and they fail to report them, then the auditors should communicate such an
awareness to the governing body of the audited entity. If the officials of
the audited entity do not make the required report as soon as practicable
after the auditors' communication with the entity's governing body, then the
auditors should report the fraud or illegal acts directly to the external
party specified in the law or regulation.

5.24 Management of the audited entity is responsible for taking timely and
appropriate steps to remedy fraud or illegal acts that auditors report to
it. When fraud or an illegal act involves assistance received directly or
indirectly from a government agency, auditors may have a duty to report
directly if management fails to take remedial steps. If auditors conclude
that such failure is likely to cause them to depart from the standard report
on the financial statements or resign from the audit, then they should
communicate that conclusion to the governing body of the audited entity.
Then, if officials of the audited entity do not report the fraud or illegal
act as soon as practicable to the entity that provided the government
assistance, the auditors should report the fraud or illegal act directly to
that entity.

5.25 In both of these situations, auditors should obtain sufficient,
competent, and relevant evidence, such as confirmation with outside parties,
to corroborate assertions by management that it has reported fraud or
illegal acts. If they are unable to do so, then the auditors should report
the fraud or illegal acts directly as discussed above.

5.26 Under some circumstances, laws, regulations, or policies may require
auditors to report promptly indications of certain types of fraud or illegal
acts to law enforcement or investigatory

10Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy.

        66 GAO-02-340G Government Auditing Standards Exposure Draft

authorities. When auditors conclude that this type of fraud or illegal act
either has occurred or is likely to have occurred, they should ask those
authorities and/or legal counsel if reporting certain information about that
fraud or illegal act would compromise investigative or legal proceedings.
Auditors should limit their reporting to matters that would not compromise
those proceedings, such as information that is already a part of the public
record.

VIEWS OF RESPONSIBLE OFFICIALS 
5.27 An additional reporting standard for financial audits performed in
accordance with GAGAS is:

If the auditors' report discloses significant deficiencies, auditors should
report the views of responsible officials concerning the findings,
conclusions, and recommendations, as well as corrections planned.

5.28 One of the most effective ways to ensure that a report is fair,
complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials produces a report
that shows not only what was found and what the auditors think about it but
also what the responsible persons think about it and what they plan to do
about it.

5.29 Auditors should normally request that the responsible officials' views
on significant findings, conclusions, and recommendations be submitted in
writing. Oral comments are acceptable as well, and, in some cases, may be
the only or most expeditious way to obtain comments. Cases in which
obtaining oral comments can be effective include when there is a
time-critical need to meet a user's needs; the auditor has worked closely
with the responsible officials throughout the conduct of the work and the
parties are very familiar with the findings and issues addressed in the
draft product; or the auditor does not expect major disagreements with the
draft report's findings, conclusions, and recommendations, or perceive any
major controversies with regard to the issued discussed in the draft report.
Auditors should prepare a

        67 GAO-02-340G Government Auditing Standards Exposure Draft

summary of the officials' oral comments and provide a copy of the summary to
management of the audited entity to verify that the comments are accurately
stated.

5.30 Comments should be fairly and objectively evaluated and recognized, as
appropriate, in the final report. Comments, such as a promise or plan for
corrective action, should be noted but should not be accepted as
justification for dropping a significant finding or a related
recommendation.

5.31 When the comments oppose the report's findings, conclusions, or
recommendations, and are not, in the auditors' opinion, valid, the auditors
should state their reasons for disagreeing with the comments. The auditors'
disagreement should be stated in a fair and objective manner. Conversely,
the auditors should modify their report as necessary if they find the
comments valid. Auditors may wish to attach the comment letter to the audit
report to provide the reader with both points of view.

PRIVILEGED AND CONFIDENTIAL INFORMATION 
5.32 An additional reporting standard for financial audits conducted in
accordance with GAGAS is:

If certain pertinent information is prohibited from general disclosure, the
audit report should state the nature of the information omitted and the
requirement that makes the omission necessary.

5.33 Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. Such information may be
provided on a need-to-know basis in a separate limited official-use report
which is restricted to only persons authorized by law or regulation to

        68 GAO-02-340G Government Auditing Standards Exposure Draft

receive it. The auditors should, when appropriate, consult with legal
counsel regarding any requirements or other circumstances that may
necessitate the omission of certain information.

5.34 Additional circumstances associated with public safety and security
concerns could also justify the exclusion of certain information in the
report. For example, information related to computer security for a
particular program should be excluded from publicly available reports
because of the potential damage that could be caused by the misuse of this
information. In such circumstances, auditors may issue a limited
official-use report containing such information and distribute the report
only to those parties responsible for acting on the auditors'
recommendations. If auditors make the judgment that certain additional
information should be excluded from a publicly available report, they should
state the nature of the information omitted and the reasons that makes the
omission necessary.

REPORT ISSUANCE AND DISTRIBUTION 
5.35 An additional reporting standard for financial audits conducted in
accordance with GAGAS is:

Auditors should submit written audit reports to the appropriate officials of
the audited entity and to the appropriate officials of the organizations
requiring or arranging for the audits, including external funding
organizations such as legislative bodies, unless legal restrictions prevent
it. Auditors should also send copies of the reports to other officials who
have legal oversight authority or who may be responsible for acting on audit
findings and recommendations and to others authorized to receive such
reports. Unless the report is restricted by law or regulation, or contains
privileged and confidential information, auditors should ensure that copies
be made available for public inspection.

        69 GAO-02-340G Government Auditing Standards Exposure Draft

5.36 Audit reports should be distributed in a timely manner to officials
interested in the results.11 Such officials include those designated by law
or regulation to receive such reports, those responsible for acting on the
findings and recommendations, those of other levels of government that have
provided assistance to the audited entity, and legislators. However, if the
subject of the audit involves material that is classified for security
purposes or not releasable to particular parties or the public for other
valid reasons, auditors may limit the report distribution.

5.37 When public accountants are engaged, the engaging organization should
ensure that the report is distributed appropriately. If the public
accountants are to make the distribution, the engagement agreement should
indicate which officials or organizations should receive the report.

5.38 Internal auditors should follow their entity's own arrangements and
statutory requirements for distribution. Usually, they report to their
entity's top managers, who are responsible for distribution of the report.
Further distribution of reports outside the organization should be made in
accordance with applicable laws, rules, regulations, or policy.

11See the Single Audit Act Amendments of 1996 and Office of Management and
Budget (OMB) Circular A-133 on single audits for the distribution of reports
on single audits of state and local governmental entities and nonprofit
organizations that receive federal awards.

        70 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 6 
     GENERAL, FIELD WORK, AND REPORTING                              ENGAGEMENTS 
INTRODUCTION 
6.1 In an attestation engagement, auditors issue an examination, a review,
or an agreed-upon procedures report on subject matter, or on an assertion
about the subject matter, that is the responsibility of another party.
Attestation engagements can cover a broad range of financial or nonfinancial
objectives1 and can be part of a financial statement audit or other
engagement. Attestation engagements are governed by the standards for
attestation engagements issued by the American Institute of Certified Public
Accountants (AICPA). Generally accepted government auditing standards
(GAGAS) incorporate for attestation engagements the AICPA's general standard
on criteria, its field work standards, and its reporting standards, as well
as the AICPA Statements on Standards for Attestation Engagements (SSAEs),
which interpret the attestation standards, unless the Comptroller General of
the United States excludes them by formal announcement.2 This chapter
identifies the AICPA's general standard on criteria, 3 field work standards,
and reporting standards and prescribes additional field work and reporting
standards, as well as guidance, for attestation engagements performed in
accordance with GAGAS.

1 See chapter 2 for examples of objectives for attestation engagements.

2 To date, the Comptroller General has not excluded any field work
standards, reporting standards, or statements on standards for attestation
engagements.

3 GAGAS incorporate only one of the AICPA's general standards for
attestation engagements. In addition to this general standard, auditors
should follow the general standards for work performed under GAGAS, as
discussed in chapter 3.

        71 GAO-02-340G Government Auditing Standards Exposure Draft

AICPA GENERAL AND FIELD WORK STANDARDS 
6.2 The AICPA's general standard related to criteria states the following.

The practitioner [auditor] shall perform an engagement only if he or she has
reason to believe that the subject matter is capable of evaluation against
criteria that are suitable and available to users.

6.3 The  two AICPA field  work standards for attestation  engagements are as
follows.

a. The  work shall  be adequately planned  and assistants, if  any, shall be
properly supervised.

b. Sufficient  evidence shall be obtained to  provide a reasonable basis for
the conclusion that is expressed in the report.

ADDITIONAL FIELD  WORK STANDARDS 
6.4  GAGAS   require  additional   field  work  standards   for  attestation
engagements in the following areas:

a. auditor communication (see paragraphs 6.5 and 6.7),

b. considering  the results  of previous audits  and attestation engagements
(see paragraphs 6.8 through 6.10),

c. audit documentation (see paragraphs 6.11 through 6.17),

d. internal control (see paragraphs 6.18 and 6.19), and

        72 GAO-02-340G Government Auditing Standards Exposure Draft

e. fraud, illegal acts, and other noncompliance (see paragraphs 6.20 through
6.22).

Auditor Communication 
6.5 An additional field work standard for attestation engagements performed
in accordance with GAGAS is:

Auditors should communicate information to officials of the audited entity
and the individual contracting for the audit services regarding the nature
and extent of planned testing and reporting on the subject matter or
assertion.

6.6 During the planning stages of an attestation engagement, auditors should
communicate to officials of the audited entity and to individuals requesting
or contracting for the services information regarding the nature and extent
of testing and reporting, including any potential restriction of reports
associated with the different levels of assurance services, to reduce the
risk that the needs or expectations of the parties involved may be
misinterpreted. For example, attestation standards provide for the following
three levels of assurance.

a. Examination: Auditors perform sufficient testing to express an opinion
whether the subject matter is based on (or in conformity with) the criteria
in all material respects or the assertion is presented (or fairly stated),
in all material respects, based on the criteria.

b. Review: Auditors perform sufficient testing to express a conclusion
whether any information came to the auditors' attention on the basis of the
work performed that indicates the subject matter is not based on (or in
conformity with) the criteria or the assertion is not presented (or fairly
stated) in all material respects based on the criteria.4

4 As stated in the AICPA's statements on standards for attestation
engagements, auditors should not perform review-level work for reporting on
internal control or compliance with laws and regulations.

        73 GAO-02-340G Government Auditing Standards Exposure Draft

c. Agreed-upon procedures: Auditors perform testing to issue a report of
findings based on specific procedures performed on subject matter.

6.7 Auditors should use their professional judgment to determine the form
and content of the communication, although written communication is
preferred. Auditors may use an engagement letter, if appropriate, to
communicate the information. If the attestation engagement is part of a
larger audit, this information may be communicated as part of that audit.
Whatever the form of the communication, auditors should include audit
documentation regarding the communication.

Considering the Results of Previous Audits Engagements 
6.8 An additional field work standard for attestation engagements performed
in accordance with GAGAS is:

Auditors should consider the results of previous audits and attestation
engagements and follow up on known significant findings and recommendations
that directly relate to the subject matter of the attestation engagement
being undertaken.

6.9 Auditors should determine whether officials of the audited entity have
taken appropriate corrective actions on known reported significant findings
and recommendations.5 In addition to following up on significant reported
findings and recommendations from previous financial audits or attestation
engagements, auditors should consider significant findings identified in
performance audits and other studies if these findings relate to subject
matter or assertions of the attestation engagement. For example, an audit
report on an entity's computerized information systems may contain
significant findings that could relate to the attestation engagement if the
entity uses such systems to process information about the subject matter or
contained in an assertion about the subject matter. Following up on known
significant findings and

5 Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors' work and users'
conclusions about those results.

        74 GAO-02-340G Government Auditing Standards Exposure Draft

recommendations identified in previous audits, attestation engagements, or
studies can help auditors evaluate the subject matter or the assertion
associated with the attestation engagement.

6.10 Providing continuing attention to significant findings and
recommendations is important to ensure the benefits of audit work are
realized. Ultimately, the benefits of audit work occur when audit findings
are resolved through meaningful and effective corrective action in response
to the auditors' findings and recommendations. Officials of the audited
organization are responsible for resolving audit findings and
recommendations directed to them and for having a process to track their
status. If officials of the audited organization do not have such a process,
auditors may wish to establish their own process.

Audit Documentation 
6.11 The additional field work standard related to audit documentation for
attestation engagements performed in accordance with GAGAS is:

Audit documentation should contain sufficient information to enable an
experienced reviewer, who has had no previous connection with the
attestation engagement, to ascertain from the audit documentation the
evidence that supports the auditors' significant judgments and conclusions.
Audit documentation that supports significant findings, conclusions, and
recommendations should be complete before auditors issue their report.

6.12 AICPA standards and GAGAS require that auditors should prepare and
maintain audit documentation. The form and content of audit documentation
should be designed to meet the circumstances of the particular attestation
engagement. The information contained in audit documentation constitutes the
principal record of the work that the auditors have performed and the
conclusions that the auditors have reached. The quantity, type, and content
of audit documentation is a matter of the auditors' professional judgment.

6.13 GAGAS extend the level of required audit documentation to be sufficient
for an experienced reviewer who has had no previous connection with the
engagement to understand

        75 GAO-02-340G Government Auditing Standards Exposure Draft

the evidence that supports the auditors' significant judgments and
conclusions. Further, such documentation must be complete before auditors
issue their report.

6.14 Attestation engagements done in accordance with GAGAS are subject to
review by other auditors and by oversight officials more frequently than
audits done in accordance with AICPA standards. Thus, whereas AICPA
standards cite two main purposes of audit documentation--providing the
principal support for the audit report and aiding auditors in the conduct
and supervision of the audit--audit documentation serves an additional
purpose in attestation engagements performed in accordance with GAGAS. Audit
documentation allows for the review of audit quality by providing the
reviewer documentation, either in written or electronic formats, of the
evidence supporting the auditors' significant judgments and conclusions.

6.15 Audit organizations should establish reasonable policies and procedures
for the safe custody and retention of audit documentation for a time
sufficient to satisfy legal and administrative requirements. If audit
documentation is only retained electronically, the audit organization should
ensure that the electronic documentation is capable of being accessed
throughout the specified retention period established for audit
documentation and is safeguarded through sound computer security.

6.16 Audit documentation for attestation engagements under GAGAS should
contain the following.

a. The objectives, scope, and methodology, including any sampling criteria
used.

b. Documentation of the auditor's determination that certain additional
government auditing standards do not apply or that an applicable standard
was not followed, the reasons therefore, and the known effect that not
following the standard had, or could have, on the attestation engagement.

        76 GAO-02-340G Government Auditing Standards Exposure Draft

c. Documentation of the work performed to support significant judgments and
conclusions, including descriptions of transactions and records examined
that would enable an experienced reviewer to examine the same transactions
and records.6

d. The consideration that the planned procedures are designed to achieve
objectives of the attestation engagement when evidential matter obtained is
highly dependent on computerized information systems and is material to the
objective of the engagement, and the auditors are not relying on the
effectiveness of internal control over those computerized systems that
produced the information. The audit documentation should specifically
address (1) the rationale for determining the nature, timing, and extent of
planned audit procedures; (2) the kinds and competence of available
evidential matter produced outside a computerized information system; and
(3) the effect on the attestation engagement report if evidential matter to
be gathered does not afford a reasonable basis to achieve the objectives of
the engagement.

e. Evidence of supervisory reviews of the work performed.

6.17 One factor underlying GAGAS audits is that federal, state, and local
governments and other organizations cooperate in auditing programs of common
interest so that auditors may use others' work and avoid duplicate audit
efforts. In addition, attestation engagements performed in accordance with
GAGAS are subject to quality control and assurance reviews. Auditors should
make arrangements to make audit documentation available, upon request, in a
timely manner to other auditors or reviewers. Contractual arrangements for
attestation engagements performed in accordance with GAGAS should provide
for full and timely access to audit documentation to facilitate reliance by
other auditors on the auditors' work, as well as reviews of audit quality
control and assurance.

6 Auditors may meet this requirement by listing voucher numbers, check
numbers, or other means of identifying specific documents they examined.
Auditors are not required to include copies of documents they examined as
part of the audit documentation, nor are auditors required to list detailed
information from those documents.

        77 GAO-02-340G Government Auditing Standards Exposure Draft

Internal Control 
6.18 An additional field work standard for attestation engagements performed
in accordance with GAGAS is:

In planning examination-level attestation engagements, auditors should
obtain a sufficient understanding of internal control that is material to
the subject matter or assertion to plan the engagement and design procedures
to achieve the objectives of the attestation engagement.

6.19 In planning the engagement, auditors should obtain an understanding of
internal control7 as it relates to the subject matter or assertion to which
the auditors are attesting. The subject matter or assertion may be of a
financial or nonfinancial nature, and internal control relevant to the
subject matter or assertion the auditor is testing may relate to

a. effectiveness and efficiency of operations, including the use of an
entity's resources;

b. reliability of financial reporting, including reports on budget execution
and other reports for internal and external use;

c. compliance with applicable laws and regulations; and

d. safeguarding of assets.

7 Although not applicable to attestation engagements, the AICPA statements
on auditing standards may provide useful guidance related to internal
control for auditors performing attestation engagements in accordance with
GAGAS. In addition, auditors performing attestation engagements may wish to
refer to the internal control guidance published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). The Standards
for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November
1999), which incorporates the relevant guidance developed by COSO, provides
definitions and fundamental concepts pertaining to internal control at the
federal level and may be useful to auditors at any level of government. The
related Internal Control Management and Evaluation Tool (GAO-01-1008G,
August 2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.

        78 GAO-02-340G Government Auditing Standards Exposure Draft

Fraud, Illegal Acts, and Other Noncompliance 
6.20 An additional field work standard for attestation engagements performed
in accordance with GAGAS is:

In planning examination-level attestation engagements, auditors should
design the engagement to provide reasonable assurance of detecting fraud,
illegal acts, or other noncompliance that could have a material effect on
the subject matter or assertion of the attestation engagement.

6.21 Auditors should exercise professional judgment in planning the
engagement by obtaining an understanding of the possible effects of fraud,
illegal acts, or other noncompliance on the subject matter or assertion of
the attestation engagement and by identifying and assessing any associated
risks that could have a material effect on the attestation engagement.8
Auditors should include audit documentation on their assessment of risk,
and, when risk factors are identified as being present, the documentation
should include

a. those risk factors identified, and

b. the auditors' response to those risk factors, individually or in
combination.

6.22 In addition, if during the performance of the attestation engagement,
risk factors or other conditions are identified that cause the auditors to
believe that an additional response is required, such factors or other
conditions, and any future response the auditors concluded was appropriate,
should be documented.

8 Although not applicable to attestation engagements, the AICPA statements
on auditing standards may provide useful guidance related to fraud for
auditors performing attestation engagements in accordance with GAGAS.

        79 GAO-02-340G Government Auditing Standards Exposure Draft

AICPA REPORTING STANDARDS 
6.23 The AICPA standards for attestation engagements provide for three
levels of reporting based on the type of assurance the auditor is providing.
(See paragraph 6.6.) The four AICPA reporting standards for attestation
engagements are as follows.

a. The report shall identify the subject matter or the assertion being
reported on and state the character of the engagement.

b. The report shall state the practitioner's [auditors'] conclusions about
the subject matter or the assertion in relation to the criteria against
which the subject matter was evaluated.

c. The report shall state all of the practitioner's [auditors'] significant
reservations about the engagement, the subject matter, and, if applicable,
the assertion related thereto.

d. The report shall state that the use of the report is restricted to
specified parties under the following circumstances:9 (1) When the criteria
used to evaluate the subject matter are determined by the practitioner to be
appropriate only for a limited number of parties who either participated in
their establishment or can be presumed to have an adequate understanding of
the criteria. (2) When the criteria used to evaluate the subject matter are
available only to specified parties. (3) When reporting on subject matter
and a written assertion has not been provided by the responsible party. (4)
When the report is on an attest engagement to apply agreed-upon procedures
to the subject matter.

9 Auditors should, however, follow the report distribution standard. (See
paragraphs 6.39 through 6.43.)

        80 GAO-02-340G Government Auditing Standards Exposure Draft

ADDITIONAL REPORTING STANDARDS FOR 
6.24 GAGAS require additional reporting standards for attestation
engagements in the following areas:

a. reporting compliance with generally accepted government auditing
standards (see paragraphs 6.25 through 6.27);

b. reporting on internal control and on fraud, illegal acts, and other
noncompliance (see paragraphs 6.28 through 6.31);

c. views of responsible officials (see paragraphs 6.32 through 6.36);

d. privileged and confidential information (see paragraphs 6.37 and 6.38);
and

e. report issuance and distribution (see paragraphs 6.39 through 6.43).

Reporting Compliance With Generally Accepted Standards 
6.25 An additional reporting standard for attestation engagements performed
in accordance with GAGAS is:

Reports on attestation engagements should state that the engagement was made
in accordance with generally accepted government auditing standards.

6.26 The above statement refers to all the applicable standards that the
auditors should have followed during the attestation engagement. The
statement should be qualified in situations where the auditors did not
follow an applicable standard. In these situations, the auditors should
disclose in the scope section of the report the applicable standard that was
not followed, the

        81 GAO-02-340G Government Auditing Standards Exposure Draft

reasons therefore, and how not following the standard affected, or could
have affected, the results of the attestation engagement.

6.27 When the report on the attestation engagement is submitted to comply
with a legal, regulatory, or contractual requirement for a GAGAS audit, it
should specifically cite GAGAS. An audited entity receiving a GAGAS
attestation report may also need a report on the attestation engagement for
purposes other than to comply with requirements calling for a GAGAS audit.
When a GAGAS attestation engagement is the basis for an auditor's subsequent
report under the AICPA standards, it would be advantageous to users of the
subsequent report for the auditor's report to include the information on
compliance with laws and regulations and internal control that is required
by GAGAS but not required by AICPA standards. To reissue essentially the
same report omitting the information regarding compliance with laws and
regulations and internal control is not in the public interest.

Reporting on Internal Control and on Fraud, Noncompliance 
6.28 An additional reporting standard for attestation engagements performed
in accordance with GAGAS is:

The report on an attestation engagement should disclose deficiencies in
internal control, including internal control over compliance with laws and
regulations, that are material to the subject matter or assertion. Fraud,
illegal acts, and other noncompliance often result from the lack, or
circumvention, of internal control. Accordingly, auditors should also
disclose in the report on the attestation engagement instances of fraud,
illegal acts, or other noncompliance that are material to the subject matter
or the assertion.

6.29 Auditors should place their findings in proper perspective by providing
a description of the objectives, scope, and methodology used to conduct the
work. To give the reader a basis for judging the prevalence and consequences
of these findings, the instances identified should be related to the
population or the number of cases examined and be quantified in terms of
dollar

        82 GAO-02-340G Government Auditing Standards Exposure Draft

value, if appropriate. Auditors need not report information about fraud or
an illegal act that is clearly inconsequential. However, these matters
should be brought to the attention of management of the audited entity.

6.30 To the extent possible, auditors should present findings to identify
the elements of criteria, condition, and effect, as well as cause when
problems are found. In addition, auditors should provide recommendations for
corrective action if auditors are able to sufficiently develop the findings.
However, the elements needed for a finding depend entirely on the scope and
objectives of the attestation engagement, and, as a result, may not always
have all of the elements fully developed. At a minimum, auditors should
identify the condition, criteria, and possible effect to provide sufficient
information to federal, state, and local officials to assist them in taking
corrective action.

6.31 When auditors detect deficiencies in internal control that are not
material to the subject matter or assertion or conclude, on the basis of
evidence obtained, that fraud, an illegal act, or other noncompliance either
has occurred or is likely to have occurred,10 they should communicate
relevant information to officials of the audited entity, preferably in
writing. Auditors should include in their audit documentation evidence of
all communications to officials of the audited entity about deficiencies in
internal control or indications of fraud, illegal acts, or other
noncompliance.

Views of Responsible Officials 
6.32 An additional reporting standard for attestation engagements performed
in accordance with GAGAS is:

10 Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should not imply that they have made a determination of illegality.

        83 GAO-02-340G Government Auditing Standards Exposure Draft

If the auditor's report discloses significant deficiencies, auditors should
report the views of responsible officials concerning the findings,
conclusions, and recommendations, as well as corrections planned.

6.33 One of the most effective ways to ensure that a report is fair,
complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials produces a report
that shows not only what was found and what the auditors think about it but
also what the responsible persons think about it and what they plan to do
about it.

6.34 Auditors should normally request that the responsible officials' views
on significant findings, conclusions, and recommendations be submitted in
writing. Oral comments are acceptable as well, and, in some cases, may be
the only or most expeditious way to obtain comments. Cases in which
obtaining oral comments can be effective include when there is a
time-critical need to meet a user's needs; the auditors have worked closely
with the responsible officials throughout the conduct of the work and the
parties are very familiar with the findings and issues addressed in the
draft product; or the auditor does not expect major disagreements with the
draft report's findings, conclusions, and recommendations, or perceive any
major controversies with regard to the issues discussed in the draft report.
Auditors should prepare a summary of the officials' oral comments and
provide a copy of the summary to management of the audited entity to verify
that the comments are accurately stated.

6.35 Comments should be fairly and objectively evaluated and recognized, as
appropriate, in the final report. Comments, such as a promise or plan for
corrective action, should be noted but should not be accepted as
justification for dropping a significant finding or a related
recommendation.

6.36 When the comments oppose the report's findings, conclusions, or
recommendations, and are not, in the auditors' opinion, valid, the auditors
should state their reasons for disagreeing with the comments. The auditors'
disagreement should be stated in a fair and objective manner. Conversely,
the auditors should modify their report as necessary if they find the
comments valid.

        84 GAO-02-340G Government Auditing Standards Exposure Draft

Auditors may wish to attach the comment letter to the audit report to
provide the reader with both points of view.

Privileged and Confidential Information 
6.37 An additional reporting standard for attestation engagements performed
in accordance with GAGAS is:

If certain pertinent information is prohibited from general disclosure, the
report on the attestation engagement should state the nature of the
information omitted and the requirement that makes the omission necessary.

6.38 Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. Such information may be
provided on a need-to-know basis only to persons authorized by law or
regulation to receive it. Additional circumstances associated with public
safety and security concerns could also justify the exclusion of certain
information in the report. For example, information related to computer
security for a particular program should be excluded from the report because
of the potential damage that could be caused by the misuse of this
information. In such circumstances, auditors may issue a limited
official-use report containing such information and distribute the report
only to those parties responsible for acting on the auditors'
recommendations.

Report Issuance and Distribution 
6.39 An additional reporting standard for attestation engagements performed
in accordance with GAGAS is:

Auditors should submit written reports on the attestation engagement to the
appropriate officials of the audited entity and to the appropriate officials
of the organizations requiring or arranging for the engagement, including
external funding organizations, unless legal restrictions prevent it.
Auditors should also send copies of the reports to other officials

        85 GAO-02-340G Government Auditing Standards Exposure Draft

who have legal oversight authority or who may be responsible for acting on
audit findings and recommendations and to others authorized to receive such
reports. Unless the report is restricted by law or regulation, auditors
should ensure that copies be made available for public inspection.

6.40 Reports should be distributed in a timely manner to officials
interested in the results. Such
officials include those designated by law or regulation to receive such
reports, those responsible
for acting on the findings and recommendations contained in the report,
those of other levels of
government that have provided assistance to the audited entity, and
legislators.

6.41 If the subject of the attestation engagement involves material that is
classified for security
purposes or not releasable to particular parties or the public for other
valid reasons, auditors may
limit the report distribution. Although AICPA standards require that a
report on an engagement
to evaluate an assertion that has been prepared on agreed-upon criteria or
on an engagement to
apply agreed-upon procedures should contain a statement limiting its use to
the parties who have agreed upon such criteria or procedures, such a
statement does not require
that the report distribution be limited.

6.42 When public accountants are engaged, the engaging organization should
ensure that the
report is distributed appropriately. If the public accountants are to make
the distribution, the
engagement agreement should indicate which officials or organizations should
receive the report
and other steps being taken to ensure the availability of the report for
public inspection.

6.43 Internal auditors should follow their entity's own arrangements and
statutory requirements
for distribution. Usually, they report to their entity's top manager, who is
responsible for
distribution of the report. Further distribution of reports outside the
organization should be made
in accordance with applicable laws, rules, regulations, or policy.

        86 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 7 
             FIELD WORK STANDARDS FOR PERFORMANCE AUDITS 
INTRODUCTION 
7.1 This chapter prescribes field work standards and provides guidance to
auditors conducting performance audits in accordance with generally accepted
government auditing standards (GAGAS). The field work standards for
performance audits relate to planning the audit, supervising staff,
obtaining sufficient, competent, and relevant evidence, and preparing audit
documentation.

PLANNING 
7.2 The field work standard related to planning for performance audits
conducted in accordance with GAGAS is:

Work is to be adequately planned.

7.3 In planning the audit, auditors should define the audit objectives, as
well as the scope, and methodology to achieve those objectives. Audit
objectives, scope, and methodologies are not determined in isolation.
Auditors determine these three elements of the audit plan together, as the
considerations in determining each often overlap. Planning is a continuous
process throughout the audit. Therefore, auditors should consider the need
to make adjustments to the audit objectives, scope, and methodology as work
is being completed.

7.4 The objectives are what the audit is intended to accomplish. They
identify the audit subjects and performance aspects to be included, as well
as the potential finding and reporting elements

        87 GAO-02-340G Government Auditing Standards Exposure Draft

that the auditors expect to develop.1 Audit objectives can be thought of as
questions about the program2 that auditors seek to answer. (See chapter 2.)

7.5 Scope is the boundary of the audit and should be directly tied to the
audit objectives. For example, the scope defines parameters of the audit
such as the period of time reviewed, the availability of necessary
documentation or records, and the number of locations at which field work
will be conducted.

7.6 The methodology comprises the work involved in gathering and analyzing
data to achieve the objectives. Audit procedures are the specific steps and
tests auditors will carry out to address the audit objectives. Auditors
should design the methodology to provide sufficient, competent, and relevant
evidence to achieve the objectives of the audit. Methodology includes both
the types and extent of audit procedures used to achieve the audit
objectives. Auditors may use different methodologies drawn from a wide
variety of disciplines.3

7.7 Planning should be documented and should include

a. considering the significance of various programs and the needs of
potential users of the audit report (see paragraphs 7.8 and 7.9);

b. obtaining an understanding of the program to be audited (see paragraph
7.10);

1See discussion of the elements of a finding in paragraphs 7.45 through
7.48.

2This chapter uses only the term program; however, the concepts presented
also apply to audits of organizations, activities, and services.

3If the auditor chooses to apply or use standards or methodologies developed
by other professional organizations when performing work under GAGAS, the
auditor should also apply the standards in this chapter as appropriate. Even
if auditors do not follow such other standards and methodologies, they may
still serve as a useful source of guidance to auditors in planning their
work under GAGAS. However, if auditors decide to perform their work in
accordance with the standards for attestation engagements issued by the
AICPA, auditors should apply the additional GAGAS standards for attestation
engagements contained in chapter 6.

        88 GAO-02-340G Government Auditing Standards Exposure Draft

c. obtaining an understanding of internal control as it relates to the
specific objectives and scope of the audit, (see paragraphs 7 .11 through
7.16);

d. designing the audit methodology and procedures to test compliance with
legal and regulatory requirements of the program to be audited that are
significant to the specific objectives and scope of the audit (see
paragraphs 7.17 through 7.20);

e. identifying the criteria needed to evaluate matters subject to audit (see
paragraph 7.21);

f. considering the results of previous audits that could affect the current
audit objectives (see paragraphs 7.22 and 7.23);

g. identifying potential sources of data that could be used as audit
evidence (see paragraph 7.24);

h. considering whether the work of other auditors and experts may be used to
satisfy some of the auditors' objectives (see paragraphs 7.25 and 7.27);

i. providing appropriate and sufficient staff and other resources to perform
the audit (see paragraph 7.28-7.31);

j. communicating general information concerning the planning and conduct of
the audit to management officials responsible for the program being audited,
and others as applicable (see paragraphs 7.32 and 7.33); and

k. documenting planning decisions (see paragraphs 7.34 through 7.36).

Program Significance 
7.8 The significance of a matter is its relative importance to the audit
objectives and potential users of the audit report. Auditors should consider
the significance of a program or program

        89 GAO-02-340G Government Auditing Standards Exposure Draft

component and the potential use that will be made of the audit results or
report as they plan a performance audit. Indicators of significance and/or
use to consider include

a. visibility and sensitivity of the program under audit,

b. newness of the program or changes in its conditions,

c. role of the audit in providing information that can improve public
accountability and decisionmaking, and

d. level and extent of review or other forms of independent oversight.

7.9 One group of users of the auditors' report is government officials who
may have authorized or requested the audit. Another important user of the
auditors' report is the entity being audited, which is responsible for
acting on the auditors' recommendations. Other potential users of the
auditors' report include government legislators or officials (other than
those who may have authorized or requested the audit), the media, interest
groups, and individual citizens. In addition to an interest in the program,
potential users may have an ability to influence the conduct of the program.
An awareness of these potential users' interests and influence can help
auditors understand why the program operates the way it does. This awareness
can also help auditors judge whether possible findings could be significant
to various possible users.

Understanding the Program 
7.10 Auditors should obtain an understanding of the program to be audited to
help assess, among other matters, the significance of possible audit
objectives and the feasibility of achieving them. The auditors'
understanding may come from knowledge they already have about the program or
knowledge they gain from inquiries and observations they make in planning
the audit. The extent and breadth of those inquiries and observations will
vary among audits based on the audit

        90 GAO-02-340G Government Auditing Standards Exposure Draft

objectives, as will the need to understand individual aspects of the
program, such as the following.

a. Laws and regulations: Government programs usually are created by law and
are subject to more specific laws and regulations than the private sector.
For example, laws and regulations usually set forth what is to be done, who
is to do it, the purpose to be achieved, the population to be served, and
how much can be spent on what. Thus, understanding the laws and the
legislative history establishing a program can be essential to understanding
the program itself. Obtaining that understanding is also a necessary step in
identifying provisions of laws and regulations significant to audit
objectives.

b. Purpose and goals: Purpose is the result or effect that is intended or
desired from a program's operation. Legislatures usually establish the
program purpose when they provide authority for the program. Entity
officials may provide more detailed guidance on program purpose to
supplement the authorizing legislation. Entity officials are sometimes asked
to set goals for program performance and operations, including both outcome
and output goals. Auditors may use the stated program purpose and goals as
criteria for assessing program performance or may develop additional
criteria or best practices to compare the program with.

c. Internal control: Internal control, often referred to as management
controls, in the broadest sense includes the plan of organization, methods,
and procedures adopted by management to meet its missions goals and
objectives. Internal control includes the processes for planning,
organizing, directing, and controlling program operations. It includes the
systems for measuring, reporting, and monitoring program performance.
Internal control also serves as the first line of defense in safeguarding
assets and preventing and detecting errors and fraud. Paragraphs 7.11
through 7.16 contain guidance pertaining to internal control.

d. Efforts: Efforts are the amount of resources (in terms of money,
material, personnel, and so forth) that are put into a program. These
resources may come from within or outside the entity operating the program.
Measures of efforts can have a number of dimensions, such as cost,

        91 GAO-02-340G Government Auditing Standards Exposure Draft

timing, and quality. Examples of measures of efforts are dollars,
employee-hours, and square feet of building space.

e. Program operations: Program operations are the strategies, processes, and
activities management uses to convert efforts into outputs. Program
operations are subject to internal control.

f. Outputs: Outputs represent the quantity of a good or service produced by
a program. For example, an output measure for a job training program could
be the number of persons completing training, and an output measure for an
aviation safety inspection program could be the number of safety inspections
completed.

g. Outcomes: Outcomes are accomplishments or results of programs. For
example, an outcome measure for a job training program could be the
percentage of trained persons obtaining a job and still in the work place
after a specified period of time. Examples of outcome measures for an
aviation safety inspection program could be the percentage reduction in
significant safety problems found in subsequent inspections and/or the
percentage of significant problems deemed corrected in follow-up
inspections. Such outcome measures show progress in achieving the stated
program purposes of helping unemployable citizens get and keep jobs and
improving the safety of aviation operations. Auditors should be aware that
outcomes may be influenced by cultural, economic, physical, or technological
factors outside the program. Auditors may use approaches drawn from the
field of program evaluation to try to isolate the effects of the program
from these other influences.

Internal Control 
7.11 Auditors should obtain an understanding of the internal control
environment, as well as specific internal controls, that are significant to
the audit objectives, including internal control over compliance with legal
and regulatory requirements, and consider whether the internal controls have
been placed in operation. Auditors also need to consider whether any
reliance will be placed on internal controls in designing audit procedures.
If so, auditors should include

        92 GAO-02-340G Government Auditing Standards Exposure Draft

specific tests of the effectiveness of internal control and consider the
results in designing audit procedures.4 Management is responsible for
establishing effective internal control. The lack of administrative
continuity in government units because of changes in elected legislative
bodies and in administrative organizations increases the need for effective
internal control.

7.12 The following classification of internal control is intended to help
auditors better understand internal controls and determine their
significance to the audit objectives.

a. Effectiveness and efficiency of program operations: Controls over program
operations include policies and procedures that management has implemented
to reasonably ensure that a program meets its objectives and that unintended
actions do not result, such as improper payments. Understanding these
controls can help auditors understand the program operations that convert
efforts to outputs or outcomes.

b. Validity and reliability of data: Controls over the validity and
reliability of data include policies and procedures that management has
implemented to reasonably ensure that valid and reliable data are obtained,
maintained, and fairly disclosed in reports. These controls help assure
management that it is getting valid and reliable information about whether
programs are operating properly on an ongoing basis. Understanding these
controls can help auditors (1) assess the risk that the data gathered by the
entity may not be valid or reliable and (2) design appropriate tests of the
data.

c. Compliance with applicable laws and regulations: Controls over compliance
with applicable laws and regulations include policies and procedures that
management has implemented to reasonably ensure that program implementation
is consistent with laws and regulations.

4Refer to internal control guidance developed for the private sector,
Internal Control - Integrated Framework, published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO). The publication,
Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1, November 1999), which incorporates the relevant
guidance developed by COSO, provides definitions and fundamental concepts
pertaining to internal control at the federal level and may be useful to
other auditors at any level of government. The related Internal Control
Management and Evaluation Tool (GAO-01-1008G, August 2001), based on the
federal internal control standards, provides a systematic, organized, and
structured approach to assessing the internal control structure.

        93 GAO-02-340G Government Auditing Standards Exposure Draft

Understanding the controls relevant to compliance with those laws and
regulations that the auditors have determined are significant can help
auditors assess the risk of illegal acts.

7.13 A subset of these categories of internal control is the safeguarding of
resources. Controls over the safeguarding of resources include policies and
procedures that management has implemented to reasonably prevent or promptly
detect unauthorized acquisition, use, or disposition of resources.

7.14 Auditors can obtain an understanding of internal control through
inquiries, observations, inspection of documents and records, or review of
other auditors' reports. The procedures auditors perform to obtain an
understanding of internal control will vary among audits. One factor
influencing the extent of these procedures is the auditors' knowledge about
internal control gained in prior audits. Also, the need to understand
internal control will depend on the particular aspects of the program the
auditors consider in setting objectives, scope, and methodology. The
following are examples of how the auditors' understanding of internal
control can influence the audit plan.

a. Audit objectives: Poorly controlled aspects of a program have a higher
risk of failure, so they may be more significant than others in terms of
where auditors would want to focus their efforts.

b. Audit scope: Knowledge of the internal control environment and the status
of controls in a certain location may lead auditors to target their efforts
there.

c. Audit methodology: Effective controls over collecting, summarizing, and
reporting data may enable auditors to limit the extent of their direct
testing of data validity and reliability. In contrast, evidence suggesting
ineffective controls may lead auditors to perform more direct testing of the
data, look for data from outside the entity, or develop their own data.

        94 GAO-02-340G Government Auditing Standards Exposure Draft

7.15 When internal controls are significant to the audit objectives,
auditors should plan to obtain sufficient evidence to support their
judgments about those controls.5 The following are examples of circumstances
where internal controls can be significant to audit objectives.

a. In determining the cause of unsatisfactory performance, that
unsatisfactory performance could result from weaknesses in specific internal
controls.

b. When assessing the validity and reliability of performance measures
developed by the audited entity, effective internal control over collecting,
summarizing, and reporting data will help ensure valid and reliable
performance measures.

7.16 Internal auditing is an important part of internal control.6 When an
assessment of internal control is called for, the work of the internal
auditors can be used to help provide reasonable assurance that internal
controls are functioning properly and to prevent duplication of effort.

Considering Legal, Regulatory, and 
7.17 When laws, regulations, and other compliance requirements such as
provisions of contracts or grant agreements are significant to the audit
objectives, auditors should design the audit to provide reasonable assurance
about compliance with them. This requires determining which laws,
regulations, and other compliance requirements are significant to the audit
objectives and assessing the risk that significant noncompliance could
occur.7 Based on that risk assessment, the auditors design and perform
procedures to provide reasonable assurance of detecting

5The Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1, November 1999) is one source of established criteria
auditors can use to support their judgments and conclusions about internal
control.

6Many government entities have these activities identified by other names,
such as inspection, appraisal, investigation, organization and methods, or
management analysis. These activities assist management by reviewing
selected functions.

7The term noncompliance includes not only illegal acts resulting from
violations of laws and regulations, but also violations of provisions of
contracts or grant agreements.

        95 GAO-02-340G Government Auditing Standards Exposure Draft

significant instances of noncompliance. (See paragraphs 7.59 through 7.63
for a discussion of evidence indicative of fraud, illegal acts, or other
noncompliance.)

7.18 Auditors may find it necessary to work with legal counsel to (1)
determine those laws and regulations that are significant to the audit
objectives, (2) design tests of compliance with laws and regulations, or (3)
evaluate the results of those tests. Auditors also may find it necessary to
rely on the work of legal counsel when audit objectives require testing
compliance with provisions of contracts or grant agreements.8 Depending on
the circumstances of the audit, auditors may find it necessary to obtain
information on compliance matters from others, such as investigative staff,
other audit organizations or government entities that provided assistance to
the audited entity, or the applicable law enforcement authority.

7.19 It is not practical to set precise standards for determining if laws,
regulations, or other compliance requirements are significant to audit
objectives because government programs are subject to many laws,
regulations, and other compliance requirements, and audit objectives vary
widely. However, auditors may find the following approach helpful in making
that determination.

a. Reduce each audit objective to questions about specific aspects of the
program being audited (that is, purpose and goals, internal control,
efforts, program operations, outputs, and outcomes, as discussed in
paragraph 7.10).

b. Identify laws, regulations, and other compliance requirements that
directly relate to specific aspects of the program included in questions
that reflect the audit objectives.

c. Determine if violations of those laws, regulations, or other compliance
requirements could significantly affect the auditors' answers to the
questions that relate to the audit objectives. If they could, then those
laws, regulations, and other compliance requirements are likely to be
significant to the audit objectives.

8Paragraphs 7.25 through 7.27 discuss relying on the work of others.

        96 GAO-02-340G Government Auditing Standards Exposure Draft

7.20 In planning tests of compliance with significant laws, regulations, and
other compliance requirements, auditors should assess the risk that
noncompliance could occur. That risk may be affected by such factors as the
complexity of the laws and regulations or their newness. The auditors'
assessment of risk includes consideration of whether the entity has controls
that are effective in preventing or detecting noncompliance. Management is
responsible for establishing effective controls to ensure compliance with
laws and regulations, as well as other compliance requirements such as
provisions of contracts or grant agreements. If auditors obtain sufficient
evidence of the effectiveness of these controls, they can reduce the extent
of their tests of compliance.

Criteria 
7.21 Criteria are the standards, measures, expectations of what should
exist, best practices, or benchmarks against which performance is compared
or evaluated. Criteria, one of the elements of a finding, provide a context
for understanding the results of the audit. (See paragraphs 7.45 through
7.48 for a discussion on the other elements of a finding.) The audit plan,
where possible, should state the criteria to be used. In selecting criteria,
auditors have a responsibility to use criteria that are reasonable,
attainable, and relevant to the objectives of the performance audit. The
following are some examples of possible criteria:

a. purpose or goals prescribed by law or regulation or set by management,

b. policies and procedures established by management of the audited entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior years' performance,

        97 GAO-02-340G Government Auditing Standards Exposure Draft

f. performance of similar entities,

g. performance in the private sector, or

h. best practices of leading organizations.

Considering the Results of Previous Audits 
7.22 Auditors should consider the results of previous audits and follow-up
on known significant findings and recommendations9 that directly relate to
the audit objectives of the performance audit. Auditors should also be alert
to the status of relevant findings and recommendations identified in other
available audits and studies by other organizations as well. For example, an
audit report on an entity's computerized information systems may contain
significant findings that could relate to the audit if the entity uses such
systems to process its accounting or other information the auditors plan on
using. In any event, auditors need to make judgments about the extent of
follow-up needed and the appropriate disclosure of uncorrected significant
findings and recommendations from prior audits that affect the audit
objectives.

7.23 Providing continuing attention to significant findings and
recommendations is important to ensure that the benefits of audit work are
realized. Ultimately, the benefits of audit work occur when audit findings
are resolved through meaningful and effective corrective action taken in
response to the auditors' findings and recommendations. Officials of the
audited entity are responsible for resolving audit findings and
recommendations directed to them and for having a process to track their
status. If officials of the audited entity do not have such a process,
auditors may wish to establish their own process.

9Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors' work and users'
conclusions about those results.

        98 GAO-02-340G Government Auditing Standards Exposure Draft

Identifying Sources of Audit Evidence 
7.24 In identifying potential sources of data that could be used as audit
evidence, auditors should consider the validity and reliability of these
data, including data collected by the audited entity, data generated by the
auditors, or data provided by third parties, as well as the sufficiency and
relevance of the evidence. (See paragraphs 7.41 through 7.44 for guidance
concerning evidence.)

Considering Work of Other Auditors 
7.25 Auditors should determine if other auditors have previously done, or
are doing, audits of the program or the entity that operates it. Whether
other auditors have done performance audits, financial audits, or
attestation engagements, the other auditors may be useful sources of
information for planning and performing the audit. If other auditors have
identified areas that warrant further study, their work may influence the
auditors' selection of objectives. The availability of other auditors' work
may also influence the selection of methodology, as the auditors may be able
to rely on that work to limit the extent of their own testing.

7.26 If auditors intend to rely on the work of other auditors, they should
perform procedures regarding the specific work to be relied on that provide
a sufficient basis for that reliance. Auditors can obtain evidence
concerning the other auditors' qualifications10 and independence through
prior experience, inquiry, and/or review of the other auditors' external
quality control review report. Auditors can determine the sufficiency,
relevance, and competence of other auditors' evidence by reviewing their
report, audit program, or audit documentation, or by performing supplemental
tests of the other auditors' work. The nature and extent of evidence needed
will depend on the significance of the other auditors' work and on the
extent to which the auditors will rely on that work.

10Auditors from another country engaged to conduct audits in their country

should meet the professional qualifications to practice under that country's
laws and regulations or other acceptable standards, such as those issued by
the International Organization of Supreme Audit Institutions. Also see the
International Federation of Accountants' International Standards on
Auditing.

        99 GAO-02-340G Government Auditing Standards Exposure Draft

7.27 Auditors face similar considerations when using the work of nonauditors
(consultants, experts, specialists, and so forth). In addition, auditors
should obtain an understanding of the methods and significant assumptions
used by the nonauditors. (See paragraph 3.xx for independence considerations
when relying on the work of others.)

Staff and Other Resources 
7.28 Staff planning should include, among other things,

a. assigning staff with the appropriate collective knowledge, skills, and
experience for the job,

b. assigning an adequate number of staff and supervisors to the audit,

c. providing for on-the-job training of staff, and

d. engaging specialists when necessary.

7.29 The availability of staff and other resources and the need for
specialized skills are important considerations in establishing the
objectives, scope, and methodology. For example, limitations on travel funds
may preclude auditors from visiting certain critical locations, or lack of
expertise in a particular methodology or with computerized information
systems may preclude auditors from undertaking certain objectives. Auditors
may be able to overcome such limitations by using staff from any existing
local field offices of the audit entity or by engaging consultants with the
necessary expertise.

7.30 If the use of a specialist is planned, auditors should have sufficient
knowledge to

a. articulate the objectives required of the specialist,

b. evaluate whether the specified procedures will meet auditors' objectives,
and

        100 GAO-02-340G Government Auditing Standards Exposure Draft

c. evaluate the results of the procedures applied as they relate to other
planned audit procedures.

7.31 Auditors without sufficient knowledge to perform the functions listed
above may have to engage a consultant for quality control purposes for the
areas related to the specialist's work.

Communicating With Management and Others 
7.32 Auditors should communicate information about the specific nature of
the audit, as well as general information concerning the planning and
conduct of the performance audit, to the various parties involved in the
audit to help them understand the objectives, time frames, and any data
needs. Such parties may include

a. the head of the audited entity;

b. the audit committee or, in the absence of an audit committee, the board
of directors or other equivalent oversight body;

c. the individual who possesses a sufficient level of authority and
responsibility for the program or activity being audited; and

d. the individuals contracting for or requesting audit services, such as
contracting officials or legislative members or staff, if applicable.

7.33 Auditors should use their professional judgment to determine the form,
content, and frequency of the communication, although written communication
is preferred, and should document the communication. Auditors may use an
engagement letter, if appropriate, to communicate the information.

        101 GAO-02-340G Government Auditing Standards Exposure Draft

Documenting Planning Decisions 
7.34 A written audit plan should be prepared for each audit. The form and
content of the written audit plan will vary among audits but should include
an audit program or project plan, a memorandum, or other appropriate
documentation of key decisions about the audit objectives, scope, and
methodology and of the auditors' basis for those decisions. It should be
updated, as necessary, to reflect any significant changes to the plan made
during the audit.

7.35 Documenting the audit plan is an opportunity for the auditors to review
the work done in planning the audit to determine whether

a. the proposed audit objectives are likely to result in a useful report,

b. the proposed audit scope and methodology are adequate to satisfy the
audit objectives, and

c. sufficient staff and other resources are available to perform the audit
and to meet expected time frames for completing the work.

7.36 Written audit plans may include the following.

a. Information about the legal authority for the audited program, its
history and current objectives, its principal locations, and other
background that can help auditors understand and carry out the audit plan.

b. Information about the responsibilities of each member of the audit team
(such as preparing audit programs, conducting audit work, supervising and
reviewing audit work, drafting reports, handling comments from officials of
the audited program, and processing the final report), which can help
auditors when the work is conducted at several different locations. In these
audits, use of comparable audit methods and procedures can help make the
data obtained from participating locations comparable.

        102 GAO-02-340G Government Auditing Standards Exposure Draft

c. Audit programs describing procedures to accomplish the audit objectives
and providing a systematic basis for assigning work to staff and for
summarizing the work performed.

d. The general format of the audit report and the types of information to be
included, which can help auditors focus their field work on the information
to be reported.

SUPERVISION 
7.37 The second field work standard for performance audits is:

Staff are to be properly supervised.

7.38 Supervision involves directing the efforts of staff assigned to the
audit to ensure that the audit objectives are accomplished. Elements of
supervision include providing sufficient guidance to staff members, keeping
informed of significant problems encountered, reviewing the work performed,
and providing effective on-the-job training.

7.39 Supervisors should satisfy themselves that staff members clearly
understand what work they are to do, why the work is to be conducted, and
what the work is expected to accomplish. With experienced staff, supervisors
may outline the scope of the work and leave details to the staff. With a
less experienced staff, supervisors may have to specify audit procedures to
be performed as well as techniques for gathering and analyzing data.

7.40 The nature of the review of audit work may vary depending on the
significance of the work or the experience of the staff. For example, it may
be appropriate to have experienced staff review much of the work of other
staff with similar experience.

        103 GAO-02-340G Government Auditing Standards Exposure Draft

EVIDENCE 
7.41 The third field work standard for performance audits is:

Sufficient, competent, and relevant evidence is to be obtained to afford a
reasonable basis for the auditors' findings and conclusions.

7.42 A large part of auditors' work on an audit concerns obtaining and
evaluating evidence that ultimately supports their judgments and conclusions
pertaining to the audit objectives. In evaluating evidence, auditors
consider whether they have obtained the evidence necessary to achieve
specific audit objectives. When internal control or compliance requirements
are significant to the audit objectives, auditors should also collect and
evaluate evidence relating to controls or compliance.

7.43 Evidence may be categorized as physical, documentary, testimonial, and
analytical. Physical evidence is obtained by auditors' direct inspection or
observation of people, property, or events. Such evidence may be documented
in memoranda, photographs, drawings, charts, maps, or physical samples.
Documentary evidence consists of created information such as letters,
contracts, accounting records, invoices, and management information on
performance. Testimonial evidence is obtained through inquiries, interviews,
or questionnaires. Analytical evidence includes computations, comparisons,
separation of information into components, and rational arguments.

7.44 The guidance in the following paragraphs is intended to help auditors
judge the quality and quantity of evidence needed to satisfy audit
objectives. Paragraphs 7.45 through 7.48 describe the elements of an audit
finding. Paragraphs 7.49 through 7.58 provide guidance to help auditors
determine what constitutes sufficient, competent, and relevant evidence to
support their findings and conclusions.

        104 GAO-02-340G Government Auditing Standards Exposure Draft

Audit Findings 
7.45 Audit findings often have been regarded as containing the elements of
criteria, condition, and effect, plus cause when problems are found.
However, the elements needed for a finding depend entirely on the objectives
of the audit. Thus, a finding or set of findings is complete to the extent
that the audit objectives are satisfied and the report clearly relates those
objectives to the finding's elements. Criteria are discussed in paragraph
7.21, and the other elements of a finding--condition, effect, and cause--are
discussed in the following paragraphs.

7.46 Condition: Condition is a situation that exists. It has been determined
and documented during the audit.

7.47 Effect: Effect has two meanings, which depend on the audit objectives.
When the auditors' objectives include identifying the actual or potential
consequences of a condition that varies (either positively or negatively)
from the criteria identified in the audit, "effect" is a measure of those
consequences. Auditors often use effect in this sense to demonstrate the
need for corrective action in response to identified problems. When the
auditors' objectives include estimating the extent to which a program has
caused changes in physical, social, or economic conditions, "effect" is a
measure of the impact achieved by the program. Here, effect is the extent to
which positive or negative changes in actual physical, social, or economic
conditions can be identified and attributed to program operations.

7.48 Cause: Like effect, cause also has two meanings, which depend on the
audit objectives. When the auditors' objectives include explaining why a
particular type of positive or negative performance identified in the audit
occurred, the reasons for that performance are referred to as "cause."
Identifying the cause of problems can assist auditors in making constructive
recommendations for correction. Because problems can result from a number of
plausible factors or multiple causes, the recommendation can be more
persuasive if auditors can clearly demonstrate and explain with evidence and
reasoning the link between the problems and the factor or factors they
identified as the underlying cause. When the auditors' objectives include

        105 GAO-02-340G Government Auditing Standards Exposure Draft

estimating the program's effect on changes in physical, social, or economic
conditions, they seek evidence of the extent to which the program itself is
the "cause" of those changes.

Tests of Evidence 
7.49 Evidence should be sufficient, competent, and relevant to support a
sound basis for audit findings, conclusions, and recommendations.

a. Evidence should be sufficient to support the auditors' findings. In
determining the sufficiency of evidence, auditors should ensure that enough
evidence exists to persuade a knowledgeable person of the validity of the
findings. When appropriate, statistical methods may be used to establish
sufficiency.

b. Evidence is competent if it is consistent with fact (that is, evidence is
competent if it is valid and reliable). In assessing the competence of
evidence, auditors should consider such factors as whether the evidence is
accurate, authoritative, timely, and authentic. When appropriate, auditors
may use statistical methods to derive competent evidence.

c. Evidence is relevant if it has a logical, sensible relationship to the
issue being addressed.

7.50 The following presumptions are useful in judging the competence of
evidence. However, these presumptions are not to be considered sufficient in
themselves to determine competence. The amount and kinds of evidence
required to support auditors' conclusions should be based on auditors'
professional judgment.

a. Evidence obtained when internal controls are effective is more competent
than evidence obtained when controls are weak or nonexistent. Auditors
should therefore be particularly careful in cases where controls are weak or
nonexistent.

        106 GAO-02-340G Government Auditing Standards Exposure Draft

b. Evidence obtained through the auditors' direct physical examination,
observation, computation, and inspection is more competent than evidence
obtained indirectly.

c. Original documents provide more competent evidence than do copies.

d. Testimonial evidence obtained under conditions where persons may speak
freely is more competent than testimonial evidence obtained under
compromising conditions (for example, where the persons may be intimidated).

e. Testimonial evidence obtained from an individual who is not biased or has
complete knowledge about the area is more competent than testimonial
evidence obtained from an individual who is biased or has only partial
knowledge about the area.

f. Evidence obtained from a credible third party may in some cases be more
competent than that secured from management or other officials of the
audited entity.

7.51 Auditors may find it useful to obtain written representations
concerning the competence of certain evidence from officials of the audited
entity. Written representations ordinarily confirm oral representations
given to auditors, indicate and document the continuing appropriateness of
such representations, and reduce the possibility of misunderstanding
concerning the matters that are the subject of the representations. Written
representations can take several forms, including having entity management
sign summary documents prepared by the auditors.

7.52 The auditors' approach to determining the sufficiency, competence, and
relevance of evidence depends on the source of the information that
constitutes the evidence. Information sources include original data gathered
by auditors and existing data gathered by either management or a third
party. Data from any of these sources may be obtained from computer-based
systems.

        107 GAO-02-340G Government Auditing Standards Exposure Draft

7.53 Data gathered by auditors: Data gathered by auditors include the
auditors' own observations and measurements. Among the methods for gathering
this type of data are questionnaires, structured interviews, direct
observations, and computations. The design of these methods and the skill of
the auditors applying them are the keys to ensuring that these data
constitute sufficient, competent, and relevant evidence. When these methods
are applied to determine cause, auditors are concerned with eliminating
rival explanations.

7.54 Data gathered by management: Auditors can use data gathered by
management as part of their evidence. However, auditors should determine the
validity and reliability of these data that are significant to the audit
objectives and may do so by direct tests of the data. Auditors can reduce
the direct tests of the data if they test the effectiveness of the entity's
internal controls over the validity and reliability of the data, and these
tests support the conclusion that the controls are effective. The nature and
extent of testing of the data will depend on the significance of the data to
support auditors' findings.

7.55 Data gathered by third parties: The auditors' evidence may also include
data gathered by third parties. In some cases, these data may have been
audited by others, or the auditors may be able to audit the data themselves.
In other cases, however, it will not be practical to obtain evidence of the
data's validity and reliability. How the use of unaudited third-party data
affects the auditors' report depends on the data's significance to the
auditors' findings. For example, in some circumstances, auditors may use
unaudited data to provide background information; however, the use of such
unaudited data would generally not be appropriate to support audit findings
and conclusions.

7.56 Validity and reliability of data from computer-based systems: Auditors
should obtain sufficient, competent, and relevant evidence that
computer-processed data are valid and reliable when those data are
significant to the auditors' findings. This work is necessary regardless of
whether the data are provided to auditors or auditors independently extract
them.11 Auditors

11When computer-processed data are used by the auditor, or included in the
report, for background or informational purposes and are not significant to
the auditors' findings, citing the source of the data and stating that they
were not verified will satisfy the reporting standards for accuracy and
completeness set forth in this statement.

        108 GAO-02-340G Government Auditing Standards Exposure Draft

should determine if other auditors have worked to establish the validity and
reliability of the data or the effectiveness of the controls over the system
that produced the data. If the results of such work is current, auditors may
be able to rely on that work. (See paragraphs 7.25 through 7.27 for
requirements when relying on the work of others.) Auditors may also
determine the validity and reliability of computer-processed data by direct
tests of the data.

7.57 Auditors can reduce the direct tests of the data if they test the
effectiveness of general and application controls over computer-processed
data, and these tests support the conclusion that the controls are
effective. If auditors determine that internal controls over data which are
significantly dependent upon computerized information systems are not
effective or if auditors do not plan to test the effectiveness of such
controls, auditors should include audit documentation regarding the basis
for that conclusion by addressing (1) the reasons why the design or
operation of the controls is ineffective, or (2) the reasons why it is
inefficient to test the controls. In such circumstances, auditors should
also include audit documentation regarding their reasons for concluding that
the planned audit procedures are effectively designed to achieve specific
audit objectives. This documentation should address

a. the rationale for determining the types and extent of planned audit
procedures;

b. the kinds and competence of available evidence produced outside a
computerized information system; and

c. the effect on the audit report if the evidence gathered during the audit
does not allow the auditors to achieve audit objectives.

7.58 When the auditors' tests of data disclose errors in the data, or when
they are unable to obtain sufficient, competent, and relevant evidence about
the validity and reliability of the data, they may find it necessary to

        109 GAO-02-340G Government Auditing Standards Exposure Draft

a. seek evidence from other sources,

b. redefine the audit's objectives to eliminate the need to use the data, or

c. use the data, but clearly indicate in their report the data's limitations
and refrain from making unwarranted conclusions or recommendations.

Evidence Indicative of Fraud, Illegal Acts, 
7.59 Auditors should be alert to situations or transactions that could be
indicative of fraud, illegal acts (violations of laws and regulations), or
other noncompliance (violations of other compliance requirements such as
provisions of contracts or grant agreements). When information comes to the
auditors' attention (through audit procedures, allegations received through
fraud hotlines, or other means) indicating that fraud, illegal acts, or
other noncompliance may have occurred, auditors should consider whether the
possible fraud, illegal acts, or other noncompliance could significantly
affect the audit results. If they could, the auditors should extend the
audit steps and procedures, as necessary, (1) to determine if fraud, illegal
acts, or other noncompliance are likely to have occurred and (2) if so, to
determine their effect on the audit results.

7.60 Auditors' training, experience, and understanding of the program being
audited may provide a basis for recognizing that some acts coming to their
attention may be indicative of fraud, illegal acts, or other noncompliance.
Whether an act is, in fact, illegal is a determination to be made through
the judicial or other adjudicative system and is beyond auditors'
professional expertise and responsibility. However, auditors are responsible
for being aware of vulnerabilities to fraud, illegal acts, or other
noncompliance associated with the area being audited in order to be able to
identify indications that fraud, illegal acts, or other noncompliance may
have occurred. In some circumstances, conditions such as the following might
indicate a heightened risk of fraud, illegal acts, or other noncompliance:

        110 GAO-02-340G Government Auditing Standards Exposure Draft

a. weak management which fails to enforce existing internal control or to
provide adequate oversight over the control process;

b. inadequate separation of duties, especially those that relate to
controlling and safeguarding resources;

c. transactions that are out of the ordinary and are not satisfactorily
explained, such as unexplained adjustments in inventories or other
resources;

d. instances when employees of the audited entity refuse to take vacations
or accept promotions;

e. missing or altered documents, or unexplained delays in providing
information;

f. false or misleading information; or

g. history of impropriety, such as past audits or investigations with
findings of questionable or criminal activity.

7.61 Auditors should exercise professional judgment in pursuing indications
of possible fraud, illegal acts, or other noncompliance so as not to
interfere with potential investigations, legal proceedings, or both. Under
some circumstances, laws, regulations, or policies require auditors to
report indications of certain types of illegal acts to law enforcement or
investigatory authorities before extending audit steps and procedures.
Auditors may also be required to withdraw from or defer further work on the
audit or a portion of the audit in order not to interfere with an
investigation.

7.62 An audit made in accordance with these standards provides reasonable
assurance of detecting fraud, illegal acts, or other noncompliance that
could significantly affect the audit results; it does not guarantee the
discovery of fraud, illegal acts, or other noncompliance. Nor

        111 GAO-02-340G Government Auditing Standards Exposure Draft

does the subsequent discovery of such acts committed during the audit period
necessarily mean that the auditors' performance was inadequate, provided the
audit was made in accordance with these standards.

7.63 Abuse is distinct from illegal acts and other noncompliance. When abuse
occurs, no law, regulation, contract provision, or grant agreement is
violated. Rather, the conduct of a government program falls far short of
societal expectations for prudent program management. Auditors should be
alert to situations or transactions that could be indicative of abuse. When
information comes to the auditors' attention (through audit procedures,
allegations received through a fraud hotline, or other means) indicating
that abuse may have occurred, auditors should consider whether the possible
abuse could significantly affect the audit results. If it could, the
auditors should extend the audit steps and procedures, as necessary, (1) to
determine if the abuse occurred and (2) if so, to determine its effect on
the audit results. However, because the determination of abuse is so
subjective, auditors are not expected to provide reasonable assurance of
detecting it.

AUDIT DOCUMENTATION 
7.64 The fourth field work standard for performance audits is:

Auditors should prepare and maintain audit documentation. Audit
documentation should contain sufficient information to enable an experienced
reviewer, who has had no previous connection with the audit, to ascertain
from the audit documentation the evidence that supports the auditors'
significant judgments and conclusions. Audit documentation that supports
significant findings, conclusions, and recommendations should be complete
before auditors issue their report.

7.65 The form and content of audit documentation should be designed to meet
the circumstances of the particular audit. The information contained in
audit documentation constitutes the

        112 GAO-02-340G Government Auditing Standards Exposure Draft

principal record of the work that the auditors have performed and the
conclusions that the auditors have reached. The quantity, type, and content
of audit documentation is a matter of the auditors' professional judgment.

7.66 Audit documentation serves three main purposes: (1) to provide the
principal support for the auditors' report, (2) to aid auditors in
conducting and supervising the audit, and (3) to allow for the review of
audit quality. This third purpose is important because audits done in
accordance with GAGAS often are subject to review by other auditors and by
oversight officials.

Audit documentation allows for the review of audit quality by providing the
reviewer documentation, either in written or electronic formats, of the
evidence supporting the auditors' significant judgments and conclusions.

7.67 Audit organizations should establish reasonable policies and procedures
for the safe custody and retention of audit documentation for a time
sufficient to satisfy legal and administrative requirements. If audit
documentation is only retained electronically, the audit organization should
ensure that the electronic documentation is capable of being accessed
throughout the specified retention period established for audit
documentation and is safeguarded through sound computer security.

7.68 Audit documentation should contain

a. the objectives, scope, and methodology, including sampling and other
selection criteria used;

b. documentation of the auditors' determination that certain standards do
not apply or that an applicable standard was not followed, the reasons
therefore, and the known effect that not following the standard had, or
could have, on the audit;

        113 GAO-02-340G Government Auditing Standards Exposure Draft

c. documentation of the work performed to support significant judgments and
conclusions, including descriptions of transactions and records examined
that would enable an experienced reviewer to examine the same transactions
and records;12 and

d. evidence of supervisory review of the work performed.

7.69 Underlying GAGAS audits is that federal, state, and local governments
and other organizations cooperate in auditing programs of common interest so
that the auditors may use others' work and avoid duplicate audit efforts. In
addition, audits performed in accordance with GAGAS are subject to quality
control and assurance reviews. Auditors should make arrangements to make
audit documentation available, upon request, in a timely manner to other
auditors or reviewers. Contractual arrangements for GAGAS audits should
provide for full and timely access to audit documentation to facilitate
reliance by other auditors on the auditors' work, as well as reviews of
audit quality control and assurance.

12The nature of this documentation will vary with the nature of the work
performed. For example, when this work includes examination of management's
records, the audit documentation should describe those records so that an
experienced reviewer would be able to examine those same records. Auditors
may meet this requirement by listing file numbers, case numbers, or other
means of identifying specific documents they examined. They are not required
to include in the audit documentation copies of documents they examined, nor
are they required to list detailed information from those documents.

        114 GAO-02-340G Government Auditing Standards Exposure Draft

                              CHAPTER 8 
             REPORTING STANDARDS FOR PERFORMANCE AUDITS 
INTRODUCTION 
8.1 This chapter prescribes reporting standards and provides guidance to
auditors reporting on performance audits in accordance with generally
accepted government auditing standards (GAGAS). The reporting standards for
performance audits relate to the form of the report, the report contents,
report quality, and report issuance and distribution.

FORM 
8.2 The first reporting standard for performance audits is:

Auditors should prepare audit reports communicating the results of each
audit.

8.3 The form of the audit report should be appropriate for its intended use.
Auditors should use their professional judgment including consideration of
users' needs, likely demand, and distribution in determining the form of the
audit report. In addition to a more formal presentation of audit results,
such as a chapter report or a letter report, briefing slides may be
considered audit reports. Audit reports also may be presented on electronic
media that are retrievable by report users and the audit organization, such
as video or compact disk formats. However, to comply with these standards,
audit reports, regardless of form, should comply with all applicable
reporting standards.

        115 GAO-02-340G Government Auditing Standards Exposure Draft

8.4 This standard is not intended to limit or prevent discussion of
findings, judgments, conclusions, and recommendations with persons who have
responsibilities involving the area being audited. On the contrary, such
discussions are encouraged.

8.5 Audit reports (1) communicate the results of audits to officials at
various levels of government, (2) make the results less susceptible to
misunderstanding, (3) make the results available for public inspection, and
(4) facilitate follow-up to determine whether appropriate corrective actions
have been taken. The need to maintain public accountability for government
program demands that audit reports be retrievable.

8.6 When an audit is terminated before it is completed, auditors should
communicate that fact to management of the audited entity, the entity
requesting the audit, and other appropriate officials, preferably in
writing. In the absence of an audit report, auditors should also write a
memorandum for the record that summarizes the results of the work to the
date of termination and explains why the audit was terminated.

REPORT CONTENTS 
8.7 The second reporting standard for performance audits is:

The audit report should include the objectives, scope, and methodology; the
audit results, including findings, conclusions, and recommendations, as
appropriate; a reference to compliance with generally accepted government
auditing standards; the views of responsible officials; and, if applicable,
the nature of any privileged and confidential information omitted.

        116 GAO-02-340G Government Auditing Standards Exposure Draft

Objectives, Scope, and Methodology 
8.8 Auditors should include in the report the audit objectives and the scope
and methodology used for achieving the audit objectives. This information is
needed by report users to understand the purpose of the audit and the nature
of the audit work performed, to provide perspective as to what is reported,
and to understand any significant limitations in audit objectives, scope, or
methodology. Auditors should also report the status of uncorrected
significant findings and recommendations1 from prior audits that affect the
objectives of the current audit.

Objectives 
8.9 Audit objectives should be communicated to knowledgeable users by
reporting the questions that were to be answered in the audit in a clear,
specific, and neutral manner that avoids unstated assumptions. In reporting
the audit objectives, auditors should explain why the audit organization
undertook the assignment and state what the report is to accomplish, and why
the subject matter is important. Articulating what the report is to
accomplish normally involves identifying the audit subject and the aspect of
performance examined. The reported audit objectives provide more meaningful
information to report users if they are measurable and feasible and avoid
being presented in a broad or general manner. To reduce misunderstanding in
cases where the objectives are particularly limited and broader objectives
can be inferred, it may be necessary to state objectives that were not
pursued.

Scope and Methodology 
8.10 In reporting the scope of the audit, auditors should describe the depth
and coverage of work conducted to accomplish the audit's objectives.
Auditors should, as applicable, explain the relationship between the
population of items sampled and what was audited; identify organizations,
geographic locations, and the period covered; report the kinds and sources
of evidence; and explain

1Significant findings and recommendations are those matters, that if not
corrected, could affect the results of the auditors' work and users'
conclusions about those results.

        117 GAO-02-340G Government Auditing Standards Exposure Draft

any problems with the evidence. Auditors should also report significant
constraints imposed on the audit approach by data limitations or scope
impairments.

8.11 To report the methodology used, auditors should clearly explain how the
audit objectives were accomplished including the evidence gathering and
analysis techniques used in sufficient detail to allow knowledgeable users
of their reports to understand the work. This explanation should identify
any significant assumptions made in conducting the audit; describe any
comparative techniques applied; describe the criteria used; and when
sampling significantly supports auditors' findings, describe the sample
design and state why it was chosen, including whether the results can be
projected to the intended population.

8.12 Auditors should attempt to avoid misunderstanding by the report user
concerning the work that was and was not done to achieve the audit
objectives, particularly when the work was limited because of constraints on
time or resources. The auditors' report should clearly describe the scope of
the work performed and any limitations, the applicable standards that were
not followed, and the reasons therefore, and how not following the
applicable standards affected or could affect the results of the work. For
example, if the auditors are unable to determine the reliability of
information from an agency's database, and information from this database is
critical to the audit findings, the report should clearly state the
limitations associated with the information and refrain from making
unwarranted conclusions or recommendations. In these situations, the audit
report should also include the reasons the auditors were unable to perform
this work and the potential impact on the findings if the information is not
reliable.

Audit Results 
8.13 Auditors should report significant findings by providing credible and
convincing evidence that relates to the audit objectives. An audit report is
improved when it provides sufficient contextual sophistication to reflect an
understanding of the issues and an awareness of the external environment,
including sensitivity to relevant trends. The report should provide
selective background information

        118 GAO-02-340G Government Auditing Standards Exposure Draft

to provide the context for the overall message and to help the reader
understand the significance of the issues discussed.2 The report should also
include all significant instances of fraud, illegal acts, or other
noncompliance3 and all significant instances of abuse that were found during
or in connection with the audit and any significant weaknesses in internal
control found during the audit, and where applicable, auditors'
conclusions.4

Findings 
8.14 Auditors should report the significant findings developed in response
to each audit objective. These findings should be supported by sufficient,
competent, and relevant evidence. They also should be presented in a manner
to promote adequate understanding of the matters reported and to provide
convincing but fair presentations in proper perspective.

8.15 As discussed in chapter 7, findings often have been regarded as
containing the elements of criteria, condition, cause, and effect. However,
the elements needed for a finding depend on the audit objectives. Thus, a
finding or set of findings is complete to the extent that the audit
objectives are satisfied and the report clearly relates those objectives to
the elements of the finding.

8.16 Auditors should develop the elements of a finding in the audit report,
as appropriate to satisfy the audit objectives. In reporting on elements of
findings, auditors may find it useful to consider the following guidance on
each finding element.

2Appropriate background information may include information on how
programs/operations work, the significance of programs/operations (i.e.,
dollars, impact, purposes, and past audit work if relevant), a description
of the audited entity's responsibilities, and explanation of terms,
organizational structure, and statutory basis for the program/operations.

3Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should take care not to imply that they have made a determination of
illegality. See paragraph 8.17 for additional reporting considerations.

4Significant weaknesses in internal controls may be discussed in the report
as an element of a finding. Many times these weaknesses will be described as
the cause of the finding or in "a process finding" will be the condition
element. Paragraphs 7.46 through 7.49 describe the elements of a finding.

        119 GAO-02-340G Government Auditing Standards Exposure Draft

a. Criteria: An audit report is improved when it provides information so
that the report user will be able to determine what is the required or
desired state or what is expected from the program or operation. The
criteria are easier to understand when stated fairly, explicitly, and
completely, and the source of the criteria are identified in the audit
report.5

b. Condition: The audit report is improved when it provides evidence of what
the auditors found regarding the actual situation. Reporting the scope or
extent of the condition allows the report user to gain an accurate
perspective.

c. Cause: The audit report is improved when it provides convincing evidence
on the factor or factors responsible for the difference between condition
and criteria. In reporting the cause, auditors may consider whether the
evidence provides a reasonable and persuasive argument for why the stated
cause is the key factor or factors contributing to the difference as opposed
to other possible causes, such as poorly designed criteria or factors
uncontrollable by program management. The auditors also may consider whether
the identified cause serves as a basis for the recommendations.

d. Effect: The audit report is improved when it provides a clear, logical
link to establish the impact of the difference between what the auditors
found (condition) and what should be (criteria). Effect is easier to
understand when it is stated clearly, concisely, and in concrete terms. The
significance of the reported effect can be demonstrated through credible
evidence.

8.17 When auditors conclude, based on evidence obtained, that significant
fraud, illegal acts, or other noncompliance either has occurred or is likely
to have occurred, they should include in their audit report the relevant
information. The term "noncompliance" comprises illegal acts (violations of
laws and regulations) and violations of provisions of contracts or grant
agreements. When auditors conclude significant abuse has or is likely to
have occurred, they should also include

5Common sources for criteria are laws, regulations, policy, procedures, best
or standard practice, or assertions. The Standards for Internal Control in
the Federal Government (GAO/AIMD-00-21.3.1, November 1999) and Internal
Control-Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO Report) are two sources of
established criteria auditors can use to support their judgments and
conclusions about internal control.

        120 GAO-02-340G Government Auditing Standards Exposure Draft

relevant information in the report. Abuse occurs when the conduct of a
government organization, program, activity, or function falls short of
societal expectations for prudent behavior.

8.18 In reporting significant instances of noncompliance, auditors should
place their findings in perspective. To give the report user a basis for
judging the prevalence and consequences of noncompliance, the instances of
noncompliance should be related to the population or the number of cases
examined and quantified in terms of dollar value, if appropriate. If the
results cannot be projected, the conclusion should be limited to the items
tested.

8.19 In reporting on internal control, auditors should describe the scope of
internal control testing, and in presenting the results of those tests,
report the significant weaknesses.6 Auditors may identify significant
weaknesses in internal control as the cause of deficient performance. In
reporting this type of finding, the control weakness would be described as
the "cause."

8.20 When auditors detect nonsignificant instances of fraud, illegal acts,
or other noncompliance or nonsignificant instances of abuse or weaknesses in
internal control, they should communicate them to the officials of the
audited program, preferably in writing. Auditors should include in their
audit documentation all communications to officials of the audited program
about fraud, illegal acts, or other noncompliance and instances of abuse or
internal control weaknesses. If the auditors have communicated such
instances of fraud, illegal acts, or other noncompliance, abuse, and
internal control weaknesses in a management letter to top management,
auditors should refer to that management letter in the audit report.

6Significant weaknesses are matters coming to the auditors' attention that
they believe should be reported to officials of the audited program because
they could adversely affect the program under audit.

        121 GAO-02-340G Government Auditing Standards Exposure Draft

Direct Reporting of Fraud and Illegal Acts 
8.21 Auditors are responsible for reporting certain fraud and illegal acts
directly to parties outside the audited entity in certain circumstances, as
discussed in the following paragraphs. Auditors should fulfill these
responsibilities even if they have resigned or been dismissed from the
audit.7

8.22 Officials of the audited entity may be required by law or regulation to
report certain fraud and illegal acts to specified external parties such as
a federal inspector general or a state attorney general. If auditors have
communicated such fraud and illegal acts to officials of the audited entity,
and the latter fail to report them, then the auditors should communicate
their awareness of that failure to the audited entity's governing body. If
officials of the audited entity do not make the required report as soon as
practical after the auditors' communication with its governing body, then
the auditors should report the fraud and illegal acts directly to the
external party specified in the law or regulation.

8.23 Auditors should obtain sufficient, competent, and relevant evidence,
such as confirmation with outside parties, to corroborate assertions by
management that it has reported fraud or illegal acts. If they are unable to
do so, then the auditors should report the fraud or illegal acts directly as
discussed above.

8.24 Laws, regulations, or other authority may require auditors to report
promptly indications of fraud or other illegal acts to law enforcement or
investigatory authorities. In such circumstances, when auditors conclude
that fraud or another illegal act either has or is likely to have occurred,
they should refer it to law enforcement or investigatory authorities and ask
those authorities or legal counsel if reporting certain information about
the potential fraud or illegal act would compromise investigative or legal
proceedings. Auditors should limit the extent of their reporting to matters
that would not compromise those proceedings, such as information that is
already a part of the public record.

7Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy.

        122 GAO-02-340G Government Auditing Standards Exposure Draft

Conclusions 
8.25 Auditors should report conclusions when called for by the audit
objectives. Conclusions are logical inferences about the program based on
the auditors' findings and should flow from the findings, instead of
representing a summary of them. Conclusions should be clearly stated, not
implied. The strength of the auditors' conclusions depends on the
persuasiveness of the evidence supporting the findings and the soundness of
the logic used to formulate the conclusions. Conclusions are stronger if
they set up the report's recommendations and convince the knowledgeable user
of the report that action is necessary.

Recommendations 
8.26 If warranted, auditors should make recommendations for actions to
improve programs and operations and to correct problem areas identified
during the audit. Auditors should make recommendations when the potential
for improvement in programs, operations, and performance is substantiated by
the reported findings and conclusions. Recommendations should logically flow
from the evidence and need to state clearly the actions to be taken.
Recommendations to effect compliance with laws and regulations and improve
internal control also should be made when significant instances of fraud,
illegal acts, or other noncompliance are noted or significant abuse or
weaknesses in controls are found.

8.27 Constructive recommendations can encourage improvements in the conduct
of government programs and operations. For recommendations to be most
constructive, they should be directed at resolving the cause of identified
problems, action oriented and specific, addressed to parties that have the
authority to act, practical, and, to the extent feasible, cost effective and
measurable.

        123 GAO-02-340G Government Auditing Standards Exposure Draft

Statement on Compliance With Standards 
8.28 Auditors should report that the audit was made in accordance with
generally accepted government auditing standards. The statement of
compliance with GAGAS refers to all the applicable standards that the
auditors should have followed during the audit. The statement should be
qualified in situations in which the auditors did not follow an applicable
standard. In these situations, auditors should report in the scope section
the applicable standard that was not followed, the reasons therefore, and
how not following the standard affected the results of the audit.

Views of Responsible Officials 
8.29 Auditors should report the views of responsible officials of the
audited program concerning auditors' findings, conclusions, and
recommendations. One of the most effective ways to ensure that a report is
fair, complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials produces a report
that shows not only what was found, and what the auditors think about it,
but also what the officials in the audited entity think about the report and
what they plan to do about it.

8.30 Auditors should normally request that the responsible officials' views
on significant findings, conclusions, and recommendations be submitted in
writing. Oral comments are acceptable as well, and, in some cases, may be
the only or most expeditious way to obtain comments. Cases in which
obtaining oral comments can be effective include when there is a
time-critical need to meet a user's needs; the auditor has worked closely
with the responsible officials throughout the conduct of the work and the
parties are very familiar with the findings and issues addressed in the
draft product; or the auditor does not expect major disagreements with the
draft report's findings, conclusions, and recommendations, or perceive any
major controversies with regard to the issues discussed in the draft report.
Auditors should prepare a summary of the officials' oral comments and
provide a copy

        124 GAO-02-340G Government Auditing Standards Exposure Draft

of the summary to management of the audited entity to verify that the
comments are accurately stated.

8.31 Comments should be fairly and objectively evaluated and recognized, as
appropriate, in the final report. Comments, such as a promise or plan for
corrective action, should be noted but should not be accepted as
justification for dropping a significant finding or a related
recommendation.

8.32 When the audited entity's comments state that the report's findings,
conclusions, or recommendations are inaccurate or misleading and those
comments are not, in the auditors' opinion, valid, the auditors should state
their reasons for disagreeing with the comments. The auditors' disagreement
should be stated in a fair and objective manner. Conversely, the auditors
should modify their report as necessary if they find the comments valid.
Auditors may wish to attach the comment letter to the audit report to
provide the reader with both points of view.

Privileged and Confidential Information 
8.33 If certain information is prohibited from general disclosure, auditors
should report the nature of the information omitted and the requirement that
makes the omission necessary. Certain information may be prohibited from
general disclosure by federal, state, or local laws or regulations. In such
circumstances, auditors may issue a separate limited official use report
containing such information and distribute the report only to persons
authorized by law or regulation to receive it. Auditors should, when
appropriate, consult with legal counsel regarding any requirements or other
circumstances that may necessitate the omission of certain information. If
auditors make the judgment that certain pertinent information should be
excluded from a publicly available report, they should state the nature of
the information omitted and the reasons that make the omission necessary.

8.34 Additional circumstances associated with public safety and security
concerns could also justify the exclusion of certain information in the
report. For example, detailed information related to computer security for a
particular program may be excluded from publicly available reports because

        125 GAO-02-340G Government Auditing Standards Exposure Draft

of the potential damage that could be caused by the misuse of this
information. In such circumstances, auditors may issue a limited official
use report containing such information and distribute the report only to
those parties responsible for acting on the auditors' recommendations. If
auditors make the judgment that certain additional information should be
excluded from a publicly available report, they should state the nature of
the information omitted and the reasons that makes the omission necessary.

8.35 Auditors are expected to act with integrity in judging whether any
information should be excluded from publicly available reports. These
judgments need to be made in a consistent manner with consideration of the
broader public interest in the program or activity under review. Auditors
need to weigh the need to reveal all significant facts known to them which,
if not revealed, could either distort the results or conceal improper or
unlawful practice against any requirements or other circumstances that may
necessitate the omission of certain information.

REPORT QUALITY 
8.36 The third reporting standard for performance audits is:

The reports should be timely, fact-based, accurate, objective, convincing,
clear, and as concise as the subject permits.

Timely 
8.37 To be of maximum use, the audit report needs to provide relevant
information in time to respond to management, legislative officials, and
other users' legitimate needs. Likewise, the information provided in the
report needs to be current. Therefore, auditors should plan for the
appropriate issuance of the report and conduct the audit with these goals in
mind.

        126 GAO-02-340G Government Auditing Standards Exposure Draft

8.38 During the audit, the auditors should consider interim reporting of
significant matters to appropriate entity officials. Such communication,
which may be oral or written, is not a substitute for a final report, but it
does alert officials to matters needing immediate attention and permits them
to correct them before the final report is completed.

Fact-Based 
8.39 Being fact-based requires that the report contains all evidence needed
to satisfy the audit objectives and promotes an adequate and correct
understanding of the matters reported. It also means the report states
information and findings completely, including all necessary facts and
explanations. Giving report users an adequate and correct understanding
means providing perspective on the extent and significance of reported
findings, such as the frequency of occurrence relative to the number of
cases or transactions tested, and the relationship of the findings to the
entity's operations.

8.40 In most cases, a single example of a deficiency is not sufficient to
support a broad conclusion or a related recommendation. All that it supports
is that a deviation, an error, or a weakness existed. Sufficient detailed
supporting data should be included to make convincing presentations.

Accurate 
8.41 Accuracy requires that the evidence presented be true and that findings
be correctly portrayed. The need for accuracy is based on the need to assure
report users that what is reported is credible and reliable. One inaccuracy
in a report can cast doubt on the validity of an entire report and can
divert attention from the substance of the report. Also, use of inaccurate
evidence can damage the credibility of the issuing audit organization and
reduce the effectiveness of its reports.

8.42 The report should include only information, findings, and conclusions
that are supported by competent and relevant evidence in the audit
documentation. If data are significant to the audit

        127 GAO-02-340G Government Auditing Standards Exposure Draft

findings and conclusions, but are not audited, the auditors should clearly
indicate in their report the data's limitations and not make unwarranted
conclusions or recommendations based on those data.

8.43 Reported evidence should demonstrate the correctness and reasonableness
of the matters reported. Correct portrayal means describing accurately the
audit scope and methodology, and presenting findings and conclusions in a
manner consistent with the scope of audit work. The report should not have
errors in logic and reasoning. One way to help ensure accuracy in the report
is to use a quality control process such as referencing. Referencing is a
process in which statements of facts, figures, and dates are traced back to
the supporting working papers by an experienced auditor who is independent
of the audit. This process is designed to ensure that sufficient credible
evidence is present to support the report's conclusions and recommendations.

Objective 
8.44 Objectivity requires that the presentation of the entire report be
balanced in content and tone. A report's credibility is significantly
enhanced when it presents evidence in an unbiased manner so that report
users can be persuaded by the facts. The report should be fair and not
misleading, and should place the audit results in perspective. This means
presenting the audit results impartially and fairly. In describing
shortcomings in performance, auditors should put findings in context. For
example, the audited entity may have faced unusual difficulties or
circumstances.

8.45 The tone of reports should encourage decision makers to act on the
auditors' findings and recommendations. This tone should be balanced by
requiring reports to present sound and logical evidence to support
conclusions, while refraining from using adjectives or adverbs that
characterize evidence in a way that implies criticism or conclusion by
innuendo.

8.46 The report should also recognize the positive aspects of the program
reviewed if applicable to the audit objectives. Inclusion of positive
program aspects may lead to improved performance by other government
organizations that read the report.

        128 GAO-02-340G Government Auditing Standards Exposure Draft

Convincing 
8.47 Being convincing requires that the audit results be responsive to the
audit objectives, the findings be presented persuasively, and the
conclusions and recommendations follow logically from the facts presented.
The information presented should be sufficient to convince the report users
to recognize the validity of the findings, the reasonableness of the
conclusions, and the benefit of implementing the recommendations. Reports
designed in this way can help focus the attention of responsible officials
on the matters that warrant attention and can help stimulate correction.

Clear 
8.48 Clarity requires that the report be easy to read and understand.
Reports should be prepared in language as clear and simple as the subject
permits. Use of straightforward, nontechnical language is essential to
simplicity of presentation. Whenever technical terms, abbreviations, and
acronyms are used, they should be clearly defined.

8.49 Auditors may consider using a summary within the report to capture the
report user's attention and highlight the overall message. If a summary is
used, it generally should focus on the specific answers to the questions in
the audit objectives, summarize the audit's most significant findings and
the report's principal conclusions, and prepare users to anticipate the
major recommendations.

8.50 Logical organization of material, and accuracy and precision in stating
facts and in drawing conclusions, are essential to clarity and
understanding. Effective use of titles and captions and topic sentences
makes the report easier to read and understand. Visual aids (such as
pictures, charts, graphs, and maps) should be used when appropriate to
clarify and summarize complex material.

        129 GAO-02-340G Government Auditing Standards Exposure Draft

Concise 
8.51 Being concise requires that the report be no longer than necessary to
convey and support the message. Extraneous detail detracts from a report,
may even conceal the real message, and may confuse or distract the users.
Also, needless repetition should be avoided. Although room exists for
considerable judgment in determining the content of reports, those that are
fact-based, but still concise, are likely to achieve greater results.

REPORT ISSUANCE AND DISTRIBUTION 
8.52 The fourth reporting standard for performance audits is:

Audit organizations should submit audit reports to the appropriate officials
of the audited program and to the appropriate officials of the organizations
requiring or arranging for the audits, including external funding
organizations, unless legal restrictions prevent it. Copies of the reports
should also be sent to other officials who have legal oversight authority or
who may be responsible for acting on audit findings and recommendations and
to others authorized to receive such reports. Unless the report is
restricted by law or regulation, copies should be made available for public
inspection.

8.53 Audit reports should be distributed in a timely manner to officials
interested in the results. Such officials include those designated by law or
regulation to receive such reports, those responsible for acting on the
findings and recommendations, those of other levels of government who have
provided assistance to the audited entity, and legislators. However, if the
subject of the audit involves material that is classified for security
purposes or is not releasable to particular parties or the public for other
valid reasons, auditors should limit the report distribution.

        130 GAO-02-340G Government Auditing Standards Exposure Draft

8.54 When nongovernment audit organizations are engaged, the engaging
government organization should ensure that the report is distributed
appropriately. If the nongovernment audit organization is to make the
distribution, the engagement agreement should indicate which officials or
organizations should receive the report.

8.55 Internal auditors should follow their entity's own arrangements and
statutory requirements for distribution. Usually, they report to their
entity's top managers, who are responsible for distribution of the report.
Further distribution of reports outside the organization should be made in
accordance with applicable law, rule, regulation, or policy.

        131 GAO-02-340G Government Auditing Standards Exposure Draft
*** End of document. ***