Government Auditing Standards: 2003 Revision (01-JUN-03,
GAO-03-673G).
This is the Government Auditing Standards 2003 revision. This
document outlines standards that contain requirements for auditor
reporting on internal control. The revision supersedes the 1994
revision.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-03-673G
ACCNO: A07371
TITLE: Government Auditing Standards: 2003 Revision
DATE: 06/01/2003
SUBJECT: Auditing procedures
Auditing standards
Cost accounting
Federal advisory bodies
Federal agencies
Internal auditors
Internal audits
Standards evaluation
Yellow Book
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-03-673G
GAO United States General Accounting Office
By the Comptroller General of the United States
June 2003 Goverment Auditing Standards
2003 Revision
GAO- 03- 673G
GAO United States General Accounting Office
By the Comptroller General of the United States
June 2003 Goverment Auditing Standards
2003 Revision This revision of the standards supersedes the 1994 revision,
including amendments 1 through 3. Its provisions are effective for
financial audits and attestation engagements of periods ending on or after
January 1, 2004, and for performance audits beginning on or after January
1, 2004. Early application is permissible.
United States General Accounting Office Washington, DC 20548 Comptroller
General
of the United States
The concept of accountability for public resources is key in our nation*s
governing process and a critical element for a healthy democracy.
Legislators, government officials, and the public want to know whether
government services are being provided efficiently, effectively,
economically, and in compliance with laws and regulations. They also want
to know whether government programs are achieving their objectives and
desired outcomes, and at what cost. Government managers are accountable to
legislative bodies and the public for their activities and related
results. Government auditing is a key element in fulfilling the
government*s duty to be accountable to the people. Auditing allows those
parties and other stakeholders to have confidence in the reported
information on the results of programs or operations, as well as in the
related systems of internal control. Government auditing standards provide
a framework to auditors so that their work can lead to improved government
management, decision- making, oversight and accountability.
These standards are broad statements of auditors* responsibilities. They
provide an overall framework for ensuring that auditors have the
competence, integrity, objectivity, and independence in planning,
conducting, and reporting on their work. Auditors will face many
situations in which they could best serve the public by doing work
exceeding the standards* minimum requirements. As performance and
accountability professionals, we should not strive just to comply with
minimum standards, which represent the floor of acceptable behavior, but
we need to do the right thing according to the facts and circumstances of
each audit situation. I encourage auditors to seek opportunities to do
additional work when and where it is appropriate, particularly in
connection with testing and reporting on internal control.
This is the fourth revision of the overall standards since they were first
issued in 1972. This revision of the standards supersedes the 1994
revision, including amendments 1 through 3. This revision makes changes to
these standards in the following 3 areas:
redefining the types of audits and services covered by the standards,
including an expansion of the definition of performance auditing to
incorporate prospective analyses and other studies and adding attestation
as a separate type of audit,
providing consistency in the field work and reporting requirements among
all types of audits defined under the standards, and
strengthening the standards and clarifying the language in areas that, by
themselves, do not warrant a separate amendment to the standards.
These standards contain requirements for auditor reporting on internal
control, but they do not require the auditor to render an opinion on
internal control. Nevertheless, I encourage auditors to evaluate those
situations where they are reporting on internal control to determine
whether providing an opinion on internal control would add value and be
cost beneficial based on related risks. The Sarbanes- Oxley Act requires
private sector auditors to attest to and report on the assessment made by
management of each publicly traded company on the effectiveness of
internal control over financial reporting. GAO strongly believes that
auditor
Page 2
reporting on internal control is a critical component of monitoring the
effectiveness of an organization*s risk management and accountability
systems. Auditors can better serve their clients and other financial
statement users and better protect the public interest by having a greater
role in providing assurances over the effectiveness of internal control in
deterring fraudulent financial reporting, protecting assets, and providing
an early warning of emerging problems. We believe auditor reporting on
internal control is appropriate and necessary for publicly traded
companies and major public entities. We also believe that such reporting
is appropriate in other cases where management assessment and auditor
examination and reporting on the effectiveness of internal control add
value and mitigate risk in a cost beneficial manner. In this regard, GAO
seeks to lead by example in establishing the
appropriate level of auditor reporting on internal control for federal
agencies, programs, and entities receiving significant amounts of federal
funding. In fact, we already provide opinions on internal control for all
our major federal audit clients, including the consolidated financial
statements of the U. S. Government.
Because of the breadth of the fourth revision to the overall standards,
any new standards are applicable for financial audits and attestation
engagements of periods ending on or after January 1, 2004, and for
performance audits beginning on or after January 1, 2004. Early
application is permissible and encouraged. An electronic version of these
standards can be accessed on the web at www. gao. gov/ govaud/ ybk01. htm.
We have also posted a listing of the major changes from the 1994 Revision
to this web site. Printed copies can be obtained
from the U. S. Government Printing Office. This revision of the standards
currently incorporates the field work and the reporting standards issued
by the American Institute of Certified Public Accountants (AICPA). The
Sarbanes Oxley Act gives the Public Company Accounting Oversight Board
(PCAOB) the authority to set auditing standards to be used by registered
public accounting firms in the preparation and issuance of audit reports
for publicly traded companies. As the PCAOB promulgates auditing standards
for audits of these entities, GAO will continue to closely monitor the
actions of both standard setting bodies and will issue clarifying guidance
as necessary on the incorporation of future standards set by either
standard- setting body.
This revision has gone through an extensive deliberative process including
extensive public comments and input from the Comptroller General*s
Advisory Council on Government Auditing Standards, which includes 21
experts in financial and performance auditing and reporting drawn from all
levels of government, academia, private enterprise, and public accounting.
The views of all parties were thoroughly considered in finalizing the
standards. I thank those who commented and suggested improvements to the
standards. I especially commend the Advisory Council on Government
Auditing Standards and the GAO project team for important contributions to
this revision.
David M. Walker Comptroller General of the United States
June 2003
TABLE OF CONTENTS Chapter 1 Introduction Purpose 1 Applicability 2
Relationship between GAGAS and Other Professional Standards 3
Accountability 4 Roles and Responsibilities 5
Chapter 2 Types of Government Audits and Attestation Engagements
Introduction 9 Financial Audits 9 Attestation Engagements 10 Performance
Audits 11 Nonaudit Services Provided by Audit Organizations 14
Chapter 3 General Standards Introduction 15 Independence 15 Professional
Judgment 28 Competence 30 Quality Control and Assurance 33
Chapter 4 Field Work Standards for Financial Audits Introduction 36 AICPA
Field Work Standards 37 Additional GAGAS Standards 37 Auditor
Communication 38 Considering the Results of Previous Audits and
Attestation Engagements 40 Detecting Material Misstatements Resulting from
Violations of Contract
Provisions or Grant Agreements, and Abuse 41 Developing Elements of a
Finding 43 Audit Documentation 44
Chapter 5 Reporting Standards for Financial Audits Introduction 46 AICPA
Reporting Standards 46 Additional GAGAS Reporting Standards for Financial
Audits 47 Reporting Auditors* Compliance with GAGAS 47 Reporting on
Internal Control and on Compliance with Laws, Regulations, and Provisions
of Contracts or Grant Agreements 48
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, and Abuse 49
Reporting Views of Responsible Officials 54 Reporting Privileged and
Confidential Information 56 Report Issuance and Distribution 56
Chapter 6 General, Field Work, and Reporting Standards for Attestation
Engagements Introduction 58 AICPA General and Field Work Standards for
Attestation Engagements 59 Additional GAGAS Field Work Standards for
Attestation Engagements 59 Auditor Communication 60 Considering the
Results of Previous Audits and Attestation Engagements 61 Internal Control
62 Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or
Grant
Agreements, and Abuse that Could Have a Material Effect on the Subject
Matter 63 Developing Elements of Findings for Attestation Engagements 65
Attest Documentation 65 AICPA Reporting Standards for Attestation
Engagements 67 Additional GAGAS Reporting Standards for Attestation
Engagements 68 Reporting Auditors* Compliance with GAGAS 69 Reporting
Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, and Abuse 72 Reporting Views
of Responsible Officials 74 Reporting Privileged and Confidential
Information 74 Report Issuance and Distribution
Chapter 7 Field Work Standards for Performance Audits Introduction 77
Planning 77 Supervision 91 Evidence 92 Audit Documentation 96
Chapter 8 Reporting Standards for Performance Audits Introduction 99 Form
99 Report Contents 100 Report Quality Elements 108 Report Issuance and
Distribution 111
Appendix I Advisory Council on Government Auditing Standards 112
ABBREVIATIONS AICPA American Institute of Certified Public Accountants
COSO Committee of Sponsoring Organizations of the Treadway
Commission CPA certified public accountant CPE continuing professional
education GAAP generally accepted accounting principles GAAS generally
accepted auditing standards GAGAS generally accepted government auditing
standards GAO U. S. General Accounting Office MD& A Management*s
Discussion and Analysis OMB U. S. Office of Management and Budget SAS
AICPA Statements on Auditing Standards SSAE AICPA Statements on Standards
for Attestation Engagements
1 CHAPTER 1
INTRODUCTION Purpose 1.01 The standards and guidance contained in this
document, often referred to as
generally accepted government auditing standards (GAGAS), are intended for
use by government auditors 1 to ensure that they maintain competence,
integrity, objectivity, and independence in planning, conducting, and
reporting their work, and are to be followed by auditors and audit
organizations when required by law, regulation, contract, agreement, or
policy. 2 The work performed in accordance with GAGAS, which is described
in this chapter and more fully in chapter 2, includes financial audits,
attestation engagements, and performance audits. Users of government
audits and attestation engagements that are performed in accordance with
GAGAS should have confidence that the work is objective and credible.
1.02 GAGAS pertain to auditors* professional qualifications and the
quality of their work, the performance of field work, and the
characteristics of meaningful reporting. Adherence to GAGAS can help
ensure that audits and attestation engagements provide credibility to the
information reported by or obtained from officials of the audited entity
through objectively acquiring and evaluating
evidence. When auditors perform their work in this manner and comply with
GAGAS in reporting the results, their work can lead to improved government
management, decision making, and oversight. Government auditing is also a
key element in fulfilling the government*s duty to be accountable to the
public.
1.03 This chapter describes the applications of GAGAS by auditors and
audit organizations. This chapter also describes the concept of
accountability for public resources and discusses the responsibilities of
managers of government programs, auditors, and audit organizations in the
audit process.
1 This document addresses the standards that should be used by the
individuals in audit organizations conducting the broad array of work that
is described more fully in chapter 2. Accordingly, the focus of this
document is not on the wide variety of titles that are used by individuals
conducting and reporting on this work, but instead the nature of the work
that is being
performed. The term *auditor* throughout this document includes
individuals who may be titled auditor, analyst, evaluator, inspector, or
who may have a similar position.
2 Requirements in GAGAS are identified by statements that include the word
*should.* Auditors are expected to comply with these requirements if they
apply to the type of work being performed.
2 Applicability 1.04 The standards and guidance in this document apply to
audits and attestation
engagements of government entities, programs, activities, and functions,
and of government assistance administered by contractors, nonprofit
entities, and other nongovernmental entities. A number of statutes and
other mandates require that auditors follow GAGAS. Where a statute or
other mandate does not exist, auditors will find it useful to follow GAGAS
in work regarding the use of government funds. If auditors hold themselves
out as following GAGAS, regardless of whether the auditors are required to
follow such standards, the auditors need to justify any departures from
GAGAS.
1.05 The following are among the laws, regulations, and guidelines that
require use of GAGAS:
a. The Inspector General Act of 1978, as amended, 5 U. S. C. App. (2000)
requires that the statutorily appointed federal inspectors general comply
with GAGAS for audits of federal establishments, organizations, programs,
3 activities, and functions. The act further states that the inspectors
general shall take appropriate steps to assure that any work performed by
nonfederal auditors complies with GAGAS.
b. The Chief Financial Officers Act of 1990 (Public Law 101- 576), as
expanded by the Government Management Reform Act of 1994 (Public Law 103-
356), requires that GAGAS be followed in audits of executive branch
departments* and agencies* financial statements.
c. The Single Audit Act Amendments of 1996 (Public Law 104- 156) require
that GAGAS be followed in audits of state and local governments and
nonprofit entities that receive federal awards. 4 The Office of Management
and Budget (OMB) Circular A- 133, Audits of States, Local Governments, and
Non- Profit
Organizations, which provides the government- wide guidelines and policies
on performing audits to comply with the Single Audit Act, also requires
the use of GAGAS.
1.06 Auditors need to be alert to other laws, regulations, or other
authoritative sources that could require the use of GAGAS. For example,
state and local laws and regulations may require auditors at the state and
local levels of government to follow GAGAS. Also, the terms of an
agreement or contract may require auditors to comply with GAGAS. Federal
audit guidelines pertaining to program
3 Henceforth, the term *program* will be used in this document to include
government establishments, organizations, programs, activities, and
functions. 4 Under the Single Audit Act, as amended, federal awards
include federal financial assistance (grants, loans, loan guarantees,
property, cooperative agreements, interest subsidies, insurance, food
commodities, direct appropriations, or other assistance) and cost-
reimbursement contracts.
3 requirements, such as those issued for Housing and Urban Development
programs
and Student Financial Aid programs, may also require that GAGAS be
followed.
1.07 Even if not required to do so, auditors may find it useful to follow
GAGAS in performing audits of federal, state, and local government
programs as well as in performing audits of government awards administered
by contractors, nonprofit entities, and other nongovernment entities. Many
audit organizations not formally required to do so, both in the United
States of America and in other countries, voluntarily follow GAGAS.
1.08 Auditors may provide professional services, other than audits and
attestation engagements, that consist solely of gathering, providing, and
explaining information requested by decision makers or by providing advice
or assistance to officials of the audited entity. GAGAS are not applicable
to nonaudit services, which are described more fully in chapter 2.
However, providing nonaudit services may affect an audit organization*s
independence to conduct audits, which
is discussed in chapter 3. Relationship between GAGAS and Other
Professional Standards 1.09 GAGAS may be used in conjunction with
professional standards issued by
other authoritative bodies. For example, the American Institute of
Certified Public Accountants (AICPA) has issued professional standards
that apply in financial audits and attestation engagements performed by
certified public accountants (CPA). GAGAS incorporate the AICPA*s field
work and reporting standards and the related statements on auditing
standards for financial audits unless specifically excluded, as discussed
in chapters 4 and 5. GAGAS incorporate the AICPA*s general standard on
criteria, and the field work and reporting standards and the related
statements on the standards for attestation engagements, unless
specifically excluded, as discussed in chapter 6. To meet the needs of
users of government audits and attestation engagements, GAGAS also
prescribe requirements in addition to those provided by the AICPA for
these types of work.
1.10 Other professional standards that may be used by auditors are issued
by such bodies as the Institute of Internal Auditors (Codification of the
Standards for the Professional Practice of Internal Auditing, The
Institute of Internal Auditors, Inc.) and the American Evaluation
Association (Guiding Principles for Evaluators, a report from the American
Evaluation Association Task Force on Guiding Principles for Evaluators;
The Program Evaluation Standards, Joint Committee on Standards for
Education Evaluation; and Standards for Educational and Psychological
Testing, American Psychological Association.) These other professional
standards are not incorporated into GAGAS, but can be used in conjunction
with GAGAS. To the extent of any inconsistencies between the standards,
GAGAS should prevail as the controlling (authorative) source if GAGAS is
cited in the report.
4 Accountability 1.11 The concept of accountability for public resources
is key in our nation*s
governing processes. Legislators, other government officials, and the
public want to know whether (1) government resources are managed properly
and used in compliance with laws and regulations, (2) government programs
are achieving their objectives and desired outcomes, and (3) government
programs are being provided efficiently, economically, and effectively.
Managers of these programs are accountable to legislative bodies and the
public. Auditors of these programs, when they adhere to GAGAS, provide
reports that enhance the credibility and reliability of the information
that is reported by or obtained from officials of the audited entity.
1.12 Financial audits contribute to making governments more accountable
for the use of public resources. The auditors, in providing an independent
report on whether an entity*s financial information is presented fairly in
accordance with recognized criteria, provide users with statements
concerning the reliability of the information. Financial audits performed
in accordance with GAGAS also provide information about internal control,
compliance with laws and regulations, and provisions of contracts and
grant agreements as they relate to financial transactions, systems, and
processes.
1.13 Attestation engagements also contribute to governments*
accountability for the use of public resources and the delivery of
services. In an attestation engagement, auditors issue an examination, a
review, or an agreed- upon procedures report on a subject matter or on an
assertion about a subject matter, based on or in conformity with criteria
that is the responsibility of another party. Attestation engagements can
cover a broad range of financial or nonfinancial objectives and provide
various levels of assurance about the subject matter or assertion
dependent upon the user*s needs.
1.14 Performance audits also contribute to governments* accountability for
the use of public resources and the delivery of services. The term
performance audit is used to include a variety of objectives to meet
users* needs. Performance audits provide an independent assessment of the
performance and management of government programs against objective
criteria or an assessment of best practices and other information.
Performance audits provide information to improve program operations,
facilitate decision making by parties with responsibility to oversee or
initiate corrective action, and contribute to public accountability. The
term performance audit is used generically to include work classified by
some audit organizations as program evaluations, program effectiveness and
results audits, economy and efficiency audits, operational audits, and
value- for- money audits.
1.15 Given the importance and complexity of government programs in
providing a variety of public services, auditors are increasingly being
called on by legislative
5 bodies and government agencies to expand the variety of performance
audits to
include work that has a prospective focus or provides guidance, best
practice information, or information on issues that affect multiple
programs or entities already studied or under study by an audit
organization. This work may also
include an assessment of policy alternatives, identification of risks and
risk mitigation efforts, and a variety of analytical services to aid
government officials in performing their responsibilities and carrying out
their stewardship of government resources. Such work, like other
performance audits, (1) involves a level of analysis, research, or
evaluation, (2) may provide conclusions and recommendations, and (3)
results in a report.
1.16 Audit organizations may also seek to achieve improvement through
cooperative engagements with affected agencies while continuing to
maintain independence under the standards. Such *constructive engagement*
approaches, where appropriate, can facilitate management improvements on a
real- time basis without compromising the audit organization*s
independence and objectivity. Efforts to provide technical advice and
expertise to agencies for use in responding to current risks, correcting
internal control deficiencies, or responding to the audit organization*s
recommendations are examples of constructive engagements. Constructive
engagement approaches will not impair independence when conducted within
the framework of an audit or as technical advice to agencies. However,
audit organizations need to take care to avoid making management decisions
or to avoid situations that would result in the audit organization
auditing its own work, such as directing agencies to undertake a specific
activity in a specific manner as discussed more fully in chapter 3 of
these standards. By limiting the audit organization*s role in this way,
the overarching principles of independence are not violated.
Roles and Responsibilities 1.17 Officials of the audited entity entrusted
with handling public resources and auditors of government programs fulfill
essential roles and responsibilities in ensuring that public resources are
used efficiently, economically, effectively, and legally. Audit
organizations also have the important responsibility of ensuring that
auditors can meet their responsibilities. These unique roles involve using
sound management practices and providing professional audits and
attestation engagements.
Management*s Role 1.18 Officials of the audited entity (for example,
managers of a state or local governmental entity or a nonprofit entity
that receives federal awards) are responsible for
6
a. applying those resources efficiently, economically, effectively, and
legally to achieve the purposes for which the resources were furnished or
the program was established; 5 b. complying with applicable laws and
regulations, including identifying the
requirements with which the entity and the official must comply and
implementing systems designed to achieve that compliance;
c. establishing and maintaining effective internal control to help ensure
that appropriate goals and objectives are met; resources are used
efficiently, economically, and effectively, and are safeguarded; laws and
regulations are followed; and reliable data are obtained, maintained, and
fairly disclosed;
d. providing appropriate reports to those who oversee their actions and to
the public in order to be accountable for the resources used to carry out
government programs and the results of these programs;
e. addressing the findings and recommendations of auditors, and for
establishing and maintaining a process to track the status of such
findings and recommendations; and
f. following sound procurement practices when contracting for audits and
attestation engagements, including ensuring procedures are in place for
monitoring contract performance. The objectives and scope of the audit or
attestation engagement need to be made clear. In addition to price, other
factors that may be considered in evaluating bid proposals include the
responsiveness of the bidder to the request for proposal; the prior
performance and experience of the bidder; the availability of the bidder*s
staff who have the appropriate professional qualifications and technical
abilities; and the results of the bidder*s peer reviews.
Auditors* Responsibilities 1.19 In discharging their professional
responsibilities, auditors need to observe the principles of serving the
public interest and maintaining the highest degree of integrity,
objectivity, and independence. The public interest is defined as the
collective well- being of the community of people and entities the
auditors serve. These principles are fundamental to the responsibilities
of auditors.
1.20 Auditors should act in a way that will serve the public interest,
honor the public trust, and uphold their professionalism. A distinguishing
mark of a profession is acceptance of its responsibility to the public.
This responsibility is critical when auditing in the government
environment. GAGAS embody the concept of accountability, which is
fundamental to serving the public interest.
5 This responsibility applies to all resources, both financial and
physical, as well as informational resources, whether entrusted to public
officials or others by their own constituencies or by other levels of
government.
7
1.21 Auditors need to make decisions that are consistent with the public
interest in the program or activity under audit. In discharging their
professional responsibilities, auditors may encounter conflicting
pressures from management of the audited entity, various levels of
government, and others who rely on the objectivity and independence of the
auditors. In resolving those conflicts, auditors are responsible for
acting with integrity, guided by the precept that when auditors fulfill
their responsibilities to the public, these individuals* and
organizations* interests are best served.
1.22 To maintain and broaden public confidence, auditors need to perform
all professional responsibilities with the highest degree of integrity.
Auditors need to be professional, objective, fact- based, nonpartisan, and
non- ideological in their relationships with audited entities and users of
the auditors* reports. Auditors should be honest and candid with the
audited entity and users of the auditors* work in the conduct of their
work, within the constraints of the audited entity*s confidentiality laws,
rules, or policies. Auditors need to be prudent in the use of information
acquired in the course of their duties. They should not use such
information for any personal gain or in any manner that would be
detrimental to the legitimate and ethical objectives of the audited
entity.
1.23 Service and the public trust should not be subordinated to personal
gain and advantage. Integrity can accommodate the inadvertent error and
the honest difference of opinion; it cannot accommodate deceit or
subordination of principle. Integrity requires auditors to observe both
the form and the spirit of technical and ethical standards; circumvention
of those standards constitutes subordination of judgment. Integrity also
requires auditors to observe the principles of objectivity and
independence.
1.24 Auditors should be objective and free of conflicts of interest in
discharging their professional responsibilities. Auditors are also
responsible for being independent in fact and appearance when providing
audit and attestation services. Objectivity is a state of mind that
requires auditors to be impartial, intellectually honest, and free of
conflicts of interest. Independence precludes relationships that may in
fact or appearance impair auditors* objectivity in performing the audit or
attestation engagement. The maintenance of objectivity and independence
requires continuing assessment of relationships with the audited entities
in the context of the auditors* responsibility to the public.
1.25 In applying GAGAS, auditors are responsible for using professional
judgment when establishing scope and methodologies for their work,
determining the tests and procedures to be performed, conducting the work,
and reporting the results. Auditors need to maintain integrity and
objectivity when doing their work to make decisions that are consistent
with the broader public interest in the program or activity under review.
When reporting on the results of their work, auditors are responsible for
disclosing all material or significant facts known to them which, if
8 not disclosed, could mislead knowledgeable users, misrepresent the
results, or conceal improper or unlawful practices.
1.26 Auditors are responsible for helping management and other report
users 6 understand the auditors* responsibilities under GAGAS and other
audit or attestation coverage required by law or regulation. To help
managers and other report users understand an engagement*s objectives,
time frames, and data needs, auditors need to communicate information
concerning planning, conduct, and reporting of the engagement to the
parties involved during the planning stages of the audit or attestation
engagement.
Audit Organizations* Responsibilities 1.27 Audit organizations also have
responsibility for ensuring that (1) independence and objectivity are
maintained in all phases of the assignment, (2) professional judgment is
used in planning and performing the work and in reporting the results, (3)
the work is performed by personnel who are professionally competent and
collectively have the necessary skills and knowledge, and (4) an
independent peer review is periodically performed resulting in an opinion
issued as to whether an audit organization*s system of quality control is
designed and being complied with to provide reasonable
assurance of conforming with professional standards.
1.28 While management is responsible for addressing audit and attestation
engagement findings and recommendations and tracking their status of
resolution, audit organizations are responsible for establishing policies
and procedures for follow- up to determine whether previous significant
findings and recommendations are addressed and are considered in planning
future engagements. 6 Other report users may include officials of the
audited entity, the audit committee, the board of directors or other audit
oversight body, management or auditors of granting or funding agencies,
and individuals contracting for or requesting audit services.
9 CHAPTER 2
TYPES OF GOVERNMENT AUDITS AND ATTESTATION ENGAGEMENTS Introduction 2.01
This chapter describes the types of audits and attestation engagements
that
audit organizations perform, or arrange to have performed, of government
entities, programs, and federal awards administered by contractors,
nonprofit entities, and other nongovernment entities. This description is
not intended to limit or require the types of audits or attestation
engagements that may be performed or arranged to be performed. In
performing work described below in accordance with generally accepted
government auditing standards (GAGAS), auditors should follow the
applicable standards included and incorporated in chapters 3 through 8.
This chapter also describes nonaudit services that audit organizations may
provide, although these services are not covered by GAGAS. 2.02 All
engagements begin with objectives, and those objectives determine the
type of work to be performed and the auditing standards to be followed.
The types of work, as defined by their objectives that are covered by
GAGAS, are classified in this document as financial audits, attestation
engagements, and performance audits.
2.03 Engagements may have a combination of objectives that include more
than one type of work described in this chapter or may have objectives
limited to only some aspects of one type of work. Auditors should follow
the standards that are applicable to the individual objectives of the
audit or attestation engagement.
2.04 In some engagements, the applicable standards that apply to the
specific audit objective will be apparent. For example, if the audit
objective is to express an opinion on financial statements, the standards
for financial audits apply. However, for some engagements, there may be
overlap between the applicable objectives. For example, if the objectives
are to determine the reliability of performance measures, this work can be
done in accordance with either the standards for attestation engagements
or for performance audits. In cases where there is a choice between
applicable standards, auditors should consider users* needs and the
auditors* knowledge, skills, and experience in deciding which
standards to follow. Auditors should apply the standards that are
applicable to the type of assignment conducted (the financial audit
standards, the attestation engagement standards, or the performance
auditing standards).
Financial Audits 2.05 Financial audits are primarily concerned with
providing reasonable assurance about whether financial statements are
presented fairly in all material
10 respects in conformity with generally accepted accounting principles
(GAAP), 7 or
with a comprehensive basis of accounting other than GAAP. Other objectives
of financial audits, which provide for different levels of assurance and
entail various scopes of work, may include
a. providing special reports for specified elements, accounts, or items of
a financial statement; 8 b. reviewing interim financial information;
c. issuing letters for underwriters and certain other requesting parties;
d. reporting on the processing of transactions by service organizations;
and
e. auditing compliance with regulations relating to federal award
expenditures and other governmental financial assistance in conjunction
with or as a byproduct of a financial statement audit.
2.06 Financial audits are performed under the American Institute of
Certified Public Accountants* (AICPA) generally accepted auditing
standards for field work and reporting, as well as the related AICPA
Statements on Auditing Standards (SAS). GAGAS prescribe general standards
and additional field work and reporting standards beyond those provided by
the AICPA when performing financial audits. (See chapters 3, 4, and 5 for
standards and guidance for auditors performing a financial audit in
accordance with GAGAS.)
Attestation Engagements 2.07 Attestation engagements 9 concern examining,
reviewing, or performing agreed- upon procedures on a subject matter or an
assertion 10 about a subject 7 The three authoritative bodies for
establishing accounting principles and financial reporting standards are
the Federal Accounting Standards Advisory Board (federal government), the
Governmental Accounting Standards Board (state and local governments), and
the Financial Accounting Standards Board (nongovernmental entities).
8 Special reports apply to auditors* reports issued in connection with the
following: (1) financial statements that are prepared in conformity with a
comprehensive basis of accounting other than generally accepted accounting
principles; (2) specified elements, accounts, or items of a financial
statement; (3) compliance with aspects of contractual agreements or
regulatory requirements related to audited financial statements; (4)
financial presentations to comply with contractual agreements or
regulatory requirements; or (5) financial information presented in
prescribed forms or schedules that require a prescribed form of auditors*
report.
9 For consistency within GAGAS, the word *auditor* is used to describe
individuals conducting and reporting on attestation engagements. 10 An
assertion is any declaration or set of declarations made by management
about whether the subject matter is based on or in conformity with the
criteria selected.
11 matter and reporting on the results. The subject matter of an
attestation
engagement may take many forms, including historical or prospective
performance or condition, physical characteristics, historical events,
analyses, systems and processes, or behavior. Attestation engagements can
cover a broad range of financial or nonfinancial subjects and can be part
of a financial audit or performance audit. Possible subjects of
attestation engagements could include reporting on
a. an entity*s internal control over financial reporting;
b. an entity*s compliance with requirements of specified laws,
regulations, rules, contracts, or grants;
c. the effectiveness of an entity*s internal control over compliance with
specified requirements, such as those governing the bidding for,
accounting for, and reporting on grants and contracts;
d. management*s discussion and analysis (MD& A) presentation;
e. prospective financial statements or pro- forma financial information;
f. the reliability of performance measures;
g. final contract cost;
h. allowability and reasonableness of proposed contract amounts; and
i. specific procedures performed on a subject matter (agreed- upon
procedures).
2.08 Attestation engagements are performed under the AICPA*s attestation
standards, as well as the related AICPA Statements on Standards for
Attestation Engagements (SSAE). GAGAS prescribe general standards and
additional field work and reporting standards beyond those provided by the
AICPA for attestation engagements. (See chapters 3 and 6 for standards and
guidance for auditors performing an attestation engagement in accordance
with GAGAS.)
Performance Audits 2.09 Performance audits entail an objective and
systematic examination of evidence to provide an independent assessment of
the performance and management of a program against objective criteria as
well as assessments that provide a prospective focus or that synthesize
information on best practices or cross- cutting issues. Performance audits
provide information to improve program operations and facilitate decision-
making by parties with responsibility to oversee or initiate corrective
action, and improve public accountability. Performance audits encompass a
wide variety of objectives, including objectives related to
12 assessing program effectiveness and results; economy and efficiency;
internal
control; 11 compliance with legal or other requirements; and objectives
related to providing prospective analyses, guidance, or summary
information. Performance audits may entail a broad or narrow scope of work
and apply a variety of methodologies; involve various levels of analysis,
research, or evaluation; generally provide findings, conclusions, and
recommendations; and result in the issuance of a report. (See chapters 3,
7, and 8 for standards and guidance for auditors performing a performance
audit in accordance with GAGAS.)
2.10 Program effectiveness and results audit objectives address the
effectiveness of a program and typically measure the extent to which a
program is achieving its goals and objectives. Economy and efficiency
audit objectives concern whether an entity is acquiring, protecting, and
using its resources in the most productive manner to achieve program
objectives. Program effectiveness and results audit objectives and economy
and efficiency audit objectives are often interrelated and may be
concurrently addressed in a performance audit. Examples of program
effectiveness and results and economy and efficiency audit objectives
include assessing
a. the extent to which legislative, regulatory, or organizational goals
and objectives are being achieved;
b. the relative ability of alternative approaches to yield better program
performance or eliminate factors that inhibit program effectiveness;
c. the relative cost and benefits or cost effectiveness of program
performance; 12 d. whether a program produced intended results or produced
effects that were not intended by the program*s objectives;
e. the extent to which programs duplicate, overlap, or conflict with other
related programs;
f. whether the audited entity is following sound procurement practices;
g. the validity and reliability of performance measures concerning program
effectiveness and results, or economy and efficiency; and
h. the reliability, validity, or relevance of financial information
related to the performance of a program.
11 The term internal control in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity*s operations (programmatic, financial, and compliance). 12 These
objectives focus on combining cost information with information about
outputs or the benefit provided and outcomes or the results achieved.
13
2.11 Internal control audit objectives relate to management*s plans,
methods, and procedures used to meet its mission, goals, and objectives.
Internal control includes the processes and procedures for planning,
organizing, directing, and controlling program operations, and the system
put in place for measuring, reporting, and monitoring program performance.
Examples of audit objectives related to internal control include the
extent that internal control of a program provides reasonable assurance
that
a. organizational missions, goals, and objectives are achieved effectively
and efficiently; b. resources are used in compliance with laws,
regulations, or other requirements;
c. resources are safeguarded against unauthorized acquisition, use, or
disposition;
d. management information and public reports that are produced, such as
performance measures, are complete, accurate, and consistent to support
performance and decision making;
e. security over computerized information systems will prevent or timely
detect unauthorized access; and
f. contingency planning for information systems provides essential back-
up to prevent unwarranted disruption of activities and functions the
systems support.
2.12 Compliance audit objectives relate to compliance criteria established
by laws, regulations, contract provisions, grant agreements, and other
requirements 13 that could affect the acquisition, protection, and use of
the entity*s resources and
the quantity, quality, timeliness, and cost of services the entity
produces and delivers. Compliance objectives also concern the purpose of
the program, the manner in which it is to be conducted and services
delivered, and the population it serves.
2.13 Audit organizations also undertake work that provides a prospective
focus or may provide guidance, best practice information, and information
that cuts across program or organizational lines, or summary information
on issues already studied or under study by an audit organization.
Examples of objectives pertaining to this work include
a. assessing program or policy alternatives, including forecasting program
outcomes under various assumptions;
b. assessing the advantages and disadvantages of legislative proposals;
c. analyzing views of stakeholders on policy proposals for decision
makers; 13 Compliance requirements can be either financial or nonfinancial
in nature.
14
d. analyzing budget proposals or budget requests to assist legislatures in
the budget process;
e. identifying best practices for users in evaluating program or
management system approaches, including financial and information
management systems; and
f. producing a high- level summary or a report that affects multiple
programs or entities on issues studied or under study by the audit
organization. Nonaudit Services Provided by Audit Organizations 2.14 Audit
organizations may also provide nonaudit services that are not covered
by GAGAS. 14 Nonaudit services generally differ from financial audits,
attestation engagements, and performance audits in that auditors may (1)
perform tasks requested by management that directly support the entity*s
operations, such as developing or implementing accounting systems;
determining account balances; developing internal control systems;
establishing capitalization criteria; processing payroll; posting
transactions; evaluating assets; designing or implementing information
technology or other systems; or performing actuarial studies or (2)
provide information or data to a requesting party without providing
verification, analysis, or evaluation of the information or data, and,
therefore, the work does not usually provide a basis for conclusions,
recommendations, or opinions on the information or data. These services
may or may not result in the issuance of a report. In the case of
nongovernment auditors who conduct audits under GAGAS, the term nonaudit
services is synonymous with consulting services.
2.15 GAGAS do not cover nonaudit services described in this chapter since
such services are not audits or attestation engagements. Therefore,
auditors should not report that nonaudit services were conducted in
accordance with GAGAS. However, audit organizations are encouraged to
establish policies for maintaining the quality of this type of work, and
may wish to disclose such policies in any product resulting from this
work, any other professional standards followed, and the quality control
steps taken.
2.16 Importantly, although GAGAS do not provide standards for conducting
nonaudit services, auditors providing such services need to ensure that
their independence to provide audit services is not impaired by providing
nonaudit services. See chapter 3, general standards on independence.
14 If audit organizations provide nonaudit services, audit organizations
need to consider whether providing these services creates a personal
impairment either in fact of appearance that adversely affects their
independence for conducting audits.
15 CHAPTER 3
GENERAL STANDARDS Introduction 3.01 This chapter prescribes general
standards and provides guidance for
performing financial audits, attestation engagements, 15 and performance
audits. These general standards concern the fundamental requirements for
ensuring the credibility of auditors* results. Credibility is essential to
all audit organizations performing work that government leaders and other
users rely on for making
decisions, and is what the public expects of information provided by
auditors. These general standards encompass the independence of the audit
organization and its individual auditors; the exercise of professional
judgment in the performance of work and the preparation of related
reports; the competence of audit staff, including the need for their
continuing professional education; and the existence of quality control
systems and external peer reviews.
3.02 These general standards provide the underlying framework that is
critical in effectively applying the field work and reporting standards
described in the following chapters when performing the detailed work
associated with audits or attestation engagements and when preparing
related reports and other products. Therefore, these general standards are
required to be followed by all auditors and audit organizations, both
government and nongovernment, performing work under generally accepted
government auditing standards (GAGAS).
Independence 3.03 The general standard related to independence is:
In all matters relating to the audit work, the audit organization and the
individual auditor, whether government or public, should be free both in
fact and appearance from personal, external, and organizational
impairments to independence.
3.04 Auditors and audit organizations have a responsibility to maintain
independence so that opinions, conclusions, judgments, and recommendations
will be impartial and will be viewed as impartial by knowledgeable third
parties. Auditors should avoid situations that could lead reasonable third
parties with knowledge of the relevant facts and circumstances to conclude
that the auditors are not able to maintain independence and, thus, are not
capable of exercising objective and impartial judgment on all issues
associated with conducting and reporting on the work.
15 See chapter 6 for an additional general standard auditors should follow
when performing an attestation engagement.
16
3.05 Auditors need to consider three general classes of impairments to
independence* personal, external, and organizational. 16 If one or more of
these impairments affects an individual auditor*s capability to perform
the work and report results impartially, that auditor should either
decline to perform the work, or in those situations in which the
government auditor, because of a legislative requirement or for other
reasons, cannot decline to perform the work, the impairment or impairments
should be reported in the scope section of the audit report.
3.06 In using the work of a specialist, 17 auditors need to consider the
specialist as a member of the audit team and, accordingly, assess the
specialist*s ability to perform the work and report results impartially.
In conducting this assessment, auditors should provide the specialist with
the GAGAS independence requirements and obtain representations from the
specialist regarding the specialist*s independence from the activity or
program under audit. If the specialist has an impairment to independence,
auditors should not use the work of that specialist.
Personal Impairments 3.07 The audit organization should have an internal
quality control system to help determine whether auditors have any
personal impairments to independence that could affect their impartiality
or the appearance of impartiality. The audit organization needs to be
alert for personal impairments to independence of its staff members.
Personal impairments of staff members result from relationships and
beliefs that might cause auditors to limit the extent of the inquiry,
limit disclosure, or weaken or slant audit findings in any way. Auditors
are responsible for notifying the appropriate officials within their audit
organizations if they have any personal impairments to independence.
Examples of personal impairments of individual auditors include, but are
not limited to, the following:
a. immediate family or close family member 18 who is a director or officer
of the audited entity, or as an employee of the audited entity, is in a
position to exert direct and significant influence over the entity or the
program under audit;
16 Nongovernment auditors should also follow the AICPA code of
professional conduct and the code of professional conduct of the state
board with jurisdiction over the practice of the public accountant and the
audit organization. All auditors should also be aware of and comply with
any applicable government ethics laws and regulations and any other ethics
requirements (such as those of the state boards of accountancy) associated
with their activities.
17 Specialists to whom this section applies include, but are not limited
to, actuaries, appraisers, attorneys, engineers, environmental
consultants, medical professionals, statisticians, and geologists. This
section applies to external consultants and firms performing work for the
audit
organization. 18 Immediate family member is a spouse, spouse equivalent,
or dependent (whether or not related). A close family member is a parent,
sibling, or nondependent child.
17
b. financial interest that is direct, or is significant/ material though
indirect, in the audited entity or program; 19 c. responsibility for
managing an entity or decision making that could affect
operations of the entity or program being audited; for example as a
director, officer, or other senior position of the entity, activity, or
program being audited, or as a member of management in any decision-
making, supervisory, or ongoing monitoring function for the entity,
activity, or program under audit; 20, 21 d. concurrent or subsequent
performance of an audit by the same individual who
maintained the official accounting records when such services involved
preparing source documents or originating data, in electronic or other
form; posting transactions (whether coded by management or not coded);
authorizing, executing, or consummating transactions (for example,
approving invoices, payrolls, claims, or other payments of the entity or
program being audited); maintaining an entity*s bank account or otherwise
having custody of the audited entity*s funds; or otherwise exercising
authority on behalf of the entity, or having authority to do so; 22 e.
preconceived ideas toward individuals, groups, organizations, or
objectives of a
particular program that could bias the audit;
f. biases, including those induced by political, ideological, or social
convictions, that result from employment in, or loyalty to, a particular
type of policy, group, organization, or level of government; and
g. seeking employment with an audited organization during the conduct of
the audit.
19 Auditors are not precluded from auditing pension plans that they
participate in if (1) the auditor has no control over the investment
strategy, benefits, or other management issues associated with the pension
plan and (2) the auditor belongs to such pension plan as part of his/ her
employment
with the audit organization, provided that the plan is normally offered to
all employees in equivalent employment positions. 20 If the auditor has
performed nonaudit services for a client that affect information that is
the subject of the audit, and management is unable or unwilling to take
responsibility for this information, the risk that the auditor may be
perceived to have a personal impairment to independence is increased. See
paragraphs 3.10 through 3.18 for additional guidance on impairments to
independence associated with the scope of services that may be provided by
audit organizations to entities they audit.
21 The auditor needs to be free from this personal impairment for the
period covered by the activity under audit, including any financial
statements being audited, and for the period in which the audit is being
performed and reported. 22 See footnote 21.
18
3.08 Audit organizations and auditors may encounter many different
circumstances or combination of circumstances that could create a personal
impairment. Therefore, it is impossible to identify every situation that
could result in a personal impairment. Accordingly, audit organizations
should include as part of their internal quality control system
requirements to identify personal impairments and assure compliance with
GAGAS independence requirements. At a minimum, audit organizations should
a. establish policies and procedures that will enable the identification
of personal impairments to independence, including whether performing
nonaudit services affects the subject matter of audits and applying
safeguards to appropriately reduce that risk; (See paragraphs 3.10 through
3.18.)
b. communicate the audit organization*s policies and procedures to all
auditors in the organization and assure understanding of requirements
through training or other means such as auditors periodically
acknowledging their understanding;
c. establish internal policies and procedures to monitor compliance with
the audit organization*s policies and procedures;
d. establish a disciplinary mechanism to promote compliance with the audit
organization*s policies and procedures; and
e. stress the importance of independence and the expectation that auditors
will always act in the public interest.
3.09 When the audit organization identifies a personal impairment to
independence, the impairment needs to be resolved in a timely manner. In
situations in which the personal impairment is applicable only to an
individual auditor on a particular assignment, the audit organization may
be able to mitigate the personal impairment by requiring the auditor to
eliminate the personal impairment. For example, the auditor could sell a
financial interest that created the personal impairment, or the audit
organization could remove that auditor from
any work on that audit assignment. 23 If the personal impairment cannot be
mitigated through these means, the audit organization should withdraw from
the audit. In situations in which government auditors cannot withdraw from
the audit, they should follow the requirement in paragraph 3.05.
3.10 Audit organizations that provide other professional services
(nonaudit services) should consider whether providing these services
creates a personal
23 Auditors participating in the audit assignment need to be free from
personal impairments. This includes those who review the work or the
report, and all others within the audit organization who can directly
influence the outcome of the audit.
19 impairment either in fact or appearance that adversely affects their
independence
for conducting audits. 24 3.11 Nonaudit services generally differ from
financial audits, attestation engagements, and performance audits
described in chapter 2 in that auditors may (1) perform tasks requested by
management that directly support the entity*s operations, such as
developing or implementing accounting systems; determining account
balances; 25 developing internal control systems; establishing
capitalization criteria; processing payroll; posting transactions;
evaluating assets; designing or implementing information technology or
other systems; or performing actuarial studies, or (2) provide information
or data to a requesting party without providing verification, analysis, or
evaluation of the information or data, circumstances in which the work
does not usually provide a basis for conclusions, recommendations, or
opinions on the information or data. These other services may or may not
result in a report. In the case of nongovernment auditors who perform
audits of government entities under GAGAS, the term *nonaudit services* is
synonymous with consulting services.
3.12 Audit organizations have the capability of performing a range of
services for their clients. However, in certain circumstances, it is not
appropriate for the audit organization to perform both audit and certain
nonaudit services for the same client. In these circumstances, auditors
and/ or the audited entity will have to make a choice as to which of these
services the audit organization will provide. GAGAS recognize that
nonaudit services are provided by audit organizations and that care needs
to be taken to avoid situations that can impair auditor independence,
either in fact or appearance, when performing financial audits,
attestation engagements, or performance audits in accordance with GAGAS.
3.13 Before an audit organization agrees to perform nonaudit services, it
should carefully consider the requirements of paragraph 3.04 that auditors
should avoid situations that could lead reasonable third parties with
knowledge of the relevant facts and circumstances to conclude that
auditors are not able to maintain independence in conducting audits. In
conducting the assessment, the audit organization should apply two
overarching principles: (1) audit organizations should not provide
nonaudit services that involve performing management functions or making
management decisions and (2) audit organizations should not audit their
own work or provide nonaudit services in situations where the nonaudit
services are significant/ material to the subject matter of audits. If the
audit organization makes the determination that the nonaudit service does
not
24 GAO has issued further guidance in the form of questions and answers to
assist in implementation of the standards associated with nonaudit
services. This guidance, Answers to Independence Standard Questions, can
be found on GAO*s Government Auditing Standards Web page (http:// www.
gao. gov/ govaud/ ybk01.htm). 25 The determination of account balances is
used by management to prepare financial statements,
such as determining for management the balance of accounts receivable or
accounts payable or the value of inventory as of a specific date.
20 violate these principles, it should comply with all the safeguards
stated in
paragraph 3.17.
3.14 Audit organizations should not perform management functions or make
management decisions. Performing management functions or making management
decisions creates a situation that impairs the audit organization*s
independence, both in fact and in appearance, to perform audits of that
subject matter and may affect the audit organization*s independence to
conduct audits of related subject matter. For example, auditors should not
serve as members of an entity*s management committee or board of
directors, make policy decisions that affect future direction and
operation of an entity*s programs, supervise entity employees, develop
programmatic policy, authorize an entity*s transactions, or maintain
custody of an entity*s assets. 26 3.15 Auditors may participate on
committees or task forces in a purely advisory
capacity to advise entity management on issues related to the knowledge
and skills of the auditors without impairing their independence. However,
auditors should not make management decisions or perform management
functions. For example, auditors can provide routine advice to the audited
entity and management to assist them in activities such as establishing
internal controls or implementing audit recommendations and can answer
technical questions and/ or provide training. The decision to follow the
auditors* advice remains with management of the audited entity. These
types of interactions are normal between auditors and officials of the
audited entity given the auditors* technical expertise and the knowledge
auditors gain of the audited entity*s operations. Auditors may also
provide tools and methodologies, such as best practice guides,
benchmarking studies, and internal control assessment methodologies that
can be used by management. By their very nature, these are routine
activities that would not require the audit organization to apply the
safeguards described in paragraph 3.17.
3.16 Audit organizations should not audit their own work or provide
nonaudit services if the services are significant/ material to the subject
matter of audits. In considering whether the nonaudit service can have a
significant or material affect on the subject matter of audits, audit
organizations should consider (1) ongoing audits; (2) planned audits; (3)
requirements and commitments for providing audits, which includes laws,
regulations, rules, contracts, and other agreements; and (4) policies
placing responsibilities on the audit organization for providing audit
services. Government auditors generally have broad audit responsibilities
that may extend to a level of government or a particular entity within a
level of government. Given their broad area of audit responsibility,
government auditors need to be especially careful in providing nonaudit
services to the entity so that their independence is not impaired for
fulfilling their full range of audit responsibilities. Nongovernment audit
organizations may provide audit and
26 Entity assets are intended to include all of the entity*s property
including bank accounts, investment accounts, inventories, equipment or
other assets owned, leased, or otherwise in the entity*s possession, and
financial records, both paper and electronic.
21 nonaudit services (commonly referred to as consulting) under
contractual
commitments to an entity and need to consider whether nonaudit services
they have provided or are committed to provide have a significant or
material effect on the subject matter of audits.
3.17 Audit organizations may perform nonaudit services that do not violate
the principles stated in paragraph 3.13 only if the audit organization and
the audited entity comply with the following safeguards. These safeguards
would not apply in connection with the type of routine activities
described in paragraph 3.15. The intent in this paragraph is not for the
audit organization to apply these safeguards to every interaction it has
with management.
a. The audit organization should document its consideration of the
nonaudit services as discussed in paragraph 3.13, including documentation
for its rationale that providing the nonaudit services does not violate
the two overarching principles.
b. Before performing nonaudit services, the audit organization should
establish and document an understanding with the audited entity regarding
the objectives, scope of work, and product or deliverables of the nonaudit
service. The audit organization should also establish and document an
understanding with management that (1) management is responsible for the
substantive outcomes of the work and, therefore, has a responsibility to
be in a position in fact and appearance to make an informed judgment on
the results of the nonaudit service and (2) the audited entity complies
with the following:
1. designates a management- level individual to be responsible and
accountable for overseeing the nonaudit service,
2. establishes and monitors the performance of the nonaudit service to
ensure that it meets management*s objectives,
3. makes any decisions that involve management functions related to the
nonaudit service and accepts full responsibility for such decisions, and
4. evaluates the adequacy of the services performed and any findings that
result.
c. The audit organization should preclude personnel who provided the
nonaudit services from planning, conducting, or reviewing audit work of
subject matter involving the nonaudit service under the overarching
principle that auditors cannot audit their own work. 27 27 Personnel who
provided the nonaudit service are permitted to convey to the audit
assignment team the knowledge gained about the audited entity and its
operations.
22
d. The audit organization is precluded from reducing the scope and extent
of the audit work below the level that would be appropriate if the
nonaudit work were performed by an unrelated party.
e. The audit organization*s quality control systems for compliance with
independence requirements should include: (1) policies and procedures to
assure consideration of the effect on the ongoing, planned, and future
audits when deciding whether to provide nonaudit services, and (2) a
requirement to have the understanding with management of the audited
entity documented. The understanding should be communicated to management
in writing and can be included in the engagement letter. In addition, the
documentation should specifically identify management*s compliance with
the elements discussed in paragraph 3.17b, including evidence of the
management- level individual responsible for overseeing the nonaudit
service*s qualifications to conduct the required oversight and that the
tasks required of management were performed.
f. By their nature, certain nonaudit services impair the audit
organization*s ability to meet either or both of the overarching
principles in paragraph 3.13 for certain types of audit work. In these
cases, the audit organization should communicate to management of the
audited entity that the audit organization will not be able to perform
subsequent audit work related to the subject matter of the nonaudit
service. It should be clear to management up front that the audit
organization would be in violation of the independence standard if it were
to perform such audit work and that another audit organization that meets
the independence standard will have to be engaged to perform the audit.
For example, if the audit organization has been responsible for designing,
developing, and/ or installing the entity*s accounting system or is
operating the system and then performs a financial statement audit of the
entity, the audit organization would clearly be in violation of the two
overarching principles of the GAGAS independence standard discussed in
paragraph 3.13. Likewise, if the audit organization developed an entity*s
performance measurement system, the audit organization would not be deemed
independent in conducting a performance audit to evaluate whether the
system was adequate. In both of these examples, the audit organization
could decide to perform the nonaudit service but would then not be
independent under GAGAS with regard to the subsequent audit because it
would be in violation of one or both of the two overarching principles. It
becomes a matter of choice for
the audit organization and the audited entity. But the audit organization
cannot maintain independence under GAGAS while providing both the nonaudit
service and performing the audit if either of the two overarching
principles would be violated.
g. For individual audits selected for inspection during a peer review, all
related nonaudit services should be disclosed to the audit organization*s
peer reviewer, and the audit documentation required by paragraphs 3.17a
through 3.17e should be made available for inclusion in the audit
organization*s peer review.
23
3.18 Audit organizations and auditors may encounter many different
circumstances or combinations of circumstances; therefore, it is
impossible to define every situation that could result in an impairment,
as discussed in paragraph 3.12. The following are examples of nonaudit
services performed by an audit organization that typically would not
create an impairment to the audit organization*s independence as long as
(1) auditors avoid situations that would conflict with the two overarching
principles listed in paragraph 3.13 and (2) the audit organization
complies with the safeguards in paragraph 3.17.
a. Providing basic accounting assistance limited to services such as
preparing draft financial statements that are based on management*s chart
of accounts and trial balance and any adjusting, correcting, and closing
entries that have been approved by management; preparing draft notes to
the financial statements based on information determined and approved by
management; preparing a trial balance based on management*s chart of
accounts; maintaining depreciation schedules for which management has
determined the method of depreciation, rate of depreciation, and salvage
value of the asset. 28 The audit organization, however, cannot maintain or
prepare the audited entity*s basic accounting records or maintain or take
responsibility for basic financial or other records that the audit
organization will audit. 29 As part of this prohibition, auditors should
not post transactions (whether coded or not coded) to the entity*s
financial records or to other records that subsequently provide data to
the entity*s financial records.
b. Providing payroll services limited to services such as computing pay
amounts for the entity*s employees based on entity- maintained and
approved time records, salaries or pay rates, and deductions from pay;
generating unsigned payroll checks; transmitting client- approved payroll
data to a financial institution provided management has approved the
transmission and limited the financial institution to making payments only
to previously approved individuals. In cases in which the audit
organization was processing the entity*s entire payroll and payroll was a
material amount to the subject matter of the audit, this would be a
violation of one of the overarching principles in paragraph 3.13, and
auditors would not be deemed independent under GAGAS.
28 If the audit organization has prepared draft financial statements and
notes and performed the financial statement audit, management should
acknowledge the audit organization*s role in preparing the financial
statements and related notes and management*s review, approval, and
responsibility for the financial statements and related notes in the
management representation letter. Likewise, if the audit organization
converts cash- based financial statements to accrualbased financial
statements, management should also acknowledge the audit organization*s
role in reflecting accruals and management*s review, approval, and
responsibility for the accrual adjustments in the management
representation letter. A management representation letter is
required by generally accepted auditing standards (GAAS) and GAGAS. 29
Proposing adjusting and correcting entries that are identified during the
audit is a routine byproduct of audit services that is always permissible
so long as management makes the decision to accept the entries.
24
c. Providing appraisal or valuation services limited to services such as
reviewing the work of the entity or a specialist employed by the entity
where the entity or specialist provides the primary evidence for the
balances recorded in financial
statements or other information that will be audited; valuing an entity*s
pension, other post- employment benefit, or similar liabilities provided
management has determined and taken responsibility for all significant
assumptions and data.
d. Preparing an entity*s indirect cost proposal 30 or cost allocation plan
provided management assumes responsibility for all significant assumptions
and data.
e. Providing advisory services on information technology limited to
services such as advising on system design, system installation, and
system security if management, in addition to the safeguards in paragraph
3.17, acknowledges responsibility for the design, installation, and
internal control over the entity*s system and does not rely on the
auditors* work as the primary basis for determining (1) whether to
implement a new system, (2) the adequacy of the new system design, (3) the
adequacy of major design changes to an existing system, and (4) the
adequacy of the system to comply with regulatory or other requirements.
However, the audit organization should not operate or supervise the
operation of the entity*s information technology system.
f. Providing human resource services to assist management in its
evaluation of potential candidates when the services are limited to
activities such as serving on an evaluation panel to review applications
or interviewing candidates to provide input to management in arriving at a
listing of best qualified applicants to be provided to management. The
auditors should not recommend a single individual for a specific position,
nor should the auditors conduct an executive search or a recruiting
program for the audited entity.
g. Preparing routine tax filings in accordance with federal tax laws,
rules, and regulations of the Internal Revenue Service, and state and
local tax authorities, and any other applicable laws.
h. Gathering and reporting on unverified external or third- party data to
aid legislative and administrative decision making.
i. Advising an entity regarding its performance of internal control
selfassessments.
j. Assisting a legislative body by developing questions for use at a
hearing. 30 The Office of Management and Budget prohibits an auditor who
prepared the entity*s indirect cost proposal from conducting the required
audit when indirect costs recovered by the entity during the prior year
exceeded $1 million under OMB Circular A- 133, Audits of States, Local
Governments, and Non- Profit Organizations, Subpart C. 305( b), revised
June 24, 1997.
25 External Impairments 3.19 Factors external to the audit organization
may restrict the work or interfere
with auditors* ability to form independent and objective opinions and
conclusions. External impairments to independence occur when auditors are
deterred from acting objectively and exercising professional skepticism by
pressures, actual or perceived, from management and employees of the
audited entity or oversight organizations. For example, under the
following conditions, auditors may not have complete freedom to make an
independent and objective judgment and an audit may be adversely affected:
a. external interference or influence that could improperly or imprudently
limit or modify the scope of an audit or threaten to do so, including
pressure to reduce inappropriately the extent of work performed in order
to reduce costs or fees;
b. external interference with the selection or application of audit
procedures or in the selection of transactions to be examined;
c. unreasonable restrictions on the time allowed to complete an audit or
issue the report;
d. interference external to the audit organization in the assignment,
appointment, and promotion of audit personnel;
e. restrictions on funds or other resources provided to the audit
organization that adversely affect the audit organization*s ability to
carry out its responsibilities; f. authority to overrule or to
inappropriately influence the auditors* judgment as
to the appropriate content of the report;
g. threat of replacement over a disagreement with the contents of an audit
report, the auditors* conclusions, or the application of an accounting
principle or other criteria; and
h. influences that jeopardize the auditors* continued employment for
reasons other than incompetence, misconduct, or the need for audit
services.
3.20 An audit organization*s internal quality control system for
compliance with GAGAS independence requirements, as stated in paragraph
3.08, should include internal policies and procedures for reporting and
resolving external impairments.
Organizational Impairments 3.21 In addition to the preceding paragraphs
that address personal and external impairments, a government audit
organization*s ability to perform the work and report the results
impartially can be affected by its place within government and the
structure of the government entity that the audit organization is assigned
to
26 audit. Whether performing work to report externally to third parties
outside the
audited entity or internally to top management within the audited entity,
audit organizations need to be free from organizational impairments to
independence.
Organizational Impairment Considerations when Reporting Externally to
Third Parties
3.22 Government auditors can be presumed to be free from organizational
impairments to independence when reporting externally to third parties if
their audit organization is organizationally independent from the audited
entity. Government audit organizations can meet the requirement for
organizational independence in a number of ways.
3.23 First, a government audit organization may be presumed to be free
from organizational impairments to independence from the audited entity to
report externally, if the audit organization is
a. assigned to a level of government other than the one to which the
audited entity is assigned (federal, state, or local), for example, a
federal auditor auditing a state government program, or
b. assigned to a different branch of government within the same level of
government as the audited entity; for example, a legislative auditor
auditing an executive branch program.
3.24 Second, a government audit organization may also be presumed to be
free from organizational impairments for external reporting if the audit
organization*s head meets any of the following criteria:
a. directly elected by voters of the jurisdiction being audited;
b. elected or appointed by a legislative body subject to removal by a
legislative body, and reports the results of audits to and is accountable
to a legislative body;
c. appointed by someone other than a legislative body, so long as the
appointment is confirmed by a legislative body and removal from the
position is subject to oversight or approval by a legislative body, 31 and
reports the results of audits to and is accountable to a legislative body;
or
d. appointed by, accountable to, reports to, and can only be removed by a
statutorily created governing body, the majority of whose members are
independently elected or appointed and come from outside the organization
being audited.
31 Legislative bodies may exercise their confirmation powers through a
variety of means as long as they are involved in the approval of the
individual to head the audit organization. This involvement can be
demonstrated by approving the individual after the appointment or by
initially selecting or nominating an individual or individuals for
appointment by the appropriate authority.
27
3.25 In addition to the presumptive criteria in paragraphs 3.23 and 3.24,
GAGAS recognize that there may be other organizational structures under
which a government audit organization could be considered to be free from
organizational impairments and thereby be considered organizationally
independent for reporting externally. These other structures should
provide sufficient safeguards to prevent the audited entity from
interfering with the audit organization*s ability to perform the work and
report the results impartially. For an audit organization to be considered
free from organizational impairments for reporting externally under a
structure different from the ones listed in paragraphs 3.23 and 3.24, the
audit organization should have all of the following safeguards:
a. statutory protections that prevent the abolishment of the audit
organization by the audited entity;
b. statutory protections that require that if the head of the audit
organization is removed from office, the head of the agency should report
this fact and the reasons for the removal to the legislative body;
c. statutory protections that prevent the audited entity from interfering
with the initiation, scope, timing, and completion of any audit;
d. statutory protections that prevent the audited entity from interfering
with the reporting on any audit, including the findings, conclusions, and
recommendations, or the manner, means, or timing of the audit
organization*s reports;
e. statutory protections that require the audit organization to report to
a legislative body or other independent governing body on a recurring
basis;
f. statutory protections that give the audit organization sole authority
over the selection, retention, advancement, and dismissal of its staff;
and
g. statutory access to records and documents that relate to the agency,
program, or function being audited. 32 3.26 If the head of the audit
organization concludes that the organization meets
all the safeguards listed in paragraph 3.25, the audit organization should
be considered free from organizational impairments to independence when
reporting the results of its audits externally to third parties. The audit
organization should document the statutory provisions in place that allow
it to meet these safeguards. Those provisions should be reviewed during an
external peer review to ensure that all the necessary safeguards have been
met.
32 Statutory authority to issue a subpoena to obtain the needed records is
one way to meet the requirement for statutory access to records.
28 Organizational Impairment Considerations
when Reporting Internally to Management
3.27 Certain federal, state, or local government audit organizations or
audit organizations within other government entities, such as public
colleges, universities, and hospitals, employ auditors to work for
management of the audited entities. These auditors may be subject to
administrative direction from persons involved in the government
management process. Such audit organizations are internal audit
organizations. A government internal audit organization can be presumed to
be free from organizational impairments to independence when reporting
internally to management if the head of the audit organization meets all
of the following criteria:
a. accountable to the head or deputy head of the government entity,
b. required to report the results of the audit organization*s work to the
head or deputy head of the government entity, and
c. located organizationally outside the staff or line management function
of the unit under audit.
3.28 If the conditions of paragraph 3.27 are met, the audit organization
should be considered free of organizational impairments to independence to
audit internally and report objectively to the entity*s management.
Further distribution of reports outside the organization should only be
made in accordance with applicable law, rule, regulation, or policy. In
these situations, the fact that the auditors are auditing in their
employing organizations should be clearly reflected in the auditors*
reports. 3.29 Auditors need to be sufficiently removed from political
pressures to ensure
that they can conduct their audits objectively and report their findings,
opinions, and conclusions objectively without fear of political
repercussions. Whenever feasible, auditors within internal audit
organizations should be under a personnel system in which compensation,
training, job tenure, and advancement are based on merit.
3.30 The audit organization*s independence is enhanced when it also
reports regularly to the entity*s independent audit committee and/ or the
appropriate government oversight body.
3.31 When internal audit organizations that are free of organizational
impairments to independence, under the criteria in paragraph 3.27, perform
audits external to the government entities to which they are directly
assigned, such as auditing contractors or outside party agreements, and no
personal or external impairments exist, they may be considered independent
of the audited entities and free to report objectively to the heads or
deputy heads of the government entities to
29 which they are assigned and to parties outside the organizations in
accordance
with applicable law, rule, regulation, or policy.
3.32 The audit organization should document the conditions that allow it
to be considered free of organizational impairments to independence to
report internally. Those conditions should be reviewed during the peer
review to ensure that all the necessary safeguards have been met.
Professional Judgment 3.33 The general standard related to professional
judgment is:
Professional judgment should be used in planning and performing audits and
attestation engagements and in reporting the results.
3.34 This standard requires auditors to exercise reasonable care and
diligence and to observe the principles of serving the public interest and
maintaining the highest degree of integrity, objectivity, and independence
in applying professional judgment to all aspects of their work. This
standard also imposes a responsibility upon each auditor performing work
under GAGAS to observe GAGAS. If auditors state they are performing their
work in accordance with GAGAS, they should justify any departures from
GAGAS.
3.35 Auditors should use professional judgment in determining the type of
assignment to be performed and the standards that apply to the work;
defining the scope of work; selecting the methodology; determining the
type and amount of evidence to be gathered; and choosing the tests and
procedures for their work. Professional judgment also should be applied in
performing the tests and procedures and in evaluating and reporting the
results of the work.
3.36 Professional judgment requires auditors to exercise professional
skepticism, which is an attitude that includes a questioning mind and a
critical assessment of evidence. Auditors use the knowledge, skills, and
experience called for by their profession to diligently perform, in good
faith and with integrity, the gathering of evidence and the objective
evaluation of the sufficiency, competency, and relevancy of evidence.
Since evidence is gathered and evaluated throughout the assignment,
professional skepticism should be exercised throughout the assignment.
3.37 Auditors neither assume that management is dishonest nor assume
unquestioned honesty. In exercising professional skepticism, auditors
should not be satisfied with less than persuasive evidence because of a
belief that management is honest.
3.38 The exercise of professional judgment allows auditors to obtain
reasonable assurance that material misstatements or significant
inaccuracies in data will likely be detected if they exist. Absolute
assurance is not attainable because of the
30 nature of evidence and the characteristics of fraud. Therefore, an
audit or
attestation engagement conducted in accordance with GAGAS may not detect a
material misstatement or significant inaccuracy, whether from error or
fraud, illegal acts, or violations of provisions of contracts or grant
agreements. Accordingly, while this standard places responsibility on each
auditor and audit organization to exercise professional judgment in
planning and performing an assignment, it does not imply unlimited
responsibility, nor does it imply infallibility on the part of either the
individual auditor or the audit organization.
Competence 3.39 The general standard related to competence is:
The staff assigned to perform the audit or attestation engagement should
collectively possess adequate professional competence for the tasks
required.
3.40 This standard places responsibility on audit organizations to ensure
that each audit or attestation engagement is performed by staff who
collectively have the knowledge, skills, and experience necessary for that
assignment. Accordingly, audit organizations should have a process for
recruitment, hiring, continuous development, and evaluation of staff to
assist the organization in maintaining a workforce that has adequate
competence. The nature, extent, and formality of the process will depend
on various factors such as the size of the audit organization, its work,
and its structure.
3.41 The competencies discussed below apply to the knowledge, skills, and
experience of audit organizations and not necessarily to each individual
auditor. An audit organization may need to employ personnel or hire
specialists who are knowledgeable, skilled, or experienced in such areas
as accounting, statistics, law, engineering, audit design and methodology,
information technology, public administration, economics, social sciences,
or actuarial science.
Technical Knowledge and Competence 3.42 Audit organizations should ensure
that staff members assigned to conduct an audit or attestation engagement
under GAGAS should collectively possess the technical knowledge, skills,
and experience necessary to be competent for the type of work being
performed before beginning work on that assignment. Staff
members should collectively possess
a. knowledge of GAGAS applicable to the type of work they are assigned and
the education, skills, and experience to apply such knowledge to the work
being performed;
31
b. general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c. skills to communicate clearly and effectively, both orally and in
writing; and
d. skills appropriate for the work being performed. For example:
(1) if the work requires use of statistical sampling, the staff or
specialists should include persons with statistical sampling skills;
(2) if the work requires extensive review of information systems, the
staff or specialists should include persons with information technology
skills;
(3) if the work involves review of complex engineering data, the staff or
specialists should include persons with engineering skills; or
(4) if the work involves the use of specialized audit methodologies or
analytical techniques, such as the use of complex survey instruments,
actuarial- based estimates, or statistical analysis tests, the staff or
specialists should include persons with skills in those methodologies or
techniques.
Additional Qualifications for Financial Audits and Attestation Engagements
3.43 Auditors performing financial audits should be knowledgeable in
generally accepted accounting principles (GAAP) 33 and the AICPA*s
generally accepted auditing standards for field work and reporting and the
related Statements on Auditing Standards (SAS), and they should be
competent in applying these standards and SASs to the task assigned.
Similarly, when performing an attestation engagement, auditors should be
knowledgeable in the AICPA general attestation standard related to
criteria, and the AICPA attestation standards for field work and reporting
and the related Statements on Standards for Attestation Engagements
(SSAE), and they should be competent in applying these standards and SSAEs
to the task assigned.
3.44 Auditors engaged to perform financial audits or attestation
engagements should be licensed certified public accountants or persons
working for a licensed certified public accounting firm or a government
auditing organization. 34 Public accountants and accounting firms meeting
licensing requirements should also
33 If GAAP is not the basis of accounting being used on a particular
assignment, then auditors should be knowledgeable about the appropriate
accounting principles used, such as regulatory accounting principles. 34
Public accountants licensed on or before December 31, 1970, or persons
working for a public accounting firm licensed on or before December 31,
1970, are also considered qualified under this standard.
32 comply with the applicable provisions of the public accountancy law and
rules of
the jurisdiction( s) where the audit is being performed and the
jurisdiction( s) in which the public accountants and their firms are
licensed.
Continuing Professional Education 3.45 Auditors performing work under
GAGAS, including planning, directing, performing field work, or reporting
on an audit or attestation engagement under GAGAS, need to maintain their
professional competence through continuing professional education (CPE).
Therefore, each auditor performing work under GAGAS should complete, every
2 years, at least 80 hours of CPE that directly enhance the auditor*s
professional proficiency to perform audits and/ or attestation
engagements. 35 At least 24 of the 80 hours of CPE should be in subjects
directly related to government auditing, the government environment, or
the specific or unique environment in which the audited entity operates.
36 At least 20 hours of the 80 should be completed in any 1 year of the 2-
year period.
3.46 CPE may include a variety of topics that contribute to auditors*
proficiency to perform audits and/ or attestation engagements, such as
developments in auditing standards and methodology, accounting principles,
assessment of internal control, principles of management or supervision,
information systems management, audit sampling, financial statement
analysis, evaluation design, and data analysis. It may also include
subjects related to specific fields of work, such as public
administration, public policy and structure, industrial engineering,
finance, economics, social sciences, and information technology.
3.47 The audit organization is responsible for ensuring that auditors meet
the continuing education requirements and should maintain documentation of
the CPE completed. The U. S. General Accounting Office (GAO) has developed
guidance pertaining to CPE requirements to assist auditors and audit
organizations in exercising professional judgment in complying with the
CPE requirements. 37 3.48 External and internal specialists assisting in
performing a GAGAS
assignment should be qualified and should maintain professional competence
in 35 Although staff members must collectively possess the technical
knowledge, skills, and experience necessary to be competent for the type
of work being performed before beginning work on a GAGAS assignment as
discussed in paragraph 3.42, individual auditors have 2 years from the
date they start an audit or attestation engagement conducted under GAGAS
to comply with the CPE requirements. 36 Staff members not involved in
planning, directing, or reporting on the audit or attestation engagement,
and who charge less than 20 percent annually of their time to audits and
attestation engagements following GAGAS, do not have to comply with the
24- hour CPE requirement.
37 This guidance, Interpretation of Continuing Education and Training
Requirements, can be found on GAO*s Government Auditing Standards Web page
(http:// www. gao. gov/ govaud/ ybk01. htm).
33 their areas of specialization but are not required to meet the CPE
requirements
described here. However, auditors who use the work of external and
internal specialists should ensure that such specialists are qualified in
their areas of specialization and should document such assurance.
Quality Control and Assurance 3.49 The general standard related to quality
control and assurance is:
Each audit organization performing audits and/ or attestation engagements
in accordance with GAGAS should have an appropriate internal quality
control system in place and should undergo an external peer review.
3.50 An audit organization*s system of quality control encompasses the
audit organization*s structure and the policies adopted and procedures
established to provide the organization with reasonable assurance of
complying with applicable standards governing audits and attestation
engagements. An audit organization*s internal quality control system
should include procedures for monitoring, on an ongoing basis, whether the
policies and procedures related to the standards are suitably designed and
are being effectively applied.
3.51 The nature and extent of an audit organization*s internal quality
control system depends on a number of factors, such as its size, the
degree of operating autonomy allowed its personnel and its audit offices,
the nature of its work, its organizational structure, and appropriate
cost- benefit considerations. Thus, the systems established by individual
audit organizations will vary as will the need for, and extent of, their
documentation of the systems. However, each audit organization should
prepare appropriate documentation for its system of quality control to
demonstrate compliance with its policies and procedures. The form and
content of such documentation is a matter of judgment. Documentation of
compliance should be retained for a period of time sufficient to enable
those performing monitoring procedures and peer reviews to evaluate the
extent of the audit organization*s compliance with the quality control
policies and procedures.
3.52 Audit organizations performing audits and attestation engagements in
accordance with GAGAS should have an external peer review of their
auditing and attestation engagement practices at least once every 3 years
by reviewers independent of the audit organization being reviewed. 38 The
external peer review should determine whether, during the period under
review, the reviewed audit organization*s internal quality control system
was adequate and whether quality
38 Audit organizations should have an external peer review conducted
within 3 years from the date they start (that is, start of field work)
their first assignment in accordance with GAGAS. Subsequent external peer
reviews should be conducted every 3 years. Extensions of these time frames
beyond 3 months to meet the external peer review requirements can only be
granted by GAO and should only be requested for extraordinary
circumstances.
34 control policies and procedures were being complied with to provide the
audit
organization with reasonable assurance of conforming with applicable
professional standards. Audit organizations should take remedial,
corrective actions as needed based on the results of the peer review.
3.53 Members of the external peer review team should meet the following
requirements:
a. Each review team member should have current knowledge of GAGAS and of
the government environment relative to the work being reviewed.
b. Each review team member should be independent (as defined in GAGAS) of
the audit organization being reviewed, its staff, and the audits and
attestation engagements selected for the external peer review. A review
team or a member of the review team is not permitted to review the audit
organization that conducted its audit organization*s most recent external
peer review.
c. Each review team member should have knowledge on how to perform a peer
review. Such knowledge may be obtained from on- the- job training,
training courses, or a combination of both.
3.54 The peer review should meet the following requirements:
a. The peer review should include a review of the audit organization*s
internal quality control policies and procedures, including related
monitoring procedures, audit and attestation engagement reports, audit and
attest documentation, and other necessary documents (for example,
independence documentation, CPE records, and personnel management files
related to compliance with hiring, performance evaluation, and assignment
policies). The review should also include interviews with various levels
of the reviewed audit organization*s professional staff to assess their
understanding of and compliance with relevant quality control policies and
procedures.
b. The review team should use one of the following approaches to selecting
audits and attestation engagements for review: (1) select audits and
attestation engagements that provide a reasonable cross section of the
assignments performed by the reviewed audit organization in accordance
with GAGAS or (2) select audits and attestation engagements that provide a
reasonable cross section of the reviewed audit organization*s work subject
to quality control requirements, including one or more assignments
performed in accordance with GAGAS.
c. The peer review should be sufficiently comprehensive to provide a
reasonable basis for concluding whether the reviewed audit organization*s
system of quality control was complied with to provide the organization
with reasonable assurance of conforming with professional standards in the
conduct of its work. The review team should consider the adequacy and
results of the reviewed audit organization*s monitoring efforts to
efficiently plan its peer review procedures.
35
d. The review team should prepare a written report( s) communicating the
results of the external peer review. The report should indicate the scope
of the review, including any limitations thereon, and should express an
opinion on whether the system of quality control of the reviewed audit
organization*s audit and/ or attestation engagement practices was adequate
and was being complied with during the year reviewed to provide the audit
organization with reasonable assurance of conforming with professional
standards for audits and attestation engagements. The report should state
the professional standards 39 to which the reviewed audit organization is
being held. The report should also describe the reasons for any
modification of the opinion. When there are matters that resulted in a
modification to the opinion, reviewers should report a detailed
description of the findings and recommendations, either in the peer review
report or in a separate letter of comment or management letter, to enable
the reviewed audit organization to take appropriate actions. The written
report should refer to the letter of comment or management letter if such
a letter is issued along with a modified report.
3.55 Audit organizations seeking to enter into a contract to perform an
assignment in accordance with GAGAS should provide their most recent
external peer review report and any letter of comment, and any subsequent
peer review reports and letters of comment received during the period of
the contract, to the party contracting for the audit or attestation
engagement. Information in the external peer review report and letter of
comment is often relevant to decisions on procuring audit or attestation
engagement services. Auditors who are relying on another audit
organization*s work should request a copy of the audit organization*s peer
review report and any letter of comment, and the audit organization should
provide the peer review report and letter of comment when requested.
3.56 Government audit organizations also should transmit their external
peer review reports to appropriate oversight bodies. It is also
recommended that, upon request, the peer review report and letter of
comment be made available to the public in a timely manner.
39 *Professional standards* refers to both the auditing standards and
quality control standards used by the reviewed audit organization.
36 CHAPTER 4
FIELD WORK STANDARDS FOR FINANCIAL AUDITS Introduction 4.01 This chapter
prescribes field work standards and provides guidance for
financial audits performed in accordance with generally accepted
government auditing standards (GAGAS). Financial audits consist of all
work performed under the American Institute of Certified Public
Accountants* (AICPA) generally accepted auditing standards and governed by
the AICPA Statements on Auditing Standards (SAS). GAGAS incorporate the
AICPA generally accepted field work standards for audits and the related
SASs unless the Comptroller General of the United States excludes them by
formal announcement. 40 This chapter identifies the AICPA field work
standards and prescribes additional standards for financial audits
performed in accordance with GAGAS.
4.02 Financial audits performed in a government environment primarily
include audits of financial statements. 41 The SASs also govern and
provide guidance for other types of financial audits which may be
performed in a government environment, such as compliance auditing,
issuing special reports, 42 audits of service organizations, reviews of
interim financial information, and issuing letters to underwriters and
certain other requesting parties. These other services may be performed in
conjunction with an audit of financial statements.
40 To date, the Comptroller General has not excluded any field work
standards or SASs. 41 The term *financial statements* refers to a
presentation of financial data, including accompanying notes, derived from
accounting records and intended to communicate an entity*s economic
resources or obligations at a point in time or the changes for a period of
time in conformity with an identifiable framework, such as generally
accepted accounting principles (GAAP) or another comprehensive basis of
accounting. Audits of financial statements include all services governed
by the AICPA SASs for which the auditors are engaged to provide a level of
assurance on the fair presentation of financial statements in accordance
with stated criteria.
42 The term *special report* applies to auditors* reports issued in
connection with the following: (1) financial statements that are prepared
in conformity with a comprehensive basis of accounting other than GAAP;
(2) specified elements, accounts, or items of a financial statement; (3)
compliance with aspects of contractual agreements or regulatory
requirements related to audited
financial statements; (4) financial presentations to comply with
contractual agreements or regulatory provisions; or (5) financial
information presented in prescribed forms or schedules that require a
prescribed form of auditor*s report. Under GAGAS, an audit of financial
statements prepared in conformity with a comprehensive basis of accounting
other than GAAP (item 1 above) would be subject to the same GAGAS
requirements applicable to audits of financial statements prepared in
conformity with GAAP.
37 AICPA Field Work Standards 4.03 The three AICPA generally accepted
standards of field work are as follows.
a. The work is to be adequately planned, and assistants, if any, are to be
properly supervised. b. A sufficient understanding of internal control 43
is to be obtained to plan
the audit and to determine the nature, timing, and extent of tests to be
performed. c. Sufficient competent evidential matter is to be obtained
through
inspection, observation, inquiries, and confirmations to afford a
reasonable basis for an opinion regarding the financial statements under
audit.
4.04 Auditors should use professional judgment and consider the needs of
users in applying the AICPA standards and related guidance to audits of a
government entity or an entity that receives government awards. For
example, auditors may need to set lower materiality levels than in audits
in the private sector because of the public accountability of the audited
entity, various legal and regulatory requirements, and the visibility and
sensitivity of government programs. Also, auditors need to be sensitive to
the concerns of oversight officials regarding previously reported internal
control deficiencies of the audited entity and, accordingly, may need to
test the effectiveness of internal controls that have been changed in
response to reported deficiencies even if auditors do not plan to rely on
the effectiveness of such internal controls.
Additional GAGAS Standards 4.05 GAGAS prescribe additional standards for
financial audits that go beyond the requirements contained in the AICPA
SASs. Auditors must comply with these additional standards when citing
GAGAS in their audit reports. The additional GAGAS standards relate to
a. auditor communication (see paragraphs 4.06 through 4.13); 43 The AICPA
standards incorporate the concepts contained in Internal Control *
Integrated Framework, published by the Committee of Sponsoring
Organizations (COSO) of the Treadway Commission. Internal control consists
of five interrelated components, which are (1) control environment, (2)
risk assessment, (3) control activities, (4) information and
communication, and (5) monitoring. The objectives of internal control
relate to (1) financial reporting, (2) operations, and (3) compliance.
Safeguarding of assets is a subset of these objectives. In that respect,
internal control should be designed to provide reasonable assurance
regarding prevention of or prompt
detection of unauthorized acquisition, use, or disposition of assets.
38
b. considering the results of previous audits and attestation engagements
(see paragraphs 4.14 through 4.16);
c. detecting material misstatements resulting from violations of contract
provisions or grant agreements and abuse (see paragraphs 4.17 through
4.19);
d. pursuing indications of fraud, illegal acts, violations of contract
provisions or grant agreements, or abuse (paragraph 4.20);
e. developing elements of a finding for financial audits (see paragraph
4.21); and
f. audit documentation (see paragraphs 4.22 through 4.26). Auditor
Communication 4.06 The standard related to auditor communication for
financial audits performed in accordance with GAGAS is: Auditors should
communicate information regarding the nature, timing, and extent of
planned testing and reporting and the level of assurance provided to
officials of the audited entity and to the individuals contracting for or
requesting the audit.
4.07 AICPA standards and GAGAS require auditors to establish an
understanding with the client and to communicate with audit committees.
GAGAS broaden the parties with whom auditors must communicate and require
auditors to communicate specific information during the planning stages of
a financial audit, including any potential restriction of the auditors*
reports, to reduce the risk that the needs or expectations of the parties
involved may be misinterpreted. Auditors should use their professional
judgment to determine the form, content, and frequency of the
communication, although written communication is preferred. Auditors may
use an engagement letter, if appropriate, to communicate the information.
Auditors should document the communication in their audit documentation.
4.08 Auditors should communicate their responsibilities for the engagement
to the appropriate officials of the audited entity, including
a. the head of the audited entity,
b. the audit committee or board of directors or other equivalent oversight
body in the absence of an audit committee, and
c. the individual who possesses a sufficient level of authority and
responsibility for the financial reporting process, such as the chief
financial officer.
39
4.09 In situations in which auditors are performing the audit under a
contract with a party other than the officials of the audited entity, or
pursuant to a thirdparty request, auditors should also communicate with
the individuals contracting for or requesting the audit, such as
contracting officials or members or staff of legislative committees. When
auditors are performing the audit pursuant to a law or regulation,
auditors should communicate with the members or staff of legislative
committees who have oversight of the auditee. 44 Auditors should
coordinate communications with the responsible government audit
organization and/ or management of the audited entity and may use the
engagement letter to keep interested parties informed. If an audit is
terminated before it is completed, auditors should write a memorandum for
the record that summarizes the results
of the work and explains the reasons why the audit was terminated. In
addition, auditors should communicate the reason for terminating the audit
to management of the audited entity, the entity requesting the audit, and
other appropriate officials, preferably in writing. This communication
should be documented.
4.10 In communicating the nature of services and level of assurance
provided, auditors should specifically address their planned work and
reporting related to testing internal control over financial reporting and
compliance with laws, regulations, and provisions of contracts or grant
agreements. During the planning stages of an audit, auditors should
communicate their responsibilities for testing and reporting on internal
control over financial reporting and compliance with laws, regulations,
and provisions of contracts or grant agreements. Such communication should
include the nature of any additional testing of internal control and
compliance required by laws, regulations, and provisions of contracts or
grant agreements, or otherwise requested, and whether the auditors are
planning on providing opinions on internal control over financial
reporting and compliance with laws, regulations, and provisions of
contracts or grant agreements.
4.11 To assist in understanding the limitations of auditors*
responsibilities for testing and reporting on internal control over
financial reporting and compliance with laws, regulations, and provisions
of contracts or grant agreements, auditors may want to contrast those
responsibilities with other audits of internal control
and compliance. The discussion in paragraphs 4.12 and 4.13 may be helpful
to auditors in explaining their responsibilities for testing and reporting
on internal control over financial reporting and compliance to officials
of the audited entity and other interested parties.
4.12 Tests of internal control over financial reporting and compliance
with laws, regulations, and provisions of contracts or grant agreements in
a financial
44 This requirement applies only to situations where the law or regulation
specifically identifies the entity to be audited, such as an audit of a
specific agency*s financial statements required by the Chief Financial
Officers Act of 1990, as expanded by the Government Management Reform Act
of 1994. Situations in which the mandate to audit financial statements
applies to entities not
specifically identified, such as audits required by the Single Audit Act
Amendments of 1996, are excluded.
40 statement audit contribute to the evidence supporting the auditors*
opinion on the
financial statements or other conclusions regarding financial data.
However, such tests generally are not sufficient in scope to opine on
internal control over financial reporting or compliance with laws,
regulations, and provisions of contracts or grant agreements. To meet
certain audit report users* needs, laws and regulations sometimes
prescribe testing and reporting on internal control over financial
reporting and compliance with laws, regulations, and provisions of
contracts and grant agreements to supplement coverage of these areas. 45
4.13 Even after auditors perform and report the results of additional
tests of
internal control over financial reporting and compliance with laws,
regulations, and provisions of contracts and grant agreements, some
reasonable needs of officials of the audited entity or individuals
contracting for or requesting the audit still may be unmet. Auditors may
meet these needs by performing further tests of internal control and
compliance with laws, regulations, and provisions of contracts or grant
agreements using the AICPA Statements on Standards for Attestation
Engagements and additional GAGAS requirements (see chapter 6), or the
performance audit standards (see chapters 7 and 8), to achieve these
objectives.
Considering the Results of Previous Audits and Attestation Engagements
4.14 The standard related to considering the results of previous audits
and attestation engagements for financial audits performed in accordance
with GAGAS is:
Auditors should consider the results of previous audits and attestation
engagements and follow up on known significant findings and
recommendations that directly relate to the objectives of the audit being
undertaken.
4.15 Auditors should inquire of officials of the audited entity to
identify previous financial audits, attestation engagements, performance
audits, or other studies
45 For example, when engaged to perform audits under the Single Audit Act
Amendments of 1996 for state and local government entities and nonprofit
entities that receive federal awards, auditors should be familiar with the
Office of Management and Budget (OMB) Circular A- 133 on single audits.
The act and circular include specific audit requirements, mainly in the
areas of internal control and compliance with laws and regulations, that
exceed the minimum audit requirements in the standards in chapters 4 and 5
of this document. Audits performed under the Chief Financial
Officers Act of 1990, as expanded by the Government Management Reform Act
of 1994, also have specific audit requirements prescribed by OMB in the
areas of internal control and compliance. In addition, some state and
local governments may have additional audit requirements that the auditors
would need to consider in planning the audit.
41 related to the objectives of the audit being undertaken and to identify
corrective
actions taken to address significant findings and recommendations, 46
including those related to reportable conditions. For example, an audit
report on an entity*s computerized information systems may contain
significant findings that could relate to the financial audit if the
entity uses such systems to process its accounting information. Auditors
should use professional judgment in determining (1) prior periods to be
considered, (2) the level of work necessary to follow up on significant
findings and recommendations that affect the audit, and (3) the effect on
the risk assessment and audit procedures in planning the current audit.
4.16 Providing continuing attention to significant findings and
recommendations is important to ensure that the benefits of the auditors*
work are realized. Ultimately, the benefits of audit work occur when
management of the audited entity takes meaningful and effective corrective
action in response to the auditors* findings and recommendations.
Management of the audited entity is responsible for resolving audit
findings and recommendations directed to them and for having
a process to track their status. If management of the audited entity does
not have such a process, auditors may wish to establish their own process.
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, and Abuse 4.17 The standard related to
violations of contract provisions or grant agreements and abuse for
financial audits performed in accordance with GAGAS is:
a. Auditors should design the audit to provide reasonable assurance of
detecting material misstatements resulting from violations of provisions
of contracts or grant agreements that have a direct and material effect on
the determination of financial statement amounts or other financial data
significant to the audit objectives. If specific information comes to the
auditors* attention that provides evidence concerning the existence of
possible violations of provisions of contracts or grant agreements that
could have a material indirect effect on the determination of financial
statement amounts or other financial data significant to the audit
objectives, auditors should apply audit procedures specifically directed
to ascertain whether violations of provisions of contracts or grant
agreements have occurred or are likely to have occurred. 46 Significant
findings and recommendations are those matters that, if not corrected,
could affect the results of the auditors* work and the auditors*
conclusions and recommendations about those results.
42
b. Auditors should be alert to situations or transactions that could be
indicative of abuse, and if indications of abuse exist that could
significantly affect the financial statement amounts or other financial
data, auditors should apply audit procedures specifically directed to
ascertain whether abuse has occurred and the effect on the financial
statement amounts or other financial data.
4.18 AICPA standards and GAGAS require auditors to assess the risk of
material misstatements of financial statement amounts or other financial
data significant 47 to the audit objectives due to fraud and to consider
that assessment in designing
the audit procedures to be performed. 48 Auditors are also required to
design the audit to provide reasonable assurance of detecting material
misstatements resulting from direct and material illegal acts (violations
of laws and regulations) and to be aware of the possibility that indirect
illegal acts 49 may have occurred. 50 Under GAGAS, auditors have the same
responsibilities for detecting material misstatements arising from
violations of provisions of contracts or grant
agreements as they do for detecting those arising from fraud and illegal
acts. Auditors should design the audit to provide reasonable assurance of
detecting material misstatements resulting from direct and material
violations of provisions of contracts or grant agreements. If specific
information comes to the auditors* attention that provides evidence
concerning the existence of possible violations of provisions of contracts
or grant agreements that could have a material indirect effect on the
financial statements or significant indirect effect on other financial
data needed to achieve audit objectives, auditors should apply audit
procedures specifically directed to ascertain whether violations have
occurred or are likely to have occurred.
4.19 Abuse is distinct from fraud, illegal acts, and violations of
provisions of contracts or grant agreements. When abuse occurs, no law,
regulation, or provision of a contract or grant agreement is violated.
Rather, the conduct of a
47 The terms *material* and *significant* are synonymous under GAGAS.
*Material* is used in the AICPA standards in relation to audits of
financial statements. *Significant* is used in relation to other types of
audits governed by GAGAS, such as performance audits, where the term
*material* is generally not used.
48 Two types of misstatements are relevant to the auditors* consideration
of fraud in an audit of financial statements* misstatements arising from
fraudulent financial reporting and misstatements arising from
misappropriation of assets. The primary factor that distinguishes fraud
from error is whether the underlying action that results in the
misstatement in the financial statements is intentional or unintentional.
49 Indirect illegal acts are violations of laws and regulations having
material but indirect effects on the financial statements. 50 Whether a
particular act is, in fact, illegal may have to await final determination
by a court of law or other adjudicative body. Thus, when auditors disclose
matters that have led them to conclude that an illegal act is likely to
have occurred, they should not imply that they have made a determination
of illegality.
43 program or entity falls far short of behavior that is expected to be
reasonable and
necessary business practices by a prudent person. 51 Auditors should be
alert to situations or transactions that could be indicative of abuse.
When information comes to the auditors* attention (through audit
procedures, allegations received through a fraud hotline, or other means)
indicating that abuse may have occurred, auditors should consider whether
the possible abuse could affect the financial statement amounts or other
financial data significantly. If indications of possible abuse exist that
significantly affect the financial statement amounts or other financial
data, the auditors should extend the audit steps and procedures, as
necessary, to (1) determine whether the abuse occurred and, if so, (2)
determine its effect on the financial statement amounts or other financial
data. Auditors should consider both quantitative and qualitative factors
in making judgments regarding the materiality of possible abuse and
whether they need to extend the audit steps and procedures. However,
because the determination of abuse is subjective, auditors are not
expected to provide reasonable assurance of detecting abuse.
4.20 Auditors should exercise professional judgment in pursuing
indications of possible fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, in order not to interfere with
potential investigations, legal proceedings, or both. Under some
circumstances, laws, regulations, or policies require auditors to report
indications of certain types of fraud, illegal acts, violations of
provisions of contracts or grant agreements, and abuse to law enforcement
or investigatory authorities before extending audit steps and procedures.
Auditors may also be required to withdraw from or defer further work on
the engagement or a portion of the engagement in order not to interfere
with an investigation.
Developing Elements of a Finding 4.21 Audit findings, such as deficiencies
in internal control, fraud, illegal acts, violations of provisions of
contracts or grant agreements, and abuse, have often been regarded as
containing the elements of criteria, condition, and effect, plus cause
when problems are found. However, the elements needed for a finding depend
entirely on the objectives of the audit. Thus, a finding or set of
findings is complete to the extent that the audit objectives are
satisfied. When problems are identified, to the extent possible, auditors
should plan audit procedures to develop the elements of a finding to
facilitate developing the auditors* report. (See paragraph 5.15 for a
description of the elements of a finding.)
51 For example, in a financial statement audit, auditors might find abuse
when examining sensitive payments such as travel of senior management
officials to locations chosen for personal reasons rather than less costly
locations which would have been appropriate to satisfy the business
objectives of the travel. While auditors generally will not view travel
expenses of senior management officials as quantitatively material to the
financial statements, this expense generally would be considered
qualitatively material to the financial statements.
44 Audit Documentation 4.22 The standard related to audit documentation
for financial audits performed
in accordance with GAGAS is:
Audit documentation related to planning, conducting, and reporting on the
audit should contain sufficient information to enable an experienced
auditor who has had no previous connection with the audit to ascertain
from the audit documentation the evidence that supports the auditors*
significant judgments and conclusions. Audit documentation should contain
support for findings, conclusions, and recommendations before
auditors issue their report. 4.23 AICPA standards and GAGAS require
auditors to prepare and maintain audit documentation. The form and content
of audit documentation should be designed to meet the circumstances of the
particular audit. The information contained in audit documentation
constitutes the principal record of the work that the auditors have
performed in accordance with professional standards and the conclusions
that the auditors have reached. The quantity, type, and content of audit
documentation are a matter of the auditors* professional judgment.
4.24 Audit documentation serves to (1) provide the principal support for
the auditors* report, (2) aid auditors in conducting and supervising the
audit, and (3) allow for the review of audit quality. The preparation of
audit documentation should be appropriately detailed to provide a clear
understanding of its purpose and source and the conclusions the auditors
reached, and it should be appropriately organized to provide a clear link
to the findings, conclusions, and recommendations contained in the audit
report. Audit documentation for financial audits performed under GAGAS
should contain the following additional audit documentation requirements
not explicitly addressed in the AICPA standards or elsewhere in GAGAS:
a. the objectives, scope, and methodology of the audit.
b. the auditors* determination that certain additional government auditing
standards do not apply or that an applicable standard was not followed,
the reasons therefor, and the known effect that not following the
applicable standard had, or could have had, on the audit.
c. the auditors* consideration that the planned audit procedures are
designed to achieve audit objectives when evidential matter obtained is
highly dependent on computerized information systems and is material to
the objective of the audit and that the auditors are not relying on the
effectiveness of internal control over those computerized systems that
produced the information. The audit documentation should specifically
address (1) the rationale for determining the nature, timing, and extent
of planned audit procedures; (2) the kinds and
45 competence of available evidential matter produced outside a
computerized
information system and/ or plans for direct testing of data produced from
a computerized information system; and (3) the effect on the audit report
if evidential matter to be gathered does not afford a reasonable basis for
achieving the objectives of the audit. 52 d. evidence of supervisory
review, before the audit report is issued, of the work performed that
supports findings, conclusions, and recommendations contained
in the audit report.
4.25 Underlying GAGAS audits is the premise that federal, state, and local
governments and other organizations cooperate in auditing programs of
common interest so that auditors may use others* work and avoid
duplication of audit efforts. Auditors should make arrangements to make
audit documentation available, upon request, in a timely manner to other
auditors or reviewers. Contractual arrangements for GAGAS audits should
provide for full and timely access to audit documentation to facilitate
reliance by others on the auditors* work.
4.26 Audit organizations need to adequately safeguard the audit
documentation associated with any particular engagement. Audit
organizations should develop clearly defined policies and criteria to deal
with situations where requests are made by outside parties to obtain
access to audit documentation, especially in connection with situations
where an outside party attempts to obtain indirectly through the auditor
what they are unable to obtain directly from the audited
entity. Such policies will need to consider applicable laws and
regulations applying to the audit organizations or the audited entity.
52 This documentation requirement does not increase the auditors*
responsibility for testing internal control but is intended to assist the
auditors in ensuring that audit objectives are met and audit risk is
reduced to an acceptable level.
46 CHAPTER 5
REPORTING STANDARDS FOR FINANCIAL AUDITS Introduction 5.01 This chapter
prescribes reporting standards and provides guidance for
financial audits performed in accordance with generally accepted
government auditing standards (GAGAS). Financial audits consist of all
work performed under the American Institute of Certified Public
Accountants* (AICPA) generally accepted auditing standards and related
Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA
reporting standards and SASs unless the Comptroller General of the United
States excludes them by formal announcement. 53 This chapter identifies
the AICPA reporting standards and
prescribes additional standards for financial audits performed in
accordance with GAGAS.
5.02 Financial audits performed in a government environment primarily
include audits of financial statements. The AICPA SASs also govern and
provide guidance for other types of financial audits that may be performed
in a government environment, such as compliance auditing, issuing special
reports, audits of service organizations, reviews of interim financial
information, and issuing letters to underwriters and certain other
requesting parties. These other services may be performed in conjunction
with an audit of financial statements.
AICPA Reporting Standards 5.03 The four AICPA generally accepted standards
of reporting are as follows.
a. The report shall state whether the financial statements are presented
in accordance with generally accepted accounting principles.
b. The report shall identify those circumstances in which such principles
have not been consistently observed in the current period in relation to
the preceding period.
c. Informative disclosures in the financial statements are to be regarded
as reasonably adequate unless otherwise stated in the report.
d. The report shall either contain an expression of opinion regarding the
financial statements, taken as a whole, or an assertion to the effect that
an opinion cannot be expressed. When an overall opinion cannot be
expressed, the reasons therefor should be stated. In all cases where an
auditor*s name is associated with financial statements, the report should
53 To date, the Comptroller General has not excluded any reporting
standards or SASs.
47
contain a clear- cut indication of the character of the auditor*s work, if
any, and the degree of responsibility the auditor is taking.
Additional GAGAS Reporting Standards for Financial Audits 5.04 GAGAS
prescribe additional reporting standards for financial audits that go
beyond the requirements contained in the AICPA SASs. Auditors must comply
with these additional standards when citing GAGAS in their audit reports.
The additional GAGAS standards relate to
a. reporting auditors* compliance with GAGAS (see paragraphs 5.05 through
5.07);
b. reporting on internal control and on compliance with laws, regulations,
and provisions of contracts or grant agreements (see paragraphs 5.08
through 5.11);
c. reporting deficiencies in internal control, fraud, illegal acts,
violations of provisions of contracts or grant agreements, and abuse (see
paragraphs 5.12 through 5.25);
d. reporting views of responsible officials (see paragraph 5.26 through
5.30);
e. reporting privileged and confidential information (see paragraphs 5.31
through 5.33); and
f. report issuance and distribution (see paragraphs 5.34 through 5.38).
Reporting Auditors* Compliance with GAGAS 5.05 The standard related to
reporting auditors* compliance with GAGAS for financial audits performed
in accordance with GAGAS is:
Audit reports should state that the audit was performed in accordance with
GAGAS.
5.06 When the report on the financial audit is submitted to comply with a
legal, regulatory, or contractual requirement for a GAGAS audit, or when
GAGAS are voluntarily followed, the report should specifically cite GAGAS
and may also cite AICPA standards. *GAGAS* refers to all the applicable
standards that the auditors should follow during the audit, and the
statement of compliance should be qualified in situations in which the
auditors did not follow an applicable standard. In these situations, the
auditors should disclose in the scope section of the report the applicable
standard that was not followed, the reasons therefor, and how not
following the standard affected, or could have affected, the results of
the audit. In assessing the impact on the results of the audit of not
following an applicable
48 standard, auditors may need to qualify the assurances provided,
disclaim from providing any assurances, or withdraw from the audit.
5.07 An audited entity receiving a GAGAS audit report may also request
auditors to issue a financial audit report for purposes other than
complying with requirements calling for a GAGAS audit. For example, the
audited entity may need audited financial statements to issue bonds or for
other financing purposes. GAGAS do not prohibit auditors from issuing a
separate report conforming only to the requirements of AICPA standards.
When a GAGAS audit is the basis for an auditor*s subsequent report under
the AICPA standards, it would be advantageous
to users of the subsequent report for the auditors* report to include the
information on internal control, compliance with laws, regulations, and
provisions of contracts or grant agreements, fraud, and abuse that is
required by GAGAS but not required by AICPA standards.
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements 5.08 The standard related
to reporting on internal control and compliance for financial statement
audits performed in accordance with GAGAS is:
When providing an opinion or a disclaimer on financial statements,
auditors should include in their report on the financial statements either
a (1) description of the scope of the auditors* testing of internal
control over financial reporting and compliance with laws, regulations,
and provisions of contracts or grant agreements and the results of those
tests or an opinion, if sufficient work was performed or (2) reference to
the separate report( s) containing that information. If auditors report
separately, the opinion or disclaimer should contain a reference to the
separate report containing this information and state that the separate
report is an integral part of the audit and should be considered in
assessing the results of the audit.
5.09 For audits of financial statements in which auditors provide an
opinion or disclaimer, auditors should report the scope of their testing
of internal control over financial reporting and of compliance with laws,
regulations, and provisions of contracts or grant agreements including
whether or not the tests they performed provided sufficient evidence to
support an opinion on the effectiveness of internal control over financial
reporting and on compliance with laws, regulations, and provisions of
contracts or grant agreements.
5.10 Auditors may report on internal control over financial reporting and
on compliance with laws, regulations, and provisions of contracts or grant
agreements in the opinion or disclaimer on the financial statements or in
a separate report or reports. When auditors report on internal control
over financial
49 reporting and compliance as part of the opinion or disclaimer on the
financial
statements, they should include an introduction summarizing key findings
in the audit of the financial statements and the related internal control
and compliance work. Auditors should not issue this introduction as a
stand- alone report.
5.11 When auditors report separately (including separate reports bound in
the same document) on internal control over financial reporting and
compliance with laws and regulations and provisions of contracts or grant
agreements, the opinion or disclaimer on the financial statements should
state that the auditors are issuing those additional reports. The opinion
or disclaimer on the financial statements should also state that the
reports on internal control over financial reporting and compliance with
laws and regulations and provisions of contracts or grant agreements are
an integral part of a GAGAS audit and should be considered in assessing
the results of the audit. Reporting Deficiencies in Internal Control,
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse 5.12 The standard related to reporting deficiencies
in internal control, fraud,
illegal acts, violations of provisions of contracts or grant agreements,
and abuse for financial audits performed in accordance with GAGAS is:
For financial audits, including audits of financial statements in which
the auditor provides an opinion or disclaimer, auditors should report, as
applicable to the objectives of the audit, (1) deficiencies in internal
control considered to be reportable conditions as defined in AICPA
standards, (2) all instances of fraud and illegal acts unless clearly
inconsequential, 54 and (3) significant violations of provisions of
contracts or grant agreements and abuse. In some circumstances, auditors
should report fraud, illegal acts, violations of provisions of contracts
or grant agreements, and abuse directly to parties external to the audited
entity.
54 If the auditor is performing an audit in accordance with OMB Circular
A- 133, Audits of States, Local Governments, and Non- Profit
Organizations, the thresholds for reporting are defined in the circular.
These reporting thresholds are sufficient to meet the requirements of
GAGAS.
50 Reporting Deficiencies in Internal Control 5.13 For all financial
audits, auditors should report deficiencies in internal control
considered to be reportable conditions as defined in AICPA standards. 55
The following are examples of matters that may be reportable conditions:
a. absence of appropriate segregation of duties consistent with
appropriate control objectives;
b. absence of appropriate reviews and approvals of transactions,
accounting entries, or systems output;
c. inadequate provisions for the safeguarding of assets;
d. evidence of failure to safeguard assets from loss, damage, or
misappropriation;
e. evidence that a system fails to provide complete and accurate output
consistent with the control objectives of the audited entity because of
the misapplication of control activities;
f. evidence of intentional override of internal control by those in
authority to the detriment of the overall objectives of the system;
g. evidence of failure to perform tasks that are a significant part of
internal control, such as reconciliations not prepared or not timely
prepared;
h. a weakness in the control environment at an entity such as the absence
of a sufficient positive and supportive attitude towards internal control
by management within the organization;
i. deficiencies in the design or operation of internal control that could
result in violations of laws, regulations, provisions of contracts or
grant agreements; fraud; or abuse having a direct and material effect on
the financial statements or the audit objectives; and
j. failure to follow up and correct previously identified deficiencies in
internal control.
5.14 When reporting deficiencies in internal control, auditors should
identify those reportable conditions that are individually or in the
aggregate considered to
55 AICPA standards define reportable conditions as significant
deficiencies in the design or operation of internal control that could
adversely affect the entity*s ability to record, process, summarize, and
report financial data consistent with the assertions of management in the
financial statements.
51 be material weaknesses. 56 Auditors should place their findings in
proper
perspective by providing a description of the work performed that resulted
in the finding. To give the reader a basis for judging the prevalence and
consequences of these findings, the instances identified should be related
to the population or the number of cases examined and be quantified in
terms of dollar value, if appropriate.
5.15 To the extent possible, in presenting audit findings such as
deficiencies in internal control, auditors should develop the elements of
criteria, condition, cause, and effect to assist management or oversight
officials of the audited entity in understanding the need for taking
corrective action. In addition, if auditors are able to sufficiently
develop the findings, they should provide recommendations for corrective
action. Following is guidance for reporting on elements of findings.
a. Criteria: An audit report is improved when it provides information so
that the report user will be able to determine what is the required or
desired state or what is expected from the program or operation. The
criteria are easier to understand when stated fairly, explicitly, and
completely, and the source of the criteria is identified in the audit
report. 57 b. Condition: The audit report is improved when it provides
evidence of what the
auditors found regarding the actual situation. Reporting the scope or
extent of the condition allows the report user to gain an accurate
perspective.
c. Cause: The audit report is improved when it provides persuasive
evidence on the factor or factors responsible for the difference between
condition and criteria. In reporting the cause, auditors may consider
whether the evidence provides a reasonable and convincing argument for why
the stated cause is the key factor or factors contributing to the
difference as opposed to other possible causes, such as poorly designed
criteria or factors uncontrollable by program management. The auditors
also may consider whether the identified cause could serve as a basis for
the recommendations.
56 The AICPA standards define a material weakness as a reportable
condition in which the design or operation of one or more of the internal
control components does not reduce to a relatively low level the risk that
misstatements caused by error or fraud in amounts that would be material
in relation to the financial statements being audited may occur and not be
detected within a timely period by employees in the normal course of
performing their assigned functions.
57 Common sources for criteria include laws, regulations, policy,
procedures, and best or standard practice. The Standards for Internal
Control in the Federal Government, GAO/ AIMD- 00- 21. 3. 1 (Washington, D.
C.: Nov. 1999) and Internal Control* Integrated Framework, published by
the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can use to support
their judgments and conclusions about internal control. The related
Internal Control Management and Evaluation Tool (GAO- 01- 1008G, Aug.
2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.
52
d. Effect: The audit report is improved when it provides a clear, logical
link to establish the impact of the difference between what the auditors
found (condition) and what should be (criteria). Effect is easier to
understand when it is stated clearly, concisely, and, if possible, in
quantifiable terms. The significance of the reported effect can be
demonstrated through credible evidence.
5.16 When auditors detect deficiencies in internal control that are not
reportable conditions, they should communicate those deficiencies
separately in a management letter to officials of the audited entity
unless the deficiencies are clearly inconsequential considering both
quantitative and qualitative factors. Auditors should refer to that
management letter in the report on internal control.
Auditors should use their professional judgment in deciding whether or how
to communicate to officials of the audited entity deficiencies in internal
control that are clearly inconsequential. Auditors should include in their
audit documentation evidence of all communications to officials of the
audited entity about deficiencies in internal control found during the
audit.
Reporting Fraud, Illegal Acts, Violations of Provisions of Contracts or
Grant Agreements, and Abuse 5.17 AICPA standards and GAGAS require
auditors to address the effect fraud or illegal acts may have on the audit
report and to determine that the audit committee or others with equivalent
authority and responsibility are adequately informed about the fraud or
illegal acts. GAGAS further require that this information be in writing
and also include reporting on significant violations of provisions of
contracts or grant agreements and significant abuse. 58 Therefore, when
auditors conclude, on the basis of evidence obtained, that fraud, an
illegal act, a significant violation of a contract or grant agreement, or
significant abuse either has occurred or is likely to have occurred, 59
they should include in their audit report the relevant information. 60
5.18 When reporting instances of fraud, illegal acts, violations of
provisions of
contracts or grant agreements, or abuse, auditors should place their
findings in proper perspective by providing a description of the work
performed that resulted in the finding. To give the reader a basis for
judging the prevalence and consequences of these findings, the instances
identified should be related to the
58 See paragraph 4.19 for a discussion of abuse. 59 Whether a particular
act is, in fact, illegal may have to await final determination by a court
of law or other adjudicative body. Thus, when auditors disclose matters
that have led them to conclude that an illegal act is likely to have
occurred, they should not unintentionally imply that a final determination
of illegality has been made.
60 Auditors should include information about fraud or abuse in the audit
reports required by paragraph 5.08 as applicable to internal control and
compliance with laws, regulations, and provisions of contracts and grant
agreements.
53 population or the number of cases examined and be quantified in terms
of dollar
value, if appropriate. If the results cannot be projected, auditors should
limit their conclusion to the items tested.
5.19 To the extent possible, auditors should develop in their report the
elements of criteria, condition, effect, and cause when fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse
is found. Auditors should develop their findings following the guidance
for reporting deficiencies in internal control in paragraph 5.15.
5.20 When auditors detect violations of provisions of contracts or grant
agreements or abuse that is not material, they should communicate those
findings in a management letter to officials of the audited entity unless
the findings are clearly inconsequential considering both qualitative and
quantitative factors. Auditors should refer to that management letter in
their audit report on compliance. Auditors should use their professional
judgment in determining whether and how to communicate to officials of the
audited entity fraud, illegal acts, violations of provisions of contracts
or grant agreements, or abuse that is clearly inconsequential. Auditors
should include in their audit documentation evidence of all communications
to officials of the audited entity about fraud, illegal acts, violations
of provisions of contracts or grant agreements, and abuse.
Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, and Abuse 5.21 GAGAS require auditors to
report fraud, illegal acts, violations of provisions of contracts or grant
agreements, and abuse directly to parties outside the audited entity in
two circumstances, as discussed below. 61 These requirements are in
addition to any legal requirements for direct reporting of fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse.
Auditors should meet these requirements even if they have resigned or been
dismissed from the audit prior to its completion.
5.22 The audited entity may be required by law or regulation to report
certain fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse to specified external parties, such as a
federal inspector general or a state attorney general. If auditors have
communicated such fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to the
audited entity and the audited entity fails to report them, then the
auditors should communicate such an awareness to the governing body of the
audited entity. If the audited entity does not make the required report as
soon as practicable after the auditors* communication with the entity*s
governing body, then the auditors 61 Internal audit organizations do not
have a duty to report outside that entity unless required by law, rule,
regulation, or policy. See paragraph 3. 28 for reporting requirements for
internal audit organizations when reporting externally.
54 should report such fraud, illegal acts, violations of provisions of
contracts or grant
agreements, or abuse directly to the external party specified in the law
or regulation. 5.23 Management of the audited entity is responsible for
taking timely and
appropriate steps to remedy fraud, illegal acts, violations of provisions
of contracts or grant agreements, or abuse that auditors report to it.
When fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse involves awards received directly or indirectly from
a government agency, auditors may have a duty to report directly if
management fails to take remedial steps. If auditors conclude that such
failure is likely to cause them to depart from the standard report on the
financial statements or resign from the audit, they
should communicate that conclusion to the governing body of the audited
entity. Then, if the audited entity does not report the fraud, illegal
act, violation of provisions of contracts or grant agreements, or abuse as
soon as practicable to the entity that provided the government assistance,
the auditors should report the fraud, illegal act, violation of provisions
of contracts or grant agreements, or abuse directly to that entity.
5.24 In these situations, auditors should obtain sufficient, competent,
and relevant evidence, such as confirmation from outside parties, to
corroborate assertions by management that it has reported fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse.
If they are unable to do so, then the auditors should report such fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse directly as discussed above.
5.25 Laws, regulations, or policies may require auditors to report
promptly indications of certain types of fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities. In such circumstances, when
auditors conclude that this type of fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse either has occurred
or is likely to have occurred, they should ask those authorities and/ or
legal counsel if publicly reporting certain information about the
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse would compromise investigative or legal
proceedings. Auditors should limit their public reporting to matters that
would not compromise those proceedings, such as information that is
already a part of the public record.
Reporting Views of Responsible Officials 5.26 The standard related to
reporting the views of responsible officials for financial audits
performed in accordance with GAGAS is:
If the auditors* report discloses deficiencies in internal control, fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse, auditors should obtain and report the views of responsible
officials
55
concerning the findings, conclusions, and recommendations, as well as
planned corrective actions.
5.27 One of the most effective ways to ensure that a report is fair,
complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials results in a
report that presents not only the deficiencies in internal control, fraud,
illegal acts, violations of provisions of contracts or grant provisions,
or abuse the auditors identified but also what the responsible officials
of the audited entity think about the deficiencies in internal control,
fraud, illegal acts, violations of provisions of contracts or grant
provisions, or abuse and what corrective actions officials of the audited
entity plan to take. Auditors should include in their report a copy of the
officials* written comments or a summary of the comments received.
5.28 Auditors should normally request that the responsible officials
submit in writing their views on the auditors* reported findings,
conclusions, and recommendations, as well as management*s planned
corrective actions. Oral comments are acceptable as well, and, in some
cases, may be the only or most expeditious way to obtain comments. Cases
in which obtaining oral comments can be effective include when there is a
time- critical requirement to meet a user*s needs; auditors have worked
closely with the responsible officials throughout the conduct of the work
and the parties are very familiar with the findings and issues addressed
in the draft report; or the auditors do not expect major disagreements
with the draft report*s findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed in
the draft report. Auditors should prepare a summary of the officials* oral
comments and provide a copy of the summary to officials of the audited
entity to verify that the comments are accurately stated prior to
finalizing the report.
5.29 Comments should be fairly and objectively evaluated and recognized,
as appropriate, in the final report. Comments, such as a promise or plan
for corrective action, should be noted but should not be accepted as
justification for deleting a significant finding or a related
recommendation.
5.30 When the audited entity*s comments oppose the report*s findings,
conclusions, or recommendations, and are not, in the auditors* opinion,
valid, or when planned corrective actions do not adequately address the
auditors* recommendations, the auditors should state their reasons for
disagreeing with the comments or planned corrective actions. The auditors*
disagreement should be stated in a fair and objective manner. Conversely,
the auditors should modify their report as necessary if they find the
comments valid.
56 Reporting Privileged and Confidential Information 5.31 The standard
related to reporting privileged and confidential information for
financial audits performed in accordance with GAGAS is:
If certain pertinent information is prohibited from general disclosure,
the audit report should state the nature of the information omitted and
the requirement that makes the omission necessary.
5.32 Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. In such circumstances,
auditors may issue a separate limited- official- use report containing
such information and distribute the report only to persons authorized by
law or regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded from
publicly available reports because of the potential damage that could be
caused by the misuse of this information. In such circumstances, auditors
may issue a limited- official- use report containing such information and
distribute the report only to those parties responsible for acting on the
auditors* recommendations. The auditors should, when appropriate, consult
with legal counsel regarding any requirements or other circumstances that
may necessitate the omission of certain information.
5.33 Auditors* judgments that certain information should be excluded from
publicly available reports should be made in a manner consistent with
consideration of the broader public interest in the program or activity
under review. Auditors need to weigh the need to reveal all significant
facts known to them that, if not revealed, could either distort the
results or conceal improper or unlawful practice against any requirements
or other circumstances that may necessitate the omission of certain
information. If auditors make the judgment that certain information should
be excluded from a publicly available report, they should state the
general nature of the information omitted and the reasons that make the
omission necessary in the report.
Report Issuance and Distribution 5.34 The standard related to report
issuance and distribution for financial audits performed in accordance
with GAGAS is:
Government auditors should submit audit reports to the appropriate
officials of the audited entity and to appropriate officials of the
organizations requiring or arranging for the audits, including external
funding organizations such as legislative bodies, unless legal
restrictions prevent it. Auditors should also send copies of the reports
to other
57
officials who have legal oversight authority or who may be responsible for
acting on audit findings and recommendations and to others authorized to
receive such reports. Unless the report is restricted by law or
regulation, or contains privileged and confidential information, auditors
should clarify that copies are made available for public inspection.
Nongovernment auditors should clarify report distribution responsibilities
with the party contracting for the audit and follow the agreements
reached.
5.35 Audit reports should be distributed in a timely manner to officials
interested in the results. 62 Such officials include those designated by
law or regulation to receive such reports, those responsible for acting on
the findings and recommendations contained in the report, those in other
levels of government that have provided assistance to the audited entity,
and legislators. However, if the subject of the audit involves material
that is classified for security purposes or not releasable to particular
parties or the public for other valid reasons, auditors should limit the
report distribution. See paragraphs 5.31 through 5.33 for additional
guidance on limited report distribution when reports contain privileged or
confidential information. The availability of the report for public
inspection should be documented in the audit documentation.
5.36 When public accountants are engaged to conduct an audit under GAGAS,
they should clarify report distribution responsibilities with the engaging
organization. If the public accountants are to make the distribution, the
engagement agreement should indicate which officials or organizations
should receive the report and other steps being taken to ensure the
availability of the report for public inspection. The availability of the
report for public inspection should be documented in the audit
documentation.
5.37 Internal auditors should follow their entity*s own arrangements and
statutory requirements for distribution. Usually, they report to their
entity*s head or deputy head, who are responsible for distribution of the
report. Further distribution of reports outside the organization should be
made in accordance with applicable laws, rules, regulations, or policy.
5.38 If an audit is terminated before it is completed but the auditors do
not issue
an audit report, auditors should write a memorandum for the record that
summarizes the results of the work to the date of termination and explains
why the audit was terminated. In addition, auditors should communicate the
reasons for terminating the audit to management of the audited entity, the
entity requesting the audit, and other appropriate officials, preferably
in writing. This communication should be documented.
62 See the Single Audit Act Amendments of 1996 and Office of Management
and Budget (OMB) Circular A- 133 on single audits for the distribution of
reports on single audits of state and local governmental entities and
nonprofit organizations that receive federal awards.
58 CHAPTER 6
GENERAL, FIELD WORK, AND REPORTING STANDARDS FOR ATTESTATION ENGAGEMENTS
Introduction 6.01 This chapter prescribes standards and provides guidance
for attestation engagements performed in accordance with generally
accepted government auditing standards (GAGAS). Attestation engagements
consist of work governed by the American Institute of Certified Public
Accountants* (AICPA) standards for attestation engagements. GAGAS
incorporate the AICPA general standard on criteria, its field work
standards, and its reporting standards for attestation engagements, as
well as the AICPA Statements on Standards for Attestation Engagements
(SSAE), unless the Comptroller General of the United States excludes them
by formal announcement. 63 This chapter identifies the AICPA general
standard on criteria, 64 field work standards, and reporting standards for
attestation engagements and prescribes additional standards for
attestation engagements performed in accordance with GAGAS. In addition to
the AICPA general standard on criteria, auditors should also follow all of
the general standards for work performed under GAGAS, as discussed in
chapter 3.
6.02 In an attestation engagement, auditors issue an examination, a
review, or an agreed- upon procedures report on a subject matter, or an
assertion about a subject matter, that is the responsibility of another
party. Attestation engagements can cover a broad range of financial or
nonfinancial objectives 65 and can be part of an audit or a separate
engagement. The three levels of attestation engagements include the
following.
a. Examination: Auditors perform sufficient testing to express an opinion
on whether the subject matter is based on (or in conformity with) the
criteria in all material respects or the assertion is presented (or fairly
stated), in all material respects, based on the criteria.
b. Review: Auditors perform sufficient testing to express a conclusion
about whether any information came to the auditors* attention on the basis
of the work performed that indicates the subject matter is not based on
(or in conformity
63 To date, the Comptroller General has not excluded any field work
standards, reporting standards, or SSAEs. 64 GAGAS incorporate only one of
the AICPA general standards for attestation engagements. 65 See chapter 2
for examples of subjects of attestation engagements.
59 with) the criteria or the assertion is not presented (or fairly stated)
in all material
respects based on the criteria. 66 c. Agreed- Upon Procedures: Auditors
perform testing to issue a report of findings based on specific procedures
performed on subject matter. AICPA General and Field Work Standards for
Attestation Engagements 6.03 The AICPA general standard related to
criteria states the following: The practitioner [auditor] shall perform an
engagement only if he or she
has reason to believe that the subject matter is capable of evaluation
against criteria that are suitable and available to users.
6.04 The two AICPA field work standards for attestation engagements are as
follows: a. The work shall be adequately planned and assistants, if any,
shall be
properly supervised. b. Sufficient evidence shall be obtained to provide a
reasonable basis for the conclusion that is expressed in the report.
Additional GAGAS Field Work Standards For Attestation Engagements 6.05
GAGAS prescribe additional attestation engagement field work standards
that go beyond the requirements contained in the AICPA SSAEs. Auditors
must comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS field work standards
relate to:
a. auditor communication (see paragraphs 6.06 through 6.09);
b. considering the results of previous audits and attestation engagements
(see paragraphs 6.10 through 6.12);
c. internal control (see paragraphs 6.13 and 6.14);
d. detecting fraud, illegal acts, violations of contract provisions or
grant agreements, and abuse that could have a material effect on the
subject matter (see paragraphs 6.15 through 6.20);
66 As stated in the AICPA SSAEs, auditors should not perform review- level
work for reporting on internal control or compliance with laws and
regulations.
60
e. developing elements of findings for attestation engagements (paragraph
6.21); and f. attest documentation (see paragraphs 6.22 through 6.26).
Auditor Communication 6.06 The standard related to auditor communication
for attestation engagements performed in accordance with GAGAS is:
Auditors should communicate information regarding the nature, timing, and
extent of planned testing and reporting on the subject matter or assertion
about the subject matter, including the level of assurance provided, to
officials of the audited entity and to the individuals contracting for or
requesting the attestation engagement.
6.07 During the planning stages of an attestation engagement, auditors
should communicate to officials of the audited entity and to individuals
contracting for or requesting the services information regarding the
nature, timing, and extent of testing and reporting including the level of
assurance provided and any potential restriction of reports associated
with the different levels of assurance services, to reduce the risk that
the needs or expectations of the parties involved may be misinterpreted.
See paragraph 6.02 for a discussion of the levels of attestation services.
Auditors should use their professional judgment to determine the form and
content of the communication, although written communication is preferred.
Auditors may use an engagement letter, if appropriate, to communicate the
information. If the attestation engagement is part of a larger audit, this
information may be communicated as part of that audit. Auditors should
document the communication in their attest documentation.
6.08 Auditors should communicate their responsibilities for the engagement
to the appropriate officials of the audited entity, including
a. the head of the audited entity,
b. the audit committee or board of directors or other equivalent oversight
body in the absence of an audit committee, and
c. the individual who possesses a sufficient level of authority and
responsibility for the subject matter or the assertion.
6.09 In situations where auditors are performing the engagement under a
contract with a party other than the officials of the audited entity, or
pursuant to a thirdparty request, auditors should also communicate with
the individuals contracting for or requesting the engagement, such as
contracting officials or legislative
61 members or staff. When auditors are performing the engagement pursuant
to a
law or regulation, auditors should communicate with the legislative
members or staff who have oversight of the auditee. 67 Auditors should
coordinate communications with the responsible government audit
organization and/ or management of the audited entity, and may use the
engagement letter to keep interested parties informed. If an engagement is
terminated before it is completed, auditors should write a memorandum for
the record that summarizes the results of the work and explains why the
engagement was terminated. In addition, auditors should communicate the
reason for terminating the engagement to management of the audited entity,
the entity requesting the engagement, and other appropriate officials,
preferably in writing. This communication should be documented.
Considering the Results of Previous Audits and Attestation Engagements
6.10 The standard related to considering the results of previous audits
and attestation engagements for attestation engagements performed in
accordance with GAGAS is:
Auditors should consider the results of previous audits and attestation
engagements and follow up on known significant findings and
recommendations that directly relate to the subject matter or the
assertion of the attestation engagement being undertaken.
6.11 Auditors should inquire of officials of the audited entity to
identify previous financial audits, attestation engagements, performance
audits, or other studies related to the subject matter or assertions of
the attestation engagement being undertaken and to identify corrective
actions taken to address significant findings and recommendations. 68 For
example, an audit report on an entity*s computerized information systems
may contain significant findings that could relate to the attestation
engagement if the entity uses such systems to process information
about the subject matter or contained in an assertion about the subject
matter. Following up on known significant findings and recommendations
identified in previous audits, attestation engagements, or studies can
help auditors evaluate the subject matter or the assertion associated with
the attestation engagement. Auditors should use professional judgment in
determining (1) prior periods to be considered, (2) the level of work
necessary to follow up on significant findings
67 This requirement applies only to situations in which the law or
regulation specifically identifies the entity to be subject to an
attestation engagement. Situations in which the mandate to have an
attestation engagement not specifically identified, such as attestation
engagements required by the U. S. Department of Education, are excluded.
68 Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors* work and the
auditors* conclusions and recommendations regarding those results.
62 and recommendations that affect the attestation engagement, and (3) the
effect on
the risk assessment and attestation procedures in planning the current
attestation engagement.
6.12 Providing continuing attention to significant findings and
recommendations is important to ensure that the benefits of the auditors*
work are realized. Ultimately, the benefits of auditors* work occur when
management of the audited entity takes meaningful and effective corrective
action in response to the auditors* findings and recommendations.
Management of the audited entity is responsible for resolving findings and
recommendations directed to them and for having a
process to track their status. If management of the audited entity does
not have such a process, auditors may wish to establish their own process.
Internal Control 6.13 The standard related to internal control for
examination- level attestation engagements performed in accordance with
GAGAS is:
In planning examination- level attestation engagements, auditors should
obtain a sufficient understanding of internal control that is material to
the subject matter or assertion to plan the engagement and design
procedures to achieve the objectives of the attestation engagement.
6.14 In planning an examination- level attestation engagement, auditors
should obtain an understanding of internal control 69 as it relates to the
subject matter or assertion to which the auditors are attesting. The
subject matter or assertion may be of a financial or nonfinancial nature,
and internal control material to the subject matter or assertion the
auditor is testing may relate to
a. effectiveness and efficiency of operations, including the use of an
entity*s resources;
b. reliability of financial reporting, including reports on budget
execution and other reports for internal and external use;
69 Although not applicable to attestation engagements, the AICPA SASs may
provide useful guidance related to internal control for auditors
performing attestation engagements in accordance with GAGAS. In addition,
auditors performing attestation engagements may wish to refer to the
internal control guidance published by the Committee of Sponsoring
Organizations of
the Treadway Commission (COSO). The Standards for Internal Control in the
Federal Government, GAO/ AIMD- 00- 21. 3. 1 (Washington, D. C.: Nov.
1999), which incorporates the relevant guidance developed by COSO,
provides definitions and fundamental concepts pertaining to internal
control at the federal level and may be useful to auditors at any level of
government. The
related Internal Control Management and Evaluation Tool, GAO- 01- 1008G
(Washington, D. C.: Aug. 2001) based on the federal internal control
standards, provides a systematic, organized, and structured approach to
assessing the internal control structure.
63
c. compliance with applicable laws and regulations, provisions of
contract, or grant agreements; and
d. safeguarding of assets. Detecting Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, and Abuse that Could Have a
Material Effect on the Subject Matter 6.15 The standard related to fraud,
illegal acts, violations of provisions of
contracts or grant agreements, and abuse for attestation engagements
performed in accordance with GAGAS is:
a. In planning examination- level attestation engagements, auditors should
design the engagement to provide reasonable assurance of detecting fraud,
illegal acts, or violations of provisions of contracts or grant agreements
that could have a material effect on the subject matter or assertion of
the attestation engagement, and should be alert to situations or
transactions that could be indicative of abuse.
b. In planning review- level or agreed- upon- procedure- level attestation
engagements, auditors should be alert to situations or transactions that
could be indicative of fraud, illegal acts, violations of provisions of
contracts or grant agreements, and if indications of fraud, illegal acts,
violations of provisions of contracts or grant agreements, exist that
could materially affect the subject matter or assertion, auditors should
apply procedures specifically directed to ascertain whether violations of
provisions of contracts or grant agreements, and if indications of fraud,
illegal acts, violations of provisions of contracts or grant agreements,
has occurred and the effect on the subject matter or assertion.
c. Auditors should be alert to situations or transactions that could be
indicative of abuse, and if indications of abuse exist that could
significantly affect the results of the attestation engagement, auditors
should apply audit procedures specifically directed to ascertain whether
abuse has occurred and the effect on the results of the attestation
engagement.
6.16 Auditors should exercise professional judgment in planning an
examinationlevel attestation engagement by obtaining an understanding of
the possible effects of fraud, 70 illegal acts, or violations of
provisions of contracts or grant agreements
70 Fraud is a type of illegal act involving the obtaining of something of
value through willful misrepresentation. Although not applicable to
attestation engagements, the AICPA SASs may provide useful guidance
related to fraud for auditors performing attestation engagements in
accordance with GAGAS.
64 on the subject matter or assertion of the attestation engagement and by
identifying and assessing any associated risks that could have a material
effect on the attestation engagement. Auditors should include attest
documentation on their assessment of risk, and, when risk factors are
identified as being present, the documentation should include
a. those risk factors identified, and
b. the auditors* response to those risk factors, individually or in
combination.
6.17 In addition, if during the performance of the attestation engagement,
risk factors or other conditions are identified that cause the auditors to
believe that an additional response is required, such factors or other
conditions, and any future response the auditors conclude is appropriate,
should be documented.
6.18 For attestation engagements involving review- level or agreed-
uponprocedure- level of reporting, auditors should be alert to situations
or transactions that could be indicative of fraud, illegal acts, or
violations of provisions of contracts or grant agreements. When
information comes to the auditors* attention (through audit procedures,
allegations received through fraud hotlines, or other means) indicating
that fraud, illegal acts, or violations of provisions of contracts or
grant agreements may have occurred, auditors should consider whether the
possible fraud, illegal acts, or violation of provisions of contracts or
grant agreements could materially affect the results of the attestation
engagement. If such acts could materially affect the results of the
engagement, auditors should extend the audit steps and procedures, as
necessary, to (1) determine if fraud, illegal acts, or violations of
provisions of contracts or grant agreements are likely to have occurred
and, if so, (2) determine their effect on the results of the attestation
engagement. Because the scope of review- level and agreed- uponprocedures-
level engagements is limited, auditors are not expected to provide
reasonable assurance of detecting fraud, illegal acts, or violations of
contract or grant agreements for these types of engagements.
6.19 Abuse is distinct from fraud, illegal acts, or violations of
provisions of contracts or grant agreements. When abuse occurs, no law,
regulation, or provision of a contract or grant agreement is violated.
Rather, the conduct of a government program or entity falls far short of
behavior that is expected to be reasonable and necessary business
practices by a prudent person. 71 For all levels of attestation
engagements, auditors should be alert to situations or transactions that
could be indicative of abuse. When information comes to the auditors*
71 For example, in an attestation engagement that has as its subject
reporting on an entity*s internal controls over compliance with specified
requirements governing the procurement of motor vehicles, auditors might
find abuse when considering purchases of passenger cars for official
senior management use if costly luxury cars were purchased when less
expensive models would have been appropriate. While auditors generally
will not view the procurement of costly luxury cars as quantitatively
significant to the subject matter, this action generally would be
considered qualitatively significant to the subject matter or assertion.
65 attention (through audit procedures, allegations received through a
fraud hotline,
or other means) indicating that abuse may have occurred, auditors should
consider whether the possible abuse could affect the assertion
significantly. Auditors should consider both quantitative and qualitative
factors in making judgments regarding the significance of possible abuse
and whether they need to extend the audit steps and procedures. If
indications of the possible abuse exist that significantly affect the
results of the attestation engagement, the auditors should extend the
audit steps and procedures, as necessary, to (1) determine whether the
abuse occurred and, if so, (2) determine its effect on the results of the
attestation engagement. However, because the determination of abuse is so
subjective, auditors are not expected to provide reasonable assurance of
detecting abuse. 6.20 Auditors should exercise professional judgment in
pursuing indications of
possible fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse, in order not to interfere with potential
investigations, legal proceedings, or both. Under some circumstances,
laws, regulations, or policies require auditors to report indications of
certain types of fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse to law enforcement or
investigatory authorities before extending audit steps and procedures.
Auditors may also be required to withdraw from or defer further work on
the engagement or a portion of the engagement in order not to interfere
with an investigation.
Developing Elements of Findings for Attestation Engagements 6.21 Attest
findings, such as deficiencies in internal control, illegal acts,
violations of provisions of contracts or grant agreements, and abuse, have
often been regarded as containing the elements of criteria, condition, and
effect, plus cause when problems are found. However, the elements needed
for a finding depend entirely on the objectives of the attestation
engagement. Thus, a finding or set of findings is complete to the extent
that the objectives of the attestation engagement are satisfied. When
problems are identified, to the extent possible, auditors should plan
attest procedures to develop the elements of a finding to facilitate
developing the auditors* report. (See paragraph 6.34 for a description of
the elements of a finding.) Attest Documentation 6.22 The standard related
to attest documentation for attestation engagements
performed in accordance with GAGAS is:
Attest documentation related to planning, conducting, and reporting on the
attestation engagement should contain sufficient information to
66
enable an experienced auditor who has had no previous connection with the
attestation engagement to ascertain from the attest documentation the
evidence that supports the auditors* significant judgments and
conclusions. Attest documentation should contain support for findings,
conclusions, and recommendations before auditors issue their report.
6.23 AICPA standards and GAGAS require that auditors prepare and maintain
attest documentation. The form and content of attest documentation should
be designed to meet the circumstances of the particular attestation
engagement. The
information contained in attest documentation constitutes the principal
record of the work that the auditors have performed in accordance with
professional standards and the conclusions that the auditors have reached.
The quantity, type, and content of attest documentation are a matter of
the auditors* professional judgment.
6.24 Attest documentation serves to (1) provide the principal support for
the auditors* report, (2) aid auditors in conducting and supervising the
attestation engagement, and (3) allow for the review of the quality of the
attestation engagement. The preparation of attest documentation should be
appropriately detailed to provide a clear understanding of its purpose and
source and the conclusions the auditors reached, and it should be
appropriately organized to provide a clear link to the findings,
conclusions, and recommendations contained in the auditors* report. Attest
documentation for attestation engagements performed under GAGAS should
contain the following additional attest documentation requirements not
explicitly addressed in the AICPA SSAEs or elsewhere in GAGAS:
a. the objectives, scope, and methodology of the attestation engagement,
including any sampling and other selection criteria used;
b. the auditor*s determination that certain additional government auditing
standards do not apply or that an applicable standard was not followed,
the reasons therefor, and the known effect that not following the
applicable standard had, or could have had, on the attestation engagement;
c. the work performed to support significant judgments and conclusions,
including descriptions of transactions and records examined; 72 d. the
auditors* consideration that the planned attestation procedures are
designed to achieve objectives of the attestation engagement when
evidential matter obtained is highly dependent on computerized information
systems and is material to the objective of the engagement, and the
auditors are not relying on the effectiveness of internal control over
those computerized systems that
72 Auditors may meet this requirement by listing voucher numbers, check
numbers, or other means of identifying specific documents they examined.
Auditors are not required to include copies of documents they examined as
part of the attest documentation, nor are auditors required to list
detailed information from those documents.
67 produced the information. The attest documentation should specifically
address
(1) the rationale for determining the nature, timing, and extent of
planned audit procedures; (2) the kinds and competence of available
evidential matter produced outside a computerized information system, and/
or plans for direct testing of data produced from a computerized
information system; and (3) the effect on the attestation engagement
report if evidential matter to be gathered does not afford a reasonable
basis for achieving the objectives of the engagement; and
e. evidence of supervisory reviews, before the report on the attestation
engagement is issued, of the work performed that supports findings,
conclusions, and recommendations contained in the report.
6.25 Underlying GAGAS attestation engagements is the premise that federal,
state, and local governments and other organizations cooperate in auditing
programs of common interest so that auditors may use others* work and
avoid duplication of efforts. Auditors should make arrangements to make
attest documentation available, upon request, in a timely manner to other
auditors or reviewers. Contractual arrangements for GAGAS attestation
engagements should provide for full and timely access to attest
documentation to facilitate reliance by others on the auditors* work.
6.26 Audit organizations need to adequately safeguard the audit
documentation associated with any particular engagement. Audit
organizations should develop clearly defined policies and criteria to deal
with situations where requests are made by outside parties to obtain
access to audit documentation, especially in connection with situations
where an outside party attempts to obtain indirectly through the auditor
what they are unable to obtain directly from the audited
entity. Such policies will need to consider applicable laws and
regulations applying to the audit organizations or the audited entity.
AICPA Reporting Standards for Attestation Engagements 6.27 As discussed in
paragraph 6.02, the AICPA SSAEs provide for different levels of reporting
based on the type of assurance the auditors are providing. The four AICPA
reporting standards for all levels of reporting under attestation
engagements are as follows:
a. The report shall identify the subject matter or the assertion being
reported on and state the character of the engagement.
b. The report shall state the practitioner*s [auditors*] conclusions about
the subject matter or the assertion in relation to the criteria against
which the subject matter was evaluated.
68
c. The report shall state all of the practitioner*s [auditors*]
significant reservations about the engagement, the subject matter, and, if
applicable, the assertion related thereto.
d. The report shall state that the use of the report is restricted to
specified parties under the following circumstances: 73 (1) when the
criteria used to evaluate the subject matter are determined by the
practitioner to be appropriate only for a limited number of parties who
either participated in their establishment or can be presumed to have an
adequate understanding of the criteria, (2) when the criteria used to
evaluate the subject matter are available only to specified parties, (3)
when reporting on subject matter and a written assertion has not been
provided by the responsible party, and (4) when the report is on an attest
engagement to apply agreed- upon procedures to the subject matter.
Additional GAGAS Reporting Standards for Attestation Engagements 6.28
GAGAS prescribe additional reporting standards for attestation engagements
that go beyond the requirements contained in the AICPA SSAEs. Auditors
must comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS standards relate to
a. reporting auditors* compliance with GAGAS (see paragraphs 6.29 through
6.31);
b. reporting deficiencies in internal control, fraud, illegal acts,
violations of provisions of contracts or grant agreements, and abuse (see
paragraphs 6.32 through 6.40);
c. reporting views of responsible officials (see paragraphs 6.41 through
6.45);
d. reporting privileged and confidential information (see paragraphs 6.46
through 6.48); and
e. report issuance and distribution (see paragraphs 6.49 through 6.54).
Reporting Auditors* Compliance with GAGAS 6.29 The standard related to
reporting auditors* compliance with GAGAS for attestation engagements
performed in accordance with GAGAS is:
73 Auditors should, however, follow the report distribution standard (see
paragraphs 6. 49 through 6.54).
69
Reports on attestation engagements should state that the engagement was
made in accordance with GAGAS.
6.30 When the report on the attestation engagement is submitted to comply
with a legal, regulatory, or contractual requirement, or when GAGAS are
voluntarily used, the report should specifically cite GAGAS and may cite
AICPA standards as well. The statement referencing compliance with GAGAS
refers to all the applicable standards that the auditors should have
followed during the attestation engagement, and the statement of
compliance should be qualified in situations in which the auditors did not
follow an applicable standard. In these situations, the auditors should
disclose in the scope section of the report the applicable standard that
was not followed, the reasons therefor, and how not following the standard
affected, or could have affected, the results of the attestation
engagement. In assessing the impact of not following an applicable
standard on the results of the attestation engagement, auditors may need
to qualify the assurances provided, disclaim from providing any
assurances, or withdraw from the engagement.
6.31 An audited entity receiving a GAGAS report on an attestation
engagement may also need a report on the attestation engagement for
purposes other than complying with requirements calling for a GAGAS
attestation engagement. GAGAS do not prohibit auditors from issuing a
separate report conforming only to the requirements of AICPA standards.
When a GAGAS attestation engagement is the basis for an auditors*
subsequent report under the AICPA standards, it would be advantageous to
users of the subsequent report for the auditors* report to include the
information on internal control and fraud, illegal acts, violations of
provisions of contracts and grant agreements, and abuse that are required
by GAGAS but not required by AICPA standards.
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, and Abuse 6.32
The standard related to reporting deficiencies in internal control; fraud,
illegal acts, violations of provisions of contracts or grant agreements,
and abuse for attestation engagements performed in accordance with GAGAS
is:
The report on an attestation engagement should disclose (1) deficiencies
in internal control, including internal control over compliance with laws,
regulations, and provisions of contracts or grant agreements that are
material to the subject matter or assertion, (2) all instances of fraud
and illegal acts unless clearly inconsequential, and (3) violations of
provisions of contracts or grant agreements and abuse that are material to
the
subject matter or assertion of the engagement. In some circumstances,
auditors should report fraud, illegal acts, violations of provisions of
70
contracts or grant agreements, and abuse directly to parties external to
the audited entity.
6.33 When reporting deficiencies in internal control or instances of
fraud, illegal acts, 74 violations of provisions of contracts or grant
agreements, or abuse, auditors should place their findings in proper
perspective by providing a description of the work performed that resulted
in the finding. To give the reader a basis for judging the prevalence and
consequences of these findings, the deficiencies or instances identified
should be related to the population or the number of cases examined and be
quantified in terms of dollar value, if appropriate. If the results cannot
be projected, auditors should limit their conclusion to the items tested.
6.34 To the extent possible, in presenting findings, auditors should
develop the elements of criteria, condition, cause, and effect to assist
management or oversight officials of the audited entity in understanding
the need for taking corrective action. In addition, if auditors are able
to sufficiently develop the findings, auditors should provide
recommendations for corrective action. Following is guidance for reporting
on elements of findings.
a. Criteria: An attestation engagement report is improved when it provides
information so that the report user will be able to determine what is the
required or desired state or what is expected from the program or
operation. The criteria are easier to understand when stated fairly,
explicitly, and completely, and the source of the criteria is identified
in the attestation engagement report. 75 b. Condition: The attestation
engagement report is improved when it provides
evidence of what the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report user to
gain an accurate perspective. c. Cause: The attestation engagement report
is improved when it provides
persuasive evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable and
convincing argument for why the stated cause is the key factor or factors
contributing to the difference as opposed
74 Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should not unintentionally imply that a final determination of
illegality has been made.
75 Common sources for criteria are laws, regulations, policy, procedures,
best or standard practices, or assertions. The Standards for Internal
Control in the Federal Government, GAO/ AIMD- 00- 21.3.1 (Washington, D.
C.: Nov. 1999) and Internal Control* Integrated Framework, published by
the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can use to support
their judgments and conclusions about internal control. The related
Internal Control Management and Evaluation Tool (GAO- 01- 1008G, Aug.
2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.
71 to other possible causes, such as poorly designed criteria or factors
uncontrollable by program management. The auditors also may consider
whether the identified cause could serve as a basis for the
recommendations.
d. Effect: The attestation engagement report is improved when it provides
a clear, logical link to establish the impact of the difference between
what the auditors found (condition) and what should be (criteria). Effect
is easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported effect
can be demonstrated through credible evidence.
6.35 When auditors detect internal control deficiencies, fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse
that is not material to the subject matter or assertion, they should
communicate those findings to the audited entity in a management letter,
unless they are clearly inconsequential, considering both qualitative and
quantitative factors. The auditor should refer to the management letter in
the report on the attestation engagement. Auditors should use their
professional judgment in determining whether and how to communicate to
officials of the audited entity internal control deficiencies, fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse that are clearly inconsequential. Auditors should include in
their attest documentation evidence of all communication to officials of
the audited entity about fraud, illegal acts, violations of provisions of
contracts or grant agreements, and abuse.
Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, and Abuse 6.36 GAGAS require auditors to
report fraud, illegal acts, violations of provisions of contracts or grant
agreements, and abuse directly to parties outside the audited entity in
two circumstances, as discussed below. 76 These requirements are in
addition to any legal requirements for direct reporting of fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse.
Auditors should meet these requirements even if they have resigned or been
dismissed from the attestation engagement prior to its completion. 6.37
The audited entity may be required by law or regulation to report certain
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse to specified external parties, such as a federal
inspector general or a state attorney general. If auditors have
communicated such fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to the
audited entity and the entity fails to report them, then the auditors
should communicate 76 Internal audit organizations do not have a duty to
report outside that entity unless required by law, rule, regulation, or
policy. See paragraph 3. 28 for reporting requirements for internal audit
organizations when reporting externally.
72 such an awareness to the governing body of the audited entity. If the
audited
entity does not make the required report as soon as practicable after the
auditors* communication with the entity*s governing body, then the
auditors should report such fraud, illegal acts, violations of provisions
of contracts or grant agreements, or abuse directly to the external party
specified in the law or regulation.
6.38 Officials of the audited entity are responsible for taking timely and
appropriate steps to remedy fraud, illegal acts, violations of provisions
of contracts or grant agreements, or abuse that auditors report to them.
When fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse involves assistance received directly or indirectly
from a government agency, auditors may have a duty to report directly if
management fails to take remedial steps. If auditors conclude that such
failure is likely to cause them to depart from the standard report on the
attestation engagement or resign from the engagement,
they should communicate that conclusion to the governing body of the
audited entity. Then, if the audited entity does not report the fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse as soon as practicable to the entity that provided the government
assistance, the auditors should report the fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse directly to that
entity.
6.39 In these situations, auditors should obtain sufficient, competent,
and relevant evidence, such as confirmation from outside parties, to
corroborate assertions by management that management has reported fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse. If they are
unable to do so, the auditors should report the fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly as discussed above.
6.40 Laws, regulations, or policies may require auditors to report
promptly indications of certain types of fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities. In such circumstances, when
auditors conclude that this type of fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse either has occurred
or is likely to have occurred, they should ask those authorities and/ or
legal counsel if publicly reporting certain information about the
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse would compromise investigative or legal
proceedings. Auditors should limit their public reporting to matters that
would not compromise those proceedings, such as information that is
already a part of the public record.
Reporting Views of Responsible Officials 6.41 The standard related to
reporting the views of responsible officials for attestation engagements
performed in accordance with GAGAS is:
73
If the auditors* report on the attestation engagement discloses
deficiencies in internal control, fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse, auditors should
obtain and report the views of responsible officials concerning the
findings, conclusions, and recommendations, as well as planned corrective
actions.
6.42 One of the most effective ways to ensure that a report is fair,
complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials results in a
report that presents not only the deficiencies in internal control, fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse the auditors identified, but also what the responsible officials
of the audited entity think about the deficiencies in internal control,
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse and what corrective actions the officials plan to
take. Auditors should include in their report a copy of the officials*
written comments or a summary of the comments received.
6.43 Auditors should normally request that the responsible officials
submit in writing their views on the auditors* reported findings,
conclusions, and recommendations, as well as management*s planned
corrective actions. Oral comments are acceptable as well, and, in some
cases, may be the only or most expeditious way to obtain comments. Cases
in which obtaining oral comments can be effective include circumstances in
which there is a time- critical requirement to meet a user*s needs; the
auditors have worked closely with the responsible officials throughout the
conduct of the work and the parties are familiar with the findings and
issues addressed in the draft product; or the auditors do not expect major
disagreements with the draft report*s findings, conclusions, and
recommendations, or perceive any major controversies with regard to the
issues discussed in the draft report. Before finalizing the report,
auditors should prepare a summary of the officials* oral comments and
provide a copy of the summary to officials of the audited entity to verify
that the comments are accurately stated.
6.44 Comments should be fairly and objectively evaluated and recognized,
as appropriate, in the final report. Comments, such as a promise or plan
for corrective action, should be noted but should not be accepted as
justification for deleting a significant finding or a related
recommendation.
6.45 When the audited entity*s comments oppose the report*s findings,
conclusions, or recommendations, and are not, in the auditors* opinion,
valid, or when planned corrective actions do not adequately address the
auditors* recommendations, the auditors should state their reasons for
disagreeing with the comments or planned corrective actions. The auditors*
disagreement should be stated in a fair and objective manner. Conversely,
the auditors should modify their report as necessary if they find the
comments valid.
74 Reporting Privileged and Confidential Information 6.46 The standard
related to reporting privileged and confidential information for
attestation engagements performed in accordance with GAGAS is:
If certain pertinent information is prohibited from general disclosure,
the report on the attestation engagement should state the nature of the
information omitted and the requirement that makes the omission necessary.
6.47 Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. In such circumstances,
auditors may issue a separate limited- official- use report containing
such information and distribute the report only to persons authorized by
law or regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded from
publicly available reports if potential damage could be caused by the
misuse of this information. In such circumstances, auditors may issue a
limited- official- use report containing such information and distribute
the report only to those parties responsible for acting on the auditors*
recommendations. The auditors should, when appropriate, consult with legal
counsel regarding any requirements or other circumstances that may
necessitate the omission of certain information.
6.48 Auditors* judgments that certain information should be excluded from
publicly available reports should be made in a manner consistent with
consideration of the broader public interest in the program or activity
under review. Auditors need to weigh the need to reveal all significant
facts known to them that, if not revealed, could either distort the
results or conceal improper or unlawful practice against any requirements
or other circumstances that may necessitate the omission of certain
information. If auditors make the judgment that certain information should
be excluded from a publicly available report, they should state the
general nature of the information omitted and the reasons that make the
omission necessary in the report.
Report Issuance and Distribution 6.49 The standard related to report
issuance and distribution for attestation engagements performed in
accordance with GAGAS is:
Government auditors should submit reports on the attestation engagement to
the appropriate officials of the audited entity and to the appropriate
officials of the organizations requiring or arranging for the engagement,
including external funding organizations such as legislative bodies,
unless legal restrictions prevent it. Auditors should also send
75
copies of the reports to other officials who have legal oversight
authority or who may be responsible for acting on the findings and
recommendations and to others authorized to receive such reports. Unless
the report is restricted by law or regulation, or contains privileged or
confidential information, auditors should clarify that copies are made
available for public inspection. Nongovernment auditors should clarify
report distribution responsibilities with the party contracting for the
audit and follow the agreements reached.
6.50 Reports on attestation engagements should be distributed in a timely
manner to officials interested in the results. Such officials include
those designated by law or regulation to receive such reports, those
responsible for acting on the findings and recommendations contained in
the reports, those in other levels of government that have provided
assistance to the audited entity, and legislators. However, if the subject
matter or assertion of the attestation engagement involves material that
is classified for security purposes or not releasable to particular
parties or the public for other valid reasons, auditors should limit the
report distribution. The availability of the report for public inspection
should be documented in the audit documentation.
6.51 Although AICPA standards require that a report on an engagement to
evaluate an assertion based on agreed- upon criteria or on an engagement
to apply agreed- upon procedures should contain a statement limiting its
use to the parties who have agreed upon such criteria or procedures, such
a statement does not require that the report distribution be limited. (See
paragraphs 6.46 through 6.48 for additional guidance on limited report
distribution.) The availability of the report for public inspection should
be documented in the audit documentation.
6.52 When nongovernment auditors are engaged to conduct an attestation
engagement under GAGAS, they should clarify report distribution
responsibilities with the engaging organization. If the public accountants
are to make the distribution, the engagement agreement should indicate
which officials or organizations should receive the report and the steps
being taken to ensure the availability of the report for public
inspection. The availability of the report for public inspection should be
documented in the audit documentation.
6.53 Internal auditors should follow their entity*s own arrangements and
statutory requirements for distribution. Usually, they report to their
entity*s head or deputy head, who is responsible for distribution of the
report. Further distribution of reports outside the organization should be
made in accordance with applicable laws, rules, regulations, or policy.
6.54 If an attestation engagement is terminated before it is completed but
the
auditors do not issue a report on the engagement, auditors should write a
memorandum for the record that summarizes the results of the work to the
date of termination and explains why the attestation engagement was
terminated. In addition, auditors should communicate the reasons for
terminating the attest
76 engagement to management of the audited entity, the entity requesting
the
attestation engagement, and other appropriate officials, preferably in
writing. This communication should be documented.
77 CHAPTER 7
FIELD WORK STANDARDS FOR PERFORMANCE AUDITS Introduction 7.01 This chapter
prescribes field work standards and provides guidance to
auditors conducting performance audits in accordance with generally
accepted government auditing standards (GAGAS). The field work standards
for performance audits relate to planning the audit; supervising staff;
obtaining sufficient, competent, and relevant evidence; and preparing
audit documentation.
Planning 7.02 The field work standard related to planning for performance
audits performed in accordance with GAGAS is:
Work is to be adequately planned. 7.03 In planning the audit, auditors
should define the audit objectives, as well as the scope and methodology
to achieve those objectives. Audit objectives, scope, and methodologies
are not determined in isolation. Auditors determine these three elements
of the audit plan together, as the considerations in determining each
often overlap. Planning is a continuous process throughout the audit.
Therefore, auditors should consider the need to make adjustments to the
audit objectives, scope, and methodology as work is being completed.
7.04 The objectives are what the audit is intended to accomplish. They
identify the audit subjects and performance aspects to be included, as
well as the potential finding and reporting elements that the auditors
expect to develop. 77 Audit objectives can be thought of as questions
about the program 78 that auditors seek to answer. (See paragraph 2.09.)
7.05 Scope is the boundary of the audit and should be directly tied to the
audit objectives. For example, the scope defines parameters of the audit
such as the period of time reviewed, the availability of necessary
documentation or records, and the locations at which field work will be
performed. 7.06 The methodology comprises the work involved in gathering
and analyzing
data to achieve the objectives. Audit procedures are the specific steps
and tests auditors will carry out to address the audit objectives.
Auditors should design the methodology to provide sufficient, competent,
and relevant evidence to achieve
77 See discussion of the elements of a finding in paragraph 7. 28 and
paragraphs 7.62 through 7. 65. 78 This chapter uses only the term
*program;* however, the concepts presented also apply to audits of
entities, activities, and services.
78 the objectives of the audit. Methodology includes both the types and
extent of
audit procedures used to achieve the audit objectives.
7.07 Planning should be documented and should include
a. considering the significance of various programs and the needs of
potential users of the audit report (see paragraphs 7.08 and 7.09);
b. obtaining an understanding of the program to be audited (see paragraph
7.10);
c. obtaining an understanding of internal control as it relates to the
specific objectives and scope of the audit (see paragraphs 7.11 through
7.16);
d. designing methodology and procedures to detect significant violations
of legal and regulatory requirements, contract provisions, or grant
agreements (see paragraphs 7.17 through 7.27);
e. identifying the criteria needed to evaluate matters subject to audit
(see paragraph 7.28);
f. considering the results of previous audits and attestation engagements
that could affect the current audit objectives (see paragraphs 7.29 and
7.30);
g. identifying potential sources of data that could be used as audit
evidence (see paragraph 7.31);
h. considering whether the work of other auditors and experts may be used
to satisfy some of the audit objectives (see paragraphs 7.32 through
7.34);
i. providing appropriate and sufficient staff and other resources to
perform the audit (see paragraphs 7.35 through 7.38);
j. communicating general information concerning the planning and
performance of the audit to management officials responsible for the
program being audited and others as applicable (see paragraphs 7.39 and
7.40); and
k. preparing an audit plan (see paragraphs 7.41 through 7.43). Program
Significance 7.08 The significance of a matter is its relative importance
to the audit objectives
and potential users of the audit report. Auditors should consider the
significance of a program or program component and the potential use that
will be made of the audit results or report as they plan a performance
audit. Indicators of significance and/ or use to consider include
a. visibility and sensitivity of the program under audit,
79
b. newness of the program or changes in its conditions,
c. role of the audit in providing information that can improve public
accountability and decision making, and
d. level and extent of review or other forms of independent oversight.
7.09 One group of users of the auditors* report is government officials
who may have authorized or requested the audit. Other important users of
the auditors* report are the entity being audited and legislative bodies,
which are responsible for acting on the auditors* recommendations. Other
potential users of the auditors* report include government legislators or
officials (other than those who may have authorized or requested the
audit), the media, interest groups, and individual citizens. In addition
to an interest in the program, potential users may have an ability to
influence the conduct of the program. An awareness of these potential
users* interests and influence can help auditors understand why the
program operates the way it does. This awareness can also help auditors
judge whether possible findings could be significant to various possible
users.
Understanding the Program 7.10 Auditors should obtain an understanding of
the program to be audited to help assess, among other matters, the
significance of possible audit objectives and the feasibility of achieving
them. The auditors* understanding may come from knowledge they already
have about the program or knowledge they gain from inquiries and
observations they make in planning the audit. The extent and breadth of
those inquiries and observations will vary among audits based on the audit
objectives, as will the need to understand individual aspects of the
program, such as the following.
a. Laws, regulations, and provisions of contracts or grant agreements:
Government programs usually are created by law and are subject to specific
laws and regulations. For example, laws and regulations usually set forth
what is to be done, who is to do it, the purpose to be achieved, the
population to be served, and how much can be spent on what. Government
programs may also be subject to provisions of contracts and grant
agreements. Thus, understanding the laws and the legislative history
establishing a program and the provisions of any contracts or grant
agreements can be essential to understanding the program itself. Obtaining
that understanding is also a necessary step in identifying provisions of
laws, regulations, contracts, or grant agreements significant to audit
objectives.
b. Purpose and goals: Purpose is the result or effect that is intended or
desired from a program*s operation. Legislatures usually establish the
program purpose when they provide authority for the program. Entity
officials may provide more detailed guidance on program purpose to
supplement the authorizing legislation.
Entity officials are sometimes asked to set goals for program performance
and
80 operations, including both output and outcome goals. Auditors may use
the stated
program purpose and goals as criteria for assessing program performance or
may develop additional criteria or best practices to compare the program
against.
c. Internal control: Internal control, often referred to as management
controls, in the broadest sense includes the plan of organization,
methods, and procedures adopted by management to meet its missions, goals,
and objectives. Internal control includes the processes for planning,
organizing, directing, and controlling program operations. It includes the
systems for measuring, reporting, and monitoring program performance.
Internal control also serves as the first line of defense in safeguarding
assets and preventing and detecting errors, fraud, and violations of laws,
regulations, and provisions of contracts and grant agreements.
Paragraphs 7.11 through 7.16 contain guidance pertaining to internal
control.
d. Efforts: Efforts are the amount of resources (in terms of money,
material, personnel, etc.) that are put into a program. These resources
may come from within or outside the entity operating the program. Measures
of efforts can have a number of dimensions, such as cost, timing, and
quality. Examples of measures of efforts are dollars, employee- hours, and
square feet of building space.
e. Program operations: Program operations are the strategies, processes,
and activities management uses to convert efforts into outputs. Program
operations are subject to internal control.
f. Outputs: Outputs represent the quantity of goods or services produced
by a program. For example, an output measure for a job training program
could be the number of persons completing training, and an output measure
for an aviation safety inspection program could be the number of safety
inspections completed.
g. Outcomes: Outcomes are accomplishments or results of programs. For
example, an outcome measure for a job training program could be the
percentage of trained persons obtaining a job and still in the work place
after a specified period of time. Examples of outcome measures for an
aviation safety inspection program could be the percentage reduction in
significant safety problems found in subsequent inspections and/ or the
percentage of significant problems deemed corrected in follow- up
inspections. Such outcome measures show progress in
achieving the stated program purposes of helping unemployable citizens
obtain and retain jobs, and improving the safety of aviation operations.
Auditors should be aware that outcomes may be influenced by cultural,
economic, physical, or technological factors outside the program. Auditors
may use approaches drawn from other disciplines, such as program
evaluation, to try to isolate the effects of the program from these other
influences.
Considering Internal Control 7.11 The lack of administrative continuity in
government units because of changes in elected legislative bodies and in
other government officials increases
81 the need for effective internal control. Auditors should obtain an
understanding of
internal control significant to the audit objectives and consider whether
specific internal control procedures have been properly designed and
placed in operation. Auditors also need to consider whether they plan to
modify the nature, timing, or extent of their audit procedures based on
the effectiveness of internal controls. If so, auditors should include
specific tests of the effectiveness of internal control and consider the
results in designing audit procedures. 79 Officials of the audited entity
are responsible for establishing effective internal control.
7.12 The following discussion of internal control objectives is intended
to help auditors better understand internal controls and determine their
significance to the audit objectives.
a. Effectiveness and efficiency of program operations: Controls over
program operations include policies and procedures that officials of the
audited entity have implemented to reasonably ensure that a program meets
its objectives and that unintended actions do not result. Understanding
these controls can help auditors understand the program operations that
convert efforts to outputs or outcomes.
b. Validity and reliability of data: Controls over the validity and
reliability of data include policies and procedures that officials of the
audited entity have implemented to reasonably ensure that valid and
reliable data are obtained, maintained, and fairly disclosed in reports.
These controls help assure management that it is getting valid and
reliable information about whether programs are operating properly on an
ongoing basis. Understanding these controls can help auditors (1) assess
the risk that the data gathered by the entity may not be valid or reliable
and (2) design appropriate tests of the data.
c. Compliance with applicable laws and regulations and provisions of
contracts or grant agreements: Controls over compliance include policies
and procedures that officials of the audited entity have implemented to
reasonably ensure that program implementation is consistent with laws,
regulations, and provisions of contracts or grant agreements.
Understanding the relevant controls concerning
79 Refer to the internal control guidance contained in Internal Control*
Integrated Framework,
published by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO). As discussed in the COSO study, internal control
consists of five interrelated components, which are (1) control
environment, (2) risk assessment, (3) control activities, (4) information
and communication, and (5) monitoring. The objectives of internal control
relate to (1) financial
reporting, (2) operations, and (3) compliance. Safeguarding of assets is a
subset of these objectives. In that respect, internal control should be
designed to provide reasonable assurance regarding prevention of or prompt
detection of unauthorized acquisition, use, or disposition of assets. In
addition to the COSO document, the publication, Standards for Internal
Control in the Federal Government, GAO/ AIMD- 00- 21.3. 1 (Washington, D.
C.: Nov. 1999), which incorporates the relevant guidance developed by
COSO, provides definitions and fundamental concepts pertaining
to internal control at the federal level and may be useful to other
auditors at any level of government. The related Internal Control
Management and Evaluation Tool, GAO- 01- 1008G (Washington, D. C.: Aug.
2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.
82 compliance with those laws and regulations and provisions of contracts
or grant
agreements that the auditors have determined are significant can help
auditors assess the risk of illegal acts 80 and violations of provisions
of contracts or grant agreements.
7.13 A subset of these categories of internal control objectives is the
safeguarding of resources. Controls over the safeguarding of resources
include policies and procedures that officials of the audited entity have
implemented to reasonably prevent or promptly detect unauthorized
acquisition, use, or disposition of resources.
7.14 Auditors can obtain an understanding of internal control through
inquiries, observations, inspection of documents and records, or review of
other auditors* reports. The procedures auditors perform to obtain an
understanding of internal control will vary among audits. One factor
influencing the extent of these procedures is the auditors* knowledge
about internal control gained in prior audits. Also, the need to
understand internal control will depend on the particular aspects of the
program the auditors consider in setting objectives, scope, and
methodology. The following are examples of how the auditors* understanding
of internal control can influence the audit plan.
a. Audit objectives: Poorly controlled aspects of a program have a higher
risk of failure, so they may be more significant than others in terms of
where auditors may want to focus their efforts.
b. Audit scope: Knowledge that internal controls are not properly designed
or placed in operation at a certain location may lead auditors to target
their efforts there.
c. Audit methodology: Effective controls at the audited entity over
collecting, summarizing, and reporting data may enable auditors to limit
the extent of their direct testing of data validity and reliability. In
contrast, evidence suggesting ineffective controls may lead auditors to
perform more direct testing of the data, look for data from outside the
entity, or develop their own data.
7.15 When internal controls are significant to the audit objectives,
auditors should plan to obtain sufficient evidence to support their
judgments about those controls. The following are examples of
circumstances in which internal controls can be significant to audit
objectives.
a. In determining the cause of unsatisfactory performance, auditors may
consider that unsatisfactory performance could result from deficiencies in
internal controls.
80 Violations of laws or regulations are illegal acts.
83
b. When assessing the validity and reliability of performance measures
developed by the audited entity, effective internal control by the audited
entity over collecting, summarizing, and reporting data will help ensure
that the performance measures are valid and reliable.
7.16 Internal auditing is an important part of internal control. 81 When
an assessment of internal control is called for, the work of the internal
auditors can be used to help provide reasonable assurance that internal
controls are effectively designed and functioning properly, and to prevent
duplication of effort.
Designing the Audit to Detect Violations of Legal and Regulatory
Requirements, Contract Provisions, or Grant Agreement, Fraud, and Abuse
7.17 When laws, regulations, or provisions of contracts or grant
agreements are significant to the audit objectives, auditors should design
the audit methodology and procedures to provide reasonable assurance of
detecting violations that could have a significant effect on the audit
results. Auditors should determine which laws, regulations, and provisions
of contracts or grant agreements are significant
to the audit objectives and assess the risk that illegal acts or
violations of provisions of contracts or grant agreements could occur.
Based on that risk assessment, the auditors design and perform procedures
to provide reasonable assurance of detecting significant instances of
illegal acts or violations of provisions of contracts or grant agreements.
Auditors should include audit documentation on their assessment of risk.
7.18 It is not practical to set precise standards for determining whether
laws, regulations, or provisions of contracts or grant agreements are
significant to audit objectives because government programs are subject to
many laws, regulations, and provisions of contracts or grant agreements,
and audit objectives vary widely. However, auditors may find the following
approach helpful in making that determination.
a. Reduce each audit objective to questions about specific aspects of the
program being audited (that is, purpose and goals, internal control,
efforts, program operations, outputs, and outcomes, as discussed in
paragraph 7.10).
b. Identify laws, regulations, and provisions of contracts or grant
agreements that directly relate to specific aspects of the program
included in questions that reflect the audit objectives.
c. Determine if violations of those laws, regulations, or provisions of
contracts or grant agreements could significantly affect the auditors*
answers to the questions
81 Many government entities have these activities identified by other
names, such as inspection, appraisal, investigation, organization and
methods, or management analysis. These activities assist management by
reviewing selected functions.
84 that relate to the audit objectives. If they could, then those laws,
regulations, and
provisions of contracts or grant agreements are likely to be significant
to the audit objectives.
7.19 Auditors may find it necessary to rely on the work of legal counsel
to (1) determine those laws and regulations that are significant to the
audit objectives, (2) design tests of compliance with laws and
regulations, or (3) evaluate the results of those tests. 82 Auditors also
may find it necessary to rely on the work of legal counsel when audit
objectives require testing compliance with provisions of contracts or
grant agreements. Depending on the circumstances of the audit, auditors
may find it necessary to obtain information on compliance matters from
others, such as investigative staff, other audit organizations or
government
entities that provided assistance to the audited entity, or the applicable
law enforcement authority.
7.20 In planning tests of compliance with significant laws, regulations,
and provisions of contracts or grant agreements, auditors should assess
the risk that violations could occur. That risk may be affected by such
factors as the complexity or newness of the laws, regulations, and
provisions of contracts or grant agreement. The auditors* assessment of
risk includes consideration of whether the entity has controls that are
effective in preventing or detecting violations of laws, regulations, and
provisions of contracts or grant agreements. If auditors obtain sufficient
evidence of the effectiveness of these controls, they can reduce the
extent of their tests of compliance.
7.21 In planning the audit, auditors should consider risks due to fraud 83
that could significantly 84 affect their audit objectives and the results
of their audit. The audit team should discuss potential fraud risks,
considering fraud factors such as individuals* incentives or pressures to
commit fraud, the opportunity for fraud to occur, and rationalizations or
attitudes that could allow individuals to commit fraud. Auditors should
gather and assess information necessary to identify fraud risks which
could be relevant to the audit objectives or affect the results of their
audit. For example, auditors may need to obtain information through
discussion with officials of the audited entity or through other means to
determine the susceptibility of the program to fraud, the status of
internal controls the entity has established to detect and prevent fraud,
or the risk that officials of the audited entity could override internal
control. Auditors should exercise professional skepticism in assessing
these risks to determine which factors or risks could 82 Paragraphs 7.32
through 7.34 discuss relying on the work of others.
83 Fraud is a type of illegal act involving the obtaining something of
value through willful misrepresentation. 84 The terms *material* and
*significant* are synonymous under GAGAS. *Material* is used in the AICPA
standards in relation to audits of financial statements. *Significant* is
used in relation to other types of audits governed by GAGAS, such as
performance audits, where the term *material* is generally not used.
85 significantly affect the results of their work if fraud has occurred or
is likely to
have occurred. 7.22 When auditors identify factors or risks related to
fraud that they believe could significantly affect the audit objectives or
the results of the audit, auditors should respond by designing procedures
to provide reasonable assurance of detecting fraud significant to the
audit objectives. Auditors should prepare audit documentation related to
their identification and assessment of and response to fraud risks.
Auditors should also be aware that assessing the risk of fraud is an
ongoing process throughout the audit and relates not only to planning the
audit but also to evaluating evidence obtained during the audit. 7.23
Auditors should also be alert to situations or transactions that could be
indicative of fraud. When information comes to the auditors* attention
(through audit procedures, allegations received through fraud hotlines, or
other means) indicating that fraud may have occurred, auditors should
consider whether the possible fraud could significantly affect the audit
results. If the fraud could significantly affect the audit results,
auditors should extend the audit steps and procedures, as necessary, to
(1) determine if fraud likely has occurred and (2) if so, determine its
effect on the audit results.
7.24 Auditors* training, experience, and understanding of the program
being audited may provide a basis for recognizing that some acts coming to
their attention may be indicative of fraud. Whether an act is, in fact,
fraud is a determination to be made through the judicial or other
adjudicative system and is beyond auditors* professional expertise and
responsibility. However, auditors are responsible for being aware of
vulnerabilities to fraud associated with the area being audited in order
to be able to identify indications that fraud may have occurred. In some
circumstances, conditions such as the following might indicate a
heightened risk of fraud:
a. weak management that fails to enforce existing internal control or to
provide adequate oversight over the control process;
b. inadequate separation of duties, especially those that relate to
controlling and safeguarding resources;
c. transactions that are out of the ordinary and are not satisfactorily
explained, such as unexplained adjustments in inventories or other
resources;
d. instances when employees of the audited entity refuse to take vacations
or accept promotions;
e. missing or altered documents, or unexplained delays in providing
information;
f. false or misleading information; or
86
g. a history of impropriety, such as past audits or investigations with
findings of questionable or criminal activity.
7.25 Abuse is distinct from fraud, illegal acts, or violations of
provisions of contracts or grant agreements. When abuse occurs, no law,
regulation, or provision of a contract or grant agreement is violated.
Rather, the conduct of a government program or entity falls far short of
behavior that is expected to be reasonable and necessary business
practices by a prudent person. 85 Auditors
should be alert to situations or transactions that could be indicative of
abuse. When information comes to the auditors* attention (through audit
procedures, allegations received through a fraud hotline, or other means)
indicating that abuse may have occurred, auditors should consider whether
the possible abuse affects the audit results significantly. If indications
of abuse exist that significantly affect the audit results, the auditors
should extend the audit steps and procedures, as necessary, to (1)
determine whether the abuse occurred and, if so, (2) determine its effect
on the audit results. However, because the determination of abuse is
subjective, auditors are not expected to provide reasonable assurance of
detecting it. Auditors should consider both quantitative and qualitative
factors in making judgments regarding the significance of possible abuse
and whether they need to
extend the audit steps and procedures.
7.26 Auditors should exercise professional judgment in pursuing
indications of possible fraud, illegal acts, violations of provisions of
contracts or grant agreement, or abuse in order to not interfere with
potential investigations, legal proceedings, or both. Under some
circumstances, laws, regulations, or policies require auditors to report
indications of certain types of fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse to law enforcement
or investigatory authorities before extending audit steps and procedures.
Auditors may also be required to withdraw from or defer further work on
the audit or a portion of the audit in order not to interfere with an
investigation.
7.27 An audit made in accordance with these standards provides reasonable
assurance of detecting illegal acts, violations of provisions of contracts
or grant agreements, or fraud that could significantly affect the audit
results; however, it does not guarantee the discovery of illegal acts,
violations of provisions of contracts or grant agreements, or fraud. Nor
does the subsequent discovery of illegal acts, violations of contracts or
grant agreements, or fraud committed during the audit period necessarily
mean that the auditors* performance was inadequate, provided the audit was
made in accordance with these standards.
85 For example, in a performance audit of management*s efficient use of
funds for office building maintenance, auditors might find abuse if
renovation of senior management*s offices far exceed usual office space
specifications. While auditors might not view the renovation costs as
quantitatively significant to the audit results, these expenses would be
considered qualitatively significant to this audit objective.
87 Identifying Audit Criteria 7.28 Criteria are the standards, measures,
expectations of what should exist, best
practices, and benchmarks against which performance is compared or
evaluated. Criteria, one of the elements of a finding, provide a context
for understanding the results of the audit. (See paragraphs 7.62 through
7.65 for a discussion on the other elements of a finding.) The audit plan,
where possible, should state the criteria to be used. In selecting
criteria, auditors have a responsibility to use criteria that are
reasonable, attainable, and relevant to the objectives of the performance
audit. The following are some examples of possible criteria:
a. purpose or goals prescribed by law or regulation or set by officials of
the audited entity,
b. policies and procedures established by officials of the audited entity
of the audited entity,
c. technically developed standards or norms,
d. expert opinions,
e. prior periods* performance,
f. performance of similar entities,
g. performance in the private sector, or
h. best practices of leading organizations. Considering the Results of
Previous Audits and Attestation Engagements 7.29 Auditors should consider
the results of previous audits and attestation
engagements and follow up on known significant findings and
recommendations 86 identified in previous audit reports that directly
relate to the objectives of the audit being undertaken. Auditors should
inquire of officials of the audited entity to identify previous financial
audits, attestation engagements, performance audits, or other studies
related to the objectives of the audit being undertaken and to identify
corrective actions taken to address significant findings and
recommendations. For example, an audit report on an entity*s computerized
information systems may contain significant findings that could relate to
the performance audit if the entity uses such systems to process its
accounting or
other information the auditors plan on using. Auditors should use
professional 86 Significant findings and recommendations are those matters
that, if not corrected, could affect the results of the auditors* work and
the auditors* conclusions and recommendations about those results.
88 judgment in determining (1) prior periods to be considered, (2) the
level of work
necessary to follow up on significant findings and recommendations that
affect the audit, and (3) the risk assessment used in planning the current
audit and designing audit procedures to be performed.
7.30 Providing continuing attention to significant findings and
recommendations is important to ensure that the benefits of audit work are
realized. Ultimately, the benefits of audit work occur when officials of
the audited entity take meaningful and effective corrective action in
response to the auditors* findings and recommendations. Officials of the
audited entity are responsible for resolving audit findings and
recommendations directed to them and for having a process to track their
status. If the audited entity does not have such a process, auditors may
wish to establish their own process.
Identifying Sources of Audit Evidence 7.31 In identifying potential
sources of data that could be used as audit evidence, auditors should
consider the validity and reliability of the data, including data
collected by the audited entity, data generated by the auditors, or data
provided by third parties, as well as the sufficiency and relevance of the
evidence. (See paragraphs 7.48 through 7.65 for standards and guidance
concerning evidence.)
Considering Work of Others 7.32 Auditors should determine whether other
auditors have previously done, or are doing, audits of the program or the
entity that operates it. Whether other auditors have done performance
audits, financial audits, or attestation engagements, the other auditors
may be useful sources of information for planning and performing the
audit. If other auditors have identified areas that warrant further study,
their work may influence the auditors* selection of performance audit
objectives. The availability of other auditors* work may also influence
the selection of methodology, since the auditors may be able to rely on
that work to limit the extent of their own testing.
7.33 If auditors intend to rely on the work of other auditors, they should
perform procedures regarding the specific work to be relied on that
provide a sufficient basis for that reliance. Auditors should obtain
evidence concerning the other auditors* qualifications and independence
through prior experience, inquiry, and/ or review of the other auditors*
external quality control review report. Auditors should determine the
sufficiency, relevance, and competence of other auditors* evidence by
reviewing their report, audit program, or audit documentation, or by
performing supplemental tests of the other auditors* work. The nature and
extent of evidence needed will depend on the significance of the other
auditors* work, on the extent to which the auditors will rely on that
work, and whether auditors will refer to that work in their work.
89
7.34 Auditors face similar considerations when using the work of
nonauditors (such as specialists). In addition, auditors should obtain an
understanding of the methods and significant assumptions used by the
nonauditors. (See paragraph 3.06 for independence considerations when
relying on the work of others.)
Assigning Staff and Other Resources 7.35 Staff planning should include,
among other things:
a. assigning staff with the appropriate collective knowledge, skills, and
experience for the job;
b. assigning an adequate number of staff and supervisors to the audit;
c. providing for on- the- job training of staff; and
d. engaging specialists when necessary. 7.36 The availability of staff and
other resources and the need for specialized skills are important
considerations in establishing the audit objectives, scope, and
methodology. For example, limitations on travel funds may preclude
auditors from visiting certain critical locations, or lack of appropriate
expertise in a particular methodology or with computerized information
systems may preclude auditors from undertaking certain objectives.
Auditors may be able to overcome such limitations by engaging specialists
with the necessary expertise.
7.37 If the use of a specialist is planned, auditors should have
sufficient knowledge to
a. articulate the objectives required of the specialist,
b. evaluate whether the specified procedures will meet auditors*
objectives, and
c. evaluate the results of the procedures applied as they relate to other
planned audit procedures. 7.38 Auditors without sufficient knowledge to
perform the functions listed above
should consider alternative measures for ensuring audit quality related to
the specialist*s work, such as engaging another specialist to review the
specialist*s work.
Communicating with Management and Others 7.39 Auditors should communicate
information about the specific nature of the performance audit, as well as
general information concerning the planning and conduct of the audit and
reporting* such as the form of the report and any potential restrictions
on the report* to the various parties involved in the audit to
90 help them understand the objectives, time frames, and any data needs.
Parties
involved may include:
a. the head of the audited entity;
b. the audit committee or, in the absence of an audit committee, the board
of directors or other equivalent oversight body;
c. the individual who possesses a sufficient level of authority and
responsibility for the program or activity being audited; and
d. the individuals contracting for or requesting audit services, such as
contracting officials or legislative members or staff, if applicable.
7.40 Auditors should use their professional judgment to determine the
form, content, and frequency of the communication, although written
communication is preferred. Auditors may use an engagement letter, if
appropriate, to communicate the information. Auditors should include the
communication in the audit documentation. If the audit does not result in
a product, auditors should document the audit by preparing a memorandum
for the record that summarizes the results of the work and explain the
reason the audit was terminated. If the audit is terminated before it is
completed, auditors should communicate the reason for terminating it to
management of the audited entity, the entity requesting the audit, and
other appropriate officials, preferably in writing. This communication
should be documented.
Preparing the Audit Plan 7.41 A written audit plan should be prepared for
each audit. The form and content of the written audit plan will vary among
audits but should include an audit program or project plan, a memorandum,
or other appropriate documentation of key decisions about the audit
objectives, scope, and methodology and of the auditors* basis for those
decisions. It should be updated, as necessary, to reflect any significant
changes to the plan made during the audit.
7.42 Documenting the audit plan is an opportunity for the auditors to
review the work done in planning the audit to determine whether
a. the proposed audit objectives are likely to result in a useful report,
b. the proposed audit scope and methodology are adequate to satisfy the
audit objectives, and
c. sufficient staff and other resources are available to perform the audit
and to meet expected time frames for completing the work.
7.43 Written audit plans may include:
91
a. information about the legal authority for the audited program, its
history and current objectives, its principal locations, and other
background that can help auditors understand and carry out the audit plan;
b. information about the responsibilities of each member of the audit team
(such as preparing audit programs, conducting audit work, supervising and
reviewing audit work, drafting reports, handling comments from officials
of the audited program, and processing the final report), which can help
auditors when the work is conducted at several different locations. In
these audits, use of comparable audit methods and procedures can help make
the data obtained from participating locations comparable;
c. audit programs describing procedures to accomplish the audit objectives
and providing a systematic basis for assigning work to staff and for
summarizing the work performed; and
d. the general format of the audit report and the types of information to
be included, which can help auditors focus their field work on the
information to be reported.
Supervision 7.44 The field work standard related to supervision for
performance audits performed in accordance with GAGAS is:
Staff are to be properly supervised. 7.45 Supervision involves directing
the efforts of staff assigned to the audit to ensure that the audit
objectives are accomplished. Elements of supervision include providing
sufficient guidance to staff members, staying informed about significant
problems encountered, reviewing the work performed, and providing
effective on- the- job training.
7.46 Supervisors should satisfy themselves that staff members clearly
understand what work they are to do, why the work is to be conducted, and
what the work is expected to accomplish. With experienced staff,
supervisors may outline the scope of the work and leave details to the
staff. With less experienced staff, supervisors may have to specify audit
procedures to be performed as well as techniques for gathering and
analyzing data.
7.47 Reviews of audit work should be documented. The nature and extent of
the review of audit work may vary depending on a number of factors, such
as the size of the audit organization, the significance of the work, and
the experience of the staff.
92 Evidence 7.48 The field work standard related to evidence for
performance audits
performed in accordance with GAGAS is:
Sufficient, competent, and relevant evidence is to be obtained to provide
a reasonable basis for the auditors* findings and conclusions.
7.49 A large part of auditors* work on an audit concerns obtaining and
evaluating evidence that ultimately supports their judgments and
conclusions pertaining to the audit objectives. In evaluating evidence,
auditors consider whether they have obtained the evidence necessary to
achieve specific audit objectives. When internal control or compliance
requirements are significant to the audit objectives, auditors should also
collect and evaluate evidence relating to controls or compliance. 7.50
Evidence may be categorized as physical, documentary, testimonial, and
analytical. Physical evidence is obtained by auditors* direct inspection
or observation of people, property, or events. Such evidence may be
documented in memoranda, photographs, drawings, charts, maps, or physical
samples. Documentary evidence consists of created information such as
letters, contracts, accounting records, invoices, and management
information on performance. Testimonial evidence is obtained through
inquiries, interviews, or questionnaires. Analytical evidence includes
computations, comparisons, separation of information into components, and
rational arguments.
7.51 The guidance in the following paragraphs is intended to help auditors
judge the quality and quantity of evidence needed to satisfy audit
objectives. Paragraphs 7.52 through 7.61 are intended to help auditors
determine what constitutes sufficient, competent, and relevant evidence to
support their findings and conclusions. Paragraphs 7.62 through 7.65
describe the elements of an audit finding.
Tests of Evidence 7.52 Evidence should be sufficient, competent, and
relevant to support a sound basis for audit findings, conclusions, and
recommendations.
a. Evidence should be sufficient to support the auditors* findings. In
determining the sufficiency of evidence, auditors should ensure that
enough evidence exists to persuade a knowledgeable person of the validity
of the findings. When appropriate, statistical methods may be used to
establish sufficiency.
b. Evidence is competent if it is valid, reliable, and consistent with
fact. In assessing the competence of evidence, auditors should consider
such factors as
93 whether the evidence is accurate, authoritative, timely, and authentic.
When
appropriate, auditors may use statistical methods to derive competent
evidence.
c. Evidence is relevant if it has a logical relationship with, and
importance to, the issue being addressed.
7.53 The following presumptions are useful in judging the competence of
evidence. However, these presumptions are not to be considered sufficient
in themselves to determine competence. The amount and kinds of evidence
required to support auditors* conclusions should be based on auditors*
professional judgment.
a. Evidence obtained when internal controls are effective is more
competent than evidence obtained when controls are weak or nonexistent.
Auditors should be particularly careful in cases where controls are weak
or nonexistent and should, therefore, plan alternative audit procedures to
corroborate such evidence.
b. Evidence obtained through the auditors* direct physical examination,
observation, computation, and inspection is more competent than evidence
obtained indirectly.
c. Examination of original documents provides more competent evidence than
do copies.
d. Testimonial evidence obtained under conditions where persons may speak
freely is more competent than testimonial evidence obtained under
compromising conditions (for example, where the persons may be
intimidated).
e. Testimonial evidence obtained from an individual who is not biased or
has complete knowledge about the area is more competent than testimonial
evidence obtained from an individual who is biased or has only partial
knowledge about the area.
f. Evidence obtained from a credible third party may in some cases be more
competent than that secured from management or other officials of the
audited entity.
7.54 Auditors may find it useful to obtain written representations
concerning the competence and completeness of certain evidence from
officials of the audited entity. Written representations ordinarily
confirm oral representations given to auditors, indicate and document the
continuing appropriateness of such representations, and reduce the
possibility of misunderstanding concerning the matters that are the
subject of the representations. Written representations can take several
forms, including summary documents prepared by the auditors and signed by
the entity*s management. If officials of the audited entity refuse to
provide a written representation that the auditors have requested, the
auditors should consider the effects of the refusal on results of the
audit.
94
7.55 The auditors* approach to determining the sufficiency, competence,
and relevance of evidence depends on the source of the information that
constitutes the evidence. Information sources include original data
gathered by auditors and existing data gathered by either officials of the
audited entity or a third party. Data from any of these sources may be
obtained from computer- based systems. (See paragraphs 7.63 through 7.65
for additional documentation requirements when using information from a
computer- based system.)
7.56 Data gathered by auditors: Data gathered by auditors include the
auditors* own observations and measurements. Among the methods for
gathering this type of data are questionnaires, structured interviews,
direct observations, and computations. The design of these methods and the
skill of the auditors applying them are the keys to ensuring that these
data constitute sufficient, competent, and relevant evidence. When these
methods are applied to determine cause, auditors are concerned with
eliminating conflicting explanations.
7.57 Data gathered by management: Auditors can use data gathered by
officials of the audited entity as part of their evidence. However,
auditors should determine the validity and reliability of data that are
significant to the audit objectives and may do so by direct tests of the
data. Auditors can reduce the direct tests of the data if they test the
effectiveness of the entity*s internal controls over the validity and
reliability of the data and these tests support the conclusion that the
controls are effective. The nature and extent of data testing will depend
on the significance of the data to support the auditors* findings. How the
use of unaudited data gathered by officials of the audited entity affect
the auditors* report depends on the data*s significance to the auditors*
findings. For example, in some circumstances, auditors may use unaudited
data to provide background information; however, the use of such unaudited
data would generally not be appropriate to support audit findings and
conclusions.
7.58 Data gathered by third parties: The auditors* evidence may also
include data gathered by third parties. In some cases, these data may have
been audited by others, or the auditors may be able to audit the data
themselves. In other cases, however, it will not be practical to obtain
evidence of the data*s validity and reliability. How the use of unaudited
third- party data affects the auditors* report depends on the data*s
significance to the auditors* findings. For example, in some
circumstances, auditors may use unaudited data to provide background
information; however, the use of such unaudited data would generally not
be appropriate to support audit findings and conclusions.
7.59 Validity and reliability of data from computer- based systems:
Auditors should obtain sufficient, competent, and relevant evidence that
computerprocessed data are valid and reliable when these data are
significant to the auditors* findings. This work is necessary regardless
of whether the data are provided to auditors or auditors independently
extract them. Auditors should determine if officials of the audited entity
or other auditors have worked to
95 establish the validity and reliability of the data or the effectiveness
of the controls
over the system that produced the data. If the results of such work are
current, auditors may be able to rely on that work. (See paragraphs 7.32
through 7.34 for requirements when relying on the work of others.)
Auditors may also determine the validity and reliability of computer-
processed data by direct tests of the data.
7.60 Auditors can reduce the direct tests of the data if they test the
effectiveness of general and application controls over computer- processed
data and these tests support the conclusion that the controls are
effective. If auditors determine that internal controls over data that are
significantly dependent upon computerized information systems are not
effective or if auditors do not plan to test the effectiveness of such
controls, auditors should include audit documentation regarding the basis
for that conclusion by addressing (1) the reasons why the design or
operation of the controls is ineffective, or (2) the reasons why it is
inefficient to test the controls. In such circumstances, auditors should
also include audit documentation regarding their reasons for concluding
that the planned audit procedures, such as direct tests of the data, are
effectively designed to achieve specific audit objectives. This
documentation should address:
a. the rationale for determining the types and extent of planned audit
procedures;
b. the kinds and competence of available evidence produced outside a
computerized information system; and
c. the effect on the audit report if the evidence gathered during the
audit does not allow the auditors to achieve audit objectives.
7.61 When the auditors* tests of data disclose errors in the data, or when
they are unable to obtain sufficient, competent, and relevant evidence
about the validity and reliability of the data, they may find it necessary
to a. seek evidence from other sources,
b. redefine the audit*s objectives to eliminate the need to use the data,
or
c. use the data, but clearly indicate in their report the data*s
limitations and refrain from making unwarranted conclusions or
recommendations.
Audit Findings 7.62 Audit findings often have been regarded as containing
the elements of criteria, condition, and effect, plus cause when problems
are found. However, the elements needed for a finding depend entirely on
the objectives of the audit. Thus, a finding or set of findings is
complete to the extent that the audit objectives are satisfied and the
report clearly relates those objectives to the elements of a finding.
Criteria are discussed in paragraph 7.28, and the other elements of a
finding* condition, effect, and cause* are discussed in the following
paragraphs.
96
7.63 Condition: Condition is a situation that exists. It has been
determined and documented during the audit.
7.64 Effect: Effect has two meanings that depend on the audit objectives.
When the auditors* objectives include identifying the actual or potential
consequences of a condition that varies (either positively or negatively)
from the criteria identified in the audit, *effect* is a measure of those
consequences. Auditors often use effect in this sense to demonstrate the
need for corrective action in response to identified problems. When the
auditors* objectives include estimating the extent to which a program has
caused changes in physical, social, or economic conditions, *effect* is a
measure of the impact achieved by the program. Here, effect is the extent
to which positive or negative changes in actual physical, social, or
economic conditions can be identified and attributed to program
operations.
7.65 Cause: Like effect, cause also has two meanings that depend on the
audit objectives. When the auditors* objectives include explaining why a
particular type of positive or negative performance identified in the
audit occurred, the reasons for that performance are referred to as
*cause.* Identifying the cause of problems can assist auditors in making
constructive recommendations for correction. Because problems can result
from a number of plausible factors or multiple causes, the recommendation
can be more persuasive if auditors can clearly demonstrate and explain
with evidence and reasoning the link between the problems and the factor
or factors they have identified as the cause. When the auditors*
objectives include estimating the program*s effect on changes in physical,
social, or economic conditions, auditors seek evidence of the extent to
which the program itself is the *cause* of those changes. Auditors may
identify significant deficiencies in internal control as the cause of
deficient performance. In reporting this type of finding, the internal
control deficiency would be described as the *cause.*
Audit Documentation 7.66 The field work standard related to audit
documentation for performance audits performed in accordance with GAGAS
is:
Auditors should prepare and maintain audit documentation. Audit
documentation related to planning, conducting, and reporting on the audit
should contain sufficient information to enable an experienced auditor,
who has had no previous connection with the audit, to ascertain from the
audit documentation the evidence that supports the auditors* significant
judgments and conclusions. Audit documentation should contain support for
findings, conclusions, and recommendations before auditors issue their
report.
97
7.67 The form and content of audit documentation should be designed to
meet the circumstances of the particular audit. The information contained
in audit documentation constitutes the principal record of the work that
the auditors have performed in accordance with standards and the
conclusions that the auditors have reached. The quantity, type, and
content of audit documentation are a matter of the auditors* professional
judgment.
7.68 Audit documentation serves to (1) provide the principal support for
the auditors* report, (2) aid auditors in conducting and supervising the
audit, and (3) allow for the review of audit quality. Audit documentation
should be appropriately detailed to provide a clear understanding of its
purpose and source and the conclusions the auditors reached, and it should
be appropriately organized to provide a clear link to the findings,
conclusions, and recommendations contained in the audit report. Audit
documentation for performance audits should contain the following audit
documentation not explicitly addressed elsewhere in GAGAS:
a. the objectives, scope, and methodology of the audit, including sampling
and other selection criteria used;
b. the auditors* determination that certain standards do not apply or that
an applicable standard was not followed, the reasons therefor, and the
known effect that not following the applicable standard had, or could have
had, on the audit;
c. the work performed to support significant judgments and conclusions,
including descriptions of transactions and records examined; 87 and d.
evidence of supervisory reviews, before the audit report is issued, of the
work performed that supports findings, conclusions, and recommendations
contained
in the audit report.
7.69 Audit organizations should establish reasonable policies and
procedures for the safe custody and retention of audit documentation for a
time sufficient to satisfy legal and administrative requirements. Audit
documentation allows for the review of audit quality by providing the
reviewer with documentation, either in written or electronic formats, of
the evidence supporting the auditors* significant judgments and
conclusions. If audit documentation is only retained electronically, the
audit organization should ensure that the electronic documentation is
capable of being accessed throughout the specified retention period
established for audit documentation and that it is safeguarded through
sound computer security.
7.70 Underlying GAGAS audits is the premise that federal, state, and local
governments and other organizations cooperate in auditing programs of
common interest so that the auditors may use others* work and avoid
duplication of effort.
87 Auditors may meet this requirement by listing file numbers, case
numbers, or other means of identifying specific documents they examined.
They are not required to include copies of documents they examined as part
of the audit documentation, nor are they required to list detailed
information from those documents.
98 Auditors should make arrangements to make audit documentation
available, upon
request, in a timely manner to other auditors or reviewers. Contractual
arrangements for GAGAS audits should provide for full and timely access to
audit documentation to facilitate reliance by others on the auditors*
work.
7.71 Audit organizations need to adequately safeguard the audit
documentation associated with any particular engagement. Audit
organizations should develop clearly defined policies and criteria to deal
with situations where requests are made by outside parties to obtain
access to audit documentation, especially in connection with situations
where an outside party attempts to obtain indirectly through the auditor
what they are unable to obtain directly from the audited
entity. Such policies will need to consider applicable laws and
regulations applying to the audit organizations or the audited entity.
99 CHAPTER 8
REPORTING STANDARDS FOR PERFORMANCE AUDITS Introduction 8.01 This chapter
prescribes reporting standards and provides guidance to
auditors reporting on performance audits in accordance with generally
accepted government auditing standards (GAGAS). The reporting standards
for performance audits relate to the form of the report, the report
contents, report quality, and report issuance and distribution.
Form 8.02 The reporting standard related to the form of the report for
performance audits performed in accordance with GAGAS is:
Auditors should prepare audit reports communicating the results of each
audit.
8.03 The form of the audit report should be appropriate for its intended
use, but should be written or in some other retrievable form. Auditors
should use their professional judgment including consideration of users*
needs, likely demand, and distribution in determining the form of the
audit report. In addition to a more formal presentation of audit results,
such as a chapter report or a letter report, briefing
slides may be considered audit reports. Audit reports also may be
presented on electronic media that are retrievable by report users and the
audit organization, such as video or compact disc formats. However,
regardless of form, audit reports should comply with all applicable
reporting standards. 8.04 This standard is not intended to limit or
prevent discussion of findings, judgments, conclusions, and
recommendations with persons who have responsibilities involving the area
being audited. On the contrary, such discussions are encouraged.
8.05 Audit reports (1) communicate the results of audits to officials at
various levels of government, (2) make the results less susceptible to
misunderstanding, (3) make the results available for public inspection,
and (4) facilitate follow- up to determine whether appropriate corrective
actions have been taken. The need to maintain public accountability for
government programs demands that audit reports be retrievable.
8.06 If an audit is terminated before it is completed but the auditors do
not issue an audit report, auditors should follow the requirements in
paragraph 7.40.
100 Report Contents 8.07 The reporting standard related to the contents of
the report for performance
audits conducted in accordance with GAGAS is:
The audit report should include the objectives, scope, and methodology;
the audit results, including findings, conclusions, and recommendations,
as appropriate; a reference to compliance with generally accepted
government auditing standards; the views of responsible officials; and, if
applicable, the nature of any privileged and confidential information
omitted.
Objectives, Scope, and Methodology 8.08 Auditors should include in the
report the audit objectives and the scope and methodology used for
achieving the audit objectives. This information is needed by report users
to understand the purpose of the audit and the nature of the audit work
performed, to provide perspective as to what is reported, and to
understand any significant limitations in audit objectives, scope, or
methodology.
8.09 Audit objectives should be communicated in the audit report in a
clear, specific, and neutral manner that avoids unstated assumptions.
Auditors should explain why the audit organization undertook the
assignment and state what the report is to accomplish and why the subject
matter is important. Articulating what the report is to accomplish
normally involves identifying the audit subject and the aspect of
performance examined. The reported audit objectives provide more
meaningful information to report users if they are measurable and feasible
and avoid being presented in a broad or general manner. To reduce
misunderstanding in cases where the objectives are particularly limited
and broader objectives can be inferred, it may be necessary to state
objectives that were not pursued.
8.10 In reporting the scope of the audit, auditors should describe the
depth and coverage of work conducted to accomplish the audit*s objectives.
Auditors should, as applicable, explain the relationship between the
population of items sampled and what was audited; identify organizations,
geographic locations, and the period covered; report the kinds and sources
of evidence; and explain any problems with the evidence. Auditors should
also report significant constraints imposed on the audit approach by data
limitations or scope impairments, including demands of access to certain
records or individuals.
8.11 To report the methodology used, auditors should clearly explain how
the audit objectives were accomplished, including the evidence gathering
and analysis techniques used, in sufficient detail to allow knowledgeable
users of their reports to understand the work. This explanation should
identify any significant assumptions made in conducting the audit;
describe any comparative techniques applied; describe the criteria used;
and, when sampling significantly supports
101 auditors* findings, describe the sample design and state why it was
chosen,
including whether the results can be projected to the intended population.
8.12 Auditors should attempt to avoid misunderstanding by the report user
concerning the work that was and was not done to achieve the audit
objectives, particularly when the work was limited because of constraints
on time or resources. The auditors* report should clearly describe the
scope of the work performed and any limitations; any applicable standards
that were not followed, and the reasons therefor; and how not following
the applicable standards affected or could affect the results of the work.
For example, if the auditors are unable to determine the reliability of
information from an agency*s database, and information from this database
is critical to achieving the audit objectives, the report should clearly
state the limitations associated with the information and refrain from
making unwarranted conclusions or recommendations. In these situations,
the audit report should also include the reasons the auditors were unable
to perform this work and the potential impact on the findings if the
information is not reliable. 88 Findings 8.13 Auditors should report
findings by providing credible evidence that relates to
the audit objectives. These findings should be supported by sufficient,
competent, and relevant evidence. They also should be presented in a
manner to promote adequate understanding of the matters reported and to
provide convincing but fair presentations in proper perspective. The audit
report should provide selective background information to provide the
context for the overall message and to help the reader understand the
findings and significance of the issues discussed. 89 8.14 As discussed in
chapter 7, audit findings have often been regarded as
containing the elements of criteria, condition, cause, and effect.
However, the elements needed for a finding depend on the audit objectives.
For example, an audit objective may be limited to determining the current
status or condition of implementing legislative requirements, and not the
related cause or effect. Thus, a finding or set of findings is complete to
the extent that the audit objectives are satisfied and the report clearly
relates those objectives to the elements of the
finding.
8.15 To the extent possible, in presenting findings, auditors should
develop the elements of criteria, condition, cause, and effect to assist
officials of the audited
88 When computer- processed data are included in the report for background
or informational purposes and are not significant to the auditors*
findings, citing the source of the data and stating that they were not
verified will satisfy the reporting standards.
89 Appropriate background information may include information on how
programs and operations work; the significance of programs and operations
(e. g., dollars, impact, purposes, and past audit work if relevant); a
description of the audited entity*s responsibilities; and explanation of
terms, organizational structure, and the statutory basis for the program
and operations.
102 entity or oversight officials of the audited entity in understanding
the need for
taking corrective action. In addition, if auditors are able to
sufficiently develop the findings, auditors should provide recommendations
for corrective action. Following is guidance for reporting on elements of
findings.
a. Criteria provides information so that the report user will be able to
determine what is the required or desired state or what is expected from
the program or operation. The criteria are easier to understand when
stated fairly, explicitly, and completely and when the source of the
criteria is identified in the audit report. 90 b. Condition provides
evidence on what the auditors found regarding the actual
situation. Reporting the scope or extent of the condition allows the
report user to gain an accurate perspective.
c. Cause provides persuasive evidence on the factor or factors responsible
for the difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable and
convincing argument for why the stated cause is the key factor or factors
contributing to the difference as opposed to other possible causes, such
as poorly designed criteria or factors uncontrollable by program
management. The auditors also may consider whether the identified cause
could serves as a basis for the recommendations.
d. Effect provides a clear, logical link to establish the impact of the
difference between what the auditors found (condition) and what should be
(criteria). Effect is easier to understand when it is stated clearly,
concisely, and, if possible, in quantifiable terms. The significance of
the reported effect can be demonstrated through credible evidence.
8.16 The audit report should also include any significant deficiencies 91
in internal control, all instances of fraud and illegal acts unless they
are clearly inconsequential, 92 significant violations of provisions of
contracts or grant agreements, and significant abuse.
90 Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/ AIMD- 00- 21. 3. 1 (Washington, D.
C.: Nov. 1999) and Internal Control* Integrated Framework, published by
the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) are two sources of established criteria auditors can use to support
their judgments and conclusions about internal control. The related
Internal Control Management and Evaluation Tool, GAO- 01- 1008G
(Washington, D. C., Aug. 2001), based on the
federal internal control standards, provides a systematic, organized, and
structured approach to assessing the internal control structure.
91 Significant deficiencies are those matters coming to the auditor*s
attention that, in the auditor*s judgment, affect the results of the
auditors* work and the auditors* conclusions and recommendations about
those results.
92 Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should take care not to unintentionally imply that a final
determination of illegality has been made.
103 Internal Control Deficiencies
8.17 Auditors should include in the audit report the scope of their work
on internal control and any significant deficiencies found during the
audit. When auditors detect deficiencies in internal control that are not
significant, they should communicate those deficiencies in a separate
letter to officials of the audited entity unless the deficiencies are
clearly inconsequential considering both qualitative and quantitative
factors. If the auditors have communicated deficiencies in a separate
letter to officials of the audited entity, they should refer to that
letter in the audit report. Auditors should use professional judgment in
determining whether or how to communicate deficiencies that are clearly
inconsequential to officials of the audited entity. Auditors should
include in their audit documentation evidence of all communications about
internal control deficiencies found during the audit.
8.18 In a performance audit, auditors may identify significant
deficiencies in internal control as the cause of deficient performance. In
reporting this type of finding, the internal control weakness would be
described as the cause.
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse
8.19 When auditors conclude, based on evidence obtained, that fraud,
illegal acts, significant violations of provisions of contracts or grant
agreements, or significant abuse either has occurred or is likely to have
occurred, they should include in
their audit report relevant information. 93 Abuse occurs when the conduct
of a government program or entity falls far short of behavior that is
expected to be reasonable and necessary business practices by a prudent
person.
8.20 When reporting instances of fraud, illegal acts, violations of
provisions of contracts or grant agreements, and abuse, auditors should
place their findings in proper perspective by providing a description of
the work conducted that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings, the
instances identified should be related to the population or the number of
cases examined and be quantified in terms of dollar value, if appropriate.
If the results cannot be projected, auditors should limit their conclusion
to the items tested. 8.21 When auditors detect violations of provisions of
contracts or grant
agreements or abuse that is not significant, they should communicate those
findings in a separate letter to officials of the audited entity unless
the findings are clearly inconsequential, considering both qualitative and
quantitative factors. If the auditors have communicated instances of
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse in a separate letter to 93 See paragraphs 8. 22
through 8. 26 for additional reporting considerations.
104 officials of the audited entity, auditors should refer to that letter
in the audit
report. Auditors should use their professional judgment in determining
whether and how to communicate to officials of the audited entity fraud,
illegal acts, violations of provisions of contracts or grant agreements,
and abuse that are clearly inconsequential. Auditors should include in
their audit documentation evidence of all communications to officials of
the audited entity about instances of fraud, illegal acts, violations of
provisions of contracts or grant agreements, and abuse.
Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, and Abuse
8.22 GAGAS require auditors to report fraud, illegal acts, violations of
provisions of contracts or grant agreements, and abuse directly to parties
outside the audited entity in certain circumstances, as discussed below.
94 These requirements are in addition to any legal requirements for direct
reporting of fraud, illegal acts, violations of provisions of contracts or
grant agreements, and abuse. Auditors should meet these requirements even
if they have resigned or been dismissed from the audit.
8.23 The audited entity may be required by law or regulation to report
certain fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse to specified external parties, such as a
federal inspector general or a state attorney general. If auditors have
communicated such fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to the
audited entity and it fails to report them, then the auditors should
communicate their awareness of that failure to the governing body of the
audited entity. If the audited entity does not make the required report as
soon as practicable after the auditors* communication with the entity*s
governing body, then the auditors should report such fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly to the external party specified in the law or regulation.
8.24 Officials of the audited entity are responsible for taking timely and
appropriate steps to remedy fraud, illegal acts, violations of provisions
of contracts or grant agreements, or abuse that auditors report to them.
When fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse involves assistance received directly or indirectly
from a government agency, auditors may have a duty to report such fraud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse directly to that government agency if officials of the audited
entity fail to take remedial steps. If auditors conclude that such failure
is likely to cause them to report such findings or resign from the audit,
they should communicate that conclusion to the governing body of the
94 Internal audit organizations do not have a duty to report outside the
entity unless required by law, rule, regulation, or policy. See paragraph
3.28 for reporting requirements for internal audit organizations when
reporting externally.
105 audited entity. Then, if the audited entity does not report the fraud,
illegal act, violation of provisions of contracts or grant agreements, or
abuse as soon as
practicable to the entity that provided the government assistance, the
auditors should report the fraud, illegal act, violation of provisions of
contracts or grant agreements, or abuse directly to that entity.
8.25 In these situations, auditors should obtain sufficient, competent,
and relevant evidence, such as confirmation with outside parties, to
corroborate assertions by officials of the audited entity that the
officials have reported fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse. If the officials are unable to do
so, then the auditors should report such fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse directly as
discussed above.
8.26 Laws, regulations, or other authority may require auditors to report
promptly indications of certain types of fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities. In such circumstances, when
auditors conclude that fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse either has occurred or is likely
to have occurred, they should ask those authorities or legal counsel if
publicly reporting certain information about the potential fraud, illegal
acts, violations of provisions of contracts or grant agreements, or abuse
would compromise investigative or legal proceedings. Auditors should limit
the extent of their public reporting to matters that would not compromise
those proceedings, such as information that is already a part of the
public record.
Conclusions 8.27 Auditors should report conclusions when called for by the
audit objectives and the results of the audit. Conclusions are logical
inferences about the program based on the auditors* findings and should
represent more than just a summary of the findings. Conclusions should be
clearly stated, not implied. The strength of the auditors* conclusions
depends on the persuasiveness of the evidence supporting the findings and
the soundness of the logic used to formulate the conclusions. Conclusions
are stronger if they set up the report*s recommendations and convince the
knowledgeable user of the report that action is necessary.
Recommendations 8.28 If warranted, auditors should make recommendations
for actions to correct problems identified during the audit and to improve
programs and operations. Auditors should make recommendations when the
potential for improvement in programs, operations, and performance is
substantiated by the reported findings and conclusions. Recommendations
should logically flow from the findings and conclusions and need to state
clearly the actions to be taken. Recommendations to effect compliance with
laws and regulations and improve internal control also should be made when
significant instances of possible fraud, illegal acts, or
106 violations of provisions of contracts or grant agreements are noted or
abuse or
deficiencies in internal control are found.
8.29 Constructive recommendations can encourage improvements in the
conduct of government programs and operations. For recommendations to be
most constructive, they should be directed at resolving the cause of
identified problems, action oriented and specific, addressed to parties
that have the authority to act, practical and, to the extent feasible,
cost effective and measurable.
Statement on Compliance with GAGAS 8.30 Auditors should report that the
audit was made in accordance with GAGAS. The statement of compliance with
GAGAS refers to all the applicable standards that the auditors should have
followed during the audit. The statement referencing compliance with GAGAS
should be qualified in situations in which the auditors did not follow an
applicable standard. In these situations, auditors should disclose in the
scope section of the report the applicable standard that was not followed,
the reasons therefor, and how not following the standard affected, or
could have affected, the results of the audit. In assessing the impact of
not following an applicable standard on the results of the audit, auditors
may need to qualify any assurances, disclaim from providing any
assurances, or withdraw from the audit.
Reporting Views of Responsible Officials 8.31 Auditors should report the
views of responsible officials of the audited program concerning auditors*
findings, conclusions, and recommendations, as well as planned corrective
actions. One of the most effective ways to ensure that a report is fair,
complete, and objective is to obtain advance review and comments by
responsible officials of the audited entity and others, as may be
appropriate. Including the views of responsible officials results in a
report that presents not only the auditors* findings, conclusions, and
recommendations, but also what the responsible officials of the audited
entity think about the audit results and what corrective actions officials
of the audited entity plan to take. Auditors should
include in their report a copy of the officials* written comments or a
summary of the comments received.
8.32 Auditors should normally request that the responsible officials
submit in writing their views on reported findings, conclusions, and
recommendations as well as management*s planned corrective actions. Oral
comments are acceptable as well and, in some cases, may be the only or
most expeditious way to obtain comments. Cases in which obtaining oral
comments can be effective include when there is a time- critical
requirement to meet a user*s needs; the auditors have worked closely with
the responsible officials throughout the conduct of the work and the
parties are very familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with the
draft
107 report*s findings, conclusions, and recommendations, or perceive any
major
controversies with regard to the issues discussed in the draft report.
Auditors should prepare a summary of the officials* oral comments and
provide a copy of the summary to officials of the audited entity to verify
that the comments are accurately stated prior to finalizing the report.
8.33 Comments should be fairly and objectively evaluated and recognized,
as appropriate, in the final report. Comments, such as a promise or plan
for corrective action, should be noted but should not be accepted as
justification for dropping a finding or a related recommendation.
8.34 When the audited entity*s comments oppose the report*s findings,
conclusions, or recommendations and are not, in the auditors* opinion,
valid, or when planned corrective actions do not adequately address the
auditors* recommendations, the auditors should state their reasons for
disagreeing with the comments or planned corrective actions. The auditors*
disagreement should be stated in a fair and objective manner. Conversely,
the auditors should modify their report as necessary if they find the
comments valid.
Reporting Privileged and Confidential Information 8.35 If certain
pertinent information is prohibited from general disclosure, the audit
report should state the nature of the information omitted and the
requirement that makes the omission necessary.
8.36 Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. In such circumstances,
auditors may issue a separate limited- official- use report containing
such information and distribute the report only to persons authorized by
law or regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion of
certain information in the report. For example, detailed information
related to computer security for a particular program may be excluded from
publicly available reports because of the potential damage that could be
caused by the misuse of this information. In such circumstances, auditors
may issue a limited- official- use report containing such information and
distribute the report only to those parties responsible for acting on the
auditors* recommendations. The auditors should, when appropriate, consult
with legal counsel regarding any requirements or other circumstances that
may necessitate the omission of certain information.
8.37 Auditors* judgments that certain information should be excluded from
publicly available reports should be made in a manner consistent with
consideration of the broader public interest in the program or activity
under review. Auditors need to weigh the need to reveal all significant
facts known to them that if not revealed, could either distort the results
or conceal improper or unlawful practices against any requirements or
other circumstances that may necessitate the omission of certain
information. If auditors make the judgment
108 that certain information should be excluded from a publicly available
report, they
should state the general nature of the information omitted and the reasons
that make the omission necessary in the report.
Report Quality Elements 8.38 The reporting standard related to report
quality for performance audits performed in accordance with GAGAS is:
The report should be timely, complete, accurate, objective, convincing,
clear, and as concise as the subject permits.
Timely 8.39 To be of maximum use, the audit report needs to provide
relevant information in time to respond to officials of the audited
entity, legislative officials, and other users* legitimate needs.
Likewise, the information provided in the report needs to be current.
Therefore, auditors should plan for the appropriate issuance of the report
and conduct the audit with these goals in mind.
8.40 During the audit, the auditors should consider interim reporting of
significant matters to appropriate entity officials. Such communication,
which may be oral or written, is not a substitute for a final report, but
it does alert officials to matters needing immediate attention and permits
them to take corrective action before the final report is completed.
Complete 8.41 Being complete requires that the report contain all evidence
needed to satisfy the audit objectives and promote an adequate and correct
understanding of the matters reported. It also means the report states
information and findings completely, including all necessary facts and
explanations. Giving report users an adequate and correct understanding
means providing perspective on the extent and significance of reported
findings, such as the frequency of occurrence relative to the number of
cases or transactions tested and the relationship of the findings to the
entity*s operations.
8.42 In most cases, a single example of a deficiency is not sufficient to
support a broad conclusion or a related recommendation. All that it
supports is that a deviation, an error, or a weakness existed. Sufficient
detailed supporting data should be included to make convincing
presentations.
Accurate 8.43 Accuracy requires that the evidence presented be true and
that findings be correctly portrayed. The need for accuracy is based on
the need to assure report
109 users that what is reported is credible and reliable. One inaccuracy
in a report can
cast doubt on the reliability of an entire report and can divert attention
from the substance of the report. Also, use of inaccurate evidence can
damage the credibility of the issuing audit organization and reduce the
effectiveness of its reports.
8.44 The report should include only information, findings, and conclusions
that are supported by sufficient, competent, and relevant evidence in the
audit documentation. If data are significant to the audit findings and
conclusions, but are not audited, the auditors should clearly indicate in
their report the data*s limitations and not make unwarranted conclusions
or recommendations based on those data.
8.45 Evidence included in audit reports should demonstrate the correctness
and reasonableness of the matters reported. Correct portrayal means
describing accurately the audit scope and methodology and presenting
findings and conclusions in a manner consistent with the scope of audit
work. The report also should not have errors in logic and reasoning. One
way to help ensure that the audit report meets these reporting standards
is to use a quality control process such as referencing. Referencing is a
process in which an experienced auditor who is independent of the audit
verifies that statements of facts, figures, and dates are correctly
reported, that the findings are adequately supported by the audit
documentation, and that the conclusions and recommendations flow logically
from the support.
Objective 8.46 Objectivity requires that the presentation of the entire
report be balanced in content and tone. A report*s credibility is
significantly enhanced when it presents evidence in an unbiased manner so
that report users can be persuaded by the facts. The report should be fair
and not misleading and should place the audit results in perspective. This
means presenting the audit results impartially and fairly. In describing
shortcomings in performance, auditors should put findings in context. For
example, the audited entity may have faced unusual difficulties or
circumstances.
8.47 The tone of reports should encourage decision makers to act on the
auditors* findings and recommendations. This tone should be balanced by
requiring reports to present sound and logical evidence to support
conclusions while refraining from using adjectives or adverbs that
characterize evidence in a way that implies criticism or unsupported
conclusions.
8.48 The report should recognize the positive aspects of the program
reviewed if applicable to the audit objectives. Inclusion of positive
program aspects may lead to improved performance by other government
organizations that read the report. Such information allows for a fairer
presentation of the situation by providing appropriate balance to the
report. In addition, inclusion of such accomplishments
110 may lead to improved performance by other government organizations
that read
the report. Convincing 8.49 Being convincing requires that the audit
results be responsive to the audit objectives, that the findings be
presented persuasively, and that the conclusions and recommendations
follow logically from the facts presented. The information presented
should be sufficient to convince the report users to recognize the
validity of the findings, the reasonableness of the conclusions, and the
benefit of implementing the recommendations. Reports designed in this way
can help focus the attention of responsible officials on the matters that
warrant attention and can provide an incentive for taking corrective
action.
Clear 8.50 Clarity requires that the report be easy to read and
understand. Reports should be prepared in language as clear and simple as
the subject permits. Use of straightforward, nontechnical language is
essential to simplicity of presentation. Whenever technical terms,
abbreviations, and acronyms are used, they should be clearly defined.
8.51 Auditors may consider using a summary within the report to capture
the report user*s attention and highlight the overall message. If a
summary is used, it generally should focus on the specific answers to the
questions in the audit objectives, summarize the audit*s most significant
findings and the report*s principal conclusions, and prepare users to
anticipate the major recommendations.
8.52 Logical organization of material, and accuracy and precision in
stating facts and in drawing conclusions, are essential to clarity and
understanding. Effective use of titles and captions and topic sentences
makes the report easier to read and understand. Visual aids (such as
pictures, charts, graphs, and maps) should be used when appropriate to
clarify and summarize complex material. Concise 8.53 Being concise
requires that the report be no longer than necessary to convey
and support the message. Extraneous detail detracts from a report, may
even conceal the real message, and may confuse or distract the users.
Also, needless repetition should be avoided. Although room exists for
considerable judgment in determining the content of reports, those that
are fact- based but concise are likely to achieve greater results.
111 Report Issuance and Distribution 8.54 The reporting standard related
to report issuance and distribution for
performance audits performed in accordance with GAGAS is:
Government auditors should submit audit reports to the appropriate
officials of the audited entity and to the appropriate officials of the
organizations requiring or arranging for the audits, including external
funding organizations, such as legislative bodies, unless legal
restrictions prevent it. Auditors should also send copies of the reports
to other officials who have legal oversight authority or who may be
responsible for acting on audit findings and recommendations and to others
authorized to receive such reports. Unless the report is restricted by law
or regulation, or contains privileged or confidential information,
auditors should clarify that copies are made available for public
inspection. Nongovernment
auditors should clarify report distribution responsibilities with the
party contracting for the audit and follow the agreements reached.
8.55 Audit reports should be distributed in a timely manner to officials
interested in the results. Such officials include those designated by law
or regulation to receive such reports, those responsible for acting on the
findings and recommendations contained in the report, those in other
levels of government who have provided assistance to the audited entity,
and legislators. However, if the subject of the audit involves material
that is classified for security purposes or is not releasable to
particular parties or the public for other valid reasons, auditors should
limit the report distribution. (See paragraphs 8.35 through 8.37 for
additional guidance on limited report distribution.) The availability of
the report for public inspection should be documented in the audit
documentation.
8.56 When nongovernment auditors are engaged to perform the audit under
GAGAS, they should clarify report distribution responsibilities with the
engaging organization. If the nongovernment auditors are to make the
distribution, the engagement agreement should indicate which officials or
organizations should receive the report and any other steps being taken to
ensure the availability of the report for public inspection. The
availability of the report for public inspection should be documented in
the audit documentation.
8.57 Internal auditors should follow their entity*s own arrangements and
statutory requirements for distribution. Usually, they report to their
entity*s head or deputy head, who is responsible for distribution of the
report. Further distribution of reports outside the organization should be
made in accordance with applicable laws, rules, regulations, or policy.
112 Appendix I Advisory Council on Government Auditing Standards
Advisory Council Members
Mr. Jack R. Miller, Chair KMPG Peat Marwick LLP (member 1997- 1998; chair
2001- 2003)
Mr. Richard C. Tracy, Former Chair Office of City Auditor Portland, Oregon
(member 1997- 1998; chair 1999- 2000)
The Honorable James B. Thomas, Former Chair Office of the Chief Inspector
General State of Florida (chair 1997- 1998)
Mr. Ernest A. Almonte Office of the Auditor General State of Rhode Island
(member 2001- 2003)
Mr. Robert H. Attmore Office of the Comptroller New York State (member
1997- 1999)
The Honorable Thomas R. Bloom Defense Finance and Accounting Service
(member 1997- 2000)
The Honorable June Gibbs Brown U. S. Department of Health and Human
Services (member 1997- 1999)
The Honorable Ralph Campbell, Jr. Office of the State Auditor State of
North Carolina (member 2000- 2003)
113 Mr. Donald H. Chapin
Consultant (member 1997- 1998)
Ms. Patricia A. Dalton U. S. Department of Labor (member 1997- 1999)
Ms. Debra K. Davenport Office of the Auditor General State of Arizona
(member 2003- 2005)
Dr. John H. Engstrom University of Northern Illinois (member 2003- 2005)
The Honorable Bert T. Edwards U. S. Department of Interior (member 2000-
2002)
Mr. Richard Fair Office of the State Auditor State of New Jersey (member
2003- 2005)
Dr. Ehsan Feroz University of Minnesota (member 2003- 2005)
The Honorable Gaston L. Gianni, Jr. Federal Deposit Insurance Corporation
(member 1999- 2001)
Ms. Barbara J. Hinton Office of the Legislative Post Auditor State of
Kansas (member 1999- 2001)
Mr. David G. Hitchcock Standards & Poor*s (member 1999- 2001)
Dr. Jesse W. Hughes Consultant (member 2000- 2002)
114 Dr. Rhoda C. Icerman
Florida State University (member 2001- 2003)
Mr. Norwood J. Jackson, Jr. U. S. Office of Management and Budget (member
1997- 2000)
Mr. Auston G. Johnson Office of the State Auditor State of Utah (member
2000- 2002)
The Honorable Margaret B. Kelly Office of the State Auditor State of
Missouri (member 1997- 1998)
Dr. Daniel G. Kyle Office of the Legislative Auditor State of Louisiana
(member 1997- 1998)
Mr. Philip A. Leone Joint Legislative Audit and Review Commission
Commonwealth of Virginia (member 1997- 2000)
Mr. George A. Lewis Broussard, Poche, Lewis & Breaux (member 1997- 2000)
Ms. Nora J. E. Masters Deliotte & Touche LLP (member 1997- 1999)
Mr. Sam M. McCall Office of the City Auditor Tallahassee, Florida (member
1997- 1998; 2000- 2002)
Mr. Harold Monk Davis, Monk & Company, CPAs (member 2003- 2005)
115 Mr. Stephen L. Morgan
Office of the City Auditor Austin, Texas (member 2001- 2003)
The Honorable Everett L. Mosley U. S. Agency for International Development
(member 2001- 2003)
Mr. Bruce A. Myers Office of the Legislative Auditor State of Maryland
(member 1999- 2001)
Dr. Kathryn E. Newcomer George Washington University (member 1999- 2001)
Mr. Robert Reardon, Jr. State Farm Insurance (member 2003- 2005)
Ms. Roberta Reese Office of the Controller State of Nevada (member 1997-
1999)
Mr. George A. Scott Deloitte & Touche LLP (member 1999- 2001)
Mr. Gerald Silva Office of the City Auditor City of San Jose, California
(member 2003- 2005)
The Honorable Kurt R. Sjoberg Office of the State Auditor State of
California (member 1997- 2000)
Mr. Barry R. Snyder Federal Reserve Board (member 2001- 2003)
116 Dr. Daniel Stufflebeam Western Michigan University
(member 2003- 2005) Dr. Paul M. Thompson AMBAC Indemnity Corporation
(member 1997- 1998)
Mr. Cornelius E. Tierney George Washington University (member 1997- 1999)
The Honorable Nikki Tinsley U. S. Environmental Protection Agency (member
2003- 2005)
Ms. Leslie E. Ward Office of the City Auditor Kansas City, Missouri
(member 1999- 2001)
The Honorable Jacquelyn L. Williams- Bridgers U. S. Department of State
(member 2000- 2002)
Dr. Earl R. Wilson University of Missouri- Columbia (member 1999- 2001)
GAO Project Team Jeffrey C. Steinhoff, Managing Director Jeanette M.
Franzel, Director Marcia B. Buchanan, Assistant Director Cheryl E. Clark,
Assistant Director Michael C. Hrapsky, Project Manager
Robert W. Gramling, Consultant
INDEX
abuse attestation engagement 6.15, 6.19- 6.20, 6.32- 6.40 defined 4.19,
6.19, 7.25, 8.19
financial audit 4.17, 4.19, 4.20, 5.12, 5.17- 5.25 performance audit 7.25-
7.26, 8.19- 8.26 pursuing indications of 4.20, 6.20, 7.26 reporting 5.12,
5.17- 5.25, 6.32- 6.40, 8.19- 8.26 reporting, direct 5.21- 5.25, 6.36-
6.40, 8.22- 8.26 accountability 1.11- 1.16 AICPA standards attestation
engagement 2.08, 6.01, 6.03- 6.04, 6.23, 6.27, 6.51
financial audit 2.06, 4.01- 4.02, 4.03- 4.04, 5.01- 5.02, 5. 03, 5.17
relationship to GAGAS 1.09- 1.10, 4.01, 5.01, 6.01 American Institute of
Certified Public Accountants (see AICPA standards) attestation engagements
1.13, 2.07- 2.08, 6.01- 6.54 abuse 6.15, 6.19- 6.20, 6.32- 6.40
communication, auditor 6.06- 6.09, 6.35, 6.54
compliance with GAGAS, reporting auditors* 6.29- 6.31 conclusions 6.27b
corrective actions 6.11- 6.12, 6.34, 6.41- 6.45 defined 1.13, 2.07, 6.02
distribution, report issuance and 6.46- 6.48, 6.49- 6.54 distribution,
restricted 6.27d, 6.47, 6. 50- 6.51 documentation access to 6.25- 6.26
attest 6.07, 6.16- 6.17, 6.22- 6.26, 6.35, 6.54 of communication 6.07,
6.09, 6.35, 6.54 of risk assessment 6.16- 6.17 safeguarding 6. 26 findings
6.21, 6.33- 6.35
fraud and illegal acts 6.15- 6.18, 6.20, 6.32- 6.40 internal control 2.11,
6.13- 6.14, 6.32- 6.35 levels 6.02 agreed- upon- procedures 6.02c, 6.15,
6. 18, 6.27d, 6.51 examination 6.02a, 6.13- 6. 14, 6.15- 6.16 review
6.02b, 6.15, 6. 18
planning 6.13- 6.14, 6.15- 6.16 previous engagements, considering results
of 6.10- 6.12 privileged and confidential information 6.46- 6.48
recommendations 6.34 reporting 6.27- 6.54 reporting, direct 6.36- 6.40
qualifications for auditors, additional 3.43- 3.44 scope 6.30, 6.31, 6.34,
6.43, 6.51 termination 6.54
users (of the audit report) 6.03, 6.31, 6.34 views of responsible
officials 6.41- 6.45
violations of provisions of contracts or grant agreements 6.15- 6.18,
6.20, 6.32- 6.35, 6.36- 6.40 work of others, considering 6.25 audited
entity, requirements and responsibilities of (see
also management*s role; officials, responsibilities of) 5.22- 5.23 audit
objectives (see objectives) audit organizations* responsibilities (see
also under
independence;) 1.27- 1.28, 3.38 auditors, qualifications of (see
competence) auditors* responsibilities 1.19- 1.26, 3.38, 4.11, 4.18 audit
procedures (see under procedures) audits and attestation engagements,
types of (see also attestation engagements; financial audits; performance
audits) 2.01- 2.16 cause 5.15c, 6.34c, 7.15, 7.65, 8.15c, 8.18 comments
(see letters to officials, comment; views of responsible officials)
communication, auditor (see also under attestation
engagements; financial audits; performance audits) 1.26, 3.17e- 3. 17f
competence (see also continuing professional education) 3.39- 3.48
technical knowledge 3.42 qualifications for financial audits and
attestation
engagements, additional 3.43- 3.44 compliance 2.12, 4.12- 4.13, 5.08-
5.11, 7.12c, 7.19- 7.20,
7.49 tests of 4.12- 4.13, 5.08- 5.09, 7.07d, 7.19- 7.20 compliance with
GAGAS (see under GAGAS) computer- based systems, data from 7.59- 7.61
conclusions 6.27b, 8.27, 8. 47, 8.49 condition 5.15b, 6.34b, 7.63, 8.15b
conditions, reportable (see reportable conditions under attestation
engagements; financial audits; performance
audits) confidential information (see privileged and confidential
information under attestation engagements, financial audits, performance
audits) conflict of interest (see independence) constructive engagement
1.16
consulting services (see nonaudit services) continuing professional
education (CPE) (see also documentation, continuing professional
education) 3.45- 3.48 corrective actions (see under attestation
engagements; financial audits; performance audits) criteria 5.15a, 6.34a,
7.28, 8.15a, 8. 42
data (see also evidence) 7.31, 7.55- 7.61 sources of 7.31, 7.55- 7.59
tests of 7.60- 7.61 unaudited 8.44 validity and reliability of 7.12b,
7.15, 7. 57, 7.59 diligence (see professional judgment) direct reporting
(see under attestation engagements;
financial audits; performance audits) distribution, limited (see under
attestation engagements; financial audits; performance audits)
distribution, report issuance and 5.31- 5.33, 5.34- 5.38, 6.46- 6.48,
6.49- 6.54, 8.36, 8.54- 8.57 documentation access to 3.17g, 4.25- 4. 26,
6.25- 6.26, 7.69- 7.71 attestation engagement 6.07, 6.09, 6.16- 6.17,
6.22- 6.26, 6.35, 6. 50-
6.51, 6.54 audit plan 7.41- 7.43 of audit reviews 7.47 of communication
4.07, 4.09, 5.16, 5.20, 5.38, 6.07, 6.09, 6.35,
6.54, 7.40, 8.17, 8.21 of continuing professional education 3.47 of
evidence 7.54, 7.60 financial audit 4.07, 4.09, 4.22- 4.26, 5.16, 5.20,
5.35- 5. 36,
5.38 independence 3.17a- 3.17e, 3.26, 3.32 peer review 3.17g, 3.54
performance audit 7.07, 7.17, 7.22, 7.40- 7.43, 7.47, 7.54, 7.60,
7.63, 7.66- 7.71, 8.17, 8.21, 8.45, 8.55- 8. 56 of planning 7.07 quality
control 3.51 of risk assessment 6.16- 6.17, 7.17, 7.22 safeguarding 4.26,
6.26, 7.69, 7.71 of specialists* qualifications 3.49 economy and
efficiency (see objectives, types of) effect 5.15d, 6.34d, 7.64, 8.15d
effectiveness (see objectives, types of) engagement letter (see under
letters to officials) evidence (see also data) attestation engagement
6.04, 6.34b- 6. 34c, 6.39 financial audits 4.03, 4.12, 5.15, 5.24
performance audit 7.31, 7.48- 7.51, 7.52- 7.65, 8.13, 8.15, 8.25,
8.41- 8.47 tests of 7.52- 7.61 types of 7.50 external quality control
review (see peer review) field work 4.01- 4.26, 6.04, 6.05, 7.01- 7.71
financial audits 1.12, 2.05- 2.06, 4.01- 4.26, 5.01- 5.38 abuse 4.17,
4.19, 4.20, 5.12, 5.17- 5.25 communication, auditor 4.06- 4.13, 5.16,
5.20, 5.22- 5.23, 5.38 compliance 4.10- 4.13, 5.08- 5.11 compliance with
GAGAS, reporting auditors* 5.05- 5.07 conclusions 5.18 corrective actions
4.15- 4.16, 5.15, 5.26- 5.30 defined 1.12, 2.05, 4.02
distribution, limited 5.32, 5.35 distribution, report issuance and 5.31-
5.33, 5.34- 5.38 documentation access to 4.25- 4.26
audit 4.22- 4.26 of communication 4.07, 4.09, 5.16, 5.20, 5.38
safeguarding 4. 26 field work 4.01- 4.26
findings 4.21, 5.14-. 15, 5.18- 5.20 fraud and illegal acts 4.18, 4.20,
5.12, 5.17- 5.19, 5.21- 5.25
internal control 4.03, 4.04, 4.10- 4.13, 5.08- 5. 11, 5.12- 5.16 material
misstatement 4.17- 4.18 material weakness 5.14 previous engagements,
considering results of 4.04, 4.14- 4.16 privileged and confidential
information 5.31- 5.33 procedures, audit (see also methodology and
procedures) 4.17- 4.20, 4.23, 4.26 reportable conditions 5.12- 5.14
reporting 5.01- 5.38 reporting, direct 5.12, 5.21- 5.25 qualifications for
auditors, additional 3.43- 3.44 scope 5.06, 5.08- 5.09 termination 4.09,
5.38 users (of the audit report) 4.04, 5.07, 5.15, 5.28 views of
responsible officials 5.26- 5.30 violations of provisions of contracts or
grant agreements 4.17- 4.18, 4.20, 5.12, 5.17- 5.25
findings 4.21, 5.14- 5.15, 5.18- 5.20, 6.21, 6.33- 6. 35, 7.28, 7.62-
7.65, 8.13- 8.16 findings, elements of 5.15, 6.34, 7.28, 7.62- 7.65, 8.14-
8.15
follow- up (see also previous engagements, considering results of, under
attestation engagements, financial audits, performance audits) 1.28 fraud
and illegal acts attestation engagement 6.15- 6.18, 6.20, 6.32- 6.35,
6.36- 6.40
financial audit 4.18, 4.20, 5.12, 5.17- 5.19, 5.21- 5.25 performance audit
7.17- 7.24, 7.26- 7.27, 8.16, 8.19- 8.26 pursuing indications of 4.20,
6.20, 7.26 reporting 5.12, 5.17- 5.19, 5.21- 5.25, 6.32- 6.40, 8. 19-
8.26 reporting, direct 5.21- 5.25, 6.36- 6.40, 8.22- 8.26 GAGAS (generally
accepted government auditing standards; see also individual standards)
1.01- 1.03, 3.02
applicability 1.04- 1.08 attestation engagement 1.09, 2.08, 6.01, 6.05,
6.25, 6.28, 6.29- 6. 31 compliance with, reporting auditors* 2.15, 5.05-
5.07, 6.29- 6.31, 8.30 financial audit 1.09, 2.06, 4.01, 4.05, 5.01, 5.04,
5.05- 5. 07 laws, regulations, and guidelines requiring 1.05- 1.06 and
nonaudit services 2.14- 2.16 performance audit 7.01, 8.01, 8.30
professional judgment 3.34 relationship to other standards 1.09- 1.10, ,
4.01, 5.01, 6.01 illegal acts (see fraud and illegal acts) independence
3.03- 3.32 external impairments 3.19- 3.20
nonaudit services, impairment from 3.07, 3.10- 3.17 organizational
impairments 3.21- 3.32 organizations, responsibilities of audit 3.07-
3.10, 3.12- 3.14, 3.16- 3.18, 3.20 reporting 3.22- 3.32 personal
impairments 3.07- 3.18, 3.19 professional judgment 3.33- 3.38 specialists,
using work of 3.06 internal auditing 3.27- 3.29, 3.31, 5.37, 6.53, 7.16,
8.57 internal control 2.11
attestation engagement 6.13- 6.14, 6.32- 6.35 and compliance 4.10- 4.13,
5.08- 5.11, 6.32 components of 4.03 (fn)
deficiencies 5.12- 5.16, 6.32- 6.35, 7.65, 8.16, 8.17- 8. 18 financial
audit 4.03- 4.04, 4.10- 4.13, 5.08- 5.11, 5.12- 5.16 management*s role
1.18 performance audit 7.10c, 7.11- 7.16, 7.49, 7.65, 8.16, 8.17- 8. 18
safeguarding resources 7. 13 tests of 4.12- 4.13, 5.08- 5.09, 7.60
understanding 7.14
internal quality control system (see also quality control and assurance)
3.07- 3.08, 3.17e, 3.20, 3.49- 3.52 issuance and distribution, report (see
distribution, report issuance and, under attestation engagements,
financial audits, performance audits) laws, regulations, and provisions of
contracts or grant
agreements (see also fraud and illegal acts; violations of provisions of
contracts or grant agreements) 7.10a, 7.12c, 7.17- 7.20, 8.23, 8.26 legal
counsel 7.19 letters to officials comment 3.54d- 3.56
on deficiencies not significant 8.17, 8.21 engagement 3.17e, 4.07- 4. 09,
6.07- 6.09, 7.40 management 3.54d, 5.16, 5. 20, 6.35 limited official use
(see distribution, limited, under
attestation engagements, financial audits, performance audits) management
controls (see internal control) management*s role (see also audited
entity, requirements
and responsibilities of; officials, responsibilities of) 1.17, 1.18, 1.28,
3.17b, 4.16 material misstatements, detecting 4.17- 4.18 material weakness
5.14 methodology and procedures (see also procedures, audit) 7.03, 7.06,
7.14, 7.17- 7.27, 7.32, 8.08, 8.11 nonaudit services 1.08, 2.14- 2.16,
3.08a, 3.10- 3.18 objectives 2.02- 2.04, 2.09- 2.13
compliance 2.12, 7.12c economy and efficiency 2.10, 7.12a effectiveness
and results 2.10, 7.12a internal control 2.11, 7.12- 7.16 performance
audit 2.09- 2.13, 7.03- 7.04, 7.12- 7.16, 7.18a, 8.08-
8.09 prospective 2.13 types of 2.10- 2.13 objectivity (see auditors*
responsibilities; audit organizations* responsibilities; independence)
officials, reporting views of responsible (see views of responsible
officials, reporting) officials, responsibilities of (see also audited
entity,
requirements and responsibilities of; management*s role) 6.12, 6.30, 8.24
peer review (see also under documentation) 1.27, 3.17g, 3. 26, 3.32, 3.49,
3.52- 3.56 performance audits 1.14- 1.15, 2.09- 2.13, 7.01- 7.71, 8.01-
8.57
abuse 7.25- 7.26, 8.19- 8.26
accomplishments, reporting 8.48 communication, auditor 7.39- 7.40, 8.17,
8.21, 8.40 compliance 2.12, 7.07d, 7. 12c, 7.19- 7.20, 7.49
compliance with GAGAS, auditors* 8.30 conclusions 8.20, 8.27, 8.47, 8.49
corrective actions 7.29- 7.30, 7.64, 8.05, 8.15, 8.31- 8.34, 8. 40,
8.49, definition of 2.09 distribution, limited 8.36, 8.55 distribution,
report issuance and 8.36, 8.54- 8.57 documentation access to 7.69- 7.71
audit 7.22, 7.60, 7.66- 7.71 audit plan 7.41- 7.43 of audit reviews 7.47
of communication 7.40, 8.17, 8.21 of evidence 7.54, 7.60 of planning 7.07
of risk assessment 7.17, 7.22 safeguarding 7.69, 7.71 field work 7.01-
7.71 findings 7.28, 7.62- 7.65, 8.13- 8.16, 8.20 fraud and illegal acts
7.17, 7.21- 7.24, 7.26- 7.27, 8.16, 8.19- 8. 26,
8.28 internal control 2.11, 7.10c, 7. 11- 7.16, 7.49, 7.65, 8.16, 8.17-
8.18 methodology and procedures 7.03, 7.06, 7.14c, 7.17- 27, 7.32, 8.08,
8.11 objectives 2.10- 2.13, 7.03- 7.04, 7.12- 7.16, 7.18a, 8.08-
8.09 planning 7.02- 7.43 plan, preparing an audit 7.03, 7.14, 7.28, 7.41-
7.43 previous engagements, considering results of 7.29- 7.30
privileged and confidential information 8.35- 8.37 program significance
7.08- 7.09 program, understanding 7.10, 7.12 recommendations 8.28- 8.29
referencing 8.45 report contents 8.07- 8.37, 8.46
elements 8.38- 8.53 form 8.02- 8.06 reporting 8.01- 8.57
accurate 8.43- 8.45 clear 8.50- 8.52 complete 8.41- 8.42 concise 8.53
convincing 8.49 objective 8.46- 8.48 timely 8.39- 8.40 tone 8.46- 8.47
reporting, direct 8.22- 8.26 reporting, interim 8.40 scope 7.03, 7.05,
7.14, 7.36, 8.08, 8.10, 8.12, 8.17,
8.30, 8.45
significance 7.08 staffing 7.35- 7.38 supervision 7.44- 7.47 termination
of audit 7.40, 8.06 users (of the audit report) 7.07a, 7.08- 7. 09, 8.03,
8.08- 8.09, 8.11- 8.12,
8.15, 8.27, 8.32, 8.39, 8.41, 8.43, 8.49, 8.51, 8.53 views of responsible
officials 8.31- 8.34 violations of provisions of contracts or grant
agreements 7.17- 7.20, 7.26- 7.27, 8.16, 8.19- 8.21, 8. 22-
8.26 work of others, considering 7.32- 7.34, 7.70 planning 6.13- 6.14,
6.15- 6.16, 7.02- 7.43 previous engagements, considering results of (see
also work of others, considering) 4.04, 4.14- 4.16, 6.10- 6.12, 7.29- 7.30
privileged and confidential information (see under attestation
engagements; financial audits; performance audits) procedures, audit (see
also methodology and procedures) 4.17- 4.20, 4.23, 4.26 procurement for
audits 1.18f` professional judgment 1.25, 3.33- 3.38, 4.04 program (see
also performance audits) aspects 7.10, 7.12a
significance 7.08- 7.09 program audits (see performance audits) quality
control and assurance (see also internal quality
control system; see also under documentation) 3.49- 3.56 recommendations
6.34, 8.28- 8.29 referencing (see under performance audits) reportable
conditions (see under financial audits) reporting (see also under
attestation engagements;
financial audits; performance audits) 1.26, 3.22- 3.26, 3.27- 3.32, 5.01-
5.38, 6. 27- 6.54, 8.01- 8.57
risk assessment 4.15, 4.18, 6.16- 6.17, 7.20- 7.22, 7.24 roles and
responsibilities (see also audited entity, requirements and
responsibilities of; audit organizations* responsibilities; auditors*
responsibilities; management*s role; officials, responsibilities of) 1.17-
1.28 safeguarding resources (see under performance audits) scope 3.05,
5.06, 5.08- 5.09, 6.30, 7.03, 7.05, 7.14,
7.36, 8.08, 8.10, 8.12, 8.17, 8.30, 8.45 significance 7.08 significance,
program (see under program) specialists, use of (see also under
documentation) 3.06, 3.49, 7.37 standards, general (see also AICPA, GAGAS)
3.01- 3.56 supervision 7.44- 7.47 third- party engagements 3.22- 3.36,
4.09, 6.09 users (of the audit report) (see also under financial audits,
performance audits) 1.01, 1.22, 1.25- 1.26, 2.04, 3.01 views of
responsible officials 5.26- 5.30,6.41- 6. 45, 8.31- 8.34 violations of
legal and regulatory requirements 7.17- 7.27
violations of provisions of contracts or grant agreements attestation
engagement 6.15- 6.18, 6.20, 6.32- 6.35, 6.36- 6.40 financial audit 4.17-
4.18, 4.20, 5.12, 5.17- 5.25 performance audit 7.17- 7.27, 8.16, 8.19-
8.21, 8.22- 8.26 pursuing indications of 4.20, 6.20, 7.26 reporting 5.12,
5.17- 5.25, 6.32- 6.40, 8.19- 8.26 reporting, direct 5.21- 5.25, 6.36-
6.40, 8.22- 8.26 working papers, requirements (see documentation) work of
others, considering (see also previous
engagements, considering the results of) 6.25, 7.32- 7.34, 7.70
*** End of document. ***