Government Auditing Standards: 2006 Revision (Exposure Draft)	 
(01-JUN-06, GAO-06-729G).					 
                                                                 
This is the Exposure Draft of the Government Auditing Standards  
2006 revision. This document outlines standards that contain	 
requirements for auditor reporting on internal control. The	 
revision supersedes the 2003 revision.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-729G					        
    ACCNO:   A55400						        
  TITLE:     Government Auditing Standards: 2006 Revision (Exposure   
Draft)								 
     DATE:   06/01/2006 
  SUBJECT:   Auditing procedures				 
	     Auditing standards 				 
	     Cost accounting					 
	     Federal advisory bodies				 
	     Federal agencies					 
	     Internal auditors					 
	     Internal audits					 
	     Standards evaluation				 
	     Yellow Book					 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-729G

                 United States Government Accountability Office

                By the Comptroller General of the United States

GAO

June 2006

Government Auditing Standards

2006 Revision Exposure Draft


United States Government Accountability Office Washington, DC 20548

June 2006

TO AUDIT OFFICIALS AND OTHERS INTERESTED IN GOVERNMENT AUDITING STANDARDS

GAO invites your comments on the accompanying proposed changes to
Government Auditing Standards (GAGAS), commonly known as the "Yellow Book."
These changes propose revisions throughout the entire set of standards.
This letter describes the process used by GAO for revising GAGAS,
summarizes the proposed major changes, discusses proposed effective dates,
and provides instructions for submitting comments on the proposed
standards.

Process for Revising GAGAS

To help ensure that the standards continue to meet the needs of the audit
community and the public it serves, the Comptroller General of the United
States appointed the Advisory Council on Government Auditing Standards to
review the standards and recommend necessary changes. The Advisory Council
includes experts in financial and performance auditing drawn from all
levels of government, private enterprise, public accounting, and academia.
This exposure draft of the standards includes the Advisory Council's
suggestions for proposed changes. We are currently requesting public
comments on the proposed revisions in the exposure draft.

Summary of Major Changes

The proposed 2006 revision to GAGAS will be the fifth revision since the
standards were first issued in 1972. The 2006 Yellow Book exposure draft
seeks to emphasize the critical role of high quality government audits in
achieving credibility and accountability in government. The overall focus
of the proposed 2006 revised standards includes an increased emphasis on
audit quality and ethics and an extensive update of the performance audit
standards to include a specified level of assurance within the context of
risk and materiality. In addition, this proposed revision modernizes
GAGAS, with updates to reflect major developments in the accountability
and audit environment. Finally, clarifications have been made throughout
the standards.

The standards are organized by separate chapters as follows:

Chapter 1 - Use and Application of GAGAS

Chapter 2 - Auditor's Ethical Responsibilities

Chapter 3 - General Standards

Chapter 4 - Field Work Standards for Financial Audits

            GAO-06-729G Government Auditing Standards Exposure Draft

Chapter 5 - Reporting Standards for Financial Audits

Chapter 6 - General, Field Work, and Reporting Standards for Attestation
Engagements

Chapter 7 - Field Work Standards for Performance Audits

Chapter 8 - Reporting Standards for Performance Audits

Appendix - Explanatory materials that do not represent GAGAS requirements.

Effective Dates

When issued in final, the 2006 revision will supersede the 2003 revision
of the standards. We anticipate that, when finalized, standards will
become effective for audits beginning on or after July 1, 2007. For
financial audits, certain standards issued by the Auditing Standards Board
(ASB) of the American Institute of Certified Public Accountants have
earlier effective dates. For financial audits performed under GAGAS, the
effective dates of the new ASB standards will apply.

Instructions for Commenting

The draft of the proposed changes to Government Auditing Standards, 2006
Revision, is only available in electronic format and can be downloaded from
GAO's Yellow Book Web Page at http://www.gao.gov/govaud/ybk01.htm.

We are requesting comments on this draft from audit officials and
financial management at all levels of government, the public accounting
profession, academia, professional organizations, public interest groups,
and other interested parties. To assist you in developing your comments,
specific issues are presented in an enclosure to this letter, along with a
detailed list of proposed changes. We encourage you to comment on these
issues and any additional issues that you note. Please associate your
comments with specific references to issue numbers and/or paragraph
numbers in the proposed standards and provide your rationale for any
proposed changes, along with suggested revised language. Please send your
comments electronically to [email protected] no later than August 15,
2006.

If you need additional information, please call Michael Hrapsky, Senior
Project Manager, Financial Management and Assurance at (202) 512-9535, or
Jeanette Franzel, Director, at (202) 512-9471.

Sincerely yours,

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance

Enclosures


                                  Enclosure 1

                            Questions for Commenters

The following discussion and questions are provided to guide users in
commenting on the proposed 2006 revision of Government Auditing Standards.
We encourage you to comment on these issues and any additional issues that
you note. Please associate your comments with specific references to issue
numbers and/or paragraph numbers in the proposed standards.

  Chapter 1 - Use and Application of GAGAS

1. The section entitled, "Use of Terminology to Define Professional
Requirements in GAGAS" was added to clarify the auditor's responsibilities
and to achieve consistency with other standard setting bodies. This new
section is consistent with the AICPA Statement on Auditing Standards (SAS)
No. 102, Defining Professional Requirements in Statements on Auditing
Standards issued by the Auditing Standards Board (ASB) of the American
Institute of CPAs (AICPA) and with the approach taken by the Public
Company Accounting Oversight Board (PCAOB). GAGAS requirements have also
been rewritten in accordance with the terminology set forth in this
section. This approach is intended to clarify auditors' responsibilities
and assist auditors in applying the standards.

Please comment on the application and use of this terminology throughout
the proposed revision to GAGAS.

2. The section entitled "Citing Compliance with GAGAS in the Auditor's
Report" was added to clarify auditor responsibilities and to provide
guidance to auditors in situations where they are unable to follow or
choose not to follow certain standards. Complementary guidance is also
provided in chapters 5 and 8.

Please comment on the application and use of this guidance for citing
compliance with GAGAS in auditors' reports.

  Chapter 2 - Auditor's Ethical Responsibilities

3. Chapter 2 is devoted solely to emphasizing the ethical responsibilities
of government auditors. In the 2003 revision, GAGAS made reference to
ethical responsibilities throughout Chapter 1. This 2006 revision adds
clarity and emphasis to the discussion of ethical responsibilities of
government auditors to uphold and protect the public trust. This chapter
employs a principles-based framework of concepts that government auditors
use to guide all of their work.

Please comment on the framework discussed in this chapter.


  Chapter 3 - General Standards

impact on auditor independence has been significantly streamlined and
reorganized from the 2003 revision of the standards to provide clarity.
The discussion is in paragraphs 3.30 through 3.35. Additional information
on nonaudit services that are generally unique to government audit
organizations is presented in the appendix, paragraphs A3.02 through
A3.03.
    
        related elements.
rance system.

The transparency requirement is intended to increase accountability and
emphasize the importance of quality for audit organizations that perform
audits under GAGAS. The revisions to peer review time frames are risk
based and emphasize quality and a rigorous annual inspection program. (The
previous standard set the same requirement for all audit organizations,
regardless of peer review results or the underlying quality assurance
system.)

Please comment on the transparency requirements and the risk-based
approach to peer review time frames.

Chapters 4 and 5 - Financial Audits

7. The audit documentation standard has been updated and expanded based on
the ASB's revised standard, SAS No. 103, Audit Documentation. Paragraphs
4.22 through 4.39 are consistent with the AICPA standard. Paragraphs 4.40
and 4.41 are additional GAGAS standards to deal with unique issues
associated with auditing in the government environment. The use of these
standards is consistent for attest engagements (chapter 6) and performance
audits (chapter 7). The overall goal of these revisions was consistency
with the ASB standard and among the different types of GAGAS audits.

Please comment on the adoption of this standard.


8. The financial audit reporting standards have been updated to conform
with the ASB's and PCAOB's definitions of material weakness and
significant deficiency in internal controls. The definitions and related
guidance are provided in paragraphs 5.13 and 5.14. The overall goal of
adopting these revised definitions is to achieve consistency with the
other standards setters. These definitions may be further clarified in the
future by the other standards-setters, and we will continue to work
closely with them. The application of these new definitions could affect
the number and type of internal control weaknesses reported in GAGAS
audits.

Please comment on additional clarity or guidance that would assist in
implementing these new definitions.

Chapters 7 and 8 - Performance Audits

9. The standards for performance audits have been significantly revised to
include a specified level of assurance within the context of audit risk
and significance (materiality).

The level of assurance for performance audits is defined in paragraph 1.35
and incorporated throughout the performance audit standards in chapters 7
and 8. The level of assurance for performance audits is achieved within
the context of significance (materiality) and audit risk. The description
of significance and audit risk is included in paragraphs 7.04 through
7.06, and the standards in chapters 7 and 8 have been written within this
context.

Please comment on the discussion of levels of assurance, significance,
audit risk, and their application throughout the performance audit
standards.

10. Significant discussion has been added to chapters 7 and 8 about the
level of evidence needed to achieve the audit objectives in a performance
audit. This discussion uses the terminology "sufficient, appropriate
evidence" for consistency with other auditing standards setters. The
intent of the discussion of sufficient, appropriate evidence is to provide
clarity and guidance for making professional judgments about the levels of
evidence needed to achieve the audit objectives.

Please comment on the clarity of the standards and the discussion of
sufficient appropriate evidence.


  Overall

    17 through
        6.22), and performance audits (7.34) has been clarified, but no
        change was made to the auditor's responsibility for abuse. The
        changes were in response to questions received about implementing the
        standard on abuse.
     your comments any specific examples of abuse you have
        identified, along with supporting audit reports.
any Accounting Oversight Board (PCAOB), International
       Auditing and Assurance Standards Board (IAASB), and the American
       Institute of Certified Public Accountants (AICPA) have adopted similar
       standards to clarify auditors' responsibilities. GAGAS terminology is
       consistent with the AICPA's Statement on Auditing Standards No. 102,
       Defining Professional Requirements in Statements on Auditing
       Standards.
     o All chapters were significantly revised to clarify auditors'
       responsibilities and to avoid the confusion that existed in previous
       versions of GAGAS through the use of the passive voice and other
       references that were unclear as to the requirement placed on the
       auditors.

Citing Compliance with GAGAS in the Auditors' Report provides guidance on
citing GAGAS in the auditors' report when auditors do not comply with all
unconditional or all presumptively mandatory requirements. (1.13 - 1.15)

Relationship Between GAGAS and Other Professional Standards has been
updated to recognize that other sets of professional standards, such as
those issued by the PCAOB and the IAASB, the Institute of Internal
Auditors, and others can be used in conjunction with GAGAS and provides
related guidance. (1.16 - 1.20)

Types of Government Audits and Attestation Engagements has been modified
to re-write the description of a performance audit to clarify the level of
assurance and evidence needed. The concept of equity as a potential
performance audit objective was incorporated, and examples of the types of
performance audits were updated. (1.21 - 1.42)

  Chapter 2 - Auditors' Ethical Responsibilities

Chapter 2 has been completely revised to focus solely on audit
organizations' overall ethics responsibilities and auditors' need to
observe overarching ethical concepts in performing their work. (2.01 -
2.16) Other materials that had previously been in Chapter 2 have been
included in Chapter 1 of the draft.

o  Several of the ethical concepts in this chapter were included in the
2003 GAGAS revision in Chapter 1 under "Auditors' Responsibilities," but
they were not separately labeled as ethical responsibilities.


Enclosure 2

o  The revised Chapter 2 describes the following ethical concepts that
auditors use to guide their work:

 standard on
nonaudit services was not changed. Specifically, the discussion of
nonaudit services was moved from "personal" to "organizational"
impairments because it is often the audit organization's independence that
is impaired rather than that of the individual auditor, reorganized the
guidance into three categories of nonaudit services, and consolidated and
streamlined examples that had previously been interspersed throughout the
independence section. (3.02 - 3.35)

The three distinct categories of nonaudit services are:

1. Nonaudit services that do not impair auditor independence and,
therefore, do not require compliance with the supplemental safeguards.
(3.30a and 3.31 - 3.32)
           nce was expanded to describe five elements that
should be present in an audit organization's system of quality control:
(1) ethics, (2) initiation and continuance of engagements, (3) human
capital, (4) performance and reporting, and (5) monitoring quality. (3.61)


External Peer Review has been changed to include a transparency
requirement that audit organizations that report externally to third
parties make peer review results publicly available (3.68). The section
also establishes new peer review time frames based on risk and the
underlying quality assurance system (3.69). Audit organizations are
required to have a peer review

     o within 18 months, if the most recent peer review opinion is adverse or
       modified, and every 18 months thereafter until the audit organization
       receives an unmodified opinion
     o every 3 years if the audit organization has an unmodified peer review
       opinion and does not meet the enhanced quality assurance criteria for
       a 5-year cycle or does not choose a 5-year period
     o every 5 years if the audit organization has an unmodified peer review
       opinion and elects to meet the enhanced quality assurance criteria in
       3.70.
          * developed required enhanced quality assurance criteria for audit
            organizations electing a 5-year peer review cycle, including
             en assertion that is
                 consistent with the results of the audit organization's
                 monitoring and inspection processes about the effectiveness
                 of its quality assurance program [3.70b(3)].

  Chapter 4 - Field Work Standards for Financial Audits

The following changes have been made to update and clarify the standards
for field work:

     o update of the AICPA field work standards cited to reflect recent
       AICPA changes (4.04),
     o addition of a clear and prominent discussion on consideration of fraud
       and illegal acts which clarifies the existing standard (4.07 - 4.08),
     o clarifications to the description of abuse and the existing standard
       on the auditors' responsibility for abuse in a financial audit that is
       material, either qualitatively or quantitatively (4.18 - 4.19), and
     o update of the audit documentation standard for consistency with
       AICPA's new standard (4.22 - 4.41).


  Chapter 5 - Reporting Standards for Financial Audits

The following changes have been made to update and clarify the reporting
standards:

     o update of definitions and terminology for internal control
       deficiencies to achieve consistency with PCAOB and AICPA terminology
       (5.12 - 5.15),
     o clarification of reporting requirements for internal control
       deficiencies, illegal acts, violations of provisions of contracts or
       grant agreements, or abuse (5.12 - 5.27),
     o addition of a section on emphasizing significant matters in the
       auditors' report (5.28 - 5.31),
     o addition of a section on reporting on restatement of previously-issued
       financial statements (5.32 - 5.38), and
     o clarification of the auditors' responsibilities for reporting views of
       responsible officials (5.39 - 5.44) and for issuing and distributing
       reports (5.48 - 5.51).

  Chapter 6 - General, Field Work, and Reporting Standards for Attestation
  Engagements

Conforming changes were made to chapter 6 for consistency with changes in
chapters 4 and 5.

  Chapter 7 - Field Work Standards for Performance Audits

The field work standards for performance audits have been significantly
revised within a framework related to significance (materiality), audit
risk, and reasonable assurance. The following changes were made:

     o addition of a section on the concept of significance in a performance
       audit (7.04 - 7.05),

     o addition of a section discussing audit risk (7.06),
     o definition of the level of assurance associated with a performance
       audit as providing reasonable assurance that auditors have adequate
       support to achieve the audit objectives and reach conclusions (7.13),
     o clarification throughout chapter 7 of the levels of evidence needed to
       achieve audit objectives, recognizing that objectives vary and,
       therefore, so will the nature of evidence needed,
     o incorporation of the concept of risk into the auditors' planning and
       evaluation process,
     o inclusion of a section on information systems controls for the purpose
       of assessing audit risk and planning the audit (7.25 - 7.27),
     o emphasis of auditors' professional judgment and the focus of audit
       work in relation to the audit objectives,
     o clarification of the auditors' responsibility for responding to
       indications of potential fraud (7.31 - 7.33),
     o clarification of the auditors' responsibility for abuse (7.34),


     o incorporation throughout the standard of the concept of "sufficient,
       appropriate evidence" to replace "sufficient, competent, and relevant
       evidence." This terminology is consistent with other standards
       setters. (7.53 - 7.69)
            ity in providing
                support for audit objectives.
            2)
            7.92)

Chapter 8 - Reporting Standards for Performance Audits

The reporting standards were streamlined and conforming changes were made
to reflect changes in Chapter 7. The auditors' responsibilities for
reporting the views of responsible officials (8.35 - 8.40) and report
issuance and distribution (8.44 - 8.47) were clarified.

  Appendix

An appendix has been added to provide supplemental guidance to assist
auditors in the implementation of GAGAS. This guidance does not establish
additional GAGAS requirements.


                                    CONTENTS

LETTER...................................................................................................
i
QUESTIONS FOR
COMMENTERS.............................................................
iii
SUMMARY OF MAJOR
CHANGES............................................................. vii
CHAPTER
1................................................................................................................1
USE AND APPLICATION OF GAGAS
......................................................................1
Introduction
..............................................................................................................1
Purpose and Applicability of
GAGAS.......................................................................1
Use of Terminology to Define Professional Requirements in GAGAS
...................3
Citing Compliance with GAGAS in the Auditors' Report
.......................................5
Relationship Between GAGAS and Other Professional Standards
........................6
Types of Government Audits and Attestation
Engagements..................................8
Financial Audits
........................................................................................................................
9
Attestation
Engagements.......................................................................................................
10
Performance
Audits................................................................................................................
12
Nonaudit Services Provided by Audit
Organizations......................................................... 18
CHAPTER
2..............................................................................................................19
AUDITORS' ETHICAL
RESPONSIBILITIES..........................................................19
Introduction
............................................................................................................19
Overarching Ethical Concepts
................................................................................20
The Public Interest
.................................................................................................................
21
Professional Behavior
............................................................................................................
21
Integrity....................................................................................................................................
22
Objectivity
...............................................................................................................................
22
Proper Use of Government Information, Resources, and Position
................................. 23
GENERAL STANDARDS
.........................................................................................25
Introduction
............................................................................................................25

xii

Independence...........................................................................................................25
Personal Impairments
............................................................................................................27
External Impairments
............................................................................................................30
Organizational Independence
...............................................................................................
31
Organizational Independence When Reporting Externally to Third Parties:
....................... 32
Organizational Independence When Reporting Internally to Management (as an
internal audit function)
.......................................................................................................................
34
Organizational Independence When Performing Nonaudit Services
................................... 36
Professional
Judgment............................................................................................45
Competence
.............................................................................................................47
Technical Knowledge and Competence
..............................................................................
48
Additional Qualifications for Financial Audits and Attestation
Engagements............... 49
Continuing Professional Education
.....................................................................................
50
Quality Control and Assurance
..............................................................................52
System of Quality Control
.....................................................................................................
52
External Peer
Review.............................................................................................................
55
CHAPTER
4..............................................................................................................63
CHAPTER
4..............................................................................................................63
FIELD WORK STANDARDS FOR FINANCIAL AUDITS
.......................................63
Introduction
............................................................................................................63
AICPA Field Work Standards
.................................................................................63
Additional Considerations for Financial Audits in Government
...................................... 64
Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees
...................................................................................................................................
65
Additional GAGAS
Standards.................................................................................66
Auditor Communication
........................................................................................................
67
Previous Audits and Attestation
Engagements...................................................................69
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from
Abuse........................................................................................
70
Developing Elements of a Finding
.......................................................................................
71
Audit
Documentation.............................................................................................................72
CHAPTER
5..............................................................................................................78
REPORTING STANDARDS FOR FINANCIAL AUDITS
.........................................78
Introduction
............................................................................................................78

xiii

AICPA Reporting Standards
...................................................................................78
Additional GAGAS Reporting Standards for Financial
Audits.............................79
Reporting Auditors' Compliance with GAGAS
................................................................... 80
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant
Agreements....................................................................
81
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse
.................................................. 82
Reporting Deficiencies in Internal
Control...........................................................................
82
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or
Abuse...........................................................................................................
86
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or
Abuse.................................................................................................
88
Emphasizing Significant Matters in the Auditors' Report
................................................. 89
Reporting on Restatement of Previously-Issued Financial Statements
.......................... 91
Reporting Views of Responsible Officials
...........................................................................
95
Reporting Privileged and Confidential
Information........................................................... 97
Issuing and Distributing Reports
..........................................................................................
97
CHAPTER 6
GENERAL, FIELD WORK, AND REPORTING STANDARDS FOR ATTESTATION ENGAGEMENTS
Introduction
AICPA General and Field Work Standards for Attestation Engagements
Additional Considerations for Attestation Engagements in Government
Additional GAGAS Field Work Standards for Attestation Engagements
Auditor Communication
Previous Audits and Attestation Engagements
Internal Control
Detecting Potential Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter
Developing Elements of Findings for Attestation Engagements
Attest Documentation
AICPA Reporting Standards for Attestation Engagements
Additional GAGAS Reporting Standards for Attestation Engagements
Reporting Auditors' Compliance with GAGAS
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse
Reporting Deficiencies in Internal Control
Direct Reporting of Potential Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse
Reporting Views of Responsible Officials
Reporting Privileged and Confidential Information
Issuing and Distributing Reports

CHAPTER 7
FIELD WORK STANDARDS FOR PERFORMANCE AUDITS
Introduction
Significance in a Performance Audit
Audit Risk
Sufficient, Appropriate Evidence
Planning
Nature and Profile of the Program
Internal Control
Information Systems Controls
Legal and Regulatory Requirements, Contract Provisions, or Grant Agreements, Potential Fraud, or Abuse
Legal and Regulatory Requirements, Contracts, and Grants
Fraud
Abuse
Previous Audits and Attestation Engagements
Identifying Audit Criteria
Identifying Sources of Audit Evidence and the Amount and Type of Evidence Required
Considering Work of Others
Assigning Staff and Other Resources
Communicating with Management, Those Charged with Governance, and Others
Preparing the Audit Plan
Supervision
Obtaining Sufficient, Appropriate Evidence
Appropriateness
Sufficiency
Overall Assessment of Evidence
Audit Findings
Audit Documentation
CHAPTER 8
REPORTING STANDARDS FOR PERFORMANCE AUDITS
Introduction

Reporting
Report Contents
Objectives, Scope, and Methodology
Findings
Reporting Deficiencies in Internal Control
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse
Direct Reporting of Potential Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse
Conclusions
Recommendations
Statement on Compliance with GAGAS
Reporting Views of Responsible Officials
Reporting Privileged and Confidential Information
Report Issuance and Distribution
APPENDIX
Introduction
Overall Supplemental Guidance
Examples of Significant Deficiencies in Internal Control
Examples of Abuse
Examples of Indicators of Fraud Risk
Determining Whether Laws, Regulations, or Provisions of Contracts or Grant Agreements Are Significant to Audit Objectives
Information to Accompany Chapter 1
The Role of Those Charged with Governance in Accountability
Management's Role in Accountability
Laws, Regulations, and Guidelines that Require Use of GAGAS
Information to Accompany Chapters 3
Nonaudit Services
Information to Accompany Chapter 7
Types of Evidence
Appropriateness of Information in Relation to the Audit Objectives
MEMBERS OF THE COMPTROLLER GENERAL'S ADVISORY COUNCIL ON GOVERNMENT AUDITING STANDARDS

  Chapter 1 Use and Application of GAGAS

Introduction

s.
     Legislators, government officials, and the public need to know whether
       (1) government manages public resources and uses its authority
       properly and in compliance with laws and regulations, (2) government
       programs are achieving their objectives and desired outcomes, (3)
       government services are being provided efficiently, economically,
       effectively, ethically, and equitably, and (4) government managers
       are held fully accountable for their use of public resources.
       Government auditing provides independent assessments of that
       information for the benefit of those charged with oversight and for
       the public.

  Purpose and Applicability of GAGAS

1.03 The professional standards and guidance contained in this document,
often referred to as generally accepted government auditing standards
(GAGAS), are intended for use by auditors3 of government entities and
audit organizations4 to help ensure that they perform high quality work
with competence, integrity, objectivity, and independence in planning,
conducting, and reporting on government audits. Auditors and audit
organizations use GAGAS when required by law, regulation, contract, grant
agreement, or policy.

1 The term equity in this context refers to the approaches used by a
government organization to provide services to citizens in a fair manner
within the context of the statutory parameters of the specific government
programs.

2 For additional information on management's responsibility, see appendix
paragraphs A1.01-A1.05.

s should follow all applicable GAGAS
       standards, and refer to compliance with GAGAS as set forth in
       paragraphs 1.13 through 1.15.
ersight and
       accountability of government programs and operations by requiring
       auditors to objectively acquire and evaluate evidence and report the
       results. When auditors perform their work in this manner and comply
       with GAGAS in reporting the results, their work can lead to improved
       government management, decision making and oversight, effective and
       efficient operations, and accountability for resources and results.
       Government auditing is also a key element in fulfilling the
       government's duty to be accountable to the public.

3 The term "auditor" throughout this document includes individuals
performing work under GAGAS, and therefore, individuals who may have the
titles auditor, analyst, evaluator, inspector, or other similar titles.

4 The term "audit organizations" is used throughout the standards to refer
to government audit organizations as well as independent public accounting
firms that perform audits using GAGAS.

  Use of Terminology to Define Professional Requirements in GAGAS

cted to fulfill. Rather, the professional
       requirements are communicated by the language and the meaning of the
       words used in GAGAS.
itional requirements. The auditor is required to comply with
           an unconditional requirement in all cases in which the
           circumstances exist to which the unconditional requirement
           applies. GAGAS use the words must or is required to indicate an
           unconditional requirement.

b.
           Presumptively mandatory requirements. The auditor is also required
           to comply with a presumptively mandatory requirement in all cases
           in which the circumstances exist to which the presumptively
           mandatory requirement applies; however, in rare circumstances, the
           auditor may depart from a presumptively mandatory requirement
           provided the auditor documents his or her justification for the
           departure and how the alternative procedures performed in the
           circumstances were sufficient to achieve the objectives of the
           presumptively mandatory requirement. GAGAS use the word should to
           indicate a presumptively mandatory requirement.

The terminology used in GAGAS to designate professional requirements and
explanatory material is consistent with the AICPA's Statement on Auditing
Standard No. 102, Defining Professional Requirements in Statements on
Auditing Standards.

 guidance for their application.
. That is, it may explain the objective of the
       professional requirements (where not otherwise self-evident); explain
       why the auditor might consider or employ particular procedures,
       depending on the circumstances; or provide additional information for
       the auditor to consider in exercising professional judgment in
       performing the engagement.
r is not intended to
       impose a professional requirement on the auditor to perform the
       suggested procedures or actions. How and whether the auditor carries
       out such procedures or actions in the engagement depends on the
       exercise of professional judgment in the circumstances consistent with
       the objective of the standard. The words may, might, and could are
       used to describe these actions and procedures.

  Citing Compliance with GAGAS in the Auditors' Report

1.13 Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS engagements, as appropriate,
based on the provisions of paragraphs 1.14 through 1.15.

a.
           Unqualified GAGAS compliance statement. The auditors state that
           the engagement was performed in accordance with GAGAS.

b.
           Qualified GAGAS compliance statement. The auditors state that the
           engagement was performed in accordance with GAGAS, except for
           specific applicable standards that were not followed.

c.
           Negative GAGAS compliance statement. The auditors state that the
           engagement was not performed in accordance with GAGAS.

unconditional and/or
       presumptively mandatory requirements, they should assess the
       significance of not following the requirement to the scope of the
       audit and the auditors' overall compliance with GAGAS and document the
       assessment, along with the reasons for not following the standard.
       Based on this assessment, the auditors should determine whether and to
       what extent to disclose in the report the applicable standard(s) not
       followed, the reasons for not following the standard(s), and how not
       following the standards affected, or could have affected, the audit. In
       addition, auditors should consider modifying the GAGAS compliance
       statement as follows. These determinations are a matter of
       professional judgment:

a.
           When auditors do not comply with all unconditional requirements
           that are applicable based on the audit objectives, they should
           determine whether to include a qualified GAGAS compliance
           statement or a negative GAGAS compliance statement in the report.

b.
           When auditors do not comply with all presumptively mandatory
           requirements that are applicable based on the audit objectives,
           they should determine whether to include a qualified GAGAS
           compliance statement or an unqualified GAGAS compliance statement
           in the report. When auditors have justification for not following
           a presumptively mandatory requirement, an unqualified GAGAS
           statement may be appropriate.

c.
           When auditors did not comply with multiple presumptively mandatory
           requirements, they should determine whether they should include a
           negative GAGAS compliance statement in the report.

  Relationship Between GAGAS and Other Professional Standards

    the standards, and the auditors cannot satisfy both standards, the
       auditors should provide disclosure in the auditors' report about any
       standards not followed and the impact on the audit. (See paragraphs
       5.06, 6.47 and 8.34)
rds,
       as follows:

a. The American Institute of Certified Public Accountants (AICPA) has
established professional standards that apply to financial audits and
attestation engagements for nonissuers6 performed by certified public
accountants (CPA). For financial statement audits, GAGAS incorporate the
AICPA's field work and reporting standards and the related statements on
auditing standards (SAS) unless specifically excluded or modified by
GAGAS.7

b.
           The International Auditing and Assurance Standards Board (IAASB)
           has established professional standards that apply to financial
           audits and attestation engagements that are conducted
           internationally. Auditors may use GAGAS in conjunction with the
           IAASB standards and the related statements on International
           Statements on Auditing (ISA).

c.
           The Public Company Accounting Oversight Board (PCAOB) has
           established professional standards that apply to financial audits
           and attestation engagements for issuers. Auditors may use GAGAS in
           conjunction with the PCAOB standards.

     in conjunction with GAGAS, such as the following:

a. International Standards for the Professional Practice of Internal
Auditing, The Institute of Internal Auditors, Inc.;

b.
           Guiding Principles for Evaluators, American Evaluation
           Association;

c.
           The Program Evaluation Standards, Joint Committee on Standards for
           Education Evaluation; and

d.
           Standards for Educational and Psychological Testing, American
           Psychological Association.

6 Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), issuers
(generally, publicly traded companies with securities registered under the
Securities and Exchange Act of 1934) and their public accounting firms are
subject to rules and standards of the Public Company Accounting Oversight
Board. Nonissuer refers to any entity other than an issuer under Federal
securities laws, such as privately held companies, not-for-profit
entities, and government entities.

7 Because GAGAS incorporate the field work and reporting standards of the
AICPA for financial audits performed in which U.S. auditing standards are
to be followed, auditors are not required to cite compliance with the
AICPA standards when citing compliance with GAGAS, although both sets of
standards may be cited.

  Types of Government Audits and Attestation Engagements

 is
       not intended to limit or require the types of audits or attestation
       engagements that may be performed under GAGAS.
engagements, the standards applicable to the specific audit
       objective will be apparent. For example, if the audit objective is to
       express an opinion on financial statements, the standards for
       financial audits apply. However, some engagements may have multiple or
       overlapping objectives. For example, if the objectives are to
       determine the reliability of performance measures, this work can be
       done in accordance with either the standards for attestation
       engagements or for performance audits. In cases where there is a
       choice between applicable standards, auditors should evaluate users'
       needs and the auditors' knowledge, skills, and experience in deciding
       which standards to follow.

Financial Audits

financial audits performed in accordance with GAGAS also includes
       reports on internal control, compliance with laws and regulations, and
       provisions of contracts and grant agreements as they relate to
       financial transactions, systems, and processes.
y accepted accounting principles (GAAP),8 or with a
       comprehensive basis of accounting other than GAAP. Other types of
       financial audits, which provide for different levels of assurance and
       entail various scopes of work, may include:

a.
           providing special reports, such as for specified elements,
           accounts, or items of a financial statement;9

b.
           reviewing interim financial information;

c.
           issuing letters for underwriters and certain other requesting
           parties;

d.
           reporting on the processing of transactions by service
           organizations; and

e.
           auditing compliance with regulations relating to federal award
           expenditures and other governmental financial assistance in
           conjunction with or as a by-product of a financial statement
           audit.

8 The three U.S.-based authoritative bodies for establishing accounting
principles and financial reporting standards are the Federal Accounting
Standards Advisory Board (federal government), the Governmental Accounting
Standards Board (state and local governments), and the Financial
Accounting Standards Board (nongovernmental entities).

9 Special reports apply to auditors' reports issued in connection with the
following: (1) financial statements that are prepared in conformity with a
comprehensive basis of accounting other than generally accepted accounting
principles; (2) specified elements, accounts, or items of a financial
statement; (3) compliance with aspects of contractual agreements or
regulatory requirements related to audited financial statements;
(4) financial presentations to comply with contractual agreements or
regulatory requirements; or (5) financial information presented in
prescribed forms or schedules that require a prescribed form of
auditors' report. (See AICPA Professional Standards, AU 623.)

corporate the AICPA's field
       work and reporting standards and the related statements on auditing
       standards unless specifically excluded or modified by GAGAS. GAGAS
       establish ethical responsibilities, independence standards, general
       standards, and additional field work and reporting standards beyond
       those provided by the AICPA when performing financial audits. (See
       chapters 2, 3, 4, and 5 for standards and guidance for auditors
       performing a financial audit in accordance with GAGAS.)
 provide
       different levels of assurance about the subject matter or assertion
       depending on the users' needs.
e engagement. The three levels of attestation engagements
       include the following:

For consistency within GAGAS, the word "auditor" is used to describe
individuals conducting and reporting on attestation engagements.

a.
           Examination: Auditors perform sufficient testing to express an
           opinion on whether the subject matter is based on (or in
           conformity with) the criteria in all material respects or the
           assertion is presented (or fairly stated), in all material
           respects, based on the criteria.

b.
           Review: Auditors perform sufficient testing to express a
           conclusion about whether any information came to the auditors'
           attention on the basis of the work performed that indicates the
           subject matter is not based on (or in conformity with) the
           criteria or the assertion is not presented (or fairly stated) in
           all material respects based on the criteria.11

c.
           Agreed-Upon Procedures: Auditors perform testing to issue a report
           of findings based on specific procedures performed on subject
           matter.

1.30 The subject matter of an attestation engagement may take many forms,
including historical or prospective performance or condition, physical
characteristics, analyses, internal controls, systems and processes, or
compliance with laws, regulations, contracts, or other requirements.
Possible subjects of attestation engagements could include reporting on:

a.
           prospective financial or performance information;

b.
           quantity, condition, and/or valuation of inventory or assets;

c.
           management's discussion and analysis (MD&A) presentation;

d.
           an entity's internal control over financial reporting;

As stated in the AICPA SSAEs, auditors should not perform review-level
work for reporting on internal control or compliance with laws and
regulations.

e.
           the effectiveness of an entity's internal control over compliance
           with specified requirements, such as those governing the bidding
           for, accounting for, and reporting on grants and contracts;

f.
           an entity's compliance with requirements of specified laws,
           regulations, rules, contracts, or grants; and

g.
           specific procedures performed on a subject matter (agreed-upon
           procedures).

ard on criteria, and the field work and reporting standards and
       the related Statements on Standards for Attestation Engagements
       (SSAE), unless specifically excluded or modified by GAGAS. GAGAS
       establish ethical responsibilities, independence standards, general
       standards and additional field work and reporting standards beyond
       those provided by the AICPA for attestation engagements. (See chapters
       2, 3, and 6 for standards and guidance for auditors performing an
       attestation engagement in accordance with GAGAS.)
ific requirements or measures, or good business practices.12
Performance audits provide objective analysis so that management and those
charged with governance and oversight may improve program13 performance,
operations, reduce costs, facilitate decision making by parties with
responsibility to oversee or initiate corrective action, and contribute to
public accountability. Performance audits can also provide descriptive
information in response to audit objectives to describe a process or a
condition. The term performance audit includes audits classified by some
audit organizations as program or performance evaluations, program
effectiveness and results audits, economy and efficiency audits,
operational audits, management audits, compliance audits, and
value-for-money audits.

12 Data gathering without auditor evaluation or verification of the data is
not a performance audit, but a nonaudit service.

ety of objectives, including assessing program
       economy, efficiency, effectiveness, results, or equity; internal
       control;14 compliance with legal, policy, procedural, or other
       requirements; and providing assurance about prospective analyses,
       guidance, or summary information. These overall objectives are not
       mutually exclusive. Thus, a performance audit may have more than one
       overall objective. For example, often a performance audit with an
       initial objective of program effectiveness may also involve an
       underlying objective of evaluating internal controls to determine the
       reasons for a program's lack of effectiveness or how effectiveness can
       be improved.
ce about the
       descriptive information. The levels of evidence and tests of evidence
       will vary based on the audit objectives and conclusions. Objectives
       for performance audits range from narrow to broad and may involve
       specific evidence or extensive evidence. In some engagements,
       sufficient, appropriate evidence is easily obtained, and in others,
       information may have limitations. Auditors use professional judgment
       in determining the audit scope and methodology needed to address the
       audit's objectives, while providing the appropriate level of assurance
       that the evidence obtained is sufficient and appropriate to meet the
       audit's objectives.

13 The term "program" is used in this document to include government
entities, organizations, programs, activities, and functions.

14 The term "internal control" in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity's operations (programmatic, financial, and compliance).

     audit facilitates the auditors' determination of what to report and
       the proper context for the audit conclusions, including discussion
       about the nature, type, and quality of evidence being used as a basis
       for the audit conclusions. Performance audit conclusions logically
       flow from all of these elements, and include the proper context based
       on the underlying evidence.
cus on economy and efficiency address the costs and resources used
       to achieve program results. Examples of audit objectives in these
       categories include:

a.
           assessing the extent to which legislative, regulatory, or
           organizational goals and objectives are being achieved;

b.
           assessing the relative ability of alternative approaches to yield
           better program performance or eliminate factors that inhibit
           program effectiveness;

c.
           analyzing the relative cost effectiveness of a program or
           activity;15

d.
           determining whether a program produced intended results or
           produced results that were not consistent with the program's
           objectives;

e.
           determining whether a program provides equitable access to or
           distribution of public resources within the context of statutory
           parameters;

f.
           assessing the extent to which programs duplicate, overlap, or
           conflict with other related programs;

g.
           evaluating whether the audited entity is following sound and
           equitable procurement practices;

h.
           assessing the reliability, validity, or relevance of performance
           measures concerning program effectiveness and results, or economy
           and efficiency;

i.
           assessing the reliability, validity, or relevance of financial
           information related to the performance of a program;

j.
           determining whether government resources (inputs) are obtained at
           reasonable costs while meeting timeliness and quality
           considerations;

k.
           determining whether appropriate value was obtained based on the
           cost or amount paid;

l.
           determining whether government services and benefits are
           accessible to those citizens who have a right to access those
           services and benefits;

m.
           determining whether and how the government program's unit costs
           can be decreased or its productivity increased; and

n.
           analyzing budget proposals or budget requests to assist
           legislatures in the budget process.

15 These objectives focus on combining cost information with information
about outputs or the benefit provided and outcomes or the results
achieved.

1.39 Internal control audit objectives relate to an assessment of the
component of an organization's system of internal control that is designed
to provide reasonable assurance of achieving effective and efficient
operations, reliable financial and performance reporting, and compliance
with applicable laws and regulations. Internal control objectives are also
relevant when determining the cause of unsatisfactory program performance.
Internal control comprises the plans, methods, and procedures used to meet
the organization's mission, goals, and objectives. Internal control
includes the processes and procedures for planning, organizing, directing,
and controlling program operations, and management's system for measuring,
reporting, and monitoring program performance. Examples of audit
objectives related to internal control include an assessment of the extent
that internal control provides reasonable assurance that:

a.
           organizational missions, goals, and objectives are achieved
           effectively and efficiently;

b.
           resources are used in compliance with laws, regulations, or other
           requirements;

c.
           resources are safeguarded against unauthorized acquisition, use,
           or disposition;

d.
           management information and public reports that are produced, such
           as performance measures, are complete, accurate, and consistent to
           support performance and decision making;

e.
           the integrity of computerized information and information systems
           is achieved; and

f.
           contingency planning for information systems provides essential
           back-up to prevent unwarranted disruption of activities and
           functions the systems support.

1.40 Compliance audit objectives relate to compliance criteria established
by laws, regulations, contract provisions, grant agreements, and other
requirements16 that could affect the acquisition, protection, and use of
the entity's resources and the quantity, quality, timeliness, and cost of
services the entity produces and delivers. Compliance objectives include
determining whether

a.
           the purpose of the program, the manner in which it is to be
           conducted, the services delivered, the outcomes, or the population
           it serves are in compliance with laws, regulations, contract
           provisions, grant agreements, and other requirements;

b.
           government services and benefits are distributed or delivered to
           citizens based on the citizens' right to obtain those services and
           benefits; and

c.
           incurred or proposed costs are in compliance with applicable laws,
           regulations, and contract or grant agreement terms.

1.41 Prospective audit objectives provide analysis or conclusions about
information that is based on assumptions about events that may occur in
the future along with possible actions that the audited entity may take in
reaction to the future events. Examples of objectives pertaining to this
work include providing analysis or conclusions about:

a.
           current and projected trends and future potential impact on
           government programs and services;

b.
           program or policy alternatives, including forecasting program
           outcomes under various assumptions;

c.
           policy proposals for decision makers;

d.
           prospective information prepared by management;

e.
           forecasts that are based on (1) assumptions about expected future
           events and (2) management's expected reaction to those future
           events; and

f.
           management's assumptions on which prospective information is
           based.

16 Compliance requirements can be either financial or nonfinancial in nature.

1.42 As discussed in paragraphs 1.16 through 1.17 and 1.20, other
professional standards may be used in conjunction with GAGAS when
conducting performance audits.

Nonaudit Services Provided by Audit Organizations

 entities they audit.
       Further discussion of nonaudit services and potential impact on
       auditor independence is included in Chapter 3, paragraphs 3.24 through
       3.35 and in the appendix, paragraphs A3.02 through A3.03.

  Chapter 2 Auditors' Ethical Responsibilities

Introduction

nd staff are an essential
       element of a positive ethical environment for the audit organization.
ter 3.

  Overarching Ethical Concepts

ors
       include:

a.
           The Public Interest;

b.
           Professional Behavior;

c.
           Integrity;

d.
           Objectivity; and

e.
           Proper Use of Government Information, Resources and Position.

Individual auditors who are members of professional organizations or are
licensed or certified professionals may also be subject to ethical
requirements of those professional organizations or licensing bodies.
Auditors in government audit organizations may also be subject to
government ethics laws and regulations.

The Public Interest

in the
       government environment.
 is essential that auditors' professional behavior include
compliance with laws and regulations and acting in a manner consistent
with the high expectations for their profession, while avoiding any
conduct that might bring discredit to their work, including actions that
would cause a reasonable and informed third party, having knowledge of all
relevant information, to conclude that the conduct or work performed by the
government auditors or audit organization was professionally deficient.
Professional behavior includes auditors putting forth an honest effort in
the performance of their duties and carrying out their professional
services in accordance with the relevant technical and professional
standards.

2.09 The professional behavior of auditors practicing in the government
environment is expected to be above reproach. Professional behavior is
realized when auditors conduct themselves in a manner that avoids having
their actions and work misinterpreted or that gives the appearance of
being biased or misleading. By observing ethical principles, auditors
promote confidence in the integrity of government operations and programs.

Integrity

inion; it cannot accommodate deceit or subordination
       of the principles of fairness and objectivity to personal gains. In
       applying the principle of integrity, it is essential that auditors
       observe both the form and the spirit of the relevant ethical
       standards.

Objectivity

2.12 The credibility of government auditing is based on auditors'
objective attitude in discharging their professional responsibilities.
Objectivity includes being independent in fact and appearance when
providing audit and attestation services, maintaining an attitude of
impartiality, having intellectual honesty, and being free of conflicts of
interest. It is crucial that auditors avoid conflicts that may in fact or
appearance impair auditors' objectivity in performing the audit or
attestation engagement. Maintaining objectivity includes a continuing
assessment of relationships with audited entities and other stakeholders
in the context of the auditors' responsibility to the public.

Proper Use of Government Information, Resources, and Position

.
       This concept also includes the proper handling of sensitive or
       classified information or resources.
t auditors exercise prudence in the use of information acquired in
       the course of their duties or as a result of professional and business
       relationships. Auditors should not disclose any such information to
       third parties without proper and specific authority, unless there is a
       legal and professional right or obligation to disclose.
ts or those of an immediate or close family

member; a general partner; an organization for which the auditor serves as
an officer, director, trustee, or employee; or a person or organization
with which the auditor is negotiating or has an arrangement concerning
future employment. (See paragraphs 3.06 through 3.09 for further discussion
of personal impairments to independence.)

                          Chapter 3 General Standards

Introduction

3.01 This chapter establishes general standards and provides guidance for
performing financial audits, attestation engagements,19 and performance
audits under GAGAS. These general standards, along with the overarching
ethical concepts presented in chapter 2, establish a foundation that adds
credibility to auditors' work. Credibility is essential to all audit
organizations performing work that government leaders and others use for
making decisions and achieving government accountability. Credibility is
what the public expects of information provided by government auditors.
These general standards emphasize the independence of the audit
organization and its individual auditors; the exercise of professional
judgment in the performance of work and the preparation of related
reports; the competence of audit staff; audit quality control and
assurance; and external peer reviews.

  Independence

 an
attestation engagement.

independence and, thus, are not capable of exercising objective and
impartial judgment on all issues associated with conducting the audit and
reporting on the work.

izations perform audit or attestation services, audit
       organizations consider three general classes of impairments to
       independence--personal, external, and organizational.20 If one or more
       of these impairments affects an individual auditor's capability to
       perform the work and report results impartially, the auditor should
       either decline to perform the work--or in those situations in which the
       auditor, because of a legislative requirement or for other reasons,
       cannot decline to perform the work--the auditors must disclose the
       impairment or impairments in the scope section of the audit report.
cialist's
       independence from the activity or program under audit. Internal
       specialists who are members of the audit team should follow the same
       standards and processes as the other members of the audit team.

20 When applicable, auditors also follow the AICPA code of professional
conduct and the code of professional conduct of the state board with
jurisdiction over the practice of the public accountant and the audit
organization. Auditors have a responsibility to be aware of and comply
with any applicable government ethics laws and regulations and any other
ethics requirements (such as those of the state boards of accountancy)
associated with their activities.

21 Specialists to whom this section applies include, but are not limited to,
actuaries, appraisers, attorneys, engineers, environmental consultants,
medical professionals, statisticians, and geologists.

Personal Impairments

3.06 Auditors participating on an audit assignment must be free from
personal impairments to independence.22 Personal impairments of staff
members result from relationships and beliefs that might cause auditors to
limit the extent of the inquiry, limit disclosure, or weaken or slant
audit findings in any way. Individual auditors should notify the
appropriate officials within their audit organizations if they have any
personal impairments to independence. Examples of personal impairments of
individual auditors include, but are not limited to, the following:

a.
           immediate family or close family member23 who is a director or
           officer of the audited entity, or as an employee of the audited
           entity, is in a position to exert direct and significant influence
           over the entity or the program under audit;

b.
           financial interest that is direct, or is significant though
           indirect, in the audited entity or program;24

c.
           responsibility for managing an entity or decision making that
           could affect operations of the entity or program being audited;
           for example as a director, officer, or other senior position of
           the entity, activity, or program being audited, or as a member of
           management in any decision making, supervisory, or ongoing
           monitoring function for the entity, activity, or program under
           audit;

22 This includes those who review the work or the report, and all others
within the audit organization who can directly influence the outcome of
the audit. The period covered includes the period covered by the audit,
and the period in which the audit is being performed and reported.

23 Immediate family member is a spouse, spouse equivalent, or dependent
(whether or not related). A close family member is a parent, sibling, or
nondependent child.

24 Auditors are not precluded from auditing pension plans that they
participate in if (1) the auditor has no control over the investment
strategy, benefits, or other management issues associated with the pension
plan and (2) the auditor belongs to such pension plan as part of his/her
employment with the audit organization, provided that the plan is normally
offered to all employees in equivalent employment positions.

d.
           concurrent or subsequent performance of an audit by the same
           individual who maintained the official accounting records when
           such services involved preparing source documents or originating
           data, in electronic or other form; posting transactions (whether
           coded by management or not coded); authorizing, executing, or
           consummating transactions (for example, approving invoices,
           payrolls, claims, or other payments of the entity or program being
           audited); maintaining an entity's bank account or otherwise having
           custody of the audited entity's funds; or otherwise exercising
           authority on behalf of the entity, or having authority to do so;

e.
           preconceived ideas toward individuals, groups, organizations, or
           objectives of a particular program that could bias the audit;

f.
           biases, including those induced by political, ideological, or
           social convictions, that result from employment in, or loyalty to,
           a particular type of policy, group, organization, or level of
           government; and

g.
           seeking employment during the conduct of the audit with an audited
           organization or an individual or entity with a direct interest in
           the outcome of the audit.

3.07 Audit organizations and auditors may encounter many different
circumstances or combination of circumstances that could create a personal
impairment. Therefore, it is impossible to identify every situation that
could result in a personal impairment. Accordingly, audit organizations
should include as part of their internal quality control system procedures
to identify personal impairments and help ensure compliance with GAGAS
independence requirements. At a minimum, audit organizations should:

a.
           establish policies and procedures to identify personal impairments
           to independence (see paragraph 3.06);

b.
           communicate the audit organization's policies and procedures to
           all auditors in the organization and help ensure understanding of
           the policies and procedures through training or other means such
           as auditors periodically acknowledging their understanding;

c.
           establish internal policies and procedures to monitor compliance
           with the audit organization's policies and procedures;

d.
           establish a disciplinary mechanism to promote compliance with the
           audit organization's policies and procedures;

e.
           stress the importance of independence and the expectation that
           auditors will always act in the public interest; and

f.
           maintain documentation of the steps taken to identify potential
           personal independence impairments as well as actions taken to
           resolve any impairments.

 audit assignment. If the personal impairment cannot be mitigated
       through these means, the audit organization should withdraw from the
       audit. In situations in which government auditors cannot withdraw from
       the audit, they should follow the requirement in paragraph 3.04.
nt to
       independence after the audit report is issued, the audit organization
       should assess the impact on the audit. The audit organization should
       consider whether, given the impact on the audit, to notify

regulatory agencies that have jurisdiction over the audited entity and
persons known to be using the audit report about the independence
impairment and the impact on the audit. Auditors should make such
notifications in writing.

External Impairments

3.10 Audit organizations must be free from external impairments to
independence. Factors external to the audit organization may restrict the
work or interfere with auditors' ability to form independent and objective
opinions and conclusions. External impairments to independence occur when
auditors are deterred from acting objectively and exercising professional
skepticism by pressures, actual or perceived, from management and
employees of the audited entity or oversight organizations. For example,
under the following conditions, auditors may not have complete freedom to
make an independent and objective judgment, thereby adversely affecting
the audit:

a.
           external interference or influence that could improperly limit or
           modify the scope of an audit or threaten to do so, including
           exerting pressure to reduce inappropriately the extent of work
           performed in order to reduce costs or fees;

b.
           external interference with the selection or application of audit
           procedures or in the selection of transactions to be examined;

c.
           unreasonable restrictions on the time allowed to complete an audit
           or issue the report;

d.
           restriction on access to records, government officials, or other
           individuals needed to conduct the audit;

e.
           external interference over the assignment, appointment, and
           promotion of audit personnel;

f.
           restrictions on funds or other resources provided to the audit
           organization that adversely affect the audit organization's
           ability to carry out its responsibilities;

g.
           authority to overrule or to inappropriately influence the
           auditors' judgment as to the appropriate content of the report;

h.
           threat of replacement over a disagreement with the contents of an
           audit report, the auditors' conclusions, or the application of an
           accounting principle or other criteria; and

i.
           influences that jeopardize the auditors' continued employment for
           reasons other than incompetence, misconduct, or the need for audit
           services.

3.11 Audit organizations should include, as part of their internal quality
control system for compliance with GAGAS independence requirements,
internal policies and procedures for reporting and resolving external
impairments.

Organizational Independence

3.12 In addition to the preceding paragraphs that address personal and
external impairments, a government audit organization's ability to perform
the work and report the results impartially can be affected by its place
within government and the structure of the government entity that the
audit organization is assigned to audit as well as by nonaudit services it
has provided to audited entities. Whether performing work to report
externally to third parties outside the audited entity or internally to
top management within the audited entity, audit organizations must be free
from organizational impairments to independence with respect to the
entities they audit.

Organizational Independence When Reporting Externally to Third Parties:

ation reporting externally to third
       parties may be presumed to be free from organizational impairments to
       independence from the audited entity, if the audit organization is:

a.
           assigned to a level of government other than the one to which the
           audited entity is assigned (federal, state, or local), for
           example, federal auditors auditing a state government program, or

b.
           assigned to a different branch of government within the same level
           of government as the audited entity; for example, legislative
           auditors auditing an executive branch program.

3.15 Second, a government audit organization reporting externally to third
parties may also be presumed to be free from organizational impairments if
the audit organization's head meets any of the following criteria:

a.
           directly elected by voters of the jurisdiction being audited;

b.
           elected or appointed by a legislative body, subject to removal by
           a legislative body, and reports the results of audits to and is
           accountable to a legislative body;

c.
           appointed by someone other than a legislative body, so long as the
           appointment is confirmed by a legislative body and removal from
           the position is subject to oversight or approval by a legislative
           body,25 and reports the results of audits to and is accountable to
           a legislative body; or

d.
           appointed by, accountable to, reports to, and can only be removed
           by a statutorily created governing body, the majority of whose
           members are independently elected or appointed and come from
           outside the organization being audited.

3.16 In addition to the presumptive criteria in paragraphs 3.14 and 3.15,
GAGAS recognize that there may be other organizational structures under
which a government audit organization could be considered to be free from
organizational impairments and thereby be considered organizationally
independent for reporting externally. These other structures provide
safeguards to prevent the audited entity from interfering with the audit
organization's ability to perform the work and report the results
impartially. For an audit organization to be considered free from
organizational impairments for reporting externally under a structure
different from the ones listed in paragraphs 3.14 and 3.15, the audit
organization should have all of the following safeguards:

a.
           statutory protections that prevent the abolishment of the audit
           organization by the audited entity;

b.
           statutory protections that require that if the head of the audit
           organization is removed from office, the head of the agency
           reports this fact and the reasons for the removal to the
           legislative body;

c.
           statutory protections that prevent the audited entity from
           interfering with the initiation, scope, timing, and completion of
           any audit;

25 Legislative bodies may exercise their confirmation powers through a
variety of means so long as they are involved in the approval of the
individual to head the audit organization. This involvement can be
demonstrated by approving the individual after the appointment or by
initially selecting or nominating an individual or individuals for
appointment by the appropriate authority.

d.
           statutory protections that prevent the audited entity from
           interfering with the reporting on any audit, including the
           findings, conclusions, and recommendations, or the manner, means,
           or timing of the audit organization's reports;

e.
           statutory protections that require the audit organization to
           report to a legislative body or other independent governing body
           on a recurring basis;

f.
           statutory protections that give the audit organization sole
           authority over the selection, retention, advancement, and
           dismissal of its staff; and

g.
           statutory access to records and documents that relate to the
           agency, program, or function being audited and government
           officials or other individuals needed to conduct the audit.26

3.17 If the head of the audit organization concludes that the organization
meets all the safeguards listed in paragraph 3.16, the audit organization
may be considered free from organizational impairments to independence
when reporting the results of its audits externally to third parties. In
such situations, the audit organization should document how the safeguards
discussed in paragraph 3.16 were satisfied and provide the documentation
to those performing quality control monitoring and to the external peer
reviewers to determine whether all the necessary safeguards have been met.

Organizational Independence When Reporting Internally to Management (as an
internal audit function)

3.18 Certain federal, state, or local government audit organizations or
audit organizations within other government entities employ auditors to
work for management of the audited entities. These auditors may be subject
to administrative direction from persons involved in the government
management process. Such audit organizations are

26 Statutory authority to issue a subpoena to obtain the needed records is
one way to meet the requirement for statutory access to records.

internal audit organizations and are encouraged to follow the IIA
International Standards for the Professional Practice of Internal
Auditing. In addition, under GAGAS, a government internal audit
organization can be presumed to be free from organizational impairments to
independence when reporting internally to management if the head of the
audit organization meets all of the following criteria:

a.
           accountable to the head or deputy head of the government entity or
           to those charged with governance,

b.
           reports the results of the audit organization's work to the head
           or deputy head of the government entity and to those charged with
           governance,

c.
           located organizationally outside the staff or line management
           function of the unit under audit, and

d.
           has access to those charged with governance.

may be considered free of organizational impairments to independence
       to audit internally and report objectively to the entity's management
       and those charged with governance. Further distribution of reports
       outside the organization may be made in accordance with applicable
       law, rule, regulation, or policy. In these situations, auditors must
       clearly disclose in their reports the fact that they are auditing in
       their employing organizations.
rectly assigned, such as auditing contractors or outside party
       agreements, and no personal or external impairments exist, they may be
       considered independent of the audited entities and free to report
       objectively to the heads or deputy heads of the government entities to
       which they are assigned, to those charged with governance, and to
       parties outside the organizations in accordance with applicable law,
       rule, regulation, or policy.
it service would impair an audit
organization's independence with respect to entities they audit. Auditors
also exercise professional

27 GAO has issued further guidance in the form of questions and answers to
assist in implementation of the standards associated with nonaudit
services. This guidance, Government Auditing Standards: Answers to
Independence Standard Questions, GAO-02-870G (Washington, DC: June 2002),
can be found on GAO's Government Auditing Standards Web page
(http://www.gao.gov/govaud/ybk01.htm).

judgment in determining whether any previously performed nonaudit services
would impair an audit organization's independence with respect to entities
they audit. Those within the audit organization with sufficient knowledge,
experience, and competence to fully understand the current and future
issues the audit organization may face should make this determination.

 consider whether nonaudit services
       they have provided or are committed to provide have a significant or
       material effect on the subject matter of the audits.
s should disclose nonaudit services
       described in paragraph 3.30b related to individual audits selected for
       review in an internal inspection or peer review and provide the
       documentation required by paragraphs 3.35a through 3.35e to
       inspectors/reviewers.

Overarching Independence Principles

3.27 The following two overarching principles apply to auditor
independence when assessing the impact of performing a nonaudit service
for audited entities: (1) audit organizations must not provide nonaudit
services that involve performing management functions or making management
decisions and (2) audit organizations must not audit

See appendix, paragraphs A3.02 through A3.03 for examples of nonaudit
services that are generally unique to government audit organizations.

their own work or provide nonaudit services in situations where the
nonaudit services are significant/material to the subject matter of
audits.29

anization can
       be significantly or materially affected by the nonaudit service, audit
       organizations should evaluate (1) ongoing audits; (2) planned audits;
       (3) requirements and commitments for providing audits, which includes
       laws, regulations, rules, contracts, and other agreements; and (4)
       policies placing responsibilities on the audit organization for
       providing audit services.
f the audit.

30 The requestor of nonaudit services could be the management of the audited
entity or a third party such as a legislative oversight body.

31 See appendix, paragraphs A3.02 through A3.03 for examples of nonaudit
services that are generally unique to government audit organizations.

b.
           Nonaudit services that do not impair the audit organization's
           independence with respect to entities they audit as long as the
           supplemental safeguards in paragraph 3.35 are complied with. (See
           paragraph 3.33.)

c.
           Nonaudit services that would impair the audit organization's
           independence. Compliance with the supplemental safeguards will not
           overcome this impairment. (See paragraph 3.34.)

Nonaudit Services That Do Not Impair Auditor Independence

this category include the
       following:

a.
           Participating in activities such as commissions, committees, task
           forces, panels, and focus groups as an expert in a purely
           advisory, non-voting capacity to:

(1)
           advise entity management on issues based on the knowledge and
           skills of the auditors, and

(2)
           address urgent problems or policy issues.

b.
           Providing tools and methodologies, such as guidance and good
           business practices, benchmarking studies, and internal control
           assessment methodologies that can be used by management.

c.
           Providing targeted and limited technical advice to the audited
           entity and management to assist them in activities such as (1)
           answering technical questions and/or providing training, (2)
           implementing audit recommendations, (3) performing internal
           control self-assessments, and (4) providing information on good
           business practices.

Nonaudit Services That Would Not Impair Independence if Supplemental
Safeguards Are Implemented.

3.33 These services would not impair the audit organization's independence
with respect to the entities they audit so long as they comply with the
supplemental safeguards. Examples of the types of services in this
category include the following:

a.
           Providing basic accounting assistance limited to services such as
           preparing draft financial statements that are based on
           management's chart of accounts and trial balance and any
           adjusting, correcting, and closing entries that have been approved
           by management; preparing draft notes to the financial statements
           based on information determined and approved by management;
           preparing a trial balance based on management's chart of accounts;
           maintaining depreciation schedules for which management has
           determined the method of depreciation, rate of depreciation, and
           salvage value of the asset.32

b.
           Providing payroll services when payroll is not material to the
           subject matter of the audit or to the audit objectives. Such
           services are limited to using records and data that have been
           approved by entity management.

If the audit organization has prepared draft financial statements and
notes and performed the financial statement audit, the auditor obtains
documentation from management in which management acknowledges the audit
organization's role in preparing the financial statements and related
notes and management's review, approval, and responsibility for the
financial statements and related notes in the management representation
letter. The management representation letter that is done as part of the
audit may be used for this type of documentation.

c.
           Providing appraisal or valuation services limited to services such
           as reviewing the work of the entity or a specialist employed by
           the entity where the entity or specialist provides the primary
           evidence for the balances recorded in financial statements or
           other information that will be audited; valuing an entity's
           pension, other post-employment benefits, or similar liabilities
           provided management has determined and taken responsibility for
           all significant assumptions and data.

d.
           Preparing an entity's indirect cost proposal33 or cost allocation
           plan provided that the amounts are not material to the financial
           statements and management assumes responsibility for all
           significant assumptions and data.

e.
           Providing advisory services on information technology limited to
           services such as advising on system design, system installation,
           and system security if management, in addition to the safeguards
           in paragraph 3.35, acknowledges responsibility for the design,
           installation, and internal control over the entity's system and
           does not rely on the auditors' work as the primary basis for
           determining (1) whether to implement a new system, (2) the
           adequacy of the new system design, (3) the adequacy of major
           design changes to an existing system, and (4) the adequacy of the
           system to comply with regulatory or other requirements.

f.
           Providing human resource services to assist management in its
           evaluation of potential candidates when the services are limited
           to activities such as serving on an evaluation panel of at least
           three individuals to review applications or interviewing
           candidates to provide input to management in arriving at a listing
           of best qualified applicants to be provided to management.

g.
           Preparing routine tax filings in accordance with federal tax laws,
           rules, and regulations of the Internal Revenue Service, and state
           and local tax authorities, and any other applicable tax laws that
           do not violate the overarching independence principles. For
           example, preparing tax returns, including IRS form 990, "Return of
           Organization Exempt from Income Tax," based on information
           provided by the audited entity, providing advice on deposits due
           to a taxing authority, and representing an audit entity in IRS
           matters such as in an IRS audit or in obtaining IRS rulings or
           other agreements, ordinarily would be included in this category of
           nonaudit services.34

The Office of Management and Budget prohibits an auditor who prepared the
entity's indirect cost proposal from conducting the required audit when
indirect costs recovered by the entity during the prior year exceeded $1
million under OMB Circular A-133, Audits of States, Local Governments, and
Non-Profit Organizations, Subpart C.305(b), revised June 27, 2003.

h. Documenting existing processes and internal controls.

Nonaudit Services That Impair Independence

3.34 Compliance with the supplemental safeguards will not overcome
independence impairments in this category. By their nature, certain
nonaudit services directly support the entity's operations and impair the
audit organization's ability to meet either or both of the overarching
independence principles in paragraph 3.27 for certain types of audit work.

Examples of the types of services under this category include the
following:

a.
           Maintaining or preparing the audited entity's basic accounting
           records or maintaining or taking responsibility for basic
           financial or other records that the audit organization will audit.

b.
           Posting transactions (whether coded or not coded) to the entity's
           financial records or to other records that subsequently provide
           input to the entity's financial records.

An audit organization's independence for performing financial statement
audits would not be impaired by representing the audited entity in IRS
matters or in obtaining IRS rulings or other agreements. However, these
nonaudit services would impair auditor independence with respect to
performance audits of tax compliance since the audit organization would be
auditing its own work.

c.
           Determining account balances or determining capitalization
           criteria.

d.
           Designing, developing, installing, or operating the entity's
           accounting system or other information system that are material or
           significant to the subject matter of the audit.

e.
           Providing payroll services that (1) are material to the subject
           matter of the audit or the audit objectives, and/or (2) involve
           making management decisions.

f.
           Providing appraisal or valuation services that exceed the scope
           described in paragraph 3.33 c.

g.
           Recommending a single individual for a specific position that is
           key to the entity or program under audit, or otherwise ranking or
           influencing management's selection of the candidate; or conducting
           an executive search or a recruiting program for the audited
           entity.

h.
           Developing an entity's performance measurement system when that
           system is material or significant to the subject matter of the
           audit.

i.
           Performing the entity's internal control self-assessment process
           or developing the internal control system.

j.
           Developing an entity's policies, procedures, and internal
           controls.

k.
           Providing services that are used as management's primary basis for
           making decisions that are significant to the subject matter under
           audit.

l.
           Internal audit functions, when performed by external auditors.

m.
           Serving as voting members of an entity's management committee or
           board of directors, making policy decisions that affect future
           direction and operation of an entity's programs, supervising
           entity employees, developing programmatic policy, authorizing an
           entity's transactions, or maintaining custody of an entity's
           assets.35

Supplemental Safeguards for Maintaining Auditor Independence When
Performing Nonaudit Services Described in Paragraph 3.33

3.35 Performing nonaudit services described in paragraph 3.33 will not
impair independence if the overarching independence principles stated in
paragraph 3.27 are not violated. For these nonaudit services, the audit
organization must comply with the following safeguards.

a.
           The audit organization documents its consideration of the nonaudit
           services, including its conclusions about the impact on
           independence.

b.
           Before performing nonaudit services, the audit organization
           establishes and documents an understanding with the audited entity
           regarding the objectives, scope of work, and product or
           deliverables of the nonaudit service. The audit organization also
           establishes and documents an understanding with the audited entity
           that its management is responsible for (1) the subject matter of
           the nonaudit services, (2) the substantive outcomes of the work,
           (3) making any decisions that involve management functions related
           to the nonaudit service and accepting full responsibility for such
           decisions.

c.
           The audit organization precludes personnel who provided the
           nonaudit services from planning, conducting, or reviewing audit
           work of the subject matter of the nonaudit service under the
           overarching independence principle that auditors must not audit
           their own work.36

35

Entity assets are intended to include all of the entity's property
including bank accounts, investment accounts, inventories, equipment or
other assets owned, leased, or otherwise in the entity's possession, and
financial records, both paper and electronic.

36

Personnel who provided the nonaudit service are permitted to convey to the
audit assignment team the documentation and knowledge gained about the
audited entity and its operations.

d.
           The audit organization does not reduce the scope and extent of the
           audit work below the level that would be appropriate if the
           nonaudit work were performed by an unrelated party.

e.
           The audit organization's quality control systems for compliance
           with independence requirements should include: (1) policies and
           procedures to consider the effect on the ongoing, planned, and
           future audits when deciding whether to provide nonaudit services,
           and (2) a requirement to document the understanding with
           management of the audited entity discussed above. The
           understanding should be communicated to management in writing and
           can be included in the engagement letter. In addition, the
           documentation should specifically identify management's
           responsibilities discussed above.

  Professional Judgment

ponent of professional judgment, auditors exercise
professional skepticism, which is an attitude that includes a
questioning mind and a critical assessment of evidence. Professional
skepticism includes a mindset where auditors neither assume that
management is dishonest nor of unquestioned honesty, and auditors are
not to be satisfied with less than persuasive evidence because of a
belief that management is honest.

an audit engagement, as well as the professional judgment of
individual auditors. In addition to personnel directly involved in the
audit, professional judgment may involve collaboration with other
stakeholders, outside experts, and management in the audit
organization.

ects of carrying out
professional responsibilities, including following the independence
standards, maintaining objectivity and credibility, assigning
competent audit staff to the engagement, and maintaining appropriate
quality control over the engagement process.

f the audit subject matter and related
circumstances. This includes consideration about whether their
collective experience, training, knowledge, skills, abilities, and
overall understanding are sufficient to assess the risks that the
subject matter under audit may contain a significant inaccuracy or
could be misinterpreted.

gnment, it does not imply unlimited responsibility,
nor does it imply infallibility on the part of either the individual
auditor or the audit organization. Absolute assurance is not
attainable because of the nature of evidence and the characteristics
of fraud. Professional judgment does not mean eliminating all possible
limitations or weaknesses associated with a specific audit, but rather
identifying, considering, minimizing, mitigating, and explaining them.

  Competence

ce that has
adequate competence. The nature, extent, and formality of the process
will depend on various factors such as the size of the audit
organization, its work, and its structure.

ncies
are not necessarily measured by years of auditing experience because
such a quantitative measurement may not accurately reflect the kinds
of experiences gained by an auditor in any given time period. Auditors
maintain competence through a commitment to learning and development
throughout an auditor's professional life. Competence enables an
auditor to make sound professional judgments.

technical knowledge, skills, and
experience necessary to be competent for the type of work being performed
before beginning work on that assignment. In assigning personnel to
engagements, audit organizations consider the workload requirements of an
engagement, the skills, competence, and experience needed in relation to
the complexity or other needs of an engagement, and the extent of
supervision to be provided. Staff members should collectively possess:

a.
           knowledge of GAGAS applicable to the type of work they are
           assigned and the education, skills, and experience to apply such
           knowledge to the work being performed;

b.
           general knowledge of the environment in which the audited entity
           operates and the subject matter under review;

c.
           skills to communicate clearly and effectively, both orally and in
           writing; and

d.
           skills appropriate for the work being performed. For example:

(1)
           staff or specialists with statistical sampling skills if the work
           involves use of statistical sampling;

(2)
           staff or specialists with information technology skills if the
           work involves review of information systems;

(3)
           staff or specialists with engineering skills if the work involves
           review of complex engineering data;

(4)
           staff or specialists with skills in specialized audit
           methodologies or analytical techniques, such as the use of complex
           survey instruments, actuarial-based estimates, or statistical
           analysis tests, if the work calls for such skills; or

(5)
           staff or specialists with skills in specialized subject matters,
           such as scientific, medical, environmental, educational, or any
           other specialized subject matter, if the work calls for such
           expertise.

Additional Qualifications for Financial Audits and Attestation Engagements

ation engagements in which U.S. attestation
engagement standards are to be followed, GAGAS incorporate the AICPA's
attestation standards. Auditors should be knowledgeable in the AICPA
general attestation standard related to criteria and the AICPA
attestation standards for field work and reporting and the related
Statements on Standards for Attestation Engagements (SSAE), and they
should be competent in applying these standards and SSAE to the task
assigned.

refore, each auditor
performing work under GAGAS should complete, every 2 years, at least 80
hours of CPE that enhance the auditor's professional proficiency to
perform audits and/or attestation engagements. Auditors should take
subjects directly related to government auditing, the government
environment, or the specific or unique environment in which the audited
entity operates for at least 24 of the 80 hours of CPE.37 Auditors should
complete at least 20 hours of the 80 in any 1 year of the 2-year period.

Auditors who are only involved in performing field work but not involved
in planning, directing, or reporting on the audit or attestation
engagement and who charge less than 20 percent of their time annually to
GAGAS audits and attestation engagements are subject to the 24 hour
requirement for government related CPE in each 2-year period but do not
have to comply with the remainder of the 80-hour CPE requirement.

e exercised by
auditors in consultation with appropriate officials within their audit
organizations. Among the considerations in exercising that judgment
are the auditors' experience, the responsibilities they assume in
performing GAGAS audits or attestation engagements, and the operating
environment of the audited entity.

the audit organization and perform as a
member of the audit team, should comply with GAGAS, including the CPE
requirements.

This guidance, Government Auditing Standards: Guidance on GAGAS
Requirements for Continuing Professional Education, GAO-05-586G
(Washington, D.C.: Apr. 2005), can be found on GAO's Government Auditing
Standards Web page (http://www.gao.gov/govaud/ybk01.htm).

  Quality Control and Assurance

3.59 Each audit organization performing audits and/or attestation
engagements in accordance with GAGAS must have an internal quality control
system in place that is designed to provide reasonable assurance that the
organization and its personnel comply with professional standards and
regulatory and legal requirements, and that reports issued are in
accordance with professional standards.

System of Quality Control

suitably designed in
relation to the audit organization's size, number of offices, the
knowledge and experience of its personnel, the nature and complexity
of the audit work, and appropriate cost-benefit considerations. Thus,
the systems established by individual audit organizations and the
extent of their documentation of the systems will vary based on an
audit organization's circumstances.

           and has the capabilities, time and resources to do so,

(2)
           is independent and can comply with professional standards and
           ethical principles, and

(3)
           is within the legal mandate or authority of the audit
           organization.

c.
           Human capital management: Policies and procedures designed to
           provide the audit organization with reasonable assurance that it
           has sufficient personnel with the competence necessary to perform
           its engagements in accordance with professional standards and
           regulatory and legal requirements, and to enable the audit
           organization to issue reports that are appropriate in the
           circumstances. Policies and procedures related to competence of
           personnel address the following:

(1)
           recruitment of qualified personnel;

(2)
           assignment of personnel with the competence and independence39
           needed for specific engagements;

See paragraphs 3.06 through 3.09, and 3.35c for specific quality control
requirements related to personal impairments and performing nonaudit
services, respectively.

(3)
           performance evaluation, professional development, continuing
           professional education, promotion, and compensation.

d.
           Engagement performance and reporting: Policies and procedures
           designed to provide the audit organization with reasonable
           assurance that engagements are performed in accordance with
           professional standards and regulatory and legal requirements, and
           that the audit organization issues reports that are appropriate in
           the circumstances include the following:

(1)
           information and communication provided to engagement teams so that
           team members sufficiently understand the objectives of their work;

(2)
           processes for engagement planning and supervision;

(3)
           processes for complying with applicable engagement-related
           standards;

(4)
           reviewing the work performed, the significant judgments made and
           the resulting report;

(5)
           appropriate documentation of the work performed and review of
           audit documentation, including appropriate management-level
           reviews;

(6)
           communication at the appropriate professional level with
           individuals within or outside the audit organization to resolve a
           difficult or contentious matter;

(7)
           procedures for resolving disagreements among team members and
           between the team and those consulted; and

(8)
           reporting that is appropriate to circumstances associated with the
           engagement, is supported by the work performed, and is in
           accordance with applicable professional standards and regulatory
           and legal requirements.

e.
           Monitoring of quality: Policies and procedures designed to provide
           management of the audit organization with reasonable assurance
           that the policies and procedures relating to the system of quality
           control are suitably designed and operating effectively in
           practice. Audit organizations should have monitoring procedures
           that include an ongoing consideration and evaluation of the audit
           organization's system of quality control for achieving the
           objectives in (a) through (d) above, including

(1)
           relevance and adequacy of the organization's policies and
           procedures,

(2)
           appropriateness of the organization's guidance materials, and

(3)
           compliance with the organization's policies and procedures.

ystem of
       quality control as well as documentation to demonstrate compliance
       with its policies and procedures for a period of time sufficient to
       enable those performing monitoring procedures and peer reviews to
       evaluate the extent of the audit organization's compliance with the
       quality control policies and procedures. The form and content of such
       documentation is a matter of judgment.

External Peer Review

3.64 Audit organizations performing audits and attestation engagements in
accordance with GAGAS must have an external peer review of their auditing
and attestation engagement practices in accordance with the time frames
set forth in paragraph 3.69.40

         The review team collectively has current knowledge of GAGAS and of
           the government environment relative to the work being reviewed.

b.
           Each review team member is independent (as defined in GAGAS) of
           the audit organization being reviewed, its staff, and the audits
           and attestation engagements selected for the external peer review.
           A review team or a member of the review team does not review the
           audit organization that conducted its audit organization's most
           recent external peer review.

c.
           The review team collectively has sufficient knowledge of how to
           perform a peer review. Such knowledge may be obtained from
           on-the-job training, training courses, or a combination of both.
           Having personnel on the peer review team with prior experience on
           a peer review or internal inspection team is desirable.

The external peer review requirement is effective within 3 years from the
date an audit organization begins field work on its first assignment in
accordance with GAGAS. This 3-year period refers to the cutoff ("as of")
date for the peer review. Generally, peer reviews are completed within 6
months of the cut-off date. Extensions of these time frames beyond 3
months after the peer review completion deadline are granted by GAO, and
in cooperation with the cognizant peer review program, to meet the
external peer review requirements for extraordinary circumstances.

3.67 Audit organizations should obtain a peer review that meets the
following requirements:

a.
           The peer review includes a review of the audit organization's
           internal quality control policies and procedures, including
           related monitoring procedures, audit and attestation engagement
           reports, audit and attest documentation, and other necessary
           documents (for example, independence documentation, CPE records,
           and personnel management files related to compliance with hiring,
           performance evaluation, advancement, compensation, and assignment
           policies). The review also includes interviews with various levels
           of the reviewed audit organization's professional staff to assess
           their understanding of and compliance with relevant quality
           control policies and procedures.

b.
           The review team uses one of the following approaches to selecting
           audits and attestation engagements for review: (1) select audits
           and attestation engagements that provide a reasonable
           cross-section of the assignments performed by the reviewed audit
           organization in accordance with GAGAS or (2) select audits and
           attestation engagements that provide a reasonable cross-section of
           the reviewed audit organization's work subject to its quality
           control system, including assignments performed in accordance with
           GAGAS.41

c. The peer review is sufficiently comprehensive to provide a reasonable
basis for concluding whether the reviewed audit organization's system of
quality control was complied with to provide the organization with
reasonable assurance of conforming with professional standards in the
conduct of its work, and the peer review includes consideration of the
adequacy and results of the reviewed audit organization's monitoring
efforts.

For audit organizations that perform only a small number of GAGAS audits
in relation to other types of audits, at least one or more GAGAS audits is
selected for review. In these cases, one or more GAGAS audits may
represent more than what would be selected when looking at a cross-section
of the audit organization's work as a whole.

d. The review team prepares a written report(s) communicating the results
of the external peer review. The report indicates the scope of the review,
including any limitations thereon, and includes an opinion on whether the
system of quality control of the reviewed audit organization's audit
and/or attestation engagement practices was adequately designed based on
specified standards or criteria and whether the audit organization's
quality control policies and procedures were being complied with during
the year reviewed to provide the audit organization with reasonable
assurance of conforming with professional standards. The report states the
professional standards or criteria to which the reviewed audit
organization is being held. The report also describes the reasons for any
modification of the opinion. When there are matters that resulted in a
modification to the opinion, the report includes a detailed description of
the findings and recommendations, either in the peer review report or in a
separate letter of comment, to enable the reviewed audit organization to
take appropriate actions. The written report refers to the letter of
comment if such a letter is issued along with a modified report.

it
organizations should also transmit their external peer review reports
to appropriate oversight bodies.43

er information public.

43

The transparency requirement in paragraph 3.68 does not include the letter
of comment.

a.
           within 18 months, if the most recent external peer review opinion
           is adverse or modified, with continued peer reviews every 18
           months until the audit organization receives an unmodified
           opinion;

b.
           every 3 years if the audit organization has an unmodified peer
           review opinion from its recent peer review, and does not qualify
           for or does not elect a 5-year period; or

c.
           every 5 years if the audit organization's most recent external
           peer review opinion was unmodified and the audit organization
           elects to meet the enhanced quality assurance and other criteria
           in paragraph 3.70.44

3.70 The following represents the enhanced quality assurance criteria for
audit organizations that elect a 5-year peer review cycle. Audit
organizations that do not elect a 5-year peer review cycle are strongly
encouraged to adopt these criteria as a means to strengthen quality
assurance. In order to qualify for a 5-year peer review cycle, the audit
organization should meet the following criteria:

a. The audit organization makes public on its Web site a description of
the overall system of quality assurance used to provide the organization
with reasonable assurance of complying with applicable standards governing
audits and attestation engagements.45 The audit organization provides the
description of its system of quality assurance to the oversight
organization's bodies who receive the external peer review report under
paragraph 3.68.

44

Independent public accountants and audit organizations may be subject to
requirements of other professional organizations or licensing bodies.

45

This high-level description includes the major policies regarding ethical
requirements, initiation and continuance of audit work, human capital
management, engagement performance and reporting, and monitoring, as
discussed in paragraph 3.61.

b. The audit organization has an effective annual internal46 quality
inspection process that meets the following criteria:

(1)
           The objective of the inspection process is to evaluate the
           adequacy of the audit organization's quality control policies and
           procedures, and the extent of the audit organization's compliance
           with its quality control policies and procedures.

(2)
           The annual inspection includes the following elements:

tal
management;

rnal or third-party resources to
conduct the inspection. If a third party is used to conduct the
inspection, that party is not independent to conduct the peer review.

ary modifications to the quality
control system, on a timely basis; and

process.

d.
           The audit organization determines whether it qualifies for the
           5-year peer review cycle and documents the rationale for its
           decision if it believes it qualifies. The audit organization may
           consult with its external peer reviewers in making this
           determination.

3.71 Information in external peer review reports and letters of comment
may be relevant to decisions on procuring audit or attestation engagement
services. Therefore, audit organizations seeking to enter into a contract
to perform an assignment in accordance with GAGAS should provide the
following to the party contracting for such services:

a.
           the audit organization's most recent external peer review report
           and any letter of comment, and

b.
           any subsequent peer review reports and letters of comment received
           during the period of the contract.

Peer reviewers read the assurance statements for each year since the
previous peer review and compare them with the inspection results for
those years. Peer reviewers evaluate management's assertion and the
underlying monitoring and inspection processes for the year under review.

3.72 Auditors who are relying on another audit organization's work should
request a copy of the audit organization's latest peer review report and
any letter of comment, and the audit organization should provide these
documents when requested.

              Chapter 4 Field Work Standards for Financial Audits

                                  Introduction

generally accepted
       government auditing standards (GAGAS). For financial audits, GAGAS
       incorporate the AICPA's field work and reporting standards and the
       related statements on auditing standards unless specifically excluded
       or modified by GAGAS.48 This chapter identifies the AICPA field work
       standards and prescribes additional standards for financial audits
       performed in accordance with GAGAS.


b.
           The auditor must obtain a sufficient understanding of the entity
           and its environment, including its internal control49 to assess
           the risk of material misstatement50 of the financial statements
           whether due to error or fraud, and to design the nature, timing,
           and extent of further audit procedures.

c.
           The auditor must obtain sufficient appropriate audit evidence by
           performing procedures to afford a reasonable basis for an opinion
           regarding the financial statements under audit.

Additional Considerations for Financial Audits in Government

4.05 Additional considerations for financial audits in government apply in
audits of a government entity or an entity that receives government awards.
For example, auditors may need to set lower materiality levels than in audits
in the private sector because of the public accountability of the audited
entity, various legal and regulatory requirements, and the visibility and
sensitivity of government programs. In applying professional judgment when
applying auditing standards, auditors also consider the needs of users

49 The AICPA standards incorporate the concepts contained in Internal
Control-Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). As discussed in the COSO
framework, internal control consists of five interrelated components,
which are (1) control environment, (2) risk assessment, (3) control
activities, (4) information and communication, and (5) monitoring. The
objectives of internal control relate to (1) financial reporting,
(2) operations, and (3) compliance. Safeguarding of assets is a
subset of these objectives. In that respect, management designs internal
control to provide reasonable assurance that unauthorized acquisition,
use, or disposition of assets will be prevented or timely detected and
corrected. In addition to the COSO document, the publication, Standards
for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
(Washington, D.C.: Nov. 1999), which incorporates the relevant guidance
developed by COSO, provides definitions and fundamental concepts
pertaining to internal control at the federal level and may be useful to
other auditors at any level of government. The related Internal Control
Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug.
2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.

50 In accordance with AICPA Statement on Auditing Standards No. 107, Audit
Risk and Materiality in Conducting an Audit, the auditor's consideration
of materiality is a matter of professional judgment and is influenced by
the auditor's perception of the needs of users of financial statements.
Materiality is defined as "the magnitude of an omission or misstatement of
accounting information that, in the light of surrounding circumstances,
makes it probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the omission or
misstatement." This definition is from Financial Accounting Standards
Board Statement of Financial Accounting Concepts No. 2, Qualitative
Characteristics of Accounting Information.

and the concerns of oversight officials regarding previously identified
risks, previously reported deficiencies in internal control of the audited
entity, and current and emerging risks and uncertainties facing the
government entity or program.

4.06 An important element of financial audits in government is the
reporting of deficiencies in internal control so that the audited entity
can take corrective actions necessary under the circumstances. (See
paragraphs 5.13 through 5.18.) A deficiency in internal control exists
when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to
prevent or detect misstatements on a timely basis. A deficiency in design
exists when (a) a control necessary to meet the control objective is missing
or (b) an
existing control is not properly designed so that, even if the control
operates as designed, the control objective is not met. A deficiency in
operation exists when a properly designed control does not operate as
designed, or when the person performing the control does not possess the
necessary authority or qualifications to perform the control effectively.

Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees

4.07 Under both the AICPA standards51 and GAGAS, auditors should plan and
perform the audit to obtain reasonable assurance52 about whether the
financial statements are free of material misstatement, whether caused by
error or fraud.53 Auditors conduct the audit with a mindset that
recognizes the possibility that a material misstatement due to

51 See AICPA Professional Standards, AU 316 (Statement on Auditing
Standards No. 99, Consideration of Fraud in a Financial Statement Audit).

52 In accordance with AICPA Statement on Auditing Standard No. 104, Amendment
to Statement on Auditing Standard No. 1, Codification of Auditing
Standards and Procedures ("Due Professional Care in the Performance of
Work"), paragraph 2, "the high, but not absolute, level of assurance that
is intended to be obtained by the auditor is expressed in the auditor's
report as obtaining reasonable assurance about whether the financial
statements are free of material misstatement (whether caused by error or
fraud)."

53 Two types of misstatements are relevant to the auditors' consideration of
fraud in an audit of financial statements--misstatements arising from
fraudulent financial reporting and misstatements arising from
misappropriation of assets. The primary factor that distinguishes fraud
from error is whether the underlying action that results in the
misstatement in the financial statements is intentional or unintentional.

potential fraud could be present. However, absolute assurance is not
attainable and thus even a properly planned and performed audit may not
detect a material misstatement resulting from fraud.

4.08 Auditors should design the audit to provide reasonable assurance of
detecting material misstatements resulting from direct and material
illegal acts.54 Auditors also consider the possibility that indirect
illegal acts may have occurred. If specific information comes to the
auditors' attention that provides evidence concerning the existence of
possible illegal acts that could have a material indirect effect on the
financial statements, the auditors should apply audit procedures
specifically directed to ascertaining (1) whether an illegal act has
occurred55 and (2) the potential financial statement effect.

Additional GAGAS Standards

4.09 GAGAS establish field work standards for financial audits in addition
to the requirements contained in the AICPA SAS. Auditors should comply
with these additional standards when citing GAGAS in their audit reports.
The additional GAGAS standards relate to

a.
           auditor communication (see paragraphs 4.10 through 4.15);

b.
           previous audits and attestation engagements (see paragraphs 4.16
           through 4.17);

54 See AICPA Professional Standards, AU 317 (Statement on Auditing
Standards No. 54, Illegal Acts by Clients). Direct and material illegal
acts are violations of laws and regulations having a direct and material
effect on the determination of financial statement amounts.

Whether a particular act is, in fact, illegal may have to await final
determination by a court of law or other adjudicative body. Thus, auditors
may disclose matters that have led them to conclude that an illegal act is
likely to have occurred; they do not make a determination of illegality.

c.
           detecting material misstatements resulting from violations of
           contract provisions or grant agreements, or from abuse (see
           paragraphs 4.18 through 4.20);

d.
           developing elements of a finding (see paragraph 4.21); and

e.
           audit documentation (see paragraphs 4.22 through 4.41).

Auditor Communication

ting for or
       requesting the audit and document the communications.
     individuals contracting for or requesting the audit, such as
       contracting officials or members or staff of legislative committees,
       in addition to communicating with the audited entity. When auditors
       are performing the audit pursuant

Those charged with governance are those responsible for overseeing the
strategic direction of the entity and the entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying the appropriate
individuals to receive the required auditor communications. (See appendix,
paragraph A1.02 for additional information.)

to a law or regulation and they are conducting the work directly for the
legislative committee who has oversight for the audited entity, auditors
should communicate with the members or staff of that legislative
committee. Auditors should coordinate communications with the responsible
government audit organization and/or management of the audited entity. If
an audit is terminated before it is completed, auditors should write a
memorandum for the audit documentation that summarizes the results of the
work and explains the reasons why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should consider the
need to communicate the reason for terminating the audit to those charged
with governance, management of the audited entity, the entity requesting
the audit, and other appropriate officials, preferably in writing.

ally address their planned
       work and reporting responsibilities related to testing internal
       control over financial reporting and compliance with laws,
       regulations, and provisions of contracts or grant agreements. During
       the planning stages of an audit, auditors should communicate their
       responsibilities for testing and reporting on internal control over
       financial reporting and compliance with laws, regulations, and
       provisions of contracts or grant agreements. Auditors should also
       communicate the nature of any additional testing of internal control
       and compliance required by laws, regulations, and provisions of
       contracts or grant agreements, or otherwise requested, and whether the
       auditors will provide opinions on internal control over financial
       reporting and compliance with laws, regulations, and provisions of
       contracts or grant agreements.
er
       financial reporting and compliance with laws, regulations, and
       provisions of contracts or grant agreements in a financial statement
       audit contribute to the evidence supporting the auditors' opinion on
       the financial statements or other conclusions regarding financial
       data. However, such tests generally are not sufficient in scope to
       provide an opinion on the effectiveness of internal control over
       financial reporting or compliance with laws, regulations, and
       provisions of contracts or grant agreements. To meet certain audit report
users' needs, laws and regulations sometimes prescribe testing and
reporting on internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts and grant agreements to
supplement coverage of these areas.57

4.15 Even after auditors perform and report the results of additional
tests of internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts and grant agreements, those
charged with governance, officials of the audited entity or individuals
contracting for or requesting the audit may desire additional procedures
or reporting. Auditors may meet these needs by performing further tests of
internal control and compliance with laws, regulations, and provisions of
contracts or grant agreements as an attestation engagement (see chapter
6), or a performance audit (see chapters 7 and 8), to achieve these
objectives.

Previous Audits and Attestation Engagements

  the objectives of the audit being undertaken have an impact on the
       current engagement, including whether related recommendations have
       been implemented.
nagement Reform Act of 1994 and the Accountability of Tax Dollars Act of
2002, also have specific audit requirements prescribed by OMB in the areas
of internal control and compliance. In addition, some state and local
governments may have additional audit requirements that the auditors would
need to follow in planning the audit.

taken to address significant findings and recommendations,58 including
those related to significant deficiencies, including material
weaknesses.59

Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from Abuse

4.18 The standard related to violations of contract provisions or grant
agreements or abuse for financial audits performed in accordance with
GAGAS is:

a.
           Auditors should design the audit to provide reasonable assurance
           of detecting misstatements resulting from violations of provisions
           of contracts or grant agreements that have a material effect on
           the determination of financial statement amounts or other
           financial data significant to the audit objectives.

b.
           If during the course of the audit, auditors become aware of
           indications of abuse that could be quantitatively or qualitatively
           material, auditors should apply audit procedures specifically
           directed to ascertain whether material abuse has occurred and the
           potential effect on the financial statements or other financial
           data significant to the audit objectives. Based on the facts and
           circumstances, the auditors may find it helpful to identify
           specific risks, situations, or transactions that are susceptible
           to abuse. In addition, auditors remain alert throughout the audit
           to situations or transactions that could be indicative of abuse.
           However, because the determination of abuse is subjective,
           auditors are not required to provide reasonable assurance of
           detecting abuse.

4.19 Abuse involves behavior that is deficient or improper when compared
with behavior that a prudent person would consider reasonable and
necessary business practice given the facts and circumstances. Abuse also
includes misuse of authority or position for personal financial interests
or those of an immediate or close family member

58 Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors' work and the
auditors' conclusions and recommendations about those results.

59 See paragraph 5.13 for definitions of significant deficiency and material
weakness.

or business partner. Abuse is distinct from fraud, illegal acts, and
violations of provisions of contracts or grant agreements in that abuse
does not necessarily involve violation of laws, regulations, or provisions
of a contract or grant agreement. If auditors encounter such situations,
they should assess the risk of whether these situations or transactions
could be indicative of qualitatively or quantitatively material abuse.
When information comes to the auditors' attention (through audit
procedures, allegations received through a fraud hotline, or other means)
indicating that material abuse may have occurred, auditors should perform
audit procedures, as necessary, to (1) determine whether the abuse
occurred and, if so, (2) determine its effect on the financial statements
or other financial data. Auditors assess both quantitative and qualitative
factors in making judgments regarding the materiality of possible abuse.

4.20 In pursuing indications of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report indications of certain types of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing additional
audit procedures. In cases where an investigation is initiated or in
process, it may be appropriate for the auditors to withdraw from or defer
further work on the engagement or a portion of the engagement to avoid
interfering with an investigation.

Developing Elements of a Finding

ficiencies are identified, auditors should plan audit
       procedures to develop the elements of a finding necessary to achieve
       the audit objectives. Audit findings, such as deficiencies in internal
       control, potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse, contain the elements of
       criteria, condition, cause, and effect or potential effect. Thus, a
       finding or set of findings is complete to the extent that the auditors
       believe that the audit objectives are satisfied. (See paragraph
  provides the principal support for the statement in the auditor's
           report that the auditor performed the audit in accordance with
           GAGAS and any other standards cited, and

b.
           provides the principal support for the auditors' conclusions.

      documentation alone does not guarantee audit quality, the process of
       preparing sufficient and appropriate documentation contributes to the
       quality of an audit.
latory requirements, (c) the environment in which
the entity operates, and (d) auditing and financial reporting issues
relevant to the audited entity's environment.

d. the conclusions reached on significant matters.

4.25 In addition to the audit documentation requirements listed in the
previous paragraph, the auditor should document the following for
financial audits performed under GAGAS:

a.
           the objectives, scope, and methodology of the audit, and

b.
           evidence of supervisory review, before the audit report is issued,
           of the work performed that supports findings, conclusions, and
           recommendations contained in the audit report.

by the auditor to clarify or explain
       information contained in the audit documentation. It is, however,
       neither necessary nor practicable to document every matter the auditor
       considers during the audit.
vidence obtained),
       and the basis for the final conclusions reached. Judging the
       significance of a finding or issue requires an objective analysis of
       the facts and circumstances.
the date of such
           review.

 achieve the objectives of the requirements. The auditor
       should also follow the requirements in paragraphs 1.13 through 1.15.
61 from the report release date.

s quality control policies may state a specific time in
       which the assembly process should be completed.
assembling procedures such as deleting or
           discarding superseded documentation and sorting, collating, and
           cross-referencing final audit documentation,

c.
           sign-off on audit documentation completion checklists prior to
           completing and archiving the audit documentation, and

d.
           add information received after the date of the report, for
           example, an original document that was previously faxed.

4.37 After the documentation completion date, the auditors must not delete
or discard audit documentation before the end of the specified retention
period, as discussed in paragraph 4.34. When the auditor finds it
necessary to make an addition (including

61 The five-year requirement is from AICPA Statement on Auditing Standards
No. 103, Audit Documentation.

62 The 60-day requirement is from AICPA Statement on Auditing Standards No.
103, Audit Documentation.

amendments) to audit documentation after the documentation completion
date, the auditor should document the addition by including the following
in the documentation:

a.
           when and by whom such additions were made and, where applicable,
           reviewed,

b.
           the specific reasons for the changes, and

c.
           the effect, if any, of the changes on the auditors' conclusions.

, of the evidence supporting the auditors'
       significant judgments and conclusions. If audit documentation is
       retained only electronically, the audit organization should safeguard
       the electronic documentation through sound computer security so that
       it is capable of being accessed throughout the specified retention
       period established for audit documentation.
ation available, upon request, in a timely manner to other
       auditors or reviewers. It is also essential that contractual
       arrangements for GAGAS audits provide for full and timely
       access to audit staff and individuals, as well as audit documentation
without restriction to facilitate reliance by other auditors or reviewers
on the auditors' work.

4.41 Consistent with applicable laws and regulations, audit organizations
should develop clearly defined policies and criteria to deal with
situations where requests are made by outside parties to obtain access to
audit documentation. The audit organization should include in its policies
and procedures guidance for dealing with situations where an outside party
attempts to obtain indirectly through the auditor information that it is
unable to obtain directly from the audited entity and how to respond to
requests for access to audit documentation before the audit is complete.
The audit organization should also include flexibility in its policies and
procedures to consider the individual facts and circumstances surrounding
such requests, for instance, cases when granting access or providing
certain information could adversely affect the audit organization's
ability to successfully perform similar audits in the future.

               Chapter 5 Reporting Standards for Financial Audits

                                  Introduction

   related statements on auditing standards unless specifically excluded
       or modified by GAGAS.63 This chapter identifies the AICPA reporting
       standards and prescribes additional standards for financial audits
       performed in accordance with GAGAS.
ndards of reporting are as
follows:64

[AICPA is currently in the process of revising the reporting standards to
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]

a. The report shall state whether the financial statements are presented
in accordance with generally accepted accounting principles.

To date, the Comptroller General has not excluded any reporting standards
or SASs.

64 See AICPA Professional Standards, AU 410 - 431 and 504.

b.
           The report shall identify those circumstances in which such
           principles have not been consistently observed in the current
           period in relation to the preceding period.

c.
           Informative disclosures in the financial statements are to be
           regarded as reasonably adequate unless otherwise stated in the
           report.

d.
           The report shall either contain an expression of opinion regarding
           the financial statements, taken as a whole, or an assertion to the
           effect that an opinion cannot be expressed. When an overall
           opinion cannot be expressed, the reasons should be stated. In all
           cases where an auditor's name is associated with financial
           statements, the report should contain a clear-cut indication of
           the character of the auditor's work, if any, and the degree of
           responsibility the auditor is taking.

Additional GAGAS Reporting Standards for Financial Audits

5.04 GAGAS establish additional reporting standards for financial audits
in addition to the requirements contained in the AICPA SAS. Auditors
should comply with these additional standards when citing GAGAS in their
audit reports. The additional GAGAS standards relate to:

a.
           reporting auditors' compliance with GAGAS (see paragraphs 5.05
           through 5.07);

b.
           reporting on internal control and on compliance with laws,
           regulations, and provisions of contracts or grant agreements (see
           paragraphs 5.08 through 5.11);

c.
           reporting deficiencies in internal control, potential fraud,
           illegal acts, violations of provisions of contracts or grant
           agreements, or abuse (see paragraphs 5.12 through 5.27);

d.
           emphasizing significant matters in the auditors' report (see
           paragraphs 5.28 through 5.31);

e.
           reporting on restatement of previously-issued financial statements
           (see paragraphs 5.32 through 5.38);

f.
           reporting views of responsible officials (see paragraphs 5.39
           through 5.44);

g.
           reporting privileged and confidential information (see paragraphs
           5.45 through 5.47); and

h.
           issuing and distributing reports (see paragraphs 5.48 through
           5.51).

Reporting Auditors' Compliance with GAGAS

ors comply with all applicable GAGAS standards, they should
       include a statement in the audit report that they performed the audit
       in accordance with GAGAS.
separate report conforming only to the requirements of
       AICPA or other standards. When a GAGAS audit is the basis for an
       auditors' subsequent report under the other standards, the auditors
       should consider including a reference to the GAGAS report, as that
       report will contain additional information on internal control,
       compliance with laws, regulations, and provisions of contracts or
       grant agreements, potential fraud, or abuse that GAGAS require.

Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements

ests or an opinion, if sufficient work was
       performed, or (2) reference to the separate report(s) containing that
       information. If auditors report separately, they should include a
       reference to the separate report containing this information in their
       opinion or disclaimer report and state that the separate report is an
       integral part of the audit and important for assessing the results of
       the audit.
ts or grant agreements. Auditors
       should also indicate in the report whether or not the tests they
       performed provided sufficient evidence to support an opinion on the
       effectiveness of internal control over financial reporting and on
       compliance with laws, regulations, and provisions of contracts or
       grant agreements.
 standalone
       report.
ements that they are issuing those additional
       reports. They also should state that the reports on internal control
       over financial reporting and compliance with laws and regulations and
       provisions of contracts or grant agreements are an integral part of a
       GAGAS audit and important for assessing the results of the audit.

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse

5.12 For financial audits, including audits of financial statements in
which auditors provide an opinion or disclaimer, auditors should report,
as applicable to the objectives of the audit, (1) deficiencies in internal
control considered to be material weaknesses or other significant
deficiencies, (2) all instances of potential fraud and illegal acts unless
clearly inconsequential,65 and (3) material violations of provisions of
contracts or grant agreements or abuse. In some circumstances, auditors
should report potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to parties external to
the audited entity when other requirements provide for such reporting.

Reporting Deficiencies in Internal Control

5.13 For all financial audits, auditors should report deficiencies in
internal control considered to be significant deficiencies, including
material weaknesses, as follows:

65

If the auditor is performing an audit in accordance with OMB Circular No.
A-133, Audits of States, Local Governments, and Non-Profit Organizations,
the thresholds for reporting are defined in the circular. Those reporting
thresholds are sufficient to meet the requirements of GAGAS.

a.
           A significant deficiency is a deficiency in internal control, or
           combination of deficiencies, that adversely affects the entity's
           ability to initiate, authorize, record, process, or report
           financial data reliably in accordance with generally accepted
           accounting principles such that there is more than a remote66
           likelihood that a misstatement of the entity's financial
           statements that is more than inconsequential67 will not be
           prevented or detected.

b.
           A material weakness is a significant deficiency, or combination of
           significant deficiencies, that results in more than a remote
           likelihood that a material misstatement of the financial
           statements will not be prevented or detected.

5.14 If control deficiencies are identified, an important part of the
assessment is the consideration of significance of those deficiencies. In
addition to qualitative considerations, auditors evaluate the following
when concluding about the significance of a deficiency in internal
control:

a.
           the likelihood that a deficiency, or combination of deficiencies,
           could result in a misstatement of an account balance or
           disclosure, and

b.
           the magnitude of the potential misstatement resulting from the
           deficiency or deficiencies.

5.15 Auditors should include all material weaknesses and other significant
deficiencies in the auditors' report on internal control over financial
reporting. (See appendix A.03 for examples of matters that may be
significant deficiencies, including material weaknesses.)

66

The term "more than remote" used in the definitions for significant
deficiency and material weakness means "at least reasonably possible." The
following definitions apply. (1) Remote--The chance of the future events or
their occurrence is slight. (2) Reasonably possible--The chance of the
future events or their occurrence is more than remote but less than
likely. (3) Probable--The future events are likely to occur.

67

"More than inconsequential" indicates an amount that is less than
material, yet has significance. A misstatement is "inconsequential" if a
reasonable, objective person would conclude that the misstatement, either
individually or when aggregated with other misstatements, would clearly be
immaterial to the financial statements. If a reasonable, objective person
could not reach such a conclusion, that misstatement is "more than
inconsequential."

5.16 To the extent necessary to achieve the audit objectives, in
presenting audit findings such as deficiencies in internal control,
auditors should develop the elements of criteria, condition, cause, and
effect to assist management or oversight officials of the audited entity
in understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding, they
should provide recommendations for corrective action. Following is
guidance for reporting on elements of findings:

a.
           Criteria: The required or desired state or what is expected from
           the program or operation. The criteria are easier to understand
           when stated objectively, explicitly, and completely, and the
           source of the criteria is identified in the audit report.68

b.
           Condition: What the auditors found regarding the actual situation.
           Reporting the scope or extent of the condition allows the report
           user to gain an accurate perspective.

c.
           Cause: Evidence on the factor or factors responsible for the
           difference between condition and criteria. In reporting the cause,
           auditors may consider whether the evidence provides a reasonable
           and convincing argument for why the stated cause is the key factor
           or factors contributing to the difference as opposed to other
           possible causes, such as poorly designed criteria or factors
           uncontrollable by program management. The auditors also may
           consider whether the identified cause could serve as a basis for
           the recommendations. Often the causes of deficiencies in internal
           control are complex and involve multiple factors. In some cases,
           it may not be practical for auditors to fully develop or identify
           the causes of deficiencies. However, analyzing and identifying
           root causes of internal control deficiencies is key to making
           recommendations for corrective action.

68

Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on
the federal internal control standards, provides a systematic, organized,
and structured approach to assessing internal control.

d. Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the auditors
found (condition) and the required or desired state (criteria). Effect is
easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported effect
can be demonstrated through credible evidence.

ect deficiencies in internal control that are not
       significant deficiencies (or material weaknesses) they should
       communicate those deficiencies separately in a management letter to
       officials of the audited entity unless the deficiencies are clearly
       inconsequential considering both quantitative and qualitative factors.
       Auditors should refer to that management letter (or to a management
       letter to be issued) in the report on internal control. Auditors use
       professional judgment when deciding whether or how to communicate to
       officials of the audited entity deficiencies in internal control that
       are clearly inconsequential. Auditors should include in their audit
       documentation evidence of communications to officials of the audited
       entity about deficiencies in internal control found during the audit.

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse

5.19 Under AICPA standards and GAGAS, auditors should address the effect
potential fraud or illegal acts may have on the audit report and
determine that those charged with governance are adequately informed about
the potential fraud or illegal acts. Under GAGAS, auditors should provide
this information in writing and also include reporting on (1) violations
of provisions of contracts or grant agreements that have a material effect
on the determination of financial statement amounts or other financial
data significant to the audit, and (2) abuse that is material, either
quantitatively or qualitatively.69 Therefore, when auditors conclude, on
the basis of evidence obtained, that any of the following either has
occurred or is likely to have occurred,70 they should include in their
audit report the relevant information about71

a.
           potential fraud and illegal acts that are greater than
           inconsequential;

b.
           material violations of contracts or grant agreements; or

c.
           material abuse.

5.20 When reporting instances of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
place their findings in perspective by describing the extent of the work
performed that resulted in the finding. To give the reader a basis for
judging the prevalence and consequences of these findings, auditors may
relate the instances identified to the population or to the number of
cases examined and quantify the results in terms of dollar value, as
appropriate. If the results cannot be projected, auditors should limit
their conclusions appropriately.

69

See paragraph 4.19 for a discussion of abuse.

70

Whether a particular act is, in fact, illegal may have to await final
determination by a court of law or other adjudicative body. Thus, when
auditors disclose matters that have led them to conclude that an illegal
act is likely to have occurred, they do not make a final determination of
illegality.

71

Auditors include information about fraud or abuse in the audit reports
required by paragraph 5.08 as applicable to internal control and
compliance with laws, regulations, and provisions of contracts and grant
agreements.

itors
       should develop in their report the elements of criteria, condition,
       cause, and effect when potential fraud, illegal acts, violations of
       provisions of contracts or grant agreements, or abuse is found. The
       guidance for reporting deficiencies in internal control in paragraph
       5.16 is designed to assist auditors in developing the elements of
       their findings.
    of the audited entity potential fraud, illegal acts, violations of
       provisions of contracts or grant agreements, or abuse that is clearly
       inconsequential. Auditors should include in their audit documentation
       evidence of communications to officials of the audited entity about
       potential fraud, illegal acts, violations of provisions of contracts
       or grant agreements, or abuse found during the audit.
ents, or abuse directly to
       parties outside the audited entity in two circumstances, as discussed
       below.72 This reporting is in addition to any legal requirements for
       direct reporting of potential fraud, illegal acts, violations of
       provisions of contracts or grant agreements, or abuse. Auditors should
       follow these requirements even if they have resigned or been dismissed
       from the audit prior to its completion.
grant agreements, or abuse directly to the external party specified
       in the law or regulation.
management fails to take remedial steps.
       When auditors conclude that such failure is likely to cause them to
       depart from the standard report on the financial statements or resign
       from the audit, they should communicate that conclusion to those
       charged with governance of the audited entity. If the audited entity
       does not report the potential fraud, illegal act, violation of
       provisions of contracts or grant agreements, or abuse in a timely
       manner to the entity that provided the government assistance, the
       auditors should report the potential fraud, illegal act, violation of
       provisions of contracts or grant agreements, or abuse directly to the
       awarding entity.

72

Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy. See paragraph
3.19 for reporting requirements for internal audit organizations when
reporting externally.

5.27 Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by management
that it has reported potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse. When auditors are
unable to do so, they should report such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly as discussed above.

Emphasizing Significant Matters in the Auditors' Report

r in the auditors' report. Such explanatory material is presented
       in a separate paragraph or separate section of the auditors' report.
       Examples of matters that auditors should consider emphasizing when
       they become aware that such issues exist include the following:

73 See AICPA Professional Standards, AU 508.19

a.
           Concerns or significant uncertainties about the fiscal
           sustainability of a government or program or other matters that
           could have a significant impact on the financial condition or
           operations of the government entity.74 Such concerns or
           uncertainties may arise due to revenue and/or expenditure trends;
           economic dependency on other governments or other entities; the
           government's current commitments, responsibilities, liabilities,
           or promises to citizens for future benefits that are not
           sustainable over the long-term; deficit trends; the relationship
           between the financial information and other key indicators; and
           other significant risks and uncertainties that call into question
           the long-term sustainability of current government programs in
           relation to the resources expected to be available.

b.
           Unusual or catastrophic events that will likely have a significant
           ongoing or future impact on the government's financial condition
           or operations.

c.
           Significant uncertainties surrounding projections or estimations
           in the financial statements.

d.
           Any other matter that the auditors consider significant for
           communication in the auditors' report to users and oversight
           bodies.

iously-Issued Financial Statements

5.32 Auditors have professional responsibilities when they become aware of
actual or potential misstatements that might have affected their report on
previously-issued financial statements. Under both AICPA standards75 and
GAGAS, auditors have the following responsibilities related to (1)
potential material misstatements in previously-issued financial statements,
and (2) restatement76 of the previously-issued financial statements:

a.
           Auditors should determine if the previously-issued financial
           statements were materially misstated and should request
           management's cooperation in making this determination.

b.
           Auditors should determine if (a) the misstatement(s) may affect
           the auditors' report on the previously-issued financial statements
           and, (b) persons are currently relying or likely to rely on the
           financial statements.

c.
           Auditors should advise the audited entity to disclose the
           misstatement(s) and the related financial statement impact to
           persons relying or likely to rely on the financial statements and
           related auditors' report.

d.
           Auditors should determine whether the audited entity has
           appropriately disclosed the misstatement(s).

75

See AICPA Professional Standards, AU 561, "Subsequent Discovery of Facts
Existing at the Date of the Auditor's Report."

76

As used in this standard, restatement means the correction of an error(s)
in previously-issued financial statement(s).

e. When the audited entity refuses to disclose the misstatement(s), then:

(1)
           auditors should notify those charged with governance of the
           entity's refusal to disclose the misstatement,

(2)
           auditors should notify the audited entity that the related
           auditors' report can no longer be relied upon or associated with
           the previously-issued financial statements, and

(3)
           auditors should notify oversight or regulatory agencies that have
           jurisdiction over the audited entity and persons known to be
           relying on the financial statements that the auditors' report can
           no longer be relied upon.

ely misstatement(s) in
       previously-issued audited financial statements may lead auditors to
       believe that the auditors' report would or could reasonably have been
       affected if they had known of the misstatements when they issued the
       auditors' report. When this condition exists, auditors should advise
       management to communicate the following information to those charged
       with governance, oversight bodies, funding agencies, and others who
       are relying or are likely to rely on the financial statements:

a.
           The nature and cause(s) of the known or likely material
           misstatement(s).

b.
           The amount(s) of known or likely material misstatement(s) and the
           related effect(s) on the previously-issued financial statements
           (e.g., disclosure of the specific financial statement(s) and line
           item(s) affected). If this information is not known, then the
           disclosure includes information that is known and a statement that
           management cannot determine the amount(s) and the related effect(s)
           on the previously-issued financial statements without further
           investigation.

c.
           A notice that (1) previously-issued financial statements will or
           may be restated and, therefore, (2) the related auditors' report is
           no longer reliable.

5.35 Auditors should review the adequacy of management's communication
information about the known or potential material misstatement(s) to
report users, including those charged with governance, oversight bodies
and funding agencies. When performing this review, auditors consider
whether:

a.
           management acted timely to determine the financial statement
           effects of the potential material misstatement(s),

b.
           management acted timely to communicate with appropriate parties,
           and

c.
           management disclosed the nature and extent of the known or likely
           material misstatement(s) on Internet pages where the agency's
           previously-issued financial statements are published.

Auditors should notify those charged with governance if they believe that
management is unduly delaying its determination of the effect(s) of the
misstatement(s) on previously-issued financial statements.

5.36 Also, auditors should evaluate the timeliness and appropriateness of
management's decision whether to issue restated financial statements.
Management may separately issue the restated financial statements or may
present the restated financial statements on a comparative basis with
those of a subsequent period. Ordinarily, auditors would expect management
to issue restated financial statements as soon as practicable. However, it
may not be necessary for management to separately issue the restated
financial statements and auditors' report when issuance of the
subsequent-period audited financial statements is imminent.77

5.37 When management restates previously-issued financial statements,
auditors should perform audit procedures sufficient to reissue or update
the auditors' report on the restated financial statements. Auditors should
fulfill these responsibilities whether the restated financial statements
are separately issued or presented on a comparative basis with those of a
subsequent period. Auditors should include the following information in an
explanatory paragraph in the reissued or updated auditors' report on the
re-issued financial statements:

a.
           a statement disclosing that the previously-issued financial
           statement(s) have been restated,

b.
           a statement that the previously-issued financial statements were
           materially misstated and that the previously-issued auditors'
           report (include report date) is withdrawn and replaced by the
           auditors' report on the restated financial statement(s), and

c.
           a reference to the note(s) to the restated financial statements
           that discusses the restatement, including

(1)
           the nature and cause(s) of the misstatement(s) that led to the
           need for restatement, and

(2)
           the specific amount(s) of the material misstatement(s) and the
           related effect(s) on the previously-issued financial statements
           (e.g., the specific financial statement(s) affected and line items
           restated) and the impact on the current-year financial statements.

d.
           A discussion of any significant internal control deficiency that
           failed to prevent or detect the misstatement and what action
           management has taken about the deficiency.

77

For purposes of this standard, imminent means within 90 days of
determining the effect of the misstatement(s) on the previously-issued
financial statements.

5.38 Auditors should notify those charged with governance, oversight
bodies, and funding agencies when management (1) does not take the
necessary steps to promptly inform report users of the situation or (2)
does not restate with appropriate timeliness the financial statements in
circumstances when auditors believe they need to be restated. Auditors
should inform these parties that the auditors will take steps to prevent
future reliance on the auditors' report. The steps taken will depend on
the facts and circumstances, including legal considerations.

Reporting Views of Responsible Officials

rs' report discloses deficiencies in internal control,
       potential fraud, illegal acts, violations of provisions of contracts
       or grant agreements, or abuse, auditors should obtain and report the
       views of responsible officials concerning the findings, conclusions,
       and recommendations, as well as planned corrective actions.
2. One of the most effective ways to provide a report that is fair,
       complete, and objective is to provide a draft report for review and
       comment by responsible officials of the audited entity and others, as
       appropriate. Including the views of responsible officials results in a
       report that presents not only the significant deficiencies in internal
       control, potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse the auditors identified, but
       also the perspectives of the responsible officials of the audited
       entity and the corrective actions they plan to take. Auditors should
       include in their report a copy of the officials' written comments
       and/or a summary of the comments received. In cases where the audited
       entity provides technical comments in addition to its written comments
       on the report, auditors use professional judgment in determining
       whether to include such comments or disclose in the report that such
       comments were provided.
 in some cases,
       may be the most expeditious way to obtain comments. Obtaining oral
       comments can be effective when, for example, there is a time-critical
       reporting date to meet a user's needs; auditors have worked closely
       with the responsible officials throughout the conduct of the work and
       the parties are familiar with the findings and issues addressed in the
       draft report; or the auditors do not expect major disagreements with
       the draft report's findings, conclusions, and recommendations, or
       perceive any major controversies with regard to the issues discussed
       in the draft report. If oral comments are provided by the responsible
       officials, auditors should prepare a summary of the oral comments and
       provide a copy of the summary to the responsible officials to verify
       that the comments are accurately stated prior to finalizing the
       report.
  comments, as appropriate, in the final report. Auditors may note
       comments, such as a plan for corrective action, but should not accept
       them as justification for dropping a finding or a related
       recommendation without sufficient and appropriate evidence.
 conclusions, or recommendations, and are not, in the auditors'
       opinion, valid, or when planned corrective actions do not adequately
       address the auditors' recommendations, the auditors should state
       objectively their reasons for disagreeing with the comments or planned
       corrective actions. Conversely, the auditors should modify their
       report as necessary if they find the comments valid.
omitted and the requirement that makes the
       omission necessary.
formation
       and distribute the report only to persons authorized by law or
       regulation to receive it. Additional circumstances associated with
       public safety and security concerns could also justify the exclusion
       of certain information in the report. For example, detailed
       information related to computer security for a particular program may
       be excluded from publicly available reports because of the potential
       damage that could be caused by the misuse of this information. In such
       circumstances, auditors may issue a limited-official-use report
       containing such information and distribute the report only to those
       parties responsible for acting on the auditors' recommendations. The
       auditors may consult with legal counsel regarding any requirements or
       other circumstances that may necessitate the omission of certain
       information.
ring or arranging for the
audits, including external funding organizations78 such as legislative
bodies, unless legal restrictions prevent it. Auditors should also send
copies of the reports to other officials who have legal oversight
authority or who may be responsible for acting on audit findings and
recommendations and to others authorized to receive such reports. Auditors
should clarify whether the report will be made available for public
inspection. If the subject of the audit involves material that is
classified for security purposes or not releasable to particular parties
or the public for other valid reasons, auditors may limit the report
distribution.79 Auditors should document any limitation on report
distribution.

ry requirements for distribution. The head of the internal
       audit organization should disseminate results to the appropriate
       parties. The head of the internal audit organization is responsible
       for communicating the final results to parties who are in a position
       to take appropriate corrective actions. Distribution of reports
       outside the organization ordinarily is made only in accordance with
       applicable laws, rules, regulations, or policy.
 of Management and Budget
(OMB) Circular No. A-133 on single audits for the distribution of reports
on single audits of state and local governmental entities and nonprofit
organizations that receive federal awards.

79

See paragraphs 5.45 through 5.47 for additional guidance on limited report
distribution when reports contain privileged or confidential information.

audit, and other appropriate officials about the termination of the audit,
preferably in writing. Auditors should document this communication.

     Chapter 6 General, Field Work, and Reporting Standards for Attestation
                                  Engagements

  Introduction

ed
       statements on standards for attestation engagements (SSAE), unless
       specifically excluded or modified by GAGAS.80 This chapter identifies
       the AICPA general standard on criteria,81 field work and reporting
       standards for attestation engagements and prescribes additional
       standards for attestation engagements performed in accordance with
       GAGAS.
 not excluded any field work
standards, reporting standards, or SSAEs.

81

GAGAS incorporate only one of the AICPA general standards for attestation
engagements.

up-to-date AICPA standards in the final 2006 Revision of Government
Auditing Standards.]

The practitioner [auditor] shall perform an engagement only if he or she
has reason to believe that the subject matter is capable of evaluation
against criteria that are suitable and available to users.

6.05 The two AICPA field work standards for attestation engagements are as
follows:

[AICPA is currently in the process of revising the field work standards to
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]

a.
           The work shall be adequately planned and assistants, if any, shall
           be properly supervised.

b.
           Sufficient evidence shall be obtained to provide a reasonable
           basis for the conclusion that is expressed in the report.

Additional Considerations for Attestation Engagements in Government

station engagements in government is the
       reporting of deficiencies in internal control related to the subject
       matter or objectives of the engagement so that the entity can take
       corrective actions necessary under the circumstances. (See paragraphs
       6.49 through 6.53.) In an attestation engagement, a deficiency in
       internal control exists when the design or operation of a control does
       not allow management or employees, in the normal course of performing
       their assigned functions, to prevent errors in assertions made by
       management on a timely basis. A deficiency in design exists when (a) a
       control necessary to meet the control objective is missing or (b) an
       existing control is not properly designed so that, even if the control
       operates as designed, the control objective is not met. A deficiency
       in operation exists when a properly designed control does not operate
       as designed, or when the person performing the control does not
       possess the necessary authority or qualifications to perform the
       control effectively.

  Additional GAGAS Field Work Standards for Attestation Engagements

6.08 GAGAS establish attestation engagement field work standards in
addition to the requirements contained in the AICPA SSAE. Auditors should
comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS field work standards
relate to:

a.
           auditor communication (see paragraphs 6.09 through 6.11);

b.
           previous audits and attestation engagements (see paragraphs 6.12
           through 6.13);

c.
           internal control (see paragraphs 6.14 through 6.16);

d.
           detecting potential fraud, illegal acts, violations of contract
           provisions or grant agreements, or abuse that could have a
           material effect on the subject matter (see paragraphs 6.17 through
           6.22);

e.
           developing elements of findings for attestation engagements
           (paragraph 6.23); and

f.
           attest documentation (see paragraphs 6.24 through 6.43).

Auditor Communication

e parties involved may be misinterpreted. During the planning
       stages of an attestation engagement, auditors also should report (1)
       the nature, timing, and extent of testing and reporting, and (2) the
       level of assurance provided. Auditors use professional judgment when
       determining the form, content, and frequency of the communication.
       Auditors may use an engagement letter or a proposal, if appropriate,
       to communicate the information. If the attestation engagement is part
       of a larger audit, this information may be communicated as part of
       that audit.
he entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying the appropriate
individuals to receive the required auditor communications. (See appendix,
paragraph A1.02 for additional information.)

audit, such as contracting officials or members or staff of legislative
committees, in addition to communicating with the audited entity. When
auditors are performing the audit pursuant to a law or regulation and they
are conducting the work directly for the legislative committee who has
oversight for the audited entity, auditors should communicate with the
members or staff of that legislative committee. Auditors should coordinate
communications with the responsible government audit organization and/or
management of the audited entity. If an audit is terminated before it is
completed, auditors should write a memorandum for the audit documentation
that summarizes the results of the work and explains the reasons why the
audit was terminated. In addition, depending on the facts and
circumstances, auditors should consider the need to communicate the reason
for terminating the audit to those charged with governance, management of
the audited entity, the entity requesting the audit, and other appropriate
officials, preferably in writing.

Previous Audits and Attestation Engagements

ngagement being
       undertaken and ask management of the audited entity to identify
       corrective actions taken to address significant findings and
       recommendations,83 including those related to significant
       deficiencies, including material weaknesses.84

83

Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors' work and the
auditors' conclusions and recommendations about those results.

84

See paragraph 6.50 for definitions of significant deficiency and material
weakness.

Internal Control

ing of internal control85 as it
       relates to the subject matter or assertion to which the auditors are
       attesting. The subject matter or assertion may be financial or
       nonfinancial, and internal control material to the subject matter or
       assertion the auditors are testing may relate to:

a.
           effectiveness and efficiency of operations, including the use of
           an entity's resources;

b.
           reliability of financial reporting, including reports on budget
           execution and other reports for internal and external use;

c.
           compliance with applicable laws and regulations, provisions of
           contract, or grant agreements; and

d.
           safeguarding of assets.

6.16 A deficiency in internal control exists when the design or operation
of a control does not allow management or employees, in the normal course
of performing their assigned functions, to prevent or detect errors in
assertions made by management on a timely basis. A deficiency in design
exists when (a) a control necessary to meet the control objective is
missing or (b) an existing control is not properly designed so that, even
if the control operates as designed, the control objective is not met. A
deficiency in operation exists when a properly designed control does not
operate as designed, or when the person performing the control does not
possess the necessary authority or qualifications to perform the control
effectively.

85 Although not applicable to attestation engagements, the AICPA SASs may
provide useful guidance related to internal control for auditors
performing attestation engagements in accordance with GAGAS. In addition,
auditors performing attestation engagements may wish to refer to the
internal control guidance published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). The Standards for
Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: Nov. 1999), which incorporates the relevant guidance developed by
COSO, provides definitions and fundamental concepts pertaining to internal
control at the federal level and may be useful to auditors at any level of
government. The related Internal Control Management and Evaluation Tool,
GAO-01-1008G (Washington, D.C.: Aug. 2001) based on the federal internal
control standards, provides a systematic, organized, and structured
approach to assessing internal control.

Detecting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse That Could Have a Material Effect
on the Subject Matter

6.17 The standard related to potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse for attestation
engagements performed in accordance with GAGAS is:

a.
           In planning examination-level attestation engagements, auditors
           should design the engagement to provide reasonable assurance of
           detecting potential fraud, illegal acts, or violations of
           provisions of contracts or grant agreements that could have a
           material effect on the subject matter or assertion of the
           attestation engagement.

b.
           In planning review-level attestation engagements, auditors should
           be alert to situations or transactions that may be indicative of
           potential fraud, illegal acts, and violations of provisions of
           contracts or grant agreements.

c.
           In agreed-upon-procedures-level engagements, auditors perform
           limited testing in order to issue a report of finding based on
           specific procedures performed on a subject matter. Therefore,
           auditors are not expected to provide assurance of detecting
           potential fraud, illegal acts, or violations of contract or grant
           agreements for these types of engagements.

d.
           Auditors conduct the attestation engagement with the mindset that
           recognizes the possibility that a material misstatement in
           management's assertion could be present.

However, absolute assurance is not attainable and thus even a properly
planned and performed examination-level attestation engagement may not
detect a material misstatement resulting from fraud.

e. For all types of attestation engagements, auditors remain alert to
situations or transactions that may be indicative of material abuse and
follow the requirements in 6.20 through 6.21.

6.18 For examination-level attestation engagements, auditors design the
engagement to provide reasonable assurance of detecting fraud86, illegal
acts, or violations of provisions of contracts or grant agreements that
have a material effect on the subject matter or assertion of the
attestation engagement. Auditors should assess the risk and possible
effects of material fraud, illegal acts, or violations of provisions of
contracts or grant agreements on the subject matter or assertion of the
attestation engagement. Auditors should document their assessment of risk,
and when risk factors are identified, auditors should also document:

a.
           those risk factors identified,

b.
           the auditors' response to those risk factors, individually or in
           combination, and

c.
           the auditors' conclusions.

6.19 For attestation engagements involving review-level reporting,
auditors are alert to situations or transactions that may be indicative of
potential fraud, illegal acts, or violations of provisions of contracts or
grant agreements. When information comes to the auditors' attention
(through audit procedures, allegations received through fraud hotlines, or
other means) indicating that potential fraud, illegal acts, or violations
of provisions of contracts or grant agreements that could materially
affect the results of the attestation engagement exist, auditors should
apply the audit steps and procedures, as necessary, to (1) determine if
potential fraud, illegal acts, or violations of provisions of contracts or
grant agreements are likely to have occurred and, if so, (2) determine
their effect on the results of the attestation engagement. Because the
scope of review-level engagements is limited, auditors are not expected to
provide reasonable assurance of detecting potential fraud, illegal acts,
or violations of contract or grant agreements for these types of
engagements.

86 Fraud is a type of illegal act involving the obtaining of something of
value through willful misrepresentation. Although not applicable to
attestation engagements, the AICPA SASs may provide useful guidance
related to fraud for auditors performing attestation engagements in
accordance with GAGAS.

 if during the course of the
       engagement, auditors become aware of indications of abuse that could
       be quantitatively or qualitatively material, auditors should apply
       audit procedures specifically directed to ascertain whether material
       abuse has occurred and the potential effect on the engagement subject
       matter or objective. Based on the facts and circumstances, auditors
       may find it helpful to identify specific risks, situations, or
       transactions that are susceptible to abuse. In addition, auditors
       remain alert throughout the engagement to situations or transactions
       that could be indicative of abuse. However, because the determination
       of abuse is subjective, auditors are not required to provide
       reasonable assurance of detecting abuse.

acts and circumstances. Abuse
       also includes misuse of authority or position for personal financial
       interest or those of an immediate or close family member or business
       partner. Abuse is distinct from fraud, illegal acts, or violations of
       provisions of contracts or grant agreements in that abuse does not
       necessarily involve violation of laws, regulations, or provisions of a
       contract or grant agreement. If auditors encounter such situations,
       they should assess the risk of whether these situations or
       transactions could be indicative of qualitatively or quantitatively
       material abuse. When information comes to the auditors' attention
       (through attest procedures, allegations received through a fraud
       hotline, or other means) indicating that material abuse may have
       occurred, auditors should perform procedures as necessary to (1)
       determine whether the abuse occurred and, if so, (2) determine its
       potential effect on the results of the attestation engagement.
       Auditors assess both quantitative and qualitative factors in making
       judgments regarding the materiality of possible abuse.

6.22 In pursuing indications of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations, and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report indications of certain types of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing additional
audit procedures. In cases where an investigation is initiated or in
process, it may be appropriate for the auditors to withdraw from or defer
further work on the engagement or a portion of the engagement to avoid
interfering with an investigation.

Developing Elements of Findings for Attestation Engagements

6.23 When deficiencies are identified, auditors should plan audit
procedures to develop the elements of a finding necessary to achieve the
objectives of the attestation engagement. Attest findings, such as
deficiencies in internal control, potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
contain the elements of criteria, condition, cause, and effect. The
elements needed for a finding depend on the objectives of the attestation
engagement. Thus, a finding or set of findings is complete to the extent
that the objectives of the attestation engagement are satisfied. (See
paragraphs 6.49 through 6.53 for a description of deficiencies in internal
control and paragraph 6.51 for a description of the elements of a finding.)

Attest Documentation

6.24 The auditor must prepare attest documentation in connection with each
engagement in sufficient detail to provide a clear understanding of the
work performed (including the nature, timing, extent, and results of
attest procedures performed), the attest evidence obtained and its source,
and the conclusions reached. Attest documentation:

a.
           provides the principal support for the statement in the auditor's
           report that the auditors performed the attestation engagement in
           accordance with GAGAS and any other standards cited, and

b.
           provides the principal support for the auditors' conclusion.

ernal or external
to the audit organization) who possesses the competencies and skills that
would have enabled him or her to perform the attestation engagement. These
competencies and skills include an understanding of (a) attestation
engagement processes, (b) GAGAS and applicable legal and regulatory
requirements, (c) the subject matter that the auditor is engaged to report
on, (d) the suitability and availability of criteria, and (e) issues
related to the audited entity's environment.

b.
           the results of the attest procedures performed and the attest
           evidence obtained,

c.
           how the attest evidence relates to the attestation engagement's
           conclusions, and

d.
           the conclusions reached on significant matters.

6.27 In addition to the attest documentation requirements listed in the
previous paragraph, the auditor should document the following for
attestation engagements performed under GAGAS:

a.
           the objectives, scope, and methodology of the attestation
           engagement;

b.
           evidence of supervisory review, before the attest report is
           issued, of the work performed that supports findings, conclusions,
           and recommendations contained in the attest report; and

c.
           the auditors' consideration that the planned attestation
           procedures are designed to achieve objectives of the attestation
           engagement when (1) evidence obtained is highly dependent on
           computerized information systems, (2) evidence is material to the
           objective of the engagement, and (3) the auditors are not relying
           on the effectiveness of internal control over those computerized
           systems that produced the information. Auditors should document
           (1) the rationale for determining the nature, timing, and extent
           of planned audit procedures; (2) the kinds and competence of
           available evidence produced outside a computerized information
           system, and/or plans for direct testing of data produced from a
           computerized information system; and (3) the effect on the
           attestation engagement report if evidence to be gathered does not
           afford a reasonable basis for achieving the objectives of the
           engagement.

6.28 Auditors should document matters specific to a particular attestation
engagement in the attest documentation file. Certain matters, such as
auditor independence and staff training, that are not engagement specific,
may be documented either centrally in the audit organization or in the
documentation for the attestation engagement.

tent of attest documentation depend on the
       circumstances of the engagement and the attest methodology and tools
       used. Oral explanations on their own do not represent sufficient
       support for the work the auditor performed or conclusions the auditor
       reached but may be used by the auditor to clarify or explain
       information contained in the attest documentation. It is, however,
       neither necessary nor practicable to document every matter the auditor
       considers during the attestation engagement.

reached. Judging the
       significance of a finding or issue requires an objective analysis of
       the facts and circumstances.

s not comply with applicable unconditional or
       presumptively mandatory GAGAS requirements, the auditor should
       document the justification for the departure, the impact on the audit,
       and how alternative procedures performed in the circumstances were
       sufficient to achieve the objectives of the requirements. The auditor
       should also follow the requirements in paragraphs 1.13 through 1.15.

tutes, regulations, or the audit
       organization's quality control policies may state a specific time in
       which the assembly process should be completed.

original document that was previously faxed.

6.39 After the documentation completion date, the auditors must not delete
or discard attest documentation before the end of the specified retention
period, as discussed in paragraph 6.36. When the auditor finds it necessary
to make an addition (including amendments) to attest documentation after
the documentation completion date, the auditor should document the
addition by including the following in the documentation:

a.
           when and by whom such additions were made and, where applicable,
           reviewed,

b.
           the specific reasons for the changes, and

c.
           the effect, if any, of the changes on the auditors' conclusions.

 electronically, the audit organization should safeguard the
       electronic documentation through sound computer security so that it is
       capable of being accessed throughout the specified retention period
       established for attest documentation.

ms of common
       interest so that auditors may use others' work and avoid duplication
       of efforts. Auditors should make appropriate audit staff and
       individuals, as well as attest documentation, available upon request,
       in a timely manner to other auditors or reviewers. It is also
       essential that contractual arrangements for GAGAS attestation
       engagements provide for full and timely access to audit staff and
       individuals, as well as attest documentation, without restriction to
       facilitate reliance by other auditors or reviewers on the auditors'
       work.

tempts to obtain indirectly through the auditor
       information that it is unable to obtain directly from the audited
       entity and how to respond to requests for access to audit
       documentation before the attestation engagement is complete. The audit
       organization should also include flexibility in its policies and
       procedures to consider the individual facts and circumstances
       surrounding such requests, for instance, cases when granting access or
       providing certain information could adversely affect the audit
       organization's ability to successfully perform similar attestation
       engagements in the future.

  AICPA Reporting Standards for Attestation Engagements

6.44 As discussed in paragraph 1.29, the AICPA SSAE provide for different
levels of reporting based on the type of assurance the auditors are
providing.88 The four AICPA reporting standards for all levels of
reporting under attestation engagements are as follows:

[AICPA is currently in the process of revising the reporting standards to
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]

a.
           The report shall identify the subject matter or the assertion
           being reported on and state the character of the engagement.

b.
           The report shall state the practitioner's [auditor's] conclusions
           about the subject matter or the assertion in relation to the
           criteria against which the subject matter was evaluated.

c.
           The report shall state all of the practitioner's [auditor's]
           significant reservations about the engagement, the subject matter,
           and, if applicable, the assertion related thereto.

d.
           The report shall state that the use of the report is restricted to
           specified parties under the following circumstances:89 (1) when
           the criteria used to evaluate the subject matter are determined by
           the practitioner to be appropriate only for a limited number of
           parties who either participated in their establishment or can be
           presumed to have an adequate understanding of the criteria, (2)
           when the criteria used to evaluate the subject matter are
           available only to specified parties, (3) when reporting on subject
           matter and a written assertion has not been provided by the
           responsible party, and (4) when the report is on an attest
           engagement to apply agreed-upon procedures to the subject matter.

88 See AT sections 101.63 - 101.83. For application of this standard in
the government environment, see paragraphs 6.67 through 6.71.

  Additional GAGAS Reporting Standards for Attestation Engagements

6.45 GAGAS establish reporting standards for attestation engagements in
addition to the requirements contained in the AICPA SSAE. Auditors should
comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS standards relate to:

a.
           reporting auditors' compliance with GAGAS (see paragraphs 6.46
           through 6.48);

b.
           reporting deficiencies in internal control, potential fraud,
           illegal acts, violations of provisions of contracts or grant
           agreements, or abuse (see paragraphs 6.50 through 6.57);

c.
           reporting views of responsible officials (see paragraphs 6.58
           through 6.63);

d.
           reporting privileged and confidential information (see paragraphs
           6.64 through 6.66); and

e.
           issuing and distributing reports (see paragraphs 6.67 through
           6.71).

Reporting Auditors' Compliance with GAGAS

ditors
       have complied with all applicable GAGAS general and attestation
       engagement standards, including underlying AICPA standards. If the
       auditors did not follow applicable standards, or were not able to
       follow applicable standards due to access problems or other scope
       limitations, they should follow the requirements in paragraphs 1.13
       through 1.15.

6.48 GAGAS do not prohibit auditors from issuing a separate report
conforming only to the requirements of other standards. When a GAGAS
attestation engagement is the basis for the auditors' subsequent report
under the AICPA or other standards, auditors should consider including a
reference to the GAGAS report, as that report will contain additional
information on internal control, compliance with laws, regulations, and
provisions of contracts or grant agreements, potential fraud, or abuse
that GAGAS require.

Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse

6.49 For attestation engagements, auditors should report, as applicable to
the objectives of the engagement, (1) deficiencies in internal control
considered to be material weaknesses or other significant deficiencies,
(2) all instances of potential fraud and illegal acts unless clearly
inconsequential, and (3) violations of provisions of contracts or grant
agreements or abuse that are material to the subject matter or assertion
of the engagement. In some circumstances, auditors should report potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse directly to parties external to the entity. (See
paragraphs 6.54 through 6.57.)

Reporting Deficiencies in Internal Control

6.50 For all attestation engagements, auditors should report deficiencies
in internal control considered to be significant deficiencies, including
material weaknesses, as follows:

a.
           In attestation engagements, a significant deficiency is a
           deficiency in internal control, or combination of deficiencies,
           that adversely affects the entity's ability to initiate,
           authorize, record, process, or report data reliably in accordance
           with the applicable criteria or framework such that there is more
           than a remote90 likelihood that a misstatement of the subject
           matter or assertion that is more than inconsequential91 will not
           be prevented or detected.

b.
           In attestation engagements, a material weakness is a significant
           deficiency, or combination of significant deficiencies, that
           results in more than a remote likelihood that a material
           misstatement will not be prevented or detected.

6.51 To the extent necessary to achieve the engagement objectives, in
presenting findings such as deficiencies in internal control, auditors
should develop the elements of criteria, condition, cause, and effect to
assist management or oversight officials of the audited entity in
understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding, they
should provide recommendations for corrective action. Following is
guidance for reporting on elements of findings:

a. Criteria: The required or desired state or what is expected from the
program or operation. The criteria are easier to understand when stated
fairly, explicitly, and completely, and the source of the criteria is
identified in the attestation engagement report.92

90 The term "more than remote" used in the definitions for significant
deficiency and material weakness means "at least reasonably possible." The
following definitions apply. (1) Remote: The chance of the future events or
their occurrence is slight. (2) Reasonably possible: The chance of the
future events or their occurrence is more than remote but less than
likely. (3) Probable: The future events are likely to occur.

91 "More than inconsequential" indicates an amount that is less than
material, yet has significance. A misstatement is "inconsequential" if a
reasonable, objective person would conclude that the misstatement, either
individually or when aggregated with other misstatements, would clearly be
immaterial to the financial statements. If a reasonable, objective person
could not reach such a conclusion, that misstatement is "more than
inconsequential."

b.
           Condition: What the auditors found regarding the actual situation.
           Reporting the scope or extent of the condition allows the report
           user to gain an accurate perspective.

c.
           Cause: Evidence on the factor or factors responsible for the
           difference between condition and criteria. In reporting the cause,
           auditors may consider whether the evidence provides a reasonable
           and convincing argument for why the stated cause is the key factor
           or factors contributing to the difference as opposed to other
           possible causes, such as poorly designed criteria or factors
           uncontrollable by program management. The auditors also may
           consider whether the identified cause could serve as a basis for
           the recommendations. Often the causes of deficiencies in internal
           control are complex and involve multiple factors. In some cases,
           it may not be practical for auditors to fully develop or identify
           the causes of deficiencies. However, analyzing and identifying
           root causes of internal control deficiencies is key to making
           recommendations for corrective action.

d.
           Effect or potential effect: A clear, logical link to establish the
           impact or potential impact of the difference between what the
           auditors found (condition) and the required or desired state
           (criteria). Effect is easier to understand when it is stated
           clearly, concisely, and, if possible, in quantifiable terms. The
           significance of the reported effect can be demonstrated through
           credible evidence.

6.52 Auditors should place their findings in perspective by describing the
nature and extent of the issues being reported and the extent of the work
performed that resulted in the finding. To give the reader a basis for
judging the prevalence and consequences of these findings, auditors may
relate the instances identified to the population or the number of cases
examined and quantify the results in terms of dollar value, as
appropriate. If the results cannot be projected, auditors should limit
their conclusions appropriately.

92 Common sources for criteria include laws, regulations, policies,
procedures, best or standard practices. The Standards for Internal Control
in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov.
1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on
the federal internal control standards, provides a systematic, organized,
and structured approach to assessing internal control.

6.53 When auditors detect deficiencies in internal control, potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse that are not material to the subject matter or
assertion, they should communicate those findings in a management letter
to officials of the audited entity unless they are clearly inconsequential
considering both qualitative and quantitative factors. Auditors use
professional judgment in determining whether and how to communicate to
officials of the audited entity deficiencies in internal control,
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse that are clearly inconsequential. Auditors
should include in their attest documentation evidence of communications to
officials of the audited entity about potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.

Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse

6.54 Auditors should report potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse directly to parties
outside the audited entity in two circumstances, as discussed below.93
This reporting is in addition to any legal requirements for direct
reporting of potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse. Auditors should follow these
requirements even if they have resigned or been dismissed from the
attestation engagement prior to its completion.

93 Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy. See paragraph
3.19 for reporting requirements for internal audit organizations when
reporting externally.

ney general. When
       auditors have communicated such potential fraud, illegal acts,
       violations of provisions of contracts or grant agreements, or abuse to
       the audited entity and the entity fails to report them, the auditors
       should communicate such an awareness to the governing body of the
       audited entity. When the audited entity does not make the required
       report as soon as possible after the auditors' communication with
       those charged with governance, the auditors should report such
       potential fraud, illegal acts, violations of provisions of contracts
       or grant agreements, or abuse directly to the external party specified
       in the law or regulation.

ps.
       When auditors conclude that such failure is likely to cause them to
       depart from the standard report on the attestation engagement or
       resign from the engagement, they should communicate that conclusion to
       those charged with governance. If the audited entity does not report
       the potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse in a timely manner to the
       entity that provided the government assistance, the auditors should
       report the potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse directly to the awarding
       entity.

illegal acts,
       violations of provisions of contracts or grant agreements, or abuse,
       auditors should obtain and report the views of responsible officials
       concerning the findings, conclusions, and recommendations, as well as
       planned corrective actions.

    complete, and objective is to provide a draft report for review and
       comments by responsible officials of the audited entity and others, as
       appropriate. Including the views of responsible officials results in a
       report that presents not only the significant deficiencies in internal
       control, potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse the auditors identified, but
       also the perspectives of the responsible officials of the audited
       entity and the corrective actions they plan to take. Auditors should
       include in their report a copy of the officials' written comments
       and/or a summary of the comments received. In cases where the audited
       entity provides technical comments in addition to its written comments
       on the report, auditors use professional judgment in determining
       whether to include such comments or disclose in the report that such
       comments were provided.

ts. Obtaining oral
       comments can be effective when, for example, there is a time-critical
       reporting date to meet a user's needs; auditors have worked closely
       with the responsible officials throughout the conduct of the work and
       the parties are familiar with the findings and issues addressed in the
       draft report; or the auditors do not expect major disagreements with
       the draft report's findings, conclusions, and recommendations, or
       perceive any major controversies with regard to the issues discussed
       in the draft report. If oral comments are provided by the responsible
       officials, auditors should prepare a summary of the oral comments and
       provide a copy of the summary to the responsible officials to verify
       that the comments are accurately stated prior to finalizing the report.

lan for corrective action, but should not accept
       them as justification for dropping a finding or a related
       recommendation without sufficient and appropriate evidence.
corrective actions do not adequately address the
       auditors' recommendations, the auditors should state objectively their
       reasons for disagreeing with the comments or planned corrective
       actions. Conversely, the auditors should modify their report as
       necessary if they find the comments valid.
d or may be otherwise prohibited
       from general disclosure by federal, state, or local laws or
       regulations. In such circumstances, auditors may issue a separate,
       classified or limited-official-use report containing such information
       and distribute the report only to persons authorized by law or
       regulation to receive it. Additional circumstances associated with
       public safety and security concerns could also justify the exclusion
       of certain information in the report. For example, detailed
       information related to computer security for a particular program may
       be excluded from publicly available reports because of the potential
       damage that could be caused by the misuse of this information. In such
       circumstances, auditors may issue a limited-official-use report
       containing such information and distribute the report only to those
       parties responsible for acting on the auditors' recommendations. The
       auditors may consult with legal counsel regarding any requirements or
       other circumstances that may necessitate the omission of certain
       information.

6.66 Auditors consider the broad public interest in the program or
activity under review when deciding whether to exclude certain information
from publicly available reports. When circumstances call for omission of
certain information, auditors should evaluate whether this omission could
distort the engagement results or conceal improper or unlawful practices.

Issuing and Distributing Reports

or
       the engagement, including external funding organizations such as
       legislative bodies, unless legal restrictions prevent it. Auditors
       should also send copies of the reports to other officials who have
       legal oversight authority or who may be responsible for acting on the
       findings and recommendations and to others authorized to receive such
       reports. Auditors should clarify whether the report will be made
       available for public inspection. If the subject matter of the
       attestation engagement involves material that is classified for
       security purposes or not releasable to particular parties or the
       public for other valid reasons, auditors may limit the report
       distribution.94 Auditors should document any limitation on report
       distribution.
res should contain a statement
       indicating it is intended to be used solely by the parties who have
       agreed upon such criteria or procedures, such a statement does not
       necessarily limit the report distribution in a government environment.
 GAGAS, they should clarify report distribution
       responsibilities with the engaging organization. If nongovernment
       auditors are to make the distribution, they should reach agreement
       with the party contracting for the attestation engagement about which
       officials or organizations should receive the report and the steps
       being taken to make the report available to the public.
 laws, rules, regulations, or policy.
tion engagement was terminated. In addition, depending on the
       facts and circumstances, auditors should notify those charged with
       governance, management of the entity, the entity requesting the
       attestation engagement, and other appropriate officials, about the
       termination of the engagement, preferably in writing. Auditors should
       document this communication.

94

See paragraphs 6.64 through 6.66 for additional guidance on limited report
distribution when reports contain privileged or confidential information.

             Chapter 7 Field Work Standards for Performance Audits

Introduction

documentation.
  audits.

  Significance in a Performance Audit

7.04 Auditors use the concept of significance95 throughout a performance
audit. Auditors consider significance when deciding the type and extent of
audit work to perform, when evaluating results of audit work, and when
developing the report. Significance is defined as the relative importance
of a matter within the context in which it is being considered, including
quantitative and qualitative factors. Such factors include relative
magnitude, the nature and effect of the matter, and the needs and
interests of intended users or recipients. Auditors use professional
judgment when considering whether a matter is significant within the
context of the audit objectives. The auditors' consideration is influenced
by the relationship of the matter to the audit objectives and the
auditors' perception of the needs of users of the audit reports.

95

In the performance audit standards, the term "significant" is synonymous
with "material." "Material" is used in the AICPA standards for financial
audits. The term "significant" is used in performance audits where the
term "material" is generally not used.

7.05 When making judgments about significance within the context of the
audit objectives, auditors consider the quantitative or qualitative
factors that make it probable that the auditors' findings, conclusions or
recommendations would be affected by the matter if the matter had been
omitted from the auditors' analysis. When making judgments about
significance to the needs of report users, auditors consider whether it is
probable that the judgment of a reasonable person relying on the auditors'
report would have been changed or influenced if the matter was omitted
from the auditors' analysis and disclosed in the audit report. This
includes the probability that the matter would change or influence the
decisions of intended users of the auditors' report; or, as another
example, where the context is a judgment about whether to report a matter
to those charged with governance, whether the matter would be regarded as
important by those charged with governance in carrying out their duties.
When reporting on the results of their work, auditors should disclose
material or significant facts relevant to the objectives of their work and
known to them which, if not disclosed, could mislead knowledgeable users,
misrepresent the results, or conceal significant improper or unlawful
practices.

  Audit Risk

7.06 Auditors must plan the audit so that the auditors reduce audit risk
to a level that is sufficiently low for the auditors to provide reasonable
assurance that the evidence is sufficient and appropriate to achieve the
audit objectives and support the conclusions reached. This determination
is a matter of professional judgment. Audit risk is the risk that auditors
may provide improper findings, conclusions, recommendations, or assurance
because, for example, the information obtained is not sufficient or not
appropriate, the audit process was inadequate, or intentional omissions or
misleading information existed due to misrepresentation or fraud. Factors
such as the time frames, complexity, or sensitivity of the work, size of
the program in terms of dollar amounts and number of citizens served, and
access to records are considered in the risk determination. Audit risk
involves qualitative and quantitative considerations. A component of audit
risk is the risk that auditors will not detect a mistake, inconsistency,
or significant error in the evidence supporting the audit. Auditors can
reduce the audit risk by using additional evidence, higher quality
evidence and/or alternative forms of evidence. When auditors cannot obtain
alternative forms of evidence, they should clearly describe the scope of
work and any limitations in the underlying information, so that (1)
readers of the auditors' report are provided with a clear understanding as
to what the auditors did or did not do and (2) the findings, conclusions
and recommendations are not misleading. In such cases, auditors should
also follow the guidance in paragraphs 1.06 through 1.15.

  Sufficient, Appropriate Evidence

7.07 The concept of sufficient, appropriate evidence is integral to a
performance audit. Appropriateness is the measure of the quality of
information which encompasses its relevance, reliability, and validity in
providing support for achieving audit objectives. In assessing the overall
appropriateness of information, auditors should assess whether the
information is relevant, valid, and reliable. Sufficiency is a measure of
the quantity of evidence used to support the findings, conclusions, and
recommendations related to the audit objectives. In determining the
sufficiency of evidence, auditors should determine whether enough evidence
exists to persuade a knowledgeable person of the reasonableness of the
findings. Paragraphs 7.53 through 7.69 describe the auditors' assessment
of appropriateness and sufficiency of evidence.

  Planning

the work
       necessary to achieve the audit objectives.
elements
       of the audit plan together, as the considerations in determining each
       often overlap. Planning is a continuous process throughout the audit.
       Therefore, auditors may need to make adjustments to the audit
       objectives, scope, and methodology as work is being completed.
 seek to answer based
       on evidence obtained and assessed against criteria or best practices.

       Auditors should also evaluate possible issues surrounding the
       appropriateness of available information in planning the audit.

96

See discussion of the elements of a finding in paragraphs 7.36 through
7.37 and paragraphs 7.70 through 7.73.

97

The term "program" is used in this document to include government
entities, organizations, programs, activities, and functions.

ssurance that the obtained
       evidence is sufficient and appropriate to meet the audit's objectives.
 the current audit objectives (see paragraph
           7.35).

7.15 During planning, the auditors also should:

a.
           identify the potential criteria needed to evaluate matters subject
           to audit (see paragraphs 7.36 through 7.37);

b.
           identify potential sources of audit evidence and consider the
           amount and type of evidence needed given risk and significance
           (see paragraphs 7.38 through 7.39);

c.
           consider whether the work of other auditors and experts may be
           used to satisfy some of the audit objectives (see paragraphs 7.40
           through 7.42);

d.
           assign sufficient staff and specialists with adequate collective
           professional competence and identify other resources needed to
           perform the audit (see paragraphs 7.43 through 7.44);

e.
           communicate about planning and performance of the audit to
           management officials, those charged with governance, and others as
           applicable (see paragraphs 7.45 and 7.46); and

f.
           prepare an audit plan (see paragraphs 7.47 through 7.48).

Nature and Profile of the Program

7.16 Auditors should obtain an understanding of the nature and profile of
the program or program component under audit and the potential use that
will be made of the audit results or report as they plan a performance
audit. The nature and profile of a program include:

a.
           visibility, sensitivity, and risks associated with the program
           under audit,

b.
           newness of the program or changes in its conditions,

c.
           the size of the program in terms of total dollars and/or number of
           citizens impacted,

d.
           role of the audit in providing information that can improve public
           accountability and decision making (see paragraphs 1.01 and 1.02),
           and

e.
           level and extent of review or other forms of independent
           oversight.

7.17 Auditors obtain an understanding of the program under audit to help
assess the risks associated with the program and the impact on the audit
objectives, scope and methodology. The auditors' understanding may come
from knowledge they already have about the program or knowledge they gain
from inquiries and observations they make in planning the audit. The
extent and breadth of those inquiries and observations will vary among
audits based on the audit objectives, as will the need to understand
individual aspects of the program, such as the following:

a.
           Laws, regulations, and provisions of contracts or grant
           agreements: Government programs usually are created by law and are
           subject to specific laws and regulations. For example, laws and
           regulations usually set forth what is to be done, who is to do it,
           the purpose to be achieved, the population to be served, and
           related funding guidelines or restrictions. Government programs
           may also be subject to provisions of contracts and grant
           agreements. Thus, understanding the laws and the legislative
           history establishing a program and the provisions of any contracts
           or grant agreements can be essential to understanding the program
           itself. Obtaining that understanding is also a necessary step in
           identifying provisions of laws, regulations, contracts, or grant
           agreements that are significant within the context of the audit
           objectives.

b.
           Purpose and goals: Purpose is the result or effect that is
           intended or desired from a program's operation. Legislatures
           usually establish the program purpose when they provide authority
           for the program. Entity officials may provide more detailed
           information on program purpose to supplement the authorizing
           legislation. Entity officials are sometimes asked to set goals for
           program performance and operations, including both output and
           outcome goals. Auditors may use the stated program purpose and
           goals as criteria for assessing program performance or may develop
           additional criteria or best practices to use when assessing
           performance.

c.
           Internal control: Internal control, often referred to as
           management controls, in the broadest sense includes the plan,
           methods, and procedures adopted by management to meet its
           missions, goals, and objectives. Internal control includes the
           processes for planning, organizing, directing, and controlling
           program operations. It includes the systems for measuring,
           reporting, and monitoring program performance. Internal control
           also serves as a defense in safeguarding assets and preventing and
           detecting errors; potential fraud; violations of laws,
           regulations, and provisions of contracts and grant agreements; or
           abuse. Paragraphs 7.18 through 7.24 contain guidance pertaining to
           internal control.

d.
           Efforts: Efforts are the amount of resources (in terms of money,
           material, personnel, etc.) that are put into a program. These
           resources may come from within or outside the entity operating the
           program. Measures of efforts can have a number of dimensions, such
           as cost, timing, and quality. Examples of measures of efforts are
           dollars, employee-hours, and square feet of building space.

e.
           Program operations: Program operations are the strategies,
           processes, and activities management uses to convert efforts into
           outputs. Program operations are subject to internal control.

f.
           Outputs: Outputs represent the quantity of goods or services
           produced by a program. For example, an output measure for a job
           training program could be the number of persons completing
           training, and an output measure for an aviation safety inspection
           program could be the number of safety inspections completed.

g.
           Outcomes: Outcomes are accomplishments or results of programs. For
           example, an outcome measure for a job training program could be
           the percentage of trained persons obtaining a job and still in the
           work place after a specified period of time. Examples of outcome
           measures for an aviation safety inspection program could be the
           percentage reduction in safety problems found in subsequent
           inspections and/or the percentage of problems deemed corrected in
           follow-up inspections. Such outcome measures show progress in
           achieving the stated program purposes of helping unemployable
           citizens obtain and retain jobs, and improving the safety of
           aviation operations. Outcomes may be influenced by cultural,
           economic, physical, or technological factors outside the program.
           Auditors may use approaches drawn from other disciplines, such as
           program evaluation, to isolate the effects of the program from
           these other influences. An especially important type of outcome is
           unexpected effects which may be negative such as adverse drug
           reactions, or positive such as increased private investment in an
           area of service.

Internal Control

7.18 Auditors should obtain an understanding of internal control
significant within the context of the audit objectives. For those internal
control objectives that are significant within the context of the audit
objectives, auditors should assess whether specific internal control
procedures have been properly designed and placed in operation and conduct
specific tests of the effectiveness of the internal control procedures.
Based on the test results and the auditors' assessment, the auditors
consider whether to modify the nature, timing, or extent of their audit
procedures.98 Officials of the audited entity are responsible for
establishing effective internal control. The lack of administrative
continuity in government units because of changes in elected legislative
bodies and in other government officials increases the need for effective
internal control.

98

Refer to the internal control guidance contained in Internal
Control--Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). As discussed in the COSO
framework, internal control consists of five interrelated components,
which are (1) control environment, (2) risk assessment, (3) control
activities, (4) information and communication, and (5) monitoring. The
objectives of internal control relate to (1) financial reporting, (2)
operations, and (3) compliance. Safeguarding of assets is a subset of
these objectives. In that respect, management designs internal control to
provide reasonable assurance that unauthorized acquisition, use, or
disposition of assets will be prevented or timely detected and corrected.
In addition to the COSO document, the publication, Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999), which incorporates the relevant guidance developed by COSO,
provides definitions and fundamental concepts pertaining to internal
control at the federal level and may be useful to other auditors at any
level of government. The related Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the
federal internal control standards, provides a systematic, organized, and
structured approach to assessing the internal control structure.

7.19 The following discussion of the principal types of internal control
objectives is intended to help auditors better understand internal
controls and determine their significance to the audit objectives:

a.
           Effectiveness and efficiency of program operations: Controls over
           program operations include policies and procedures that officials
           of the audited entity have implemented to provide reasonable
           assurance that a program meets its objectives and that unintended
           actions do not result. Understanding these controls can help
           auditors understand the program operations that convert efforts to
           outputs or outcomes.

b.
           Validity and reliability of information: Controls over the
           validity and reliability of information include policies and
           procedures that officials of the audited entity have implemented
           to provide themselves reasonable assurance that operational
           information they use and report is valid and reliable and fairly
           disclosed in reports. These controls help assure management that
           it is getting valid and reliable information about whether
           programs are operating properly on an ongoing basis. Understanding
           these controls can help auditors (1) assess the risk that the
           information gathered by the entity may not be valid or reliable
           and (2) design appropriate tests of the information considering
           the audit objectives.

c.
           Compliance with applicable laws and regulations and provisions of
           contracts or grant agreements: Controls over compliance include
           policies and procedures that officials of the audited entity have
           implemented to provide reasonable assurance that program
           implementation is consistent with laws, regulations, and
           provisions of contracts or grant agreements. Understanding the
           relevant controls concerning compliance with those laws and
           regulations and provisions of contracts or grant agreements that
           the auditors have determined are significant can help auditors
           assess the risk of illegal acts,99 violations of provisions of
           contracts or grant agreements, or abuse.

ed acquisition, use, or disposition of
       assets and resources.
ort their assessment about the
       effectiveness of those controls. (See paragraph 1.39 for examples of
       internal control objectives.)
igned
       functions, to prevent or detect (1) impairments of effectiveness or
       efficiency of operations (2) misstatements in financial or performance
       information, or (3) violations of laws and regulations, on a timely
       basis.

99

Violations of laws or regulations are illegal acts.

100

The term "internal control" in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity's operations (programmatic, financial, and compliance).

7.24 Internal auditing is an important part of overall governance,
accountability, and internal control.101 A key role of many internal audit
organizations is to provide assurance that internal controls in place are
adequate to mitigate risks and achieve program goals and objectives. When
an assessment of internal control is called for, the work of the internal
auditors may be used in assessing whether internal controls are
effectively designed and functioning properly, and to prevent duplication
of effort.

Information Systems Controls

jectives and scope of audit (see paragraphs 7.18 through 7.24), or
       as a separate audit objective or audit procedure, depending on the
       nature of the audit. Depending on the significance of information
       systems controls to the audit objectives, the extent of audit
       procedures to obtain such an understanding may be limited or
       extensive. In addition, the nature and extent of audit risk is
       impacted by the nature of the hardware and software used, the
       configuration of the entity's systems and networks, and the entity's
       information systems strategy, and the significance of information
       systems controls to the audit objectives.
101

Many government entities have these activities identified by other names,
such as inspection, appraisal, investigation, organization and methods, or
management analysis. These activities assist management by reviewing
selected functions.

102

Information systems controls consist of those internal controls that are
dependent on information systems processing.

ness of information systems controls in order to obtain sufficient,
appropriate evidence, then such information systems controls are
significant to the audit. In making this determination, auditors consider
the following:

a.
           The extent to which internal controls that are significant to the
           audit are processed by information systems or are dependent on the
           reliability of information generated by information systems. As
           part of assessing the effectiveness of such controls, auditors
           also should assess the effectiveness of information systems
           controls that impact the effectiveness of controls that are
           significant to the audit.

b.
           The availability of other evidence to support the findings,
           conclusions, and recommendations. It may not be possible for
           auditors to obtain sufficient, appropriate evidence without
           assessing the effectiveness of relevant information systems
           controls. For example, if information supporting the findings,
           conclusions, and recommendations is generated by information
           systems or its reliability is dependent on information systems
           controls there may not be sufficient supporting or corroborating
           information or documentary evidence that is available other than
           that produced by the information systems.

c.
           The relationship of information systems controls to data
           reliability testing. To obtain evidence about the reliability of
           computer-generated information, auditors may elect to assess the
           effectiveness of information systems controls as part of testing
           the reliability of the data. If information systems controls are
           determined to be effective, the extent of direct testing of
           supporting documentation may be reduced.

d.
           Assessing the effectiveness of information systems controls as an
           audit objective. When assessing the effectiveness of information
           systems controls is directly a part of an audit objective,
           auditors should perform the testing of information systems
           controls necessary to achieve the audit objectives. For example,
           the audit may involve the effectiveness of information systems
           controls related to certain systems, facilities, or organizations.

7.27 If information systems controls are considered to be significant to
the audit, auditors should assess the effectiveness of such significant
controls, including other information systems controls that impact their
effectiveness or the reliability of information used in performing the
significant control. Generally, if information systems controls are
considered significant to the audit, the auditors' assessment of the
effectiveness of information systems controls will include both
application controls and general controls, because weaknesses in general
controls can result in unauthorized changes to applications and data that
can circumvent or impair the effectiveness of application controls.
Application controls, sometimes referred to as business process controls,
are those controls that help ensure the validity, completeness, accuracy,
and confidentiality of transactions and data during application
processing. Examples of application controls include controls over input,
processing, output, master data, application interfaces, and data
management system interfaces. Information systems general controls are the
policies and procedures that apply to all or a large segment of an
entity's information systems and help ensure their proper operation.
Examples of general controls include security management, logical and
physical access, configuration management, segregation of duties, and
contingency planning. Weaknesses in general controls can result in
unauthorized changes to applications and data that can circumvent or
impair the effectiveness of application controls.

Legal and Regulatory Requirements, Contract Provisions, or Grant
Agreements, Potential Fraud, or Abuse

7.28 In pursuing indications of possible fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations, and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report and/or refer indications of certain types of fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing procedures. In
cases where an investigation is initiated or in process, it may be
appropriate for auditors to withdraw from or defer further work on the
audit or a portion of the audit in order not to interfere with an
investigation.

Legal and Regulatory Requirements, Contracts, and Grants

 are significant within the context of
       the audit objectives and assess the risk that illegal acts or
       violations of provisions of contracts or grant agreements could occur.
       Based on that risk assessment, the auditors should design and perform
       procedures to provide reasonable assurance of detecting instances of
       illegal acts or violations of provisions of contracts or grant
       agreements that are significant within the context of the audit
       objectives.
ndividuals' incentives
or pressures to commit fraud, the opportunity for fraud to occur, and
rationalizations or attitudes that could allow individuals to commit
fraud. Auditors gather and assess information necessary to identify
potential fraud risks that are within the scope of the audit objectives or
could affect the results of their audit. For example, auditors may obtain
information through discussion with officials of the audited entity or
through other means to determine the susceptibility of the program to
potential fraud, the status of internal controls the entity has
established to detect and prevent fraud, or the risk that officials of the
audited entity could override internal control. An attitude of
professional skepticism in assessing these risks will assist auditors in
determining which factors or risks could significantly impact the audit
objectives and/or the audit procedures needed to answer the audit
objectives if fraud has occurred or is likely to have occurred.

Fraud is a type of illegal act involving the obtaining of something of
value through willful misrepresentation. Whether an act is, in fact, fraud
is a determination to be made through the judicial or other adjudicative
system and is beyond auditors' professional expertise and responsibility.

ud
       that they believe are significant within the context of the audit
       objectives, they should design procedures to provide reasonable
       assurance of detecting potential fraud significant within the context
       of the audit objectives. Assessing the risk of potential fraud is an
       ongoing process throughout the audit and relates not only to planning
       the audit but also to evaluating evidence obtained during the audit.

urisdiction over such matters.

Abuse

7.34 Abuse involves behavior that is deficient or improper when compared
with behavior that a prudent person would consider reasonable and
necessary business practice given the facts and circumstances.[104] Abuse
also includes misuse of authority or position for personal financial
interests or those of an immediate or close family member or business
partner. Abuse is distinct from fraud, illegal acts, or violations of
provisions of contracts or grant agreements in that abuse does not
necessarily involve violation of laws, regulations, or provisions of a
contract or grant agreement. If during the course of the audit, auditors
become aware of indications of abuse that could be quantitatively or
qualitatively significant to the program under audit, auditors should
apply audit procedures specifically directed to ascertain whether
significant abuse has occurred and the potential effect within the context
of the audit objectives. Based on the facts and circumstances, auditors
may find it helpful to identify specific risks or situations that are
susceptible to abuse. In addition, auditors remain alert throughout the
audit to situations that could be indicative of abuse. When information
comes to the auditors' attention (through audit procedures, allegations
received through a fraud hotline, or other means) indicating that
significant abuse may have occurred, they should perform audit procedures,
as necessary, to (1) determine whether the abuse occurred and, if so, (2)
determine its potential effect on the audit findings. If the abuse is not
significant within the context of the audit objectives, the auditors
should consider whether to expand the scope of the current audit, conduct
additional audit work as a separate engagement, or refer the potential
abuse to other parties with oversight responsibility or jurisdiction over
such matters. Auditors assess both quantitative and qualitative factors in
making judgments regarding the significance of possible abuse and whether
they need to extend the audit steps and procedures. However, because of
the subjectivity involved in determining abuse, auditors are not required
to provide reasonable assurance of detecting abuse.

For example, in a performance audit of management's efficient use of funds
for office building maintenance, auditors might find abuse if renovation
of senior management's offices far exceeds usual office space
specifications. While auditors might not view the renovation costs as
quantitatively significant to the audit results, these expenses could be
considered qualitatively significant to this audit objective.

Previous Audits and Attestation Engagements

7.35 Auditors should determine whether the results of previous audits and
attestation engagements that directly relate to the audit objectives have
an impact on the current engagement, including whether recommendations
have been implemented. Auditors should identify previous financial audits,
attestation engagements, performance audits, or other studies significant
within the context of the audit objectives and ask management of the
audited entity to identify corrective actions taken to address relevant
findings, conclusions and recommendations.

Identifying Audit Criteria

7.36 Auditors should identify audit criteria including the standards,
measures, expectations of what should exist, best practices, and
benchmarks against which performance is compared or evaluated. Criteria
provide a context for evaluating evidence and understanding the findings,
conclusions, and recommendations included in the report. Auditors should
use criteria that are objective, measurable, complete, and relevant to the
objectives of the performance audit.

a. Objectivity - free from bias.

b. Measurability - permit reasonably consistent assessments,
qualitative[105] or quantitative, of subject matter.

c. Completeness - include relevant factors that could change a
conclusion about the subject matter.

d. Relevant - related to the subject matter.

Qualitative assessments can include expert judgment and reasonableness
judgments about program performance, for example, whether program
objectives reflect the needs of targeted beneficiaries and whether program
performance adequately meets objectives.

7.37 The following are some examples of possible criteria:

a. purpose or goals prescribed by law or regulation or set by
officials of the audited entity,

b. policies and procedures established by officials of the audited
entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior periods' performance,

f. performance of similar entities,

g. performance in the private sector, or

h. best practices of leading organizations.

Identifying Sources of Audit Evidence and the Amount and Type of Evidence
Required

they should consider revising the
audit objectives or modifying the scope and methodology and determine
alternative procedures to meet the current audit objectives. Auditors
should disclose in the audit report revisions made to the audit
objectives due to the lack of sufficient, appropriate evidence.
Auditors should also evaluate whether the
lack of sufficient, appropriate evidence is due to internal control
deficiencies or other program weaknesses, and whether the lack of
sufficient, appropriate evidence is the basis for audit findings. (See
paragraphs 7.53 through 7.69 for standards concerning evidence.)

Considering Work of Others

rk of the other auditors to support findings, recommendations
       or conclusions for the current audit and thereby, avoid duplication of
       audit efforts. If auditors rely on the work of other auditors, they
       should perform procedures regarding the specific work to be relied on
       that provide a sufficient basis for that reliance. Auditors should
       obtain evidence concerning the other auditors' qualifications and
       independence and should determine whether the scope and quality of the
       audit work performed by the other auditors is adequate for reliance in
       the context of the current audit objectives. Auditors can accomplish
       this by reviewing the report, audit plan, or audit documentation, or
       by performing supplemental tests of the other auditors' work. The
       nature and extent of evidence needed will depend on the significance
       of the other auditors' work, on the extent to which the auditors will
       rely on that work, and whether auditors plan to refer to that work in
       their work.

ain an understanding of the qualifications of
the specialists. (See paragraph 3.05 for independence considerations when
relying on the work of others.) Auditors consider the following in
evaluating the professional qualifications of the specialist:

a. the professional certification, license, or other recognition of
the competence of the specialist in his or her field, as
appropriate;

b. the reputation and standing of the specialist in the views of
peers and others familiar with the specialist's capability or
performance; and

c. the specialist's experience and published work in the subject
matter.

Assigning Staff and Other Resources

7.43 Audit management should assign sufficient staff and specialists with
adequate collective professional competence to perform the audit. Staffing
an audit includes, among other things:

a. assigning staff and specialists with the appropriate collective
knowledge, skills, and experience for the job;

b. assigning an adequate number of staff and supervisors to the
audit;

c. providing for on-the-job training of staff; and

d. engaging specialists when necessary.

See paragraph 3.51 for a discussion of using specialists in a GAGAS audit.

7.44 If planning to use the work of a specialist, auditors should
determine and articulate the nature and scope of the work to be performed
by the specialist, including

a. the objectives and scope of the specialist's work;

b. the intended use of the specialist's work to support the audit
objectives;

c. documentation of the specialist's procedures and findings so they
can be evaluated and related to other planned audit procedures;

d. the assumptions and methods used; and

e. a comparison of how the methods and assumptions used compare with
those used in prior, related work.

Communicating with Management, Those Charged with Governance, and Others

7.45 Auditors should communicate information about the objectives, scope
and methodology, and timing of the performance audit and planned reporting
to the following individuals:

a. the head of the audited entity;

b. those charged with governance;[107]

c. the individual who possesses a sufficient level of authority and
responsibility to implement corrective actions in the program or activity
being audited; and

d. the individuals contracting for or requesting audit services, such as
contracting officials or legislative members or staff, if applicable.

Those charged with governance are those responsible for overseeing the
strategic direction of the entity and the entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying those charged with
governance. (See appendix paragraphs A1.02 through A1.05.)

7.46 Auditors use professional judgment to determine the form, content,
and frequency of the communication, although written communication is
preferred. Auditors may use an engagement letter to communicate the
information. If an audit is terminated before it is completed, auditors
should write a memorandum for the audit documentation that summarizes the
results of the work and explains the reasons why the audit was terminated.
In addition, depending on the facts and circumstances, auditors should
consider the need to communicate the reason for terminating the audit to
those charged with governance, management of the audited entity, the
entity requesting the audit, and other appropriate officials, preferably
in writing.

Preparing the Audit Plan

egy, audit program or project plan, a
memorandum, design matrix or paper, or other appropriate documentation
of key decisions about the audit objectives, scope, and methodology
and of the auditors' basis for those decisions. Auditors should update
the plan, as necessary, to reflect any significant changes to the plan
made during the audit.

audit objectives and
follow applicable standards. Audit supervisors should stay informed
about significant problems encountered, review the work performed, and
provide effective on-the-job training.

to be conducted,
and what the work is expected to accomplish. With experienced staff,
supervisors may outline the scope of the work and leave details to the
staff. With less experienced staff, supervisors may have to specify
audit procedures to be performed as well as techniques for gathering
and analyzing data.

to assess sufficiency and appropriateness may
likewise vary widely. For example, in establishing the appropriateness
of evidence, auditors may test the reliability by obtaining supporting
information, using statistical testing or by obtaining corroborating
evidence. Auditors consider the concepts of audit risk and
significance in evaluating the audit evidence.

s to the extent to which the information has a
logical relationship with, and importance to, the issue being
addressed.

b. Validity refers to how well the information actually represents
what the auditors are trying to evaluate.

c. Reliability refers to the consistency of results achieved and
includes the concepts of being verifiable or supported.

7.57 To assess the appropriateness of information, auditors consider the
different types of information and the source of the information. Evidence
may be obtained by observation, inquiry, or inspection. Each type of
evidence[109] has its own strengths and weaknesses. The following contrasts
are useful in judging the appropriateness of information. In each
contrast, the first item generally provides a higher quality of evidence.
However, these contrasts are not to be considered adequate in themselves
to determine appropriateness. The nature and types of evidence required to
support auditors' findings, conclusions, and recommendations is a matter
of the auditors' professional judgment based on the audit objectives.

a. Evidence obtained when internal control is effective versus
information obtained when internal control is weak or nonexistent.

b. Information obtained through the auditors' direct physical
examination, observation, computation, and inspection versus
information obtained indirectly.

c. Examination of original documents versus copies.

d. Testimonial information obtained under conditions where persons
may speak freely versus information obtained where the persons may
be intimidated given the circumstances.

e. Testimonial information obtained from an individual who is not
biased and has direct knowledge about the area versus testimonial
information obtained from an individual who is biased or has
indirect or partial knowledge about the area.

f. Information obtained from a knowledgeable, credible, and unbiased
third party versus from management or other officials of the
audited entity.

See appendix paragraph A7.02 for additional guidance regarding the types
of evidence.

s generally self-reported information that is
frequently used to obtain information about existing conditions or
programs. Auditors should evaluate the objectivity, credibility, and
reliability of the self-reported information as well as the survey
design and administration.

ion that is most
appropriate will depend on the audit objectives. For example, when a
representative sample is appropriate, the use of statistical sampling
approaches would result in stronger evidence than that obtained from
non-statistical techniques. In cases where a representative sample is
not appropriate, a targeted selection may be more effective if the
auditors have isolated certain risk factors or other criteria used to
target the selection.

rk are current,
auditors may be able to use the work to
reduce their audit procedures if, based on testing the work done by agency
officials, the data is sufficient and appropriate, in combination with
other evidence.

7.62 When computer-processed information is used to support findings,
conclusions, and recommendations, auditors should perform procedures for
assessing the appropriateness of the information. Auditors should assess
the sufficiency and appropriateness of this type of data regardless of
whether computer-processed information is provided to auditors or auditors
independently extract it. The nature, timing and extent of audit
procedures to assess sufficiency and appropriateness are affected by the
effectiveness of the entity's internal controls over the information,
including information system controls, and the significance of the
information and the level of detail presented in the auditors' findings,
conclusions, and recommendations in light of the audit objectives. Audit
procedures to evaluate the effectiveness of selected system controls
include (1) gaining a detailed understanding of the system as it relates
to the information and (2) identifying and evaluating the general controls
and application controls that are critical to ensuring the reliability of
the information required for the audit.

The nature and extent of audit procedures to evaluate the effectiveness of
information system controls will vary based on the following:

a. the extent to which the information systems controls are
significant to the auditors' overall assessment of appropriateness
of information; and

b. the availability of other evidence to support the auditors'
findings, conclusions, and recommendations.

Sufficiency

7.63 Sufficiency is a measure of the quantity of evidence used to support
the findings, conclusions, and recommendations related to the audit
objectives. Sufficiency is also dependent on the appropriateness of the
evidence. In determining the sufficiency of evidence, auditors should
determine whether enough evidence exists to support the findings,
conclusions, and recommendations.

7.64 The following presumptions are useful in judging the sufficiency of
evidence. The sufficiency of evidence required to support the auditors'
findings, conclusions, and recommendations is a matter of the auditors'
professional judgment.

a. The greater the audit risk, the greater the quantity of evidence
required.

b. Stronger evidence may allow less evidence to be used. The
appropriateness test (see 7.56 through 7.62) is closely interrelated
with decisions about sufficiency.

c. Having a large volume of audit evidence does not compensate for a lack
of relevance, validity and/or reliability.

Overall Assessment of Evidence

he objectives of the audit. Professional
judgments about the sufficiency and appropriateness of evidence are
closely intertwined, as auditors interpret the results of audit
testing and evaluate whether the nature and extent of the evidence
obtained is sufficient and appropriate given the audit objectives.
Auditors perform an overall assessment of the collective evidence used
to support findings, conclusions, or recommendations. This overall
assessment also includes the results of any specific assessments
conducted to conclude on the validity and reliability of specific
evidence.

(3) of undetermined sufficiency and appropriateness in relation to
the audit objectives. Auditors consider sufficiency and
appropriateness in the context of the findings, conclusions, and
recommendations. For example, even though the auditors may have
some uncertainty about the sufficiency or appropriateness of the
evidence, the auditors may nonetheless determine that there is
sufficient and appropriate evidence given the findings,
conclusions, or recommendations. (See paragraphs 7.77 through 7.92
for documentation requirements.)

a. Evidence is considered to be sufficient and appropriate when using
the evidence provides the basis for an analysis that achieves the
audit objectives and provides a reasonable basis for their
findings, conclusions, or recommendations.

b. Evidence is considered to be not sufficient and appropriate when
(1) using the evidence carries an unacceptably high risk that it
could lead to an incorrect or improper conclusion or (2) the
information has significant or potentially significant
limitations, given the objectives and intended use of the
information.

c. Evidence is considered to be of undetermined sufficiency and
appropriateness when (1) the auditors do not have an adequate basis to
conclude whether it achieves the audit objectives and provides a
reasonable basis for the findings, conclusions, and recommendations or
(2) the information has significant or potentially significant limitations
of unknown impact, given the objectives and the intended use.

es so
that the evidence is sufficient and appropriate;

b. clearly indicating in the report the limitations of the
information, while refraining from using the information to make
unwarranted findings, conclusions or recommendations, and
considering whether to report the limitations of the information
as an audit finding; or

c. redefining the audit objectives or limiting the audit scope to
eliminate the need to use the information and fully disclosing in
the audit report revisions made to the audit objectives due to the
lack of sufficient, appropriate evidence.

7.69 How the use of information of undetermined sufficiency and
appropriateness affects the auditors' report depends on the significance
of the information to the auditors' findings, conclusions, or
recommendations in light of the audit objectives. For example, auditors
may use such information to provide background information. In cases where
auditors use information of undetermined sufficiency and appropriateness
to support audit findings, conclusions, or recommendations, auditors should
fully disclose the fact that such information is being used, assess the
impact of using such information, and use professional judgment to
determine whether and to what extent to qualify the audit findings and
conclusions. Auditors use professional judgment in determining the impact
on the audit objectives and compliance with GAGAS. (See paragraphs 1.13
through 1.15.)

Audit Findings

e extent
that the audit objectives are satisfied and the report clearly relates
those objectives to the elements of a finding. Audit findings often
have been regarded as containing the elements of criteria, condition,
cause, and effect. Criteria are discussed in paragraphs 7.36 through
7.37, and the other elements of a finding--condition, effect, and
cause--are discussed in the following paragraphs:

eria identified in the audit, "effect" is a measure of those
consequences. Auditors often use effect or potential effect to
demonstrate the need for corrective action in response to identified
problems or risks. When the auditors' objectives include estimating
the extent to which a program has caused changes in physical, social,
or economic conditions, "effect" is a measure of the impact achieved
by the program. In this case, effect is the extent to which positive
or negative changes in actual physical, social, or economic conditions
can be identified and attributed to program operations.

as the cause. When the auditors' objectives
include estimating the program's effect on changes in physical, social, or
economic conditions, auditors seek evidence of the extent to which the
program itself is the "cause" of those changes. Auditors may identify
deficiencies in internal control that are significant to the subject
matter of the performance audit as the cause of deficient performance. In
reporting this type of finding, the deficiencies in internal control would
be described as the "cause." Often the causes of deficiencies in internal
control are complex and involve multiple factors, including fundamental,
systemic root causes. In some cases, it may not be practical or possible
for auditors to fully develop or identify the causes of deficiencies.
However, analyzing and identifying root cause of deficiencies is key to
making recommendations for corrective actions.

  Audit Documentation

7.74 The auditor must prepare audit documentation in connection with each
engagement in sufficient detail to provide a clear understanding of the
work performed (including the nature, timing, extent, and results of audit
procedures performed), the audit evidence obtained and its source, and the
conclusions reached. Audit documentation:

a. provides the principal support for the statement in the auditors'
report that the auditors performed the audit in accordance with
GAGAS and any other standards cited, and

b. provides the principal support for the auditors' conclusions.

sufficient and appropriate documentation contributes to the
quality of an audit.

b. the auditors' risk assessment;

c. the auditors' determination that certain standards did not apply
or that an applicable standard was not followed, the reasons
supporting their determinations, and the known effect that not
following the applicable standard had, or could have had, on the
audit;

d. the work performed to support significant judgments, findings,
conclusions and recommendations, including descriptions of
transactions and records examined;[111]

e. evidence of supervisory reviews, before the audit report is
issued, of the work performed that supports findings, conclusions,
and recommendations contained in the audit report;

f. work performed as part of the appropriateness assessment,
including the following items, as applicable: testing, information
review, analysis, and knowledge gained related to the quality of
the information;

g. decisions made during the overall assessment of evidence,
including the auditors' final assessment of whether the
information is sufficient and appropriate for the purposes of the
audit;

h. communications with management and others;

i. evidence of communications about deficiencies in internal control
found during the audit;

j. evidence of communications to officials of the audited entity
about instances of potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse;

k. the availability of the report for public inspection; and

l. if the audit does not result in a report, a memorandum for the record
that summarizes the results of the work and explains the reason the audit
was terminated, and any communications regarding the termination of the
audit.

An experienced auditor means an individual (whether internal or external
to the audit organization) who possesses the competencies and skills that
would have enabled him or her to perform the performance audit. These
competencies and skills include an understanding of (a) the performance
audit processes, (b) GAGAS and applicable legal and regulatory
requirements, and (c) the subject matter associated with achieving the
audit objectives.

Auditors may meet this requirement by listing file numbers, case numbers,
or other means of identifying specific documents they examined. They are
not required to include copies of documents they examined as part of the
audit documentation, nor are they required to list detailed information
from those documents.

file for the specific audit.

d others, including the significant findings
or issues discussed, and when and with whom the discussions took
place.

ontradiction or inconsistency was addressed in forming the
conclusion.

ould also follow the requirements in
paragraphs 1.13 through 1.15.

at the auditors
may use others' work and avoid duplication of effort. Auditors should
make appropriate audit staff and individuals, as well as audit
documentation available, upon request, in a timely manner to other
auditors or reviewers. It is also essential that contractual
arrangements for GAGAS audits provide for full and timely access to
audit staff and individuals, as well as audit documentation to
facilitate reliance by other auditors or reviewers on the auditors'
work.

rectly from the audited
entity and how to respond to requests for access to audit documentation
before the audit is complete. The audit organization should also include
flexibility in its policies and procedures to consider the individual
facts and circumstances surrounding a request, for instance, cases when
granting access or providing certain information would serve to adversely
affect the ability of the audit organization to successfully perform
similar audits in the future.

, and agreed with relevant members
of the audit team prior to the date of the audit report,

b. perform routine file-assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and
cross-referencing final audit documentation,

c. sign-off on file completion checklists prior to completing and
archiving the audit file, and

d. add information received after the date of the report, for
example, an original document that was previously faxed.

7.91 After the documentation completion date, the auditors should not
delete or discard audit documentation before the end of the specified
retention period, as discussed above in paragraph 7.88. When the auditor
finds it necessary to make an addition (including amendments) to audit
documentation after the documentation completion date, the auditor should
document the addition by including the following in the documentation:

a. when and by whom such additions were made and, where applicable,
reviewed,

b. an audit trail that clearly shows the specific changes,

c. the specific reasons for the changes, and

d. the effect, if any, of the changes on the auditors' conclusions.

7.92 Whether audit documentation is in paper, electronic, or other media,
the integrity, accessibility, and retrievability of the underlying data
may be compromised if the documentation could be altered, added to, or
deleted without the auditors' knowledge, or if the documentation could be
permanently lost or damaged. Accordingly, auditors should apply
appropriate controls to protect audit documentation from alteration,
destruction, and unauthorized access.

              Chapter 8 Reporting Standards for Performance Audits

  Introduction

hat are retrievable by report users and
the audit organization, such as video or compact disc formats. The
users' needs, likely demand, and distribution will influence the form
of the audit report used. In addition to a more traditional
presentation of audit results, such as a chapter report or a letter
report, briefing slides and/or other presentation materials that are
complete and retrievable are considered to be audit reports.
Regardless of form, auditors should comply with all applicable
reporting standards.

.07 Auditors should prepare audit reports which include (1) the
objectives, scope, and methodology of the audit; (2) the audit results,
including findings, conclusions, and recommendations, as appropriate; (3)
a reference to compliance with generally accepted government auditing
standards; (4) the views of responsible officials; and (5) if applicable,
the nature of any privileged and confidential information omitted.

Objectives, Scope, and Methodology

ted audit objectives
provide more meaningful information to report users if they are measurable
and feasible and are not presented in a broad or general manner. To reduce
misunderstanding in cases where the objectives are particularly limited
and broader objectives can be inferred, auditors may state objectives that
were not part of the audit.

evidence gathering and analysis techniques used, in sufficient detail
to allow knowledgeable users of their reports to understand how the
auditors addressed the audit objectives. In situations when extensive
and/or multiple sources of information are used by auditors, the
auditors should consider whether to include a description of the
procedures performed as part of the auditors' assessment of the
appropriateness of information used as audit evidence. Auditors should
identify any significant assumptions made in conducting the audit;
describe any comparative techniques applied; describe the criteria
used; and, when sampling significantly supports auditors' findings,
conclusions or recommendations, describe the sample design and state
why it was chosen, including whether the results can be projected to
the intended population.

fficiency and appropriateness of the evidence
in the aggregate. Auditors should also report any significant constraints
imposed on the audit approach by information limitations or scope
impairments, including demands of access to certain records or
individuals.

8.13 How the use of information of undetermined sufficiency and
appropriateness affects the auditors' report depends on the significance
of the information to the auditors' findings, conclusions, or
recommendations in light of the audit objectives. For example, auditors
may use such information to provide background information. In cases where
auditors use information of undetermined sufficiency and appropriateness
to support audit findings, conclusions, or recommendations, auditors should
fully disclose the fact that such information is being used, assess the
impact of using such information, and use professional judgment to
determine whether and to what extent to qualify the audit findings and
conclusions. If the use of such information is significant to the
auditors' findings and conclusions, auditors should determine the impact
on the audit objectives and compliance with GAGAS. (See paragraphs 1.13
through 1.15.)

Findings

8.14 In the audit report, auditors should present sufficient, appropriate
evidence to support the findings, conclusions and recommendations in
relation to the audit objectives. Auditors should present findings in a
manner to promote adequate understanding of the matters reported and to
provide convincing but fair presentations in proper perspective that are
compelling. Auditors consider the significance of evidence as they develop
the report findings, conclusions and recommendations. In making judgments
about significance, auditors consider whether the judgment of a reasonable
person relying on the auditors' report would have been changed or
influenced if the matter had been disclosed in the audit report. This
includes the probability that the matter would change or influence the
decisions of intended users of the auditors' report; or, as another
example, where the context is a judgment about whether to report a matter
to those charged with governance, whether the matter would be regarded as
important by those charged with governance in carrying out their duties.
Auditors may provide selective background information to provide the
context for the overall message and to help the reader understand the
findings and significance of the issues discussed.112

s significant to the performance of the program being
       audited. If the limitations of the information are partially or wholly
       a result of internal control deficiencies, auditors should recommend
       actions necessary to address the deficiencies.
ng the elements of criteria, condition, cause, and effect.
       (See 7.36 through 7.37 and 7.70 through 7.73). However, the elements
       needed for a finding depend on the audit objectives. For example, an
       audit objective may be limited to determining the current status or
       condition of implementing legislative requirements, and not the
       related cause or effect. Thus, a finding or set of findings is
       complete to the extent that the auditors achieve the audit objectives
       and the report clearly relates those objectives to the elements of the
       finding.
hould provide recommendations for corrective
       action if they are significant within the context of the audit
       objectives. Following is guidance for reporting on elements of
       findings:

Appropriate background information may include information on how programs
and operations work; the significance of programs and operations (e.g.,
dollars, impact, purposes, and past audit work if relevant); a description
of the audited entity's responsibilities; and explanation of terms,
organizational structure, and the statutory basis for the program and
operations.

a.
           Criteria: The required or desired state and/or what is expected
           from the program or operation. The criteria are easier to
           understand when stated objectively, explicitly, and completely and
           when the source of the criteria is identified in the audit
           report.113

b.
           Condition: What the auditors found regarding the actual situation.
           Reporting the scope or extent of the condition allows the report
           user to gain an accurate perspective.

c.
           Cause: Evidence on the factor or factors responsible for the
           difference between condition and criteria. In reporting the cause,
           auditors may consider whether the evidence provides a reasonable
           and convincing argument for why the stated cause is the key factor
           or factors contributing to the difference as opposed to other
           possible causes, such as poorly designed criteria or factors
           uncontrollable by program management. The auditors also may
           consider whether the identified cause could serve as a basis for
           the recommendations. Often the causes of deficiencies in internal
           control are complex and involve multiple factors. In some cases,
           it may not be practical for auditors to fully develop or identify
           all of the causes of deficiencies. However, analyzing and
           identifying root causes of internal control deficiencies are key
           to making recommendations for corrective action.

d.
           Effect or potential effect: A clear, logical link to establish the
           impact or potential impact of the difference between what the
           auditors found (condition) and the required or desired state
           (criteria). Effect is easier to understand when it is stated
           clearly, concisely, and, if possible, in quantifiable terms. The
           significance of the reported effect can be demonstrated through
           credible evidence.

113

Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.:
Aug. 2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing internal
control.

potential fraud and illegal acts unless they
       are clearly inconsequential,115 significant violations of provisions
       of contracts or grant agreements, and significant abuse.

Reporting Deficiencies in Internal Control

8.20 Auditors should include in the audit report (1) the scope of their
work on internal control and (2) deficiencies in internal control that are
significant within the context of the audit objectives. When auditors
detect deficiencies in internal control that are not significant to the
objectives of the performance audit, they should communicate those
deficiencies in a separate letter to officials of the audited entity
unless the deficiencies are clearly inconsequential considering both
qualitative and quantitative factors. If the auditors have communicated
deficiencies to officials of the audited entity during the course of the
audit, they should refer to that communication in the audit report.
Whether or how to communicate deficiencies that are clearly
inconsequential to officials of the audited entity is a matter of the
auditors' professional judgment.

114

As discussed in paragraph 7.23, in performance audits a deficiency in
internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their
assigned functions, to prevent or detect (1) misstatements in financial or
performance information, (2) violations of laws and regulations, or (3)
impairments of effectiveness or efficiency of operations, on a timely
basis.

115

Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should take care not to unintentionally imply that a final
determination of illegality has been made.

8.21 In a performance audit, auditors may conclude that identified
deficiencies in internal control that are significant within the context
of the audit objectives are the cause of the deficient performance. In
reporting this type of finding, the internal control deficiency would be
described as the cause.

Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse

ignificant violations of provisions of contracts
       or grant agreements, or significant abuse either has occurred or may
       have occurred, they should report the matter as a finding.116
mmunicate those findings in a separate letter to officials of the
       audited entity unless the findings are clearly inconsequential,
       considering both qualitative and quantitative factors. Auditors should
       refer to that letter in the audit report. Whether or how to
       communicate potential fraud, illegal acts, violations of provisions of
       contracts or grant agreements, or abuse that are clearly
       inconsequential to officials of the audited entity is a matter of the
       auditors' professional judgment. Auditors should include in their
       audit documentation evidence of communications to officials of the
       audited entity about deficiencies in potential fraud, illegal acts,
       violations of provisions of contracts or grant agreements, or abuse.

See paragraphs 8.26 through 8.28 for additional reporting considerations.

8.25 When auditors conclude that potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse either have
occurred or are likely to have occurred, they may consult with authorities
and/or legal counsel about whether publicly reporting certain information
about the potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse would compromise investigative or
legal proceedings. Auditors should limit their public reporting to matters
that would not compromise those proceedings, such as information that is
already a part of the public record.

Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or Abuse

to
       parties outside the audited entity in two circumstances, as discussed
       below.117 This reporting is in addition to any legal requirements for
       direct reporting of potential fraud, illegal acts, violations of
       provisions of contracts or grant agreements, or abuse. Auditors should
       follow these requirements even if they have resigned or been dismissed
       from the audit prior to its completion.
ud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse to the audited entity and the audited entity fails to report
them, then the auditors should communicate such an awareness to the
governing body of the audited entity. When the audited entity does not
make the required report as soon as possible after the auditors'
communication with those charged with governance, then the auditors should
report such potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to the external party
specified in the law or regulation.

 from the audit, they should communicate
       that conclusion to those charged with governance of the audited
       entity. If the audited entity does not report the potential fraud,
       illegal act, violation of provisions of contracts or grant agreements,
       or abuse in a timely manner to the entity that provided the government
       assistance, the auditors should report the potential fraud, illegal
       act, violation of provisions of contracts or grant agreements, or
       abuse directly to that entity.
uld report conclusions related to the audit objectives
and the audit findings and recommendations. Report conclusions are logical
inferences about the program based on the auditors' findings, not merely a
summary of the findings. The strength of the auditors' conclusions depends
on the sufficiency and appropriateness of the evidence supporting the
findings and the soundness of the logic used to formulate the conclusions.
Conclusions are stronger if they lead to the auditors' recommendations and
convince the knowledgeable user of the report that action is necessary.

Recommendations

ded actions.
ble
basis for our findings and conclusions based on our audit objectives.

8.34 The statement of compliance with GAGAS indicates that the auditors
have complied with all applicable GAGAS general and auditing standards.
When the auditors did not follow applicable standards, or were not able to
follow applicable standards due to access problems or other scope
limitations, they should follow the requirements in paragraphs 1.13
through 1.15.

Reporting Views of Responsible Officials

      appropriate. Including the views of responsible officials results in a
       report that presents not only the auditors' findings, conclusions, and
       recommendations, but also the perspectives of the responsible
       officials of the audited entity and the corrective actions they plan
       to take. Auditors should include in their report a copy of the
       officials' written comments or a summary of the comments received
       along with the auditors' evaluation of the comments. In cases when the
       audited entity provides technical comments in addition to its written
       comments on the report, auditors should use professional judgment in
       determining whether to include such comments or disclose in the report
       that such comments were provided.

Some audits may address audit objectives which cover cross-cutting issues
that transcend specific government agencies. In these situations, auditors
use professional judgment to identify appropriate officials for the issues
addressed by the audit objectives and include the views of those officials
in the audit report.

raft report. If oral comments are provided by the responsible
       officials, auditors should prepare a summary of the oral comments and
       provide a copy of the summary to the responsible officials to verify
       that the comments are accurately stated prior to finalizing the
       report.

       comments. If the auditors disagree with the comments, they should
       state in the report their reasons for disagreeing with the comments or
       planned corrective actions. Conversely, the auditors should modify
       their report as necessary if they find the officials' comments to be
       valid.
be classified or may be otherwise prohibited
       from general disclosure by federal, state, or local laws or
       regulations. In such circumstances, auditors may issue a separate,
       classified or limited-official-use report containing such information
       and distribute the report only to persons authorized by law or
       regulation to receive it. Additional circumstances associated with
       public safety and security concerns could also justify the exclusion
       of certain information in the report. For example, detailed
       information related to computer security for a particular program may
       be excluded from publicly available reports because of the potential
       damage that could be caused by the misuse of this information. In such
       circumstances, auditors may issue a limited-official-use report
       containing such information and distribute the report only to those
       parties responsible for acting on the auditors' recommendations. The
       auditors may consult with legal counsel regarding any requirements or
       other circumstances that may necessitate the omission of certain
       information.
eports to other officials who have
       legal oversight authority or who may be responsible for acting on
       audit findings and recommendations, and to others authorized to
       receive such reports. Auditors should clarify whether the report will
       be made available for public distribution.
 organization. If the nongovernment auditors are to make
       the distribution, they should reach agreement with the party
       contracting for the audit about which officials or organizations
       should receive the report and the steps being taken to make the report
       available to the public.
ted report
distribution.

                                    Appendix

Introduction

A.01 The following sections provide supplemental guidance for auditors and
the audited entities to assist in the implementation of GAGAS. The
guidance is not intended to establish additional auditor requirements but
instead is to facilitate auditor implementation of the standards contained
in chapters 1 through 8. The supplemental guidance in the first section
may be of assistance for all types of audits and engagements covered by
GAGAS. Subsequent sections provide supplemental guidance for specific
chapters of GAGAS, as indicated.

  Overall Supplemental Guidance

A.02 Chapters 4 through 8 discuss the field work and reporting standards
for financial audits, attestation engagements, and performance audits. The
identification of significant deficiencies in internal control,
significant abuse, fraud risks, and significant laws, regulations, or
provisions of contract or grant agreements are important aspects of
government auditing. The following discussion is provided to assist
auditors with identifying significant deficiencies in internal control,
abuse, and indicators of fraud risk and to assist auditors with
determining whether laws, regulations, or provisions of contracts or grant
agreements are significant to the audit objectives.

Examples of Significant Deficiencies in Internal Control

A.03 Auditor requirements for reporting significant deficiencies in
internal control are discussed in paragraphs 5.13 through 5.18, 6.49
through 6.53, and 8.20 through 8.21. The following are examples of matters
that may be significant deficiencies, including material weaknesses,
depending on the facts and circumstances:

a.
           Ineffective oversight by those charged with governance of the
           entity's financial reporting, performance reporting, or internal
           control, or an ineffective overall governance structure.

b.
           Restatement of previously issued financial statements to reflect
           the correction of a material misstatement or significant
           corrections made to previously reported performance or operational
           results.

c.
           Identification by the auditor of a material misstatement in the
           financial statements for the period under audit that was not
           initially identified by the entity's internal control. This
           includes misstatements involving estimation and judgment for which
           the auditor identifies potential material adjustments and
           corrections of the recorded amounts. (This is a strong indicator
           of a material weakness even if management subsequently corrects
           the misstatement.)

d.
           An ineffective internal audit function or risk assessment function
           at an entity for which such functions are important to the
           monitoring or risk assessment component of internal control, such
           as for a very large or highly complex entity.

e.
           Identification of fraud of any magnitude on the part of senior
           management.

f.
           Failure by management or those charged with governance to assess
           the effect of a significant deficiency previously communicated to
           them and either correct it or conclude that it will not be
           corrected.

g.
           An ineffective control environment. Control deficiencies in
           various other components of internal control could lead the
           auditor to conclude that a significant deficiency or material
           weakness exists in the control environment.

h.
           Inadequate provisions for the safeguarding of assets.

i.
           Evidence of intentional override of internal control by those in
           authority to the detriment of the overall objectives of the
           system.

j.
           Deficiencies in the design or operation of internal control that
           could result in violations of laws, regulations, provisions of
           contracts or grant agreements; fraud; or abuse having a direct and
           material effect on the financial statements or the audit
           objective.

Examples of Abuse

A.04 [Placeholder for discussion of examples of abuse.]

Examples of Indicators of Fraud Risk

A.05 In some circumstances, conditions such as the following might
indicate a heightened risk of fraud:

a.
           the entity's financial stability, viability, or budget is
           threatened by economic, programmatic, or entity operating
           conditions;

b.
           the nature of the audited entity's operations provides
           opportunities to engage in fraud;

c.
           inadequate monitoring by management for compliance with policies,
           laws, and regulations;

d.
           the organizational structure is unstable or unnecessarily complex;

e.
           lack of communication and/or support for ethical standards by
           management;

f.
           management has a willingness to accept unusually high levels of
           risk in making significant decisions;

g.
           a history of impropriety, such as previous issues with fraud,
           waste, abuse, or questionable practices, or past audits or
           investigations with findings of questionable or criminal activity;

h.
           operating policies and procedures have not been developed or are
           outdated;

i.
           key documentation is often lacking or does not exist;

j.
           lack of asset accountability or safeguarding procedures;

k.
           improper payments;

l.
           false or misleading information; or

m.
           a pattern of large procurements in any budget line with remaining
           funds at year end, in order to "use up all of the funds
           available."

Determining Whether Laws, Regulations, or Provisions of Contracts or Grant
Agreements Are Significant to Audit Objectives

A.06 Government programs are subject to many laws, regulations, and
provisions of contracts or grant agreements. At the same time, their
significance to audit objectives varies widely, depending on the objectives
of the audit. Auditors may find the following approach helpful in
assessing whether laws, regulations, or provisions of contracts or grant
agreements are significant to audit objectives:

a.
           Reduce each audit objective to questions about specific aspects of
           the program being audited (that is, purpose and goals, internal
           control, inputs, program operations, outputs, and outcomes).

b.
           Identify laws, regulations, and provisions of contracts or grant
           agreements that directly relate to specific aspects of the program
           included in questions that reflect the audit objectives.

c.
           Determine if the audit objectives or the auditors' conclusions
           could be significantly affected if violations of those laws,
           regulations, or provisions of contracts or grant agreements
           occurred. If the audit objectives or audit conclusions could be
           significantly affected, then those laws, regulations, and
           provisions of contracts or grant agreements are likely to be
           significant to the audit objectives.

A.07 Auditors may consult with legal counsel to (1) determine those laws
and regulations that are significant to the audit objectives, (2) design
tests of compliance with laws and regulations, or (3) evaluate the results
of those tests. Auditors also may consult with legal counsel when audit
objectives require testing compliance with provisions of contracts or
grant agreements. Depending on the circumstances of the audit, auditors
may consult with others, such as investigative staff, other audit
organizations or government entities that provided assistance to the
audited entity, or applicable law enforcement authorities, to obtain
information on compliance matters.

  Information to Accompany Chapter 1

A1.01 Chapter 1 discusses the use and application of GAGAS and the role of
auditing in government accountability. Those charged with governance and
management of audited organizations also have roles in government
accountability. The discussion which follows is provided to assist
auditors in understanding the roles of others in accountability. The
following section also contains background information on the laws,
regulations and guidelines which require the use of GAGAS. This
information is provided to place the requirements contained in GAGAS
within the context of overall government accountability.

The Role of Those Charged with Governance in Accountability

A1.02 Those charged with governance are responsible for overseeing the
strategic direction of the entity and obligations related to the
accountability of the entity. This includes overseeing the financial
reporting process, subject matter, or program under audit including
related internal controls. In certain entities covered by GAGAS, those
charged with governance also may be part of the entity's management. In
some audit entities, multiple parties may be charged with governance,
including oversight bodies, members or staff of legislative committees,
boards of directors, audit committees, or parties contracting for the
audit.

Because the governance structures of government entities and organizations
can vary widely, it may not always be clearly evident who is charged with
key governance functions. In these situations, auditors evaluate the
organizational structure for directing and controlling operations to
achieve the entity's objectives. This evaluation also includes how the
government entity delegates authority and establishes accountability for
its management personnel.

Management's Role in Accountability

A1.03 Officials of the audited entity (for example, managers of a state or
local governmental entity or a nonprofit entity that receives federal
awards) are responsible for:

a.
           using government resources efficiently, economically, effectively,
           equitably, and legally to achieve the purposes for which the
           resources were furnished or the program was established;120

b.
           complying with applicable laws and regulations, including
           identifying the requirements with which the entity and the
           official must comply and implementing systems designed to achieve
           that compliance;

c.
           establishing and maintaining effective internal control to help
           ensure that appropriate goals and objectives are met; using
           resources efficiently, economically, effectively, and equitably,
           and safeguarding resources; following laws and regulations; and
           ensuring that management and financial information is reliable and
           properly reported;

d.
           providing appropriate reports to those who oversee their actions
           and to the public in order to be accountable for the resources and
           authority used to carry out government programs and the results of
           these programs;

e.
           addressing the findings and recommendations of auditors, and for
           establishing and maintaining a process to track the status of such
           findings and recommendations; and

f.
           following sound procurement practices when contracting for audits
           and attestation engagements, including ensuring procedures are in
           place for monitoring contract performance.

A1.04 Management of the audited entity is responsible for resolving audit
findings and recommendations and for having a process to track progress in
resolving the findings and recommendations.

This responsibility applies to all resources, both financial and physical,
as well as informational resources, whether entrusted to public officials
or others by their own constituencies or by other levels of government.

A1.05 Management of the audited entity is responsible for taking timely
and appropriate steps to remedy fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that auditors report
to it.

Laws, Regulations, and Guidelines that Require Use of GAGAS

A1.06 The following are among the laws, regulations, and guidelines that
require use of GAGAS:

a.
           The Inspector General Act of 1978, as amended, 5 U.S.C. App.
           (2000) requires that the statutorily appointed federal inspectors
           general comply with GAGAS for audits of federal establishments,
           organizations, programs, activities, and functions. The act
           further states that the inspectors general shall take appropriate
           steps to assure that any work performed by nonfederal auditors
           complies with GAGAS.

b.
           The Chief Financial Officers Act of 1990 (Public Law 101-576), as
           expanded by the Government Management Reform Act of 1994 (Public
           Law 103-356), requires that GAGAS be followed in audits of
           executive branch departments' and agencies' financial statements.

c.
           The Single Audit Act Amendments of 1996 (Public Law 104-156)
           require that GAGAS be followed in audits of state and local
           governments and nonprofit entities that receive federal awards.121
           Office of Management and Budget (OMB) Circular A-133, Audits of
           States, Local Governments, and Non-Profit Organizations, which
           provides the governmentwide guidelines and policies on performing
           audits to comply with the Single Audit Act, also requires the use
           of GAGAS.

d.
           The Accountability of Tax Dollars Act of 2002 extends the
           requirement to prepare and submit audited financial statements to
           most executive agencies not subject to the Chief Financial
           Officers Act unless they are exempted by OMB. These covered
           agencies are required to follow GAGAS in their financial statement
           audits, but are not required to have systems that are compliant
           with FFMIA.

Under the Single Audit Act, as amended, federal awards include federal
financial assistance (grants, loans, loan guarantees, property,
cooperative agreements, interest subsidies, insurance, food commodities,
direct appropriations, or other assistance) and cost-reimbursement
contracts.

A1.07 Other laws, regulations, or other authoritative sources could
require the use of GAGAS. For example, auditors at the state and local
levels of government may be required by state and local laws and
regulations to follow GAGAS. Also, auditors may be required by the terms
of an agreement or contract to comply with GAGAS. Auditors may also be
required by federal audit guidelines pertaining to program requirements,
such as those issued for Housing and Urban Development programs and
Student Financial Aid programs.

A1.08 Even if not required to do so, auditors may find it useful to follow
GAGAS in performing audits of federal, state, and local government
programs as well as in performing audits of government awards administered
by contractors, nonprofit entities, and other nongovernment entities. Many
audit organizations not formally required to do so, both in the United
States of America and in other countries, voluntarily follow GAGAS.

Information to Accompany Chapter 3

A3.01 Chapter 3 discusses the general standards applicable when performing
financial audits, attestation engagements, and performance audits under
GAGAS. Auditors may also provide professional services other than audits
and attestation engagements, which are sometimes referred to as consulting
services. GAGAS do not cover nonaudit services since such services are not
audits or attestation engagements. If an audit organization decides to
perform nonaudit services, its independence for performing audits or
attestation engagements may be impacted. Nonaudit services that may
impair or do impair auditor independence are discussed in chapter 3. The
following supplemental guidance provides examples of nonaudit services
that are often provided by government audit organizations without
impairing their independence with respect to entities for which they
provide audit or attest services, to assist auditors and audited entities
in identifying such services.

Nonaudit Services

A3.02 Government audit organizations frequently are requested to provide
or are required to provide nonaudit services that differ from the
traditional professional services provided to or for an audit/attest
entity. These types of nonaudit services are often performed in response
to a statutory requirement, under the authority of the audit organization,
or for a legislative oversight body or an independent external
organization and generally do not impair auditor independence. (The
requirements for evaluating whether nonaudit services impair auditor
independence are in chapter 3, paragraphs 3.24 through 3.35.)

A3.03 Examples of the types of services under this category include the
following:

a. Providing information or data to a requesting party without auditor
evaluation or verification of the information or data;

b. Developing standards, methodologies, audit guides, audit programs, or
criteria for use throughout the government or for use in certain specified
situations;

c. Collaborating with other professional organizations to advance auditing
of government organizations;

d. Developing question and answer documents to promote understanding of
technical issues or standards;

e. Providing assistance and technical expertise to legislative bodies or
independent external organizations and assisting legislative bodies by
developing questions for use at a hearing;

f. Providing training, speeches, and technical presentations;

g. Developing surveys, collecting responses on behalf of others, and
reporting results as "an independent third party;"

h. Providing oversight assistance in reviewing budget submissions;

i. Contracting for audit services on behalf of an audited entity and
overseeing the audit contract, as long as the overarching principles are
not violated and the auditor under contract reports to the audit
organization and not to management;

j. Assessing the advantages and disadvantages of legislative proposals;

k. Identifying best practices for users in evaluating program or
management system approaches, including financial and information
management systems; and

l. Audit, investigative, and oversight-related services that do not
involve a full-scope GAGAS audit (but which could be performed as an
audit, if the audit organization elects to do so), such as:

     (1) Investigations of alleged fraud, violation of contract provisions
     or grant agreements, or abuse;

     (2) Review-level work such as sales tax reviews that are designed to
     ensure the governmental entity receives from businesses, merchants
     and vendors all of the sales taxes to which it is entitled;

     (3) Periodic audit recommendation follow-up engagements and reports;

     (4) Identifying best practices or leading practices for use in
     advancing the practices of government organizations;

     (5) Analyzing cross-cutting and emerging issues; and

     (6) Providing forward-looking analysis involving programs.

Information to Accompany Chapter 7

A7.01 Chapter 7 discusses the field work standards for performance audits.
An integral concept for performance auditing is the use of sufficient,
appropriate evidence based on the audit objectives to support a sound
basis for audit findings, conclusions, and recommendations. The following
discussion is provided to assist auditors in identifying the various types
of evidence and assessing the appropriateness of information or evidence
in relation to the audit objectives.

Types of Evidence

A7.02 In terms of its form and how it is collected, evidence may be
categorized as physical, documentary, or testimonial. Physical evidence is
obtained by auditors' direct inspection or observation of people,
property, or events. Such evidence may be documented in memoranda,
photographs, videos, drawings, charts, maps, or physical samples.
Documentary evidence is obtained in the form of already existing
information such as letters, contracts, accounting records, invoices,
spreadsheets, database extracts, electronically stored information, and
management information on performance. Testimonial evidence is obtained
through inquiries, interviews, focus groups, public forums, or
questionnaires. Auditors frequently use analytical processes including
computations, comparisons, separation of information into components, and
rational arguments to analyze any information gathered to determine
whether it is sufficient and appropriate.[122]

Appropriateness of Information in Relation to the Audit Objectives

A7.03 One of the primary factors influencing the assurance associated with
a performance audit is the appropriateness of the information in relation
to the audit objectives. For example:

a. The audit objectives might focus on verifying specific quantitative
results presented by the audited entity. In these situations, the
performance audit would likely provide reasonable assurance about the
accuracy of the specific amounts in question. This work may include the
possible use of statistical sampling.

b. The audit objectives might focus on the performance of a specific
program or activity in the agency being audited. In this situation, the
auditor may have to use specific information compiled by the agency being
audited in order to answer the audit objectives. In this situation, the
auditor may find it necessary to test the quality of the information,
which includes both its validity and reliability.

c. The audit objectives might focus on information that is used for widely
accepted purposes and obtained from sources generally recognized as
appropriate. For example, economic statistics issued by government
agencies for purposes such as adjusting for inflation, or other such
information issued by authoritative organizations, may be the best
information available. In such cases, it may not be practical or necessary
for auditors to conduct procedures to verify the information. These
decisions call for professional judgment based on the nature of the
information, its common usage or acceptance, and how it is being used in
the audit. Paragraphs 7.56 through 7.62 in chapter 7 discuss the factors
the auditor should consider.

d. The audit objectives might focus on comparisons or benchmarking between
various government functions or agencies. These types of audits are
especially useful for analyzing the outcomes of various public policy
decisions. In these cases, auditors may perform analyses, such as
comparative statistics of different jurisdictions or changes in
performance over time, where it would be cost prohibitive and/or
impractical to do a verification of the detailed data underlying the
statistics. Clear disclosure as to what extent the comparative information
or statistics were evaluated or corroborated will place the information in
proper context for report users.

e. The audit objectives might focus on trend information. In this
situation, auditors may use overall analytical tests, combined with a
knowledge and understanding of the systems or processes used for compiling
information.

f. The audit objectives might focus on the auditor identifying emerging
and cross-cutting issues using information compiled or self-reported by
agencies. In such cases, it may be helpful for the auditor to consider the
overall appropriateness of the compiled information with other information
available about the program. Other sources of information, such as
Inspector General reports or other external audits, may provide the
auditors with information regarding whether any unverified or
self-reported information is consistent with or can be corroborated by
these other external sources of information.

[122] See paragraphs 7.56 and 7.63 for definitions of appropriate and
sufficient.

Members of the Comptroller General's Advisory Council on Government
Auditing Standards

Mr. Jack R. Miller, Chair, KPMG LLP (Retired) (member 1997-1998; chair
2001-2008)

The Honorable Ernest A. Almonte, Office of the Auditor General, State of
Rhode Island (member 2001-2008)

Dr. Paul A. Copley, James Madison University (member 2005-2008)

Mr. David Cotton, Cotton & Co. LLP (member 2006-2009)

The Honorable Debra K. Davenport, Office of the Auditor General, State of
Arizona (member 2002-2005)

Ms. Kristine Devine, Deloitte & Touche, LLP (member 2005-2008)

Dr. John H. Engstrom, Northern Illinois University (member 2002-2005)

The Honorable Richard L. Fair, Office of the State Auditor, State of New
Jersey (member 2002-2005)

Dr. Ehsan Feroz, University of Minnesota Duluth (member 2002-2009)

The Honorable Phyllis Fong, U.S. Department of Agriculture (member
2004-2006)

Mr. Alex Fraser, Standard & Poor's (member 2006-2009)

The Honorable Gregory H. Friedman, U.S. Department of Energy (member
2002-2005)

Mr. Mark Funkhouser, Office of City Auditor, Kansas City, Missouri (member
2005-2008)

Dr. Michael H. Granof, University of Texas at Austin (member 2005-2008)

Mr. Jerome Heer, Office of the County Auditor, Milwaukee, Wisconsin
(member 2004-2006)

Ms. Marion Higa, Office of State Auditor, State of Hawaii (member
2006-2009)

The Honorable John P. Higgins, Jr., U.S. Department of Education (member
2005-2008)

Mr. Russell Hinton, Office of the State Auditor, State of Georgia (member
2004-2006)

Mr. Richard A. Leach, United States Navy (member 2005-2008)

Mr. Patrick L. McNamee, PricewaterhouseCoopers, LLP (member 2005-2008)

Mr. Rakesh Mohan, Office of Performance Evaluations, Idaho State
Legislature (member 2004-2006)

The Honorable Samuel Mok, U.S. Department of Labor (member 2006-2009)

Mr. Harold L. Monk, Davis Monk & Company, CPAs (member 2002-2009)

Mr. William Monroe, Office of Auditor General, State of Florida (member
2004-2006)

Mr. Stephen L. Morgan, Office of the City Auditor, Austin, Texas (member
2001-2008)

Mr. Robert M. Reardon, Jr., State Farm Insurance Companies (member
2002-2005)

Mr. Brian A. Schebler, McGladrey & Pullen, LLP (member 2005-2008)

Mr. Gerald Silva, Office of the City Auditor, San Jose, California (member
2002-2009)

Mr. Barry R. Snyder, Federal Reserve Board (member 2001-2008)

Mr. James R. Speer, JP Associates, Inc. (member 2004-2006)

Dr. Daniel Stufflebeam, Western Michigan University (member 2002-2009)

The Honorable Nikki Tinsley, U.S. Environmental Protection Agency (member
2002-2005)

Mr. George Willie, Bert Smith & Co. (member 2004-2006)

GAO Project Team:

Jeffrey C. Steinhoff, Managing Director
Jeanette M. Franzel, Project Director
Marcia B. Buchanan, Assistant Director
Gail F. Vallieres, Assistant Director
Michael C. Hrapsky, Senior Project Manager
Heather I. Keister, Senior Auditor
Maxine L. Hattery, Communications Analyst
Jennifer V. Allison, Council Administrator

(194574)