Government Auditing Standards: 2006 Revision (Exposure Draft)
(01-JUN-06, GAO-06-729G).
This is the Exposure Draft of the Government Auditing Standards
2006 revision. This document outlines standards that contain
requirements for auditor reporting on internal control. The
revision supersedes the 2003 revision.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-729G
ACCNO: A55400
TITLE: Government Auditing Standards: 2006 Revision (Exposure
Draft)
DATE: 06/01/2006
SUBJECT: Auditing procedures
Auditing standards
Cost accounting
Federal advisory bodies
Federal agencies
Internal auditors
Internal audits
Standards evaluation
Yellow Book
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-729G
United States Government Accountability Office
By the Comptroller General of the United States
GAO
June 2006 Government
Auditing
Standards
2006 Revision Exposure Draft
GAO-06-729G
United States Government Accountability Office Washington, DC 20548
June 2006
TO AUDIT OFFICIALS AND OTHERS INTERESTED IN GOVERNMENT AUDITING STANDARDS
GAO invites your comments on the accompanying proposed changes to
Government Auditing Standards(GAGAS), commonly known as the "Yellow Book."
These changes propose revisions throughout the entire set of standards.
This letter describes the process used by GAO for revising GAGAS,
summarizes the proposed major changes, discusses proposed effective dates,
and provides instructions for submitting comments on the proposed
standards.
Process for Revising GAGAS
To help ensure that the standards continue to meet the needs of the audit
community and the public it serves, the Comptroller General of the United
States appointed the Advisory Council on Government Auditing Standards to
review the standards and recommend necessary changes. The Advisory Council
includes experts in financial and performance auditing drawn from all
levels of government, private enterprise, public accounting, and academia.
This exposure draft of the standards includes the Advisory Council's
suggestions for proposed changes. We are currently requesting public
comments on the proposed revisions in the exposure draft.
Summary of Major Changes
The proposed 2006 revision to GAGAS will be the fifth revision since the
standards were first issued in 1972. The 2006 Yellow Book exposure draft
seeks to emphasize the critical role of high quality government audits in
achieving credibility and accountability in government. The overall focus
of the proposed 2006 revised standards includes an increased emphasis on
audit quality and ethics and an extensive update of the performance audit
standards to include a specified level of assurance within the context of
risk and materiality. In addition, this proposed revision modernizes
GAGAS, with updates to reflect major developments in the accountability
and audit environment. Finally, clarifications have been made throughout
the standards.
The standards are organized by separate chapters as follows:
Chapter 1 - Use and Application of GAGAS
Chapter 2 - Auditor's Ethical Responsibilities
Chapter 3 - General Standards
Chapter 4-Field Work Standards for Financial Audits
GAO-06-729G Government Auditing Standards Exposure Draft
Chapter 5-Reporting Standards for Financial Audits
Chapter 6 - General, Field Work, and Reporting Standards for Attestation
Engagements
Chapter 7 - Field Work Standards for Performance Audits
Chapter 8 - Reporting Standards for Performance Audits
Appendix - Explanatory materials that do not represent GAGAS requirements.
Effective Dates
When issued in final, the 2006 revision will supersede the 2003 revision
of the standards. We anticipate that, when finalized, standards will
become effective for audits beginning on or after July 1, 2007. For
financial audits, certain standards issued by the Auditing Standards Board
(ASB) of the American Institute of Certified Public Accountants have
earlier effective dates. For financial audits performed under GAGAS, the
effective dates of the new ASB standards will apply.
Instructions for Commenting
The draft of the proposed changes to Government Auditing Standards, 2006
Revision,is only available in electronic format and can be downloaded from
GAO's Yellow Book Web Page at http://www.gao.gov/govaud/ybk01.htm.
We are requesting comments on this draft from audit officials and
financial management at all levels of government, the public accounting
profession, academia, professional organizations, public interest groups,
and other interested parties. To assist you in developing your comments,
specific issues are presented in an enclosure to this letter, along with a
detailed list of proposed changes. We encourage you to comment on these
issues and any additional issues that you note. Please associate your
comments with specific references to issue numbers and/or paragraph
numbers in the proposed standards and provide your rationale for any
proposed changes, along with suggested revised language. Please send your
comments electronically to [email protected] no later than August 15,
2006.
If you need additional information please call Michael Hrapsky, Senior
Project Manager, Financial Management and Assurance at (202) 512-9535, or
Jeanette Franzel, Director, at (202) 512-9471.
Sincerely yours,
Jeffrey C. Steinhoff Managing Director Financial Management and Assurance
Enclosures
GAO-06-729G Government Auditing Standards Exposure Draft
ii
Enclosure 1 Enclosure 1
Questions for Commenters
The following discussion and questions are provided to guide users in
commenting on the proposed 2006 revision of Government Auditing Standards.
We encourage you to comment on these issues and any additional issues that
you note. Please associate your comments with specific references to issue
numbers and/or paragraph numbers in the proposed standards.
Chapter 1 - Use and Application of GAGAS
1. The section entitled, "Use of Terminology to Define Professional
Requirements in GAGAS" was added to clarify the auditor's responsibilities
and to achieve consistency with other standard setting bodies. This new
section is consistent with the AICPA Statement on Auditing Standards (SAS)
No. 102, Defining Professional Requirements in Statements on Auditing
Standards issued by the Auditing Standards Board (ASB) of the American
Institute of CPAs (AICPA) and with the approach taken by the Public
Company Accounting Oversight Board (PCAOB). GAGAS requirements have also
been rewritten in accordance with the terminology set forth in this
section. This approach is intended to clarify auditors' responsibilities
and assist auditors in applying the standards.
Please comment on the application and use of this terminology throughout
the proposed revision to GAGAS.
2. The section entitled "Citing Compliance with GAGAS in the Auditor's
Report" was added to clarify auditor responsibilities and to provide
guidance to auditors in situations where they are unable to follow or
chose not to follow certain standards. Complementary guidance is also
provided in chapters 5 and 8.
Please comment on the application and use of this guidance for citing
compliance with GAGAS in auditors' reports.
Chapter 2 - Auditor's Ethical Responsibilities
3. Chapter 2 is devoted solely to emphasizing the ethical responsibilities
of government auditors. In the 2003 revision, GAGAS made reference to
ethical responsibilities throughout Chapter 1. This 2006 revision adds
clarity and emphasis to the discussion of ethical responsibilities of
government auditors to uphold and protect the public trust. This chapter
employs a principles-based framework of concepts that government auditors
use to guide all of their work.
Please comment on the framework discussed in this chapter.
GAO-06-729G Government Auditing Standards Exposure Draft
iii Enclosure 1 Enclosure 1
Chapter 3 - General Standards
impact on auditor
independence has been significantly streamlined and reorganized from
the 2003 revision of the standards to provide clarity. The discussion
is in paragraphs 3.30 through 3.35. Additional information on
nonaudit services that are generally unique to government audit
organizations is presented in the appendix, paragraphs A3.02 through
A3.03.
related elements.
rance system.
The transparency requirement is intended to increase accountability and
emphasize the importance of quality for audit organizations that perform
audits under GAGAS. The revisions to peer review time frames are risk
based and emphasize quality and a rigorous annual inspection program. (The
previous standard set the same requirement for all audit organizations,
regardless of peer review results or the underlying quality assurance
system.)
Please comment on the transparency requirements and the risk-based
approach to peer review time frames.
Chapters 4 and 5 - Financial Audits
7. The audit documentation standard has been updated and expanded based on
the ASB's revised standard, SAS No. 103, Audit Documentation. Paragraphs
4.22 through
4.39 are consistent with the AICPA standard. Paragraphs 4.40 and 4.41 are
additional GAGAS standards to deal with unique issues associated with
auditing in the government environment. The use of these standards is
consistent for attest engagements (chapter 6) and performance audits
(chapter 7). The overall goal of these revisions was consistency with the
ASB standard and among the different types of GAGAS audits.
Please comment on the adoption of this standard.
GAO-06-729G Government Auditing Standards Exposure Draft
iv Enclosure 1 Enclosure 1
8. The financial audit reporting standards have been updated to conform
with the ASB's and PCAOB's definitions of material weakness and
significant deficiency in internal controls. The definitions and related
guidance are provided in paragraphs 5.13 and 5.14. The overall goal of
adopting these revised definitions is to achieve consistency with the
other standards setters. These definitions may be further clarified in the
future by the other standards-setters, and we will continue to work
closely with them. The application of these new definitions could affect
the number and type of internal control weaknesses reported in GAGAS
audits.
Please comment on additional clarity or guidance that would assist in
implementing these new definitions.
Chapters 7 and 8 - Performance Audits
9. The standards for performance audits have been significantly revised to
include a specified level of assurance within the context of audit risk
and significance (materiality).
The level of assurance for performance audits is defined in paragraph 1.35
and incorporated throughout the performance audit standards in chapters 7
and 8. The level of assurance for performance audits is achieved within
the context of significance (materiality) and audit risk. The description
of significance and audit risk is included in paragraphs 7.04 through
7.06, and the standards in chapters 7 and 8 have been written within this
context.
Please comment on the discussion of levels of assurance, significance,
audit risk, and their application throughout the performance audit
standards.
10. Significant discussion has been added to chapters 7 and 8 about the
level of evidence needed to achieve the audit objectives in a performance
audit. This discussion uses the terminology "sufficient, appropriate
evidence" for consistency with other auditing standards setters. The
intent of the discussion of sufficient, appropriate evidence is to provide
clarity and guidance for making professional judgments about the levels of
evidence needed to achieve the audit objectives.
Please comment on the clarity of the standards and the discussion of
sufficient appropriate evidence.
GAO-06-729G Government Auditing Standards Exposure Draft
v Enclosure 1 Enclosure 1
Overall
17 through
6.22), and performance audits (7.34) has been clarified, but no
change was made to the auditor's responsibility for abuse. The
changes were in response to questions received about implementing the
standard on abuse.
your comments any specific examples of abuse you have
identified, along with supporting audit reports.
any Accounting Oversight Board (PCAOB), International
Auditing and Assurance Standards Board (IAASB), and the American
Institute of Certified Public Accountants (AICPA) have adopted similar
standards to clarify auditors' responsibilities. GAGAS terminology is
consistent with the AICPA's Statement on Auditing Standards No. 102,
Defining Professional Requirements in Statements on Auditing
Standards.
o All chapters were significantly revised to clarify auditors'
responsibilities and to avoid the confusion that existed in previous
versions of GAGAS through the use of the passive voice and other
references that were unclear as to the requirement placed on the
auditors.
Citing Compliance with GAGAS in the Auditors' Report provides guidance on
citing GAGAS in the auditors' report when auditors do not comply with all
unconditional or all presumptively mandatory requirements. (1.13 - 1.15)
Relationship Between GAGAS and Other Professional Standards has been
updated to recognize that other sets of professional standards, such as
those issued by the PCAOB and the IAASB, the Institute of Internal
Auditors, and others can be used in conjunction with GAGAS and provides
related guidance. (1.16 - 1.20)
Types of Government Audits and Attestation Engagements has been modified
to re-write the description of a performance audit to clarify the level of
assurance and evidence needed. The concept of equity as a potential
performance audit objective was incorporated, and examples of the types of
performance audits were updated. (1.21 - 1.42)
Chapter 2 - Auditors' Ethical Responsibilities
Chapter 2 has been completely revised to focus solely on audit
organizations' overall ethics responsibilities and auditors' need to
observe overarching ethical concepts in performing their work. (2.01 -
2.16) Other materials that had previously been in Chapter 2 have been
included in Chapter 1 of the draft.
o Several of the ethical concepts in this chapter were included in the
2003 GAGAS revision in Chapter 1 under "Auditors' Responsibilities," but
they were not separately labeled as ethical responsibilities.
vii
Enclosure 2 Enclosure 2
o The revised Chapter 2 describes the following ethical concepts that
auditors use to guide their work:
standard on
nonaudit services was not changed. Specifically, the discussion of
nonaudit services was moved from "personal" to "organizational"
impairments because it is often the audit organization's independence that
is impaired rather than that of the individual auditor, reorganized the
guidance into three categories of nonaudit services, and consolidated and
streamlined examples that had previously been interspersed throughout the
independence section. (3.02 - 3.35)
* The three distinct categories of nonaudit services are:
* 1. Nonaudit services that do not impair auditor independence and,
therefore, do not require compliance with the supplemental
safeguards. (3.30a and
* 3.31 - 3.32)
nce was expanded to describe five elements that
should be present in an audit organization's system of quality control:
(1) ethics, (2) initiation and continuance of engagements, (3) human
capital, (4) performance and reporting, and
(5) monitoring quality. (3.61)
viii
Enclosure 2 Enclosure 2
External Peer Review has been changed to include a transparency
requirement that audit organizations that report externally to third
parties make peer review results publicly available (3.68). The section
also establishes new peer review time frames based on risk and the
underlying quality assurance system (3.69) Audit organizations are
required to have a peer review
o within 18 months, if the most recent peer review opinion is adverse or
modified, and every 18 months thereafter until the audit organization
receives an unmodified opinion
o every 3 years if the audit organization has an unmodified peer review
opinion and does not meet the enhanced quality assurance criteria for
a 5-year cycle or does not chose a 5-year period
o every 5 years if the audit organization has an unmodified peer review
opinion and elects to meet the enhanced quality assurance criteria in
3.70.
* developed required enhanced quality assurance criteria for audit
organizations electing a 5-year peer review cycle, including
en assertion that is
consistent with the results of the audit organization's
monitoring and inspection processes about the effectiveness
of its quality assurance program [3.70b(3)].
Chapter 4-Field Work Standards for Financial Audits
The following changes have been made to update and clarify the standards
for field work:
* update of the AICPA field work standards cited to reflect recent
AICPA changes
* (4.04)
o addition of a clear and prominent discussion on consideration of fraud
and illegal acts which clarifies the existing standard (4.07 - 4.08),
o clarifications to the description of abuse and the existing standard
on the auditors' responsibility for abuse in a financial audit that is
material, either qualitatively or quantitatively (4.18 - 4.19), and
o update of the audit documentation standard for consistency with
AICPA's new standard (4.22 - 4.41).
ix
Enclosure 2 Enclosure 2
Chapter 5-Reporting Standards for Financial Audits
The following changes have been made to update and clarify the reporting
standards:
o update of definitions and terminology for internal control
deficiencies to achieve consistency with PCAOB and AICPA terminology
(5.12 - 5.15),
o clarification of reporting requirements for internal control
deficiencies, illegal acts, violations of provisions of contracts or
grant agreements, or abuse (5.12 - 5.27),
* addition of a section on emphasizing significant matters in the
auditors' report
* (5.28 - 5.31),
o addition of a section on reporting on restatement of previously-issued
financial statements (5.32 - 5.38), and
o clarification of the auditors' responsibilities for reporting views of
responsible officials (5.39 - 5.44) and for issuing and distributing
reports (5.48 - 5.51).
Chapter 6 - General, Field Work, and Reporting Standards for Attestation
Engagements
Conforming changes were made to chapter 6 for consistency with changes in
chapters 4 and 5.
Chapter 7 - Field Work Standards for Performance Audits
The field work standards for performance audits have been significantly
revised within a framework related to significance (materiality), audit
risk, and reasonable assurance. The following changes were made:
o addition of a section on the concept of significance in a performance
audit (7.04 - 7.05),
o addition of a section discussing audit risk (7.06),
o definition of the level of assurance associated with a performance
audit as providing reasonable assurance that auditors have adequate
support to achieve the audit objectives and reach conclusions (7.13),
o clarification throughout chapter 7 of the levels of evidence needed to
achieve audit objectives, recognizing that objectives vary and,
therefore, so will the nature of evidence needed,
o incorporation of the concept of risk into the auditors' planning and
evaluation process,
o inclusion of a section on information systems controls for the purpose
of assessing audit risk and planning the audit (7.25 - 7.27),
o emphasis of auditors' professional judgment and the focus of audit
work in relation to the audit objectives,
o clarification of the auditors' responsibility for responding to
indications of potential fraud (7.31 - 7.33),
o clarification of the auditors' responsibility for abuse (7.34),
x
Enclosure 2 Enclosure 2
* incorporation throughout the standard of the concept of
"sufficient, appropriate evidence" to replace "sufficient,
competent, and relevant evidence." This terminology is consistent
with other standards setters. (7.53 - 7.69)
ity in providing
support for audit objectives.
2)
7.92)
Chapter 8 - Reporting Standards for Performance Audits
The reporting standards were streamlined and conforming changes were made
to reflect changes in Chapter 7. The auditors' responsibilities for
reporting the views of responsible officials (8.35 - 8.40) and report
issuance and distribution (8.44 - 8.47) were clarified.
Appendix
An appendix has been added to provide supplemental guidance to assist
auditors in the implementation of GAGAS. This guidance does not establish
additional GAGAS requirements.
xi
CONTENTS
LETTER...................................................................................................
i
QUESTIONS FOR
COMMENTERS.............................................................
iii
SUMMARY OF MAJOR
CHANGES............................................................. vii
CHAPTER
1................................................................................................................1
USE AND APPLICATION OF GAGAS
......................................................................1
Introduction
..............................................................................................................1
Purpose and Applicability of
GAGAS.......................................................................1
Use of Terminology to Define Professional Requirements in GAGAS
...................3
Citing Compliance with GAGAS in the Auditors' Report
.......................................5
Relationship Between GAGAS and Other Professional Standards
........................6
Types of Government Audits and Attestation
Engagements..................................8
Financial Audits
........................................................................................................................
9
Attestation
Engagements.......................................................................................................
10
Performance
Audits................................................................................................................
12
Nonaudit Services Provided by Audit
Organizations......................................................... 18
CHAPTER
2..............................................................................................................19
AUDITORS' ETHICAL
RESPONSIBILITIES..........................................................19
Introduction
............................................................................................................19
Overarching Ethical Concepts
................................................................................20
The Public Interest
.................................................................................................................
21
Professional Behavior
............................................................................................................
21
Integrity....................................................................................................................................
22
Objectivity
...............................................................................................................................
22
Proper Use of Government Information, Resources, and Position
................................. 23
GENERAL STANDARDS
.........................................................................................25
Introduction
............................................................................................................25
xii
Independence...........................................................................................................25
Personal Impairments
............................................................................................................27
External Impairments
............................................................................................................30
Organizational Independence
...............................................................................................
31
Organizational Independence When Reporting Externally to Third Parties:
....................... 32
Organizational Independence When Reporting Internally to Management (as an
internal audit function)
.......................................................................................................................
34
Organizational Independence When Performing Nonaudit Services
................................... 36
Professional
Judgment............................................................................................45
Competence
.............................................................................................................47
Technical Knowledge and Competence
..............................................................................
48
Additional Qualifications for Financial Audits and Attestation
Engagements............... 49
Continuing Professional Education
.....................................................................................
50
Quality Control and Assurance
..............................................................................52
System of Quality Control
.....................................................................................................
52
External Peer
Review.............................................................................................................
55
CHAPTER
4..............................................................................................................63
CHAPTER
4..............................................................................................................63
FIELD WORK STANDARDS FOR FINANCIAL AUDITS
.......................................63
Introduction
............................................................................................................63
AICPA Field Work Standards
.................................................................................63
Additional Considerations for Financial Audits in Government
...................................... 64
Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees
...................................................................................................................................
65
Additional GAGAS
Standards.................................................................................66
Auditor Communication
........................................................................................................
67
Previous Audits and Attestation
Engagements...................................................................69
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from
Abuse........................................................................................
70
Developing Elements of a Finding
.......................................................................................
71
Audit
Documentation.............................................................................................................72
CHAPTER
5..............................................................................................................78
REPORTING STANDARDS FOR FINANCIAL AUDITS
.........................................78
Introduction
............................................................................................................78
xiii
AICPA Reporting Standards
...................................................................................78
Additional GAGAS Reporting Standards for Financial
Audits.............................79
Reporting Auditors' Compliance with GAGAS
................................................................... 80
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant
Agreements....................................................................
81
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse
.................................................. 82
Reporting Deficiencies in Internal
Control...........................................................................
82
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or
Abuse...........................................................................................................
86
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or
Abuse.................................................................................................
88
Emphasizing Significant Matters in the Auditors' Report
................................................. 89
Reporting on Restatement of Previously-Issued Financial Statements
.......................... 91
Reporting Views of Responsible Officials
...........................................................................
95
Reporting Privileged and Confidential
Information........................................................... 97
Issuing and Distributing Reports
..........................................................................................
97
CHAPTER
6............................................................................................................100
GENERAL, FIELD WORK, AND REPORTING STANDARDS FOR ATTESTATION
ENGAGEMENTS....................................................................................................100
Introduction
..........................................................................................................100
AICPA General and Field Work Standards for Attestation Engagements
........100
Additional Considerations for Attestation Engagements in
Government..................... 101
Additional GAGAS Field Work Standards for Attestation
Engagements..........102
Auditor Communication
......................................................................................................
103
Previous Audits and Attestation
Engagements.................................................................104
Internal Control
....................................................................................................................
105
Detecting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse That Could Have a Material Effect
on the Subject Matter ....... 106
Developing Elements of Findings for Attestation
Engagements.................................... 109
Attest Documentation
..........................................................................................................
110
AICPA Reporting Standards for Attestation
Engagements................................116
Additional GAGAS Reporting Standards for Attestation
Engagements............117
Reporting Auditors' Compliance with GAGAS
................................................................. 117
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse
................................................ 118
Reporting Deficiencies in Internal
Control.........................................................................
118
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or
Abuse...............................................................................................
121
Reporting Views of Responsible Officials
.........................................................................
123
Reporting Privileged and Confidential
Information......................................................... 124
Issuing and Distributing Reports
........................................................................................
125
xiv
CHAPTER
7............................................................................................................127
FIELD WORK STANDARDS FOR PERFORMANCE
AUDITS..............................127
Introduction
..........................................................................................................127
Significance in a Performance
Audit....................................................................127
Audit Risk
..............................................................................................................128
Sufficient, Appropriate
Evidence.........................................................................129
Planning
.................................................................................................................129
Nature and Profile of the Program
.....................................................................................
132
Internal Control
....................................................................................................................
135
Information Systems Controls
............................................................................................
138
Legal and Regulatory Requirements, Contract Provisions, or Grant
Agreements, Potential Fraud, or
Abuse....................................................................................................
140
Legal and Regulatory Requirements, Contracts, and Grants
.............................................. 141
Fraud
...................................................................................................................................
141
Abuse
..................................................................................................................................
143
Previous Audits and Attestation
Engagements.................................................................144
Identifying Audit
Criteria.....................................................................................................
144
.................................................................................................................................................
145 Identifying Sources of Audit Evidence and the Amount and Type of
Evidence Required Considering Work of
Others................................................................................................146
Assigning Staff and Other
Resources.................................................................................
147
Communicating with Management, Those Charged with Governance, and Others
.... 148
Preparing the Audit Plan
.....................................................................................................
149
Supervision
............................................................................................................150
Obtaining Sufficient, Appropriate Evidence
.......................................................151
Appropriateness....................................................................................................................
151
Sufficiency
.............................................................................................................................
154
Overall Assessment of Evidence
........................................................................................
155
Audit
Findings.......................................................................................................................
158
Audit Documentation
............................................................................................159
CHAPTER
8............................................................................................................166
REPORTING STANDARDS FOR PERFORMANCE AUDITS
...............................166
Introduction
..........................................................................................................166
xv
Reporting
...............................................................................................................166
Report Contents
....................................................................................................167
Objectives, Scope, and Methodology
.................................................................................
167
Findings
.................................................................................................................................
169
Reporting Deficiencies in Internal
Control.........................................................................
172
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or
Abuse.........................................................................................................
173
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of Contracts or Grant Agreements, or
Abuse...............................................................................................
174
Conclusions
...........................................................................................................................
175
Recommendations................................................................................................................
176
Statement on Compliance with GAGAS
............................................................................
176
Reporting Views of Responsible Officials
.........................................................................
177
Reporting Privileged and Confidential
Information......................................................... 179
Report Issuance and Distribution
........................................................................180
APPENDIX
.............................................................................................................181
Introduction
..........................................................................................................181
Overall Supplemental Guidance
...........................................................................181
Examples of Significant Deficiencies in Internal Control
............................................... 181
Examples of
Abuse...............................................................................................................
183
Examples of Indicators of Fraud Risk
...............................................................................
183
Determining Whether Laws, Regulations, or Provisions of Contracts or Grant
Agreements Are Significant to Audit Objectives
.............................................................. 184
Information to Accompany Chapter
1..................................................................185
The Role of Those Charged with Governance in Accountability
................................... 186
Management's Role in
Accountability................................................................................
186
Laws, Regulations, and Guidelines that Require Use of
GAGAS.................................... 188
Information to Accompany Chapters 3
................................................................189
Nonaudit
Services.................................................................................................................
190
Information to Accompany Chapter
7..................................................................192
Types of Evidence
................................................................................................................
192
Appropriateness of Information in Relation to the Audit Objectives
............................ 193
MEMBERS OF THE COMPTROLLER GENERAL'S ADVISORY COUNCIL ON GOVERNMENT
AUDITING STANDARDS................................................... 196
xvi
Chapter 1 Use and Application of GAGAS
Introduction
s.
Legislators, government officials, and the public need to know whether
(1) government manages public resources and uses its authority
properly and in compliance with laws and regulations, (2) government
programs are achieving their objectives and desired outcomes, (3)
government services are being provided efficiently, economically,
effectively, ethically, and equitably, and
(4) government managers are held fully accountable for their use of public
resources. Government auditing provides independent assessments of that
information for the benefit of those charged with oversight and for the
public.
Purpose and Applicability of GAGAS
1.03 The professional standards and guidance contained in this document,
often referred to as generally accepted government auditing standards
(GAGAS), are intended
1
The term equity in this context refers to the approaches used by a
government organization to provide services to citizens in a fair manner
within the context of the statutory parameters of the specific government
programs.
2
For additional information on management's responsibility, see appendix
paragraphs A1.01-A1.05.
for use by auditors3 of government entities and audit organizations4 to
help ensure that they perform high quality work with competence,
integrity, objectivity, and independence in planning, conducting, and
reporting on government audits. Auditors and audit organizations use GAGAS
when required by law, regulation, contract, grant agreement, or policy.
s should follow all applicable GAGAS
standards, and refer to compliance with GAGAS as set forth in
paragraphs 1.13 through 1.15.
ersight and
accountability of government programs and operations by requiring
auditors to objectively acquire and evaluate evidence and report the
results. When auditors perform their work in this manner and comply
with GAGAS in reporting the results, their work can lead to improved
government management, decision making and oversight, effective and
efficient operations, and accountability for resources and results.
Government auditing is also a key element in fulfilling the
government's duty to be accountable to the public.
3
The term "auditor" throughout this document includes individuals
performing work under GAGAS, and therefore, individuals who may have the
titles auditor, analyst, evaluator, inspector, or other similar titles.
4
The term "audit organizations" is used throughout the standards to refer
to government audit organizations as well as independent public accounting
firms that perform audits using GAGAS.
Use of Terminology to Define Professional Requirements in GAGAS
cted to fulfill. Rather, the professional
requirements are communicated by the language and the meaning of the
words used in GAGAS.
itional requirements. The auditor is required to comply with
an unconditional requirement in all cases in which the
circumstances exist to which the unconditional requirement
applies. GAGAS use the words mustor is required to indicate an
unconditional requirement.
b.
Presumptively mandatory requirements. The auditor is also required
to comply with a presumptively mandatory requirement in all cases
in which the circumstances exist to which the presumptively
mandatory requirement applies; however, in rare circumstances, the
auditor may depart from a presumptively mandatory requirement
provided the auditor documents his or her justification for the
departure and how the alternative procedures performed in the
circumstances were sufficient to achieve the objectives of the
presumptively mandatory requirement. GAGAS use the word shouldto
indicate a presumptively mandatory requirement.
The terminology used in GAGAS to designate professional requirements and
explanatory material is consistent with the AICPA's Statement on Auditing
Standard No. 102, Defining Professional Requirements in Statements on
Auditing Standards.
guidance for their application.
. That is, it may explain the objective of the
professional requirements (where not otherwise selfevident); explain
why the auditor might consider or employ particular procedures,
depending on the circumstances; or provide additional information for
the auditor to consider in exercising professional judgment in
performing the engagement.
r is not intended to
impose a professional requirement on the auditor to perform the
suggested procedures or actions. How and whether the auditor carries
out such procedures or actions in the engagement depends on the
exercise of professional judgment in the circumstances consistent with
the objective of the standard. The words may, might, and could are
used to describe these actions and procedures.
Citing Compliance with GAGAS in the Auditors' Report
1.13 Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS engagements, as appropriate,
based on the provisions of paragraphs 1.14 through 1.15.
a.
Unqualified GAGAS compliance statement. The auditors state that
the engagement was performed in accordance with GAGAS.
b.
Qualified GAGAS compliance statement. The auditors state that the
engagement was performed in accordance with GAGAS, except for
specific applicable standards that were not followed.
c.
Negative GAGAS compliance statement. The auditors state that the
engagement was not performed in accordance with GAGAS.
unconditional and/or
presumptively mandatory requirements, they should assess the
significance of not following the requirement to the scope of the
audit and the auditors' overall compliance with GAGAS and document the
assessment, along with the reasons for not following the standard.
Based on this assessment, the auditors should determine whether and to
what extent to disclose in the report the applicable standard(s) not
followed, the reasons for not following the standard(s), and how not
following the standards affected, or could have affected the audit. In
addition, auditors should consider modifying the GAGAS compliance
statement as follows. These determinations are a matter of
professional judgment:
a.
When auditors do not comply with all unconditional requirements
that are applicable based on the audit objectives, they should
determine whether to include a qualified GAGAS compliance
statement or a negative GAGAS compliance statement in the report.
b.
When auditors do not comply with all presumptively mandatory
requirements that are applicable based on the audit objectives,
they should determine whether to include a qualified GAGAS
compliance statement or an unqualified GAGAS compliance statement
in the report. When auditors have justification for not following
a presumptively mandatory requirement, an unqualified GAGAS
statement may be appropriate.
c.
When auditors did not comply with multiple presumptively mandatory
requirements, they should determine whether they should include a
negative GAGAS compliance statement in the report.
Relationship Between GAGAS and Other Professional Standards
the standards, and the auditors cannot satisfy both standards, the
auditors should provide disclosure in the auditors' report about any
standards not followed and the impact on the audit. (See paragraphs
5.06, 6.47 and 8.34)
rds,
as follows:
a. The American Institute of Certified Public Accountants (AICPA) has
established professional standards that apply to financial audits and
attestation engagements for nonissuers6 performed by certified public
accountants (CPA). For financial statement audits, GAGAS incorporate the
AICPA's field work and reporting standards and the related statements on
auditing standards (SAS) unless specifically excluded or modified by
GAGAS.7
b.
The International Auditing and Assurance Standards Board (IAASB)
has established professional standards that apply to financial
audits and attestation engagements that are conducted
internationally. Auditors may use GAGAS in conjunction with the
IAASB standards and the related statements on International
Statements on Auditing (ISA).
c.
The Public Company Accounting Oversight Board (PCAOB) has
established professional standards that apply to financial audits
and attestation engagements for issuers. Auditors may use GAGAS in
conjunction with the PCAOB standards.
in conjunction with GAGAS, such as the following:
a. International Standards for the Professional Practice of Internal
Auditing, The Institute of Internal Auditors, Inc.;
6
Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), issuers
(generally, publicly traded companies with securities registered under the
Securities and Exchange Act of 1934) and their public accounting firms are
subject to rules and standards of the Public Company Accounting Oversight
Board. Nonissuer refers to any entity other than an issuer under Federal
securities laws, such as privately held companies, not-for-profit
entities, and government entities.
7
Because GAGAS incorporate the field work and reporting standards of the
AICPA for financial audits performed in which U.S. auditing standards are
to be followed, auditors are not required to cite compliance with the
AICPA standards when citing compliance with GAGAS, although both sets of
standards may be cited.
b.
Guiding Principles for Evaluators, American Evaluation
Association;
c.
The Program Evaluation Standards, Joint Committee on Standards for
Education Evaluation; and
d.
Standards for Educational and Psychological Testing, American
Psychological Association.
Types of Government Audits and Attestation Engagements
is
not intended to limit or require the types of audits or attestation
engagements that may be performed under GAGAS.
engagements, the standards applicable to the specific audit
objective will be apparent. For example, if the audit objective is to
express an opinion on financial statements, the standards for
financial audits apply. However, some engagements may have multiple or
overlapping objectives. For example, if the objectives are to
determine the reliability of performance measures, this work can be
done in accordance with either the standards for attestation
engagements or for performance audits. In cases where there is a
choice between applicable standards, auditors should evaluate users'
needs and the auditors' knowledge, skills, and experience in deciding
which standards to follow.
Financial Audits
financial audits performed in accordance with GAGAS also includes
reports on internal control, compliance with laws and regulations, and
provisions of contracts and grant agreements as they relate to
financial transactions, systems, and processes.
y accepted accounting principles (GAAP),8 or with a
comprehensive basis of accounting other than GAAP. Other types of
financial audits, which provide for different levels of assurance and
entail various scopes of work, may include:
a.
providing special reports, such as for specified elements,
accounts, or items of a financial statement;9
b.
reviewing interim financial information;
c.
issuing letters for underwriters and certain other requesting
parties;
d.
reporting on the processing of transactions by service
organizations; and
8
The three U.S.-based authoritative bodies for establishing accounting
principles and financial reporting standards are the Federal Accounting
Standards Advisory Board (federal government), the Governmental Accounting
Standards Board (state and local governments), and the Financial
Accounting Standards Board (nongovernmental entities).
9
Special reports apply to auditors` reports issued in connection with the
following: (1) financial statements that are prepared in conformity with a
comprehensive basis of accounting other than generally accepted accounting
principles; (2) specified elements, accounts, or items of a financial
statement; (3) compliance with aspects of contractual agreements or
regulatory requirements related to audited financial statements;
(4)
financial presentations to comply with contractual agreements or
regulatory requirements; or (5) financial information presented in
prescribed forms or schedules that require a prescribed form of
auditors` report. (See AICPA Professional Standards, AU 623.)
e.
auditing compliance with regulations relating to federal award
expenditures and other governmental financial assistance in
conjunction with or as a by-product of a financial statement
audit.
corporate the AICPA's field
work and reporting standards and the related statements on auditing
standards unless specifically excluded or modified by GAGAS. GAGAS
establish ethical responsibilities, independence standards, general
standards, and additional field work and reporting standards beyond
those provided by the AICPA when performing financial audits. (See
chapters 2, 3, 4, and 5 for standards and guidance for auditors
performing a financial audit in accordance with GAGAS.)
provide
different levels of assurance about the subject matter or assertion
depending on the users' needs.
e engagement. The three levels of attestation engagements
include the following:
For consistency within GAGAS, the word "auditor" is used to describe
individuals conducting and reporting on attestation engagements.
a.
Examination: Auditors perform sufficient testing to express an
opinion on whether the subject matter is based on (or in
conformity with) the criteria in all material respects or the
assertion is presented (or fairly stated), in all material
respects, based on the criteria.
b.
Review: Auditors perform sufficient testing to express a
conclusion about whether any information came to the auditors'
attention on the basis of the work performed that indicates the
subject matter is not based on (or in conformity with) the
criteria or the assertion is not presented (or fairly stated) in
all material respects based on the criteria.11
c.
Agreed-Upon Procedures: Auditors perform testing to issue a report
of findings based on specific procedures performed on subject
matter.
1.30 The subject matter of an attestation engagement may take many forms,
including historical or prospective performance or condition, physical
characteristics, analyses, internal controls, systems and processes, or
compliance with laws, regulations, contracts, or other requirements.
Possible subjects of attestation engagements could include reporting on:
a.
prospective financial or performance information;
b.
quantity, condition, and/or valuation of inventory or assets;
c.
management's discussion and analysis (MD&A) presentation;
d.
an entity's internal control over financial reporting;
As stated in the AICPA SSAEs, auditors should not perform review-level
work for reporting on internal control or compliance with laws and
regulations.
e.
the effectiveness of an entity's internal control over compliance
with specified requirements, such as those governing the bidding
for, accounting for, and reporting on grants and contracts;
f.
an entity's compliance with requirements of specified laws,
regulations, rules, contracts, or grants; and
g.
specific procedures performed on a subject matter (agreed-upon
procedures).
ard on criteria, and the field work and reporting standards and
the related Statements on Standards for Attestation Engagements
(SSAE), unless specifically excluded or modified by GAGAS. GAGAS
establish ethical responsibilities, independence standards, general
standards and additional field work and reporting standards beyond
those provided by the AICPA for attestation engagements. (See chapters
2, 3, and 6 for standards and guidance for auditors performing an
attestation engagement in accordance with GAGAS.)
ific requirements or measures, or good business practices.12
Performance audits provide objective analysis so that management and those
charged with governance and oversight may improve
Data gathering without auditor evaluation or verification of the data is
not a performance audit, but a nonaudit service.
13
program performance, operations, reduce costs, facilitate decision making
by parties with responsibility to oversee or initiate corrective action,
and contribute to public accountability. Performance audits can also
provide descriptive information in response to audit objectives to
describe a process or a condition. The term performance audit includes
audits classified by some audit organizations as program or performance
evaluations, program effectiveness and results audits, economy and
efficiency audits, operational audits, management audits, compliance
audits, and value-for-money audits.
ety of objectives, including assessing program
economy, efficiency, effectiveness, results, or equity; internal
control;14 compliance with legal, policy, procedural, or other
requirements; and providing assurance about prospective analyses,
guidance, or summary information. These overall objectives are not
mutually exclusive. Thus, a performance audit may have more than one
overall objective. For example, often a performance audit with an
initial objective of program effectiveness may also involve an
underlying objective of evaluating internal controls to determine the
reasons for a program's lack of effectiveness or how effectiveness can
be improved.
ce about the
descriptive information. The levels of evidence and tests of evidence
will vary based on the audit objectives and conclusions. Objectives
for performance audits range from narrow to broad and may involve
specific evidence or extensive evidence. In some engagements,
sufficient, appropriate evidence is easily obtained, and in others,
information may have limitations. Auditors use professional judgment
in determining the audit scope and methodology needed to address the
audit's
13
The term "program" is used in this document to include government
entities, organizations, programs, activities, and functions.
14
The term "internal control" in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity`s operations (programmatic, financial, and compliance).
objectives, while providing the appropriate level of assurance that the
evidence obtained is sufficient and appropriate to meet the audit's
objectives.
audit facilitates the auditors' determination of what to report and
the proper context for the audit conclusions, including discussion
about the nature, type, and quality of evidence being used as a basis
for the audit conclusions. Performance audit conclusions logically
flow from all of these elements, and include the proper context based
on the underlying evidence.
cus on economy and efficiency address the costs and resources used
to achieve program results. Examples of audit objectives in these
categories include:
a.
assessing the extent to which legislative, regulatory, or
organizational goals and objectives are being achieved;
b.
assessing the relative ability of alternative approaches to yield
better program performance or eliminate factors that inhibit
program effectiveness;
c.
analyzing the relative cost effectiveness of a program or
activity;15
d.
determining whether a program produced intended results or
produced results that were not consistent with the program's
objectives;
e.
determining whether a program provides equitable access to or
distribution of public resources within the context of statutory
parameters;
f.
assessing the extent to which programs duplicate, overlap, or
conflict with other related programs;
g.
evaluating whether the audited entity is following sound and
equitable procurement practices;
h.
assessing the reliability, validity, or relevance of performance
measures concerning program effectiveness and results, or economy
and efficiency;
i.
assessing the reliability, validity, or relevance of financial
information related to the performance of a program;
j.
determining whether government resources (inputs) are obtained at
reasonable costs while meeting timeliness and quality
considerations;
k.
determining whether appropriate value was obtained based on the
cost or amount paid;
l.
determining whether government services and benefits are
accessible to those citizens who have a right to access those
services and benefits;
15 These objectives focus on combining cost information with information
about outputs or the benefit provided and outcomes or the results
achieved.
m.
determining whether and how the government program's unit costs
can be decreased or its productivity increased; and
n.
analyzing budget proposals or budget requests to assist
legislatures in the budget process.
1.39 Internal control audit objectives relate to an assessment of the
component of an organization's system of internal control that is designed
to provide reasonable assurance of achieving effective and efficient
operations, reliable financial and performance reporting, and compliance
with applicable laws and regulations. Internal control objectives are also
relevant when determining the cause of unsatisfactory program performance.
Internal control comprises the plans, methods, and procedures used to meet
the organization's mission, goals, and objectives. Internal control
includes the processes and procedures for planning, organizing, directing,
and controlling program operations, and management's system for measuring,
reporting, and monitoring program performance. Examples of audit
objectives related to internal control include an assessment of the extent
that internal control provides reasonable assurance that:
a.
organizational missions, goals, and objectives are achieved
effectively and efficiently;
b.
resources are used in compliance with laws, regulations, or other
requirements;
c.
resources are safeguarded against unauthorized acquisition, use,
or disposition;
d.
management information and public reports that are produced, such
as performance measures, are complete, accurate, and consistent to
support performance and decision making;
e.
the integrity of computerized information and information systems
are achieved, and
f.
contingency planning for information systems provides essential
back-up to prevent unwarranted disruption of activities and
functions the systems support.
1.40 Compliance audit objectives relate to compliance criteria established
by laws, regulations, contract provisions, grant agreements, and other
requirements16 that could affect the acquisition, protection, and use of
the entity's resources and the quantity, quality, timeliness, and cost of
services the entity produces and delivers. Compliance objectives include
determining whether
a.
the purpose of the program, the manner in which it is to be
conducted, the services delivered, the outcomes, or the population
it serves are in compliance with laws, regulations, contract
provisions, grant agreements, and other requirements;
b.
government services and benefits are distributed or delivered to
citizens based on the citizens' right to obtain those services and
benefits; and
c.
incurred or proposed costs are in compliance with applicable laws,
regulations, and contract or grant agreement terms.
1.41 Prospective audit objectives provide analysis or conclusions about
information that is based on assumptions about events that may occur in
the future along with possible actions that the audited entity may take in
reaction to the future events. Examples of objectives pertaining to this
work include providing analysis or conclusions about:
a.
current and projected trends and future potential impact on
government programs and services;
b.
program or policy alternatives, including forecasting program
outcomes under various assumptions;
c.
policy proposals for decision makers;
d.
prospective information prepared by management;
e.
forecasts that are based on (1) assumptions about expected future
events and (2) management's expected reaction to those future
events; and
f.
management's assumptions on which prospective information is
based.
Compliance requirements can be either financial or nonfinancial in nature.
1.42 As discussed in paragraphs 1.16 through 1.17 and 1.20, other
professional standards may be used in conjunction with GAGAS when
conducting performance audits.
Nonaudit Services Provided by Audit Organizations
entities they audit.
Further discussion of nonaudit services and potential impact on
auditor independence is included in Chapter 3, paragraphs 3.24 through
3.35 and in the appendix, paragraphs A3.02 through A3.03.
Chapter 2 Auditors' Ethical Responsibilities
Introduction
nd staff are an essential
element of a positive ethical environment for the audit organization.
ter 3.
Overarching Ethical Concepts
ors
include:
a.
The Public Interest;
b.
Professional Behavior;
c.
Integrity;
d.
Objectivity; and
e.
Proper Use of Government Information, Resources and Position.
Individual auditors who are members of professional organizations or are
licensed or certified professionals may also be subject to ethical
requirements of those professional organizations or licensing bodies.
Auditors in government audit organizations may also be subject to
government ethics laws and regulations.
The Public Interest
in the
government environment.
is essential that auditors' professional behavior include
compliance with laws and regulations and acting in a manner consistent
with the high expectations for their profession, while avoiding any
conduct that might bring discredit to their work, including actions that
would cause a reasonable and informed third party, having knowledge of all
relevant information to conclude that the conduct or work performed by the
government auditors or audit organization was professionally deficient.
Professional behavior includes auditors putting forth an honest effort in
the performance of their duties and carrying out their professional
services in accordance with the relevant technical and professional
standards.
2.09 The professional behavior of auditors practicing in the government
environment is expected to be above reproach. Professional behavior is
realized when auditors conduct themselves in a manner that avoids having
their actions and work misinterpreted or that gives the appearance of
being biased or misleading. By observing ethical principles, auditors
promote confidence in the integrity of government operations and programs.
Integrity
inion; it cannot accommodate deceit or subordination
of the principles of fairness and objectivity to personal gains. In
applying the principle of integrity, it is essential that auditors
observe both the form and the spirit of the relevant ethical
standards.
Objectivity
2.12 The credibility of government auditing is based on auditors'
objective attitude in discharging their professional responsibilities.
Objectivity includes being independent in fact and appearance when
providing audit and attestation services, maintaining an attitude of
impartiality, having intellectual honesty, and being free of conflicts of
interest. It is crucial that auditors avoid conflicts that may in fact or
appearance impair auditors' objectivity in performing the audit or
attestation engagement. Maintaining objectivity includes a continuing
assessment of relationships with audited entities and other stakeholders
in the context of the auditors' responsibility to the public.
Proper Use of Government Information, Resources, and Position
.
This concept also includes the proper handling of sensitive or
classified information or resources.
t auditors exercise prudence in the use of information acquired in
the course of their duties or as a result of professional and business
relationships. Auditors should not disclose any such information to
third parties without proper and specific authority, unless there is a
legal and professional right or obligation to disclose.
ts or those of an immediate or close family
member; a general partner; an organization for which the auditor serves as
an officer, director, trustee, or employee; or a person or organization
with which the auditor is negotiating or has an arrangement concerning
future employment. (See paragraph 3.06 through 3.09 for further discussion
of personal impairments to independence.)
Chapter 3 General Standards
Introduction
3.01 This chapter establishes general standards and provides guidance for
performing financial audits, attestation engagements,19 and performance
audits under GAGAS. These general standards, along with the overarching
ethical concepts presented in chapter 2, establish a foundation that adds
credibility to auditors' work. Credibility is essential to all audit
organizations performing work that government leaders and others use for
making decisions and achieving government accountability. Credibility is
what the public expects of information provided by government auditors.
These general standards emphasize the independence of the audit
organization and its individual auditors; the exercise of professional
judgment in the performance of work and the preparation of related
reports; the competence of audit staff; audit quality control and
assurance; and external peer reviews.
Independence
an
attestation engagement.
independence and, thus, are not capable of exercising objective and
impartial judgment on all issues associated with conducting the audit and
reporting on the work.
izations perform audit or attestation services, audit
organizations consider three general classes of impairments to
independence--personal, external, and organizational.20 If one or more
of these impairments affects an individual auditor's capability to
perform the work and report results impartially, the auditor should
either decline to perform the work-or in those situations in which the
auditor, because of a legislative requirement or for other reasons,
cannot decline to perform the work-the auditors must disclose the
impairment or impairments in the scope section of the audit report.
cialist's
independence from the activity or program under audit. Internal
specialists who are members of the audit team should follow the same
standards and processes as the other members of the audit team.
20
When applicable, auditors also follow the AICPA code of professional
conduct and the code of professional conduct of the state board with
jurisdiction over the practice of the public accountant and the audit
organization. Auditors have a responsibility to be aware of and comply
with any applicable government ethics laws and regulations and any other
ethics requirements (such as those of the state boards of accountancy)
associated with their activities.
21
Specialists to whom this section applies include, but are not limited to,
actuaries, appraisers, attorneys, engineers, environmental consultants,
medical professionals, statisticians, and geologists.
Personal Impairments
3.06 Auditors participating on an audit assignment must be free from
personal impairments to independence. 22 Personal impairments of staff
members result from relationships and beliefs that might cause auditors to
limit the extent of the inquiry, limit disclosure, or weaken or slant
audit findings in any way. Individual auditors should notify the
appropriate officials within their audit organizations if they have any
personal impairments to independence. Examples of personal impairments of
individual auditors include, but are not limited to, the following:
a.
immediate family or close family member23 who is a director or
officer of the audited entity, or as an employee of the audited
entity, is in a position to exert direct and significant influence
over the entity or the program under audit;
b.
financial interest that is direct, or is significant though
indirect, in the audited entity or
program;24
c. responsibility for managing an entity or decision making that could
affect operations of the entity or program being audited; for example as a
director, officer, or other senior position of the entity, activity, or
program being audited, or as a member of management in any decision
making, supervisory, or ongoing monitoring function for the entity,
activity, or program under audit;
22
This includes those who review the work or the report, and all others
within the audit organization who can directly influence the outcome of
the audit. The period covered includes the period covered by the audit,
and the period in which the audit is being performed and reported.
23
Immediate family member is a spouse, spouse equivalent, or dependent
(whether or not related). A close family member is a parent, sibling, or
nondependent child.
24
Auditors are not precluded from auditing pension plans that they
participate in if (1) the auditor has no control over the investment
strategy, benefits, or other management issues associated with the pension
plan and (2) the auditor belongs to such pension plan as part of his/her
employment with the audit organization, provided that the plan is normally
offered to all employees in equivalent employment positions.
d.
concurrent or subsequent performance of an audit by the same
individual who maintained the official accounting records when
such services involved preparing source documents or originating
data, in electronic or other form; posting transactions (whether
coded by management or not coded); authorizing, executing, or
consummating transactions (for example, approving invoices,
payrolls, claims, or other payments of the entity or program being
audited); maintaining an entity's bank account or otherwise having
custody of the audited entity's funds; or otherwise exercising
authority on behalf of the entity, or having authority to do so;
e.
preconceived ideas toward individuals, groups, organizations, or
objectives of a particular program that could bias the audit;
f.
biases, including those induced by political, ideological, or
social convictions, that result from employment in, or loyalty to,
a particular type of policy, group, organization, or level of
government; and
g.
seeking employment during the conduct of the audit with an audited
organization or an individual or entity with a direct interest in
the outcome of the audit.
3.07 Audit organizations and auditors may encounter many different
circumstances or combination of circumstances that could create a personal
impairment. Therefore, it is impossible to identify every situation that
could result in a personal impairment. Accordingly, audit organizations
should include as part of their internal quality control system procedures
to identify personal impairments and help ensure compliance with GAGAS
independence requirements. At a minimum, audit organizations should:
a.
establish policies and procedures to identify personal impairments
to independence (see paragraph 3.06);
b.
communicate the audit organization's policies and procedures to
all auditors in the organization and help ensure understanding of
the policies and procedures through training or other means such
as auditors periodically acknowledging their understanding;
c.
establish internal policies and procedures to monitor compliance
with the audit organization's policies and procedures;
d.
establish a disciplinary mechanism to promote compliance with the
audit organization's policies and procedures;
e.
stress the importance of independence and the expectation that
auditors will always act in the public interest; and
f.
maintain documentation of the steps taken to identify potential
personal independence impairments as well as actions taken to
resolve any impairments.
audit assignment. If the personal impairment cannot be mitigated
through these means, the audit organization should withdraw from the
audit. In situations in which government auditors cannot withdraw from
the audit, they should follow the requirement in paragraph 3.04.
nt to
independence after the audit report is issued, the audit organization
should assess the impact on the audit. The audit organization should
consider whether, given the impact on the audit, to notify
regulatory agencies that have jurisdiction over the audited entity and
persons known to be using the audit report about the independence
impairment and the impact on the audit. Auditors should make such
notifications in writing.
External Impairments
3.10 Audit organizations must be free from external impairments to
independence. Factors external to the audit organization may restrict the
work or interfere with auditors' ability to form independent and objective
opinions and conclusions. External impairments to independence occur when
auditors are deterred from acting objectively and exercising professional
skepticism by pressures, actual or perceived, from management and
employees of the audited entity or oversight organizations. For example,
under the following conditions, auditors may not have complete freedom to
make an independent and objective judgment, thereby adversely affecting
the audit:
a.
external interference or influence that could improperly limit or
modify the scope of an audit or threaten to do so, including
exerting pressure to reduce inappropriately the extent of work
performed in order to reduce costs or fees;
b.
external interference with the selection or application of audit
procedures or in the selection of transactions to be examined;
c.
unreasonable restrictions on the time allowed to complete an audit
or issue the report;
d.
restriction on access to records, government officials, or other
individuals needed to conduct the audit;
e.
external interference over the assignment, appointment, and
promotion of audit personnel;
f.
restrictions on funds or other resources provided to the audit
organization that adversely affect the audit organization's
ability to carry out its responsibilities;
g.
authority to overrule or to inappropriately influence the
auditors' judgment as to the appropriate content of the report;
h.
threat of replacement over a disagreement with the contents of an
audit report, the auditors' conclusions, or the application of an
accounting principle or other criteria; and
i.
influences that jeopardize the auditors' continued employment for
reasons other than incompetence, misconduct, or the need for audit
services.
3.11 Audit organizations should include, as part of their internal quality
control system for compliance with GAGAS independence requirements,
internal policies and procedures for reporting and resolving external
impairments.
Organizational Independence
3.12 In addition to the preceding paragraphs that address personal and
external impairments, a government audit organization's ability to perform
the work and report the results impartially can be affected by its place
within government and the structure of the government entity that the
audit organization is assigned to audit as well as by nonaudit services it
has provided to audited entities. Whether performing work to report
externally to third parties outside the audited entity or internally to
top management within the audited entity, audit organizations must be free
from organizational impairments to independence with respect to the
entities they audit.
Organizational Independence When Reporting Externally to Third Parties:
ation reporting externally to third
parties may be presumed to be free from organizational impairments to
independence from the audited entity, if the audit organization is:
a.
assigned to a level of government other than the one to which the
audited entity is assigned (federal, state, or local), for
example, federal auditors auditing a state government program, or
b.
assigned to a different branch of government within the same level
of government as the audited entity; for example, legislative
auditors auditing an executive branch program.
3.15 Second, a government audit organization reporting externally to third
parties may also be presumed to be free from organizational impairments if
the audit organization's head meets any of the following criteria:
a.
directly elected by voters of the jurisdiction being audited;
b.
elected or appointed by a legislative body, subject to removal by
a legislative body, and reports the results of audits to and is
accountable to a legislative body;
c.
appointed by someone other than a legislative body, so long as the
appointment is confirmed by a legislative body and removal from
the position is subject to oversight or
approval by a legislative body,25 and reports the results of audits to and
is accountable to a legislative body; or
d. appointed by, accountable to, reports to, and can only be removed by a
statutorily created governing body, the majority of whose members are
independently elected or appointed and come from outside the organization
being audited.
3.16 In addition to the presumptive criteria in paragraphs 3.14 and 3.15,
GAGAS recognize that there may be other organizational structures under
which a government audit organization could be considered to be free from
organizational impairments and thereby be considered organizationally
independent for reporting externally. These other structures provide
safeguards to prevent the audited entity from interfering with the audit
organization's ability to perform the work and report the results
impartially. For an audit organization to be considered free from
organizational impairments for reporting externally under a structure
different from the ones listed in paragraphs 3.14 and 3.15, the audit
organization should have all of the following safeguards:
a.
statutory protections that prevent the abolishment of the audit
organization by the audited entity;
b.
statutory protections that require that if the head of the audit
organization is removed from office, the head of the agency
reports this fact and the reasons for the removal to the
legislative body;
c.
statutory protections that prevent the audited entity from
interfering with the initiation, scope, timing, and completion of
any audit;
Legislative bodies may exercise their confirmation powers through a
variety of means so long as they are involved in the approval of the
individual to head the audit organization. This involvement can be
demonstrated by approving the individual after the appointment or by
initially selecting or nominating an individual or individuals for
appointment by the appropriate authority.
d.
statutory protections that prevent the audited entity from
interfering with the reporting on any audit, including the
findings, conclusions, and recommendations, or the manner, means,
or timing of the audit organization's reports;
e.
statutory protections that require the audit organization to
report to a legislative body or other independent governing body
on a recurring basis;
f.
statutory protections that give the audit organization sole
authority over the selection, retention, advancement, and
dismissal of its staff; and
g.
statutory access to records and documents that relate to the
agency, program, or function being audited and government
officials or other individuals needed to conduct the audit.26
3.17 If the head of the audit organization concludes that the organization
meets all the safeguards listed in paragraph 3.16, the audit organization
may be considered free from organizational impairments to independence
when reporting the results of its audits externally to third parties. In
such situations, the audit organization should document how the safeguards
discussed in paragraph 3.16 were satisfied and provide the documentation
to those performing quality control monitoring and to the external peer
reviewers to determine whether all the necessary safeguards have been met.
Organizational Independence When Reporting Internally to Management (as an
internal audit function)
3.18 Certain federal, state, or local government audit organizations or
audit organizations within other government entities employ auditors to
work for management of the audited entities. These auditors may be subject
to administrative direction from persons involved in the government
management process. Such audit organizations are
Statutory authority to issue a subpoena to obtain the needed records is
one way to meet the requirement for statutory access to records.
internal audit organizations and are encouraged to follow the IIA
International Standards for the Professional Practice of Internal
Auditing. In addition, under GAGAS, a government internal audit
organization can be presumed to be free from organizational impairments to
independence when reporting internally to management if the head of the
audit organization meets all of the following criteria:
a.
accountable to the head or deputy head of the government entity or
to those charged with governance,
b.
reports the results of the audit organization's work to the head
or deputy head of the government entity and to those charged with
governance,
c.
located organizationally outside the staff or line management
function of the unit under audit, and
d.
has access to those charged with governance.
may be considered free of organizational impairments to independence
to audit internally and report objectively to the entity's management
and those charged with governance. Further distribution of reports
outside the organization may be made in accordance with applicable
law, rule, regulation, or policy. In these situations, auditors must
clearly disclose in their reports the fact that they are auditing in
their employing organizations.
rectly assigned, such as auditing contractors or outside party
agreements, and no personal or external impairments exist, they may be
considered independent of the audited entities and free to report
objectively to the heads or deputy heads of the government entities to
which they are assigned, to those charged with governance, and to
parties outside the organizations in accordance with applicable law,
rule, regulation, or policy.
it service would impair an audit
organization's independence with respect to entities they audit. Auditors
also exercise professional
27
GAO has issued further guidance in the form of questions and answers to
assist in implementation of the standards associated with nonaudit
services. This guidance, Government Auditing Standards: Answers to
Independence Standard Questions, GAO-02-870G (Washington, DC: June 2002),
can be found on GAO`s Government Auditing Standards Web page
(http://www.gao.gov/govaud/ybk01.htm).
judgment in determining whether any previously performed nonaudit services
would impair an audit organization's independence with respect to entities
they audit. Those within the audit organization with sufficient knowledge,
experience, and competence to fully understand the current and future
issues the audit organization may face should make this determination.
consider whether nonaudit services
they have provided or are committed to provide have a significant or
material effect on the subject matter of the audits.
s should disclose nonaudit services
described in paragraph 3.30b related to individual audits selected for
review in an internal inspection or peer review and provide the
documentation required by paragraphs 3.35a through 3.35e to
inspectors/reviewers.
Overarching Independence Principles
3.27 The following two overarching principles apply to auditor
independence when assessing the impact of performing a nonaudit service
for audited entities: (1) audit organizations must not provide nonaudit
services that involve performing management functions or making management
decisions and (2) audit organizations must not audit
See appendix, paragraphs A3.02 through A3.03 for examples of nonaudit
services that are generally unique to government audit organizations.
their own work or provide nonaudit services in situations where the
nonaudit services are significant/material to the subject matter of
audits.29
anization can
be significantly or materially affected by the nonaudit service, audit
organizations should evaluate (1) ongoing audits; (2) planned audits;
(3) requirements and commitments for providing audits, which includes
laws, regulations, rules, contracts, and other agreements; and (4)
policies placing responsibilities on the audit organization for
providing audit services.
f the audit.
30
The requestor of nonaudit services could be the management of the audited
entity or a third party such as a legislative oversight body.
31
See appendix, paragraphs A3.02 through A3.03 for examples of nonaudit
services that are generally unique to government audit organizations.
b.
Nonaudit services that do not impair the audit organization's
independence with respect to entities they audit as long as the
supplemental safeguards in paragraph 3.35 are complied with. (See
paragraph 3.33.)
c.
Nonaudit services that would impair the audit organization's
independence. Compliance with the supplemental safeguards will not
overcome this impairment. (See paragraph 3.34.)
Nonaudit Services That Do Not Impair Auditor Independence
this category include the
following:
a. Participating in activities such as commissions, committees, task
forces, panels, and focus groups as an expert in a purely advisory,
non-voting capacity to:
(1)
advise entity management on issues based on the knowledge and
skills of the auditors, and
(2)
address urgent problems or policy issues.
b.
Providing tools and methodologies, such as guidance and good
business practices, benchmarking studies, and internal control
assessment methodologies that can be used by management.
c.
Providing targeted and limited technical advice to the audited
entity and management to assist them in activities such as (1)
answering technical questions and/or providing training, (2)
implementing audit recommendations, (3) performing internal
control selfassessments, and (4) providing information on good
business practices.
Nonaudit Services That Would Not Impair Independence if Supplemental
Safeguards Are Implemented.
3.33 These services would not impair the audit organization's independence
with respect to the entities they audit so long as they comply with the
supplemental safeguards. Examples of the types of services in this
category include the following:
a.
Providing basic accounting assistance limited to services such as
preparing draft financial statements that are based on
management's chart of accounts and trial balance and any
adjusting, correcting, and closing entries that have been approved
by management; preparing draft notes to the financial statements
based on information determined and approved by management;
preparing a trial balance based on management's chart of accounts;
maintaining depreciation schedules for which management has
determined the method of depreciation, rate of depreciation, and
salvage value of the asset.32
b.
Providing payroll services when payroll is not material to the
subject matter of the audit or to the audit objectives. Such
services are limited to using records and data that have been
approved by entity management.
If the audit organization has prepared draft financial statements and
notes and performed the financial statement audit, the auditor obtains
documentation from management in which management acknowledges the audit
organization's role in preparing the financial statements and related
notes and management's review, approval, and responsibility for the
financial statements and related notes in the management representation
letter. The management representation letter that is done as part of the
audit may be used for this type of documentation.
c.
Providing appraisal or valuation services limited to services such
as reviewing the work of the entity or a specialist employed by
the entity where the entity or specialist provides the primary
evidence for the balances recorded in financial statements or
other information that will be audited; valuing an entity's
pension, other post-employment benefits, or similar liabilities
provided management has determined and taken responsibility for
all significant assumptions and data.
d.
Preparing an entity's indirect cost proposal33 or cost allocation
plan provided that the amounts are not material to the financial
statements and management assumes responsibility for all
significant assumptions and data.
e.
Providing advisory services on information technology limited to
services such as advising on system design, system installation,
and system security if management, in addition to the safeguards
in paragraph 3.35, acknowledges responsibility for the design,
installation, and internal control over the entity's system and
does not rely on the auditors' work as the primary basis for
determining (1) whether to implement a new system, (2) the
adequacy of the new system design, (3) the adequacy of major
design changes to an existing system, and (4) the adequacy of the
system to comply with regulatory or other requirements.
f.
Providing human resource services to assist management in its
evaluation of potential candidates when the services are limited
to activities such as serving on an evaluation panel of at least
three individuals to review applications or interviewing
candidates to provide input to management in arriving at a listing
of best qualified applicants to be provided to management.
g.
Preparing routine tax filings in accordance with federal tax laws,
rules, and regulations of the Internal Revenue Service, and state
and local tax authorities, and any
The Office of Management and Budget prohibits an auditor who prepared the
entity's indirect cost proposal from conducting the required audit when
indirect costs recovered by the entity during the prior year exceeded $1
million under OMB Circular A-133, Audits of States, Local Governments, and
Non-Profit Organizations, Subpart C.305(b), revised June 27, 2003.
other applicable tax laws that do not violate the overarching independence
principles. For example, preparing tax returns, including IRS form 990,
"Return of Organization Exempt from Income Tax," based on information
provided by the audited entity, providing advice on deposits due to a
taxing authority, and representing an audit entity in IRS matters such as
in an IRS audit or in obtaining IRS rulings or other agreements,
ordinarily would be included in this category of nonaudit services.34
h. Documenting existing processes and internal controls.
Nonaudit Services That Impair Independence
3.34 Compliance with the supplemental safeguards will not overcome
independence impairments in this category. By their nature, certain
nonaudit services directly support the entity's operations and impair the
audit organization's ability to meet either or both of the overarching
independence principles in paragraph 3.27 for certain types of audit work.
Examples of the types of services under this category include the
following:
a.
Maintaining or preparing the audited entity's basic accounting
records or maintaining or taking responsibility for basic
financial or other records that the audit organization will audit.
b.
Posting transactions (whether coded or not coded) to the entity's
financial records or to other records that subsequently provide
input to the entity's financial records.
An audit organization's independence for performing financial statement
audits would not be impaired by representing the audited entity in IRS
matters or in obtaining IRS rulings or other agreements. However, these
nonaudit services would impair auditor independence with respect to
performance audits of tax compliance since the audit organization would be
auditing its own work.
c.
Determining account balances or determining capitalization
criteria.
d.
Designing, developing, installing, or operating the entity's
accounting system or other information system that are material or
significant to the subject matter of the audit.
e.
Providing payroll services that (1) are material to the subject
matter of the audit or the audit objectives, and/or (2) involve
making management decisions.
f.
Providing appraisal or valuation services that exceed the scope
described in paragraph
3.33 c.
g.
Recommending a single individual for a specific position that is
key to the entity or program under audit, or otherwise ranking or
influencing management's selection of the candidate; or conducting
an executive search or a recruiting program for the audited
entity.
h.
Developing an entity's performance measurement system when that
system is material or significant to the subject matter of the
audit.
i.
Performing the entity's internal control self-assessment process
or developing the internal control system.
j.
Developing an entity's policies, procedures, and internal
controls.
k.
Providing services that are used as management's primary basis for
making decisions that are significant to the subject matter under
audit.
l.
Internal audit functions, when performed by external auditors.
m.
Serving as voting members of an entity's management committee or
board of directors, making policy decisions that affect future
direction and operation of an entity's programs,
supervising entity employees, developing programmatic policy, authorizing
an entity's transactions, or maintaining custody of an entity's assets.35
Supplemental Safeguards for Maintaining Auditor Independence When
Performing Nonaudit Services Described in Paragraph 3.33
3.35 Performing nonaudit services described in paragraph 3.33 will not
impair independence if the overarching independence principles stated in
paragraph 3.27 are not violated. For these nonaudit services, the audit
organization must comply with the following safeguards.
a.
The audit organization documents its consideration of the nonaudit
services, including its conclusions about the impact on
independence.
b.
Before performing nonaudit services, the audit organization
establishes and documents an understanding with the audited entity
regarding the objectives, scope of work, and product or
deliverables of the nonaudit service. The audit organization also
establishes and documents an understanding with the audited entity
that its management is responsible for (1) the subject matter of
the nonaudit services, (2) the substantive outcomes of the work,
(3) making any decisions that involve management functions related
to the nonaudit service and accepting full responsibility for such
decisions.
c.
The audit organization precludes personnel who provided the
nonaudit services from planning, conducting, or reviewing audit
work of the subject matter of the nonaudit service under the
overarching independence principle that auditors must not audit
their own work.36
35
Entity assets are intended to include all of the entity's property
including bank accounts, investment accounts, inventories, equipment or
other assets owned, leased, or otherwise in the entity's possession, and
financial records, both paper and electronic.
36
Personnel who provided the nonaudit service are permitted to convey to the
audit assignment team the documentation and knowledge gained about the
audited entity and its operations.
d.
The audit organization does not reduce the scope and extent of the
audit work below the level that would be appropriate if the
nonaudit work were performed by an unrelated party.
e.
The audit organization's quality control systems for compliance
with independence requirements should include: (1) policies and
procedures to consider the effect on the ongoing, planned, and
future audits when deciding whether to provide nonaudit services,
and (2) a requirement to document the understanding with
management of the audited entity discussed above. The
understanding should be communicated to management in writing and
can be included in the engagement letter. In addition, the
documentation should specifically identify management's
responsibilities discussed above.
Professional Judgment
ponent of professional judgment, auditors exercise
professional skepticism, which is an attitude that includes a
questioning mind and a critical assessment of evidence. Professional
skepticism includes a mindset where auditors neither assume that
management is dishonest nor of unquestioned honesty, and auditors are
not to be satisfied with less than persuasive evidence because of a
belief that management is honest.
an audit engagement, as well as the professional judgment of
individual auditors. In addition to personnel directly involved in the
audit, professional judgment may involve collaboration with other
stakeholders, outside experts, and management in the audit
organization.
ects of carrying out
professional responsibilities, including following the independence
standards, maintaining objectivity and credibility, assigning
competent audit staff to the engagement, and maintaining appropriate
quality control over the engagement process.
f the audit subject matter and related
circumstances. This includes consideration about whether their
collective experience, training, knowledge, skills, abilities, and
overall understanding are sufficient to assess the risks that the
subject matter under audit may contain a significant inaccuracy or
could be misinterpreted.
gnment, it does not imply unlimited responsibility,
nor does it imply infallibility on the part of either the individual
auditor or the audit organization. Absolute assurance is not
attainable because of the nature of evidence and the characteristics
of fraud. Professional judgment does not mean eliminating all possible
limitations or weaknesses associated with a specific audit, but rather
identifying, considering, minimizing, mitigating, and explaining them.
Competence
ce that has
adequate competence. The nature, extent, and formality of the process
will depend on various factors such as the size of the audit
organization, its work, and its structure.
ncies
are not necessarily measured by years of auditing experience because
such a quantitative measurement may not accurately reflect the kinds
of experiences gained by an auditor in any given time period. Auditors
maintain competence through a commitment to learning and development
throughout an auditor's professional life. Competence enables an
auditor to make sound professional judgments.
technical knowledge, skills, and
experience necessary to be competent for the type of work being performed
before beginning work on that assignment. In assigning personnel to
engagements, audit organizations consider the workload requirements of an
engagement, the skills, competence, and experience needed in relation to
the complexity or other needs of an engagement, and the extent of
supervision to be provided. Staff members should collectively possess:
a.
knowledge of GAGAS applicable to the type of work they are
assigned and the education, skills, and experience to apply such
knowledge to the work being performed;
b.
general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c.
skills to communicate clearly and effectively, both orally and in
writing; and
d.
skills appropriate for the work being performed. For example:
(1)
staff or specialists with statistical sampling skills if the work
involves use of statistical sampling;
(2)
staff or specialists with information technology skills if the
work involves review of information systems;
(3)
staff or specialists with engineering skills if the work involves
review of complex engineering data;
(4)
staff or specialists with skills in specialized audit
methodologies or analytical techniques, such as the use of complex
survey instruments, actuarial-based estimates, or statistical
analysis tests, if the work calls for such skills; or
(5)
staff or specialists with skills in specialized subject matters,
such as scientific, medical, environmental, educational, or any
other specialized subject matter, if the work calls for such
expertise.
Additional Qualifications for Financial Audits and Attestation Engagements
ation engagements in which U.S. attestation
engagement standards are to be followed, GAGAS incorporate the AICPA's
attestation standards. Auditors should be knowledgeable in the AICPA
general attestation standard related to criteria and the AICPA
attestation standards for field work and reporting and the related
Statements on Standards for Attestation Engagements (SSAE), and they
should be competent in applying these standards and SSAE to the task
assigned.
refore, each auditor
performing work under GAGAS should complete, every 2 years, at least 80
hours of CPE that enhance the auditor's professional proficiency to
perform audits and/or attestation engagements. Auditors should take
subjects directly related to government auditing, the government
environment, or the specific or unique environment in which the audited
entity operates for at least 24 of the 80 hours of CPE.37 Auditors should
complete at least 20 hours of the 80 in any 1 year of the 2-year period.
Auditors who are only involved in performing field work but not involved
in planning, directing, or reporting on the audit or attestation
engagement and who charge less than 20 percent of their time annually to
GAGAS audits and attestation engagements are subject to the 24 hour
requirement for government related CPE in each 2-year period but do not
have to comply with the remainder of the 80-hour CPE requirement.
e exercised by
auditors in consultation with appropriate officials within their audit
organizations. Among the considerations in exercising that judgment
are the auditors' experience, the responsibilities they assume in
performing GAGAS audits or attestation engagements, and the operating
environment of the audited entity.
the audit organization and perform as a
member of the audit team, should comply with GAGAS, including the CPE
requirements.
This guidance, Government Auditing Standards: Guidance on GAGAS
Requirements for Continuing Professional Education, GAO-05-586G
(Washington, D.C.: Apr. 2005), can be found on GAO`s Government Auditing
Standards Web page (http://www.gao.gov/govaud/ybk01.htm).
Quality Control and Assurance
3.59 Each audit organization performing audits and/or attestation
engagements in accordance with GAGAS must have an internal quality control
system in place that is designed to provide reasonable assurance that the
organization and its personnel comply with professional standards and
regulatory and legal requirements, and that reports issued are in
accordance with professional standards.
System of Quality Control
suitably designed in
relation to the audit organization's size, number of offices, the
knowledge and experience of its personnel, the nature and complexity
of the audit work, and appropriate cost-benefit considerations. Thus,
the systems established by individual audit organizations and the
extent of their documentation of the systems will vary based on an
audit organization's circumstances.
and has the capabilities,
time and resources to do so,
(2)
is independent and can comply with professional standards and
ethical principles, and
(3)
is within the legal mandate or authority of the audit
organization.
c.
Human capital management: Policies and procedures designed to
provide the audit organization with reasonable assurance that it
has sufficient personnel with the competence necessary to perform
its engagements in accordance with professional standards and
regulatory and legal requirements, and to enable the audit
organization to issue reports that are appropriate in the
circumstances. Policies and procedures related to competence of
personnel address the following:
(1)
recruitment of qualified personnel;
(2)
assignment of personnel with the competence and independence39
needed for specific engagements;
See paragraphs 3.06 through 3.09, and 3.35c for specific quality control
requirements related to personal impairments and performing nonaudit
services, respectively.
(3)
performance evaluation, professional development, continuing
professional education, promotion, and compensation.
d.
Engagement performance and reporting: Policies and procedures
designed to provide the audit organization with reasonable
assurance that engagements are performed in accordance with
professional standards and regulatory and legal requirements, and
that the audit organization issues reports that are appropriate in
the circumstances include the following:
(1)
information and communication provided to engagement teams so that
team members sufficiently understand the objectives of their work;
(2)
processes for engagement planning and supervision;
(3)
processes for complying with applicable engagement-related
standards;
(4)
reviewing the work performed, the significant judgments made and
the resulting report;
(5)
appropriate documentation of the work performed and review of
audit documentation, including appropriate management-level
reviews;
(6)
communication at the appropriate professional level with
individuals within or outside the audit organization to resolve a
difficult or contentious matter;
(7)
procedures for resolving disagreements among team members and
between the team and those consulted; and
(8)
reporting that is appropriate to circumstances associated with the
engagement, is supported by the work performed, and is in
accordance with applicable professional standards and regulatory
and legal requirements.
e.
Monitoring of quality: Policies and procedures designed to provide
management of the audit organization with reasonable assurance
that the policies and procedures relating to the system of quality
control are suitably designed and operating effectively in
practice. Audit organizations should have monitoring procedures
that include an ongoing consideration and evaluation of the audit
organization's system of quality control for achieving the
objectives in (a) through (d) above, including
(1)
relevance and adequacy of the organization's policies and
procedures,
(2)
appropriateness of the organization's guidance materials, and
(3)
compliance with the organization's policies and procedures.
ystem of
quality control as well as documentation to demonstrate compliance
with its policies and procedures for a period of time sufficient to
enable those performing monitoring procedures and peer reviews to
evaluate the extent of the audit organization's compliance with the
quality control policies and procedures. The form and content of such
documentation is a matter of judgment.
External Peer Review
3.64 Audit organizations performing audits and attestation engagements in
accordance with GAGAS must have an external peer review of their auditing
and attestation engagement practices in accordance with the time frames
set forth in paragraph 3.69.40
The review team collectively has current knowledge of GAGAS and of
the government environment relative to the work being reviewed.
b.
Each review team member is independent (as defined in GAGAS) of
the audit organization being reviewed, its staff, and the audits
and attestation engagements selected for the external peer review.
A review team or a member of the review team does not review the
audit organization that conducted its audit organization's most
recent external peer review.
c.
The review team collectively has sufficient knowledge of how to
perform a peer review. Such knowledge may be obtained from
on-the-job training, training courses, or a combination of both.
Having personnel on the peer review team with prior experience on
a peer review or internal inspection team is desirable.
The external peer review requirement is effective within 3 years from the
date an audit organization begins field work on its first assignment in
accordance with GAGAS. This 3-year period refers to the cutoff ("as of")
date for the peer review. Generally, peer reviews are completed within 6
months of the cut-off date. Extensions of these time frames beyond 3
months after the peer review completion deadline are granted by GAO, and
in cooperation with the cognizant peer review program, to meet the
external peer review requirements for extraordinary circumstances.
3.67 Audit organizations should obtain a peer review that meets the
following requirements:
a.
The peer review includes a review of the audit organization's
internal quality control policies and procedures, including
related monitoring procedures, audit and attestation engagement
reports, audit and attest documentation, and other necessary
documents (for example, independence documentation, CPE records,
and personnel management files related to compliance with hiring,
performance evaluation, advancement, compensation, and assignment
policies). The review also includes interviews with various levels
of the reviewed audit organization's professional staff to assess
their understanding of and compliance with relevant quality
control policies and procedures.
b.
The review team uses one of the following approaches to selecting
audits and attestation engagements for review: (1) select audits
and attestation engagements that provide a reasonable
cross-section of the assignments performed by the reviewed audit
organization in accordance with GAGAS or (2) select audits and
attestation engagements that provide a reasonable cross-section of
the reviewed audit organization's work subject to its quality
control system, including assignments performed in accordance with
GAGAS.41
c. The peer review is sufficiently comprehensive to provide a reasonable
basis for concluding whether the reviewed audit organization's system of
quality control was complied with to provide the organization with
reasonable assurance of conforming with professional standards in the
conduct of its work, and the peer review includes consideration of the
adequacy and results of the reviewed audit organization's monitoring
efforts.
For audit organizations that perform only a small number of GAGAS audits
in relation to other types of audits, at least one or more GAGAS audits is
selected for review. In these cases, one or more GAGAS audits may
represent more than what would be selected when looking at a cross-section
of the audit organization's work as a whole.
d. The review team prepares a written report(s) communicating the results
of the external peer review. The report indicates the scope of the review,
including any limitations thereon, and includes an opinion on whether the
system of quality control of the reviewed audit organization's audit
and/or attestation engagement practices was adequately designed based on
specified standards or criteria and whether the audit organization's
quality control policies and procedures were being complied with during
the year reviewed to provide the audit organization with reasonable
assurance of conforming with professional standards. The report states the
professional standards or criteria to which the reviewed audit
organization is being held. The report also describes the reasons for any
modification of the opinion. When there are matters that resulted in a
modification to the opinion, the report includes a detailed description of
the findings and recommendations, either in the peer review report or in a
separate letter of comment, to enable the reviewed audit organization to
take appropriate actions. The written report refers to the letter of
comment if such a letter is issued along with a modified report.
it
organizations should also transmit their external peer review reports
to appropriate oversight bodies. 43
er information public.
43
The transparency requirement in paragraph 3.68 does not include the letter
of comment.
a.
within 18 months, if the most recent external peer review opinion
is adverse or modified, with continued peer reviews every 18
months until the audit organization receives an unmodified
opinion;
b.
every 3 years if the audit organization has an unmodified peer
review opinion from its recent peer review, and does not qualify
for or does not elect a 5-year period; or
c.
every 5 years if the audit organization's most recent external
peer review opinion was unmodified and the audit organization
elects to meet the enhanced quality assurance and other criteria
in paragraph 3.70.44
3.70 The following represents the enhanced quality assurance criteria for
audit organizations that elect a 5-year peer review cycle. Audit
organizations that do not elect a 5-year peer review cycle are strongly
encouraged to adopt these criteria as a means to strengthen quality
assurance. In order to qualify for a 5-year peer review cycle, the audit
organization should meet the following criteria:
a. The audit organization makes public on its Web site a description of
the overall system of quality assurance used to provide the organization
with reasonable assurance of complying with applicable standards governing
audits and attestation engagements.45 The audit organization provides the
description of its system of quality assurance to the oversight
organization's bodies who receive the external peer review report under
paragraph 3.68.
44
Independent public accountants and audit organizations may be subject to
requirements of other professional organizations or licensing bodies.
45
This high-level description includes the major policies regarding ethical
requirements, initiation and continuance of audit work, human capital
management, engagement performance and reporting, and monitoring, as
discussed in paragraph 3.61.
b. The audit organization has an effective annual internal46 quality
inspection process that meets the following criteria:
(1)
The objective of the inspection process is to evaluate the
adequacy of the audit organization's quality control policies and
procedures, and the extent of the audit organization's compliance
with its quality control policies and procedures.
(2)
The annual inspection includes the following elements:
tal
management;
rnal or third-party resources to
conduct the inspection. If a third party is used to conduct the
inspection, that party is not independent to conduct the peer review.
ary modifications to the quality
control system, on a timely basis; and
process.
d.
The audit organization determines whether it qualifies for the
5-year peer review cycle and documents the rationale for its
decision if it believes it qualifies. The audit organization may
consult with its external peer reviewers in making this
determination.
3.71 Information in external peer review reports and letters of comment
may be relevant to decisions on procuring audit or attestation engagement
services. Therefore, audit organizations seeking to enter into a contract
to perform an assignment in accordance with GAGAS should provide the
following to the party contracting for such services:
Peer reviewers read the assurance statements for each year since the
previous peer review and compare them with the inspection results for
those years. Peer reviewers evaluate management's assertion and the
underlying monitoring and inspection processes for the year under review.
a.
the audit organization's most recent external peer review report
and any letter of comment, and
b.
any subsequent peer review reports and letters of comment received
during the period of the contract.
3.72 Auditors who are relying on another audit organization's work should
request a copy of the audit organization's latest peer review report and
any letter of comment, and the audit organization should provide these
documents when requested.
Chapter 4 Field Work Standards for Financial Audits
Introduction
generally accepted
government auditing standards (GAGAS). For financial audits, GAGAS
incorporate the AICPA's field work and reporting standards and the
related statements on auditing standards unless specifically excluded
or modified by GAGAS.48 This chapter identifies the AICPA field work
standards and prescribes additional standards for financial audits
performed in accordance with GAGAS.
b.
The auditor must obtain a sufficient understanding of the entity
and its environment, including its internal control49 to assess
the risk of material misstatement50 of the financial statements
whether due to error or fraud, and to design the nature, timing,
and extent of further audit procedures.
c.
The auditor must obtain sufficient appropriate audit evidence by
performing
procedures to afford a reasonable basis for an opinion regarding the
financial statements
under audit.
Additional Considerations for Financial Audits in Government
4.05 Additional considerations for financial audits in government apply in
audits of a
government entity or an entity that receives government awards. For
example, auditors
may need to set lower materiality levels than in audits in the private
sector because of
the public accountability of the audited entity, various legal and
regulatory requirements,
and the visibility and sensitivity of government programs. In applying
professional
judgment when applying auditing standards, auditors also consider the
needs of users
49
The AICPA standards incorporate the concepts contained in Internal
Control-Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). As discussed in the COSO
framework, internal control consists of five interrelated components,
which are (1) control environment, (2) risk assessment, (3) control
activities, (4) information and communication, and
(5) monitoring. The objectives of internal control relate to (1) financial
reporting, (2) operations, and (3) compliance. Safeguarding of assets is a
subset of these objectives. In that respect, management designs internal
control to provide reasonable assurance that unauthorized acquisition,
use, or disposition of assets will be prevented or timely detected and
corrected. In addition to the COSO document, the publication, Standards
for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
(Washington, D.C.: Nov. 1999), which incorporates the relevant guidance
developed by COSO, provides definitions and fundamental concepts
pertaining to internal control at the federal level and may be useful to
other auditors at any level of government. The related Internal Control
Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug.
2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing the internal
control structure.
50
In accordance with AICPA Statement on Auditing Standards No. 107, Audit
Risk and Materiality in Conducting an Audit, the auditor's consideration
of materiality is a matter of professional judgment and is influenced by
the auditor's perception of the needs of users of financial statements.
Materiality is defined as "the magnitude of an omission or misstatement of
accounting information that, in the light of surrounding circumstances,
makes it probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the omission or
misstatement." This definition is from Financial Accounting Standards
Board Statement of Financial Accounting Concepts No. 2. Qualitative
Characteristics of Accounting Information.
and the concerns of oversight officials regarding previously identified
risks, previously reported deficiencies in internal control of the audited
entity, and current and emerging risks and uncertainties facing the
government entity or program.
4.06 An important element of financial audits in government is the
reporting of deficiencies in internal control so that the audited entity
can take corrective actions necessary under the circumstances. (See
paragraphs 5.13 through 5.18.) A deficiency in internal control exists
when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to
prevent or detect misstatements on a timely basis. A deficiency in design
exists when
(a) a control necessary to meet the control objective is missing or (b) an
existing control is not properly designed so that, even if the control
operates as designed, the control objective is not met. A deficiency in
operation exists when a properly designed control does not operate as
designed, or when the person performing the control does not possess the
necessary authority or qualifications to perform the control effectively.
Consideration of Potential Fraud in a Financial Statement Audit and
Illegal Acts by Auditees
4.07 Under both the AICPA standards51 and GAGAS, auditors should plan and
perform the audit to obtain reasonable assurance52 about whether the
financial statements are free of material misstatement, whether caused by
error or fraud.53 Auditors conduct the audit with a mindset that
recognizes the possibility that a material misstatement due to
51 See AICPA Professional Standards, AU 316 (Statement on Auditing
Standards No. 99, Consideration of Fraud in a Financial Statement Audit).
52
In accordance with AICPA Statement on Auditing Standard No. 104, Amendment
to Statement on Auditing Standard No. 1, Codification of Auditing
Standards and Procedures ("DueProfessional Care in the Performance of
Work"),paragraph 2, "the high, but not absolute, level of assurance that
is intended to be obtained by the auditor is expressed in the auditor's
report as obtaining reasonable assurance about whether the financial
statements are free of material misstatement (whether caused by error or
fraud).
53
Two types of misstatements are relevant to the auditors` consideration of
fraud in an audit of financial statements--misstatements arising from
fraudulent financial reporting and misstatements arising from
misappropriation of assets. The primary factor that distinguishes fraud
from error is whether the underlying action that results in the
misstatement in the financial statements is intentional or unintentional.
potential fraud could be present. However, absolute assurance is not
attainable and thus even a properly planned and performed audit may not
detect a material misstatement resulting from fraud.
4.08 Auditors should design the audit to provide reasonable assurance of
detecting material misstatements resulting from direct and material
illegal acts.54 Auditors also consider the possibility that indirect
illegal acts may have occurred. If specific information comes to the
auditors' attention that provides evidence concerning the existence of
possible illegal acts that could have a material indirect effect on the
financial statements, the auditors should apply audit procedures
specifically directed to ascertaining (1) whether an illegal act has
occurred 55 and (2) the potential financial statement effect.
Additional GAGAS Standards
4.09 GAGAS establish field work standards for financial audits in addition
to the requirements contained in the AICPA SAS. Auditors should comply
with these additional standards when citing GAGAS in their audit reports.
The additional GAGAS standards relate to
a.
auditor communication (see paragraphs 4.10 through 4.15);
b.
previous audits and attestation engagements (see paragraphs 4.16
through 4.17);
54 See AICPA Professional Standards, AU 317 (Statement on Auditing
Standards No. 54, Illegal Acts by Clients). Direct and material illegal
acts are violations of laws and regulations having a direct and material
effect on the determination of financial statement amounts.
Whether a particular act is, in fact, illegal may have to await final
determination by a court of law or other adjudicative body. Thus, auditors
may disclose matters that have led them to conclude that an illegal act is
likely to have occurred; they do not make a determination of illegality.
c.
detecting material misstatements resulting from violations of
contract provisions or grant agreements, or from abuse (see
paragraphs 4.18 through 4.20);
d.
developing elements of a finding (see paragraph 4.21); and
e.
audit documentation (see paragraphs 4.22 through 4.41).
Auditor Communication
ting for or
requesting the audit and document the communications.
individuals contracting for or requesting the audit, such as
contracting officials or members or staff of legislative committees,
in addition to communicating with the audited entity. When auditors
are performing the audit pursuant
Those charged with governance are those responsible for overseeing the
strategic direction of the entity and the entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying the appropriate
individuals to receive the required auditor communications. (See appendix,
paragraph A1.02 for additional information.)
to a law or regulation and they are conducting the work directly for the
legislative committee who has oversight for the audited entity, auditors
should communicate with the members or staff of that legislative
committee. Auditors should coordinate communications with the responsible
government audit organization and/or management of the audited entity. If
an audit is terminated before it is completed, auditors should write a
memorandum for the audit documentation that summarizes the results of the
work and explains the reasons why the audit was terminated. In addition,
depending on the facts and circumstances, auditors should consider the
need to communicate the reason for terminating the audit to those charged
with governance, management of the audited entity, the entity requesting
the audit, and other appropriate officials, preferably in writing.
ally address their planned
work and reporting responsibilities related to testing internal
control over financial reporting and compliance with laws,
regulations, and provisions of contracts or grant agreements. During
the planning stages of an audit, auditors should communicate their
responsibilities for testing and reporting on internal control over
financial reporting and compliance with laws, regulations, and
provisions of contracts or grant agreements. Auditors should also
communicate the nature of any additional testing of internal control
and compliance required by laws, regulations, and provisions of
contracts or grant agreements, or otherwise requested, and whether the
auditors will provide opinions on internal control over financial
reporting and compliance with laws, regulations, and provisions of
contracts or grant agreements.
er
financial reporting and compliance with laws, regulations, and
provisions of contracts or grant agreements in a financial statement
audit contribute to the evidence supporting the auditors' opinion on
the financial statements or other conclusions regarding financial
data. However, such tests generally are not sufficient in scope to
provide an opinion on the effectiveness of internal control over
financial reporting or compliance with laws, regulations, and
provisions of contracts or grant agreements. To meet certain audit report
users' needs, laws and regulations sometimes prescribe testing and
reporting on internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts and grant agreements to
supplement coverage of these areas.57
4.15 Even after auditors perform and report the results of additional
tests of internal control over financial reporting and compliance with
laws, regulations, and provisions of contracts and grant agreements, those
charged with governance, officials of the audited entity or individuals
contracting for or requesting the audit may desire additional procedures
or reporting. Auditors may meet these needs by performing further tests of
internal control and compliance with laws, regulations, and provisions of
contracts or grant agreements as an attestation engagement (see chapter
6), or a performance audit (see chapters 7 and 8), to achieve these
objectives.
Previous Audits and Attestation Engagements
the objectives of the audit being undertaken have an impact on the
current engagement, including whether related recommendations have
been implemented.
nagement Reform Act of 1994 and the Accountability of Tax Dollars Act of
2002, also have specific audit requirements prescribed by OMB in the areas
of internal control and compliance. In addition, some state and local
governments may have additional audit requirements that the auditors would
need to follow in planning the audit.
taken to address significant findings and recommendations,58 including
those related to significant deficiencies, including material
weaknesses.59
Detecting Material Misstatements Resulting from Violations of Contract
Provisions or Grant Agreements, or from Abuse
4.18 The standard related to violations of contract provisions or grant
agreements or abuse for financial audits performed in accordance with
GAGAS is:
a.
Auditors should design the audit to provide reasonable assurance
of detecting misstatements resulting from violations of provisions
of contracts or grant agreements that have a material effect on
the determination of financial statement amounts or other
financial data significant to the audit objectives.
b.
If during the course of the audit, auditors become aware of
indications of abuse that could be quantitatively or qualitatively
material, auditors should apply audit procedures specifically
directed to ascertain whether material abuse has occurred and the
potential effect on the financial statements or other financial
data significant to the audit objectives. Based on the facts and
circumstances, the auditors may find it helpful to identify
specific risks, situations, or transactions that are susceptible
to abuse. In addition, auditors remain alert throughout the audit
to situations or transactions that could be indicative of abuse.
However, because the determination of abuse is subjective,
auditors are not required to provide reasonable assurance of
detecting abuse.
4.19 Abuse involves behavior that is deficient or improper when compared
with behavior that a prudent person would consider reasonable and
necessary business practice given the facts and circumstances. Abuse also
includes misuse of authority or position for personal financial interests
or those of an immediate or close family member
58
Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors` work and the
auditors` conclusions and recommendations about those results.
59
See paragraph 5.13 for definitions of significant deficiency and material
weakness.
or business partner. Abuse is distinct from fraud, illegal acts, and
violations of provisions of contracts or grant agreements in that abuse
does not necessarily involve violation of laws, regulations, or provisions
of a contract or grant agreement. If auditors encounter such situations,
they should assess the risk of whether these situations or transactions
could be indicative of qualitatively or quantitatively material abuse.
When information comes to the auditors' attention (through audit
procedures, allegations received through a fraud hotline, or other means)
indicating that material abuse may have occurred, auditors should perform
audit procedures, as necessary, to (1) determine whether the abuse
occurred and, if so, (2) determine its effect on the financial statements
or other financial data. Auditors assess both quantitative and qualitative
factors in making judgments regarding the materiality of possible abuse.
4.20 In pursuing indications of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report indications of certain types of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing additional
audit procedures. In cases where an investigation is initiated or in
process, it may be appropriate for the auditors to withdraw from or defer
further work on the engagement or a portion of the engagement to avoid
interfering with an investigation.
Developing Elements of a Finding
ficiencies are identified, auditors should plan audit
procedures to develop the elements of a finding necessary to achieve
the audit objectives. Audit findings, such as deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, contain the elements of
criteria, condition, cause, and effect or potential effect. Thus, a
finding or set of findings is complete to the extent that the auditors
believe that the audit objectives are satisfied. (See paragraph
provides the principal support for the statement in the auditor's
report that the auditor performed the audit in accordance with
GAGAS and any other standards cited, and
b.
provides the principal support for the auditors' conclusions.
documentation alone does not guarantee audit quality, the process of
preparing sufficient and appropriate documentation contributes to the
quality of an audit.
latory requirements, (c) the environment in which
the entity operates, and (d) auditing and financial reporting issues
relevant to the audited entity's environment.
d. the conclusions reached on significant matters.
4.25 In addition to the audit documentation requirements listed in the
previous paragraph, the auditor should document the following for
financial audits performed under GAGAS :
a.
the objectives, scope, and methodology of the audit, and
b.
evidence of supervisory review, before the audit report is issued,
of the work performed that supports findings, conclusions, and
recommendations contained in the audit report.
by the auditor to clarify or explain
information contained in the audit documentation. It is, however,
neither necessary nor practicable to document every matter the auditor
considers during the audit.
vidence obtained),
and the basis for the final conclusions reached. Judging the
significance of a finding or issue requires an objective analysis of
the facts and circumstances.
the date of such
review.
achieve the objectives of the requirements. The auditor
should also follow the requirements in paragraphs 1.13 through 1.15.
61 from the report release date.
s quality control policies may state a specific time in
which the assembly process should be completed.
assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and
cross-referencing final audit documentation,
c.
sign-off on audit documentation completion checklists prior to
completing and archiving the audit documentation, and
d.
add information received after the date of the report, for
example, an original document that was previously faxed.
4.37 After the documentation completion date, the auditors must not delete
or discard audit documentation before the end of the specified retention
period, as discussed in paragraph 4.34. When the auditor finds it
necessary to make an addition (including
61
The five-year requirement is from AICPA Statement on Auditing Standards
No. 103, Audit Documentation.
62
The 60-day requirement is from AICPA Statement on Auditing Standards No.
103, Audit Documentation.
amendments) to audit documentation after the documentation completion
date, the auditor should document the addition by including the following
in the documentation:
a.
when and by whom such additions were made and, where applicable,
reviewed,
b.
the specific reasons for the changes, and
c.
the effect, if any, of the changes on the auditors' conclusions.
, of the evidence supporting the auditors'
significant judgments and conclusions. If audit documentation is
retained only electronically, the audit organization should safeguard
the electronic documentation through sound computer security so that
it is capable of being accessed throughout the specified retention
period established for audit documentation.
ation available, upon request, in a timely manner to other
auditors or reviewers. It is also essential that contractual
arrangements for GAGAS audits provide for full and timely
access to audit staff and individuals, as well as audit documentation
without restriction to facilitate reliance by other auditors or reviewers
on the auditors' work.
4.41 Consistent with applicable laws and regulations, audit organizations
should develop clearly defined policies and criteria to deal with
situations where requests are made by outside parties to obtain access to
audit documentation. The audit organization should include in its policies
and procedures guidance for dealing with situations where an outside party
attempts to obtain indirectly through the auditor information that it is
unable to obtain directly from the audited entity and how to respond to
requests for access to audit documentation before the audit is complete.
The audit organization should also include flexibility in its policies and
procedures to consider the individual facts and circumstances surrounding
such requests, for instance, cases when granting access or providing
certain information could adversely affect the audit organization's
ability to successfully perform similar audits in the future.
Chapter 5 Reporting Standards for Financial Audits
Introduction
related statements on auditing standards unless specifically excluded
or modified by GAGAS.63 This chapter identifies the AICPA reporting
standards and prescribes additional standards for financial audits
performed in accordance with GAGAS.
ndards of reporting are as
follows:64
[AICPA is currently in the process of revising the reporting standardsto
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]
a. The report shall state whether the financial statements are presented
in accordance with generally accepted accounting principles.
To date, the Comptroller General has not excluded any reporting standards
or SASs. 64 See AICPA Professional Standards, AU 410 - 431 and 504.
b.
The report shall identify those circumstances in which such
principles have not been consistently observed in the current
period in relation to the preceding period.
c.
Informative disclosures in the financial statements are to be
regarded as reasonably adequate unless otherwise stated in the
report.
d.
The report shall either contain an expression of opinion regarding
the financial statements, taken as a whole, or an assertion to the
effect that an opinion cannot be expressed. When an overall
opinion cannot be expressed, the reasons should be stated. In all
cases where an auditor's name is associated with financial
statements, the report should contain a clear-cut indication of
the character of the auditor's work, if any, and the degree of
responsibility the auditor is taking.
Additional GAGAS Reporting Standards for Financial Audits
5.04 GAGAS establish additional reporting standards for financial audits
in addition to the requirements contained in the AICPA SAS. Auditors
should comply with these additional standards when citing GAGAS in their
audit reports. The additional GAGAS standards relate to:
a.
reporting auditors' compliance with GAGAS (see paragraphs 5.05
through 5.07);
b.
reporting on internal control and on compliance with laws,
regulations, and provisions of contracts or grant agreements (see
paragraphs 5.08 through 5.11);
c.
reporting deficiencies in internal control, potential fraud,
illegal acts, violations of provisions of contracts or grant
agreements, or abuse (see paragraphs 5.12 through 5.27);
d.
emphasizing significant matters in the auditors' report (see
paragraphs 5.28 through 5.31);
e.
reporting on restatement of previously-issued financial statements
(see paragraphs
5.32 through 5.38);
f.
reporting views of responsible officials (see paragraphs 5.39
through 5.44);
g.
reporting privileged and confidential information (see paragraphs
5.45 through 5.47); and
h.
issuing and distributing reports (see paragraphs 5.48 through
5.51).
Reporting Auditors' Compliance with GAGAS
ors comply with all applicable GAGAS standards, they should
include a statement in the audit report that they performed the audit
in accordance with GAGAS.
separate report conforming only to the requirements of
AICPA or other standards. When a GAGAS audit is the basis for an
auditors' subsequent report under the other standards, the auditors
should consider including a reference to the GAGAS report, as that
report will contain additional information on internal control,
compliance with laws, regulations, and provisions of contracts or
grant agreements, potential fraud, or abuse that GAGAS require.
Reporting on Internal Control and on Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements
ests or an opinion, if sufficient work was
performed, or (2) reference to the separate report(s) containing that
information. If auditors report separately, they should include a
reference to the separate report containing this information in their
opinion or disclaimer report and state that the separate report is an
integral part of the audit and important for assessing the results of
the audit.
ts or grant agreements. Auditors
should also indicate in the report whether or not the tests they
performed provided sufficient evidence to support an opinion on the
effectiveness of internal control over financial reporting and on
compliance with laws, regulations, and provisions of contracts or
grant agreements.
standalone
report.
ements that they are issuing those additional
reports. They also should state that the reports on internal control
over financial reporting and compliance with laws and regulations and
provisions of contracts or grant agreements are an integral part of a
GAGAS audit and important for assessing the results of the audit.
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse
5.12 For financial audits, including audits of financial statements in
which auditors provide an opinion or disclaimer, auditors should report,
as applicable to the objectives of the audit, (1) deficiencies in internal
control considered to be material weaknesses or other significant
deficiencies, (2) all instances of potential fraud and illegal acts unless
clearly inconsequential,65 and (3) material violations of provisions of
contracts or grant agreements or abuse. In some circumstances, auditors
should report potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to parties external to
the audited entity when other requirements provide for such reporting.
Reporting Deficiencies in Internal Control
5.13 For all financial audits, auditors should report deficiencies in
internal control considered to be significant deficiencies, including
material weaknesses, as follows:
65
If the auditor is performing an audit in accordance with OMB Circular No.
A-133, Audits of States, Local Governments, and Non-Profit Organizations,
the thresholds for reporting are defined in the circular. Those reporting
thresholds are sufficient to meet the requirements of GAGAS.
a.
A significant deficiency is a deficiency in internal control, or
combination of deficiencies, that adversely affects the entity's
ability to initiate, authorize, record, process, or report
financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote66
likelihood that a misstatement of the entity's financial
statements that is more than inconsequential67 will not be
prevented or detected.
b.
A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote
likelihood that a material misstatement of the financial
statements will not be prevented or detected.
5.14 If control deficiencies are identified, an important part of the
assessment is the consideration of significance of those deficiencies. In
addition to qualitative considerations, auditors evaluate the following
when concluding about the significance of a deficiency in internal
control:
a.
the likelihood that a deficiency, or combination of deficiencies,
could result in a misstatement of an account balance or
disclosure, and
b.
the magnitude of the potential misstatement resulting from the
deficiency or deficiencies.
5.15 Auditors should include all material weaknesses and other significant
deficiencies in the auditors' report on internal control over financial
reporting. (See appendix A.03
The term "more than remote" used in the definitions for significant
deficiency and material weakness means "at least reasonably possible." The
following definitions apply. (1) Remote-The chance of the future events or
their occurrence is slight. (2) Reasonably possible-The chance of the
future events or their occurrence is more than remote but less than
likely. (3) Probable-The future events are likely to occur. 67 "More than
inconsequential" indicates an amount that is less than material, yet has
significance. A misstatement is "inconsequential" if a reasonable,
objective person would conclude that the misstatement, either individually
or when aggregated with other misstatements, would clearly be immaterial
to the financial statements. If a reasonable, objective person could not
reach such a conclusion, that misstatement is "more than inconsequential."
for examples of matters that may be significant deficiencies, including
material weaknesses.)
5.16 To the extent necessary to achieve the audit objectives, in
presenting audit findings such as deficiencies in internal control,
auditors should develop the elements of criteria, condition, cause, and
effect to assist management or oversight officials of the audited entity
in understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding, they
should provide recommendations for corrective action. Following is
guidance for reporting on elements of findings:
a.
Criteria: The required or desired state or what is expected from
the program or operation. The criteria are easier to understand
when stated objectively, explicitly, and completely, and the
source of the criteria is identified in the audit report.68
b.
Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report
user to gain an accurate perspective.
c.
Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable
and convincing argument for why the stated cause is the key factor
or factors contributing to the difference as opposed to other
possible causes, such as poorly designed criteria or factors
uncontrollable by program management. The auditors also may
consider whether the identified cause could serve as a basis for
the recommendations. Often the causes of deficiencies in internal
control are complex and involve multiple factors. In some cases,
it may not be practical for auditors to fully develop or identify
the causes of deficiencies. However, analyzing and identifying
root
68
Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool (GAO-01-1008G, Aug. 2001), based on
the federal internal control standards, provides a systematic, organized,
and structured approach to assessing internal control.
causes of internal control deficiencies is key to making recommendations
for corrective action.
d. Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the auditors
found (condition) and the required or desired state (criteria). Effect is
easier to understand when it is stated clearly, concisely, and, if
possible, in quantifiable terms. The significance of the reported effect
can be demonstrated through credible evidence.
ect deficiencies in internal control that are not
significant deficiencies (or material weaknesses) they should
communicate those deficiencies separately in a management letter to
officials of the audited entity unless the deficiencies are clearly
inconsequential considering both quantitative and qualitative factors.
Auditors should refer to that management letter (or to a management
letter to be issued) in the report on internal control. Auditors use
professional judgment when deciding whether or how to communicate to
officials of the audited entity deficiencies in internal control that
are clearly inconsequential. Auditors should include in their audit
documentation evidence of communications to officials of the audited
entity about deficiencies in internal control found during the audit.
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse
5.19 Under AICPA standards and GAGAS, auditors should address the effect
potential fraud or illegal acts may have on the audit report and to
determine that those charged with governance are adequately informed about
the potential fraud or illegal acts. Under GAGAS, auditors should provide
this information in writing and also include reporting on
(1)
violations of provisions of contracts or grant agreements that
have a material effect on the determination of financial statement
amounts or other financial data significant to the audit, and (2)
abuse that is material, either quantitatively or qualitatively.69
Therefore, when auditors conclude, on the basis of evidence
obtained, that any of the following either has occurred or is
likely to have occurred,70 they should include in their audit
report the relevant information about71
a.
potential fraud and illegal acts that are greater than
inconsequential;
b.
material violations of contracts or grant agreements; or
c.
material abuse.
5.20 When reporting instances of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
place their findings in perspective by describing the extent of the work
performed that resulted in the finding. To give the reader a basis for
judging the prevalence and consequences of these findings, auditors may
relate the instances identified to the population or to the number of
cases
69
See paragraph 4.19 for a discussion of abuse.
70
Whether a particular act is, in fact, illegal may have to await final
determination by a court of law or other adjudicative body. Thus, when
auditors disclose matters that have led them to conclude that an illegal
act is likely to have occurred, they do not make a final determination of
illegality.
71
Auditors include information about fraud or abuse in the audit reports
required by paragraph 5.08 as applicable to internal control and
compliance with laws, regulations, and provisions of contracts and grant
agreements.
examined and quantify the results in terms of dollar value, as
appropriate. If the results cannot be projected, auditors should limit
their conclusions appropriately.
itors
should develop in their report the elements of criteria, condition,
cause, and effect when potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse is found. The
guidance for reporting deficiencies in internal control in paragraph
5.16 is designed to assist auditors in developing the elements of
their findings.
of the audited entity potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that is clearly
inconsequential. Auditors should include in their audit documentation
evidence of communications to officials of the audited entity about
potential fraud, illegal acts, violations of provisions of contracts
or grant agreements, or abuse found during the audit.
ents, or abuse directly to
parties outside the audited entity in two circumstances, as discussed
below.72 This reporting is in addition to any legal requirements for
direct reporting of potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse. Auditors should
follow these requirements even if they have resigned or been dismissed
from the audit prior to its completion.
grant agreements, or abuse directly to the external party specified
in the law or regulation.
management fails to take remedial steps.
When auditors conclude that such failure is likely to cause them to
depart from the standard report on the financial statements or resign
from the audit, they should communicate that conclusion to those
charged with governance of the audited entity. If the audited entity
does not report the potential fraud, illegal act, violation of
provisions
Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy. See paragraph
3.19 for reporting requirements for internal audit organizations when
reporting externally.
of contracts or grant agreements, or abuse in a timely manner to the
entity that provided the government assistance, the auditors should report
the potential fraud, illegal act, violation of provisions of contracts or
grant agreements, or abuse directly to the awarding entity.
5.27 Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by management
that it has reported potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse. When auditors are
unable to do so, they should report such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly as discussed above.
Emphasizing Significant Matters in the Auditors' Report
r in the auditors' report. Such explanatory material is presented
in a separate paragraph or separate section of the auditors' report.
Examples of matters that auditors should consider emphasizing when
they become aware that such issues exist include the following:
73 See AICPA Professional Standards, AU 508.19
a.
Concerns or significant uncertainties about the fiscal
sustainability of a government or program or other matters that
could have a significant impact on the financial condition or
operations of the government entity.74 Such concerns or
uncertainties may arise due to revenue and/or expenditure trends;
economic dependency on other governments or other entities; the
government's current commitments, responsibilities, liabilities,
or promises to citizens for future benefits that are not
sustainable over the long-term; deficit trends; the relationship
between the financial information and other key indicators; and
other significant risks and uncertainties that call into question
the longterm sustainability of current government programs in
relation to the resources expected to be available.
b.
Unusual or catastrophic events that will likely have a significant
ongoing or future impact on the government's financial condition
or operations.
c.
Significant uncertainties surrounding projections or estimations
in the financial statements.
d.
Any other matter that the auditors consider significant for
communication in the auditors' report to users and oversight
bodies.
iously-Issued Financial Statements
5.32 Auditors have professional responsibilities when they become aware of
actual or potential misstatements that might have affected their report on
previously-issued financial statements. Under both AICPA standards75 and
GAGAS, auditors have the following responsibilities related to (1)
potential material misstatements in previouslyissued financial statements,
and (2) restatement76 of the previously-issued financial statements:
a.
Auditors should determine if the previously-issued financial
statements were materially misstated and should request
management's cooperation in making this determination.
b.
Auditors should determine if (a) the misstatement(s) may affect
the auditors' report on the previously-issued financial statements
and, (b) persons are currently relying or likely to rely on the
financial statements.
c.
Auditors should advise the audited entity to disclose the
misstatement(s) and the related financial statement impact to
persons relying or likely to rely on the financial statements and
related auditors' report.
d.
Auditors should determine whether the audited entity has
appropriately disclosed the misstatement(s).
75See AICPA Professional Standards, AU 561, "Subsequent Discovery of Facts
Existing at the Date of the Auditor's Report."
As used in this standard, restatement means the correction of an error(s)
in previously-issued financial statement(s).
e. When the audited entity refuses to disclose the misstatement(s), then:
(1)
auditors should notify those charged with governance of the
entity's refusal to disclose the misstatement,
(2)
auditors should notify the audited entity that the related
auditors' report can no longer be relied upon or associated with
the previously-issued financial statements, and
(3)
auditors should notify oversight or regulatory agencies that have
jurisdiction over the audited entity and persons known to be
relying on the financial statements that the auditors' report can
no longer be relied upon.
ely misstatement(s) in
previously-issued audited financial statements may lead auditors to
believe that the auditors' report would or could reasonably have been
affected if they had known of the misstatements when they issued the
auditors' report. When this condition exists, auditors should advise
management to communicate the following information to those charged
with governance, oversight bodies, funding agencies, and others who
are relying or are likely to rely on the financial statements:
a.
The nature and cause(s) of the known or likely material
misstatement(s).
b.
The amount(s) of known or likely material misstatement(s) and the
related effect(s) on the previously-issued financial statements
(e.g., disclosure of the specific financial statement(s) and line
item(s) affected). If this information is not known, then the
disclosure includes information that is known and a statement that
management cannot determine the amount(s) and the related effect(s) on the
previously-issued financial statements without further investigation.
c. A notice that (1) previously-issued financial statements will or may be
restated and, therefore, (2) the related auditors' report is no longer
reliable.
5.35 Auditors should review the adequacy of management's communication
information about the known or potential material misstatement(s) to
report users, including those charged with governance, oversight bodies
and funding agencies. When performing this review, auditors consider
whether:
a.
management acted timely to determine the financial statement
effects of the potential material misstatement(s),
b.
management acted timely to communicate with appropriate parties,
and
c.
management disclosed the nature and extent of the known or likely
material misstatement(s) on Internet pages where the agency's
previously-issued financial statements are published.
Auditors should notify those charged with governance if they believe that
management is unduly delaying its determination of the effect(s) of the
misstatement(s) on previouslyissued financial statements.
5.36 Also, auditors should evaluate the timeliness and appropriateness of
management's decision whether to issue restated financial statements.
Management may separately issue the restated financial statements or may
present the restated financial statements on a comparative basis with
those of a subsequent period. Ordinarily, auditors would expect management
to issue restated financial statements as soon as practicable. However, it
may not be necessary for management to separately issue the restated
financial statements and auditors' report when issuance of the
subsequent-period audited financial statements is imminent.77
5.37 When management restates previously-issued financial statements,
auditors should perform audit procedures sufficient to reissue or update
the auditors' report on the restated financial statements. Auditors should
fulfill these responsibilities whether the restated financial statements
are separately issued or presented on a comparative basis with those of a
subsequent period. Auditors should include the following information in an
explanatory paragraph in the reissued or updated auditors' report on the
re-issued financial statements:
a.
a statement disclosing that the previously-issued financial
statement(s) have been restated,
b.
a statement that the previously-issued financial statements were
materially misstated and that the previously-issued auditors'
report (include report date) is withdrawn and replaced by the
auditors' report on the restated financial statement(s), and
c.
a reference to the note(s) to the restated financial statements
that discusses the restatement, including
(1)
the nature and cause(s) of the misstatement(s) that led to the
need for restatement, and
(2)
the specific amount(s) of the material misstatement(s) and the
related effect(s) on the previously-issued financial statements
(e.g., the specific financial statement(s) affected and line items
restated) and the impact on the current-year financial statements.
d.
A discussion of any significant internal control deficiency that
failed to prevent or detect the misstatement and what action
management has taken about the deficiency.
For purposes of this standard, imminent means within 90 days of
determining the effect of the misstatement(s) on the previously-issued
financial statements.
5.38 Auditors should notify those charged with governance, oversight
bodies, and funding agencies when management (1) does not take the
necessary steps to promptly inform report users of the situation or (2)
does not restate with appropriate timeliness the financial statements in
circumstances when auditors believe they need to be restated. Auditors
should inform these parties that the auditors will take steps to prevent
future reliance on the auditors' report. The steps taken will depend on
the facts and circumstances, including legal considerations.
Reporting Views of Responsible Officials
rs' report discloses deficiencies in internal control,
potential fraud, illegal acts, violations of provisions of contracts
or grant agreements, or abuse, auditors should obtain and report the
views of responsible officials concerning the findings, conclusions,
and recommendations, as well as planned corrective actions.
2. One of the most effective ways to provide a report that is fair,
complete, and objective is to provide a draft report for review and
comment by responsible officials of the audited entity and others, as
appropriate. Including the views of responsible officials results in a
report that presents not only the significant deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse the auditors identified, but
also the perspectives of the responsible officials of the audited
entity and the corrective actions they plan to take. Auditors should
include in their report a copy of the officials' written comments
and/or a summary of the comments received. In cases where the audited
entity provides technical comments in addition to its written comments
on the report, auditors use professional judgment in determining
whether to include such comments or disclose in the report that such
comments were provided.
in some cases,
may be the most expeditious way to obtain comments. Obtaining oral
comments can be effective when, for example, there is a time-critical
reporting date to meet a user's needs; auditors have worked closely
with the responsible officials throughout the conduct of the work and
the parties are familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with
the draft report's findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed
in the draft report. If oral comments are provided by the responsible
officials, auditors should prepare a summary of the oral comments and
provide a copy of the summary to the responsible officials to verify
that the comments are accurately stated prior to finalizing the
report.
comments, as appropriate, in the final report. Auditors may note
comments, such as a plan for corrective action, but should not accept
them as justification for dropping a finding or a related
recommendation without sufficient and appropriate evidence.
conclusions, or recommendations, and are not, in the auditors'
opinion, valid, or when planned corrective actions do not adequately
address the auditors' recommendations, the auditors should state
objectively their reasons for disagreeing with the comments or planned
corrective actions. Conversely, the auditors should modify their
report as necessary if they find the comments valid.
omitted and the requirement that makes the
omission necessary.
formation
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion
of certain information in the report. For example, detailed
information related to computer security for a particular program may
be excluded from publicly available reports because of the potential
damage that could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official-use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors' recommendations. The
auditors may consult with legal counsel regarding any requirements or
other circumstances that may necessitate the omission of certain
information.
ring or arranging for the
audits, including external funding organizations78 such as legislative
bodies, unless legal restrictions prevent it. Auditors should also send
copies of the reports to other officials who have legal oversight
authority or who may be responsible for acting on audit findings and
recommendations and to others authorized to receive such reports. Auditors
should clarify whether the report will be made available for public
inspection. If the subject of the audit involves material that is
classified for security purposes or not releasable to particular parties
or the public for other valid reasons, auditors may limit the report
distribution.79 Auditors should document any limitation on report
distribution.
ry requirements for distribution. The head of the internal
audit organization should disseminate results to the appropriate
parties. The head of the internal audit organization is responsible
for communicating the final results to parties who are in a position
to take appropriate corrective actions. Distribution of reports
outside the organization ordinarily is made only in accordance with
applicable laws, rules, regulations, or policy.
of Management and Budget
(OMB) Circular No. A-133 on single audits for the distribution of reports
on single audits of state and local governmental entities and nonprofit
organizations that receive federal awards.
79
See paragraphs 5.45 through 5.47 for additional guidance on limited report
distribution when reports contain privileged or confidential information.
audit, and other appropriate officials about the termination of the audit,
preferably in writing. Auditors should document this communication.
Chapter 6 General, Field Work, and Reporting Standards for Attestation
Engagements
Introduction
ed
statements on standards for attestation engagements (SSAE), unless
specifically excluded or modified by GAGAS.80 This chapter identifies
the AICPA general standard on criteria,81 field work and reporting
standards for attestation engagements and prescribes additional
standards for attestation engagements performed in accordance with
GAGAS.
not excluded any field work
standards, reporting standards, or SSAEs.
81
GAGAS incorporate only one of the AICPA general standards for attestation
engagements.
up-to-date AICPA standards in the final 2006 Revision of Government
Auditing Standards.]
The practitioner [auditor] shall perform an engagement only if he or she
has reason to believe that the subject matter is capable of evaluation
against criteria that are suitable and available to users.
6.05 The two AICPA field work standards for attestation engagements are as
follows:
[AICPA is currently in the process of revising the field work standards to
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]
a.
The work shall be adequately planned and assistants, if any, shall
be properly supervised.
b.
Sufficient evidence shall be obtained to provide a reasonable
basis for the conclusion that is expressed in the report.
Additional Considerations for Attestation Engagements in Government
station engagements in government is the
reporting of deficiencies in internal control related to the subject
matter or objectives of the engagement so that the entity can take
corrective actions necessary under the circumstances. (See paragraphs
6.49 through 6.53.) In an attestation engagement, a deficiency in
internal control exists when the design or operation of a control does
not allow management or employees, in the normal course of performing
their assigned functions, to prevent errors in assertions made by
management on a timely basis. A deficiency in design exists when (a) a
control necessary to meet the control objective is missing or (b) an
existing control is not properly designed so that, even if the control
operates as designed, the control objective is not met. A deficiency
in operation exists when a properly designed control does not operate
as designed, or when the person performing the control does not
possess the necessary authority or qualifications to perform the
control effectively.
Additional GAGAS Field Work Standards for Attestation Engagements
6.08 GAGAS establish attestation engagement field work standards in
addition to the requirements contained in the AICPA SSAE. Auditors should
comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS field work standards
relate to:
a.
auditor communication (see paragraphs 6.09 through 6.11);
b.
previous audits and attestation engagements (see paragraphs 6.12
through 6.13);
c.
internal control (see paragraphs 6.14 through 6.16);
d.
detecting potential fraud, illegal acts, violations of contract
provisions or grant agreements, or abuse that could have a
material effect on the subject matter (see paragraphs 6.17 through
6.22);
e.
developing elements of findings for attestation engagements
(paragraph 6.23); and
f.
attest documentation (see paragraphs 6.24 through 6.43).
Auditor Communication
e parties involved may be misinterpreted. During the planning
stages of an attestation engagement, auditors also should report (1)
the nature, timing, and extent of testing and reporting, and (2) the
level of assurance provided. Auditors use professional judgment when
determining the form, content, and frequency of the communication.
Auditors may use an engagement letter or a proposal, if appropriate,
to communicate the information. If the attestation engagement is part
of a larger audit, this information may be communicated as part of
that audit.
he entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying the appropriate
individuals to receive the required auditor communications. (See appendix,
paragraph A1.02 for additional information.)
audit, such as contracting officials or members or staff of legislative
committees, in addition to communicating with the audited entity. When
auditors are performing the audit pursuant to a law or regulation and they
are conducting the work directly for the legislative committee who has
oversight for the audited entity, auditors should communicate with the
members or staff of that legislative committee. Auditors should coordinate
communications with the responsible government audit organization and/or
management of the audited entity. If an audit is terminated before it is
completed, auditors should write a memorandum for the audit documentation
that summarizes the results of the work and explains the reasons why the
audit was terminated. In addition, depending on the facts and
circumstances, auditors should consider the need to communicate the reason
for terminating the audit to those charged with governance, management of
the audited entity, the entity requesting the audit, and other appropriate
officials, preferably in writing.
Previous Audits and Attestation Engagements
ngagement being
undertaken and ask management of the audited entity to identify
corrective actions taken to address significant findings and
recommendations,83 including those related to significant
deficiencies, including material weaknesses.84
83
Significant findings and recommendations are those matters that, if not
corrected, could affect the results of the auditors` work and the
auditors` conclusions and recommendations about those results.
84
See paragraph 6.50 for definitions of significant deficiency and material
weakness.
Internal Control
ing of internal control85 as it
relates to the subject matter or assertion to which the auditors are
attesting. The subject matter or assertion may be financial or
nonfinancial, and internal control material to the subject matter or
assertion the auditors are testing may relate to:
a.
effectiveness and efficiency of operations, including the use of
an entity's resources;
b.
reliability of financial reporting, including reports on budget
execution and other reports for internal and external use;
c.
compliance with applicable laws and regulations, provisions of
contract, or grant agreements; and
d.
safeguarding of assets.
6.16 A deficiency in internal control exists when the design or operation
of a control does not allow management or employees, in the normal course
of performing their assigned functions, to prevent or detect errors in
assertions made by management on a
Although not applicable to attestation engagements, the AICPA SASs may
provide useful guidance related to internal control for auditors
performing attestation engagements in accordance with GAGAS. In addition,
auditors performing attestation engagements may wish to refer to the
internal control guidance published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). The Standards for
InternalControl in the Federal Government, GAO/AIMD-00-21.3.1 (Washington,
D.C.: Nov. 1999), which incorporates the relevant guidance developed by
COSO, provides definitions and fundamental concepts pertaining to internal
control at the federal level and may be useful to auditors at any level of
government. The related Internal Control Management and Evaluation Tool,
GAO-01-1008G (Washington, D.C.: Aug. 2001) based on the federal internal
control standards, provides a systematic, organized, and structured
approach to assessing internal control.
timely basis. A deficiency in design exists when (a) a control necessary
to meet the control objective is missing or (b) an existing control is not
properly designed so that, even if the control operates as designed, the
control objective is not met. A deficiency in operation exists when a
properly designed control does not operate as designed, or when the person
performing the control does not possess the necessary authority or
qualifications to perform the control effectively.
Detecting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or Grant Agreements, or Abuse That Could Have a Material Effect
on the Subject Matter
6.17 The standard related to potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse for attestation
engagements performed in accordance with GAGAS is:
a.
In planning examination-level attestation engagements, auditors
should design the engagement to provide reasonable assurance of
detecting potential fraud, illegal acts, or violations of
provisions of contracts or grant agreements that could have a
material effect on the subject matter or assertion of the
attestation engagement.
b.
In planning review-level attestation engagements, auditors should
be alert to situations or transactions that may be indicative of
potential fraud, illegal acts, and violations of provisions of
contracts or grant agreements.
c.
In agreed-upon-procedures-level engagements, auditors perform
limited testing in order to issue a report of finding based on
specific procedures performed on a subject matter. Therefore,
auditors are not expected to provide assurance of detecting
potential fraud, illegal acts, or violations of contract or grant
agreements for these types of engagements.
d.
Auditors conduct the attestation engagement with the mindset that
recognizes the possibility that a material misstatement in
management's assertion could be present.
However, absolute assurance is not attainable and thus even a properly
planned and performed examination-level attestation engagement may not
detect a material misstatement resulting from fraud.
e. For all types of attestation engagements, auditors remain alert to
situations or transactions that may be indicative of material abuse and
follow the requirements in 6.20 through 6.21.
6.18 For examination-level attestation engagements, auditors design the
engagement to provide reasonable assurance of detecting fraud86, illegal
acts, or violations of provisions of contracts or grant agreements that
have a material effect on the subject matter or assertion of the
attestation engagement. Auditors should assess the risk and possible
effects of material fraud, illegal acts, or violations of provisions of
contracts or grant agreements on the subject matter or assertion of the
attestation engagement. Auditors should document their assessment of risk,
and when risk factors are identified, auditors should also document:
a.
those risk factors identified,
b.
the auditors' response to those risk factors, individually or in
combination, and
c.
the auditors' conclusions.
6.19 For attestation engagements involving review-level reporting,
auditors are alert to situations or transactions that may be indicative of
potential fraud, illegal acts, or violations of provisions of contracts or
grant agreements. When information comes to the auditors' attention
(through audit procedures, allegations received through fraud
Fraud is a type of illegal act involving the obtaining of something of
value through willful misrepresentation. Although not applicable to
attestation engagements, the AICPA SASs may provide useful guidance
related to fraud for auditors performing attestation engagements in
accordance with GAGAS.
hotlines, or other means) indicating that potential fraud, illegal acts,
or violations of provisions of contracts or grant agreements that could
materially affect the results of the attestation engagement exist,
auditors should apply the audit steps and procedures, as necessary, to (1)
determine if potential fraud, illegal acts, or violations of provisions of
contracts or grant agreements are likely to have occurred and, if so, (2)
determine their effect on the results of the attestation engagement.
Because the scope of review-level engagements is limited, auditors are not
expected to provide reasonable assurance of detecting potential fraud,
illegal acts, or violations of contract or grant agreements for these
types of engagements.
if during the course of the
engagement, auditors become aware of indications of abuse that could
be quantitatively or qualitatively material, auditors should apply
audit procedures specifically directed to ascertain whether material
abuse has occurred and the potential effect on the engagement subject
matter or objective. Based on the facts and circumstances, auditors
may find it helpful to identify specific risks, situations, or
transactions that are susceptible to abuse. In addition, auditors
remain alert throughout the engagement to situations or transactions
that could be indicative of abuse. However, because the determination
of abuse is subjective, auditors are not required to provide
reasonable assurance of detecting abuse.
acts and circumstances. Abuse
also includes misuse of authority or position for personal financial
interest or those of an immediate or close family member or business
partner. Abuse is distinct from fraud, illegal acts, or violations of
provisions of contracts or grant agreements in that abuse does not
necessarily involve violation of laws, regulations, or provisions of a
contract or grant agreement. If auditors encounter such situations,
they should assess the risk of whether these situations or
transactions could be indicative of qualitatively or quantitatively
material abuse. When information comes to the auditors' attention
(through attest procedures, allegations received through
a fraud hotline, or other means) indicating that material abuse may have
occurred, auditors should perform procedures as necessary to (1) determine
whether the abuse occurred and, if so, (2) determine its potential effect
on the results of the attestation engagement. Auditors assess both
qualitative and qualitative factors in making judgments regarding the
materiality of possible abuse.
6.22 In pursuing indications of potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations, and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report indications of certain types of potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing additional
audit procedures. In cases where an investigation is initiated or in
process, it may be appropriate for the auditors to withdraw from or defer
further work on the engagement or a portion of the engagement to avoid
interfering with an investigation.
Developing Elements of Findings for Attestation Engagements
6.23 When deficiencies are identified, auditors should plan audit
procedures to develop the elements of a finding necessary to achieve the
objectives of the attestation engagement. Attest findings, such as
deficiencies in internal control, potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
contain the elements of criteria, condition, cause, and effect. The
elements needed for a finding depend on the objectives of the attestation
engagement. Thus, a finding or set of findings is complete to the extent
that the objectives of the attestation engagement are satisfied. (See
paragraphs 6.49 through 6.53 for a description of deficiencies in internal
control and paragraph 6.51 for a description of the elements of a finding.
Attest Documentation
6.24 The auditor must prepare attest documentation in connection with each
engagement in sufficient detail to provide a clear understanding of the
work performed (including the nature, timing, extent, and results of
attest procedures performed), the attest evidence obtained and its source,
and the conclusions reached. Attest documentation:
a.
provides the principal support for the statement in the auditor's
report that the auditors performed the attestation engagement in
accordance with GAGAS and any other standards cited, and
b.
provides the principal support for the auditors' conclusion.
ernal or external
to the audit organization) who possesses the competencies and skills that
would have enabled him or her to perform the attestation engagement. These
competencies and skills include an understanding of (a) attestation
engagement processes, (b) GAGAS and applicable legal and regulatory
requirements, (c) the subject matter that the auditor is engaged to report
on, (d) the suitability and availability of criteria, and (e) issues
related to the audited entity's environment.
b.
the results of the attest procedures performed and the attest
evidence obtained,
c.
how the attest evidence relates to the attestation engagement's
conclusions, and
d.
the conclusions reached on significant matters.
6.27 In addition to the attest documentation requirements listed in the
previous paragraph, the auditor should document the following for
attestation engagements performed under GAGAS:
a.
the objectives, scope, and methodology of the attestation
engagement;
b.
evidence of supervisory review, before the attest report is
issued, of the work performed that supports findings, conclusions,
and recommendations contained in the attest report; and
c.
the auditors' consideration that the planned attestation
procedures are designed to achieve objectives of the attestation
engagement when (1) evidence obtained is highly dependent on
computerized information systems, (2) evidence is material to the
objective of the engagement, and (3) the auditors are not relying
on the effectiveness of internal control over those computerized
systems that produced the information. Auditors should document
(1) the rationale for determining the nature, timing, and extent
of planned audit procedures; (2) the kinds and competence of
available evidence produced outside a computerized information
system, and/or plans for direct testing of data produced from a
computerized information system; and (3) the effect on the
attestation engagement report if evidence to be gathered does not
afford a reasonable basis for achieving the objectives of the
engagement.
6.28 Auditors should document matters specific to a particular attestation
engagement in the attest documentation file. Certain matters, such as
auditor independence and staff training, that are not engagement specific,
may be documented either centrally in the audit organization or in the
documentation for the attestation engagement.
tent of attest documentation depend on the
circumstances of the engagement and the attest methodology and tools
used. Oral explanations on their own do not represent sufficient
support for the work the auditor performed or conclusions the auditor
reached but may be used by the auditor to clarify or explain
information contained in the attest documentation. It is, however,
neither necessary nor practicable to document every matter the auditor
considers during the attestation engagement.
reached. Judging the
significance of a finding or issue requires an objective analysis of
the facts and circumstances.
s not comply with applicable unconditional or
presumptively mandatory GAGAS requirements, the auditor should
document the justification for the departure, the impact on the audit,
and how alternative procedures performed in the circumstances were
sufficient to achieve the objectives of the requirements. The auditor
should also follow the requirements in paragraphs 1.13 through 1.15.
tutes, regulations, or the audit
organization's quality control policies may state a specific time in
which the assembly process should be completed.
original document that was previously faxed.
6.39 After the documentation completion date, the auditors must not delete
or discard attest documentation before the end of the specified retention
period, as discussed in paragraph 6.36. When auditor finds it necessary to
make an addition (including amendments) to attest documentation after the
documentation completion date, the auditor should document the addition by
including the following in the documentation:
a.
when and by whom such additions were made and where applicable
reviewed,
b.
the specific reasons for the changes, and
c.
the effect, if any, of the changes on the auditors' conclusions.
electronically, the audit organization should safeguard the
electronic documentation through sound computer security so that it is
capable of being accessed throughout the specified retention period
established for attest documentation.
ms of common
interest so that auditors may use others' work and avoid duplication
of efforts. Auditors should make appropriate audit staff and
individuals, as well as attest documentation available, upon request,
in a timely manner to other auditors or reviewers. It is also
essential that contractual arrangements for GAGAS attestation
engagements provide for full and timely access to audit staff and
individuals, as well as attest documentation without restriction to
facilitate reliance by other auditors or reviewers on the auditors'
work.
tempts to obtain indirectly through the auditor
information that it is unable to obtain directly from the audited
entity and how to respond to requests for access to audit
documentation before the attestation engagement is complete. The audit
organization should also include flexibility in its policies and
procedures to consider the individual facts and circumstances
surrounding such requests, for instance, cases when granting access or
providing certain information could adversely affect the audit
organization's ability to successfully perform similar attestation
engagements in the future.
AICPA Reporting Standards for Attestation Engagements
6.44 As discussed in paragraph 1.29, the AICPA SSAE provide for different
levels of reporting based on the type of assurance the auditors are
providing.88 The four AICPA reporting standards for all levels of
reporting under attestation engagements are as follows:
[AICPA is currently in the process of revising the reporting standardsto
use clarified language. GAO will monitor the status of AICPA's efforts in
order to include the most up-to-date AICPA standards in the final 2006
Revision of Government Auditing Standards.]
a.
The report shall identify the subject matter or the assertion
being reported on and state the character of the engagement.
b.
The report shall state the practitioner's [auditor's] conclusions
about the subject matter or the assertion in relation to the
criteria against which the subject matter was evaluated.
c.
The report shall state all of the practitioner's [auditor's]
significant reservations about the engagement, the subject matter,
and, if applicable, the assertion related thereto.
d.
The report shall state that the use of the report is restricted to
specified parties under the following circumstances:89 (1) when
the criteria used to evaluate the subject matter are determined by
the practitioner to be appropriate only for a limited number of
parties who either participated in their establishment or can be
presumed to have an adequate understanding of the criteria, (2)
when the criteria used to evaluate the subject matter are
available only to specified parties, (3) when reporting on subject
matter and a written
88 See AT sections 101.63 - 101.83. For application of this standard in
the government environment, see paragraphs 6.67 through 6.71.
assertion has not been provided by the responsible party, and (4) when the
report is on an attest engagement to apply agreed-upon procedures to the
subject matter.
Additional GAGAS Reporting Standards for Attestation Engagements
6.45 GAGAS establish reporting standards for attestation engagements in
addition to the requirements contained in the AICPA SSAE. Auditors should
comply with these additional standards when citing GAGAS in their
attestation engagement reports. The additional GAGAS standards relate to:
a.
reporting auditors' compliance with GAGAS (see paragraphs 6.46
through 6.48);
b.
reporting deficiencies in internal control, potential fraud,
illegal acts, violations of provisions of contracts or grant
agreements, or abuse (see paragraphs 6.50 through 6.57);
c.
reporting views of responsible officials (see paragraphs 6.58
through 6.63);
d.
reporting privileged and confidential information (see paragraphs
6.64 through 6.66); and
e.
issuing and distributing reports (see paragraphs 6.67 through
6.71).
Reporting Auditors' Compliance with GAGAS
ditors
have complied with all applicable GAGAS general and attestation
engagement standards,
including underlying AICPA standards. If the auditors did not follow
applicable standards, or were not able to follow applicable standards due
to access problems or other scope limitations, they should follow the
requirements in paragraphs 1.13 through
1.15.
6.48 GAGAS do not prohibit auditors from issuing a separate report
conforming only to the requirements of other standards. When a GAGAS
attestation engagement is the basis for an auditors' subsequent report
under the AICPA or other standards, auditors should consider including a
reference to the GAGAS report, as that report will contain additional
information on internal control, compliance with laws, regulations, and
provisions of contracts or grant agreements, potential fraud, or abuse
that GAGAS require.
Reporting Deficiencies in Internal Control, Potential Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, or Abuse
6.49 For attestation engagements, auditors should report, as applicable to
the objectives of the engagement, (1) deficiencies in internal control
considered to be material weaknesses or other significant deficiencies,
(2) all instances of potential fraud and illegal acts unless clearly
inconsequential, and (3) violations of provisions of contracts or grant
agreements or abuse that are material to the subject matter or assertion
of the engagement. In some circumstances, auditors should report potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse directly to parties external to the entity. (See
paragraphs 6.54 through 6.57.)
Reporting Deficiencies in Internal Control
6.50 For all attestation engagements, auditors should report deficiencies
in internal control considered to be significant deficiencies, including
material weaknesses, as follows:
a.
In attestation engagements, a significant deficiency is a
deficiency in internal control, or combination of deficiencies,
that adversely affects the entity's ability to initiate,
authorize, record, process, or report data reliably in accordance
with the applicable criteria or framework such that there is more
than a remote90 likelihood that a misstatement of the subject
matter or assertion that is more than inconsequential91 will not
be prevented or detected.
b.
In attestation engagements, a material weakness is a significant
deficiency, or combination of significant deficiencies, that
results in more than a remote likelihood that a material
misstatement will not be prevented or detected.
6.51 To the extent necessary to achieve the engagement objectives, in
presenting findings such as deficiencies in internal control, auditors
should develop the elements of criteria, condition, cause, and effect to
assist management or oversight officials of the audited entity in
understanding the need for taking corrective action. In addition, if
auditors are able to sufficiently develop the elements of a finding, they
should provide recommendations for corrective action. Following is
guidance for reporting on elements of findings:
a. Criteria: The required or desired state or what is expected from the
program or operation. The criteria are easier to understand when stated
fairly, explicitly, and
The term "more than remote" used in the definitions for significant
deficiency and material weakness means "at least reasonably possible." The
following definitions apply. (1) Remote-The chance of the future events or
their occurrence is slight. (2) Reasonably possible-The chance of the
future events or their occurrence is more than remote but less than
likely. (3) Probably-The future events are likely to occur.
91 "More than inconsequential" indicates an amount that is less than
material, yet has significance. A misstatement is "inconsequential" if a
reasonable, objective person would conclude that the misstatement, either
individually or when aggregated with other misstatements, would clearly be
immaterial to the financial statements. If a reasonable, objective person
could not reach such a conclusion, that misstatement is "more than
inconsequential."
completely, and the source of the criteria is identified in the
attestation engagement
report.92
b.
Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report
user to gain an accurate perspective.
c.
Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable
and convincing argument for why the stated cause is the key factor
or factors contributing to the difference as opposed to other
possible causes, such as poorly designed criteria or factors
uncontrollable by program management. The auditors also may
consider whether the identified cause could serve as a basis for
the recommendations. Often the causes of deficiencies in internal
control are complex and involve multiple factors. In some cases,
it may not be practical for auditors to fully develop or identify
the causes of deficiencies. However, analyzing and identifying
root causes of internal control deficiencies is key to making
recommendations for corrective action.
d.
Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the
auditors found (condition) and the required or desired state
(criteria). Effect is easier to understand when it is stated
clearly, concisely, and, if possible, in quantifiable terms. The
significance of the reported effect can be demonstrated through
credible evidence.
6.52 Auditors should place their findings in perspective by describing the
nature and extent of the issues being reported and the extent of the work
performed that resulted in the finding. To give the reader a basis for
judging the prevalence and consequences of
Common sources for criteria including laws, regulations, policies,
procedures, best or standard practices. The Standards for InternalControl
in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov.
1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool(GAO-01-1008G, Aug. 2001), based on
the federal internal control standards, provides a systematic, organized,
and structured approach to assessing internal control.
these findings, auditors may relate the instances identified to the
population or the number of cases examined and quantify the results in
terms of dollar value, as appropriate. If the results cannot be projected,
auditors should limit their conclusions appropriately.
6.53 When auditors detect deficiencies in internal control, potential
fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse that are not material to the subject matter or
assertion, they should communicate those findings in a management letter
to officials of the audited entity unless they are clearly inconsequential
considering both qualitative and quantitative factors. Auditors use
professional judgment in determining whether and how to communicate to
officials of the audited entity deficiencies in internal control,
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse that are clearly inconsequential. Auditors
should include in their attest documentation evidence of communications to
officials of the audited entity about potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse.
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of
Contracts or Grant Agreements, or Abuse
6.54 Auditors should report potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse directly to parties
outside the audited entity in two circumstances, as discussed below.93
This reporting is in addition to any legal requirements for direct
reporting of potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse. Auditors should follow these
requirements even if they have resigned or been dismissed from the
attestation engagement prior to its completion.
Internal audit organizations do not have a duty to report outside that
entity unless required by law, rule, regulation, or policy. See paragraph
3.19 for reporting requirements for internal audit organizations when
reporting externally.
ney general. When
auditors have communicated such potential fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to
the audited entity and the entity fails to report them, the auditors
should communicate such an awareness to the governing body of the
audited entity. When the audited entity does not make the required
report as soon as possible after the auditors' communication with the
those charged with governance, the auditors should report such
potential fraud, illegal acts, violations of provisions of contracts
or grant agreements, or abuse directly to the external party specified
in the law or regulation.
ps.
When auditors conclude that such failure is likely to cause them to
depart from the standard report on the attestation engagement or
resign from the engagement, they should communicate that conclusion to
those charged with governance. If the audited entity does not report
the potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse in a timely manner to the
entity that provided the government assistance, the auditors should
report the potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to the awarding
entity.
illegal acts,
violations of provisions of contracts or grant agreements, or abuse,
auditors should obtain and report the views of responsible officials
concerning the findings, conclusions, and recommendations, as well as
planned corrective actions.
complete, and objective is to provide a draft report for review and
comments by responsible officials of the audited entity and others, as
appropriate. Including the views of responsible officials results in a
report that presents not only the significant deficiencies in internal
control, potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse the auditors identified, but
also the perspectives of the responsible official of the audited
entity and the corrective actions they plan to take. Auditors should
include in their report a copy of the officials' written comments
and/or a summary of the comments received. In cases where the audited
entity provides technical comments in addition to its written comments
on the report, auditors use professional judgment in determining
whether to include such comments or disclose in the report that such
comments were provided.
ts. Obtaining oral
comments can be effective when, for example, there is a time-critical
reporting date to meet a user's needs; auditors have worked closely
with the responsible officials throughout the conduct of the work and
the parties are familiar with the findings and issues addressed in the
draft report; or the auditors do not expect major disagreements with
the draft report's findings, conclusions, and recommendations, or
perceive any major controversies with regard to the issues discussed
in the draft report. If oral
comments are provided by the responsible officials, auditors should
prepare a summary of the oral comments and provide a copy of the summary
to the responsible officials to verify that the comments are accurately
stated prior to finalizing the report.
lan for corrective action, but should not accept
them as justification for dropping a finding or a related
recommendation without sufficient and appropriate evidence.
corrective actions do not adequately address the
auditors' recommendations, the auditors should state objectively their
reasons for disagreeing with the comments or planned corrective
actions. Conversely, the auditors should modify their report as
necessary if they find the comments valid.
d or may be otherwise prohibited
from general disclosure by federal, state, or local laws or
regulations. In such circumstances, auditors may issue a separate,
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also
justify the exclusion of certain information in the report. For example,
detailed information related to computer security for a particular program
may be excluded from publicly available reports because of the potential
damage that could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official-use report containing
such information and distribute the report only to those parties
responsible for acting on the auditors' recommendations. The auditors may
consult with legal counsel regarding any requirements or other
circumstances that may necessitate the omission of certain information.
6.66 Auditors consider the broad public interest in the program or
activity under review when deciding whether to exclude certain information
from publicly available reports. When circumstances call for omission of
certain information, auditors should evaluate whether this omission could
distort the engagement results or conceal improper or unlawful practices.
Issuing and Distributing Reports
or
the engagement, including external funding organizations such as
legislative bodies, unless legal restrictions prevent it. Auditors
should also send copies of the reports to other officials who have
legal oversight authority or who may be responsible for acting on the
findings and recommendations and to others authorized to receive such
reports. Auditors should clarify whether the report will be made
available for public inspection. If the subject matter of the
attestation engagement involves material that is classified for
security purposes or not releasable to particular parties or the
public for other valid reasons, auditors may limit the report
distribution.94 Auditors should document any limitation on report
distribution.
res should contain a statement
indicating it is intended to be used solely by the parties who have
agreed upon such criteria or procedures, such a statement does not
necessarily limit the report distribution in a government environment.
GAGAS, they should clarify report distribution
responsibilities with the engaging organization. If nongovernment
auditors are to make the distribution, they should reach agreement
with the party contracting for the attestation engagement about which
officials or organizations should receive the report and the steps
being taken to make the report available to the public.
laws, rules, regulations, or policy.
tion engagement was terminated. In addition, depending on the
facts and circumstances, auditors should notify those charged with
governance, management of the entity, the entity requesting the
attestation engagement, and other appropriate officials, about the
termination of the engagement, preferably in writing. Auditors should
document this communication.
See paragraphs 6.64 through 6.66 for additional guidance on limited report
distribution when reports contain privileged or confidential information.
Chapter 7 Field Work Standards for Performance Audits
Introduction
documentation.
audits.
Significance in a Performance Audit
7.04 Auditors use the concept of significance95 throughout a performance
audit. Auditor consider significance when deciding the type and extent of
audit work to perform, when evaluating results of audit work, and when
developing the report. Significance is defined as the relative importance
of a matter within the context in which it is being considered, including
quantitative and qualitative factors. Such factors include relative
magnitude, the nature and effect of the matter, and the needs and
interests of intended users or recipients. Auditors use professional
judgment when considering whether a matter is
In the performance audit standards, the term "significant" is synonymous
with "material." "Material" is used in the AICPA standards for financial
audits. The term "significant" is used in performance audits where the
term "material" is generally not used.
significant within the context of the audit objectives. The auditors'
consideration is influenced by the relationship of the matter to the audit
objectives and the auditors' perception of the needs of users of the audit
reports.
7.05 When making judgments about significance within the context of the
audit objectives, auditors consider the quantitative or qualitative
factors that make it probable that the auditors' findings, conclusions or
recommendations would be affected by the matter if the matter had been
omitted from the auditors' analysis. When making judgments about
significance to the needs of report users, auditors consider whether it is
probable that the judgment of a reasonable person relying on the auditors'
report would have been changed or influenced if the matter was omitted
from the auditors' analysis and disclosed in the audit report. This
includes the probability that the matter would change or influence the
decisions of intended users of the auditors' report; or, as another
example, where the context is a judgment about whether to report a matter
to those charged with governance, whether the matter would be regarded as
important by those charged with governance in carrying out their duties.
When reporting on the results of their work, auditors should disclose
material or significant facts relevant to the objectives of their work and
known to them which, if not disclosed, could mislead knowledgeable users,
misrepresent the results, or conceal significant improper or unlawful
practices.
Audit Risk
7.06 Auditors must plan the audit so that the auditors reduce audit risk
to a level that is sufficiently low for the auditors to provide reasonable
assurance that the evidence is sufficient and appropriate to achieve the
audit objectives and support the conclusions reached. This determination
is a matter of professional judgment. Audit risk is the risk that auditors
may provide improper findings, conclusions, recommendations, or assurance
because, for example, the information obtained is not sufficient or not
appropriate, the audit process was inadequate, or intentional omissions or
misleading information existed due to misrepresentation or fraud. Factors
such as the time frames, complexity, or sensitivity of the work, size of
the program in terms of dollar amounts and number of citizens served, and
access to records are considered in the risk determination. Audit risk
involves qualitative and quantitative considerations. A component of audit
risk is the risk that auditors will not detect a mistake, inconsistency,
or significant error in the evidence supporting the audit. Auditors can
reduce the audit risk by using additional evidence, higher quality
evidence and/or alternative forms of evidence. When auditors cannot obtain
alternative forms of evidence, they should clearly describe the scope of
work and any limitations in the underlying information, so that (1)
readers of the auditors' report are provided with a clear understanding as
to what the auditors did or did not do and (2) the findings, conclusions
and recommendations are not misleading. In such cases, auditors should
also follow the guidance in paragraphs 1.06 through 1.15.
Sufficient, Appropriate Evidence
7.07 The concept of sufficient, appropriate evidence is integral to a
performance audit. Appropriateness is the measure of the quality of
information which encompasses its relevance, reliability, and validity in
providing support for achieving audit objectives. In assessing the overall
appropriateness of information, auditors should assess whether the
information is relevant, valid, and reliable. Sufficiency is a measure of
the quantity of evidence used to support the findings, conclusions, and
recommendations related to the audit objectives. In determining the
sufficiency of evidence, auditors should determine whether enough evidence
exists to persuade a knowledgeable person of the reasonableness of the
findings. Paragraphs 7.53 through 7.69 describe the auditors' assessment
of appropriateness and sufficiency of evidence.
Planning
the work
necessary to achieve the audit objectives.
elements
of the audit plan together, as the considerations in determining each
often overlap. Planning is a continuous process throughout the audit.
Therefore, auditors may need to make adjustments to the audit
objectives, scope, and methodology as work is being completed.
seek to answer based
on evidence obtained and assessed against criteria or best practices.
Auditors should also evaluate possible issues surrounding the
appropriateness of available information in planning the audit.
96
See discussion of the elements of a finding in paragraphs 7.36 through 7.37 and
paragraphs 7.70 through
7.73.
97
The term "program" is used in this document to include government
entities, organizations, programs, activities, and functions.
ssurance that the obtained
evidence is sufficient and appropriate to meet the audit's objectives.
the current audit objectives (see paragraph
7.35).
7.15 During planning, the auditors also should:
a.
identify the potential criteria needed to evaluate matters subject
to audit (see paragraph 7.36 through 7.37);
b.
identify potential sources of audit evidence and consider the
amount and type of evidence needed given risk and significance
(see paragraph 7.38 through 7.39);
c.
consider whether the work of other auditors and experts may be
used to satisfy some of the audit objectives (see paragraphs 7.40
through 7.42);
d.
assign sufficient staff and specialists with adequate collective
professional competence and identify other resources needed to
perform the audit (see paragraphs
7.43 through 7.44);
e.
communicate about planning and performance of the audit to
management officials, those charged with governance, and others as
applicable (see paragraphs 7.45 and 7.46); and
f.
prepare an audit plan (see paragraphs 7.47 through 7.48).
Nature and Profile of the Program
7.16 Auditors should obtain an understanding of the nature and profile of
the program or program component under audit and the potential use that
will be made of the audit results or report as they plan a performance
audit. The nature and profile of a program include:
a.
visibility, sensitivity, and risks associated with the program
under audit,
b.
newness of the program or changes in its conditions,
c.
the size of the program in terms of total dollars and/or number of
citizens impacted,
d.
role of the audit in providing information that can improve public
accountability and decision making (see paragraphs 1.01 and 1.02),
and
e.
level and extent of review or other forms of independent
oversight.
7.17 Auditors obtain an understanding of the program under audit to help
assess the risks associated with the program and the impact on the audit
objectives, scope and methodology. The auditors' understanding may come
from knowledge they already have about the program or knowledge they gain
from inquiries and observations they make in planning the audit. The
extent and breadth of those inquiries and observations will vary among
audits based on the audit objectives, as will the need to understand
individual aspects of the program, such as the following:
a.
Laws, regulations, and provisions of contracts or grant
agreements: Government programs usually are created by law and are
subject to specific laws and regulations. For example, laws and
regulations usually set forth what is to be done, who is to do it,
the purpose to be achieved, the population to be served, and
related funding guidelines or restrictions. Government programs
may also be subject to provisions of contracts and grant
agreements. Thus, understanding the laws and the legislative
history establishing a program and the provisions of any contracts
or grant agreements can be essential to understanding the program
itself. Obtaining that understanding is also a necessary step in
identifying provisions of laws, regulations, contracts, or grant
agreements that are significant within the context of the audit
objectives.
b.
Purpose and goals: Purpose is the result or effect that is
intended or desired from a program's operation. Legislatures
usually establish the program purpose when they provide authority
for the program. Entity officials may provide more detailed
information on program purpose to supplement the authorizing
legislation. Entity officials are sometimes asked to set goals for
program performance and operations,
including both output and outcome goals. Auditors may use the stated
program purpose and goals as criteria for assessing program performance or
may develop additional criteria or best practices to use when assessing
performance.
c.
Internal control: Internal control, often referred to as
management controls, in the broadest sense includes the plan,
methods, and procedures adopted by management to meet its
missions, goals, and objectives. Internal control includes the
processes for planning, organizing, directing, and controlling
program operations. It includes the systems for measuring,
reporting, and monitoring program performance. Internal control
also serves as a defense in safeguarding assets and preventing and
detecting errors; potential fraud; violations of laws,
regulations, and provisions of contracts and grant agreements; or
abuse. Paragraphs 7.18 through 7.24 contain guidance pertaining to
internal control.
d.
Efforts: Efforts are the amount of resources (in terms of money,
material, personnel, etc.) that are put into a program. These
resources may come from within or outside the entity operating the
program. Measures of efforts can have a number of dimensions, such
as cost, timing, and quality. Examples of measures of efforts are
dollars, employee-hours, and square feet of building space.
e.
Program operations: Program operations are the strategies,
processes, and activities management uses to convert efforts into
outputs. Program operations are subject to internal control.
f.
Outputs: Outputs represent the quantity of goods or services
produced by a program. For example, an output measure for a job
training program could be the number of persons completing
training, and an output measure for an aviation safety inspection
program could be the number of safety inspections completed.
g.
Outcomes: Outcomes are accomplishments or results of programs. For
example, an outcome measure for a job training program could be
the percentage of trained persons
obtaining a job and still in the work place after a specified period of
time. Examples of outcome measures for an aviation safety inspection
program could be the percentage reduction in safety problems found in
subsequent inspections and/or the percentage of problems deemed corrected
in follow-up inspections. Such outcome measures show progress in achieving
the stated program purposes of helping unemployable citizens obtain and
retain jobs, and improving the safety of aviation operations. Outcomes may
be influenced by cultural, economic, physical, or technological factors
outside the program. Auditors may use approaches drawn from other
disciplines, such as program evaluation, to isolate the effects of the
program from these other influences. An especially important type of
outcome is unexpected effects which may be negative such as adverse drug
reactions, or positive such as increased private investment in an area of
service.
Internal Control
7.18 Auditors should obtain an understanding of internal control
significant within the context of the audit objectives. For those internal
control objectives that are significant within the context of the audit
objectives, auditors should assess whether specific internal control
procedures have been properly designed and placed in operation and conduct
specific tests of the effectiveness of the internal control procedures.
Based on the test results and the auditors' assessment, the auditors
consider whether to modify the nature, timing, or extent of their audit
procedures.98 Officials of the audited entity are responsible for
establishing effective internal control. The lack of administrative
Refer to the internal control guidance contained in Internal
Control--Integrated Framework, published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). As discussed in the COSO
framework, internal control consists of five interrelated components,
which are (1) control environment, (2) risk assessment, (3) control
activities, (4) information and communication, and (5) monitoring. The
objectives of internal control relate to (1) financial reporting, (2)
operations, and (3) compliance. Safeguarding of assets is a subset of
these objectives. In that respect, management designs internal control to
provide reasonable assurance that unauthorized acquisition, use, or
disposition of assets will be prevented or timely detected and corrected.
In addition to the COSO document, the publication, Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999), which incorporates the relevant guidance developed by COSO,
provides definitions and fundamental concepts pertaining to internal
control at the federal level and may be useful to other auditors at any
level of government. The related Internal Control Management and
Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based on the
federal internal control standards, provides a systematic, organized, and
structured approach to assessing the internal control structure.
continuity in government units because of changes in elected legislative
bodies and in other government officials increases the need for effective
internal control.
7.19 The following discussion of the principal types of internal control
objectives is intended to help auditors better understand internal
controls and determine their significance to the audit objectives:
a.
Effectiveness and efficiency of program operations: Controls over
program operations include policies and procedures that officials
of the audited entity have implemented to provide reasonable
assurance that a program meets its objectives and that unintended
actions do not result. Understanding these controls can help
auditors understand the program operations that convert efforts to
outputs or outcomes.
b.
Validity and reliability of information: Controls over the
validity and reliability of information include policies and
procedures that officials of the audited entity have implemented
to provide themselves reasonable assurance that operational
information they use and report is valid and reliable and fairly
disclosed in reports. These controls help assure management that
it is getting valid and reliable information about whether
programs are operating properly on an ongoing basis. Understanding
these controls can help auditors (1) assess the risk that the
information gathered by the entity may not be valid or reliable
and (2) design appropriate tests of the information considering
the audit objectives.
c.
Compliance with applicable laws and regulations and provisions of
contracts or grant agreements: Controls over compliance include
policies and procedures that officials of the audited entity have
implemented to provide reasonable assurance that program
implementation is consistent with laws, regulations, and
provisions of contracts or grant agreements. Understanding the
relevant controls concerning compliance with those laws and
regulations and provisions of contracts or grant agreements that
the auditors have
determined are significant can help auditors assess the risk of illegal
acts,99 violations of provisions of contracts or grant agreements, or
abuse.
ed acquisition, use, or disposition of
assets and resources.
ort their assessment about the
effectiveness of those controls. (See paragraph 1.39 for examples of
internal control objectives.)
igned
functions, to prevent or detect (1) impairments of effectiveness or
efficiency of operations (2) misstatements in financial or performance
99
Violations of laws or regulations are illegal acts.
100
The term "internal control" in this document is synonymous with the term
management control and, unless otherwise stated, covers all aspects of an
entity`s operations (programmatic, financial, and compliance).
information, or (3) violations of laws and regulations, on a timely basis.
7.24 Internal auditing is an important part of overall governance,
accountability, and internal control.101 A key role of many internal audit
organizations is to provide assurance that internal controls in place are
adequate to mitigate risks and achieve program goals and objectives. When
an assessment of internal control is called for, the work of the internal
auditors may be used in assessing whether internal controls are
effectively designed and functioning properly, and to prevent duplication
of effort.
Information Systems Controls
jectives and scope of audit (see paragraphs 7.18 through 7.24), or
as a separate audit objective or audit procedure, depending on the
nature of the audit. Depending on the significance of information
systems controls to the audit objectives, the extent of audit
procedures to obtain such an understanding may be limited or
extensive. In addition, the nature and extent of audit risk is
impacted by the nature of the hardware and software used, the
configuration of the entity's systems and networks, and the entity's
information systems strategy, and the significance of information
systems controls to the audit objectives.
ness of information systems controls in order to obtain
101
Many government entities have these activities identified by other names,
such as inspection, appraisal, investigation, organization and methods, or
management analysis. These activities assist management by reviewing
selected functions.
102
Information systems controls consist of those internal controls that are
dependent on information systems processing.
sufficient, appropriate evidence, then such information systems controls
are significant to the audit. In making this determination, auditors
consider the following:
a.
The extent to which internal controls that are significant to the
audit are processed by information systems or are dependent on the
reliability of information generated by information systems. As
part of assessing the effectiveness of such controls, auditors
also should assess the effectiveness of information systems
controls that impact the effectiveness of controls that are
significant to the audit.
b.
The availability of other evidence to support the findings,
conclusions, and recommendations. It may not be possible for
auditors to obtain sufficient, appropriate evidence without
assessing the effectiveness of relevant information systems
controls. For example, if information supporting the findings,
conclusions, and recommendations is generated by information
systems or its reliability is dependent on information systems
controls there may not be sufficient supporting or corroborating
information or documentary evidence that is available other than
that produced by the information systems.
c.
The relationship of information systems controls to data
reliability testing. To obtain evidence about the reliability of
computer-generated information, auditors may elect to assess the
effectiveness of information systems controls as part of testing
the reliability of the data. If information systems controls are
determined to be effective, the extent of direct testing of
supporting documentation may be reduced.
d.
Assessing the effectiveness of information systems controls as an
audit objective. When assessing the effectiveness of information
systems controls is directly a part of an audit objective,
auditors should perform the testing of information systems
controls necessary to achieve the audit objectives. For example,
the audit may involve the effectiveness of information systems
controls related to certain systems, facilities, or organizations.
7.27 If information systems controls are considered to be significant to
the audit, auditors should assess the effectiveness of such significant
controls, including other information systems controls that impact their
effectiveness or the reliability of information used in performing the
significant control. Generally, if information systems controls are
considered significant to the audit, the auditors' assessment of the
effectiveness of information systems controls will include both
application controls and general controls, because weaknesses in general
controls can result in unauthorized changes to applications and data that
can circumvent or impair the effectiveness of application controls.
Application controls, sometimes referred to as business process controls,
are those controls that help ensure the validity, completeness, accuracy,
and confidentiality of transactions and data during application
processing. Examples of application controls include controls over input,
processing, output, master data, application interfaces, and data
management system interfaces. Information systems general controls are the
policies and procedures that apply to all or a large segment of an
entity's information systems and help ensure their proper operation.
Examples of general controls include security management, logical and
physical access, configuration management, segregation of duties, and
contingency planning. Weaknesses in general controls can result in
unauthorized changes to applications and data that can circumvent or
impair the effectiveness of application controls.
Legal and Regulatory Requirements, Contract Provisions, or Grant
Agreements, Potential Fraud, or Abuse
7.28 In pursuing indications of possible fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse, auditors should
avoid interfering with potential investigations, and/or legal proceedings.
In some circumstances, laws, regulations, or policies require auditors to
report and/or refer indications of certain types of fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse to law
enforcement or investigatory authorities before performing procedures. In
cases where an investigation is initiated or in process, it may be
appropriate for auditors to withdraw from or defer further work on the
audit or a portion of the audit in order not to interfere with an
investigation.
Legal and Regulatory Requirements, Contracts, and Grants
are significant within the context of
the audit objectives and assess the risk that illegal acts or
violations of provisions of contracts or grant agreements could occur.
Based on that risk assessment, the auditors should design and perform
procedures to provide reasonable assurance of detecting instances of
illegal acts or violations of provisions of contracts or grant
agreements that are significant within the context of the audit
objectives.
ndividuals' incentives
or pressures to commit fraud, the opportunity for fraud to occur,
Fraud is a type of illegal act involving the obtaining something of value
through willful misrepresentation. Whether an act is, in fact, fraud is a
determination to be made through the judicial or other adjudicative system
and is beyond auditors` professional expertise and responsibility.
and rationalizations or attitudes that could allow individuals to commit
fraud. Auditors gather and assess information necessary to identify
potential fraud risks that are within the scope of the audit objectives or
could affect the results of their audit. For example, auditors may obtain
information through discussion with officials of the audited entity or
through other means to determine the susceptibility of the program to
potential fraud, the status of internal controls the entity has
established to detect and prevent fraud, or the risk that officials of the
audited entity could override internal control. An attitude of
professional skepticism in assessing these risks will assist auditors in
determining which factors or risks could significantly impact the audit
objectives and/or the audit procedures needed to answer the audit
objectives if fraud has occurred or is likely to have occurred.
ud
that they believe are significant within the context of the audit
objectives, they should design procedures to provide reasonable
assurance of detecting potential fraud significant within the context
of the audit objectives. Assessing the risk of potential fraud is an
ongoing process throughout the audit and relates not only to planning
the audit but also to evaluating evidence obtained during the audit.
urisdiction over such matters.
Abuse
7.34 Abuse involves behavior that is deficient or improper when compared
with behavior that a prudent person would consider reasonable and
necessary business practice given the facts and circumstances.104 Abuse
also includes misuse of authority or position for personal financial
interests or those of an immediate or close family member or business
partner. Abuse is distinct from fraud, illegal acts, or violations of
provisions of contracts or grant agreements in that abuse does not
necessarily involve violation of laws, regulations, or provisions of a
contract or grant agreement. If during the course of the audit, auditors
become aware of indications of abuse that could be quantitatively or
qualitatively significant to the program under audit, auditors should
apply audit procedures specifically directed to ascertain whether
significant abuse has occurred and the potential effect within the context
of the audit objectives. Based on the facts and circumstances, auditors
may find it helpful to identify specific risks or situations that are
susceptible to abuse. In addition, auditors remain alert throughout the
audit to situations that could be indicative of abuse. When information
comes to the auditors' attention (through audit procedures, allegations
received through a fraud hotline, or other means) indicating that
significant abuse may have occurred, they should perform audit procedures,
as necessary, to (1) determine whether the abuse occurred and, if so, (2)
determine its potential effect on the audit findings. If the abuse is not
significant within the context of the audit objectives, the auditors
should consider whether to expand the scope of the current audit, conduct
additional audit work as a separate engagement, or refer the potential
abuse to other parties with oversight responsibility or jurisdiction over
such matters. Auditors assess both quantitative and qualitative factors in
making judgments regarding the significance of possible abuse and whether
they need to extend the audit steps and procedures. However, because of
the subjectivity involved in determining abuse, auditors are not required
to provide reasonable assurance of detecting abuse.
For example, in a performance audit of management`s efficient use of funds
for office building maintenance, auditors might find abuse if renovation
of senior management`s offices far exceed usual office space
specifications. While auditors might not view the renovation costs as
quantitatively significant to the audit results, these expenses could be
considered qualitatively significant to this audit objective.
Previous Audits and Attestation Engagements
7.35 Auditors should determine whether the results of previous audits and
attestation engagements that directly relate to the audit objectives have
an impact on the current engagement, including whether recommendations
have been implemented. Auditors should identify previous financial audits,
attestation engagements, performance audits, or other studies significant
within the context of the audit objectives and ask management of the
audited entity to identify corrective actions taken to address relevant
findings, conclusions and recommendations.
Identifying Audit Criteria
7.36 Auditors should identify audit criteria including the standards,
measures, expectations of what should exist, best practices, and
benchmarks against which performance is compared or evaluated. Criteria
provide a context for evaluating evidence and understanding the findings,
conclusions, and recommendations included in the report. Auditors should
use criteria that are objective, measurable, complete, and relevant to the
objectives of the performance audit.
a.
Objectivity -free from bias.
b.
Measurability -permit reasonably consistent assessments,
qualitative105 or quantitative, of subject matter.
c.
Completeness -include relevant factors that could change a
conclusion about the subject matter
d.
Relevant -related to the subject matter.
Qualitative assessments can include expert judgment and reasonableness
judgments about program performance, for example, whether program
objectives reflect the needs of targeted beneficiaries and whether program
performance adequately meets objectives.
7.37 The following are some examples of possible criteria:
a.
purpose or goals prescribed by law or regulation or set by
officials of the audited entity,
b.
policies and procedures established by officials of the audited
entity,
c.
technically developed standards or norms,
d.
expert opinions,
e.
prior periods' performance,
f.
performance of similar entities,
g.
performance in the private sector, or
h.
best practices of leading organizations.
Identifying Sources of Audit Evidence and the Amount and Type of Evidence
Required
they should consider revising the
audit objectives or modifying the scope and methodology and determine
alternative procedures to meet the current audit objectives. Auditors
should disclose in the audit report revisions made to the audit
objectives due to the lack of sufficient, appropriate evidence.
Auditors should also evaluate whether the
lack of sufficient, appropriate evidence is due to internal control
deficiencies or other program weaknesses, and whether the lack of
sufficient, appropriate evidence is the basis for audit findings. (See
paragraphs 7.53 through 7.69 for standards concerning evidence.
Considering Work of Others
rk of the other auditors to support findings, recommendations
or conclusions for the current audit and thereby, avoid duplication of
audit efforts. If auditors rely on the work of other auditors, they
should perform procedures regarding the specific work to be relied on
that provide a sufficient basis for that reliance. Auditors should
obtain evidence concerning the other auditors' qualifications and
independence and should determine whether the scope and quality of the
audit work performed by the other auditors is adequate for reliance in
the context of the current audit objectives. Auditors can accomplish
this by reviewing the report, audit plan, or audit documentation, or
by performing supplemental tests of the other auditors' work. The
nature and extent of evidence needed will depend on the significance
of the other auditors' work, on the extent to which the auditors will
rely on that work, and whether auditors plan to refer to that work in
their work.
ain an understanding of the qualifications of
the specialists. (See paragraph 3.05 for independence considerations when
relying on the work of others.) Auditors consider the following in
evaluating the professional qualifications of the specialist:
a.
the professional certification, license, or other recognition of
the competence of the specialist in his or her field, as
appropriate;
b.
the reputation and standing of the specialist in the views of
peers and others familiar with the specialist's capability or
performance; and
c.
the specialist's experience and published work in the subject
matter.
Assigning Staff and Other Resources
7.43 Audit management should assign sufficient staff and specialists with
adequate collective professional competence to perform the audit. Staffing
an audit includes, among other things:
a.
assigning staff and specialists with the appropriate collective
knowledge, skills, and experience for the job;
b.
assigning an adequate number of staff and supervisors to the
audit;
c.
providing for on-the-job training of staff; and
d.
engaging specialists when necessary.
See paragraph 3.51 for a discussion of using specialists in a GAGAS audit.
7.44 If planning to use the work of a specialist, auditors should
determine and articulate nature and scope of the work to be performed by
the specialist, including
a.
the objectives and scope of the specialist's work;
b.
the intended use of the specialist's work to support the audit
objectives;
c.
documentation of the specialist's procedures and findings so they
can be evaluated and related to other planned audit procedures;
d.
the assumptions and methods used; and
e.
a comparison of how the methods and assumptions used compare with
those used in prior, related work.
Communicating with Management, Those Charged with Governance, and Others
7.45 Auditors should communicate information about the objectives, scope
and methodology, and timing of the performance audit and planned reporting
to the following individuals:
a.
the head of the audited entity;
b.
those charged with governance;107
c.
the individual who possesses a sufficient level of authority and
responsibility to
Those charged with governance are those responsible for overseeing the
strategic direction of the entity and the entity's fulfillment of its
accountability obligations. In situations in which those charged with
governance are not clearly evident, the auditor documents the process
followed and conclusions reached for identifying those charged with
governance. (See appendix paragraphs A1.02 through A1.05.)
implement corrective actions in the program or activity being audited; and
d. the individuals contracting for or requesting audit services, such as
contracting officials or legislative members or staff, if applicable.
7.46 Auditors use professional judgment to determine the form, content,
and frequency of the communication, although written communication is
preferred. Auditors may use an engagement letter to communicate the
information. If an audit is terminated before it is completed, auditors
should write a memorandum for the audit documentation that summarizes the
results of the work and explains the reasons why the audit was terminated.
In addition, depending on the facts and circumstances, auditors should
consider the need to communicate the reason for terminating the audit to
those charged with governance, management of the audited entity, the
entity requesting the audit, and other appropriate officials, preferably
in writing.
Preparing the Audit Plan
egy, audit program or project plan, a
memorandum, design matrix or paper, or other appropriate documentation
of key decisions about the audit objectives, scope, and methodology
and of the auditors' basis for those decisions. Auditors should update
the plan, as necessary, to reflect any significant changes to the plan
made during the audit.
audit objectives and
follow applicable standards. Audit supervisors should stay informed
about significant problems encountered, review the work performed, and
provide effective on-the-job training.
to be conducted,
and what the work is expected to accomplish. With experienced staff,
supervisors may outline the scope of the work and leave details to the
staff. With less experienced staff, supervisors may have to specify
audit procedures to be performed as well as techniques for gathering
and analyzing data.
to assess sufficiency and appropriateness may
likewise vary widely. For example, in establishing the appropriateness
of evidence, auditors may test the reliability by obtaining supporting
information, using statistical testing or by obtaining corroborating
evidence. Auditors consider the concepts of audit risk and
significance in evaluating the audit evidence.
s to the extent to which the information has a
logical relationship with, and importance to, the issue being
addressed.
b.
Validity refers to how well the information actually represents
what the auditors are trying to evaluate.
c.
Reliability refers to the consistency of results achieved and
includes the concepts of being verifiable or supported.
7.57 To assess the appropriateness of information, auditors consider the
different types of information and the source of the information. Evidence
may be obtained by observation, inquiry, or inspection. Each type of
evidence109 has its own strengths and weaknesses. The following contrasts
are useful in judging the appropriateness of information. In each
contrast, the first item generally provides a higher quality of evidence.
However, these contrasts are not to be considered adequate in themselves
to determine appropriateness. The nature and types of evidence required to
support auditors' findings, conclusions, and recommendations is a matter
of the auditors' professional judgment based on the audit objectives.
a.
Evidence obtained when internal control is effective versus
information obtained when internal control is weak or nonexistent.
b.
Information obtained through the auditors' direct physical
examination, observation, computation, and inspection versus
information obtained indirectly.
c.
Examination of original documents versus copies.
d.
Testimonial information obtained under conditions where persons
may speak freely versus information obtained where the persons may
be intimidated given the circumstances.
e.
Testimonial information obtained from an individual who is not
biased and has direct knowledge about the area versus testimonial
information obtained from an individual who is biased or has
indirect or partial knowledge about the area.
f.
Information obtained from a knowledgeable, credible, and unbiased
third party versus from management or other officials of the
audited entity.
See appendix paragraph A7.02 for additional guidance regarding the types
of evidence.
s generally self-reported information that is
frequently used to obtain information about existing conditions or
programs. Auditors should evaluate the objectivity, credibility, and
reliability of the self-reported information as well as the survey
design and administration.
ion that is most
appropriate will depend on the audit objectives. For example, when a
representative sample is appropriate, the use of statistical sampling
approaches would result in stronger evidence than that obtained from
non-statistical techniques. In cases where a representative sample is
not appropriate, a targeted selection may be more effective if the
auditors have isolated certain risk factors or other criteria used to
target the selection.
rk are current,
auditors may be able to use the work to
reduce their audit procedures if, based on testing the work done by agency
officials, the data is sufficient and appropriate, in combination with
other evidence.
7.62 When computer-processed information is used to support findings,
conclusions, and recommendations, auditors should perform procedures for
assessing the appropriateness of the information. Auditors should assess
the sufficiency and appropriateness of this type of data regardless of
whether computer-processed information is provided to auditors or auditors
independently extract them. The nature, timing and extent of audit
procedures to assess sufficiency and appropriateness is affected by the
effectiveness of the entity's internal controls over the information,
including information system controls, and the significance of the
information and the level of detail presented in the auditors' findings,
conclusions, and recommendations in light of the audit objectives. Audit
procedures to evaluate the effectiveness of selected system controls
includes (1) gaining a detailed understanding of the system as it relates
to the information and (2) identifying and evaluating the general controls
and application controls that are critical to ensuring the reliability of
the information required for the audit.
The nature and extent of audit procedures to evaluate the effectiveness of
information system controls will vary based on the following:
a.
the extent to which the information systems controls are
significant to the auditors' overall assessment of appropriateness
of information; and
b.
the availability of other evidence to support the auditors'
findings, conclusions, and recommendations.
Sufficiency
7.63 Sufficiency is a measure of the quantity of evidence used to support
the findings, conclusions, and recommendations related to the audit
objectives. Sufficiency is also dependent on the appropriateness of the
evidence. In determining the sufficiency of evidence, auditors should
determine whether enough evidence exists to support the findings,
conclusions, and recommendations.
7.64 The following presumptions are useful in judging the sufficiency of
evidence. The sufficiency of evidence required to support the auditors'
findings, conclusions, and recommendations is a matter of the auditors'
professional judgment.
a.
The greater the audit risk, the greater the quantity of evidence
required.
b.
Stronger evidence may allow less evidence to be used. The
appropriateness test (see
7.56 through 7.62) is closely interrelated with decisions about
sufficiency.
c. Having a large volume of audit evidence does not compensate for a lack
of relevance, validity and/or reliability.
Overall Assessment of Evidence
he objectives of the audit. Professional
judgments about the sufficiency and appropriateness of evidence are
closely intertwined, as auditors interpret the results of audit
testing and evaluate whether the nature and extent of the evidence
obtained is sufficient and appropriate given the audit objectives.
Auditors perform an overall assessment of the collective evidence used
to support findings, conclusions, or recommendations. This overall
assessment also includes the results of any specific assessments
conducted to conclude on the validity and reliability of specific
evidence.
(3) of undetermined sufficiency and appropriateness in relation to
the audit objectives. Auditors consider sufficiency and
appropriateness in the context of the findings, conclusions, and
recommendations. For example, even though the auditors may have
some uncertainty about the sufficiency or appropriateness of the
evidence, the auditors may nonetheless determine that there is
sufficient and appropriate evidence given the findings,
conclusions, or recommendations. (See paragraph 7.77 through 7.92
for documentation requirements.)
a.
Evidence is considered to be sufficient and appropriate when using
the evidence provides the basis for an analysis that achieves the
audit objectives and provides a reasonable basis for their
findings, conclusions, or recommendations.
b.
Evidence is considered to be not sufficient and appropriate when
(1) using the evidence carries an unacceptably high risk that it
could lead to an incorrect or improper conclusion or (2) the
information has significant or potentially significant
limitations, given the objectives and intended use of the
information.
c.
Evidence is considered to be of undetermined sufficiency and
appropriateness when
(1)
the auditors do not have an adequate basis to conclude whether it
achieves the audit objectives and provides a reasonable basis for
the findings, conclusions, and recommendations or (2) the
information has significant or potentially significant limitations
of unknown impact, given the objectives and the intended use.
es so
that the evidence is sufficient and appropriate;
b.
clearly indicating in the report the limitations of the
information, while refraining from using the information to make
unwarranted findings, conclusions or recommendations, and
considering whether to report the limitations of the information
as an audit finding; or
c.
redefining the audit objectives or limiting the audit scope to
eliminate the need to use the information and fully disclosing in
the audit report revisions made to the audit objectives due to the
lack of sufficient, appropriate evidence.
7.69 How the use of information of undetermined sufficiency and
appropriateness affects the auditors' report depends on the significance
of the information to the auditors' findings, conclusions, or
recommendations in light of the audit objectives. For example, auditors
may use such information to provide background information. In cases where
auditors use information of undetermined sufficiency and appropriateness
to support audit findings conclusions, or recommendations, auditors should
fully disclose the fact that such information is being used, assess the
impact of using such information, and use professional judgment to
determine whether and to what extent to qualify the audit findings and
conclusions. Auditors use professional judgment in determining the impact
on the audit objectives and compliance with GAGAS. (See paragraphs 1.13
through 1.15.)
Audit Findings
e extent
that the audit objectives are satisfied and the report clearly relates
those objectives to the elements of a finding. Audit findings often
have been regarded as containing the elements of criteria, condition,
cause, and effect. Criteria are discussed in paragraph 7.36 through
7.37, and the other elements of a finding--condition, effect, and
cause--are discussed in the following paragraphs:
eria identified in the audit, "effect" is a measure of those
consequences. Auditors often use effect or potential effect to
demonstrate the need for corrective action in response to identified
problems or risks. When the auditors' objectives include estimating
the extent to which a program has caused changes in physical, social,
or economic conditions, "effect" is a measure of the impact achieved
by the program. In this case, effect is the extent to which positive
or negative changes in actual physical, social, or economic conditions
can be identified and attributed to program operations.
as the cause. When the auditors' objectives
include estimating the program's effect on changes in physical, social, or
economic conditions, auditors seek evidence of the extent to which the
program itself is the "cause" of those changes. Auditors may identify
deficiencies in internal control that are significant to the subject
matter of the performance audit as the cause of deficient performance. In
reporting this type of finding, the deficiencies in internal control would
be described as the "cause." Often the causes of deficiencies in internal
control are complex and involve multiple factors, including fundamental,
systemic root causes. In some cases, it may not be practical or possible
for auditors to fully develop or identify the causes of deficiencies.
However, analyzing and identifying root cause of deficiencies is key to
making recommendations for corrective actions.
Audit Documentation
7.74 The auditor must prepare audit documentation in connection with each
engagement in sufficient detail to provide a clear understanding of the
work performed (including the nature, timing, extent, and results of audit
procedures performed), the audit evidence obtained and its source, and the
conclusions reached. Audit documentation:
a.
provides the principal support for the statement in the auditors'
report that the auditors performed the audit in accordance with
GAGAS and any other standards cited, and
b.
provides the principal support for the auditors' conclusions.
sufficient and appropriate documentation contributes to the
quality of an audit.
b.
the auditors' risk assessment;
c.
the auditors' determination that certain standards did not apply
or that an applicable standard was not followed, the reasons
supporting their determinations, and the known effect that not
following the applicable standard had, or could have had, on the
audit;
An experienced auditor means an individual (whether internal or external
to the audit organization) who possesses the competencies and skills that
would have enabled him or her to perform the performance audit. These
competencies and skills include an understanding of (a) the performance
audit processes, (b) GAGAS and applicable legal and regulatory
requirements, and (c) the subject matter associated with achieving the
audit objectives.
d.
the work performed to support significant judgments, findings,
conclusions and recommendations, including descriptions of
transactions and records examined;111
e.
evidence of supervisory reviews, before the audit report is
issued, of the work performed that supports findings, conclusions,
and recommendations contained in the audit report;
f.
work performed as part of the appropriateness assessment,
including the following items, as applicable: testing, information
review, analysis, and knowledge gained related to the quality of
the information;
g.
decisions made during the overall assessment of evidence,
including the auditors' final assessment of whether the
information is sufficient and appropriate for the purposes of the
audit;
h.
communications with management and others;
i.
evidence of communications about deficiencies in internal control
found during the audit;
j.
evidence of communications to officials of the audited entity
about instances of potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse;
k.
the availability of the report for public inspection; and
Auditors may meet this requirement by listing file numbers, case numbers,
or other means of identifying specific documents they examined. They are
not required to include copies of documents they examined as part of the
audit documentation, nor are they required to list detailed information
from those documents.
l. if the audit does not result in a report, a memorandum for the record
that summarizes the results of the work and explains the reason the audit
was terminated, and any communications regarding the termination of the
audit.
file for the specific audit.
d others, including the significant findings
or issues discussed, and when and with whom the discussions took
place.
ontradiction or inconsistency was addressed in forming the
conclusion.
ould also follow the requirements in
paragraphs 1.13 through 1.15.
at the auditors
may use others' work and avoid duplication of effort. Auditors should
make appropriate audit staff and individuals, as well as audit
documentation available, upon request, in a timely manner to other
auditors or reviewers. It is also essential that contractual
arrangements for GAGAS audits provide for full and timely access to
audit staff and individuals, as well as audit documentation to
facilitate reliance by other auditors or reviewers on the auditors'
work.
rectly from the audited
entity and how to respond to requests for access to audit documentation
before the audit is complete. The audit organization should also include
flexibility in its policies and procedures to consider the individual
facts and circumstances surrounding a request, for instance, cases when
granting access or providing certain information would serve to adversely
affect the ability of the audit organization to successfully perform
similar audits in the future.
, and agreed with relevant members
of the audit team prior to the date of the audit report,
b.
perform routine file-assembling procedures such as deleting or
discarding superseded documentation and sorting, collating, and
cross-referencing final audit documentation,
c.
sign-off on file completion checklists prior to completing and
archiving the audit file, and
d.
add information received after the date of the report, for
example, an original document that was previously faxed.
7.91 After the documentation completion date, the auditors should not
delete or discard audit documentation before the end of the specified
retention period, as discussed above in paragraph 7.88. When the auditor
finds it necessary to make an addition (including amendments) to audit
documentation after the documentation completion date, the auditor should
document the addition by including the following in the documentation:
a.
when and by whom such additions were made and, where applicable,
reviewed,
b.
an audit trail that clearly shows the specific changes,
c.
the specific reasons for the changes, and
d.
the effect, if any, of the changes on the auditors' conclusions.
7.92 Whether audit documentation is in paper, electronic, or other media,
the integrity, accessibility, and retrievability of the underlying data
may be compromised if the documentation could be altered, added to, or
deleted without the auditors' knowledge, or if the documentation could be
permanently lost or damaged. Accordingly, auditors should apply
appropriate controls to protect audit documentation from alteration,
destruction, and unauthorized access.
Chapter 8 Reporting Standards for Performance Audits
Introduction
hat are retrievable by report users and
the audit organization, such as video or compact disc formats. The
users' needs, likely demand, and distribution will influence the form
of the audit report used. In addition to a more traditional
presentation of audit results, such as a chapter report or a letter
report, briefing slides and/or other presentation materials that are
complete and retrievable are considered to be audit reports.
Regardless of form, auditors should comply with all applicable
reporting standards.
.07 Auditors should prepare audit reports which include (1) the
objectives, scope, and methodology of the audit; (2) the audit results,
including findings, conclusions, and recommendations, as appropriate; (3)
a reference to compliance with generally accepted government auditing
standards; (4) the views of responsible officials; and (5) if applicable,
the nature of any privileged and confidential information omitted.
Objectives, Scope, and Methodology
ted audit objectives
provide more meaningful information to report users if they are measurable
and feasible and are not presented in a broad or general manner. To reduce
misunderstanding in cases where the objectives are particularly limited
and broader objectives can be inferred, auditors may state objectives that
were not part of the audit.
evidence gathering and analysis techniques used, in sufficient detail
to allow knowledgeable users of their reports to understand how the
auditors addressed the audit objectives. In situations when extensive
and/or multiple sources of information are used by auditors, the
auditors should consider whether to include a description of the
procedures performed as part of the auditors' assessment of the
appropriateness of information used as audit evidence. Auditors should
identify any significant assumptions made in conducting the audit;
describe any comparative techniques applied; describe the criteria
used; and, when sampling significantly supports auditors' findings,
conclusions or recommendations, describe the sample design and state
why it was chosen, including whether the results can be projected to
the intended population.
fficiency and appropriateness of the evidence
in the aggregate. Auditors should also report any significant constraints
imposed on the audit approach by information limitations or scope
impairments, including demands of access to certain records or
individuals.
8.13 How the use of information of undetermined sufficiency and
appropriateness affects the auditors' report depends on the significance
of the information to the auditors' findings, conclusions, or
recommendations in light of the audit objectives. For example, auditors
may use such information to provide background information. In cases where
auditors use information of undetermined sufficiency and appropriateness
to support audit findings conclusions, or recommendations, auditors should
fully disclose the fact that such information is being used, assess the
impact of using such information, and use professional judgment to
determine whether and to what extent to qualify the audit findings and
conclusions. If the use of such information is significant to the
auditors' findings and conclusions, auditors should determine the impact
on the audit objectives and compliance with GAGAS. (See paragraphs 1.13
through 1.15.)
Findings
8.14 In the audit report, auditors should present sufficient, appropriate
evidence to support the findings, conclusions and recommendations in
relation to the audit objectives. Auditors should present findings in a
manner to promote adequate understanding of the matters reported and to
provide convincing but fair presentations in proper perspective that are
compelling. Auditors consider the significance of evidence as they develop
the report findings, conclusions and recommendations. In making judgments
about significance, auditors consider whether the judgment of a reasonable
person relying on the auditors' report would have been changed or
influenced if the matter had been disclosed in the audit report. This
includes the probability that the matter would change or influence the
decisions of intended users of the auditors' report; or, as another
example, where the context is a judgment about whether to report a matter
to those charged with governance, whether the matter would be regarded as
important by those charged with governance in carrying out their duties.
Auditors may provide selective background information to provide the
context for the overall message and to help the reader understand the
findings and significance of the issues discussed.112
s significant to the performance of the program being
audited. If the limitations of the information are partially or wholly
a result of internal control deficiencies, auditors should recommend
actions necessary to address the deficiencies.
ng the elements of criteria, condition, cause, and effect.
(See 7.36 through 7.37 and 7.70 through 7.73). However, the elements
needed for a finding depend on the audit objectives. For example, an
audit objective may be limited to determining the current status or
condition of implementing legislative requirements, and not the
related cause or effect. Thus, a finding or set of findings is
complete to the extent that the auditors achieve the audit objectives
and the report clearly relates those objectives to the elements of the
finding.
hould provide recommendations for corrective
action if they
Appropriate background information may include information on how programs
and operations work; the significance of programs and operations (e.g.,
dollars, impact, purposes, and past audit work if relevant); a description
of the audited entity`s responsibilities; and explanation of terms,
organizational structure, and the statutory basis for the program and
operations.
are significant within the context of the audit objectives. Following is
guidance for reporting on elements of findings:
a.
Criteria: The required or desired state and/or what is expected
from the program or operation. The criteria are easier to
understand when stated objectively, explicitly, and completely and
when the source of the criteria is identified in the audit
report.113
b.
Condition: What the auditors found regarding the actual situation.
Reporting the scope or extent of the condition allows the report
user to gain an accurate perspective.
c.
Cause: Evidence on the factor or factors responsible for the
difference between condition and criteria. In reporting the cause,
auditors may consider whether the evidence provides a reasonable
and convincing argument for why the stated cause is the key factor
or factors contributing to the difference as opposed to other
possible causes, such as poorly designed criteria or factors
uncontrollable by program management. The auditors also may
consider whether the identified cause could serve as a basis for
the recommendations. Often the causes of deficiencies in internal
control are complex and involve multiple factors. In some cases,
it may not be practical for auditors to fully develop or identify
all of the causes of deficiencies. However, analyzing and
identifying root causes of internal control deficiencies are key
to making recommendations for corrective action.
d.
Effect or potential effect: A clear, logical link to establish the
impact or potential impact of the difference between what the
auditors found (condition) and the required or desired state
(criteria). Effect is easier to understand when it is stated
clearly, concisely,
113
Common sources for criteria include laws, regulations, policies,
procedures, and best or standard practices. The Standards for Internal
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.:
Nov. 1999) and Internal Control--Integrated Framework, published by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
are two sources of established criteria auditors can use to support their
judgments and conclusions about internal control. The related Internal
Control Management and Evaluation Tool,GAO-01-1008G (Washington, D.C.:
Aug. 2001), based on the federal internal control standards, provides a
systematic, organized, and structured approach to assessing internal
control.
and, if possible, in quantifiable terms. The significance of the reported
effect can be demonstrated through credible evidence.
potential fraud and illegal acts unless they
are clearly inconsequential,115 significant violations of provisions
of contracts or grant agreements, and significant abuse.
Reporting Deficiencies in Internal Control
8.20 Auditors should include in the audit report (1) the scope of their
work on internal control and (2) deficiencies in internal control that are
significant within the context of the audit objectives. When auditors
detect deficiencies in internal control that are not significant to the
objectives of the performance audit, they should communicate those
deficiencies in a separate letter to officials of the audited entity
unless the deficiencies are clearly inconsequential considering both
qualitative and quantitative factors. If the auditors have communicated
deficiencies to officials of the audited entity during the
114
As discussed in paragraph 7.23, in performance audits a deficiency in
internal control exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their
assigned functions, to prevent or detect (1) misstatements in financial or
performance information, (2) violations of laws and regulations, or (3)
impairments of effectiveness or efficiency of operations, on a timely
basis.
115
Whether a particular act is, in fact, illegal may have to await final
determination by a court of law. Thus, when auditors disclose matters that
have led them to conclude that an illegal act is likely to have occurred,
they should take care not to unintentionally imply that a final
determination of illegality has been made.
course of the audit, they should refer to that communication in the audit
report. Whether or how to communicate deficiencies that are clearly
inconsequential to officials of the audited entity is a matter of the
auditors' professional judgment.
8.21 In a performance audit, auditors may conclude that identified
deficiencies in internal control that are significant within the context
of the audit objectives are the cause of the deficient performance. In
reporting this type of finding, the internal control deficiency would be
described as the cause.
Reporting Potential Fraud, Illegal Acts, Violations of Provisions of
Contracts or
Grant Agreements, or Abuse
ignificant violations of provisions of contracts
or grant agreements, or significant abuse either has occurred or may
have occurred, they should report the matter as a finding.116
mmunicate those findings in a separate letter to officials of the
audited entity unless the findings are clearly inconsequential,
considering both qualitative and quantitative factors. Auditors should
See paragraphs 8.26 through 8.28 for additional reporting considerations.
refer to that letter in the audit report. Whether or how to communicate
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse that are clearly inconsequential to officials
of the audited entity is a matter of the auditors' professional judgment.
Auditors should include in their audit documentation evidence of
communications to officials of the audited entity about deficiencies in
potential fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse.
8.25 When auditors conclude that potential fraud, illegal acts, violations
of provisions of contracts or grant agreements, or abuse either have
occurred or are likely to have occurred, they may consult with authorities
and/or legal counsel about whether publicly reporting certain information
about the potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse would compromise investigative or
legal proceedings. Auditors should limit their public reporting to matters
that would not compromise those proceedings, such as information that is
already a part of the public record.
Direct Reporting of Potential Fraud, Illegal Acts, Violations of
Provisions of
Contracts or Grant Agreements, or Abuse
to
parties outside the audited entity in two circumstances, as discussed
below.117 This reporting is in addition to any legal requirements for
direct reporting of potential fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse. Auditors should
follow these requirements even if they have resigned or been dismissed
from the audit prior to its completion.
ud,
illegal acts, violations of provisions of contracts or grant agreements,
or abuse to the audited entity and the audited entity fails to report
them, then the auditors should communicate such an awareness to the
governing body of the audited entity. When the audited entity does not
make the required report as soon as possible after the auditors'
communication with those charged with governance, then the auditors should
report such potential fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse directly to the external party
specified in the law or regulation.
from the audit, they should communicate
that conclusion to those charged with governance of the audited
entity. If the audited entity does not report the potential fraud,
illegal act, violation of provisions of contracts or grant agreements,
or abuse in a timely manner to the entity that provided the government
assistance, the auditors should report the potential fraud, illegal
act, violation of provisions of contracts or grant agreements, or
abuse directly to that entity.
uld report conclusions related to the audit objectives
and the audit findings and recommendations. Report conclusions are logical
inferences about the program based on the auditors' findings, not merely a
summary of the findings. The strength of the auditors' conclusions depends
on the sufficiency, and appropriateness of the evidence supporting the
findings and the soundness of the logic used to formulate the conclusions.
Conclusions are stronger if they lead to the auditors' recommendations and
convince the knowledgeable user of the report that action is necessary.
Recommendations
ded actions.
ble
basis for our findings and conclusions based on our audit objectives.
8.34 The statement of compliance with GAGAS indicates that the auditors
have complied with all applicable GAGAS general and auditing standards.
When the auditors did not follow applicable standards, or were not able to
follow applicable standards due to access problems or other scope
limitations, they should follow the requirements in paragraphs 1.13
through 1.15.
Reporting Views of Responsible Officials
appropriate. Including the views of responsible officials results in a
report that presents not only the auditors' findings, conclusions, and
recommendations, but also the perspectives of the responsible
officials of the audited entity and the corrective actions they plan
to take. Auditors should include in their report a copy of the
officials' written comments or a summary of the comments received
along with the auditors' evaluation of the comments. In cases when the
audited entity provides technical comments in addition to its written
comments on the report, auditors should
Some audits may address audit objectives which cover cross-cutting issues
that transcend specific government agencies. In these situations, auditors
use professional judgment to identify appropriate officials for the issues
addressed by the audit objectives and include the views of those officials
in the audit report.
use professional judgment in determining whether to include such comments
or disclose in the report that such comments were provided.
raft report. If oral comments are provided by the responsible
officials, auditors should prepare a summary of the oral comments and
provide a copy of the summary to the responsible officials to verify
that the comments are accurately stated prior to finalizing the
report.
comments. If the auditors disagree with the comments, they should
state in the report their reasons for disagreeing with the comments or
planned corrective actions. Conversely, the auditors should modify
their report as necessary if they find the officials' comments to be
valid.
be classified or may be otherwise prohibited
from general disclosure by federal, state, or local laws or
regulations. In such circumstances, auditors may issue a separate,
classified or limited-official-use report containing such information
and distribute the report only to persons authorized by law or
regulation to receive it. Additional circumstances associated with
public safety and security concerns could also justify the exclusion
of certain information in the report. For example, detailed
information related to computer security for a particular program may
be excluded from publicly available reports because of the potential
damage that could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited-official-use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors' recommendations. The
auditors may consult with legal counsel regarding any requirements or
other circumstances that may necessitate the omission of certain
information.
eports to other officials who have
legal oversight authority or who may be responsible for acting on
audit findings and recommendations, and to others authorized to
receive such reports. Auditors should clarify whether the report will
be made available for public distribution.
organization. If the nongovernment auditors are to make
the distribution, they should reach agreement with the party
contracting for the audit about which officials or organizations
should receive the report and the steps being taken to make the report
available to the public.
ted report
distribution.
Appendix
Introduction
A.01 The following sections provide supplemental guidance for auditors and
the audited entities to assist in the implementation of GAGAS. The
guidance is not intended to establish additional auditor requirements but
instead is to facilitate auditor implementation of the standards contained
in chapters 1 through 8. The supplemental guidance in the first section
may be of assistance for all types of audits and engagements covered by
GAGAS. Subsequent sections provide supplemental guidance for specific
chapters of GAGAS, as indicated.
Overall Supplemental Guidance
A.02 Chapters 4 through 8 discuss the field work and reporting standards
for financial audits, attestation engagements, and performance audits. The
identification of significant deficiencies in internal control,
significant abuse, fraud risks, and significant laws, regulations, or
provisions of contract or grant agreements are important aspects of
government auditing. The following discussion is provided to assist
auditors with identifying significant deficiencies in internal control,
abuse, and indicators of fraud risk and to assist auditors with
determining whether laws, regulations, or provisions of contracts or grant
agreements are significant to the audit objectives.
Examples of Significant Deficiencies in Internal Control
A.03 Auditor requirements for reporting significant deficiencies in
internal control are discussed in paragraphs 5.13 through 5.18, 6.49
through 6.53, and 8.20 through 8.21. The following are examples of matters
that may be significant deficiencies, including material weaknesses,
depending on the facts and circumstances:
a.
Ineffective oversight by those charged with governance of the
entity's financial reporting, performance reporting, or internal
control, or an ineffective overall governance structure.
b.
Restatement of previously issued financial statements to reflect
the correction of a material misstatement or significant
corrections made to previously reported performance or operational
results.
c.
Identification by the auditor of a material misstatement in the
financial statements for the period under audit that was not
initially identified by the entity's internal control. This
includes misstatements involving estimation and judgment for which
the auditor identifies potential material adjustments and
corrections of the recorded amounts. (This is a strong indicator
of a material weakness even if management subsequently corrects
the misstatement.)
d.
An ineffective internal audit function or risk assessment function
at an entity for which such functions are important to the
monitoring or risk assessment component of internal control, such
as for a very large or highly complex entity.
e.
Identification of fraud of any magnitude on the part of senior
management.
f.
Failure by management or those charged with governance to assess
the effect of a significant deficiency previously communicated to
them and either correct it or conclude that it will not be
corrected.
g.
An ineffective control environment. Control deficiencies in
various other components of internal control could lead the
auditor to conclude that a significant deficiency or material
weakness exists in the control environment.
h.
Inadequate provisions for the safeguarding of assets.
i.
Evidence of intentional override of internal control by those in
authority to the detriment of the overall objectives of the
system.
j.
Deficiencies in the design or operation of internal control that
could result in violations of laws, regulations, provisions of
contracts or grant agreements; fraud; or abuse having a direct and
material effect on the financial statements or the audit
objective.
Examples of Abuse
A.04 [Placeholder for discussion of examples of abuse.]
Examples of Indicators of Fraud Risk
A.05 In some circumstances, conditions such as the following might
indicate a heightened risk of fraud:
a.
the entity's financial stability, viability, or budget is
threatened by economic, programmatic, or entity operating
conditions;
b.
the nature of the audited entity's operations provide
opportunities to engage in fraud;
c.
inadequate monitoring by management for compliance with policies,
laws, and regulations;
d.
the organizational structure is unstable or unnecessarily complex;
e.
lack of communication and/or support for ethical standards by
management;
f.
management has a willingness to accept unusually high levels of
risk in making significant decisions;
g.
a history of impropriety, such as previous issues with fraud,
waste, abuse, or questionable practices, or past audits or
investigations with findings of questionable or criminal activity;
h.
operating policies and procedures have not been developed or are
outdated;
i.
key documentation is often lacking or does not exist;
j.
lack of asset accountability or safeguarding procedures;
k.
improper payments;
l.
false or misleading information; or
m.
a pattern of large procurements in any budget line with remaining
funds at year end, in order to "use up all of the funds
available."
Determining Whether Laws, Regulations, or Provisions of Contracts or Grant
Agreements Are Significant to Audit Objectives
A.06 Government programs are subject to many laws, regulations, and
provisions of contracts or grant agreements. At the same time their
significance to audit objectives vary widely, depending on the objectives
of the audit. Auditors may find the following approach helpful in
assessing whether laws, regulations, or provisions of contracts or grant
agreements are significant to audit objectives:
a.
Reduce each audit objective to questions about specific aspects of
the program being audited (that is, purpose and goals, internal
control, inputs, program operations, outputs, and outcomes).
b.
Identify laws, regulations, and provisions of contracts or grant
agreements that directly relate to specific aspects of the program
included in questions that reflect the audit objectives.
c.
Determine if the audit objectives or the auditors' conclusions
could be significantly affected if violations of those laws,
regulations, or provisions of contracts or grant agreements
occurred. If the audit objectives or audit conclusions could be
significantly affected, then those laws, regulations, and
provisions of contracts or grant agreements are likely to be
significant to the audit objectives.
A.07 Auditors may consult with legal counsel to (1) determine those laws
and regulations that are significant to the audit objectives, (2) design
tests of compliance with laws and regulations, or (3) evaluate the results
of those tests. Auditors also may consult with legal counsel when audit
objectives require testing compliance with provisions of contracts or
grant agreements. Depending on the circumstances of the audit, auditors
may consult with others, such as investigative staff, other audit
organizations or government entities that provided assistance to the
audited entity, or applicable law enforcement authorities, to obtain
information on compliance matters.
Information to Accompany Chapter 1
A1.01 Chapter 1 discusses the use and application of GAGAS and the role of
auditing in government accountability. Those charged with governance and
management of audited organizations also have roles in government
accountability. The discussion which follows is provided to assist
auditors in understanding the roles of others in accountability. The
following section also contains background information on the laws,
regulations and guidelines which require the use of GAGAS. This
information is provided to place the requirements contained in GAGAS
within the context of overall government accountability.
The Role of Those Charged with Governance in Accountability
A1.02 Those charged with governance are responsible for overseeing the
strategic direction of the entity and obligations related to the
accountability of the entity. This includes overseeing the financial
reporting process, subject matter, or program under audit including
related internal controls. In certain entities covered by GAGAS, those
charged with governance also may be part of the entity's management. In
some audit entities, multiple parties may be charged with governance,
including oversight bodies, members or staff of legislative committees,
boards of directors, audit committees, or parties contracting for the
audit.
Because the governance structures of government entities and organizations
can vary widely, it may not always be clearly evident who is charged with
key governance functions. In these situations, auditors evaluate the
organizational structure for directing and controlling operations to
achieve the entity's objectives. This evaluation also includes how the
government entity delegates authority and establishes accountability for
its management personnel.
Management's Role in Accountability
A1.03 Officials of the audited entity (for example, managers of a state or
local governmental entity or a nonprofit entity that receives federal
awards) are responsible for:
a.
using government resources efficiently, economically, effectively,
equitably, and legally to achieve the purposes for which the
resources were furnished or the program was established;120
b.
complying with applicable laws and regulations, including
identifying the requirements with which the entity and the
official must comply and implementing systems designed to achieve
that compliance;
c.
establishing and maintaining effective internal control to help
ensure that appropriate goals and objectives are met; using
resources efficiently, economically, effectively, and equitably,
and safeguarding resources; following laws and regulations; and
ensuring that management and financial information is reliable and
properly reported;
d.
providing appropriate reports to those who oversee their actions
and to the public in order to be accountable for the resources and
authority used to carry out government programs and the results of
these programs;
e.
addressing the findings and recommendations of auditors, and for
establishing and maintaining a process to track the status of such
findings and recommendations; and
f.
following sound procurement practices when contracting for audits
and attestation engagements, including ensuring procedures are in
place for monitoring contract performance.
A1.04 Management of the audited entity is responsible for resolving audit
findings and recommendations and for having a process to track progress in
resolving the findings and recommendations.
This responsibility applies to all resources, both financial and physical,
as well as informational resources, whether entrusted to public officials
or others by their own constituencies or by other levels of government.
A1.05 Management of the audited entity is responsible for taking timely
and appropriate steps to remedy fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that auditors report
to it.
Laws, Regulations, and Guidelines that Require Use of GAGAS
A1.06 The following are among the laws, regulations, and guidelines that
require use of GAGAS:
a.
The Inspector General Act of 1978, as amended, 5 U.S.C. App.
(2000) requires that the statutorily appointed federal inspectors
general comply with GAGAS for audits of federal establishments,
organizations, programs, activities, and functions. The act
further states that the inspectors general shall take appropriate
steps to assure that any work performed by nonfederal auditors
complies with GAGAS.
b.
The Chief Financial Officers Act of 1990 (Public Law 101-576), as
expanded by the Government Management Reform Act of 1994 (Public
Law 103-356), requires that GAGAS be followed in audits of
executive branch departments' and agencies' financial statements.
c.
The Single Audit Act Amendments of 1996 (Public Law 104-156)
require that GAGAS be followed in audits of state and local
governments and nonprofit entities that receive federal awards.121
Office of Management and Budget (OMB) Circular A-133, Audits of
States, Local Governments, and Non-Profit Organizations, which
provides the governmentwide guidelines and policies on performing
audits to comply with the Single Audit Act, also requires the use
of GAGAS.
Under the Single Audit Act, as amended, federal awards include federal
financial assistance (grants, loans, loan guarantees, property,
cooperative agreements, interest subsidies, insurance, food commodities,
direct appropriations, or other assistance) and cost-reimbursement
contracts.
d. The Accountability of Tax Dollars Act of 2002 extends the requirement
to prepare and submit audited financial statements to most executive
agencies not subject to the Chief Financial Officers Act unless they are
exempted by OMB. These covered agencies are required to follow GAGAS in
their financial statement audits, but are not required to have systems
that are compliant with FFMIA.
A1.07 Other laws, regulations, or other authoritative sources could
require the use of GAGAS. For example, auditors at the state and local
levels of government may be required by state and local laws and
regulations to follow GAGAS. Also, auditors may be required by the terms
of an agreement or contract to comply with GAGAS. Auditors may also be
required by federal audit guidelines pertaining to program requirements,
such as those issued for Housing and Urban Development programs and
Student Financial Aid programs.
A1.08 Even if not required to do so, auditors may find it useful to follow
GAGAS in performing audits of federal, state, and local government
programs as well as in performing audits of government awards administered
by contractors, nonprofit entities, and other nongovernment entities. Many
audit organizations not formally required to do so, both in the United
States of America and in other countries, voluntarily follow GAGAS.
Information to Accompany Chapters 3
A3.01 Chapter 3 discusses the general standards applicable when performing
financial audits, attestation engagements, and performance audits under
GAGAS. Auditors may also provide professional services, other than audits
and attestation engagements which are sometimes referred to as consulting
services. GAGAS do not cover nonaudit services since such services are not
audits or attestation engagements. If an audit organization decides to
perform nonaudit services, their independence for performing audits or
attestation engagements may be impacted. Nonaudit services which may
impair or do impair auditor independence are discussed in chapter 3. The
following supplemental guidance is provided to assist auditors and audited
entities in identifying nonaudit services that are often provided by
government audit organizations without impairing their independence with
respect to entities for which they provide audit or attest services by
providing examples of such services.
Nonaudit Services
A3.02 Government audit organizations frequently are requested to provide
or are required to provide nonaudit services that differ from the
traditional professional services provided to or for an audit/attest
entity. These types of nonaudit services are often performed in response
to a statutory requirement, under the authority of the audit organization,
or for a legislative oversight body or an independent external
organization and generally do not impair auditor independence. (The
requirements for evaluating whether nonaudit services impair auditor
independence are in chapter 3, paragraphs 3.24 through 3.35.)
A3.03 Examples of the types of services under this category include the
following:
a.
Providing information or data to a requesting party without
auditor evaluation or verification of the information or data;
b.
Developing standards, methodologies, audit guides, audit programs,
or criteria for use throughout the government or for use in
certain specified situations;
c.
Collaborating with other professional organizations to advance
auditing of government organizations;
d.
Developing question and answer documents to promote understanding
of technical issues or standards;
e.
Providing assistance and technical expertise to legislative bodies
or independent external organizations and assisting legislative
bodies by developing questions for use at a hearing;
f.
Providing training, speeches, and technical presentations;
g.
Developing surveys, collecting responses on behalf of others, and
reporting results as "an independent third party;"
h.
Providing oversight assistance in reviewing budget submissions;
i.
Contracting for audit services on behalf of an audited entity and
overseeing the audit contract, as long as the overarching
principles are not violated and the auditor under contract reports
to the audit organization and not to management;
j.
Assessing the advantages and disadvantages of legislative
proposals;
k.
Identifying best practices for users in evaluating program or
management system approaches, including financial and information
management systems; and
l.
Audit, investigative, and oversight-related services
that do not involve a full-scope GAGAS audit (but
which could be performed as an audit, if the audit
organization elects to do so), such as:
(1)
Investigations of alleged fraud,
violation of contract provisions or
grant agreements, or abuse;
(2)
Review-level work such as sales tax
reviews that are designed to ensure the
governmental entity receives from
businesses, merchants and vendors all of
the sales taxes to which it is entitled;
(3)
Periodic audit recommendation follow-up
engagements and reports;
(4)
Identifying best practices or leading
practices for use in advancing the
practices of government organizations;
(5)
Analyzing cross-cutting and emerging
issues; and
(6)
Providing forward-looking analysis
involving programs.
Information to Accompany Chapter 7
A7.01 Chapter 7 discusses the field work standards for performance audits.
An integral concept for performance auditing is the use of sufficient,
appropriate evidence based on the audit objectives to support a sound
basis for audit findings, conclusions, and recommendations. The following
discussion is provided to assist auditors in identifying the various types
of evidence and assessing the appropriateness of information or evidence
in relation to the audit objectives.
Types of Evidence
A7.02 In terms of its form and how it is collected, evidence may be
categorized as physical, documentary, or testimonial. Physical evidence is
obtained by auditors' direct inspection or observation of people,
property, or events. Such evidence may be documented in memoranda,
photographs, videos, drawings, charts, maps, or physical samples.
Documentary evidence is obtained in the form of already existing
information such as letters, contracts, accounting records, invoices,
spreadsheets, database extracts, electronically stored information, and
management information on performance. Testimonial evidence is obtained
through inquiries, interviews, focus groups, public forums, or
questionnaires. Auditors frequently use analytical processes including
computations, comparisons, separation of information into components, and
rational arguments to analyze any information gathered to determine
whether it is sufficient and appropriate.122
Appropriateness of Information in Relation to the Audit Objectives
A7.03 One of the primary factors influencing the assurance associated with
a performance audit is the appropriateness of the information in relation
to the audit objectives. For example:
a.
The audit objectives might focus on verifying specific
quantitative results presented by the audited entity. In these
situations, the performance audit would likely provide reasonable
assurance about the accuracy of the specific amounts in question.
This work may include the possible use of statistical sampling.
b.
The audit objectives might focus on the performance of a specific
program or activity in the agency being audited. In this
situation, the auditor may have to use specific information
compiled by the agency being audited in order to answer the audit
objectives. In this situation, the auditor may find it necessary
to test the quality of the information, which includes both its
validity and reliability.
c.
The audit objectives might focus on information that is used for
widely-accepted purposes and obtained from sources generally
recognized as appropriate. For example, economic statistics issued
by government agencies for purposes such as adjusting for
inflation, or other such information issued by authoritative
organizations, may be the best information available. In such
cases, it may not be practical or necessary for auditors to
conduct procedures to verify the information. These decisions call
for professional judgment based on the nature of the information,
its common usage or acceptance, and how it is being used in the
audit. Paragraphs 7.56 through 7.62 in chapter 7 discuss the
factors the auditor should consider.
d.
The audit objectives might focus on comparisons or benchmarking
between various government functions or agencies. These types of
audits are especially useful for analyzing the outcomes of various
public policy decisions. In these cases, auditors may perform
analyses, such as comparative statistics of different
jurisdictions or changes in performance over time, where it would
be cost prohibitive and/or impractical to do a verification of the
detailed data underlying the statistics. Clear disclosure as to
what extent the comparative information or statistics were
evaluated or corroborated will place the information in proper
context for report users.
e.
The audit objectives might focus on trend information. In this
situation, auditors may use overall analytical tests, combined
with a knowledge and understanding of the systems or processes
used for compiling information.
f.
The audit objectives might focus on the auditor identifying
emerging and cross-cutting issues using information compiled or
self-reported by agencies. In such cases, it may be helpful for
the auditor to consider the overall appropriateness of the
compiled information with other information available about the
program. Other sources of information, such as Inspector General
reports or other external audits may provide the auditors with
information regarding whether any unverified or self-reported
information is consistent with or can be corroborated by these
other external sources of information.
See paragraphs 7.56 and 7.63 for definitions of appropriate and
sufficient.
Members of the Comptroller General's Advisory Council on Government Auditing
Standards
Mr. Jack R. Miller, Chair KMPG LLP (Retired) (member 1997-1998; chair
2001-2008)
The Honorable Ernest A. Almonte Office of the Auditor General State of
Rhode Island (member 2001-2008)
Dr. Paul A. Copley James Madison University (member 2005-2008)
Mr. David Cotton Cotton & Co. LLP (member 2006-2009)
The Honorable Debra K. Davenport Office of the Auditor General State of
Arizona (member 2002-2005)
Ms. Kristine Devine Deloitte & Touche, LLP (member 2005-2008)
Dr. John H. Engstrom Northern Illinois University (member 2002-2005)
The Honorable Richard L. Fair Office of the State Auditor State of New
Jersey (member 2002-2005)
Dr. Ehsan Feroz University of Minnesota Duluth (member 2002-2009)
The Honorable Phyllis Fong
U.S. Department of Agriculture (member 2004-2006) Mr. Alex Fraser Standard
& Poor's (member 2006-2009)
The Honorable Gregory H. Friedman
U.S. Department of Energy (member 2002-2005)
Mr. Mark Funkhouser Office of City Auditor Kansas City, Missouri (member
2005-2008)
Dr. Michael H. Granof University of Texas at Austin (member 2005-2008)
Mr. Jerome Heer Office of the County Auditor Milwaukee, Wisconsin (member
2004-2006)
Ms. Marion Higa Office of State Auditor State of Hawaii (member 2006-2009)
The Honorable John P. Higgins, Jr.
U.S. Department of Education (member 2005-2008)
Mr. Russell Hinton Office of the State Auditor State of Georgia (member
2004-2006)
Mr. Richard A. Leach United States Navy (member 2005-2008)
Mr. Patrick L. McNamee PricewaterhouseCoopers, LLP (member 2005-2008) Mr.
Rakesh Mohan Office of Performance Evaluations Idaho State Legislature
(member 2004-2006)
The Honorable Samuel Mok
U.S. Department of Labor (member 2006-2009)
Mr. Harold L. Monk Davis Monk & Company, CPAs (member 2002-2009)
Mr. William Monroe Office of Auditor General State of Florida (member
2004-2006)
Mr. Stephen L. Morgan Office of the City Auditor Austin, Texas (member
2001-2008)
Mr. Robert M. Reardon, Jr. State Farm Insurance Companies (member
2002-2005)
Mr. Brian A. Schebler McGladrey & Pullen, LLP (member 2005-2008)
Mr. Gerald Silva Office of the City Auditor San Jose, California (member
2002-2009)
Mr. Barry R. Snyder Federal Reserve Board (member 2001-2008)
Mr. James R. Speer JP Associates, Inc. (member 2004-2006)
Dr. Daniel Stufflebeam Western Michigan University (member 2002-2009)
The Honorable Nikki Tinsley
U. S. Environmental Protection Agency (member 2002-2005)
Mr. George Willie Bert Smith & Co. (member 2004-2006)
GAO Project Team:
Jeffrey C. Steinhoff, Managing Director Jeanette M. Franzel, Project
Director Marcia B. Buchanan, Assistant Director Gail F. Vallieres,
Assistant Director Michael C. Hrapsky, Senior Project Manager Heather I.
Keister, Senior Auditor Maxine L. Hattery, Communications Analyst Jennifer
V. Allison, Council Administrator
(194574)
*** End of document. ***