Government Auditing Standards: Implementation Tool: Professional
Requirements Tool for Use in Implementing Requirements Identified
by "Must" and "Should" in the July 2007 Revision of Government
Auditing Standards (31-DEC-07, GAO-08-210G).
This is the Government Auditing Standards Implementation Tool.
This document outlines the professional requirements tool for use
in implementing requirements identified by "must" and "should" in
the July 2007 revision of Government Auditing Standards. This
document is supplementary to the July 2007 revision.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-08-210G
ACCNO: A79251
TITLE: Government Auditing Standards: Implementation Tool:
Professional Requirements Tool for Use in Implementing
Requirements Identified by "Must" and "Should" in the July 2007
Revision of Government Auditing Standards
DATE: 12/31/2007
SUBJECT: Auditing procedures
Auditing standards
Cost accounting
Federal advisory bodies
Federal agencies
Internal auditors
Internal audits
Standards evaluation
Yellow Book
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-08-210G
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
Government Auditing Standards: Implementation Tool:
Professional Requirements Tool for Use in Implementing Requirements
Identified by "Must" and "Should" in the July 2007 Revision of
Government Auditing Standards:
This Professional Requirements Tool lists the requirements for audit
organizations and auditors included in the July 2007 Revision of
Generally Accepted Government Auditing Standards (GAGAS), also commonly
known as the Yellow Book. This tool lists professional responsibilities
that are specifically identified in the standards by the words "must"
and "should."
This tool is divided into four sections. The general requirements
section contains entity-wide requirements for the audit organization
and is intended for use in addition to the specific sections for
financial audits, attestation engagements, and performance audits,
which contain engagement-specific requirements for the auditors
conducting the engagement. Audit organizations and auditors should also
refer to the complete text of the July 2007 Revision of GAGAS to
understand the context for those requirements along with related
guidance.
This tool was prepared by GAO's government auditing standards staff to
facilitate audit organizations' and auditors' implementation of the
standards, and does not represent additional standards or requirements.
The staff welcomes your feedback and comments. If you have questions or
comments related to this tool, please contact Heather Keister, at (202)
512-2943 or [email protected]. For other questions on GAGAS, please
contact us at [email protected].
Signed by:
Jeanette M. Franzel:
Director, Financial Management and Assurance:
Contents:
Background:
General Requirements For Audit Organizations:
Specific Requirements For Financial Audits:
Specific Requirements For Attestation Engagements:
Specific Requirements For Performance Audits:
Background:
In July 2007, the Comptroller General issued a major revision to
Government Auditing Standards.[Footnote 1] The July 2007 Revision uses
clarified language to define the auditors' level of responsibility and
distinguish between auditor requirements and additional guidance.
As described in the July 2007 Revision (paragraphs 1.05 through 1.08),
GAGAS use two categories of professional requirements to describe the
degree of responsibility for auditors and audit organizations, as
follows:
* Unconditional requirements: Auditors and audit organizations are
required to comply with an unconditional requirement in all cases in
which the circumstances exist to which the unconditional requirement
applies. GAGAS use the words must or is required to specify an
unconditional requirement.
* Presumptively mandatory requirements: Auditors and audit
organizations are also required to comply with a presumptively
mandatory requirement in all cases in which the circumstances exist to
which the presumptively mandatory requirement applies; however, in rare
circumstances, auditors and audit organizations may depart from a
presumptively mandatory requirement provided they document their
justification for the departure and how the alternative procedures
performed in the circumstances were sufficient to achieve the
objectives of the presumptively mandatory requirement. GAGAS use the
word should to specify a presumptively mandatory requirement.
For financial audits and attestation engagements, GAGAS incorporates
the AICPA field work and reporting standards and the related Statements
on Auditing Standards (SAS) and Statements on Standards for Attestation
Engagements (SSAE). Therefore, in addition to the requirements
contained in this tool, documentation of compliance with the
requirements in the AICPA field work and reporting standards is
required for financial audits and attestation engagements conducted in
accordance with GAGAS.
This tool is intended to assist auditors with documenting compliance
with GAGAS. The columns to the right of the requirements may be used
for auditor notations to indicate the location of audit documentation
that supports compliance with the GAGAS requirement. The words "must"
and "should" that are applicable to each section are bolded and
underlined in this tool for emphasis.
Explanatory material that identifies or describes other procedures does
not represent a professional requirement for the audit organization or
auditor to perform such procedures. How and whether to carry out such
procedures depends on the exercise of professional judgment consistent
with the objective of the standard. This tool does not include
explanatory material from the July 2007 Revision of Government Auditing
Standards. Therefore, audit organizations and auditors should read the
entire text of the July 2007 Revision of GAGAS, including the
explanatory material when planning the audit and making professional
judgments about compliance with professional requirements.
General Requirements for Audit Organizations:
General Requirements - Audit organizations:
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
Professional Services Other Than Audits (Nonaudit Services) Provided by
Audit Organizations;
1.33: GAGAS do not cover professional services other than audits or
attestation engagements (nonaudit services)...Therefore, auditors must
not report that the nonaudit services were conducted in accordance with
GAGAS. When performing nonaudit services for an entity for which the
audit organization performs a GAGAS audit or attestation engagement,
audit organizations should communicate, as appropriate, with requestors
and those charged with governance to clarify that the scope of work
performed does not constitute an audit under GAGAS;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
Professional Services Other Than Audits (Nonaudit Services) Provided by
Audit Organizations;
1.34: Audit organizations that provide nonaudit services must evaluate
whether providing nonaudit services creates an independence impairment
either in fact or appearance with respect to the entities they audit...
Must: [Empty]
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Independence;
3.02: In all matters relating to the audit work, the audit organization
and the individual auditor, whether government or public, must be free
from personal, external, and organizational impairments to
independence, and must avoid the appearance of such impairments of
independence;
Must: [Empty]
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Independence;
3.03: Auditors and audit organizations must maintain independence so
that their opinions, findings, conclusions, judgments, and
recommendations will be impartial and viewed as impartial by objective
third parties with knowledge of the relevant information. Auditors
should avoid situations that could lead objective third parties with
knowledge of the relevant information to conclude that the auditors are
not able to maintain independence and thus are not capable of
exercising objective and impartial judgment on all issues associated
with conducting the audit and reporting on the work;
Must: [Empty]
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Independence;
3.04: When evaluating whether independence impairments exist either in
fact or appearance with respect to the entities for which audit
organizations perform audits or attestation engagements, auditors and
audit organizations must take into account the three general classes of
impairments to independence--personal, external, and organizational.
[Footnote not shown.] If one or more of these impairments affects or
can be perceived to affect independence, the audit organization (or
auditor) should decline to perform the work--except in those situations
in which an audit organization in a government entity, because of a
legislative requirement or for other reasons, cannot decline to perform
the work, in which case the government audit organization must disclose
the impairment(s) and modify the GAGAS compliance statement...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Independence;
3.06: If an impairment to independence is identified after the audit
report is issued, the audit organization should assess the impact on
the audit. If the audit organization concludes that it did not comply
with GAGAS, it should determine the impact on the auditors' report and
notify entity management, those charged with governance, the
requesters, or regulatory agencies that have jurisdiction over the
audited entity and persons known to be using the audit report about the
independence impairment and the impact on the audit. The audit
organization should make such notifications in writing;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Personal Impairments;
3.08: Audit organizations and auditors may encounter many different
circumstances or combinations of circumstances that could create a
personal impairment. Therefore, it is impossible to identify every
situation that could result in a personal impairment. Accordingly,
audit organizations should include as part of their quality control
system procedures to identify personal impairments and help ensure
compliance with GAGAS independence requirements. At a minimum, audit
organizations should:
a. establish policies and procedures to identify, report, and resolve
personal impairments to independence,
b. communicate the audit organization's policies and procedures to all
auditors in the organization and promote understanding of the policies
and procedures,
c. establish internal policies and procedures to monitor compliance
with the audit organization's policies and procedures,
d. establish a disciplinary mechanism to promote compliance with the
audit organization's policies and procedures,
e. stress the importance of independence and the expectation that
auditors will always act in the public interest, and;
f. maintain documentation of the steps taken to identify potential
personal independence impairments;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Personal Impairments;
3.09: When the audit organization identifies a personal impairment to
independence prior to or during an audit, the audit organization should
take action to resolve the impairment in a timely manner. � If the
personal impairment cannot be eliminated, the audit organization should
withdraw from the audit. In situations in which auditors employed by
government entities cannot withdraw from the audit, they should follow
paragraph 3.04;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Impairments;
3.10: Audit organizations must be free from external impairments to
independence. Factors external to the audit organization may restrict
the work or interfere with auditors' ability to form independent and
objective opinions, findings, and conclusions. External impairments to
independence occur when auditors are deterred from acting objectively
and exercising professional skepticism by pressures, actual or
perceived, from management and employees of the audited entity or
oversight organizations...;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Impairments;
3.11: Audit organizations should include policies and procedures for
identifying and resolving external impairments as part of their quality
control system for compliance with GAGAS independence requirements;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence;
3.12: The ability of audit organizations in government entities to
perform work and report the results objectively can be affected by
placement within government, and the structure of the government entity
being audited. Whether reporting to third parties externally or to top
management within the audited entity internally, audit organizations
must be free from organizational impairments to independence with
respect to the entities they audit. Impairments to organizational
independence result when the audit function is organizationally located
within the reporting line of the areas under audit or when the auditor
is assigned or takes on responsibilities that affect operations of the
area under audit;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence for External Audit Functions;
3.15:..For an external audit organization to be considered free from
organizational impairments under a structure different from the ones
[government entity structures] listed in paragraphs 3.13 and 3.14, the
audit organization should have all of the following safeguards. In such
situations, the audit organization should document how each of the
following safeguards were satisfied and provide the documentation to
those performing quality control monitoring and to the external peer
reviewers to determine whether all the necessary safeguards have been
met:
a. statutory protections that prevent the audited entity from
abolishing the audit organization;
b. statutory protections that require that if the head of the audit
organization is removed from office, the head of the agency report this
fact and the reasons for the removal to the legislative body;
c. statutory protections that prevent the audited entity from
interfering with the initiation, scope, timing, and completion of any
audit;
d. statutory protections that prevent the audited entity from
interfering with audit reporting, including the findings and
conclusions or the manner, means, or timing of the audit organization's
reports;
e. statutory protections that require the audit organization to report
to a legislative body or other independent governing body on a
recurring basis;
f. statutory protections that give the audit organization sole
authority over the selection, retention, advancement, and dismissal of
its staff; and;
g. statutory access to records and documents related to the agency,
program, or function being audited and access to government officials
or other individuals as needed to conduct the audit. [Footnote not
shown.];
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence for Internal Audit Functions;
3.17: The internal audit organization should report regularly to those
charged with governance;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence for Internal Audit Functions;
3.19: The internal audit organization should document the conditions
that allow it to be considered free of organizational impairments to
independence for internal reporting and provide the documentation to
those performing quality control monitoring and to the external peer
reviewers to determine whether all the necessary safeguards have been
met;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence When Performing Nonaudit Services;
3.20:...Audit organizations that provide nonaudit services must
evaluate whether providing the services creates an independence
impairment either in fact or appearance with respect to entities they
audit. [Footnote not shown.]...;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Organizational Independence When Performing Nonaudit Services;
3.21: Audit organizations in government entities generally have broad
audit responsibilities and, therefore, should establish policies and
procedures for accepting engagements to perform nonaudit services so
that independence is not impaired with respect to entities they
audit...Independent public accountants may provide audit and nonaudit
services (commonly referred to as consulting) under contractual
commitments to an entity and should determine whether nonaudit services
they have provided or are committed to provide have a significant or
material effect on the subject matter of the audits;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Overarching Independence Principles;
3.22: The following two overarching principles apply to auditor
independence when assessing the impact of performing a nonaudit service
for an audited program or entity: (1) audit organizations must not
provide nonaudit services that involve performing management functions
or making management decisions and (2) audit organizations must not
audit their own work or provide nonaudit services in situations in
which the nonaudit services are significant or material to the subject
matter of the audits. [Footnote not shown.];
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Overarching Independence Principles;
3.23: In considering whether audits performed by the audit organization
could be significantly or materially affected by the nonaudit service,
audit organizations should evaluate (1) ongoing audits; (2) planned
audits; (3) requirements and commitments for providing audits, which
includes laws, regulations, rules, contracts, and other agreements; and
(4) policies placing responsibilities on the audit organization for
providing audit services;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Overarching Independence Principles;
3.24: If requested [footnote not shown] to perform nonaudit services
that would impair the audit organization's ability to meet either or
both of the overarching independence principles for certain types of
audit work, the audit organization should inform the requestor and the
audited entity that performing the nonaudit service would impair the
auditors' independence with regard to subsequent audit or attestation
engagements;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Supplemental Safeguards for Maintaining Auditor Independence When
Performing Nonaudit Services;
3.30: Performing nonaudit services described in paragraph 3.28 will not
impair independence if the overarching independence principles stated
in paragraph 3.22 are not violated. For these nonaudit services, the
audit organization should comply with each of the following safeguards:
a. document its consideration of the nonaudit services, including its
conclusions about the impact on independence;
b. establish in writing an understanding with the audited entity
regarding the objectives, scope of work, and product or deliverables of
the nonaudit service; and management's responsibility for (1) the
subject matter of the nonaudit services, (2) the substantive outcomes
of the work, and (3) making any decisions that involve management
functions related to the nonaudit service and accepting full
responsibility for such decisions;
c. exclude personnel who provided the nonaudit services from planning,
conducting, or reviewing audit work in the subject matter of the
nonaudit service; [footnote not shown] and;
d. do not reduce the scope and extent of the audit work below the level
that would be appropriate if the nonaudit service were performed by an
unrelated party;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Competence;
3.41: The audit organization's management should assess skill needs to
consider whether its workforce has the essential skills that match
those necessary to fulfill a particular audit mandate or scope of
audits to be performed. Accordingly, audit organizations should have a
process for recruitment, hiring, continuous development, assignment,
and evaluation of staff to maintain a competent workforce. The nature,
extent, and formality of the process will depend on various factors
such as the size of the audit organization, its structure, and its
work;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Continuing Professional Education;
3.48: Improving their own competencies and meeting CPE requirements are
primarily the responsibilities of individual auditors. The audit
organization should have quality control procedures to help ensure that
auditors meet the continuing education requirements, including
documentation of the CPE completed...;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
Quality Control and Assurance;
3.50: Each audit organization performing audits or attestation
engagements in accordance with GAGAS must:
a. establish a system of quality control that is designed to provide
the audit organization with reasonable assurance that the organization
and its personnel comply with professional standards and applicable
legal and regulatory requirements, and;
b. have an external peer review at least once every 3 years.[35].
[35] An audit organization's noncompliance with the peer review
requirements (paragraph 3.50b and 3.55 through 3.60) results in a
modified GAGAS compliance statement. The audit organization's
compliance (or noncompliance) with the requirements for a system of
quality control in paragraphs 3.50a and 3.51 through 3.54 are tested
and reported on as part of the peer review process and do not impact
the GAGAS compliance statement...;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
System of Quality Control;
3.52: Each audit organization must document its quality control
policies and procedures and communicate those policies and procedures
to its personnel. The audit organization should document compliance
with its quality control policies and procedures and maintain such
documentation for a period of time sufficient to enable those
performing monitoring procedures and peer reviews to evaluate the
extent of the audit organization's compliance with its quality control
policies and procedures...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
System of Quality Control;
3.53 An audit organization should include policies and procedures in
its system of quality control that collectively address:
a. Leadership responsibilities for quality within the audit
organization: Policies and procedures that designate responsibility for
quality of audits and attestation engagements performed under GAGAS and
communication of policies and procedures relating to quality...;
b. Independence, legal, and ethical requirements: Policies and
procedures designed to provide reasonable assurance that the audit
organization and its personnel maintain independence, and comply with
applicable legal and ethical requirements. [Footnote not shown.];
c. Initiation, [footnote not shown] acceptance, and continuance of
audit and attestation engagements: Policies and procedures for the
initiation, acceptance, and continuance of audit and attestation
engagements, designed to provide reasonable assurance that the audit
organization will undertake audit engagements only if it can comply
with professional standards and ethical principles and is acting within
the legal mandate or authority of the audit organization;
d. Human resources: Policies and procedures designed to provide the
audit organization with reasonable assurance that it has personnel with
the capabilities and competence to perform its audits in accordance
with professional standards and legal and regulatory requirements.
[Footnote not shown.];
e. Audit and attestation engagement performance, documentation, and
reporting: Policies and procedures designed to provide the audit
organization with reasonable assurance that audits and attestation
engagements are performed and reports are issued in accordance with
professional standards and legal and regulatory requirements...;
f. Monitoring of quality: An ongoing, periodic assessment of work
completed on audits and attestation engagements designed to provide
management of the audit organization with reasonable assurance that the
policies and procedures related to the system of quality control are
suitably designed and operating effectively in practice...The audit
organization should perform monitoring procedures that enable it to
assess compliance with applicable professional standards and quality
control policies and procedures for GAGAS audits. Individuals
performing monitoring should collectively have sufficient expertise and
authority for this role;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
System of Quality Control;
3.54 The audit organization should analyze and summarize the results of
its monitoring procedures at least annually, with identification of any
systemic issues needing improvement, along with recommendations for
corrective action. (Under GAGAS, reviews of the work and the report
that are performed as part of supervision are not monitoring controls
when used alone. However, these types of pre-issuance reviews may be
used as a part of this analysis and summary.);
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.55 Audit organizations performing audits and attestation engagements
in accordance with GAGAS must have an external peer review performed by
reviewers independent of the audit organization being reviewed at least
once every 3 years. [Footnote not shown.];
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.56 The audit organization should obtain an external peer review
sufficient in scope to provide a reasonable basis for determining
whether, for the period under review, [footnote not shown] the reviewed
audit organization's system of quality control was suitably designed
and whether the audit organization is complying with its quality
control system in order to provide the audit organization with
reasonable assurance of conforming with applicable professional
standards;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.57: The peer review team should include the following elements in the
scope of the peer review:
a. review of the audit organization's quality control policies and
procedures;
b. consideration of the adequacy and results of the audit
organization's internal monitoring procedures;
c. review of selected audit and attestation engagement reports and
related documentation;
d. review of other documents necessary for assessing compliance with
standards, for example, independence documentation, CPE records, and
relevant human resource management files; and;
e. interviews with a selection of the reviewed audit organization's
professional staff at various levels to assess their understanding of
and compliance with relevant quality control policies and procedures;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.58: The peer review team should perform a risk assessment to help
determine the number and types of engagements to select. Based on the
risk assessment, the team should use one or a combination of the
following approaches to selecting individual audits and attestation
engagements for review: (1) select GAGAS audits and attestation
engagements that provide a reasonable cross-section of the GAGAS
assignments performed by the reviewed audit organization or (2) select
audits and attestation engagements that provide a reasonable cross-
section from all types of work subject to the reviewed audit
organization's quality control system, including one or more
assignments performed in accordance with GAGAS. [Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.59: The peer review team should prepare one or more written reports
communicating the results of the peer review, including the following:
a. description of the scope of the peer review, including any
limitations;
b. an opinion on whether the system of quality control of the reviewed
audit organization's audit and/or attestation engagement practices was
adequately designed and compiled with during the period reviewed to
provide the audit organization with reasonable assurance of conforming
with applicable professional standards;
c. specification of the professional standards to which the reviewed
audit organization is being held;
d. for modified or adverse opinions, [footnote not shown] a description
of reasons for the modification or adverse opinion, along with a
detailed description of the findings and recommendations, in the peer
review report, to enable the reviewed audit organization to take
appropriate actions; and;
e. reference to a separate letter of comments, if such a letter is
issued;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.60: The peer review team should meet the following criteria:
a. The review team collectively has current knowledge of GAGAS and
government auditing;
b. The organization conducting the peer review and individual review
team members are independent (as defined in GAGAS) of the audit
organization being reviewed, its staff, and the audits and attestation
engagements selected for the peer review;
c. The review team collectively has sufficient knowledge of how to
perform a peer review. Such knowledge may be obtained from on-the-job
training, training courses, or a combination of both. Having personnel
on the peer review team with prior experience on a peer review or
internal inspection team is desirable;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.61: An external audit organization [footnote not shown] should make
its most recent peer review report[45] publicly available; for example,
by posting the peer review report on an external Web site or to a
publicly available file designed for public transparency of peer review
results. If neither of these options is available to the audit
organization, then it should use the same transparency mechanism it
uses to make other information public, and also provide the peer review
report to others upon request. Internal audit organizations that report
internally to management should provide a copy of the external peer
review report to those charged with governance. Government audit
organizations should also communicate the overall results and the
availability of their external peer review reports to appropriate
oversight bodies.
[45] This requirement does not include the letter of comment;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
External Peer Review;
3.62:...audit organizations seeking to enter into a contract to perform
an audit or attestation engagement in accordance with GAGAS should
provide the following to the party contracting for such services:
a. the audit organization's most recent peer review report and any
letter of comment, and;
b. any subsequent peer review reports and letters of comment received
during the period of the contract;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Types of GAGAS Audits and Attestation Engagements;
3.63:...Auditors who are using another audit organization's work should
request a copy of the audit organization's latest peer review report
and any letter of comment, and the audit organization should provide
these documents when requested...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Government Auditing Standards;
Audit Documentation;
4.22: Audit organizations should establish policies and procedures for
the safe custody and retention of audit documentation for a time
sufficient to satisfy legal, regulatory, and administrative
requirements for record retention...For audit documentation that is
retained electronically, the audit organization should establish
information systems controls concerning accessing and updating the
audit documentation;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Government Auditing Standards;
Audit Documentation;
4.24: Audit organizations should develop policies to deal with requests
by outside parties to obtain access to audit documentation, especially
when an outside party attempts to obtain information indirectly through
the auditor rather than directly from the audited entity. In developing
such policies, audit organizations should determine what laws and
regulations apply, if any;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Distributing Reports;
5.44: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the audited organization and the nature
of the information contained in the report. If the subject of the audit
involves material that is classified for security purposes or contains
confidential or sensitive information, auditors may limit the report
distribution. Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute audit
reports to those charged with governance, to the appropriate officials
of the audited entity, and to the appropriate oversight bodies or
organizations requiring or arranging for the audits. As appropriate,
auditors should also distribute copies of the reports to other
officials who have legal oversight authority or who may be responsible
for acting on audit findings and recommendations, and to others
authorized to receive such reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to the parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users in the report;
c. Public accounting firms contracted to perform an audit under GAGAS
should clarify report distribution responsibilities with the engaging
organization. If the contracted firm is to make the distribution, it
should reach agreement with the party contracting for the audit about
which officials or organizations will receive the report and the steps
being taken to make the report available to the public;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Attest Documentation;
6.24: Audit organizations should establish policies and procedures for
the safe custody and retention of documentation for a time sufficient
to satisfy legal, regulatory, and administrative requirements for
records retention...For attest documentation that is retained
electronically, the audit organization should establish information
systems controls concerning accessing and updating the attest
documentation;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Attest Documentation;
6.26: Audit organizations should develop policies to deal with requests
by outside parties to obtain access to attest documentation, especially
when an outside party attempts to obtain information indirectly through
the auditor rather than directly from the entity. In developing such
policies, audit organizations should determine what laws and
regulations apply, if any;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Distributing Reports;
6.56: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the entity and the nature of the
information contained in the report. If the subject matter or the
assertion involves material that is classified for security purposes or
contains confidential or sensitive information, auditors may limit the
report distribution. Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute reports
to those charged with governance, to the appropriate entity officials,
and to the appropriate oversight bodies or organizations requiring or
arranging for the engagements. As appropriate, auditors should also
distribute copies of the reports to other officials who have legal
oversight authority or who may be responsible for acting on engagement
findings and recommendations, and to others authorized to receive such
reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to the parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users in the report;
c. Public accounting firms contracted to perform an engagement under
GAGAS should clarify report distribution responsibilities with the
engaging organization. If the contracting firm is to make the
distribution, it should reach agreement with the party contracting for
the engagement about which officials or organizations will receive the
report and the steps being taken to make the report available to the
public;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.82: Audit organizations should establish policies and procedures for
the safe custody and retention of audit documentation for a time
sufficient to satisfy legal, regulatory, and administrative
requirements for records retention...For audit documentation that is
retained electronically, the audit organization should establish
information systems controls concerning accessing and updating the
audit documentation;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.84: Audit organizations should develop policies to deal with requests
by outside parties to obtain access to audit documentation, especially
when an outside party attempts to obtain information indirectly through
the auditor rather than directly from the audited entity. In developing
such policies, audit organizations should determine what laws and
regulations apply, if any;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits.
Distributing Reports;
8.43: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the audited organization and the nature
of the information contained in the report. If the subject of the audit
involves material that is classified for security purposes or contains
confidential or sensitive information, auditors may limit the report
distribution. � Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute audit
reports to those charged with governance, to the appropriate officials
of the audited entity, and to the appropriate oversight bodies or
organizations requiring or arranging for the audits. As appropriate,
auditors should also distribute copies of the reports to other
officials who have legal oversight authority or who may be responsible
for acting on audit findings and recommendations, and to others
authorized to receive such reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users of the report;
c. Public accounting firms contracted to perform an audit under GAGAS
should clarify report distribution responsibilities with the engaging
organization. If the contracted firm is to make the distribution, it
should reach agreement with the party contracting for the audit about
which officials or organizations will receive the report and the steps
being taken to make the report available to the public;
Must: [Check];
Should: [Empty].
Specific Requirements for Financial Audits:
GAGAS incorporate the AICPA field work and reporting standards and the
related Statements on Auditing Standards (SAS). The requirements listed
in this professional requirements tool for financial audits represent
the supplemental GAGAS requirements for financial audits. In addition
to the requirements contained in this tool, documentation of compliance
with the requirements in the AICPA field work and reporting standards
is required for financial audits conducted in accordance with GAGAS.
Auditors are advised to refer to the entire text of both GAGAS and the
AICPA field work and reporting standards and the related Statements on
Auditing Standards to obtain a comprehensive understanding of all the
requirements for financial audits conducted in accordance with GAGAS.
See paragraph 4.01a.
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.11 When auditors are required to follow GAGAS or are representing to
others that they followed GAGAS, they should follow all applicable
GAGAS requirements and should refer to compliance with GAGAS in the
auditors' report as set forth in paragraphs 1.12 and 1.13;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.12: Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS audits and attestation
engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS
compliance statement: Stating that the auditor performed the audit or
attestation engagement in accordance with GAGAS. Auditors should
include an unmodified GAGAS compliance statement in the audit report
when they have (1) followed all applicable unconditional and
presumptively mandatory GAGAS requirements, or (2) have followed all
unconditional requirements and documented justification for any
departures from applicable presumptively mandatory requirements, and
have achieved the objectives of those requirements through other means;
b. Modified GAGAS compliance statement: Stating either that (1) the
auditor performed the audit or attestation engagement in accordance
with GAGAS, except for specific applicable requirements that were not
followed or, (2) because of the significance of the departure(s) from
the requirements, the auditor was unable to and did not perform the
audit or attestation engagement in accordance with GAGAS. Situations
when auditors use modified compliance statements include scope
limitations, such as restrictions on access to records, government
officials, or other individuals needed to conduct the audit. When
auditors use a modified GAGAS statement, they should disclose in the
report the applicable requirement(s) not followed, the reasons for not
following the requirement(s), and how not following the requirements
affected, or could have affected, the audit and the assurance provided;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.13: When auditors do not comply with any applicable requirements,
they should (1) assess the significance of the noncompliance to the
audit objectives, (2) document the assessment, along with their reasons
for not following the requirement, and (3) determine the type of GAGAS
compliance statement. [Footnote not shown.] The auditors' determination
will depend on the significance of the requirements not followed in
relation to the audit objectives;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Relationship between GAGAS and Other Professional Standards;
1.14: Auditors may use GAGAS in conjunction with professional standards
issued by other authoritative bodies. Auditors may also cite the use of
other standards in their audit reports, as appropriate. If the auditor
is citing compliance with GAGAS and inconsistencies exist between GAGAS
and other standards cited, the auditor should use GAGAS as the
prevailing standard for conducting the audit and reporting the results;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
1.19: In some audits and attestation engagements, the standards
applicable to the specific audit objective will be apparent...However,
some engagements may have multiple or overlapping objectives...In cases
in which there is a choice between applicable standards, auditors
should evaluate users' needs and the auditors' knowledge, skills, and
experience in deciding which standards to follow;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Professional Services Other Than Audits (Nonaudit Services) Provided by
Audit Organizations;
1.33: GAGAS do not cover professional services other than audits or
attestation engagements (nonaudit services). � Therefore, auditors must
not report that the nonaudit services were conducted in accordance with
GAGAS. When performing nonaudit services for an entity for which the
audit organization performs a GAGAS audit or attestation engagement,
audit organizations should communicate, as appropriate, with requestors
and those charged with governance to clarify that the scope of work
performed does not constitute an audit under GAGAS;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Independence;
3.02: In all matters relating to the audit work, the audit organization
and the individual auditor, whether government or public, must be free
from personal, external, and organizational impairments to
independence, and must avoid the appearance of such impairments of
independence;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Independence;
3.03: Auditors and audit organizations must maintain independence so
that their opinions, findings, conclusions, judgments, and
recommendations will be impartial and viewed as impartial by objective
third parties with knowledge of the relevant information. Auditors
should avoid situations that could lead objective third parties with
knowledge of the relevant information to conclude that the auditors are
not able to maintain independence and thus are not capable of
exercising objective and impartial judgment on all issues associated
with conducting the audit and reporting on the work;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Independence;
3.04: When evaluating whether independence impairments exist either in
fact or appearance with respect to the entities for which audit
organizations perform audits or attestation engagements, auditors and
audit organizations must take into account the three general classes of
impairments to independence--personal, external, and organizational.
[Footnote not shown.] If one or more of these impairments affects or
can be perceived to affect independence, the audit organization (or
auditor) should decline to perform the work--except in those situations
in which an audit organization in a government entity, because of a
legislative requirement or for other reasons, cannot decline to perform
the work, in which case the government audit organization must disclose
the impairment(s) and modify the GAGAS compliance statement...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Independence;
3.05: When auditors use the work of a specialist, [footnote not shown]
auditors should assess the specialist's ability to perform the work and
report results impartially as it relates to their relationship with the
program or entity under audit. If the specialist's independence is
impaired, auditors should not use the work of that specialist;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Personal Impairments;
3.07: Auditors participating on an audit assignment must be free from
personal impairments to independence. [Footnote not shown.] Personal
impairments of auditors result from relationships or beliefs that might
cause auditors to limit the extent of the inquiry, limit disclosure, or
weaken or slant audit findings in any way. Individual auditors should
notify the appropriate officials within their audit organizations if
they have any personal impairment to independence...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Organizational Independence;
Organizational Independence When Performing Nonaudit Services;
Nonaudit Services That Would Not Impair Independence if Supplemental
Safeguards Are Implemented;
3.28: Services that do not impair the audit organization's independence
with respect to the entities they audit so long as they comply with
supplemental safeguards include the following:
a. providing basic accounting assistance limited to services such as
preparing draft financial statements that are based on management's
chart of accounts and trial balance and any adjusting, correcting, and
closing entries that have been approved by management; preparing draft
notes to the financial statements based on information determined and
approved by management; � (If the audit organization has prepared draft
financial statements and notes and performed the financial statement
audit, the auditor should obtain documentation from management in which
management acknowledges the audit organization's role in preparing the
financial statements and related notes and management's review,
approval, and responsibility for the financial statements and related
notes in the management representation letter...);
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Professional Judgment;
3.31: Auditors must use professional judgment in planning and
performing audits and attestation engagements and in reporting the
results;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Professional Judgment;
3.38: Auditors should document significant decisions affecting the
audit objectives, scope, and methodology; findings; conclusions; and
recommendations resulting from professional judgment;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Competence;
3.40: The staff assigned to perform the audit or attestation engagement
must collectively possess adequate professional competence for the
tasks required;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Technical Knowledge and Competence;
3.43: The staff assigned to conduct an audit or attestation engagement
under GAGAS must collectively possess the technical knowledge, skills,
and experience necessary to be competent for the type of work being
performed before beginning work on that assignment. The staff assigned
to a GAGAS audit or attestation engagement should collectively possess;
a. knowledge of GAGAS applicable to the type of work they are assigned
and the education, skills, and experience to apply this knowledge to
the work being performed;
b. general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c. skills to communicate clearly and effectively, both orally and in
writing; and;
d. skills appropriate for the work being performed. For example, staff
or specialist skills in;
(1) statistical sampling if the work involves use of statistical
sampling;
(2) information technology if the work involves review of information
systems;
(3) engineering if the work involves review of complex engineering
data;
(4) specialized audit methodologies or analytical techniques, such as
the use of complex survey instruments, actuarial-based estimates, or
statistical analysis tests, as applicable; or;
(5) specialized knowledge in subject matters, such as scientific,
medical, environmental, educational, or any other specialized subject
matter, if the work calls for such expertise;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Additional Qualifications for Financial Audits and Attestation
Engagements;
3.44: Auditors performing financial audits should be knowledgeable in
generally accepted accounting principles (GAAP), the American Institute
of Certified Public Accountants (AICPA) generally accepted auditing
standards for field work and reporting and the related Statements on
Auditing Standards (SAS), and the application of these standards. Also,
if auditors use GAGAS in conjunction with any other standards, they
should be knowledgeable and competent in applying those standards.
Auditors engaged to perform financial audits or attestation engagements
should be licensed certified public accountants or persons working for
a licensed certified public accounting firm or a government audit
organization. [Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Continuing Professional Education;
3.46: Auditors performing work under GAGAS, including planning,
directing, performing field work, or reporting on an audit or
attestation engagement under GAGAS, should maintain their professional
competence through continuing professional education (CPE). Therefore,
each auditor performing work under GAGAS should complete, every 2
years, at least 24 hours of CPE that directly relates to government
auditing, the government environment, or the specific or unique
environment in which the audited entity operates. For auditors who are
involved in any amount of planning, directing, or reporting on GAGAS
assignments and those auditors who are not involved in those activities
but charge 20 percent or more of their time annually to GAGAS
assignments should also obtain at least an additional 56 hours of CPE
(for a total of 80 hours of CPE in every 2-year period) that enhances
the auditor's professional proficiency to perform audits or attestation
engagements. Auditors required to take the total 80 hours of CPE should
complete at least 20 hours of CPE in each year of the 2-year period;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Continuing Professional Education;
3.49: External specialists assisting in performing a GAGAS assignment
should be qualified and maintain professional competence in their areas
of specialization but are not required to meet the GAGAS CPE
requirements described. However, auditors who use the work of external
specialists should assess the professional qualifications of such
specialists and document their findings and conclusions. Internal
specialists who are part of the audit organization and perform as a
member of the audit team should comply with GAGAS, including the CPE
requirements;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Quality Control and Assurance;
External Peer Review;
3.63: Auditors who are using another audit organization's work should
request a copy of the audit organization's latest peer review report
and any letter of comment, and the audit organization should provide
these documents when requested...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Introduction;
4.01: This chapter establishes field work standards and provides
guidance for financial audits conducted in accordance with generally
accepted government auditing standards (GAGAS). This chapter identifies
the American Institute of Certified Public Accountants (AICPA) field
work standards and prescribes additional standards for financial audits
performed in accordance with GAGAS;
a. For financial audits, GAGAS incorporate the AICPA field work and
reporting standards and the related statements on auditing standards
(SAS) unless specifically excluded or modified by GAGAS;
b. Under AICPA standards and GAGAS, auditors must plan and perform the
audit to obtain sufficient appropriate audit evidence so that audit
risk will be limited to a low level that is, in his or her professional
judgment, appropriate for expressing an opinion on the financial
statements. The high, but not absolute, level of assurance that is
intended to be obtained by auditors is expressed in the auditor's
report as obtaining reasonable assurance about whether the financial
statements are free of material misstatement (whether caused by error
or fraud). Absolute assurance is not attainable because of the nature
of audit evidence and the characteristics of fraud. Therefore, an audit
conducted in accordance with generally accepted auditing standards may
not detect a material misstatement;
Must: [Empty];
Should: [Check].
Chapter 4 - Field Work Standards for Financial Audits;
AICPA Field Work Standards;
4.03 The three AICPA generally accepted standards of field work are as
follows: [Footnote not shown.];
[Documentation of compliance with the field work requirements in the
AICPA standards and the related statements on auditing standards (SAS)
is required for financial audits conducted in accordance with GAGAS.
These AICPA standards and SAS contain requirements in addition to the
requirements in 4.03 a-c below. Use of a checklist for the AICPA
standards may be helpful for auditors to ensure compliance with these
standards.];
Must: [Check];
Should: [Check].
Chapter 4 - Field Work Standards for Financial Audits;
AICPA Field Work Standards;
a. The auditor must adequately plan the work and must properly
supervise any assistants;
Must: [Empty];
Should: [Check].
Chapter 4 - Field Work Standards for Financial Audits;
AICPA Field Work Standards;
b. The auditor must obtain a sufficient understanding of the entity and
its environment, including its internal control, to assess the risk of
material misstatement of the financial statements whether due to error
or fraud, and to design the nature, timing, and extent of further audit
procedures;
Must: [Empty];
Should: [Check].
Chapter 4 - Field Work Standards for Financial Audits;
AICPA Field Work Standards;
c. The auditor must obtain sufficient appropriate audit evidence by
performing audit procedures to afford a reasonable basis for an opinion
regarding the financial statements under audit;
Must: [Empty];
Should: [Check].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Government Auditing Standards;
4.04: GAGAS establish field work standards for financial audits in
addition to the requirements contained in the AICPA standards. Auditors
should comply with these additional standards when citing GAGAS in
their audit reports. The additional government auditing standards
relate to:
a. auditor communication during planning (see paragraphs 4.05 through
4.08);
b. previous audits and attestation engagements (see paragraph 4.09);
c. detecting material misstatements resulting from violations of
provisions of contracts or grant agreements, or from abuse (see
paragraphs 4.10 through 4.13);
d. developing elements of a finding (see paragraphs 4.14 through 4.18);
and;
e. audit documentation (see paragraphs 4.19 through 4.24);
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Auditor Communication During Planning;
4.05: Under AICPA standards and GAGAS, auditors should communicate with
the audited entity their understanding of the services to be performed
for each engagement and document that understanding through a written
communication. [Footnote not shown.] GAGAS broaden the parties included
in the communication and the items for the auditors to communicate;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Auditor Communication During Planning;
4.06: Under GAGAS, when planning the audit, auditors should communicate
certain information in writing to management of the audited entity,
those charged with governance, [footnote not shown] and to the
individuals contracting for or requesting the audit. When auditors
perform the audit pursuant to a law or regulation or they conduct the
work for the legislative committee that has oversight of the audited
entity, auditors should communicate with the legislative committee. In
those situations where there is not a single individual or group that
both oversees the strategic direction of the entity and the fulfillment
of its accountability obligations or in other situations where the
identity of those charged with governance is not clearly evident,
auditors should document the process followed and conclusions reached
for identifying the appropriate individuals to receive the required
auditor communications. Auditors should communicate the following
additional information under GAGAS:
a. The nature of planned work and level of assurance to be provided
related to internal control over financial reporting and compliance
with laws, regulations, and provisions of contracts or grant
agreements;
b. Any potential restriction on the auditors' reports, in order to
reduce the risk that the needs or expectations of the parties involved
may be misinterpreted;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Auditor Communication During Planning;
4.08: If an audit is terminated before it is completed and an audit
report is not issued, auditors should document the results of the work
to the date of termination and why the audit was terminated...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Previous Audits and Attestation Engagements;
4.09: Auditors should evaluate whether the audited entity has taken
appropriate corrective action to address findings and recommendations
from previous engagements that could have a material effect on the
financial statements. When planning the audit, auditors should ask
management of the audited entity to identify previous audits,
attestation engagements, and other studies that directly relate to the
objectives of the audit, including whether related recommendations have
been implemented. Auditors should use this information in assessing
risk and determining the nature, timing, and extent of current audit
work, including determining the extent to which testing the
implementation of the corrective actions is applicable to the current
audit objectives;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Detecting Material Misstatements Resulting from Violations of
Provisions of Contracts or Grant Agreements, or from Abuse;
4.10: Auditors should design the audit to provide reasonable assurance
of detecting misstatements that result from violations of provisions of
contracts or grant agreements and could have a direct and material
effect on the determination of financial statement amounts or other
financial data significant to the audit objectives;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Detecting Material Misstatements Resulting from Violations of
Provisions of Contracts or Grant Agreements, or from Abuse;
4.11: If specific information comes to the auditors' attention that
provides evidence concerning the existence of possible violations of
provisions of contracts or grant agreements that could have a material
indirect effect on the financial statements, the auditors should apply
audit procedures specifically directed to ascertaining whether such
violations have occurred When the auditors conclude that a violation of
provisions of contracts or grant agreements has or is likely to have
occurred, they should determine the effect on the financial statements
as well as the implications for other aspects of the audit;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Detecting Material Misstatements Resulting from Violations of
Provisions of Contracts or Grant Agreements, or from Abuse;
4.13: If during the course of the audit, auditors become aware of abuse
that could be quantitatively or qualitatively material to the financial
statements, auditors should apply audit procedures specifically
directed to ascertain the potential effect on the financial statements
or other financial data significant to the audit objectives...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Developing Elements of a Finding;
4.14:... When auditors identify deficiencies, auditors should plan and
perform procedures to develop the elements of the findings that are
relevant and necessary to achieve the audit objectives...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Audit Documentation;
4.19: Under AICPA standards and GAGAS, auditors must prepare audit
documentation in connection with each audit in sufficient detail to
provide a clear understanding of the work performed (including the
nature, timing, extent, and results of audit procedures performed), the
audit evidence obtained and its source, and the conclusions reached.
[Footnote not shown.] Under AICPA standards and GAGAS, auditors should
prepare audit documentation that enables an experienced auditor,
[footnote not shown] having no previous connection to the audit, to
understand:
a. the nature, timing, and extent of auditing procedures performed to
comply with GAGAS and other applicable standards and requirements;
b. the results of the audit procedures performed and the audit evidence
obtained;
c. the conclusions reached on significant matters; and;
d. that the accounting records agree or reconcile with the audited
financial statements or other audited information;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Audit Documentation;
4.20 Under GAGAS, auditors also should document, before the audit
report is issued, evidence of supervisory review of the work performed
that supports findings, conclusions, and recommendations contained in
the audit report;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Audit Documentation;
4.21: When auditors do not comply with applicable GAGAS requirements
due to law, regulation, scope limitations, restrictions on access to
records, or other issues impacting the audit, the auditors should
document the departure from the GAGAS requirements and the impact on
the audit and on the auditors' conclusions. This applies to departures
from both mandatory requirements and presumptively mandatory
requirements where alternative procedures performed in the
circumstances were not sufficient to achieve the objectives of the
standard...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Audit Documentation;
4.23 ...Subject to applicable laws and regulations, auditors should
make appropriate individuals, as well as audit documentation, available
upon request and in a timely manner to other auditors or reviewers to
satisfy these objectives...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
Consideration of Fraud and Illegal Acts;
4.27: Under both the AICPA standards [footnote not shown] and GAGAS,
auditors should plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. [Footnote not
shown.]...;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
Consideration of Fraud and Illegal Acts;
4.28: Under both the AICPA standards [footnote not shown] and GAGAS,
auditors should design the audit to provide reasonable assurance of
detecting material misstatements resulting from illegal acts that could
have a direct and material effect on the financial statements.
[Footnote not shown.] If specific information comes to the auditors'
attention that provides evidence concerning the existence of possible
illegal acts [footnote not shown] that could have a material indirect
effect on the financial statements, the auditors should apply audit
procedures specifically directed to ascertaining whether an illegal act
has occurred. When an illegal act has or is likely to have occurred,
auditors should determine the effect on the financial statements as
well as the implications for other aspects of the audit;
Must: [Check];
Should: [Empty].
Chapter 4 - Field Work Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
Ongoing Investigations or Legal Proceedings;
4.29: ...When investigations or legal proceedings are initiated or in
process, auditors should evaluate the impact on the current audit. In
some cases, it may be appropriate for the auditors to work with
investigators and/or legal authorities, or withdraw from or defer
further work on the audit engagement or a portion of the engagement to
avoid interfering with an investigation;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
AICPA Reporting Standards;
5.03: The four AICPA generally accepted standards of reporting
[footnote not shown] are as follows:
[Documentation of compliance with the reporting requirements in the
AICPA standards and the related statements on auditing standards (SAS)
is required for financial audits conducted in accordance with GAGAS.
These AICPA standards and SAS contain requirements in addition to the
requirements in 5.03 a-d below. Use of a checklist for the AICPA
standards may be helpful for auditors to ensure compliance with these
standards.];
Must: [Check];
Should: [Check].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
AICPA Reporting Standards;
a. The auditor must state in the auditor's report whether the financial
statements are presented in accordance with generally accepted
accounting principles (GAAP);
Must: [Empty];
Should: [Check].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
AICPA Reporting Standards;
b. The auditor must identify in the auditor's report those
circumstances in which such principles have not been consistently
observed in the current period in relation to the preceding period;
Must: [Empty];
Should: [Check].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
AICPA Reporting Standards;
c. When the auditor determines that informative disclosures are not
reasonably adequate, the auditor must so state in the auditor's report;
Must: [Empty];
Should: [Check].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Considerations for GAGAS Financial Audits;
AICPA Reporting Standards;
d. The auditor must either express an opinion regarding the financial
statements, taken as a whole, or state that an opinion cannot be
expressed, in the auditor's report. When the auditor cannot express an
overall opinion, the auditor should state the reasons therefor in the
auditor's report. In all cases where an auditor's name is associated
with financial statements, the auditor should clearly indicate the
character of the auditor's work, if any, and the degree of
responsibility the auditor is taking in the auditor's report;
Must: [Empty];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
5.04: GAGAS establish reporting standards for financial audits in
addition to the standards contained in the AICPA standards. Auditors
should comply with these additional standards when citing GAGAS in
their audit reports. The additional government auditing standards
relate to:
a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 and
5.06);
b. reporting on internal control and compliance with laws, regulations,
and provisions of contracts or grant agreements (see paragraphs 5.07
through 5.09);
c. reporting deficiencies in internal control, fraud, illegal acts,
violations of provisions of contracts or grant agreements, and abuse
(see paragraphs 5.10 through 5.22);
d. communicating significant matters in the auditors' report (see
paragraphs 5.23 through 5.25);
e. reporting on the restatement of previously-issued financial
statements (see paragraphs 5.26 through 5.31);
f. reporting views of responsible officials (see paragraphs 5.32
through 5.38);
g. reporting confidential or sensitive information (see paragraphs 5.39
through 5.43); and;
h. distributing reports (see paragraph 5.44);
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Auditors' Compliance with GAGAS;
5.05: When auditors comply with all applicable GAGAS requirements, they
should include a statement in the auditors' report that they performed
the audit in accordance with GAGAS...;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting on Internal Control and Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements;
5.07: When providing an opinion or a disclaimer on financial
statements, auditors must also report on internal control over
financial reporting and on compliance with laws, regulations, and
provisions of contracts or grant agreements;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting on Internal Control and Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements;
5.08: Auditors should include either in the same or in separate
report(s) a description of the scope of the auditors' testing of
internal control over financial reporting and compliance with laws,
regulations, and provisions of contracts or grant agreements. If the
auditors issue separate reports, they should include a reference to the
separate reports in the report on financial statements. Auditors should
state in the reports whether the tests they performed provided
sufficient, appropriate evidence to support an opinion on the
effectiveness of internal control over financial reporting and on
compliance with laws, regulations, and provisions of contracts or grant
agreements. The internal control reporting standard under GAGAS differs
from the objective of an examination of internal control in accordance
with the AICPA Statement on Standards for Attestation Engagements
(SSAE), which is to express an opinion on the design or the design and
operating effectiveness of an entity's internal control, as applicable.
To form a basis for expressing such an opinion, the auditor must plan
and perform the examination to obtain reasonable assurance about
whether the entity maintained, in all material respects, effective
internal control as of a point in time or for a specified period of
time;
Must: [Empty];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting on Internal Control and Compliance with Laws, Regulations,
and Provisions of Contracts or Grant Agreements;
5.09: When auditors report separately (including separate reports bound
in the same document) on internal control over financial reporting and
compliance with laws and regulations and provisions of contracts or
grant agreements, they should state in the financial statement audit
report that they are issuing those additional reports. They should
include a reference to the separate reports[54] and also state that the
reports on internal control over financial reporting and compliance
with laws and regulations and provisions of contracts or grant
agreements are an integral part of a GAGAS audit and important for
assessing the results of the audit. If auditors issued or intend to
issue a management letter, they should refer to that management letter
in the reports;
[54] This requirement applies to financial statement audits described
in paragraph 1.22a. It does not apply to other types of financial
audits described in paragraph 1.22b;
Must: [Empty];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, and Abuse;
5.10: For financial audits, including audits of financial statements in
which auditors provide an opinion or disclaimer, auditors should
report, as applicable to the objectives of the audit, and based upon
the audit work performed, (1) significant deficiencies in internal
control, identifying those considered to be material weaknesses; (2)
all instances of fraud and illegal acts unless inconsequential; and (3)
violations of provisions of contracts or grant agreements and abuse
that could have a material effect on the financial statements.
[Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Deficiencies in Internal Control;
5.11: For all financial audits, auditors should report the following
deficiencies in internal control:
a. Significant deficiency: a deficiency in internal control, or
combination of deficiencies, that adversely affects the entity's
ability to initiate, authorize, record, process, or report financial
data reliably in accordance with GAAP such that there is more than a
remote [footnote not shown] likelihood that a misstatement of the
entity's financial statements that is more than inconsequential
[footnote not shown]will not be prevented or detected. [Footnote not
shown.];
b. Material weakness: a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Deficiencies in Internal Control;
5.13: Auditors should include all significant deficiencies in the
auditors' report on internal control over financial reporting and
indicate those that represent material weaknesses. If (1) a significant
deficiency is remediated before the auditors' report is issued and (2)
the auditors obtain sufficient, appropriate evidence supporting the
remediation of the significant deficiency, then the auditors should
report the significant deficiency and the fact that it was remediated
before the auditors' report was issued;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Deficiencies in Internal Control;
5.14 Determining whether and how to communicate to officials of the
audited entity internal control deficiencies that have an
inconsequential effect on the financial statements is a matter of
professional judgment. Auditors should document such communications;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
5.15 Under AICPA standards and GAGAS, auditors have responsibilities
for detecting fraud and illegal acts that have a material effect on the
financial statements and determining whether those charged with
governance are adequately informed about fraud and illegal acts. GAGAS
include additional reporting standards. When auditors conclude, based
on sufficient, appropriate evidence, that any of the following either
has occurred or is likely to have occurred, they should include in
their audit report the relevant information about;
a. fraud and illegal acts [footnote not shown] that have an effect on
the financial statements that is more than inconsequential,;
b. violations of provisions of contracts or grant agreements that have
a material effect on the determination of financial statement amounts
or other financial data significant to the audit, and;
c. abuse that is material, either quantitatively or qualitatively...;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
5.16: When auditors detect violations of provisions of contracts or
grant agreements or abuse that have an effect on the financial
statements that is less than material but more than inconsequential,
they should communicate those findings in writing to officials of the
audited entity. Determining whether and how to communicate to officials
of the audited entity fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse that is inconsequential is a
matter of professional judgment. Auditors should document such
communications;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Audited Entity;
5.18: Auditors should report known or likely fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly to parties outside the audited entity in the following two
circumstances. [Footnote not shown.];
a. When entity management fails to satisfy legal or regulatory
requirements to report such information to external parties specified
in law or regulation, auditors should first communicate the failure to
report such information to those charged with governance. If the
audited entity still does not report this information to the specified
external parties as soon as practicable after the auditors'
communication with those charged with governance, then the auditors
should report the information directly to the specified external
parties;
b. When entity management fails to take timely and appropriate steps to
respond to known or likely fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that (1) is
likely to have a material effect on the financial statements and (2)
involves funding received directly or indirectly from a government
agency, auditors should first report management's failure to take
timely and appropriate steps to those charged with governance. If the
audited entity still does not take timely and appropriate steps as soon
as practicable after the auditors' communication with those charged
with governance, then the auditors should report the entity's failure
to take timely and appropriate steps directly to the funding agency;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Audited Entity;
5.19: The reporting in paragraph 5.18 is in addition to any legal
requirements to report such information directly to parties outside the
audited entity. Auditors should comply with these requirements even if
they have resigned or been dismissed from the audit prior to its
completion;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Audited Entity;
5.20: Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by
management of the audited entity that it has reported such findings in
accordance with laws, regulations, and funding agreements. When
auditors are unable to do so, they should report such information
directly as discussed in paragraph 5.18;
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Audited Entity;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Presenting Findings in the Auditors' Report;
5.21: In presenting findings such as deficiencies in internal control,
fraud, illegal acts, violations of provisions of contracts or grant
agreements, and abuse, auditors should develop the elements of the
findings to the extent necessary to achieve the audit objectives...;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Presenting Findings in the Auditors' Report;
5.22 Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors should, as applicable, relate the instances identified to the
population or the number of cases examined and quantify the results in
terms of dollar value or other measures, as appropriate. If the results
cannot be projected, auditors should limit their conclusions
appropriately;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting on Restatement of Previously-Issued Financial Statements;
5.26: AICPA Professional Standards, AU Section 561, "Subsequent
Discovery of Facts Existing at the Date of the Auditor's Report,"
establish standards and provide guidance for situations when auditors
become aware of new information that could have affected their report
on previously-issued financial statements. [Footnote not shown.] Under
AU Section 561, if auditors become aware of new information that might
have affected their opinion on previously-issued financial
statement(s), then the auditors should advise entity management to
determine the potential effect(s) of the new information on the
previously-issued financial statement(s) as soon as reasonably
possible. Such new information may lead management to conclude that
previously-issued financial statements were materially misstated and to
restate and reissue the misstated financial statements. In such
circumstances, auditors should advise management to make appropriate
disclosure of the newly discovered facts and their impact on the
financial statements to those who are likely to rely on the financial
statements. [Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting on Restatement of Previously-Issued Financial Statements;
5.27: Under GAGAS, auditors should advise management to make
appropriate disclosures when the auditors believe that the following
conditions exist: (1) it is likely that previously-issued financial
statements are misstated and (2) the misstatement is or reasonably
could be material. Under GAGAS, auditors also should perform the
following procedures related to restated financial statements:[65];
[65] These additional GAGAS requirements also apply to other financial
information on which auditors opine, such as schedules of expenditures
of federal awards;
a. evaluate the timeliness and appropriateness of management's
disclosure and actions to determine and correct misstatements in
previously-issued financial statements (see paragraph 5.28),;
b. report on restated financial statements (see paragraphs 5.29 and
5.30), and;
c. report directly to appropriate officials when the audited entity
does not take the necessary steps (see paragraph 5.31);
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Evaluate the Timeliness and Appropriateness of Management's Disclosure
and Actions to Determine and Correct Misstatements in Previously-Issued
Financial Statements;
5.28: Auditors should evaluate the timeliness and appropriateness of
management's disclosure to those who are likely to rely on the
financial statements and management's actions to determine and correct
misstatements in previously-issued financial statements in accordance
with AU Sections 561.06 through 561.08. Under GAGAS, auditors also
should evaluate whether management;
a. acted in an appropriate time frame after new information was
available to (1) determine the financial statement effects of the new
information and (2) notify those who are likely to rely on the
financial statements;
b. disclosed the nature and extent of the known or likely material
misstatements on Web pages where management has published the auditors'
report on the previously-issued financial statements; and;
c. disclosed the following information in the entity's restated
financial statements: (1) the nature and cause(s) of the
misstatement(s) that led to the need for restatement, (2) the specific
amount(s) of the material misstatement(s), and (3) the related
effect(s) on the previously-issued financial statement(s) (e.g.,
year(s) being restated, specific financial statement(s) affected and
line items restated, actions the agency's management took after
discovering the misstatement), and (4) the impact on the financial
statements as a whole (e.g., change in overall net position, change in
the audit opinion) and on key information included in the Management
Discussion & Analysis;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Report on Restated Financial Statements;
5.29: When management restates financial statements, auditors should
perform audit procedures sufficient to reissue or update the auditors'
report on the restated financial statements regardless of whether the
restated financial statements are separately issued or presented on a
comparative basis with those of a subsequent period. [Footnote not
shown.] Auditors should include the following in an explanatory
paragraph in the reissued or updated auditors' report:
a. a statement disclosing that the previously-issued financial
statements have been restated;
b. a statement that (1) the previously-issued auditors' report
(identified by report date) is not to be relied on because the
previously-issued financial statements were materially misstated and
(2) the previously-issued auditors' report is replaced by the auditors'
report on the restated financial statements;
c. a reference to the note(s) to the restated financial statements that
discusses the restatement; and;
d. if applicable, a reference to the report on internal control
containing a discussion of any significant internal control deficiency
identified by the auditors as having failed to prevent or detect the
misstatement and any corrective action taken by management to address
the deficiency;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Evaluate the Timeliness and Appropriateness of Management's Disclosure
and Actions to Determine and Correct Misstatements in Previously-Issued
Financial Statements;
5.30: Management's failure to include appropriate disclosures, as
discussed in paragraph 5.28c, in restated financial statements may have
implications for the audit. In addition, auditors should include the
omitted disclosures in the auditors' report, if practicable;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Report Directly to Appropriate Officials When the Audited Entity Does
Not Take the Necessary Steps;
5.31: Auditors should notify those charged with governance if entity
management (1) does not act in an appropriate time frame after new
information was available to determine the financial statement effects
of the new information and take the necessary steps to timely inform
those who are likely to rely on the financial statements and the
related auditors' reports of the situation or (2) does not restate with
reasonable timeliness the financial statements under circumstances in
which auditors believe they need to be restated. Auditors should inform
those charged with governance that the auditors will take steps to
prevent further reliance on the auditors' report and advise them to
notify oversight bodies and funding agencies that rely on the financial
statements. If those charged with governance do not notify appropriate
oversight bodies and funding agencies, then the auditors should do so.
[Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
5.32: If the auditors' report discloses deficiencies in internal
control, fraud, illegal acts, violations of provisions of contracts or
grant agreements, or abuse, auditors should obtain and report the views
of responsible officials concerning the findings, conclusions, and
recommendations, as well as planned corrective actions;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
5.34: When auditors receive written comments from the responsible
officials, they should include in their report a copy of the officials'
written comments, or a summary of the comments received. When the
responsible officials provide oral comments only, auditors should
prepare a summary of the oral comments and provide a copy of the
summary to the responsible officials to verify that the comments are
accurately stated;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
5.35: Auditors should also include in the report an evaluation of the
comments, as appropriate...;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
5.37: When the audited entity's comments are inconsistent or in
conflict with findings, conclusions, or recommendations in the draft
report, or when planned corrective actions do not adequately address
the auditors' recommendations, the auditors should evaluate the
validity of the audited entity's comments. If the auditors disagree
with the comments, they should explain in the report their reasons for
disagreement. Conversely, the auditors should modify their report as
necessary if they find the comments valid and supported with
sufficient, appropriate evidence;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
5.38: If the audited entity refuses to provide comments or is unable to
provide comments within a reasonable period of time, the auditors may
issue the report without receiving comments from the audited entity. In
such cases, the auditors should indicate in the report that the audited
entity did not provide comments;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
5.39: If certain pertinent information is prohibited from public
disclosure or is excluded from a report due to the confidential or
sensitive nature of the information, auditors should disclose in the
report that certain information has been omitted and the reason or
other circumstances that makes the omission necessary;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
5.42: Considering the broad public interest in the program or activity
under review assists auditors when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the audit results or conceal improper or
illegal practices;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
5.43: When audit organizations are subject to public records laws,
auditors should determine whether public records laws could impact the
availability of classified or limited use reports and determine whether
other means of communicating with management and those charged with
governance would be more appropriate...;
Must: [Check];
Should: [Empty].
Chapter 5 - Reporting Standards for Financial Audits;
Additional Government Auditing Standards;
Distributing Reports;
5.44: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the audited organization and the nature
of the information contained in the report. If the subject of the audit
involves material that is classified for security purposes or contains
confidential or sensitive information, auditors may limit the report
distribution. Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute audit
reports to those charged with governance, to the appropriate officials
of the audited entity, and to the appropriate oversight bodies or
organizations requiring or arranging for the audits. As appropriate,
auditors should also distribute copies of the reports to other
officials who have legal oversight authority or who may be responsible
for acting on audit findings and recommendations, and to others
authorized to receive such reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to the parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users in the report;
c. Public accounting firms contracted to perform an audit under GAGAS
should clarify report distribution responsibilities with the engaging
organization. If the contracted firm is to make the distribution, it
should reach agreement with the party contracting for the audit about
which officials or organizations will receive the report and the steps
being taken to make the report available to the public;
Must: [Check];
Should: [Empty].
[End of table]
Specific Requirements for Attestation Engagements:
GAGAS incorporate the AICPA general standard on criteria, and the field
work and reporting standards and the related Statements on Standards
for Attestation Engagements (SSAE). The requirements listed in this
professional requirements tool for attestation engagements represent
the supplemental GAGAS requirements for attestation engagements. In
addition to the requirements contained in this tool, documentation of
compliance with the requirements in the AICPA general standard on
criteria and the field work and reporting standards is required for
attestation engagements conducted in accordance with GAGAS. Auditors
are advised to refer to the entire text of the both GAGAS and the AICPA
general standard on criteria, and the field work and reporting
standards and the related Statements on Standards for Attestation
Engagements to obtain a comprehensive understanding of all the
requirements for attestation engagements conducted in accordance with
GAGAS. See paragraph 6.01.
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.11: When auditors are required to follow GAGAS or are representing to
others that they followed GAGAS, they should follow all applicable
GAGAS requirements and should refer to compliance with GAGAS in the
auditors' report as set forth in paragraphs 1.12 and 1.13;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.12: Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS audits and attestation
engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS
compliance statement: Stating that the auditor performed the audit or
attestation engagement in accordance with GAGAS. Auditors should
include an unmodified GAGAS compliance statement in the audit report
when they have (1) followed all applicable unconditional and
presumptively mandatory GAGAS requirements, or (2) have followed all
unconditional requirements and documented justification for any
departures from applicable presumptively mandatory requirements, and
have achieved the objectives of those requirements through other means;
b. Modified GAGAS compliance statement: Stating either that (1) the
auditor performed the audit or attestation engagement in accordance
with GAGAS, except for specific applicable requirements that were not
followed or, (2) because of the significance of the departure(s) from
the requirements, the auditor was unable to and did not perform the
audit or attestation engagement in accordance with GAGAS. Situations
when auditors use modified compliance statements include scope
limitations, such as restrictions on access to records, government
officials, or other individuals needed to conduct the audit. When
auditors use a modified GAGAS statement, they should disclose in the
report the applicable requirement(s) not followed, the reasons for not
following the requirement(s), and how not following the requirements
affected, or could have affected, the audit and the assurance provided;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.13: When auditors do not comply with any applicable requirements,
they should (1) assess the significance of the noncompliance to the
audit objectives, (2) document the assessment, along with their reasons
for not following the requirement, and (3) determine the type of GAGAS
compliance statement. [Footnote not shown.] The auditors' determination
will depend on the significance of the requirements not followed in
relation to the audit objectives;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Relationship between GAGAS and Other Professional Standards;
1.14: Auditors may use GAGAS in conjunction with professional standards
issued by other authoritative bodies. Auditors may also cite the use of
other standards in their audit reports, as appropriate. If the auditor
is citing compliance with GAGAS and inconsistencies exist between GAGAS
and other standards cited, the auditor should use GAGAS as the
prevailing standard for conducting the audit and reporting the results;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
1.19: In some audits and attestation engagements, the standards
applicable to the specific audit objective will be apparent...However,
some engagements may have multiple or overlapping objectives...In cases
in which there is a choice between applicable standards, auditors
should evaluate users' needs and the auditors' knowledge, skills, and
experience in deciding which standards to follow;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Attestation Engagements;
1.23: Attestation engagements can cover a broad range of financial or
nonfinancial objectives and may provide different levels of assurance
about the subject matter or assertion depending on the users' needs.
Attestation engagements result in an examination, a review, or an
agreed-upon procedures report on a subject matter or on an assertion
about a subject matter that is the responsibility of another party. The
three types of attestation engagements are:
a. Examination: Consists of obtaining sufficient, appropriate evidence
to express an opinion on whether the subject matter is based on (or in
conformity with) the criteria in all material respects or the assertion
is presented (or fairly stated), in all material respects, based on the
criteria;
b. Review: Consists of sufficient testing to express a conclusion about
whether any information came to the auditors' attention on the basis of
the work performed that indicates the subject matter is not based on
(or not in conformity with) the criteria or the assertion is not
presented (or not fairly stated) in all material respects based on the
criteria. As stated in the AICPA SSAE, auditors should not perform
review-level work for reporting on internal control or compliance with
laws and regulations;
c. Agreed-Upon Procedures: Consists of specific procedures performed on
a subject matter;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Professional Services Other Than Audits (Nonaudit Services) Provided by
Audit Organizations;
1.33: GAGAS do not cover professional services other than audits or
attestation engagements (nonaudit services). � Therefore, auditors must
not report that the nonaudit services were conducted in accordance with
GAGAS. When performing nonaudit services for an entity for which the
audit organization performs a GAGAS audit or attestation engagement,
audit organizations should communicate, as appropriate, with requestors
and those charged with governance to clarify that the scope of work
performed does not constitute an audit under GAGAS;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Independence;
3.02: In all matters relating to the audit work, the audit organization
and the individual auditor, whether government or public, must be free
from personal, external, and organizational impairments to
independence, and must avoid the appearance of such impairments of
independence;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Independence;
3.03: Auditors and audit organizations must maintain independence so
that their opinions, findings, conclusions, judgments, and
recommendations will be impartial and viewed as impartial by objective
third parties with knowledge of the relevant information. Auditors
should avoid situations that could lead objective third parties with
knowledge of the relevant information to conclude that the auditors are
not able to maintain independence and thus are not capable of
exercising objective and impartial judgment on all issues associated
with conducting the audit and reporting on the work;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Independence;
3.04: When evaluating whether independence impairments exist either in
fact or appearance with respect to the entities for which audit
organizations perform audits or attestation engagements, auditors and
audit organizations must take into account the three general classes of
impairments to independence--personal, external, and organizational.
[Footnote not shown.] If one or more of these impairments affects or
can be perceived to affect independence, the audit organization (or
auditor) should decline to perform the work--except in those situations
in which an audit organization in a government entity, because of a
legislative requirement or for other reasons, cannot decline to perform
the work, in which case the government audit organization must disclose
the impairment(s) and modify the GAGAS compliance statement...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Independence;
3.05: When auditors use the work of a specialist, [footnote not shown]
auditors should assess the specialist's ability to perform the work and
report results impartially as it relates to their relationship with the
program or entity under audit. If the specialist's independence is
impaired, auditors should not use the work of that specialist;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Personal Impairments;
3.07: Auditors participating on an audit assignment must be free from
personal impairments to independence. [Footnote not shown.] Personal
impairments of auditors result from relationships or beliefs that might
cause auditors to limit the extent of the inquiry, limit disclosure, or
weaken or slant audit findings in any way. Individual auditors should
notify the appropriate officials within their audit organizations if
they have any personal impairment to independence...;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Professional Judgment;
3.31: Auditors must use professional judgment in planning and
performing audits and attestation engagements and in reporting the
results;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Professional Judgment;
3.38: Auditors should document significant decisions affecting the
audit objectives, scope, and methodology; findings; conclusions; and
recommendations resulting from professional judgment;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Competence;
3.40: The staff assigned to perform the audit or attestation engagement
must collectively possess adequate professional competence for the
tasks required;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Technical Knowledge and Competence;
3.43: The staff assigned to conduct an audit or attestation engagement
under GAGAS must collectively possess the technical knowledge, skills,
and experience necessary to be competent for the type of work being
performed before beginning work on that assignment. The staff assigned
to a GAGAS audit or attestation engagement should collectively possess;
a. knowledge of GAGAS applicable to the type of work they are assigned
and the education, skills, and experience to apply this knowledge to
the work being performed;
b. general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c. skills to communicate clearly and effectively, both orally and in
writing; and;
d. skills appropriate for the work being performed. For example, staff
or specialist skills in;
(1) statistical sampling if the work involves use of statistical
sampling;
(2) information technology if the work involves review of information
systems;
(3) engineering if the work involves review of complex engineering
data;
(4) specialized audit methodologies or analytical techniques, such as
the use of complex survey instruments, actuarial-based estimates, or
statistical analysis tests, as applicable; or:
(5) specialized knowledge in subject matters, such as scientific,
medical, environmental, educational, or any other specialized subject
matter, if the work calls for such expertise;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Additional Qualifications for Financial Audits and Attestation
Engagements;
3.44: Auditors performing financial audits should be knowledgeable in
generally accepted accounting principles (GAAP), the American Institute
of Certified Public Accountants (AICPA) generally accepted auditing
standards for field work and reporting and the related Statements on
Auditing Standards (SAS), and the application of these standards. Also,
if auditors use GAGAS in conjunction with any other standards, they
should be knowledgeable and competent in applying those standards.
Auditors engaged to perform financial audits or attestation engagements
should be licensed certified public accountants or persons working for
a licensed certified public accounting firm or a government audit
organization. [Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Additional Qualifications for Financial Audits and Attestation
Engagements;
3.45: Similarly, for attestation engagements, GAGAS incorporate the
AICPA attestation standards. Auditors should be knowledgeable in the
AICPA general attestation standard related to criteria, the AICPA
attestation standards for field work and reporting, and the related
Statements on Standards for Attestation Engagements (SSAE), and they
should be competent in applying these standards and SSAE to the task
assigned. Also, if auditors use GAGAS in conjunction with any other
standards, they should be knowledgeable and competent in applying those
standards;
Chapter 3 - General Standards;
Continuing Professional Education;
3.46: Auditors performing work under GAGAS, including planning,
directing, performing field work, or reporting on an audit or
attestation engagement under GAGAS, should maintain their professional
competence through continuing professional education (CPE). Therefore,
each auditor performing work under GAGAS should complete, every 2
years, at least 24 hours of CPE that directly relates to government
auditing, the government environment, or the specific or unique
environment in which the audited entity operates. For auditors who are
involved in any amount of planning, directing, or reporting on GAGAS
assignments and those auditors who are not involved in those activities
but charge 20 percent or more of their time annually to GAGAS
assignments should also obtain at least an additional 56 hours of CPE
(for a total of 80 hours of CPE in every 2-year period) that enhances
the auditor's professional proficiency to perform audits or attestation
engagements. Auditors required to take the total 80 hours of CPE should
complete at least 20 hours of CPE in each year of the 2-year period;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Continuing Professional Education;
3.49 External specialists assisting in performing a GAGAS assignment
should be qualified and maintain professional competence in their areas
of specialization but are not required to meet the GAGAS CPE
requirements described. However, auditors who use the work of external
specialists should assess the professional qualifications of such
specialists and document their findings and conclusions. Internal
specialists who are part of the audit organization and perform as a
member of the audit team should comply with GAGAS, including the CPE
requirements;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Quality Control and Assurance;
External Peer Review;
3.63: Auditors who are using another audit organization's work should
request a copy of the audit organization's latest peer review report
and any letter of comment, and the audit organization should provide
these documents when requested...;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
AICPA General and Field Work Standards for Attestation Engagements;
6.03: The AICPA general standard related to criteria is as follows:
The practitioner [auditor] must have reason to believe that the subject
matter is capable of evaluation against criteria that are suitable and
available to users.
[Documentation of compliance with the AICPA general standard related to
criteria is required for attestation engagements conducted in
accordance with GAGAS. These AICPA standards and SSAE contain
requirements in addition to the requirements in 6.03 above. Use of a
checklist for the AICPA standards may be helpful for auditors to ensure
compliance with these standards.];
Must: [Empty];
Should: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
AICPA General and Field Work Standards for Attestation Engagements;
6.04: The two AICPA field work standards for attestation engagements
are as follows:
[Documentation of compliance with the field work requirements in the
AICPA standards and the related statements on standards for attestation
engagements (SSAE) is required for attestation engagements conducted in
accordance with GAGAS. These AICPA standards and SSAE contain
requirements in addition to the requirements in 6.04 a-b below. Use of
a checklist for the AICPA standards may be helpful for auditors to
ensure compliance with these standards.];
Must: [Check];
Should: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
AICPA General and Field Work Standards for Attestation Engagements;
a. The practitioner [auditor] must adequately plan the work and must
properly supervise any assistants;
Must: [Empty];
Should: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
AICPA General and Field Work Standards for Attestation Engagements;
b. The practitioner [auditor] must obtain sufficient evidence to
provide a reasonable basis for the conclusion that is expressed in the
report;
Must: [Empty];
Should: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
6.05: GAGAS establish attestation engagement field work standards in
addition to the requirements contained in the AICPA standards. Auditors
should comply with these additional standards when citing GAGAS in
their attestation engagement reports. The additional government
auditing standards relate to; a. auditor communication during planning
(see paragraphs 6.06 through 6.08);
b. previous audits and attestation engagements (see paragraph 6.09);
c. internal control (see paragraphs 6.10 through 6.12);
d. fraud, illegal acts, violations of provisions of contracts or grant
agreements, or abuse that could have a material effect on the subject
matter (see paragraphs 6.13 and 6.14);
e. developing elements of a finding (see paragraphs 6.15 through 6.19);
and;
f. documentation (see paragraphs 6.20 through 6.26);
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Auditor Communication During Planning.
6.06: Under AICPA standards and GAGAS, auditors should establish an
understanding with the entity regarding the services to be performed
for each engagement. Auditors also should obtain written acknowledgment
or other evidence of the entity's responsibilities for the subject
matter or the written assertion as it relates to the objectives of the
engagement. GAGAS broaden the parties included in the communications
during planning and contain additional items in the communications;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Auditor Communication During Planning;
6.07: Under GAGAS, when planning the engagement, auditors should
communicate certain information, including their understanding of the
services to be performed for each engagement, in writing to entity
management, those charged with governance, [footnote not shown] and to
the individuals contracting for or requesting the engagement. When
auditors perform the engagement pursuant to a law or regulation or they
conduct the work for the legislative committee that has oversight of
the entity, auditors should communicate with the legislative committee.
In those situations where there is not a single individual or group
that both oversees the strategic direction of the entity and the
fulfillment of its accountability obligations or in other situations
where the identity of those charged with governance is not clearly
evident, the auditors should document the process followed and
conclusions reached for identifying the appropriate individuals to
receive the required auditor communications. Auditors should
communicate the following additional information under GAGAS:
a. the nature, timing, and extent of planned testing and reporting;
b. the level of assurance the auditor will provide; and;
c. any potential restriction on the auditors' reports, in order to
reduce the risk that the needs or expectations of the parties involved
may be misinterpreted;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Auditor Communication During Planning;
6.08: If an engagement is terminated before it is completed and a
report is not issued, auditors should document the results of the work
to the date of termination and why the engagement was terminated...;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Previous Audits and Attestation Engagements;
6.09: Auditors should evaluate whether the audited entity has taken
appropriate corrective action to address findings and recommendations
from previous engagements that could have a material effect on the
subject matter. When planning the engagement, auditors should ask
entity management to identify previous audits, attestation engagements,
and other studies that directly relate to the subject matter of the
attestation engagement being undertaken, including whether related
recommendations have been implemented. Auditors should use this
information in assessing risk and determining the nature, timing, and
extent of current work, including determining the extent to which
testing the implementation of the corrective actions is applicable to
the current engagement objectives;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Internal Control;
6.10: In planning examination-level attestation engagements, auditors
should obtain a sufficient understanding of internal control that is
material to the subject matter in order to plan the engagement and
design procedures to achieve the objectives of the attestation
engagement;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Internal Control;
6.11: In planning an examination-level attestation engagement, auditors
should obtain an understanding of internal control as it relates to the
subject matter to which the auditors are attesting. The subject matter
may be financial or nonfinancial...;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, or Abuse That Could Have a Material Effect on the Subject
Matter;
6.13 :The auditors' responsibility with regard to fraud, [footnote not
shown] illegal acts, violations of provisions of contracts or grant
agreements, or abuse for attestation engagements performed in
accordance with GAGAS is as follows:
Must: [Check];
Empty: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, or Abuse That Could Have a Material Effect on the Subject
Matter;
a. Examination-level engagements: In planning, auditors should design
the engagement to provide reasonable assurance of detecting fraud,
illegal acts, or violations of provisions of contracts or grant
agreements that could have a material effect on the subject matter of
the attestation engagement. Thus, auditors should assess the risk and
possible effects of material fraud, illegal acts, or violations of
provisions of contracts or grant agreements on the subject matter of
the attestation engagement. When risk factors are identified, auditors
should document the risk factors identified, the auditors' response to
those risk factors individually or in combination, and the auditors'
conclusions;
b. Review-level and agreed-upon-procedures-level engagements: If during
the course of the engagement, information comes to the auditors'
attention indicating that fraud, illegal acts, or violations of
provisions of contracts or grant agreements that could have a material
effect on the subject matter may have occurred, auditors should perform
procedures as necessary to (1) determine if fraud, illegal acts, or
violations of provisions of contracts or grant agreements are likely to
have occurred and, if so, (2) determine their effect on the results of
the attestation engagement. Auditors are not expected to provide
assurance of detecting potential fraud, illegal acts, or violations of
provisions of contracts or grant agreements for these types of
engagements unless it is specified in the procedures;
c. For all levels of attestation engagements: If during the course of
the engagement, auditors become aware of abuse that could be
quantitatively or qualitatively material, auditors should apply
procedures specifically directed to ascertain the potential effect on
the subject matter or other data significant to the engagement
objectives....;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Developing Elements of a Finding;
6.15:...When auditors identify deficiencies, auditors should plan and
perform procedures to develop the elements of the findings that are
relevant and necessary to achieve the engagement objectives....;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Documentation;
6.20: Under GAGAS, auditors must prepare attest documentation in
connection with each engagement in sufficient detail to provide a clear
understanding of the work performed (including the nature, timing,
extent, and results of engagement procedures performed); the evidence
obtained and its source; and the conclusions reached....;
Must: [Empty];
Empty: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Documentation;
6.21: Auditors should prepare attest documentation in sufficient detail
to enable an experienced auditor, [footnote not shown] having no
previous connection to the attestation engagement, to understand from
the documentation the nature, timing, extent, and results of procedures
performed and the evidence obtained and its source and the conclusions
reached, including evidence that supports the auditors' significant
judgments and conclusions. Auditors should prepare attest documentation
that contains support for findings, conclusions, and recommendations
before they issue their report;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Documentation;
6.22: Auditors also should document the following for attestation
engagements performed under GAGAS:
a. the objectives, scope, and methodology of the attestation
engagement;
b. the work performed to support significant judgments and conclusions,
including descriptions of transactions and records examined;[74].
[74] Auditors may meet this requirement by listing file numbers, case
numbers, or other means of identifying specific documents they
examined. They are not required to include copies of documents they
examined as part of the audit documentation, nor are they required to
list detailed information from those documents;
c. evidence of supervisory review, before the engagement report is
issued, of the work performed that supports findings, conclusions, and
recommendations contained in the engagement report; and;
d. the auditors' consideration that the planned procedures be designed
to achieve objectives of the attestation engagement when (1) evidence
obtained is dependent on computerized information systems, (2) such
evidence is material to the objective of the engagement, and (3) the
auditors are not relying on the effectiveness of internal control over
those computerized systems that produced the evidence. Auditors should
document (1) the rationale for determining the nature, timing, and
extent of planned procedures; (2) the kinds and competence of available
evidence produced outside a computerized information system, or plans
for direct testing of data produced from a computerized information
system; and (3) the effect on the attestation engagement report if
evidence to be gathered does not afford a reasonable basis for
achieving the objectives of the engagement;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Documentation;
6.23 When auditors do not comply with applicable GAGAS requirements due
to law, regulation, scope limitations, restrictions on access to
records, or other issues impacting the engagement, the auditors should
document the departure, the impact on the engagement and on the
auditors' conclusions. This applies to departures from mandatory
requirements and presumptively mandatory requirements where alternative
procedures performed in the circumstances were not sufficient to
achieve the objectives of the standard....;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Documentation;
6.25...Subject to applicable laws and regulations, auditors should make
appropriate individuals, as well as attest documentation, available
upon request and in a timely manner to other auditors or reviewers to
satisfy these objectives....;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Considerations for GAGAS Attestation Engagements;
Ongoing Investigations or Legal Proceedings;
6.29:...When investigations or legal proceedings are initiated or in
process, auditors should evaluate the impact on the current engagement.
In some cases, it may be appropriate for the auditors to work with
investigators and/or legal authorities, or withdraw from or defer
further work on the engagement or a portion of the engagement to avoid
interfering with an investigation;
Must: [Check];
Empty: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
AICPA Reporting Standards for Attestation Engagements;
6.30: The four AICPA reporting standards that apply to all levels of
attestation engagements are as follows: [Footnote not shown.];
[Documentation of compliance with the reporting requirements in the
AICPA standards and the related statements on standards for attestation
engagements (SSAE) is required for attestation engagements conducted in
accordance with GAGAS. These AICPA standards and SSAE contain
requirements in addition to the requirements in 6.30 a-d below. Use of
a checklist for the AICPA standards may be helpful for auditors to
ensure compliance with these standards.];
a. The practitioner [auditor] must identify the subject matter or the
assertion being reported on and state the character of the engagement
in the report;
b. The practitioner [auditor] must state the practitioner's [auditor's]
conclusion about the subject matter or the assertion in relation to the
criteria against which the subject matter was evaluated in the report;
c. The practitioner [auditor] must state all of the practitioner's
[auditor's] significant reservations about the engagement, the subject
matter, and, if applicable, the assertion related thereto in the
report;
d. The practitioner [auditor] must state in the report that the report
is intended for use by specified parties under the following
circumstances:
(1) When the criteria used to evaluate the subject matter are
determined by the practitioner [auditor] to be appropriate only for a
limited number of parties who either participated in their
establishment or can be presumed to have an adequate understanding of
the criteria;
(2) When the criteria used to evaluate the subject matter are available
only to specified parties;
(3) When reporting on subject matter and a written assertion has not
been provided by the responsible party;
(4) When the report is on an attest engagement to apply agreed-upon
procedures to the subject matter;
Must: [Empty];
Should: [Check].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
6.31: GAGAS establish reporting standards for attestation engagements
in addition to the requirements contained in the AICPA standards.
Auditors should comply with these additional standards when citing
GAGAS in their attestation engagement reports. The additional
government auditing standards relate to;
a. reporting auditors' compliance with GAGAS (see paragraph 6.32);
b. reporting deficiencies in internal control, fraud, illegal acts,
violations of provisions of contracts or grant agreements, and abuse
(see paragraphs 6.33 through 6.43);
c. reporting views of responsible officials (see paragraphs 6.44
through 6.50);
d. reporting confidential or sensitive information (see paragraphs 6.51
through 6.55); and;
e. distributing reports (see paragraph 6.56);
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Auditors' Compliance with GAGAS;
6.32: When auditors comply with all applicable GAGAS requirements, they
should include a statement in the attestation report that they
performed the engagement in accordance with GAGAS...GAGAS do not
prohibit auditors from issuing a separate report conforming only to the
requirements of other standards;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
Violations of Provisions of Contracts or Grant Agreements, and Abuse;
6.33: For attestation engagements, auditors should report, as
applicable to the objectives of the engagement, and based upon the work
performed, (1) significant deficiencies in internal control,
identifying those considered to be material weaknesses; (2) all
instances of fraud and illegal acts unless inconsequential; and (3)
violations of provisions of contracts or grant agreements and abuse
that could have a material effect on the subject matter of the
engagement;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Deficiencies in Internal Control;
6.34: For all attestation engagements, auditors should report the
following deficiencies in internal control:
a. Significant deficiency: a deficiency in internal control, or
combination of deficiencies, that adversely affects the entity's
ability to initiate, authorize, record, process, or report data
reliably in accordance with the applicable criteria or framework such
that there is more than a remote [footnote not shown] likelihood that a
misstatement of the subject matter that is more than inconsequential
[footnote not shown] will not be prevented or detected;
b. Material weakness: a significant deficiency or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the subject matter will not be
prevented or detected;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Deficiencies in Internal Control;
6.35: Determining whether and how to communicate to entity officials
internal control deficiencies that have an inconsequential effect on
the subject matter is a matter of professional judgment. Auditors
should document such communications;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
6.36: Under GAGAS, when auditors conclude, based on sufficient,
appropriate evidence, that any of the following either has occurred or
is likely to have occurred, they should include in their report the
relevant information about;
a. fraud and illegal acts [footnote not shown] that have an effect on
the subject matter that is more than inconsequential,;
b. violations of provisions of contracts or grant agreements that have
a material effect on the subject matter, and:
c. abuse that is material to the subject matter, either quantitatively
or qualitatively....;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
6.37: When auditors detect violations of provisions of contracts or
grant agreements or abuse that have an effect on the subject matter
that is less than material but more than inconsequential, they should
communicate those findings in writing to entity officials. Determining
whether and how to communicate to entity officials fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
that is inconsequential is a matter of professional judgment. Auditors
should document such communications;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Entity;
6.39: Auditors should report known or likely fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly to parties outside the audited entity in the following two
circumstances. [Footnote not shown.];
a. When entity management fails to satisfy legal or regulatory
requirements to report such information to external parties specified
in law or regulation, auditors should first communicate the failure to
report such information to those charged with governance. If the
audited entity still does not report this information to the specified
external parties as soon as practicable after the auditors'
communication with those charged with governance, then the auditors
should report the information directly to the specified external
parties;
b. When entity management fails to take timely and appropriate steps to
respond to known or likely fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that (1) is
likely to have a material effect on the subject matter and (2) involves
funding received directly or indirectly from a government agency,
auditors should first report management's failure to take timely and
appropriate steps to those charged with governance. If the audited
entity still does not take timely and appropriate steps as soon as
practicable after the auditors' communication with those charged with
governance, then the auditors should report the entity's failure to
take timely and appropriate steps directly to the funding agency;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Entity;
6.40: The reporting in paragraph 6.39 is in addition to any legal
requirements to report such information directly to parties outside the
entity. Auditors should comply with these requirements even if they
have resigned or been dismissed from the engagement prior to its
completion;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Findings Directly to Parties Outside the Entity;
6.41: Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by entity
management that it has reported such findings in accordance with laws,
regulations, and funding agreements. When auditors are unable to do so,
they should report such information directly as discussed in paragraph
6.39;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Presenting Findings in the Auditors' Report;
6.42: In presenting findings such as deficiencies in internal control,
fraud, illegal acts, violations of provisions of contracts or grant
agreements, and abuse, auditors should develop the elements of the
findings to the extent necessary to achieve the engagement
objectives....;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Presenting Findings in the Auditors' Report;
6.43: Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors should, as applicable, relate the instances identified to the
population or the number of cases examined and quantify the results in
terms of dollar value or other measures, as appropriate. If the results
cannot be projected, auditors should limit their conclusions
appropriately;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
6.44: If the attestation engagement report discloses deficiencies in
internal control, fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse, auditors should obtain and
report the views of responsible officials concerning the findings,
conclusions, and recommendations, as well as planned corrective
actions;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
6.46: When auditors receive written comments from the responsible
officials, they should include in their report a copy of the officials'
written comments, or a summary of the comments received. When the
responsible officials provide oral comments only, auditors should
prepare a summary of the oral comments and provide a copy of the
summary to the responsible officials to verify that the comments are
accurately stated;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
6.47: Auditors should also include in the report an evaluation of the
comments, as appropriate....;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
6.49: When the entity's comments are inconsistent or in conflict with
the findings, conclusions, or recommendations in the draft report, or
when planned corrective actions do not adequately address the auditors'
recommendations, the auditors should evaluate the validity of the
audited entity's comments. If the auditors disagree with the comments,
they should explain in the report their reasons for disagreement.
Conversely, the auditors should modify their report as necessary if
they find the comments valid and supported with sufficient, appropriate
evidence;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Views of Responsible Officials;
6.50: If the entity refuses to provide comments or is unable to provide
comments within a reasonable period of time, the auditors may issue the
report without receiving comments from the entity. In such cases, the
auditors should indicate in the report that the audited entity did not
provide comments;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
6.51: If certain pertinent information is prohibited from public
disclosure or is excluded from a report due to the confidential or
sensitive nature of the information, auditors should disclose in the
report that certain information has been omitted and the reason or
other circumstances that make the omission necessary;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
6.54: Considering the broad public interest in the program or activity
under review assists auditors when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the engagement results or conceal improper
or illegal practices;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Reporting Confidential or Sensitive Information;
6.55 When audit organizations are subject to public records laws,
auditors should determine whether public records laws could impact the
availability of classified or limited use reports and determine whether
other means of communicating with management and those charged with
governance would be more appropriate....;
Must: [Check];
Should: [Empty].
Chapter 6 - General, Field Work, and Reporting Standards for
Attestation Engagements;
Additional Government Auditing Standards;
Distributing Reports;
6.56: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the entity and the nature of the
information contained in the report. If the subject matter or the
assertion involves material that is classified for security purposes or
contains confidential or sensitive information, auditors may limit the
report distribution. Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute reports
to those charged with governance, to the appropriate entity officials,
and to the appropriate oversight bodies or organizations requiring or
arranging for the engagements. As appropriate, auditors should also
distribute copies of the reports to other officials who have legal
oversight authority or who may be responsible for acting on engagement
findings and recommendations, and to others authorized to receive such
reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to the parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users in the report;
c. Public accounting firms contracted to perform an engagement under
GAGAS should clarify report distribution responsibilities with the
engaging organization. If the contracting firm is to make the
distribution, it should reach agreement with the party contracting for
the engagement about which officials or organizations will receive the
report and the steps being taken to make the report available to the
public;
Must: [Check];
Should: [Empty].
[End of table]
Specific Requirements for Performance Audits:
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.11: When auditors are required to follow GAGAS or are representing to
others that they followed GAGAS, they should follow all applicable
GAGAS requirements and should refer to compliance with GAGAS in the
auditors' report as set forth in paragraphs 1.12 and 1.13;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.12: Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS audits and attestation
engagements, as appropriate. [Footnote not shown.];
a. Unmodified GAGAS compliance statement: Stating that the auditor
performed the audit or attestation engagement in accordance with GAGAS.
Auditors should include an unmodified GAGAS compliance statement in the
audit report when they have (1) followed all applicable unconditional
and presumptively mandatory GAGAS requirements, or (2) have followed
all unconditional requirements and documented justification for any
departures from applicable presumptively mandatory requirements, and
have achieved the objectives of those requirements through other means;
b. Modified GAGAS compliance statement: Stating either that (1) the
auditor performed the audit or attestation engagement in accordance
with GAGAS, except for specific applicable requirements that were not
followed or, (2) because of the significance of the departure(s) from
the requirements, the auditor was unable to and did not perform the
audit or attestation engagement in accordance with GAGAS. Situations
when auditors use modified compliance statements include scope
limitations, such as restrictions on access to records, government
officials, or other individuals needed to conduct the audit. When
auditors use a modified GAGAS statement, they should disclose in the
report the applicable requirement(s) not followed, the reasons for not
following the requirement(s), and how not following the requirements
affected, or could have affected, the audit and the assurance provided;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Stating Compliance with GAGAS in the Auditors' Report;
1.13: When auditors do not comply with any applicable requirements,
they should (1) assess the significance of the noncompliance to the
audit objectives, (2) document the assessment, along with their reasons
for not following the requirement, and (3) determine the type of GAGAS
compliance statement. [Footnote not shown.] The auditors' determination
will depend on the significance of the requirements not followed in
relation to the audit objectives;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Relationship between GAGAS and Other Professional Standards;
1.14: Auditors may use GAGAS in conjunction with professional standards
issued by other authoritative bodies. Auditors may also cite the use of
other standards in their audit reports, as appropriate. If the auditor
is citing compliance with GAGAS and inconsistencies exist between GAGAS
and other standards cited, the auditor should use GAGAS as the
prevailing standard for conducting the audit and reporting the results;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
1.19: In some audits and attestation engagements, the standards
applicable to the specific audit objective will be apparent....However,
some engagements may have multiple or overlapping objectives....In
cases in which there is a choice between applicable standards, auditors
should evaluate users' needs and the auditors' knowledge, skills, and
experience in deciding which standards to follow;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Types of GAGAS Audits and Attestation Engagements;
Professional Services Other Than Audits (Nonaudit Services) Provided by
Audit Organizations;
1.33: GAGAS do not cover professional services other than audits or
attestation engagements (nonaudit services). � Therefore, auditors must
not report that the nonaudit services were conducted in accordance with
GAGAS. When performing nonaudit services for an entity for which the
audit organization performs a GAGAS audit or attestation engagement,
audit organizations should communicate, as appropriate, with requestors
and those charged with governance to clarify that the scope of work
performed does not constitute an audit under GAGAS;
Must: [Empty];
Should: [Check].
Chapter 1 - Use and Application of GAGAS;
Independence;
3.02: In all matters relating to the audit work, the audit organization
and the individual auditor, whether government or public, must be free
from personal, external, and organizational impairments to
independence, and must avoid the appearance of such impairments of
independence;
Must: [Empty];
Should: [Check].
Chapter 1 - Use and Application of GAGAS;
Independence;
3.03: Auditors and audit organizations must maintain independence so
that their opinions, findings, conclusions, judgments, and
recommendations will be impartial and viewed as impartial by objective
third parties with knowledge of the relevant information. Auditors
should avoid situations that could lead objective third parties with
knowledge of the relevant information to conclude that the auditors are
not able to maintain independence and thus are not capable of
exercising objective and impartial judgment on all issues associated
with conducting the audit and reporting on the work;
Must: [Empty];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Independence;
3.04: When evaluating whether independence impairments exist either in
fact or appearance with respect to the entities for which audit
organizations perform audits or attestation engagements, auditors and
audit organizations must take into account the three general classes of
impairments to independence--personal, external, and organizational.
[Footnote not shown.] If one or more of these impairments affects or
can be perceived to affect independence, the audit organization (or
auditor) should decline to perform the work--except in those situations
in which an audit organization in a government entity, because of a
legislative requirement or for other reasons, cannot decline to perform
the work, in which case the government audit organization must disclose
the impairment(s) and modify the GAGAS compliance statement....;
Must: [Empty];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Independence;
3.05: When auditors use the work of a specialist, [footnote not shown]
auditors should assess the specialist's ability to perform the work and
report results impartially as it relates to their relationship with the
program or entity under audit. If the specialist's independence is
impaired, auditors should not use the work of that specialist;
Must: [Check];
Should: [Empty].
Chapter 1 - Use and Application of GAGAS;
Independence;
Personal Impairments;
3.07: Auditors participating on an audit assignment must be free from
personal impairments to independence. [Footnote not shown.] Personal
impairments of auditors result from relationships or beliefs that might
cause auditors to limit the extent of the inquiry, limit disclosure, or
weaken or slant audit findings in any way. Individual auditors should
notify the appropriate officials within their audit organizations if
they have any personal impairment to independence....;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Professional Judgment;
3.31: Auditors must use professional judgment in planning and
performing audits and attestation engagements and in reporting the
results;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Professional Judgment;
3.38: Auditors should document significant decisions affecting the
audit objectives, scope, and methodology; findings; conclusions; and
recommendations resulting from professional judgment;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Competence;
3.40: The staff assigned to perform the audit or attestation engagement
must collectively possess adequate professional competence for the
tasks required;
Must: [Empty];
Should: [Check].
Chapter 3 - General Standards;
Competence;
Technical Knowledge and Competence;
3.43: The staff assigned to conduct an audit or attestation engagement
under GAGAS must collectively possess the technical knowledge, skills,
and experience necessary to be competent for the type of work being
performed before beginning work on that assignment. The staff assigned
to a GAGAS audit or attestation engagement should collectively possess;
a. knowledge of GAGAS applicable to the type of work they are assigned
and the education, skills, and experience to apply this knowledge to
the work being performed;
b. general knowledge of the environment in which the audited entity
operates and the subject matter under review;
c. skills to communicate clearly and effectively, both orally and in
writing; and;
d. skills appropriate for the work being performed. For example, staff
or specialist skills in;
(1) statistical sampling if the work involves use of statistical
sampling;
(2) information technology if the work involves review of information
systems;
(3) engineering if the work involves review of complex engineering
data;
(4) specialized audit methodologies or analytical techniques, such as
the use of complex survey instruments, actuarial-based estimates, or
statistical analysis tests, as applicable; or; (5) specialized
knowledge in subject matters, such as scientific, medical,
environmental, educational, or any other specialized subject matter, if
the work calls for such expertise;
Must: [Empty];
Should: [Empty].
Chapter 3 - General Standards;
Competence;
Continuing Professional Education;
3.46: Auditors performing work under GAGAS, including planning,
directing, performing field work, or reporting on an audit or
attestation engagement under GAGAS, should maintain their professional
competence through continuing professional education (CPE). Therefore,
each auditor performing work under GAGAS should complete, every 2
years, at least 24 hours of CPE that directly relates to government
auditing, the government environment, or the specific or unique
environment in which the audited entity operates. For auditors who are
involved in any amount of planning, directing, or reporting on GAGAS
assignments and those auditors who are not involved in those activities
but charge 20 percent or more of their time annually to GAGAS
assignments should also obtain at least an additional 56 hours of CPE
(for a total of 80 hours of CPE in every 2-year period) that enhances
the auditor's professional proficiency to perform audits or attestation
engagements. Auditors required to take the total 80 hours of CPE should
complete at least 20 hours of CPE in each year of the 2-year period;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Competence;
Continuing Professional Education;
3.49: External specialists assisting in performing a GAGAS assignment
should be qualified and maintain professional competence in their areas
of specialization but are not required to meet the GAGAS CPE
requirements described. However, auditors who use the work of external
specialists should assess the professional qualifications of such
specialists and document their findings and conclusions. Internal
specialists who are part of the audit organization and perform as a
member of the audit team should comply with GAGAS, including the CPE
requirements;
Must: [Check];
Should: [Empty].
Chapter 3 - General Standards;
Quality Control and Assurance;
External Peer Review;
3.63: Auditors who are using another audit organization's work should
request a copy of the audit organization's latest peer review report
and any letter of comment, and the audit organization should provide
these documents when requested....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
7.06: Auditors must adequately plan and document the planning of the
work necessary to address the audit objectives;
Must: [Empty];
Should: [Check].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
7.07: Auditors must plan the audit to reduce audit risk to an
appropriate level for the auditors to provide reasonable assurance that
the evidence is sufficient and appropriate to support the auditors'
findings and conclusions. This determination is a matter of
professional judgment. In planning the audit, auditors should assess
significance and audit risk and apply these assessments in defining the
audit objectives and the scope and methodology to address those
objectives. [Footnote not shown.]...;
Must: [Empty];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
7.10:...Auditors should design the methodology to obtain sufficient,
appropriate evidence to address the audit objectives, reduce audit risk
to an acceptable level, and provide reasonable assurance that the
evidence is sufficient and appropriate to support the auditors'
findings and conclusions....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
7.11: Auditors should assess audit risk and significance within the
context of the audit objectives by gaining an understanding of the
following:
a. the nature and profile of the programs and the needs of potential
users of the audit report (see paragraphs 7.13 through 7.15);
b. internal control as it relates to the specific objectives and scope
of the audit (see paragraphs 7.16 through 7.22);
c. information systems controls for purposes of assessing audit risk
and planning the audit within the context of the audit objectives (see
paragraphs 7.23 through 7.27);
d. legal and regulatory requirements, contract provisions or grant
agreements, potential fraud, or abuse that are significant within the
context of the audit objectives (see paragraphs 7.28 through 7.35);
and;
e. the results of previous audits and attestation engagements that
directly relate to the current audit objectives (see paragraph 7.36);
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
7.12: During planning, auditors also should;
a. identify the potential criteria needed to evaluate matters subject
to audit (see paragraphs 7.37 and 7.38);
b. identify sources of audit evidence and determine the amount and type
of evidence needed given audit risk and significance (see paragraphs
7.39 and 7.40);
c. evaluate whether to use the work of other auditors and experts to
address some of the audit objectives (see paragraphs 7.41 through
7.43);
d. assign sufficient staff and specialists with adequate collective
professional competence and identify other resources needed to perform
the audit (see paragraphs 7.44 and 7.45);
e. communicate about planning and performance of the audit to
management officials, those charged with governance, and others as
applicable (see paragraphs 7.46 through 7.49); and;
f. prepare a written audit plan (see paragraphs 7.50 and 7.51);
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Nature and Profile of the Program and User Needs;
7.13: Auditors should obtain an understanding of the nature of the
program or program component under audit and the potential use that
will be made of the audit results or report as they plan a performance
audit. The nature and profile of a program include;
a. visibility, sensitivity, and relevant risks associated with the
program under audit;
b. age of the program or changes in its conditions;
c. the size of the program in terms of total dollars, number of
citizens affected, or other measures;
d. level and extent of review or other forms of independent oversight;
e. program's strategic plan and objectives; and;
f. external factors or conditions that could directly affect the
program;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Internal Control;
7.16: Auditors should obtain an understanding of internal control
[footnote not shown] that is significant within the context of the
audit objectives. For internal control that is significant within the
context of the audit objectives, auditors should assess whether
internal control has been properly designed and implemented. For those
internal controls that are deemed significant within the context of the
audit objectives, auditors should plan to obtain sufficient,
appropriate evidence to support their assessment about the
effectiveness of those controls. � Thus, when obtaining an
understanding of internal control significant to the audit objectives,
auditors should also determine whether it is necessary to evaluate
information systems controls. (See paragraphs 7.23 through 7.27 for
additional discussion on evaluating the effectiveness of information
systems controls.);
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Information Systems Controls;
7.24:...When information systems controls are determined to be
significant to the audit objectives, auditors should then evaluate the
design and operating effectiveness of such controls. �Auditors should
obtain a sufficient understanding of information systems controls
necessary to assess audit risk and plan the audit within the context of
the audit objectives. [Footnote not shown.];
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Information Systems Controls;
7.27 Auditors should determine which audit procedures related to
information systems controls are needed to obtain sufficient,
appropriate evidence to support the audit findings and conclusions. The
following factors may assist auditors in making this determination: �
[7.27 a-c do not contain auditor requirements.];
d. Evaluating the effectiveness of information systems controls as an
audit objective: When evaluating the effectiveness of information
systems controls is directly a part of an audit objective, auditors
should test information systems controls necessary to address the audit
objectives. For example, the audit may involve the effectiveness of
information systems controls related to certain systems, facilities, or
organizations;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Legal and Regulatory Requirements, Contracts, and Grants;
7.28: Auditors should determine which laws, regulations, and provisions
of contracts or grant agreements are significant within the context of
the audit objectives and assess the risk that violations of those laws,
regulations, and provisions of contracts or grant agreements could
occur. Based on that risk assessment, the auditors should design and
perform procedures to provide reasonable assurance of detecting
instances of violations of legal and regulatory requirements or
violations of provisions of contracts or grant agreements that are
significant within the context of the audit objectives;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Fraud;
7.30: In planning the audit, auditors should assess risks of fraud
[footnote not shown] occurring that is significant within the context
of the audit objectives. Audit team members should discuss among the
team fraud risks, including factors such as individuals' incentives or
pressures to commit fraud, the opportunity for fraud to occur, and
rationalizations or attitudes that could allow individuals to commit
fraud. Auditors should gather and assess information to identify risks
of fraud that are significant within the scope of the audit objectives
or that could affect the findings and conclusions....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Fraud;
7.31: When auditors identify factors or risks related to fraud that has
occurred or is likely to have occurred that they believe are
significant within the context of the audit objectives, they should
design procedures to provide reasonable assurance of detecting such
fraud. Assessing the risk of fraud is an ongoing process throughout the
audit and relates not only to planning the audit but also to evaluating
evidence obtained during the audit;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Fraud;
7.32: When information comes to the auditors' attention indicating that
fraud that is significant within the context of the audit objectives
may have occurred, auditors should extend the audit steps and
procedures, as necessary, to (1) determine whether fraud has likely
occurred and (2) if so, determine its effect on the audit findings....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Abuse;
7.34: If during the course of the audit, auditors become aware of abuse
that could be quantitatively or qualitatively significant to the
program under audit, auditors should apply audit procedures
specifically directed to ascertain the potential effect on the program
under audit within the context of the audit objectives....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Ongoing Investigations or Legal Proceedings;
7.35...When investigations or legal proceedings are initiated or in
process, auditors should evaluate the impact on the current audit. In
some cases, it may be appropriate for the auditors to work with
investigators and/or legal authorities, or withdraw from or defer
further work on the audit or a portion of the audit to avoid
interfering with an investigation;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Previous Audits and Attestation Engagements;
7.36: Auditors should evaluate whether the audited entity has taken
appropriate corrective action to address findings and recommendations
from previous engagements that are significant within the context of
the audit objectives. When planning the audit, auditors should ask
management of the audited entity to identify previous audits,
attestation engagements, performance audits, or other studies that
directly relate to the objectives of the audit, including whether
related recommendations have been implemented. Auditors should use this
information in assessing risk and determining the nature, timing, and
extent of current audit work, including determining the extent to which
testing the implementation of the corrective actions is applicable to
the current audit objectives;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Identifying Audit Criteria;
7.37: Auditors should identify criteria. Criteria represent the laws,
regulations, contracts, grant agreements, standards, measures, expected
performance, defined business practices, and benchmarks against which
performance is compared or evaluated. � Auditors should use criteria
that are relevant to the audit objectives and permit consistent
assessment of the subject matter;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Identifying Sources of Evidence and the Amount and Type of Evidence
Required;
7.39: Auditors should identify potential sources of information that
could be used as evidence. Auditors should determine the amount and
type of evidence needed to obtain sufficient, appropriate evidence to
address the audit objectives and adequately plan audit work;
7.40 If auditors believe that it is likely that sufficient, appropriate
evidence will not be available, they may revise the audit objectives or
modify the scope and methodology and determine alternative procedures
to obtain additional evidence or other forms of evidence to address the
current audit objectives. Auditors should also evaluate whether the
lack of sufficient, appropriate evidence is due to internal control
deficiencies or other program weaknesses, and whether the lack of
sufficient, appropriate evidence could be the basis for audit
findings....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Using the Work of Others;
7.41: Auditors should determine whether other auditors have conducted,
or are conducting, audits of the program that could be relevant to the
current audit objectives....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Using the Work of Others;
7.42...If auditors use the work of other auditors, they should perform
procedures that provide a sufficient basis for using that work.
Auditors should obtain evidence concerning the other auditors'
qualifications and independence and should determine whether the scope,
quality, and timing of the audit work performed by the other auditors
is adequate for reliance in the context of the current audit
objectives....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Using the Work of Others;
7.43....If auditors intend to use the work of specialists, they should
obtain an understanding of the qualifications and independence of the
specialists...Evaluating the professional qualifications of the
specialist involves the following:
a. the professional certification, license, or other recognition of the
competence of the specialist in his or her field, as appropriate;
b. the reputation and standing of the specialist in the views of peers
and others familiar with the specialist's capability or performance;
c. the specialist's experience and previous work in the subject matter;
and;
d. the auditors' prior experience in using the specialist's work;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Planning;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Assigning Staff and Other Resources;
7.44: Audit management should assign sufficient staff and specialists
with adequate collective professional competence to perform the audit.
...Staffing an audit includes, among other things:
a. assigning staff and specialists with the collective knowledge,
skills, and experience appropriate for the job,;
b. assigning a sufficient number of staff and supervisors to the
audit,;
c. providing for on-the-job training of staff, and;
d. engaging specialists when necessary;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Assigning Staff and Other Resources;
7.45: If planning to use the work of a specialist, auditors should
document the nature and scope of the work to be performed by the
specialist, including;
a. the objectives and scope of the specialist's work,;
b. the intended use of the specialist's work to support the audit
objectives,;
c. the specialist's procedures and findings so they can be evaluated
and related to other planned audit procedures, and;
d. the assumptions and methods used by the specialist;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Communicating with Management, Those Charged with Governance, and
Others;
7.46: Auditors should communicate an overview of the objectives, scope,
and methodology, and timing of the performance audit [footnote not
shown] and planned reporting (including any potential restrictions on
the report) to the following, as applicable:
a. management of the audited entity, including those with sufficient
authority and responsibility to implement corrective action in the
program or activity being audited;
b. those charged with governance; [footnote not shown] and;
c. the individuals contracting for or requesting audit services, such
as contracting officials, grantees; and;
d. when auditors perform the audit pursuant to a law or regulation or
they conduct the work for the legislative committee that has oversight
of the audited entity, auditors should communicate with the legislative
committee;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Communicating with Management, Those Charged with Governance, and
Others;
7.47: In situations in which those charged with governance are not
clearly evident, auditors should document the process followed and
conclusions reached for identifying those charged with governance;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Communicating with Management, Those Charged with Governance, and
Others;
7.48: Determining the form, content, and frequency of the communication
is a matter of professional judgment, although written communication is
preferred. Auditors may use an engagement letter to communicate the
information. Auditors should document this communication;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Communicating with Management, Those Charged with Governance, and
Others;
7.49: If an audit is terminated before it is completed and an audit
report is not issued, auditors should document the results of the work
to the date of termination and why the audit was terminated....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Preparing the Audit Plan;
7.50: Auditors must prepare a written audit plan for each audit. �
Auditors should update the plan, as necessary, to reflect any
significant changes to the plan made during the audit;
Must: [Empty];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Legal and Regulatory Requirements, Provisions of Contracts or Grant
Agreements, Fraud, or Abuse;
Supervision;
7.52: Audit supervisors or those designated to supervise auditors must
properly supervise audit staff;
Must: [Empty];
Should: [Check].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
7.55: Auditors must obtain sufficient, appropriate evidence to provide
a reasonable basis for their findings and conclusions;
Must: [Empty];
Should: [Check].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
7.56:...Appropriateness is the measure of the quality of evidence that
encompasses its relevance, validity, and reliability in providing
support for findings and conclusions related to the audit objectives.
In assessing the overall appropriateness of evidence, auditors should
assess whether the evidence is relevant, valid, and reliable.
Sufficiency is a measure of the quantity of evidence used to support
the findings and conclusions related to the audit objectives. In
assessing the sufficiency of evidence, auditors should determine
whether enough evidence has been obtained to persuade a knowledgeable
person that the findings are reasonable;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
7.57: In assessing evidence, auditors should evaluate whether the
evidence taken as a whole is sufficient and appropriate for addressing
the audit objectives and supporting findings and conclusions....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Appropriateness;
7.61: Testimonial evidence may be useful in interpreting or
corroborating documentary or physical information. Auditors should
evaluate the objectivity, credibility, and reliability of the
testimonial evidence....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Appropriateness;
7.64: When auditors use information gathered by officials of the
audited entity as part of their evidence, they should determine what
the officials of the audited entity or other auditors did to obtain
assurance over the reliability of the information....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Appropriateness;
7.65: Auditors should assess the sufficiency and appropriateness of
computer-processed information regardless of whether this information
is provided to auditors or auditors independently extract it....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Sufficiency;
7.66...In determining the sufficiency of evidence, auditors should
determine whether enough appropriate evidence exists to address the
audit objectives and support the findings and conclusions;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Sufficiency;
Overall Assessment of Evidence;
7.68: Auditors should determine the overall sufficiency and
appropriateness of evidence to provide a reasonable basis for the
findings and conclusions, within the context of the audit objectives. �
Auditors should perform and document an overall assessment of the
collective evidence used to support findings and conclusions, including
the results of any specific assessments conducted to conclude on the
validity and reliability of specific evidence;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Sufficiency;
Overall Assessment of Evidence;
7.70: When assessing the sufficiency and appropriateness of evidence,
auditors should evaluate the expected significance of evidence to the
audit objectives, findings, and conclusions, available corroborating
evidence, and the level of audit risk....;
a. Evidence is sufficient and appropriate when it provides a reasonable
basis for supporting the findings or conclusions within the context of
the audit objectives;
b. Evidence is not sufficient or not appropriate when (1) using the
evidence carries an unacceptably high risk that it could lead to an
incorrect or improper conclusion, (2) the evidence has significant
limitations, given the audit objectives and intended use of the
evidence, or (3) the evidence does not provide an adequate basis for
addressing the audit objectives or supporting the findings and
conclusions. Auditors should not use such evidence as support for
findings and conclusions;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Overall Assessment of Evidence;
7.71:...When the auditors identify limitations or uncertainties in
evidence that is significant to the audit findings and conclusions,
they should apply additional procedures, as appropriate. Such
procedures include;
a. seeking independent, corroborating evidence from other sources;
b. redefining the audit objectives or limiting the audit scope to
eliminate the need to use the evidence;
c. presenting the findings and conclusions so that the supporting
evidence is sufficient and appropriate and describing in the report the
limitations or uncertainties with the validity or reliability of the
evidence, if such disclosure is necessary to avoid misleading the
report users about the findings or conclusions (see paragraph 8.15 for
additional reporting requirements when there are limitations or
uncertainties with the validity or reliability of evidence); or;
d. determining whether to report the limitations or uncertainties as a
finding, including any related, significant internal control
deficiencies;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Obtaining Sufficient, Appropriate Evidence;
Developing Elements of a Finding;
7.72: Auditors should plan and perform procedures to develop the
elements of a finding necessary to address the audit objectives. In
addition, if auditors are able to sufficiently develop the elements of
a finding, they should develop recommendations for corrective action if
they are significant within the context of the audit objectives....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.77: Auditors must prepare audit documentation related to planning,
conducting, and reporting for each audit. Auditors should prepare audit
documentation in sufficient detail to enable an experienced auditor,
[footnote not shown] having no previous connection to the audit, to
understand from the audit documentation the nature, timing, extent, and
results of audit procedures performed, the audit evidence obtained and
its source and the conclusions reached, including evidence that
supports the auditors' significant judgments and conclusions. Auditors
should prepare audit documentation that contains support for findings,
conclusions, and recommendations before they issue their report;
Must: [Empty];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.78: Auditors should design the form and content of audit
documentation to meet the circumstances of the particular audit. The
audit documentation constitutes the principal record of the work that
the auditors have performed in accordance with standards and the
conclusions that the auditors have reached....;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.80: Under GAGAS, auditors should document the following:
a. the objectives, scope, and methodology of the audit;
b. the work performed to support significant judgments and conclusions,
including descriptions of transactions and records examined;[92] and.
[92] Auditors may meet this requirement by listing file numbers, case
numbers, or other means of identifying specific documents they
examined. They are not required to include copies of documents they
examined as part of the audit documentation, nor are they required to
list detailed information from those documents.];
c. evidence of supervisory review, before the audit report is issued,
of the work performed that supports findings, conclusions, and
recommendations contained in the audit report;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.81: When auditors do not comply with applicable GAGAS requirements
due to law, regulation, scope limitations, restrictions on access to
records, or other issues impacting the audit, the auditors should
document the departure from the GAGAS requirements and the impact on
the audit and on the auditors' conclusions. This applies to departures
from both mandatory requirements and presumptively mandatory
requirements when alternative procedures performed in the circumstances
were not sufficient to achieve the objectives of the standard...;
Must: [Check];
Should: [Empty].
Chapter 7 - Field Work Standards for Performance Audits;
Audit Documentation;
7.83...Subject to applicable laws and regulations, auditors should make
appropriate individuals, as well as audit documentation, available upon
request and in a timely manner to other auditors or reviewers to
satisfy these objectives....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Reporting;
8.03: Auditors must issue audit reports communicating the results of
each completed performance audit;
Must: [Empty];
Should: [Check].
Chapter 8 - Reporting Standards for Performance Audits;
Reporting;
8.04: Auditors should use a form of the audit report that is
appropriate for its intended use and is in writing or in some other
retrievable form....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Reporting;
8.06: If an audit is terminated before it is completed and an audit
report is not issued, auditors should follow the guidance in paragraph
7.49;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Reporting;
8.07: If after the report is issued, the auditors discover that they
did not have sufficient, appropriate evidence to support the reported
findings or conclusions, they should communicate with those charged
with governance, the appropriate officials of the audited entity, and
the appropriate officials of the organizations requiring or arranging
for the audits, so that they do not continue to rely on the findings or
conclusions that were not supported. If the report was previously
posted to the auditors' publicly accessible website, the auditors
should remove the report and post a public notification that the report
was removed. The auditors should then determine whether to conduct
additional audit work necessary to reissue the report with revised
findings or conclusions;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
8.08: Auditors should prepare audit reports that contain (1) the
objectives, scope, and methodology of the audit; (2) the audit results,
including findings, conclusions, and recommendations, as appropriate;
(3) a statement about the auditors' compliance with GAGAS; (4) a
summary of the views of responsible officials; and (5) if applicable,
the nature of any confidential or sensitive information omitted;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Objectives, Scope, and Methodology;
8.09: Auditors should include in the report a description of the audit
objectives and the scope and methodology used for addressing the audit
objectives....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Objectives, Scope, and Methodology;
8.10:...Auditors should communicate audit objectives in the audit
report in a clear, specific, neutral, and unbiased manner that includes
relevant assumptions, including why the audit organization undertook
the assignment and the underlying purpose of the audit and resulting
report....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Objectives, Scope, and Methodology;
8.11: Auditors should describe the scope of the work performed and any
limitations, including issues that would be relevant to likely users,
so that they could reasonably interpret the findings, conclusions, and
recommendations in the report without being misled. Auditors should
also report any significant constraints imposed on the audit approach
by information limitations or scope impairments, including denials of
access to certain records or individuals;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Objectives, Scope, and Methodology;
8.12: In describing the work conducted to address the audit objectives
and support the reported findings and conclusions, auditors should, as
applicable, explain the relationship between the population and the
items tested; identify organizations, geographic locations, and the
period covered; report the kinds and sources of evidence; and explain
any significant limitations or uncertainties based on the auditors'
overall assessment of the sufficiency and appropriateness of the
evidence in the aggregate;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Objectives, Scope, and Methodology;
8.13: In reporting audit methodology, auditors should explain how the
completed audit work supports the audit objectives, including the
evidence gathering and analysis techniques, in sufficient detail to
allow knowledgeable users of their reports to understand how the
auditors addressed the audit objectives....Auditors should identify
significant assumptions made in conducting the audit; describe
comparative techniques applied; describe the criteria used; and, when
sampling significantly supports the auditors' findings, conclusions, or
recommendations, describe the sample design and state why the design
was chosen, including whether the results can be projected to the
intended population;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings;
8.14: In the audit report, auditors should present sufficient,
appropriate evidence to support the findings and conclusions in
relation to the audit objectives. �. If auditors are able to
sufficiently develop the elements of a finding, they should provide
recommendations for corrective action if they are significant within
the context of the audit objectives....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings;
8.15 Auditors should describe in their report limitations or
uncertainties with the reliability or validity of evidence if (1) the
evidence is significant to the findings and conclusions within the
context of the audit objectives and (2) such disclosure is necessary to
avoid misleading the report users about the findings and conclusions. �
Auditors should describe the limitations or uncertainties regarding
evidence in conjunction with the findings and conclusions, in addition
to describing those limitations or uncertainties as part of the
objectives, scope, and methodology....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings;
8.16: Auditors should place their findings in perspective by describing
the nature and extent of the issues being reported and the extent of
the work performed that resulted in the finding. To give the reader a
basis for judging the prevalence and consequences of these findings,
auditors should, as applicable, relate the instances identified to the
population or the number of cases examined and quantify the results in
terms of dollar value, or other measures, as appropriate. If the
results cannot be projected, auditors should limit their conclusions
appropriately;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings;
8.17:...When reporting on the results of their work, auditors should
disclose significant facts relevant to the objectives of their work and
known to them which, if not disclosed, could mislead knowledgeable
users, misrepresent the results, or conceal significant improper or
illegal practices;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings;
8.18 Auditors should report deficiencies [footnote not shown] in
internal control that are significant within the context of the
objectives of the audit, all instances of fraud, illegal acts [footnote
not shown] unless they are inconsequential within the context of the
audit objectives, significant violations of provisions of contracts or
grant agreements, and significant abuse that have occurred or are
likely to have occurred;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Deficiencies in Internal Control;
8.19: Auditors should include in the audit report (1) the scope of
their work on internal control and (2) any deficiencies in internal
control that are significant within the context of the audit objectives
and based upon the audit work performed. When auditors detect
deficiencies in internal control that are not significant to the
objectives of the audit, they may include those deficiencies in the
report or communicate those deficiencies in writing to officials of the
audited entity unless the deficiencies are inconsequential considering
both qualitative and quantitative factors. Auditors should refer to
that written communication in the audit report, if the written
communication is separate from the audit report. Determining whether or
how to communicate to officials of the audited entity deficiencies that
are inconsequential within the context of the audit objectives is a
matter of professional judgment. Auditors should document such
communications;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
8.21: When auditors conclude, based on sufficient, appropriate
evidence, that fraud, illegal acts, significant violations of
provisions of contracts or grant agreements, or significant abuse
either has occurred or is likely to have occurred, they should report
the matter as a finding;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
Agreements, and Abuse;
8.22 When auditors detect violations of provisions of contracts or
grant agreements, or abuse that are not significant, they should
communicate those findings in writing to officials of the audited
entity unless the findings are inconsequential within the context of
the audit objectives, considering both qualitative and quantitative
factors. Determining whether or how to communicate to officials of the
audited entity fraud, illegal acts, violations of provisions of
contracts or grant agreements, or abuse that is inconsequential is a
matter of the auditors' professional judgment. Auditors should document
such communications;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings Directly to Parties Outside the Audited Entity;
8.24: Auditors should report known or likely fraud, illegal acts,
violations of provisions of contracts or grant agreements, or abuse
directly to parties outside the audited entity in the following two
circumstances. [Footnote not shown.];
a. When entity management fails to satisfy legal or regulatory
requirements to report such information to external parties specified
in law or regulation, auditors should first communicate the failure to
report such information to those charged with governance. If the
audited entity still does not report this information to the specified
external parties as soon as practicable after the auditors'
communication with those charged with governance, then the auditors
should report the information directly to the specified external
parties;
b. When entity management fails to take timely and appropriate steps to
respond to known or likely fraud, illegal acts, violations of
provisions of contracts or grant agreements, or abuse that (1) is
significant to the findings and conclusions, and (2) involves funding
received directly or indirectly from a government agency, auditors
should first report management's failure to take timely and appropriate
steps to those charged with governance. If the audited entity still
does not take timely and appropriate steps as soon as practicable after
the auditors' communication with those charged with governance, then
the auditors should report the entity's failure to take timely and
appropriate steps directly to the funding agency;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings Directly to Parties Outside the Audited Entity;
8.25: The reporting in paragraph 8.24 is in addition to any legal
requirements to report such information directly to parties outside the
audited entity. Auditors should comply with these requirements even if
they have resigned or been dismissed from the audit prior to its
completion;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Findings Directly to Parties Outside the Audited Entity;
8.26: Auditors should obtain sufficient, appropriate evidence, such as
confirmation from outside parties, to corroborate assertions by
management of the audited entity that it has reported such findings in
accordance with laws, regulations, and funding agreements. When
auditors are unable to do so, they should report such information
directly as discussed in paragraph 8.24;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Conclusions;
8.27: Auditors should report conclusions, as applicable, based on the
audit objectives and the audit findings....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Recommendations;
8.28: Auditors should recommend actions to correct problems identified
during the audit and to improve programs and operations when the
potential for improvement in programs, operations, and performance is
substantiated by the reported findings and conclusions. Auditors should
make recommendations that flow logically from the findings and
conclusions, are directed at resolving the cause of identified
problems, and clearly state the actions recommended;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Auditors' Compliance with GAGAS;
8.30: When auditors comply with all applicable GAGAS requirements, they
should use the following language, which represents an unmodified GAGAS
compliance statement, in the audit report to indicate that they
performed the audit in accordance with GAGAS....;We conducted this
performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable
basis for our findings and conclusions based on our audit objectives;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Auditors' Compliance with GAGAS;
8.31: When auditors do not comply with all applicable GAGAS
requirements, they should include a modified GAGAS compliance statement
in the audit report. For performance audits, auditors should use a
statement that includes either (1) the language in 8.30, modified to
indicate the standards that were not followed or (2) language that the
auditor did not follow GAGAS....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Views of Responsible Officials;
8.33: When auditors receive written comments from the responsible
officials, they should include in their report a copy of the officials'
written comments, or a summary of the comments received. When the
responsible officials provide oral comments only, auditors should
prepare a summary of the oral comments and provide a copy of the
summary to the responsible officials to verify that the comments are
accurately stated;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Views of Responsible Officials;
8.34: Auditors should also include in the report an evaluation of the
comments, as appropriate....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Views of Responsible Officials;
8.36: When the audited entity's comments are inconsistent or in
conflict with the findings, conclusions, or recommendations in the
draft report, or when planned corrective actions do not adequately
address the auditors' recommendations, the auditors should evaluate the
validity of the audited entity's comments. If the auditors disagree
with the comments, they should explain in the report their reasons for
disagreement. Conversely, the auditors should modify their report as
necessary if they find the comments valid and supported with
sufficient, appropriate evidence;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Views of Responsible Officials;
8.37: If the audited entity refuses to provide comments or is unable to
provide comments within a reasonable period of time, the auditors may
issue the report without receiving comments from the audited entity. In
such cases, the auditors should indicate in the report that the audited
entity did not provide comments;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Confidential or Sensitive Information;
8.38: If certain pertinent information is prohibited from public
disclosure or is excluded from a report due to the confidential or
sensitive nature of the information, auditors should disclose in the
report that certain information has been omitted and the reason or
other circumstances that makes the omission necessary;
entity did not provide comments;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Confidential or Sensitive Information;
8.41: Considering the broad public interest in the program or activity
under review assists auditors when deciding whether to exclude certain
information from publicly available reports. When circumstances call
for omission of certain information, auditors should evaluate whether
this omission could distort the audit results or conceal improper or
illegal practices;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Reporting Confidential or Sensitive Information;
8.42 When audit organizations are subject to public records laws,
auditors should determine whether public records laws could impact the
availability of classified or limited use reports and determine whether
other means of communicating with management and those charged with
governance would be more appropriate....;
Must: [Check];
Should: [Empty].
Chapter 8 - Reporting Standards for Performance Audits;
Report Contents;
Distributing Reports;
8.43: Distribution of reports completed under GAGAS depends on the
relationship of the auditors to the audited organization and the nature
of the information contained in the report. If the subject of the audit
involves material that is classified for security purposes or contains
confidential or sensitive information, auditors may limit the report
distribution. � Auditors should document any limitation on report
distribution. The following discussion outlines distribution for
reports completed under GAGAS: [One of the following will apply
depending on the type of audit organization.];
a. Audit organizations in government entities should distribute audit
reports to those charged with governance, to the appropriate officials
of the audited entity, and to the appropriate oversight bodies or
organizations requiring or arranging for the audits. As appropriate,
auditors should also distribute copies of the reports to other
officials who have legal oversight authority or who may be responsible
for acting on audit findings and recommendations, and to others
authorized to receive such reports;
b. Internal audit organizations in government entities may follow the
Institute of Internal Auditors (IIA) International Standards for the
Professional Practice of Internal Auditing. Under GAGAS and IIA
standards, the head of the internal audit organization should
communicate results to parties who can ensure that the results are
given due consideration. If not otherwise mandated by statutory or
regulatory requirements, prior to releasing results to parties outside
the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization, (2) consult with
senior management and/or legal counsel as appropriate, and (3) control
dissemination by indicating the intended users of the report;
c. Public accounting firms contracted to perform an audit under GAGAS
should clarify report distribution responsibilities with the engaging
organization. If the contracted firm is to make the distribution, it
should reach agreement with the party contracting for the audit about
which officials or organizations will receive the report and the steps
being taken to make the report available to the public;
Must: [Check];
Should: [Empty].
[End of table]
Footnotes:
[1] U.S. Government Accountability Office, Government Auditing
Standards, GAO-07-731G (Washington, D.C.: July 2007).
GAO's Mission:
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, DC 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: [email protected]:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, [email protected]:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, DC 20548:
Public Affairs:
Chuck Young, Managing Director, [email protected]:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, DC 20548: