This is the accessible text file for GAO report number GAO-03-673G 
entitled 'Government Auditing Standards: 2003 Revision' which was 
released on June 01, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

By the Comptroller General of the United States:

June 2003:

Government Auditing Standards:

2003 Revision:

GAO-03-673G:

This revision of the standards supersedes the 1994 revision, 
including amendments 1 through 3. Its provisions are effective for 
financial audits and attestation engagements of periods ending on or 
after January 1, 2004, and for performance audits beginning on or 
after January 1, 2004. Early application is permissible.

Letter:

The concept of accountability for public resources is key in our 
nation's governing process and a critical element for a healthy 
democracy. Legislators, government officials, and the public want to 
know whether government services are being provided efficiently, 
effectively, economically, and in compliance with laws and regulations. 
They also want to know whether government programs are achieving their 
objectives and desired outcomes, and at what cost. Government managers 
are accountable to legislative bodies and the public for their 
activities and related results. Government auditing is a key element in 
fulfilling the government's duty to be accountable to the people. 
Auditing allows those parties and other stakeholders to have confidence 
in the reported information on the results of programs or operations, 
as well as in the related systems of internal control. Government 
auditing standards provide a framework to auditors so that their work 
can lead to improved government management, decision making, oversight 
and accountability.

These standards are broad statements of auditors' responsibilities. 
They provide an overall framework for ensuring that auditors have the 
competence, integrity, objectivity, and independence in planning, 
conducting, and reporting on their work. Auditors will face many 
situations in which they could best serve the public by doing work 
exceeding the standards' minimum requirements. As performance and 
accountability professionals, we should not strive just to comply with 
minimum standards, which represent the floor of acceptable behavior, 
but we need to do the right thing according to the facts and 
circumstances of each audit situation. I encourage auditors to seek 
opportunities to do additional work when and where it is appropriate, 
particularly in connection with testing and reporting on internal 
control.

This is the fourth revision of the overall standards since they were 
first issued in 1972. This revision of the standards supersedes the 
1994 revision, including amendments 1 through 3. This revision makes 
changes to these standards in the following 3 areas:

* redefining the types of audits and services covered by the standards, 
including an expansion of the definition of performance auditing to 
incorporate prospective analyses and other studies and adding 
attestation as a separate type of audit,

* providing consistency in the field work and reporting requirements 
among all types of audits defined under the standards, and

* strengthening the standards and clarifying the language in areas 
that, by themselves, do not warrant a separate amendment to the 
standards.

These standards contain requirements for auditor reporting on internal 
control, but they do not require the auditor to render an opinion on 
internal control. Nevertheless, I encourage auditors to evaluate those 
situations where they are reporting on internal control to determine 
whether providing an opinion on internal control would add value and be 
cost beneficial based on related risks. The Sarbanes-Oxley Act requires 
private sector auditors to attest to and report on the assessment made 
by management of each publicly traded company on the effectiveness of 
internal control over financial reporting. GAO strongly believes that 
auditor reporting on internal control is a critical component of 
monitoring the effectiveness of an organization's risk management and 
accountability systems. Auditors can better serve their clients and 
other financial statement users and better protect the public interest 
by having a greater role in providing assurances over the effectiveness 
of internal control in deterring fraudulent financial reporting, 
protecting assets, and providing an early warning of emerging problems. 
We believe auditor reporting on internal control is appropriate and 
necessary for publicly traded companies and major public entities. We 
also believe that such reporting is appropriate in other cases where 
management assessment and auditor examination and reporting on the 
effectiveness of internal control add value and mitigate risk in a cost 
beneficial manner. In this regard, GAO seeks to lead by example in 
establishing the appropriate level of auditor reporting on internal 
control for federal agencies, programs, and entities receiving 
significant amounts of federal funding. In fact, we already provide 
opinions on internal control for all our major federal audit clients, 
including the consolidated financial statements of the U.S. Government.

Because of the breadth of the fourth revision to the overall standards, 
any new standards are applicable for financial audits and attestation 
engagements of periods ending on or after January 1, 2004, and for 
performance audits beginning on or after January 1, 2004. Early 
application is permissible and encouraged. An electronic version of 
these standards can be accessed on the Web at 
www.gao.gov/govaud/ybk01.htm. We have also posted a listing of the 
major changes from the 1994 Revision to this Web site. Printed copies 
can be obtained from the U.S. Government Printing Office.

This revision of the standards currently incorporates the field work 
and the reporting standards issued by the American Institute of 
Certified Public Accountants (AICPA). The Sarbanes-Oxley Act gives the 
Public Company Accounting Oversight Board (PCAOB) the authority to set 
auditing standards to be used by registered public accounting firms in 
the preparation and issuance of audit reports for publicly traded 
companies. As the PCAOB promulgates auditing standards for audits of 
these entities, GAO will continue to closely monitor the actions of 
both standard setting bodies and will issue clarifying guidance as 
necessary on the incorporation of future standards set by either 
standard setting body.

This revision has gone through an extensive deliberative process 
including extensive public comments and input from the Comptroller 
General's Advisory Council on Government Auditing Standards, which 
includes 21 experts in financial and performance auditing and reporting 
drawn from all levels of government, academia, private enterprise, and 
public accounting. The views of all parties were thoroughly considered 
in finalizing the standards. I thank those who commented and suggested 
improvements to the standards. I especially commend the Advisory 
Council on Government Auditing Standards and the GAO project team for 
important contributions to this revision.

David M. Walker 
Comptroller General of the United States:

Signed by David M. Walker: 

June 2003:

[End of section]

Contents:

Chapter 1: Introduction: 

Purpose:

Applicability:

Relationship between GAGAS and Other Professional Standards:

Accountability:

Roles and Responsibilities:

Chapter 2: Types of Government Audits and Attestation Engagements: 

Introduction:

Financial Audits:

Attestation Engagements:

Performance Audits:

Nonaudit Services Provided by Audit Organizations:

Chapter 3: General Standards:

Introduction:

Independence:

Professional Judgment:

Competence:

Quality Control and Assurance:

Chapter 4: Field Work Standards for Financial Audits:

Introduction:

AICPA Field Work Standards:

Additional GAGAS Standards:

Auditor Communication:

Considering the Results of Previous Audits and Attestation Engagements:

Detecting Material Misstatements Resulting from Violations of Contract 
Provisions or Grant Agreements, or from Abuse:

Developing Elements of a Finding:

Audit Documentation:

Chapter 5: Reporting Standards for Financial Audits:

Introduction:

AICPA Reporting Standards:

Additional GAGAS Reporting Standards for Financial Audits:

Reporting Auditors' Compliance with GAGAS:

Reporting on Internal Control and on Compliance with Laws, Regulations, 
and Provisions of Contracts or Grant Agreements:

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, 
Violations of Provisions of Contracts or Grant Agreements, and Abuse:

Reporting Views of Responsible Officials:

Reporting Privileged and Confidential Information:

Report Issuance and Distribution:

Chapter 6: General, Field Work, and Reporting Standards for 
Attestation Engagements:

Introduction:

AICPA General and Field Work Standards for Attestation Engagements:

Additional GAGAS Field Work Standards for Attestation Engagements:

Auditor Communication:

Considering the Results of Previous Audits and Attestation Engagements:

Internal Control:

Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or 
Grant Agreements, and Abuse That Could Have a Material Effect on the 
Subject Matter:

Developing Elements of Findings for Attestation Engagements:

Attest Documentation:

AICPA Reporting Standards for Attestation Engagements:

Additional GAGAS Reporting Standards for Attestation Engagements:

Reporting Auditors' Compliance with GAGAS:

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, 
Violations of Provisions of Contracts or Grant Agreements, and Abuse:

Reporting Views of Responsible Officials:

Reporting Privileged and Confidential Information:

Report Issuance and Distribution:

Chapter 7: Field Work Standards for Performance Audits:

Introduction:

Planning:

Supervision:

Evidence:

Audit Documentation:

Chapter 8: Reporting Standards for Performance Audits:

Introduction:

Form:

Report Contents:

Report Quality Elements:

Report Issuance and Distribution:

Appendix: Appendix I Advisory Council on Government Auditing 
Standards: 

GAO Project Team:

Index:

Abbreviations:

AICPA: American Institute of Certified Public Accountants:

COSO: Committee of Sponsoring Organizations of the Treadway Commission:

CPA: certified public accountant:

CPE: continuing professional education:

GAAP: generally accepted accounting principles:

GAAS: generally accepted auditing standards:

GAGAS: generally accepted government auditing standards:

GAO: U.S. General Accounting Office:

MD&A: Management's Discussion and Analysis:

OMB: U.S. Office of Management and Budget:

SAS: AICPA Statements on Auditing Standards:

SSAE: AICPA Statements on Standards for Attestation Engagements:

Chapter 1 Introduction:

Purpose:

1.01: The standards and guidance contained in this document, often 
referred to as generally accepted government auditing standards 
(GAGAS), are intended for use by government auditors[Footnote 1] to 
ensure that they maintain competence, integrity, objectivity, and 
independence in planning, conducting, and reporting their work, and are 
to be followed by auditors and audit organizations when required by 
law, regulation, contract, agreement, or policy.[Footnote 2] The work 
performed in accordance with GAGAS, which is described in this chapter 
and more fully in chapter 2, includes financial audits, attestation 
engagements, and performance audits. Users of government audits and 
attestation engagements that are performed in accordance with GAGAS 
should have confidence that the work is objective and credible.

1.02: GAGAS pertain to auditors' professional qualifications and the 
quality of their work, the performance of field work, and the 
characteristics of meaningful reporting. Adherence to GAGAS can help 
ensure that audits and attestation engagements provide credibility to 
the information reported by or obtained from officials of the audited 
entity through objectively acquiring and evaluating evidence. When 
auditors perform their work in this manner and comply with GAGAS in 
reporting the results, their work can lead to improved government 
management, decision making, and oversight. Government auditing is also 
a key element in fulfilling the government's duty to be accountable to 
the public.

1.03: This chapter describes the applications of GAGAS by auditors and 
audit organizations. This chapter also describes the concept of 
accountability for public resources and discusses the responsibilities 
of managers of government programs, auditors, and audit organizations 
in the audit process.

Applicability:

1.04: The standards and guidance in this document apply to audits and 
attestation engagements of government entities, programs, activities, 
and functions, and of government assistance administered by 
contractors, nonprofit entities, and other nongovernmental entities. A 
number of statutes and other mandates require that auditors follow 
GAGAS. Where a statute or other mandate does not exist, auditors will 
find it useful to follow GAGAS in work regarding the use of government 
funds. If auditors hold themselves out as following GAGAS, regardless 
of whether the auditors are required to follow such standards, the 
auditors need to justify any departures from GAGAS.

1.05: The following are among the laws, regulations, and guidelines 
that require use of GAGAS:

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000) 
requires that the statutorily appointed federal inspectors general 
comply with GAGAS for audits of federal establishments, organizations, 
programs,[Footnote 3] activities, and functions. The act further states 
that the inspectors general shall take appropriate steps to assure that 
any work performed by nonfederal auditors complies with GAGAS.

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as 
expanded by the Government Management Reform Act of 1994 (Public Law 
103-356), requires that GAGAS be followed in audits of executive branch 
departments' and agencies' financial statements.

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require 
that GAGAS be followed in audits of state and local governments and 
nonprofit entities that receive federal awards.[Footnote 4] The Office 
of Management and Budget (OMB) Circular A-133, Audits of States, Local 
Governments, and Non-Profit Organizations, which provides the 
government-wide guidelines and policies on performing audits to comply 
with the Single Audit Act, also requires the use of GAGAS.

1.06: Auditors need to be alert to other laws, regulations, or other 
authoritative sources that could require the use of GAGAS. For example, 
state and local laws and regulations may require auditors at the state 
and local levels of government to follow GAGAS. Also, the terms of an 
agreement or contract may require auditors to comply with GAGAS. 
Federal audit guidelines pertaining to program requirements, such as 
those issued for Housing and Urban Development programs and Student 
Financial Aid programs, may also require that GAGAS be followed.

1.07: Even if not required to do so, auditors may find it useful to 
follow GAGAS in performing audits of federal, state, and local 
government programs as well as in performing audits of government 
awards administered by contractors, nonprofit entities, and other 
nongovernment entities. Many audit organizations not formally required 
to do so, both in the United States of America and in other countries, 
voluntarily follow GAGAS.

1.08: Auditors may provide professional services, other than audits and 
attestation engagements, that consist solely of gathering, providing, 
and explaining information requested by decision makers or by providing 
advice or assistance to officials of the audited entity. GAGAS are not 
applicable to nonaudit services, which are described more fully in 
chapter 2. However, providing nonaudit services may affect an audit 
organization's independence to conduct audits, which is discussed in 
chapter 3.

Relationship between GAGAS and Other Professional Standards:

1.09: GAGAS may be used in conjunction with professional standards 
issued by other authoritative bodies. For example, the American 
Institute of Certified Public Accountants (AICPA) has issued 
professional standards that apply in financial audits and attestation 
engagements performed by certified public accountants (CPA). GAGAS 
incorporate the AICPA's field work and reporting standards and the 
related statements on auditing standards for financial audits unless 
specifically excluded, as discussed in chapters 4 and 5. GAGAS 
incorporate the AICPA's general standard on criteria, and the field 
work and reporting standards and the related statements on the 
standards for attestation engagements, unless specifically excluded, as 
discussed in chapter 6. To meet the needs of users of government audits 
and attestation engagements, GAGAS also prescribe requirements in 
addition to those provided by the AICPA for these types of work.

1.10: Other professional standards that may be used by auditors are 
issued by such bodies as the Institute of Internal Auditors 
(Codification of the Standards for the Professional Practice of 
Internal Auditing, The Institute of Internal Auditors, Inc.) and the 
American Evaluation Association (Guiding Principles for Evaluators, a 
report from the American Evaluation Association Task Force on Guiding 
Principles for Evaluators; The Program Evaluation Standards, Joint 
Committee on Standards for Education Evaluation; and Standards for 
Educational and Psychological Testing, American Psychological 
Association.) These other professional standards are not incorporated 
into GAGAS, but can be used in conjunction with GAGAS. To the extent of 
any inconsistencies between the standards, GAGAS should prevail as the 
controlling (authoritative) source if GAGAS are cited in the report.

Accountability:

1.11: The concept of accountability for public resources is key in our 
nation's governing processes. Legislators, other government officials, 
and the public want to know whether (1) government resources are 
managed properly and used in compliance with laws and regulations, (2) 
government programs are achieving their objectives and desired 
outcomes, and (3) government services are being provided efficiently, 
economically, and effectively. Managers of these programs are 
accountable to legislative bodies and the public. Auditors of these 
programs, when they adhere to GAGAS, provide reports that enhance the 
credibility and reliability of the information that is reported by or 
obtained from officials of the audited entity.

1.12: Financial audits contribute to making governments more 
accountable for the use of public resources. The auditors, in 
providing an independent report on whether an entity's financial 
information is presented fairly in accordance with recognized 
criteria, provide users with statements concerning the reliability of 
the information. Financial audits performed in accordance with GAGAS 
also provide information about internal control, compliance with laws 
and regulations, and provisions of contracts and grant agreements as 
they relate to financial transactions, systems, and processes.

1.13: Attestation engagements also contribute to governments' 
accountability for the use of public resources and the delivery of 
services. In an attestation engagement, auditors issue an examination, 
a review, or an agreed-upon procedures report on a subject matter or on 
an assertion about a subject matter, based on or in conformity with 
criteria that is the responsibility of another party. Attestation 
engagements can cover a broad range of financial or nonfinancial 
objectives and provide various levels of assurance about the subject 
matter or assertion dependent upon the user's needs.

1.14: Performance audits also contribute to governments' accountability 
for the use of public resources and the delivery of services. The term 
performance audit is used to include a variety of objectives to meet 
users' needs. Performance audits provide an independent assessment of 
the performance and management of government programs against objective 
criteria or an assessment of best practices and other information. 
Performance audits provide information to improve program operations, 
facilitate decision making by parties with responsibility to oversee or 
initiate corrective action, and contribute to public accountability. 
The term performance audit is used generically to include work 
classified by some audit organizations as program evaluations, program 
effectiveness and results audits, economy and efficiency audits, 
operational audits, and value-for-money audits.

1.15: Given the importance and complexity of government programs in 
providing a variety of public services, auditors are increasingly being 
called on by legislative bodies and government agencies to expand the 
variety of performance audits to include work that has a prospective 
focus or provides guidance, best practice information, or information 
on issues that affect multiple programs or entities already studied or 
under study by an audit organization. This work may also include an 
assessment of policy alternatives, identification of risks and risk 
mitigation efforts, and a variety of analytical services to aid 
government officials in performing their responsibilities and carrying 
out their stewardship of government resources. Such work, like other 
performance audits, (1) involves a level of analysis, research, or 
evaluation, (2) may provide conclusions and recommendations, and (3) 
results in a report.

1.16: Audit organizations may also seek to achieve improvement through 
cooperative engagements with affected agencies while continuing to 
maintain independence under the standards. Such "constructive 
engagement" approaches, where appropriate, can facilitate management 
improvements on a real-time basis without compromising the audit 
organization's independence and objectivity. Efforts to provide 
technical advice and expertise to agencies for use in responding to 
current risks, correcting internal control deficiencies, or responding 
to the audit organization's recommendations are examples of 
constructive engagements. Constructive engagement approaches will not 
impair independence when conducted within the framework of an audit or 
as technical advice to agencies. However, audit organizations need to 
take care to avoid making management decisions or to avoid situations 
that would result in the audit organization auditing its own work, such 
as directing agencies to undertake a specific activity in a specific 
manner as discussed more fully in chapter 3 of these standards. By 
limiting the audit organization's role in this way, the overarching 
principles of independence are not violated.

Roles and Responsibilities:

1.17: Officials of the audited entity entrusted with handling public 
resources and auditors of government programs fulfill essential roles 
and responsibilities in ensuring that public resources are used 
efficiently, economically, effectively, and legally. Audit 
organizations also have the important responsibility of ensuring that 
auditors can meet their responsibilities. These unique roles involve 
using sound management practices and providing professional audits and 
attestation engagements.

Management's Role:

1.18: Officials of the audited entity (for example, managers of a state 
or local governmental entity or a nonprofit entity that receives 
federal awards) are responsible for:

a. applying those resources efficiently, economically, effectively, and 
legally to achieve the purposes for which the resources were furnished 
or the program was established;[Footnote 5]

b. complying with applicable laws and regulations, including 
identifying the requirements with which the entity and the official 
must comply and implementing systems designed to achieve that 
compliance;

c. establishing and maintaining effective internal control to help 
ensure that appropriate goals and objectives are met; resources are 
used efficiently, economically, and effectively, and are safeguarded; 
laws and regulations are followed; and reliable data are obtained, 
maintained, and fairly disclosed;

d. providing appropriate reports to those who oversee their actions and 
to the public in order to be accountable for the resources used to 
carry out government programs and the results of these programs;

e. addressing the findings and recommendations of auditors, and for 
establishing and maintaining a process to track the status of such 
findings and recommendations; and

f. following sound procurement practices when contracting for audits 
and attestation engagements, including ensuring procedures are in place 
for monitoring contract performance. The objectives and scope of the 
audit or attestation engagement need to be made clear. In addition to 
price, other factors that may be considered in evaluating bid proposals 
include the responsiveness of the bidder to the request for proposal; 
the prior performance and experience of the bidder; the availability of 
the bidder's staff who have the appropriate professional qualifications 
and technical abilities; and the results of the bidder's peer reviews.

Auditors' Responsibilities:

1.19: In discharging their professional responsibilities, auditors need 
to observe the principles of serving the public interest and 
maintaining the highest degree of integrity, objectivity, and 
independence. The public interest is defined as the collective 
well-being of the community of people and entities the auditors serve. These 
principles are fundamental to the responsibilities of auditors.

1.20: Auditors should act in a way that will serve the public interest, 
honor the public trust, and uphold their professionalism. A 
distinguishing mark of a profession is acceptance of its responsibility 
to the public. This responsibility is critical when auditing in the 
government environment. GAGAS embody the concept of accountability, 
which is fundamental to serving the public interest.

1.21: Auditors need to make decisions that are consistent with the 
public interest in the program or activity under audit. In discharging 
their professional responsibilities, auditors may encounter 
conflicting pressures from management of the audited entity, various 
levels of government, and others who rely on the objectivity and 
independence of the auditors. In resolving those conflicts, auditors 
are responsible for acting with integrity, guided by the precept that 
when auditors fulfill their responsibilities to the public, these 
individuals' and organizations' interests are best served.

1.22: To maintain and broaden public confidence, auditors need to 
perform all professional responsibilities with the highest degree of 
integrity. Auditors need to be professional, objective, fact-based, 
nonpartisan, and non-ideological in their relationships with audited 
entities and users of the auditors' reports. Auditors should be honest 
and candid with the audited entity and users of the auditors' work in 
the conduct of their work, within the constraints of the audited 
entity's confidentiality laws, rules, or policies. Auditors need to be 
prudent in the use of information acquired in the course of their 
duties. They should not use such information for any personal gain or 
in any manner that would be detrimental to the legitimate and ethical 
objectives of the audited entity.

1.23: Service and the public trust should not be subordinated to 
personal gain and advantage. Integrity can accommodate the inadvertent 
error and the honest difference of opinion; it cannot accommodate 
deceit or subordination of principle. Integrity requires auditors to 
observe both the form and the spirit of technical and ethical 
standards; circumvention of those standards constitutes subordination 
of judgment. Integrity also requires auditors to observe the principles 
of objectivity and independence.

1.24: Auditors should be objective and free of conflicts of interest in 
discharging their professional responsibilities. Auditors are also 
responsible for being independent in fact and appearance when providing 
audit and attestation services. Objectivity is a state of mind that 
requires auditors to be impartial, intellectually honest, and free of 
conflicts of interest. Independence precludes relationships that may in 
fact or appearance impair auditors' objectivity in performing the audit 
or attestation engagement. The maintenance of objectivity and 
independence requires continuing assessment of relationships with the 
audited entities in the context of the auditors' responsibility to the 
public.

1.25: In applying GAGAS, auditors are responsible for using 
professional judgment when establishing scope and methodologies for 
their work, determining the tests and procedures to be performed, 
conducting the work, and reporting the results. Auditors need to 
maintain integrity and objectivity when doing their work to make 
decisions that are consistent with the broader public interest in the 
program or activity under review. When reporting on the results of 
their work, auditors are responsible for disclosing all material or 
significant facts known to them which, if not disclosed, could mislead 
knowledgeable users, misrepresent the results, or conceal improper or 
unlawful practices.

1.26: Auditors are responsible for helping management and other report 
users[Footnote 6] understand the auditors' responsibilities under GAGAS 
and other audit or attestation coverage required by law or regulation. 
To help managers and other report users understand an engagement's 
objectives, time frames, and data needs, auditors need to communicate 
information concerning planning, conduct, and reporting of the 
engagement to the parties involved during the planning stages of the 
audit or attestation engagement.

Audit Organizations' Responsibilities:

1.27: Audit organizations also have responsibility for ensuring that 
(1) independence and objectivity are maintained in all phases of the 
assignment, (2) professional judgment is used in planning and 
performing the work and in reporting the results, (3) the work is 
performed by personnel who are professionally competent and 
collectively have the necessary skills and knowledge, and (4) an 
independent peer review is periodically performed resulting in an 
opinion issued as to whether an audit organization's system of quality 
control is designed and being complied with to provide reasonable 
assurance of conforming with professional standards.

1.28: While management is responsible for addressing audit and 
attestation engagement findings and recommendations and tracking their 
status of resolution, audit organizations are responsible for 
establishing policies and procedures for follow-up to determine whether 
previous significant findings and recommendations are addressed and are 
considered in planning future engagements.

[End of section]

Chapter 2: Types of Government Audits and Attestation Engagements:

Introduction:

2.01: This chapter describes the types of audits and attestation 
engagements that audit organizations perform, or arrange to have 
performed, of government entities, programs, and federal awards 
administered by contractors, nonprofit entities, and other 
nongovernment entities. This description is not intended to limit or 
require the types of audits or attestation engagements that may be 
performed or arranged to be performed. In performing work described 
below in accordance with generally accepted government auditing 
standards (GAGAS), auditors should follow the applicable standards 
included and incorporated in chapters 3 through 8. This chapter also 
describes nonaudit services that audit organizations may provide, 
although these services are not covered by GAGAS.

2.02: All engagements begin with objectives, and those objectives 
determine the type of work to be performed and the auditing standards 
to be followed. The types of work, as defined by their objectives that 
are covered by GAGAS, are classified in this document as financial 
audits, attestation engagements, and performance audits.

2.03: Engagements may have a combination of objectives that include 
more than one type of work described in this chapter or may have 
objectives limited to only some aspects of one type of work. Auditors 
should follow the standards that are applicable to the individual 
objectives of the audit or attestation engagement.

2.04: In some engagements, the applicable standards that apply to the 
specific audit objective will be apparent. For example, if the audit 
objective is to express an opinion on financial statements, the 
standards for financial audits apply. However, for some engagements, 
there may be overlap between the applicable objectives. For example, if 
the objectives are to determine the reliability of performance 
measures, this work can be done in accordance with either the standards 
for attestation engagements or for performance audits. In cases where 
there is a choice between applicable standards, auditors should 
consider users' needs and the auditors' knowledge, skills, and 
experience in deciding which standards to follow. Auditors should apply 
the standards that are applicable to the type of assignment conducted 
(the financial audit standards, the attestation engagement standards, 
or the performance auditing standards).

Financial Audits:

2.05: Financial audits are primarily concerned with providing reasonable 
assurance about whether financial statements are presented fairly 
in all material respects in conformity with generally accepted 
accounting principles (GAAP),[Footnote 7] or with a comprehensive 
basis of accounting other than GAAP. Other objectives of financial 
audits, which provide for different levels of assurance and entail 
various scopes of work, may include:

a. providing special reports for specified elements, accounts, or items 
of a financial statement;[Footnote 8]

b. reviewing interim financial information;

c. issuing letters for underwriters and certain other requesting 
parties;

d. reporting on the processing of transactions by service 
organizations; and

e. auditing compliance with regulations relating to federal award 
expenditures and other governmental financial assistance in conjunction 
with or as a by-product of a financial statement audit.

2.06: Financial audits are performed under the American Institute of 
Certified Public Accountants' (AICPA) generally accepted auditing 
standards for field work and reporting, as well as the related AICPA 
Statements on Auditing Standards (SAS). GAGAS prescribe general 
standards and additional field work and reporting standards beyond 
those provided by the AICPA when performing financial audits. (See 
chapters 3, 4, and 5 for standards and guidance for auditors performing 
a financial audit in accordance with GAGAS.)

Attestation Engagements:

2.07: Attestation engagements[Footnote 9] concern examining, reviewing, 
or performing agreed-upon procedures on a subject matter or an 
assertion[Footnote 10] about a subject matter and reporting on the 
results. The subject matter of an attestation engagement may take many 
forms, including historical or prospective performance or condition, 
physical characteristics, historical events, analyses, systems and 
processes, or behavior. Attestation engagements can cover a broad range 
of financial or nonfinancial subjects and can be part of a financial 
audit or performance audit. Possible subjects of attestation 
engagements could include reporting on:

a. an entity's internal control over financial reporting;

b. an entity's compliance with requirements of specified laws, 
regulations, rules, contracts, or grants;

c. the effectiveness of an entity's internal control over compliance 
with specified requirements, such as those governing the bidding for, 
accounting for, and reporting on grants and contracts;

d. management's discussion and analysis (MD&A) presentation;

e. prospective financial statements or pro-forma financial information;

f. the reliability of performance measures;

g. final contract cost;

h. allowability and reasonableness of proposed contract amounts; and

i. specific procedures performed on a subject matter (agreed-upon 
procedures).

2.08: Attestation engagements are performed under the AICPA's 
attestation standards, as well as the related AICPA Statements on 
Standards for Attestation Engagements (SSAE). GAGAS prescribe general 
standards and additional field work and reporting standards beyond 
those provided by the AICPA for attestation engagements. (See chapters 
3 and 6 for standards and guidance for auditors performing an 
attestation engagement in accordance with GAGAS.)

Performance Audits:

2.09: Performance audits entail an objective and systematic examination 
of evidence to provide an independent assessment of the performance and 
management of a program against objective criteria as well as 
assessments that provide a prospective focus or that synthesize 
information on best practices or cross-cutting issues. Performance 
audits provide information to improve program operations and facilitate 
decision making by parties with responsibility to oversee or initiate 
corrective action, and improve public accountability. Performance 
audits encompass a wide variety of objectives, including objectives 
related to assessing program effectiveness and results; economy and 
efficiency; internal control;[Footnote 11] compliance with legal or 
other requirements; and objectives related to providing prospective 
analyses, guidance, or summary information. Performance audits may 
entail a broad or narrow scope of work and apply a variety of 
methodologies; involve various levels of analysis, research, or 
evaluation; generally provide findings, conclusions, and 
recommendations; and result in the issuance of a report. (See chapters 
3, 7, and 8 for standards and guidance for auditors performing a 
performance audit in accordance with GAGAS.)

2.10: Program effectiveness and results audit objectives address the 
effectiveness of a program and typically measure the extent to which a 
program is achieving its goals and objectives. Economy and efficiency 
audit objectives concern whether an entity is acquiring, protecting, 
and using its resources in the most productive manner to achieve 
program objectives. Program effectiveness and results audit objectives 
and economy and efficiency audit objectives are often interrelated and 
may be concurrently addressed in a performance audit. Examples of these 
audit objectives include assessing:

a. the extent to which legislative, regulatory, or organizational goals 
and objectives are being achieved;

b. the relative ability of alternative approaches to yield better 
program performance or eliminate factors that inhibit program 
effectiveness;

c. the relative cost and benefits or cost effectiveness of program 
performance;[Footnote 12]

d. whether a program produced intended results or produced effects that 
were not intended by the program's objectives;

e. the extent to which programs duplicate, overlap, or conflict with 
other related programs;

f. whether the audited entity is following sound procurement practices;

g. the validity and reliability of performance measures concerning 
program effectiveness and results, or economy and efficiency; and

h. the reliability, validity, or relevance of financial information 
related to the performance of a program.

2.11: Internal control audit objectives relate to management's plans, 
methods, and procedures used to meet its mission, goals, and 
objectives. Internal control includes the processes and procedures for 
planning, organizing, directing, and controlling program operations, 
and the system put in place for measuring, reporting, and monitoring 
program performance. Examples of audit objectives related to internal 
control include the extent that internal control of a program provides 
reasonable assurance that:

a. organizational missions, goals, and objectives are achieved 
effectively and efficiently;

b. resources are used in compliance with laws, regulations, or other 
requirements;

c. resources are safeguarded against unauthorized acquisition, use, or 
disposition;

d. management information and public reports that are produced, such as 
performance measures, are complete, accurate, and consistent to support 
performance and decision making;

e. security over computerized information systems will prevent or 
timely detect unauthorized access; and

f. contingency planning for information systems provides essential 
back-up to prevent unwarranted disruption of activities and functions 
the systems support.

2.12: Compliance audit objectives relate to compliance criteria 
established by laws, regulations, contract provisions, grant 
agreements, and other requirements[Footnote 13] that 
could affect the acquisition, protection, and use of the entity's 
resources and the quantity, quality, timeliness, and cost of services 
the entity produces and delivers. Compliance objectives also concern 
the purpose of the program, the manner in which it is to be conducted 
and services delivered, and the population it serves.

2.13: Audit organizations also undertake work that provides a 
prospective focus or may provide guidance, best practice information, 
and information that cuts across program or organizational lines, or 
summary information on issues already studied or under study by an 
audit organization. Examples of objectives pertaining to this work 
include:

a. assessing program or policy alternatives, including forecasting 
program outcomes under various assumptions;

b. assessing the advantages and disadvantages of legislative proposals;

c. analyzing views of stakeholders on policy proposals for decision 
makers;

d. analyzing budget proposals or budget requests to assist legislatures 
in the budget process;

e. identifying best practices for users in evaluating program or 
management system approaches, including financial and information 
management systems; and

f. producing a high-level summary or a report that affects multiple 
programs or entities on issues studied or under study by the audit 
organization.

Nonaudit Services Provided by Audit Organizations:

2.14: Audit organizations may also provide nonaudit services that are 
not covered by GAGAS.[Footnote 14] Nonaudit services generally differ 
from financial audits, attestation engagements, and performance audits 
in that auditors may (1) perform tasks requested by management that 
directly support the entity's operations, such as developing or 
implementing accounting systems; determining account balances; 
developing internal control systems; establishing capitalization 
criteria; processing payroll; posting transactions; evaluating assets; 
designing or implementing information technology or other systems; or 
performing actuarial studies or (2) provide information or data to a 
requesting party without providing verification, analysis, or 
evaluation of the information or data, and, therefore, the work does 
not usually provide a basis for conclusions, recommendations, or 
opinions on the information or data. These services may or may not 
result in the issuance of a report. In the case of nongovernment 
auditors who conduct audits under GAGAS, the term nonaudit services is 
synonymous with consulting services.

2.15: GAGAS do not cover nonaudit services described in this chapter 
since such services are not audits or attestation engagements. 
Therefore, auditors should not report that nonaudit services were 
conducted in accordance with GAGAS. However, audit organizations are 
encouraged to establish policies for maintaining the quality of this 
type of work, and may wish to disclose such policies in any product 
resulting from this work, any other professional standards followed, 
and the quality control steps taken.

2.16: Importantly, although GAGAS do not provide standards for 
conducting nonaudit services, auditors providing such services need to 
ensure that their independence to provide audit services is not 
impaired by providing nonaudit services. (See chapter 3, general 
standards on independence.)

[End of section]

Chapter 3: General Standards:

Introduction:

3.01: This chapter prescribes general standards and provides guidance 
for performing financial audits, attestation engagements,[Footnote 15] 
and performance audits. These general standards concern the fundamental 
requirements for ensuring the credibility of auditors' results. 
Credibility is essential to all audit organizations performing work 
that government leaders and other users rely on for making decisions, 
and is what the public expects of information provided by auditors. 
These general standards encompass the independence of the audit 
organization and its individual auditors; the exercise of professional 
judgment in the performance of work and the preparation of related 
reports; the competence of audit staff, including the need for their 
continuing professional education; and the existence of quality control 
systems and external peer reviews.

3.02: These general standards provide the underlying framework that is 
critical in effectively applying the field work and reporting standards 
described in the following chapters when performing the detailed work 
associated with audits or attestation engagements and when preparing 
related reports and other products. Therefore, these general standards 
are required to be followed by all auditors and audit organizations, 
both government and nongovernment, performing work under generally 
accepted government auditing standards (GAGAS).

Independence:

3.03: The general standard related to independence is:

In all matters relating to the audit work, the audit organization and 
the individual auditor, whether government or public, should be free 
both in fact and appearance from personal, external, and organizational 
impairments to independence.

3.04: Auditors and audit organizations have a responsibility to 
maintain independence so that opinions, conclusions, judgments, and 
recommendations will be impartial and will be viewed as impartial by 
knowledgeable third parties. Auditors should avoid situations that 
could lead reasonable third parties with knowledge of the relevant 
facts and circumstances to conclude that the auditors are not able to 
maintain independence and, thus, are not capable of exercising 
objective and impartial judgment on all issues associated with 
conducting and reporting on the work.

3.05: Auditors need to consider three general classes of impairments to 
independence--personal, external, and organizational.[Footnote 16] If 
one or more of these impairments affects an individual auditor's 
capability to perform the work and report results impartially, that 
auditor should either decline to perform the work, or in those 
situations in which the government auditor, because of a legislative 
requirement or for other reasons, cannot decline to perform the work, 
the impairment or impairments should be reported in the scope section 
of the audit report.

3.06: In using the work of a specialist,[Footnote 17] auditors need to 
consider the specialist as a member of the audit team and, accordingly, 
assess the specialist's ability to perform the work and report results 
impartially. In conducting this assessment, auditors should provide the 
specialist with the GAGAS independence requirements and obtain 
representations from the specialist regarding the specialist's 
independence from the activity or program under audit. If the 
specialist has an impairment to independence, auditors should not use 
the work of that specialist.

Personal Impairments:

3.07: The audit organization should have an internal quality control 
system to help determine whether auditors have any personal impairments 
to independence that could affect their impartiality or the appearance 
of impartiality. The audit organization needs to be alert for personal 
impairments to independence of its staff members. Personal impairments 
of staff members result from relationships and beliefs that might cause 
auditors to limit the extent of the inquiry, limit disclosure, or 
weaken or slant audit findings in any way. Auditors are responsible for 
notifying the appropriate officials within their audit organizations if 
they have any personal impairments to independence. Examples of 
personal impairments of individual auditors include, but are not 
limited to, the following:

a. immediate family or close family member[Footnote 18] who is a 
director or officer of the audited entity, or as an employee of the 
audited entity, is in a position to exert direct and significant 
influence over the entity or the program under audit;

b. financial interest that is direct, or is significant/material though 
indirect, in the audited entity or program;[Footnote 19]

c. responsibility for managing an entity or decision making that could 
affect operations of the entity or program being audited; for example 
as a director, officer, or other senior position of the entity, 
activity, or program being audited, or as a member of management in any 
decision making, supervisory, or ongoing monitoring function for the 
entity, activity, or program under audit;[Footnote 20],[Footnote 21]

d. concurrent or subsequent performance of an audit by the same 
individual who maintained the official accounting records when such 
services involved preparing source documents or originating data, in 
electronic or other form; posting transactions (whether coded by 
management or not coded); authorizing, executing, or consummating 
transactions (for example, approving invoices, payrolls, claims, or 
other payments of the entity or program being audited); maintaining an 
entity's bank account or otherwise having custody of the audited 
entity's funds; or otherwise exercising authority on behalf of the 
entity, or having authority to do so;[Footnote 22]

e. preconceived ideas toward individuals, groups, organizations, or 
objectives of a particular program that could bias the audit;

f. biases, including those induced by political, ideological, or social 
convictions, that result from employment in, or loyalty to, a 
particular type of policy, group, organization, or level of government; 
and

g. seeking employment with an audited organization during the conduct 
of the audit.

3.08: Audit organizations and auditors may encounter many different 
circumstances or combination of circumstances that could create a 
personal impairment. Therefore, it is impossible to identify every 
situation that could result in a personal impairment. Accordingly, 
audit organizations should include as part of their internal quality 
control system requirements to identify personal impairments and assure 
compliance with GAGAS independence requirements. At a minimum, audit 
organizations should:

a. establish policies and procedures that will enable the 
identification of personal impairments to independence, including 
whether performing nonaudit services affects the subject matter of 
audits and applying safeguards to appropriately reduce that risk (See 
paragraphs 3.10 through 3.18.);

b. communicate the audit organization's policies and procedures to all 
auditors in the organization and assure understanding of requirements 
through training or other means such as auditors periodically 
acknowledging their understanding;

c. establish internal policies and procedures to monitor compliance 
with the audit organization's policies and procedures;

d. establish a disciplinary mechanism to promote compliance with the 
audit organization's policies and procedures; and

e. stress the importance of independence and the expectation that 
auditors will always act in the public interest.

3.09: When the audit organization identifies a personal impairment to 
independence, the impairment needs to be resolved in a timely manner. 
In situations in which the personal impairment is applicable only to an 
individual auditor on a particular assignment, the audit organization 
may be able to mitigate the personal impairment by requiring the 
auditor to eliminate the personal impairment. For example, the auditor 
could sell a financial interest that created the personal impairment, 
or the audit organization could remove that auditor from any work on 
that audit assignment.[Footnote 23] If the personal impairment cannot 
be mitigated through these means, the audit organization should 
withdraw from the audit. In situations in which government auditors 
cannot withdraw from the audit, they should follow the requirement in 
paragraph 3.05.

3.10: Audit organizations that provide other professional services 
(nonaudit services) should consider whether providing these services 
creates a personal impairment either in fact or appearance that 
adversely affects their independence for conducting audits.[Footnote 24]

3.11: Nonaudit services generally differ from financial audits, 
attestation engagements, and performance audits described in chapter 2 
in that auditors may (1) perform tasks requested by management that 
directly support the entity's operations, such as developing or 
implementing accounting systems; determining account 
balances;[Footnote 25] developing internal control systems; 
establishing capitalization criteria; processing payroll; posting 
transactions; evaluating assets; designing or implementing information 
technology or other systems; or performing actuarial studies, or (2) 
provide information or data to a requesting party without providing 
verification, analysis, or evaluation of the information or data, 
circumstances in which the work does not usually provide a basis for 
conclusions, recommendations, or opinions on the information or data. 
These other services may or may not result in a report. In the case of 
nongovernment auditors who perform audits of government entities under 
GAGAS, the term "nonaudit services" is synonymous with consulting 
services.

3.12: Audit organizations have the capability of performing a range of 
services for their clients. However, in certain circumstances, it is 
not appropriate for the audit organization to perform both audit and 
certain nonaudit services for the same client. In these circumstances, 
auditors and/or the audited entity will have to make a choice as to 
which of these services the audit organization will provide. GAGAS 
recognize that nonaudit services are provided by audit organizations 
and that care needs to be taken to avoid situations that can impair 
auditor independence, either in fact or appearance, when performing 
financial audits, attestation engagements, or performance audits in 
accordance with GAGAS.

3.13: Before an audit organization agrees to perform nonaudit services, 
it should carefully consider the requirements of paragraph 3.04 that 
auditors should avoid situations that could lead reasonable third 
parties with knowledge of the relevant facts and circumstances to 
conclude that auditors are not able to maintain independence in 
conducting audits. In conducting the assessment, the audit organization 
should apply two overarching principles: (1) audit organizations should 
not provide nonaudit services that involve performing management 
functions or making management decisions and (2) audit organizations 
should not audit their own work or provide nonaudit services in 
situations where the nonaudit services are significant/material to the 
subject matter of audits. If the audit organization makes the 
determination that the nonaudit service does not violate these 
principles, it should comply with all the safeguards stated in 
paragraph 3.17.

3.14: Audit organizations should not perform management functions or 
make management decisions. Performing management functions or making 
management decisions creates a situation that impairs the audit 
organization's independence, both in fact and in appearance, to perform 
audits of that subject matter and may affect the audit organization's 
independence to conduct audits of related subject matter. For example, 
auditors should not serve as members of an entity's management 
committee or board of directors, make policy decisions that affect 
future direction and operation of an entity's programs, supervise 
entity employees, develop programmatic policy, authorize an entity's 
transactions, or maintain custody of an entity's assets.[Footnote 26]

3.15: Auditors may participate on committees or task forces in a purely 
advisory capacity to advise entity management on issues related to the 
knowledge and skills of the auditors without impairing their 
independence. However, auditors should not make management decisions or 
perform management functions. For example, auditors can provide routine 
advice to the audited entity and management to assist them in 
activities such as establishing internal controls or implementing audit 
recommendations and can answer technical questions and/or provide 
training. The decision to follow the auditors' advice remains with 
management of the audited entity. These types of interactions are 
normal between auditors and officials of the audited entity given the 
auditors' technical expertise and the knowledge auditors gain of the 
audited entity's operations. Auditors may also provide tools and 
methodologies, such as best practice guides, benchmarking studies, and 
internal control assessment methodologies that can be used by 
management. By their very nature, these are routine activities that 
would not require the audit organization to apply the safeguards 
described in paragraph 3.17.

3.16: Audit organizations should not audit their own work or provide 
nonaudit services if the services are significant/material to the 
subject matter of the audits. In considering whether the nonaudit 
service can have a significant or material effect on the subject matter 
of the audits, audit organizations should consider (1) ongoing audits; 
(2) planned audits; (3) requirements and commitments for providing 
audits, which includes laws, regulations, rules, contracts, and other 
agreements; and (4) policies placing responsibilities on the audit 
organization for providing audit services. Government auditors 
generally have broad audit responsibilities that may extend to a level 
of government or a particular entity within a level of government. 
Given their broad area of audit responsibility, government auditors 
need to be especially careful in providing nonaudit services to the 
entity so that their independence is not impaired for fulfilling their 
full range of audit responsibilities. Nongovernment audit organizations 
may provide audit and nonaudit services (commonly referred to as 
consulting) under contractual commitments to an entity and need to 
consider whether nonaudit services they have provided or are committed 
to provide have a significant or material effect on the subject matter 
of the audits.

3.17: Audit organizations may perform nonaudit services that do not 
violate the principles stated in paragraph 3.13 only if the audit 
organization and the audited entity comply with the following 
safeguards. These safeguards would not apply in connection with the 
type of routine activities described in paragraph 3.15. The intent in 
this paragraph is not for the audit organization to apply these 
safeguards to every interaction it has with management.

a. The audit organization should document its consideration of the 
nonaudit services as discussed in paragraph 3.13, including 
documentation for its rationale that providing the nonaudit services 
does not violate the two overarching principles.

b. Before performing nonaudit services, the audit organization should 
establish and document an understanding with the audited entity 
regarding the objectives, scope of work, and product or deliverables of 
the nonaudit service. The audit organization should also establish and 
document an understanding with management that (1) management is 
responsible for the substantive outcomes of the work and, therefore, 
has a responsibility to be in a position in fact and appearance to make 
an informed judgment on the results of the nonaudit service and (2) the 
audited entity complies with the following:

1. designates a management-level individual to be responsible and 
accountable for overseeing the nonaudit service,

2. establishes and monitors the performance of the nonaudit service to 
ensure that it meets management's objectives,

3. makes any decisions that involve management functions related to the 
nonaudit service and accepts full responsibility for such decisions, 
and

4. evaluates the adequacy of the services performed and any findings 
that result.

c. The audit organization should preclude personnel who provided the 
nonaudit services from planning, conducting, or reviewing audit work of 
subject matter involving the nonaudit service under the overarching 
principle that auditors cannot audit their own work.[Footnote 27]

d. The audit organization is precluded from reducing the scope and 
extent of the audit work below the level that would be appropriate if 
the nonaudit work were performed by an unrelated party.

e. The audit organization's quality control systems for compliance with 
independence requirements should include: (1) policies and procedures 
to assure consideration of the effect on the ongoing, planned, and 
future audits when deciding whether to provide nonaudit services, and 
(2) a requirement to have the understanding with management of the 
audited entity documented. The understanding should be communicated to 
management in writing and can be included in the engagement letter. In 
addition, the documentation should specifically identify management's 
compliance with the elements discussed in paragraph 3.17b, including 
evidence of the management-level individual responsible for overseeing 
the nonaudit service's qualifications to conduct the required oversight 
and that the tasks required of management were performed.

f. By their nature, certain nonaudit services impair the audit 
organization's ability to meet either or both of the overarching 
principles in paragraph 3.13 for certain types of audit work. In these 
cases, the audit organization should communicate to management of the 
audited entity that the audit organization will not be able to perform 
subsequent audit work related to the subject matter of the nonaudit 
service. It should be clear to management up front that the audit 
organization would be in violation of the independence standard if it 
were to perform such audit work and that another audit organization 
that meets the independence standard will have to be engaged to perform 
the audit. For example, if the audit organization has been responsible 
for designing, developing, and/or installing the entity's accounting 
system or is operating the system and then performs a financial 
statement audit of the entity, the audit organization would clearly be 
in violation of the two overarching principles of the GAGAS 
independence standard discussed in paragraph 3.13. Likewise, if the 
audit organization developed an entity's performance measurement 
system, the audit organization would not be deemed independent in 
conducting a performance audit to evaluate whether the system was 
adequate. In both of these examples, the audit organization could 
decide to perform the nonaudit service but would then not be 
independent under GAGAS with regard to the subsequent audit because it 
would be in violation of one or both of the two overarching principles. 
It becomes a matter of choice for the audit organization and the 
audited entity. But the audit organization cannot maintain independence 
under GAGAS while providing both the nonaudit service and performing 
the audit if either of the two overarching principles would be 
violated.

g. For individual audits selected for inspection during a peer review, 
all related nonaudit services should be disclosed to the audit 
organization's peer reviewer, and the audit documentation required by 
paragraphs 3.17a through 3.17e should be made available for inclusion 
in the audit organization's peer review.

3.18: Audit organizations and auditors may encounter many different 
circumstances or combinations of circumstances; therefore, it is 
impossible to define every situation that could result in an 
impairment, as discussed in paragraph 3.12. The following are examples 
of nonaudit services performed by an audit organization that typically 
would not create an impairment to the audit organization's independence 
as long as (1) auditors avoid situations that would conflict with the 
two overarching principles listed in paragraph 3.13 and (2) the audit 
organization complies with the safeguards in paragraph 3.17:

a. Providing basic accounting assistance limited to services such as 
preparing draft financial statements that are based on management's 
chart of accounts and trial balance and any adjusting, correcting, and 
closing entries that have been approved by management; preparing draft 
notes to the financial statements based on information determined and 
approved by management; preparing a trial balance based on management's 
chart of accounts; maintaining depreciation schedules for which 
management has determined the method of depreciation, rate of 
depreciation, and salvage value of the asset.[Footnote 28] The audit 
organization, however, cannot maintain or prepare the audited entity's 
basic accounting records or maintain or take responsibility for basic 
financial or other records that the audit organization will 
audit.[Footnote 29] As part of this prohibition, auditors should not 
post transactions (whether coded or not coded) to the entity's 
financial records or to other records that subsequently provide data to 
the entity's financial records.

b. Providing payroll services limited to services such as computing pay 
amounts for the entity's employees based on entity-maintained and 
approved time records, salaries or pay rates, and deductions from pay; 
generating unsigned payroll checks; transmitting client-approved 
payroll data to a financial institution provided management has 
approved the transmission and limited the financial institution to 
making payments only to previously approved individuals. In cases in 
which the audit organization was processing the entity's entire payroll 
and payroll was a material amount to the subject matter of the audit, 
this would be a violation of one of the overarching principles in 
paragraph 3.13, and auditors would not be deemed independent under 
GAGAS.

c. Providing appraisal or valuation services limited to services such 
as reviewing the work of the entity or a specialist employed by the 
entity where the entity or specialist provides the primary evidence for 
the balances recorded in financial statements or other information that 
will be audited; valuing an entity's pension, other post-employment 
benefit, or similar liabilities provided management has determined and 
taken responsibility for all significant assumptions and data.

d. Preparing an entity's indirect cost proposal[Footnote 30] or cost 
allocation plan provided management assumes responsibility for all 
significant assumptions and data.

e. Providing advisory services on information technology limited to 
services such as advising on system design, system installation, and 
system security if management, in addition to the safeguards in 
paragraph 3.17, acknowledges responsibility for the design, 
installation, and internal control over the entity's system and does 
not rely on the auditors' work as the primary basis for determining (1) 
whether to implement a new system, (2) the adequacy of the new system 
design, (3) the adequacy of major design changes to an existing system, 
and (4) the adequacy of the system to comply with regulatory or other 
requirements. However, the audit organization should not operate or 
supervise the operation of the entity's information technology system.

f. Providing human resource services to assist management in its 
evaluation of potential candidates when the services are limited to 
activities such as serving on an evaluation panel to review 
applications or interviewing candidates to provide input to management 
in arriving at a listing of best qualified applicants to be provided to 
management. The auditors should not recommend a single individual for a 
specific position, nor should the auditors conduct an executive search 
or a recruiting program for the audited entity.

g. Preparing routine tax filings in accordance with federal tax laws, 
rules, and regulations of the Internal Revenue Service, and state and 
local tax authorities, and any other applicable laws.

h. Gathering and reporting on unverified external or third-party data 
to aid legislative and administrative decision making.

i. Advising an entity regarding its performance of internal control 
self-assessments.

j. Assisting a legislative body by developing questions for use at a 
hearing.

External Impairments:

3.19: Factors external to the audit organization may restrict the work 
or interfere with auditors' ability to form independent and objective 
opinions and conclusions. External impairments to independence occur 
when auditors are deterred from acting objectively and exercising 
professional skepticism by pressures, actual or perceived, from 
management and employees of the audited entity or oversight 
organizations. For example, under the following conditions, auditors 
may not have complete freedom to make an independent and objective 
judgment and an audit may be adversely affected:

a. external interference or influence that could improperly or 
imprudently limit or modify the scope of an audit or threaten to do so, 
including pressure to reduce inappropriately the extent of work 
performed in order to reduce costs or fees;

b. external interference with the selection or application of audit 
procedures or in the selection of transactions to be examined;

c. unreasonable restrictions on the time allowed to complete an audit 
or issue the report;

d. interference external to the audit organization in the assignment, 
appointment, and promotion of audit personnel;

e. restrictions on funds or other resources provided to the audit 
organization that adversely affect the audit organization's ability to 
carry out its responsibilities;

f. authority to overrule or to inappropriately influence the auditors' 
judgment as to the appropriate content of the report;

g. threat of replacement over a disagreement with the contents of an 
audit report, the auditors' conclusions, or the application of an 
accounting principle or other criteria; and

h. influences that jeopardize the auditors' continued employment for 
reasons other than incompetence, misconduct, or the need for audit 
services.

3.20: An audit organization's internal quality control system for 
compliance with GAGAS independence requirements, as stated in paragraph 
3.08, should include internal policies and procedures for reporting and 
resolving external impairments.

Organizational Impairments:

3.21: In addition to the preceding paragraphs that address personal and 
external impairments, a government audit organization's ability to 
perform the work and report the results impartially can be affected by 
its place within government and the structure of the government entity 
that the audit organization is assigned to audit. Whether performing 
work to report externally to third parties outside the audited entity 
or internally to top management within the audited entity, audit 
organizations need to be free from organizational impairments to 
independence.

Organizational Impairment Considerations When Reporting Externally to 
Third Parties:

3.22: Government auditors can be presumed to be free from organizational 
impairments to independence when reporting externally to third parties 
if their audit organization is organizationally independent from the 
audited entity. Government audit organizations can meet the requirement 
for organizational independence in a number of ways.

3.23: First, a government audit organization may be presumed to be free 
from organizational impairments to independence from the audited entity 
to report externally, if the audit organization is:

a. assigned to a level of government other than the one to which the 
audited entity is assigned (federal, state, or local), for example, a 
federal auditor auditing a state government program, or

b. assigned to a different branch of government within the same level 
of government as the audited entity; for example, a legislative auditor 
auditing an executive branch program.

3.24: Second, a government audit organization may also be presumed to 
be free from organizational impairments for external reporting if the 
audit organization's head meets any of the following criteria:

a. directly elected by voters of the jurisdiction being audited;

b. elected or appointed by a legislative body subject to removal by a 
legislative body, and reports the results of audits to and is 
accountable to a legislative body;

c. appointed by someone other than a legislative body, so long as the 
appointment is confirmed by a legislative body and removal from the 
position is subject to oversight or approval by a legislative 
body,[Footnote 31] and reports the results of audits to and is 
accountable to a legislative body; or

d. appointed by, accountable to, reports to, and can only be removed by 
a statutorily created governing body, the majority of whose members are 
independently elected or appointed and come from outside the 
organization being audited.

3.25: In addition to the presumptive criteria in paragraphs 3.23 and 
3.24, GAGAS recognize that there may be other organizational structures 
under which a government audit organization could be considered to be 
free from organizational impairments and thereby be considered 
organizationally independent for reporting externally. These other 
structures should provide sufficient safeguards to prevent the audited 
entity from interfering with the audit organization's ability to 
perform the work and report the results impartially. For an audit 
organization to be considered free from organizational impairments for 
reporting externally under a structure different from the ones listed 
in paragraphs 3.23 and 3.24, the audit organization should have all of 
the following safeguards:

a. statutory protections that prevent the abolishment of the audit 
organization by the audited entity;

b. statutory protections that require that if the head of the audit 
organization is removed from office, the head of the agency should 
report this fact and the reasons for the removal to the legislative 
body;

c. statutory protections that prevent the audited entity from 
interfering with the initiation, scope, timing, and completion of any 
audit;

d. statutory protections that prevent the audited entity from 
interfering with the reporting on any audit, including the findings, 
conclusions, and recommendations, or the manner, means, or timing of 
the audit organization's reports;

e. statutory protections that require the audit organization to report 
to a legislative body or other independent governing body on a 
recurring basis;

f. statutory protections that give the audit organization sole 
authority over the selection, retention, advancement, and dismissal of 
its staff; and

g. statutory access to records and documents that relate to the agency, 
program, or function being audited.[Footnote 32]

3.26: If the head of the audit organization concludes that the 
organization meets all the safeguards listed in paragraph 3.25, the 
audit organization should be considered free from organizational 
impairments to independence when reporting the results of its audits 
externally to third parties. The audit organization should document the 
statutory provisions in place that allow it to meet these safeguards. 
Those provisions should be reviewed during an external peer review to 
ensure that all the necessary safeguards have been met.

Organizational Impairment Considerations When Reporting Internally to 
Management:

3.27: Certain federal, state, or local government audit organizations 
or audit organizations within other government entities, such as public 
colleges, universities, and hospitals, employ auditors to work for 
management of the audited entities. These auditors may be subject to 
administrative direction from persons involved in the government 
management process. Such audit organizations are internal audit 
organizations. A government internal audit organization can be presumed 
to be free from organizational impairments to independence when 
reporting internally to management if the head of the audit 
organization meets all of the following criteria:

a. accountable to the head or deputy head of the government entity,

b. required to report the results of the audit organization's work to 
the head or deputy head of the government entity, and

c. located organizationally outside the staff or line management 
function of the unit under audit.

3.28: If the conditions of paragraph 3.27 are met, the audit 
organization should be considered free of organizational impairments to 
independence to audit internally and report objectively to the entity's 
management. Further distribution of reports outside the organization 
should only be made in accordance with applicable law, rule, 
regulation, or policy. In these situations, the fact that the auditors 
are auditing in their employing organizations should be clearly 
reflected in the auditors' reports.

3.29: Auditors need to be sufficiently removed from political pressures 
to ensure that they can conduct their audits objectively and report 
their findings, opinions, and conclusions objectively without fear of 
political repercussions. Whenever feasible, auditors within internal 
audit organizations should be under a personnel system in which 
compensation, training, job tenure, and advancement are based on merit.

3.30: The audit organization's independence is enhanced when it also 
reports regularly to the entity's independent audit committee and/or 
the appropriate government oversight body.

3.31: When internal audit organizations that are free of organizational 
impairments to independence, under the criteria in paragraph 3.27, 
perform audits external to the government entities to which they are 
directly assigned, such as auditing contractors or outside party 
agreements, and no personal or external impairments exist, they may be 
considered independent of the audited entities and free to report 
objectively to the heads or deputy heads of the government entities to 
which they are assigned and to parties outside the organizations in 
accordance with applicable law, rule, regulation, or policy.

3.32: The audit organization should document the conditions that allow 
it to be considered free of organizational impairments to independence 
to report internally. Those conditions should be reviewed during the 
peer review to ensure that all the necessary safeguards have been met.

Professional Judgment:

3.33: The general standard related to professional judgment is:

Professional judgment should be used in planning and performing audits 
and attestation engagements and in reporting the results.

3.34: This standard requires auditors to exercise reasonable care and 
diligence and to observe the principles of serving the public interest 
and maintaining the highest degree of integrity, objectivity, and 
independence in applying professional judgment to all aspects of their 
work. This standard also imposes a responsibility upon each auditor 
performing work under GAGAS to observe GAGAS. If auditors state they 
are performing their work in accordance with GAGAS, they should justify 
any departures from GAGAS.

3.35: Auditors should use professional judgment in determining the type 
of assignment to be performed and the standards that apply to the work; 
defining the scope of work; selecting the methodology; determining the 
type and amount of evidence to be gathered; and choosing the tests and 
procedures for their work. Professional judgment also should be applied 
in performing the tests and procedures and in evaluating and reporting 
the results of the work.

3.36: Professional judgment requires auditors to exercise professional 
skepticism, which is an attitude that includes a questioning mind and a 
critical assessment of evidence. Auditors use the knowledge, skills, 
and experience called for by their profession to diligently perform, in 
good faith and with integrity, the gathering of evidence and the 
objective evaluation of the sufficiency, competency, and relevancy of 
evidence. Since evidence is gathered and evaluated throughout the 
assignment, professional skepticism should be exercised throughout the 
assignment.

3.37: Auditors neither assume that management is dishonest nor assume 
unquestioned honesty. In exercising professional skepticism, auditors 
should not be satisfied with less than persuasive evidence because of a 
belief that management is honest.

3.38: The exercise of professional judgment allows auditors to obtain 
reasonable assurance that material misstatements or significant 
inaccuracies in data will likely be detected if they exist. Absolute 
assurance is not attainable because of the nature of evidence and the 
characteristics of fraud. Therefore, an audit or attestation engagement 
conducted in accordance with GAGAS may not detect a material 
misstatement or significant inaccuracy, whether from error or fraud, 
illegal acts, or violations of provisions of contracts or grant 
agreements. Accordingly, while this standard places responsibility on 
each auditor and audit organization to exercise professional judgment 
in planning and performing an assignment, it does not imply unlimited 
responsibility, nor does it imply infallibility on the part of either 
the individual auditor or the audit organization.

Competence:

3.39: The general standard related to competence is:

The staff assigned to perform the audit or attestation engagement 
should collectively possess adequate professional competence for the 
tasks required.

3.40: This standard places responsibility on audit organizations to 
ensure that each audit or attestation engagement is performed by staff 
who collectively have the knowledge, skills, and experience necessary 
for that assignment. Accordingly, audit organizations should have a 
process for recruitment, hiring, continuous development, and evaluation 
of staff to assist the organization in maintaining a workforce that has 
adequate competence. The nature, extent, and formality of the process 
will depend on various factors such as the size of the audit 
organization, its work, and its structure.

3.41: The competencies discussed below apply to the knowledge, skills, 
and experience of audit organizations and not necessarily to each 
individual auditor. An audit organization may need to employ personnel 
or hire specialists who are knowledgeable, skilled, or experienced in 
such areas as accounting, statistics, law, engineering, audit design 
and methodology, information technology, public administration, 
economics, social sciences, or actuarial science.

Technical Knowledge and Competence:

3.42: Audit organizations should ensure that staff members assigned to 
conduct an audit or attestation engagement under GAGAS should 
collectively possess the technical knowledge, skills, and experience 
necessary to be competent for the type of work being performed before 
beginning work on that assignment. Staff members should collectively 
possess:

a. knowledge of GAGAS applicable to the type of work they are assigned 
and the education, skills, and experience to apply such knowledge to 
the work being performed;

b. general knowledge of the environment in which the audited entity 
operates and the subject matter under review;

c. skills to communicate clearly and effectively, both orally and in 
writing; and

d. skills appropriate for the work being performed. For example:

(1) if the work requires use of statistical sampling, the staff or 
specialists should include persons with statistical sampling skills;

(2) if the work requires extensive review of information systems, the 
staff or specialists should include persons with information technology 
skills;

(3) if the work involves review of complex engineering data, the staff 
or specialists should include persons with engineering skills; or

(4) if the work involves the use of specialized audit methodologies or 
analytical techniques, such as the use of complex survey instruments, 
actuarial-based estimates, or statistical analysis tests, the staff or 
specialists should include persons with skills in those methodologies 
or techniques.

Additional Qualifications for Financial Audits and Attestation 
Engagements:

3.43: Auditors performing financial audits should be knowledgeable in 
generally accepted accounting principles (GAAP)[Footnote 33] and the 
AICPA's generally accepted auditing standards for field work and 
reporting and the related Statements on Auditing Standards (SAS), and 
they should be competent in applying these standards and SASs to the 
task assigned. Similarly, when performing an attestation engagement, 
auditors should be knowledgeable in the AICPA general attestation 
standard related to criteria, and the AICPA attestation standards for 
field work and reporting and the related Statements on Standards for 
Attestation Engagements (SSAE), and they should be competent in 
applying these standards and SSAEs to the task assigned.

3.44: Auditors engaged to perform financial audits or attestation 
engagements should be licensed certified public accountants or persons 
working for a licensed certified public accounting firm or a government 
auditing organization.[Footnote 34] Public accountants and accounting 
firms meeting licensing requirements should also comply with the 
applicable provisions of the public accountancy law and rules of the 
jurisdiction(s) where the audit is being performed and the 
jurisdiction(s) in which the public accountants and their firms are 
licensed.

Continuing Professional Education:

3.45: Auditors performing work under GAGAS, including planning, 
directing, performing field work, or reporting on an audit or 
attestation engagement under GAGAS, need to maintain their professional 
competence through continuing professional education (CPE). Therefore, 
each auditor performing work under GAGAS should complete, every 2 
years, at least 80 hours of CPE that directly enhance the auditor's 
professional proficiency to perform audits and/or attestation 
engagements.[Footnote 35] At least 24 of the 80 hours of CPE should be 
in subjects directly related to government auditing, the government 
environment, or the specific or unique environment in which the audited 
entity operates.[Footnote 36] At least 20 hours of the 80 should be 
completed in any 1 year of the 2-year period.

3.46: CPE may include a variety of topics that contribute to auditors' 
proficiency to perform audits and/or attestation engagements, such as 
developments in auditing standards and methodology, accounting 
principles, assessment of internal control, principles of management or 
supervision, information systems management, audit sampling, financial 
statement analysis, evaluation design, and data analysis. It may also 
include subjects related to specific fields of work, such as public 
administration, public policy and structure, industrial engineering, 
finance, economics, social sciences, and information technology.

3.47: The audit organization is responsible for ensuring that auditors 
meet the continuing education requirements and should maintain 
documentation of the CPE completed. The U.S. General Accounting Office 
(GAO) has developed guidance pertaining to CPE requirements to assist 
auditors and audit organizations in exercising professional judgment in 
complying with the CPE requirements.[Footnote 37]

3.48: External and internal specialists assisting in performing a GAGAS 
assignment should be qualified and should maintain professional 
competence in their areas of specialization but are not required to 
meet the CPE requirements described here. However, auditors who use the 
work of external and internal specialists should ensure that such 
specialists are qualified in their areas of specialization and should 
document such assurance.

Quality Control and Assurance:

3.49: The general standard related to quality control and assurance is:

Each audit organization performing audits and/or attestation 
engagements in accordance with GAGAS should have an appropriate 
internal quality control system in place and should undergo an external 
peer review.

3.50: An audit organization's system of quality control encompasses the 
audit organization's structure and the policies adopted and procedures 
established to provide the organization with reasonable assurance of 
complying with applicable standards governing audits and attestation 
engagements. An audit organization's internal quality control system 
should include procedures for monitoring, on an ongoing basis, whether 
the policies and procedures related to the standards are suitably 
designed and are being effectively applied.

3.51: The nature and extent of an audit organization's internal quality 
control system depends on a number of factors, such as its size, the 
degree of operating autonomy allowed its personnel and its audit 
offices, the nature of its work, its organizational structure, and 
appropriate cost-benefit considerations. Thus, the systems established 
by individual audit organizations will vary as will the need for, and 
extent of, their documentation of the systems. However, each audit 
organization should prepare appropriate documentation for its system of 
quality control to demonstrate compliance with its policies and 
procedures. The form and content of such documentation is a matter of 
judgment. Documentation of compliance should be retained for a period 
of time sufficient to enable those performing monitoring procedures and 
peer reviews to evaluate the extent of the audit organization's 
compliance with the quality control policies and procedures.

3.52: Audit organizations performing audits and attestation engagements 
in accordance with GAGAS should have an external peer review of their 
auditing and attestation engagement practices at least once every 3 
years by reviewers independent of the audit organization being 
reviewed.[Footnote 38] The external peer review should determine 
whether, during the period under review, the reviewed audit 
organization's internal quality control system was adequate and whether 
quality control policies and procedures were being complied with to 
provide the audit organization with reasonable assurance of conforming 
with applicable professional standards. Audit organizations should take 
remedial, corrective actions as needed based on the results of the peer 
review.

3.53: Members of the external peer review team should meet the 
following requirements:

a. Each review team member should have current knowledge of GAGAS and 
of the government environment relative to the work being reviewed.

b. Each review team member should be independent (as defined in GAGAS) 
of the audit organization being reviewed, its staff, and the audits and 
attestation engagements selected for the external peer review. A review 
team or a member of the review team is not permitted to review the 
audit organization that conducted its audit organization's most recent 
external peer review.

c. Each review team member should have knowledge on how to perform a 
peer review. Such knowledge may be obtained from on-the-job training, 
training courses, or a combination of both.

3.54: The peer review should meet the following requirements:

a. The peer review should include a review of the audit organization's 
internal quality control policies and procedures, including related 
monitoring procedures, audit and attestation engagement reports, audit 
and attest documentation, and other necessary documents (for example, 
independence documentation, CPE records, and personnel management files 
related to compliance with hiring, performance evaluation, and 
assignment policies). The review should also include interviews with 
various levels of the reviewed audit organization's professional staff 
to assess their understanding of and compliance with relevant quality 
control policies and procedures.

b. The review team should use one of the following approaches to 
selecting audits and attestation engagements for review: (1) select 
audits and attestation engagements that provide a reasonable cross 
section of the assignments performed by the reviewed audit organization 
in accordance with GAGAS or (2) select audits and attestation 
engagements that provide a reasonable cross section of the reviewed 
audit organization's work subject to quality control requirements, 
including one or more assignments performed in accordance with GAGAS.

c. The peer review should be sufficiently comprehensive to provide a 
reasonable basis for concluding whether the reviewed audit 
organization's system of quality control was complied with to provide 
the organization with reasonable assurance of conforming with 
professional standards in the conduct of its work. The review team 
should consider the adequacy and results of the reviewed audit 
organization's monitoring efforts to efficiently plan its peer review 
procedures.

d. The review team should prepare a written report(s) communicating the 
results of the external peer review. The report should indicate the 
scope of the review, including any limitations thereon, and should 
express an opinion on whether the system of quality control of the 
reviewed audit organization's audit and/or attestation engagement 
practices was adequate and was being complied with during the year 
reviewed to provide the audit organization with reasonable assurance of 
conforming with professional standards for audits and attestation 
engagements. The report should state the professional 
standards[Footnote 39] to which the reviewed audit organization is 
being held. The report should also describe the reasons for any 
modification of the opinion. When there are matters that resulted in a 
modification to the opinion, reviewers should report a detailed 
description of the findings and recommendations, either in the peer 
review report or in a separate letter of comment or management letter, 
to enable the reviewed audit organization to take appropriate actions. 
The written report should refer to the letter of comment or management 
letter if such a letter is issued along with a modified report.

3.55: Audit organizations seeking to enter into a contract to perform 
an assignment in accordance with GAGAS should provide their most recent 
external peer review report and any letter of comment, and any 
subsequent peer review reports and letters of comment received during 
the period of the contract, to the party contracting for the audit or 
attestation engagement. Information in the external peer review report 
and letter of comment is often relevant to decisions on procuring audit 
or attestation engagement services. Auditors who are relying on another 
audit organization's work should request a copy of the audit 
organization's peer review report and any letter of comment, and the 
audit organization should provide the peer review report and letter of 
comment when requested.

3.56: Government audit organizations also should transmit their 
external peer review reports to appropriate oversight bodies. It is 
also recommended that, upon request, the peer review report and letter 
of comment be made available to the public in a timely manner.

[End of section]

Chapter 4: Field Work Standards for Financial Audits:

Introduction:

4.01: This chapter prescribes field work standards and provides 
guidance for financial audits performed in accordance with generally 
accepted government auditing standards (GAGAS). Financial audits 
consist of all work performed under the American Institute of 
Certified Public Accountants' (AICPA) generally accepted auditing 
standards and governed by the AICPA Statements on Auditing Standards 
(SAS). GAGAS incorporate the AICPA generally accepted field work 
standards for audits and the related SASs unless the Comptroller 
General of the United States excludes them by formal announcement.
[Footnote 40] This chapter identifies the AICPA field work standards 
and prescribes additional standards for financial audits performed in 
accordance with GAGAS.

4.02: Financial audits performed in a government environment primarily 
include audits of financial statements.[Footnote 41] The SASs also 
govern and provide guidance for other types of financial audits which 
may be performed in a government environment, such as 
compliance auditing, issuing special reports,[Footnote 42] audits of 
service organizations, reviews of interim financial information, and 
issuing letters to underwriters and certain other requesting parties. 
These other services may be performed in conjunction with an audit of 
financial statements.

AICPA Field Work Standards:

4.03: The three AICPA generally accepted standards of field work are as 
follows:

a. The work is to be adequately planned, and assistants, if any, are to 
be properly supervised.

b. A sufficient understanding of internal control[Footnote 43] is to be 
obtained to plan the audit and to determine the nature, timing, and 
extent of tests to be performed.

c. Sufficient competent evidential matter is to be obtained through 
inspection, observation, inquiries, and confirmations to afford a 
reasonable basis for an opinion regarding the financial statements 
under audit.

4.04: Auditors should use professional judgment and consider the needs 
of users in applying the AICPA standards and related guidance to audits 
of a government entity or an entity that receives government awards. 
For example, auditors may need to set lower materiality levels than in 
audits in the private sector because of the public accountability of 
the audited entity, various legal and regulatory requirements, and the 
visibility and sensitivity of government programs. Also, auditors need 
to be sensitive to the concerns of oversight officials regarding 
previously reported internal control deficiencies of the audited entity 
and, accordingly, may need to test the effectiveness of internal 
control that has been changed in response to reported deficiencies 
even if auditors do not plan to rely on the effectiveness of such 
internal control.

Additional GAGAS Standards:

4.05: GAGAS prescribe additional standards for financial audits that go 
beyond the requirements contained in the AICPA SASs. Auditors must 
comply with these additional standards when citing GAGAS in their audit 
reports. The additional GAGAS standards relate to:

a. auditor communication (see paragraphs 4.06 through 4.13);

b. considering the results of previous audits and attestation 
engagements (see paragraphs 4.14 through 4.16);

c. detecting material misstatements resulting from violations of 
contract provisions or grant agreements or from abuse (see paragraphs 
4.17 through 4.20);

d. developing elements of a finding for financial audits (see paragraph 
4.21); and

e. audit documentation (see paragraphs 4.22 through 4.26).

Auditor Communication:

4.06: The standard related to auditor communication for financial 
audits performed in accordance with GAGAS is:

Auditors should communicate information regarding the nature, timing, 
and extent of planned testing and reporting and the level of assurance 
provided to officials of the audited entity and to the individuals 
contracting for or requesting the audit.

4.07: AICPA standards and GAGAS require auditors to establish an 
understanding with the client and to communicate with audit committees. 
GAGAS broaden the parties with whom auditors must communicate and 
require auditors to communicate specific information during the 
planning stages of a financial audit, including any potential 
restriction of the auditors' reports, to reduce the risk that the needs 
or expectations of the parties involved may be misinterpreted. Auditors 
should use their professional judgment to determine the form, content, 
and frequency of the communication, although written communication is 
preferred. Auditors may use an engagement letter, if appropriate, to 
communicate the information. Auditors should document the communication 
in their audit documentation.

4.08: Auditors should communicate their responsibilities for the 
engagement to the appropriate officials of the audited entity, 
including:

a. the head of the audited entity,

b. the audit committee or board of directors or other equivalent 
oversight body in the absence of an audit committee, and

c. the individual who possesses a sufficient level of authority and 
responsibility for the financial reporting process, such as the chief 
financial officer.

4.09: In situations in which auditors are performing the audit under a 
contract with a party other than the officials of the audited entity, 
or pursuant to a third-party request, auditors should also communicate 
with the individuals contracting for or requesting the audit, such as 
contracting officials or members or staff of legislative committees. 
When auditors are performing the audit pursuant to a law or regulation, 
auditors should communicate with the members or staff of legislative 
committees who have oversight of the auditee.[Footnote 44] Auditors 
should coordinate communications with the responsible government audit 
organization and/or management of the audited entity and may use the 
engagement letter to keep interested parties informed. If an audit is 
terminated before it is completed, auditors should write a memorandum 
for the record that summarizes the results of the work and explains the 
reasons why the audit was terminated. In addition, auditors should 
communicate the reason for terminating the audit to management of the 
audited entity, the entity requesting the audit, and other appropriate 
officials, preferably in writing. This communication should be 
documented.

4.10: In communicating the nature of services and level of assurance 
provided, auditors should specifically address their planned work and 
reporting related to testing internal control over financial reporting 
and compliance with laws, regulations, and provisions of contracts or 
grant agreements. During the planning stages of an audit, auditors 
should communicate their responsibilities for testing and reporting on 
internal control over financial reporting and compliance with laws, 
regulations, and provisions of contracts or grant agreements. Such 
communication should include the nature of any additional testing of 
internal control and compliance required by laws, regulations, and 
provisions of contracts or grant agreements, or otherwise requested, 
and whether the auditors are planning on providing opinions on internal 
control over financial reporting and compliance with laws, regulations, 
and provisions of contracts or grant agreements.

4.11: To assist in understanding the limitations of auditors' 
responsibilities for testing and reporting on internal control over 
financial reporting and compliance with laws, regulations, and 
provisions of contracts or grant agreements, auditors may want to 
contrast those responsibilities with other audits of internal control 
and compliance. The discussion in paragraphs 4.12 and 4.13 may be 
helpful to auditors in explaining their responsibilities for testing 
and reporting on internal control over financial reporting and 
compliance to officials of the audited entity and other interested 
parties.

4.12: Tests of internal control over financial reporting and compliance 
with laws, regulations, and provisions of contracts or grant agreements 
in a financial statement audit contribute to the evidence supporting 
the auditors' opinion on the financial statements or other conclusions 
regarding financial data. However, such tests generally are not 
sufficient in scope to opine on internal control over financial 
reporting or compliance with laws, regulations, and provisions of 
contracts or grant agreements. To meet certain audit report users' 
needs, laws and regulations sometimes prescribe testing and reporting 
on internal control over financial reporting and compliance with laws, 
regulations, and provisions of contracts and grant agreements to 
supplement coverage of these areas.[Footnote 45]

4.13: Even after auditors perform and report the results of additional 
tests of internal control over financial reporting and compliance with 
laws, regulations, and provisions of contracts and grant agreements, 
some reasonable needs of officials of the audited entity or individuals 
contracting for or requesting the audit still may be unmet. Auditors 
may meet these needs by performing further tests of internal control 
and compliance with laws, regulations, and provisions of contracts or 
grant agreements using the AICPA Statements on Standards for 
Attestation Engagements and additional GAGAS requirements (see chapter 
6), or the performance audit standards (see chapters 7 and 8), to 
achieve these objectives.

Considering the Results of Previous Audits and Attestation Engagements:

4.14: The standard related to considering the results of previous audits 
and attestation engagements for financial audits performed in 
accordance with GAGAS is:

Auditors should consider the results of previous audits and attestation 
engagements and follow up on known significant findings and 
recommendations that directly relate to the objectives of the audit 
being undertaken.

4.15: Auditors should ask audited entity officials to identify previous 
financial audits, attestation engagements, performance audits, or other 
studies related to the objectives of the audit being undertaken and to 
identify corrective actions taken to address significant findings and 
recommendations,[Footnote 46] including those related to reportable 
conditions. For example, an audit report on an entity's computerized 
information systems may contain significant findings that could relate 
to the financial audit if the entity uses such systems to process its 
accounting information. Auditors should use professional judgment in 
determining (1) prior periods to be considered, (2) the level of work 
necessary to follow up on significant findings and recommendations that 
affect the audit, and (3) the effect on the risk assessment and audit 
procedures in planning the current audit.

4.16: Providing continuing attention to significant findings and 
recommendations is important to ensure that the benefits of the 
auditors' work are realized. Ultimately, the benefits of audit work 
occur when management of the audited entity takes meaningful and 
effective corrective action in response to the auditors' findings and 
recommendations. Management of the audited entity is responsible for 
resolving audit findings and recommendations directed to them and for 
having a process to track their status. If management of the audited 
entity does not have such a process, auditors may wish to establish 
their own process.

Detecting Material Misstatements Resulting from Violations of Contract 
Provisions or Grant Agreements, or from Abuse:

4.17: The standard related to violations of contract provisions or grant 
agreements or abuse for financial audits performed in accordance with 
GAGAS is:

a. Auditors should design the audit to provide reasonable assurance of 
detecting material misstatements resulting from violations of 
provisions of contracts or grant agreements that have a direct and 
material effect on the determination of financial statement amounts or 
other financial data significant to the audit objectives. If specific 
information comes to the auditors' attention that provides evidence 
concerning the existence of possible violations of provisions of 
contracts or grant agreements that could have a material indirect 
effect on the determination of financial statement amounts or other 
financial data significant to the audit objectives, auditors should 
apply audit procedures specifically directed to ascertain whether 
violations of provisions of contracts or grant agreements have occurred 
or are likely to have occurred.

b. Auditors should be alert to situations or transactions that could be 
indicative of abuse, and if indications of abuse exist that could 
significantly affect the financial statement amounts or other financial 
data, auditors should apply audit procedures specifically directed to 
ascertain whether abuse has occurred and the effect on the financial 
statement amounts or other financial data.

4.18: AICPA standards and GAGAS require auditors to assess the risk of 
material misstatements of financial statement amounts or other 
financial data significant[Footnote 47] to the audit objectives due to 
fraud and to consider that assessment in designing the audit procedures 
to be performed.[Footnote 48] Auditors are also required to design the 
audit to provide reasonable assurance of detecting material 
misstatements resulting from direct and material illegal acts 
(violations of laws and regulations) and to be aware of the possibility 
that indirect illegal acts[Footnote 49] may have occurred.[Footnote 50] 
Under GAGAS, auditors have the same responsibilities for detecting 
material misstatements arising from violations of provisions of 
contracts or grant agreements as they do for detecting those arising 
from fraud and illegal acts. Auditors should design the audit to 
provide reasonable assurance of detecting material misstatements 
resulting from direct and material violations of provisions of 
contracts or grant agreements. If specific information comes to the 
auditors' attention that provides evidence concerning the existence of 
possible violations of provisions of contracts or grant agreements that 
could have a material indirect effect on the financial statements or 
significant indirect effect on other financial data needed to achieve 
audit objectives, auditors should apply audit procedures specifically 
directed to ascertain whether violations have occurred or are likely to 
have occurred.

4.19: Abuse is distinct from fraud, illegal acts, and violations of 
provisions of contracts or grant agreements. When abuse occurs, no law, 
regulation, or provision of a contract or grant agreement is violated. 
Rather, abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and 
circumstances.[Footnote 51] Auditors should be alert to situations or 
transactions that could be indicative of abuse. When information comes 
to the auditors' attention (through audit procedures, allegations 
received through a fraud hotline, or other means) indicating that abuse 
may have occurred, auditors should consider whether the possible abuse 
could affect the financial statement amounts or other financial data 
significantly. If indications of possible abuse exist that 
significantly affect the financial statement amounts or other financial 
data, the auditors should extend the audit steps and procedures, as 
necessary, to (1) determine whether the abuse occurred and, if so, (2) 
determine its effect on the financial statement amounts or other 
financial data. Auditors should consider both quantitative and 
qualitative factors in making judgments regarding the materiality of 
possible abuse and whether they need to extend the audit steps and 
procedures. However, because the determination of abuse is subjective, 
auditors are not expected to provide reasonable assurance of detecting 
abuse.

4.20: Auditors should exercise professional judgment in pursuing 
indications of possible fraud, illegal acts, violations of provisions 
of contracts or grant agreements, or abuse, in order not to interfere 
with potential investigations, legal proceedings, or both. Under some 
circumstances, laws, regulations, or policies require auditors to 
report indications of certain types of fraud, illegal acts, violations 
of provisions of contracts or grant agreements, and abuse to law 
enforcement or investigatory authorities before extending audit steps 
and procedures. Auditors may also be required to withdraw from or defer 
further work on the engagement or a portion of the engagement in order 
not to interfere with an investigation.

Developing Elements of a Finding:

4.21: Audit findings, such as deficiencies in internal control, fraud, 
illegal acts, violations of provisions of contracts or grant 
agreements, and abuse, have often been regarded as containing the 
elements of criteria, condition, and effect, plus cause when problems 
are found. However, the elements needed for a finding depend entirely 
on the objectives of the audit. Thus, a finding or set of findings is 
complete to the extent that the audit objectives are satisfied. When 
problems are identified, to the extent possible, auditors should plan 
audit procedures to develop the elements of a finding to facilitate 
developing the auditors' report. (See paragraph 5.15 for a description 
of the elements of a finding.)

Audit Documentation:

4.22: The standard related to audit documentation for financial audits 
performed in accordance with GAGAS is:

Audit documentation related to planning, conducting, and reporting on 
the audit should contain sufficient information to enable an 
experienced auditor who has had no previous connection with the audit 
to ascertain from the audit documentation the evidence that supports 
the auditors' significant judgments and conclusions. Audit 
documentation should contain support for findings, conclusions, and 
recommendations before auditors issue their report.

4.23: AICPA standards and GAGAS require auditors to prepare and maintain 
audit documentation. The form and content of audit documentation should 
be designed to meet the circumstances of the particular audit. The 
information contained in audit documentation constitutes the principal 
record of the work that the auditors have performed in accordance with 
professional standards and the conclusions that the auditors have 
reached. The quantity, type, and content of audit documentation are a 
matter of the auditors' professional judgment.

4.24: Audit documentation serves to (1) provide the principal support 
for the auditors' report, (2) aid auditors in conducting and 
supervising the audit, and (3) allow for the review of audit quality. 
The preparation of audit documentation should be appropriately detailed 
to provide a clear understanding of its purpose and source and the 
conclusions the auditors reached, and it should be appropriately 
organized to provide a clear link to the findings, conclusions, and 
recommendations contained in the audit report. Audit documentation for 
financial audits performed under GAGAS should contain the following 
additional items not explicitly addressed in the AICPA standards or 
elsewhere in GAGAS:

a. the objectives, scope, and methodology of the audit.

b. the auditors' determination that certain additional government 
auditing standards do not apply or that an applicable standard was not 
followed, the reasons therefor, and the known effect that not following 
the applicable standard had, or could have had, on the audit.

c. the auditors' consideration that the planned audit procedures are 
designed to achieve audit objectives when evidential matter obtained is 
highly dependent on computerized information systems and is material to 
the objective of the audit and that the auditors are not relying on the 
effectiveness of internal control over those computerized systems that 
produced the information. The audit documentation should specifically 
address (1) the rationale for determining the nature, timing, and 
extent of planned audit procedures; (2) the kinds and competence of 
available evidential matter produced outside a computerized information 
system and/or plans for direct testing of data produced from a 
computerized information system; and (3) the effect on the audit report 
if evidential matter to be gathered does not afford a reasonable basis 
for achieving the objectives of the audit.[Footnote 52]

d. evidence of supervisory review, before the audit report is issued, 
of the work performed that supports findings, conclusions, and 
recommendations contained in the audit report.

4.25: Underlying GAGAS audits is the premise that federal, state, and 
local governments and other organizations cooperate in auditing 
programs of common interest so that auditors may use others' work and 
avoid duplication of audit efforts. Auditors should make arrangements 
to make audit documentation available, upon request, in a timely manner 
to other auditors or reviewers. Contractual arrangements for GAGAS 
audits should provide for full and timely access to audit documentation 
to facilitate reliance by others on the auditors' work.

4.26: Audit organizations need to adequately safeguard the audit 
documentation associated with any particular engagement. Audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to audit documentation, especially in connection with 
situations where an outside party attempts to obtain indirectly through 
the auditor information that it is unable to obtain directly from the 
audited entity. In developing such policies, audit organizations need 
to consider applicable laws and regulations that apply to the audit 
organizations or the audited entity.

[End of section]

Chapter 5: Reporting Standards for Financial Audits:

Introduction:

5.01: This chapter prescribes reporting standards and provides guidance 
for financial audits performed in accordance with generally accepted 
government auditing standards (GAGAS). Financial audits consist of all 
work performed under the American Institute of Certified Public 
Accountants' (AICPA) generally accepted auditing standards and related 
Statements on Auditing Standards (SAS). GAGAS incorporate the AICPA 
reporting standards and SASs unless the Comptroller General of the 
United States excludes them by formal announcement.[Footnote 53] This 
chapter identifies the AICPA reporting standards and prescribes 
additional standards for financial audits performed in accordance with 
GAGAS.

5.02: Financial audits performed in a government environment primarily 
include audits of financial statements. The AICPA SASs also govern and 
provide guidance for other types of financial audits that may be 
performed in a government environment, such as compliance auditing, 
issuing special reports, audits of service organizations, reviews of 
interim financial information, and issuing letters to underwriters and 
certain other requesting parties. These other services may be performed 
in conjunction with an audit of financial statements.

AICPA Reporting Standards:

5.03: The four AICPA generally accepted standards of reporting are as 
follows:

a. The report shall state whether the financial statements are 
presented in accordance with generally accepted accounting principles.

b. The report shall identify those circumstances in which such 
principles have not been consistently observed in the current period in 
relation to the preceding period.

c. Informative disclosures in the financial statements are to be 
regarded as reasonably adequate unless otherwise stated in the report.

d. The report shall either contain an expression of opinion regarding 
the financial statements, taken as a whole, or an assertion to the 
effect that an opinion cannot be expressed. When an overall opinion 
cannot be expressed, the reasons therefor should be stated. In all 
cases where an auditor's name is associated with financial statements, 
the report should contain a clear-cut indication of the character of 
the auditor's work, if any, and the degree of responsibility the 
auditor is taking.

Additional GAGAS Reporting Standards for Financial Audits:

5.04: GAGAS prescribe additional reporting standards for financial 
audits that go beyond the requirements contained in the AICPA SASs. 
Auditors must comply with these additional standards when citing GAGAS 
in their audit reports. The additional GAGAS standards relate to:

a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 
through 5.07);

b. reporting on internal control and on compliance with laws, 
regulations, and provisions of contracts or grant agreements (see 
paragraphs 5.08 through 5.11);

c. reporting deficiencies in internal control, fraud, illegal acts, 
violations of provisions of contracts or grant agreements, and abuse 
(see paragraphs 5.12 through 5.25);

d. reporting views of responsible officials (see paragraphs 5.26 through 
5.30);

e. reporting privileged and confidential information (see paragraphs 
5.31 through 5.33); and

f. report issuance and distribution (see paragraphs 5.34 through 5.38).

Reporting Auditors' Compliance with GAGAS:

5.05: The standard related to reporting auditors' compliance with GAGAS 
for financial audits performed in accordance with GAGAS is:

Audit reports should state that the audit was performed in accordance 
with GAGAS.

5.06: When the report on the financial audit is submitted to comply with 
a legal, regulatory, or contractual requirement for a GAGAS audit, or 
when GAGAS are voluntarily followed, the report should specifically 
cite GAGAS and may also cite AICPA standards. "GAGAS" refers to all the 
applicable standards that the auditors should follow during the audit, 
and the statement of compliance should be qualified in situations in 
which the auditors did not follow an applicable standard. In these 
situations, the auditors should disclose in the scope section of the 
report the applicable standard that was not followed, the reasons 
therefor, and how not following the standard affected, or could have 
affected, the results of the audit. In assessing the impact on the 
results of the audit of not following an applicable standard, auditors 
may need to qualify the assurances provided, disclaim from providing 
any assurances, or withdraw from the audit.

5.07: An audited entity receiving a GAGAS audit report may also request 
auditors to issue a financial audit report for purposes other than 
complying with requirements calling for a GAGAS audit. For example, the 
audited entity may need audited financial statements to issue bonds or 
for other financing purposes. GAGAS do not prohibit auditors from 
issuing a separate report conforming only to the requirements of AICPA 
standards. When a GAGAS audit is the basis for an auditors' subsequent 
report under the AICPA standards, it would be advantageous to users of 
the subsequent report for the auditors' report to include the 
information on internal control, compliance with laws, regulations, and 
provisions of contracts or grant agreements, fraud, and abuse that is 
required by GAGAS but not required by AICPA standards.

Reporting on Internal Control and on Compliance with Laws, Regulations, 
and Provisions of Contracts or Grant Agreements:

5.08: The standard related to reporting on internal control and 
compliance for financial statement audits performed in accordance with 
GAGAS is:

When providing an opinion or a disclaimer on financial statements, 
auditors should include in their report on the financial statements 
either a (1) description of the scope of the auditors' testing of 
internal control over financial reporting and compliance with laws, 
regulations, and provisions of contracts or grant agreements and the 
results of those tests or an opinion, if sufficient work was performed, 
or (2) reference to the separate report(s) containing that information. 
If auditors report separately, the opinion or disclaimer should contain 
a reference to the separate report containing this information and 
state that the separate report is an integral part of the audit and 
should be considered in assessing the results of the audit.

5.09: For audits of financial statements in which auditors provide an 
opinion or disclaimer, auditors should report the scope of their 
testing of internal control over financial reporting and of compliance 
with laws, regulations, and provisions of contracts or grant agreements 
including whether or not the tests they performed provided sufficient 
evidence to support an opinion on the effectiveness of internal control 
over financial reporting and on compliance with laws, regulations, and 
provisions of contracts or grant agreements.

5.10: Auditors may report on internal control over financial reporting 
and on compliance with laws, regulations, and provisions of contracts 
or grant agreements in the opinion or disclaimer on the financial 
statements or in a separate report or reports. When auditors report on 
internal control over financial reporting and compliance as part of the 
opinion or disclaimer on the financial statements, they should include 
an introduction summarizing key findings in the audit of the financial 
statements and the related internal control and compliance work. 
Auditors should not issue this introduction as a stand-alone report.

5.11: When auditors report separately (including separate reports bound 
in the same document) on internal control over financial reporting and 
compliance with laws and regulations and provisions of contracts or 
grant agreements, the opinion or disclaimer on the financial statements 
should state that the auditors are issuing those additional reports. 
The opinion or disclaimer on the financial statements should also state 
that the reports on internal control over financial reporting and 
compliance with laws and regulations and provisions of contracts or 
grant agreements are an integral part of a GAGAS audit and should be 
considered in assessing the results of the audit.

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, 
Violations of Provisions of Contracts or Grant Agreements, and Abuse:

5.12: The standard related to reporting deficiencies in internal 
control, fraud, illegal acts, violations of provisions of contracts or 
grant agreements, and abuse for financial audits performed in 
accordance with GAGAS is:

For financial audits, including audits of financial statements in which 
the auditor provides an opinion or disclaimer, auditors should report, 
as applicable to the objectives of the audit, (1) deficiencies in 
internal control considered to be reportable conditions as defined in 
AICPA standards, (2) all instances of fraud and illegal acts unless 
clearly inconsequential,[Footnote 54] and (3) significant violations of 
provisions of contracts or grant agreements and abuse. In some 
circumstances, auditors should report fraud, illegal acts, violations 
of provisions of contracts or grant agreements, and abuse directly to 
parties external to the audited entity.

Reporting Deficiencies in Internal Control:

5.13: For all financial audits, auditors should report deficiencies in 
internal control considered to be reportable conditions as defined in 
AICPA standards.[Footnote 55] The following are examples of matters 
that may be reportable conditions:

a. absence of appropriate segregation of duties consistent with 
appropriate control objectives;

b. absence of appropriate reviews and approvals of transactions, 
accounting entries, or systems output;

c. inadequate provisions for the safeguarding of assets;

d. evidence of failure to safeguard assets from loss, damage, or 
misappropriation;

e. evidence that a system fails to provide complete and accurate output 
consistent with the control objectives of the audited entity because of 
the misapplication of control activities;

f. evidence of intentional override of internal control by those in 
authority to the detriment of the overall objectives of the system;

g. evidence of failure to perform tasks that are a significant part of 
internal control, such as reconciliations not prepared or not timely 
prepared;

h. a weakness in the control environment at an entity such as the 
absence of a sufficient positive and supportive attitude towards 
internal control by management within the organization;

i. deficiencies in the design or operation of internal control that 
could result in violations of laws, regulations, provisions of 
contracts or grant agreements; fraud; or abuse having a direct and 
material effect on the financial statements or the audit objectives; 
and

j. failure to follow up and correct previously identified deficiencies 
in internal control.

5.14: When reporting deficiencies in internal control, auditors should 
identify those reportable conditions that are individually or in the 
aggregate considered to be material weaknesses.[Footnote 56] Auditors 
should place their findings in proper perspective by providing a 
description of the work performed that resulted in the finding. To give 
the reader a basis for judging the prevalence and consequences of these 
findings, the instances identified should be related to the population 
or the number of cases examined and be quantified in terms of dollar 
value, if appropriate.

5.15: To the extent possible, in presenting audit findings such as 
deficiencies in internal control, auditors should develop the elements 
of criteria, condition, cause, and effect to assist management or 
oversight officials of the audited entity in understanding the need for 
taking corrective action. In addition, if auditors are able to 
sufficiently develop the findings, they should provide recommendations 
for corrective action. Following is guidance for reporting on elements 
of findings:

a. Criteria: An audit report is improved when it provides information 
so that the report user will be able to determine what is the required 
or desired state or what is expected from the program or operation. The 
criteria are easier to understand when stated fairly, explicitly, and 
completely, and the source of the criteria is identified in the audit 
report.[Footnote 57]

b. Condition: The audit report is improved when it provides evidence of 
what the auditors found regarding the actual situation. Reporting the 
scope or extent of the condition allows the report user to gain an 
accurate perspective.

c. Cause: The audit report is improved when it provides persuasive 
evidence on the factor or factors responsible for the difference 
between condition and criteria. In reporting the cause, auditors may 
consider whether the evidence provides a reasonable and convincing 
argument for why the stated cause is the key factor or factors 
contributing to the difference as opposed to other possible causes, 
such as poorly designed criteria or factors uncontrollable by program 
management. The auditors also may consider whether the identified cause 
could serve as a basis for the recommendations.

d. Effect: The audit report is improved when it provides a clear, 
logical link to establish the impact of the difference between what the 
auditors found (condition) and what should be (criteria). Effect is 
easier to understand when it is stated clearly, concisely, and, if 
possible, in quantifiable terms. The significance of the reported 
effect can be demonstrated through credible evidence.

5.16: When auditors detect deficiencies in internal control that are not 
reportable conditions, they should communicate those deficiencies 
separately in a management letter to officials of the audited entity 
unless the deficiencies are clearly inconsequential considering both 
quantitative and qualitative factors. Auditors should refer to that 
management letter in the report on internal control. Auditors should 
use their professional judgment in deciding whether or how to 
communicate to officials of the audited entity deficiencies in internal 
control that are clearly inconsequential. Auditors should include in 
their audit documentation evidence of all communications to officials 
of the audited entity about deficiencies in internal control found 
during the audit.

Reporting Fraud, Illegal Acts, Violations of Provisions of Contracts or 
Grant Agreements, and Abuse:

5.17: AICPA standards and GAGAS require auditors to address the effect 
fraud or illegal acts may have on the audit report and to determine 
that the audit committee or others with equivalent authority and 
responsibility are adequately informed about the fraud or illegal acts. 
GAGAS further require that this information be in writing and also 
include reporting on significant violations of provisions of contracts 
or grant agreements and significant abuse.[Footnote 58] Therefore, when 
auditors conclude, on the basis of evidence obtained, that fraud, an 
illegal act, a significant violation of a contract or grant agreement, 
or significant abuse either has occurred or is likely to have 
occurred,[Footnote 59] they should include in their audit report the 
relevant information.[Footnote 60]

5.18: When reporting instances of fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse, auditors should 
place their findings in proper perspective by providing a description 
of the work performed that resulted in the finding. To give the reader 
a basis for judging the prevalence and consequences of these findings, 
the instances identified should be related to the population or the 
number of cases examined and be quantified in terms of dollar value, if 
appropriate. If the results cannot be projected, auditors should limit 
their conclusion to the items tested.

5.19: To the extent possible, auditors should develop in their report 
the elements of criteria, condition, cause, and effect when fraud, 
illegal acts, violations of provisions of contracts or grant 
agreements, or abuse is found. Auditors should develop their findings 
following the guidance for reporting deficiencies in internal control 
in paragraph 5.15.

5.20: When auditors detect immaterial violations of provisions of 
contracts or grant agreements or abuse, they should communicate those 
findings in a management letter to officials of the audited entity 
unless the findings are clearly inconsequential considering both 
qualitative and quantitative factors. Auditors should refer to that 
management letter in their audit report on compliance. Auditors should 
use their professional judgment in determining whether and how to 
communicate to officials of the audited entity fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
that is clearly inconsequential. Auditors should include in their audit 
documentation evidence of all communications to officials of the 
audited entity about fraud, illegal acts, violations of provisions of 
contracts or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, and Abuse:

5.21: GAGAS require auditors to report fraud, illegal acts, violations 
of provisions of contracts or grant agreements, and abuse directly to 
parties outside the audited entity in two circumstances, as discussed 
below.[Footnote 61] These requirements are in addition to any legal 
requirements for direct reporting of fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse. Auditors should 
meet these requirements even if they have resigned or been dismissed 
from the audit prior to its completion.

5.22: The audited entity may be required by law or regulation to report 
certain fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to specified external parties, such as a 
federal inspector general or a state attorney general. If auditors have 
communicated such fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to the audited entity and the 
audited entity fails to report them, then the auditors should 
communicate such an awareness to the governing body of the audited 
entity. If the audited entity does not make the required report as soon 
as possible after the auditors' communication with the entity's 
governing body, then the auditors should report such fraud, illegal 
acts, violations of provisions of contracts or grant agreements, or 
abuse directly to the external party specified in the law or 
regulation.

5.23: Management of the audited entity is responsible for taking timely 
and appropriate steps to remedy fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse that auditors 
report to it. When fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involve awards received 
directly or indirectly from a government agency, auditors may have a 
duty to report directly if management fails to take remedial steps. If 
auditors conclude that such failure is likely to cause them to depart 
from the standard report on the financial statements or resign from the 
audit, they should communicate that conclusion to the governing body of 
the audited entity. Then, if the audited entity does not report the 
fraud, illegal act, violation of provisions of contracts or grant 
agreements, or abuse as soon as possible to the entity that provided 
the government assistance, the auditors should report the fraud, 
illegal act, violation of provisions of contracts or grant agreements, 
or abuse directly to that entity.

5.24: In these situations, auditors should obtain sufficient, competent, 
and relevant evidence, such as confirmation from outside parties, to 
corroborate assertions by management that it has reported fraud, 
illegal acts, violations of provisions of contracts or grant 
agreements, or abuse. If they are unable to do so, then the auditors 
should report such fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse directly as discussed above.

5.25: Laws, regulations, or policies may require auditors to report 
promptly indications of certain types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
law enforcement or investigatory authorities. In such circumstances, 
when auditors conclude that these types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
either have occurred or are likely to have occurred, they should ask 
those authorities and/or legal counsel if publicly reporting certain 
information about the potential fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse would compromise 
investigative or legal proceedings. Auditors should limit their public 
reporting to matters that would not compromise those proceedings, such 
as information that is already a part of the public record.

Reporting Views of Responsible Officials:

5.26: The standard related to reporting the views of responsible 
officials for financial audits performed in accordance with GAGAS is:

If the auditors' report discloses deficiencies in internal control, 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse, auditors should obtain and report the views of 
responsible officials concerning the findings, conclusions, and 
recommendations, as well as planned corrective actions.

5.27: One of the most effective ways to ensure that a report is fair, 
complete, and objective is to obtain advance review and comments by 
responsible officials of the audited entity and others, as may be 
appropriate. Including the views of responsible officials results in a 
report that presents not only the deficiencies in internal control, 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse the auditors identified but also what the 
responsible officials of the audited entity think about the 
deficiencies in internal control, fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse and what 
corrective actions officials of the audited entity plan to take. 
Auditors should include in their report a copy of the officials' 
written comments or a summary of the comments received.

5.28: Auditors should normally request that the responsible officials 
submit in writing their views on the auditors' reported findings, 
conclusions, and recommendations, as well as management's planned 
corrective actions. Oral comments are acceptable as well, and, in some 
cases, may be the only or most expeditious way to obtain comments. 
Cases in which obtaining oral comments can be effective include when 
there is a time-critical requirement to meet a user's needs; auditors 
have worked closely with the responsible officials throughout the 
conduct of the work and the parties are very familiar with the findings 
and issues addressed in the draft report; or the auditors do not expect 
major disagreements with the draft report's findings, conclusions, and 
recommendations, or perceive any major controversies with regard to the 
issues discussed in the draft report. Auditors should prepare a summary 
of the officials' oral comments and provide a copy of the summary to 
officials of the audited entity to verify that the comments are 
accurately stated prior to finalizing the report.

5.29: Comments should be fairly and objectively evaluated and 
recognized, as appropriate, in the final report. Comments, such as a 
promise or plan for corrective action, should be noted but should not 
be accepted as justification for deleting a significant finding or a 
related recommendation.

5.30: When the audited entity's comments oppose the report's findings, 
conclusions, or recommendations, and are not, in the auditors' opinion, 
valid, or when planned corrective actions do not adequately address the 
auditors' recommendations, the auditors should state their reasons for 
disagreeing with the comments or planned corrective actions. The 
auditors' disagreement should be stated in a fair and objective manner. 
Conversely, the auditors should modify their report as necessary if 
they find the comments valid.

Reporting Privileged and Confidential Information:

5.31: The standard related to reporting privileged and confidential 
information for financial audits performed in accordance with GAGAS is:

If certain pertinent information is prohibited from general disclosure, 
the audit report should state the nature of the information omitted and 
the requirement that makes the omission necessary.

5.32: Certain information may be prohibited from general disclosure by 
federal, state, or local laws or regulations. In such circumstances, 
auditors may issue a separate limited-official-use report containing 
such information and distribute the report only to persons authorized 
by law or regulation to receive it. Additional circumstances associated 
with public safety and security concerns could also justify the 
exclusion of certain information in the report. For example, detailed 
information related to computer security for a particular program may 
be excluded from publicly available reports because of the potential 
damage that could be caused by the misuse of this information. In such 
circumstances, auditors may issue a limited-official-use report 
containing such information and distribute the report only to those 
parties responsible for acting on the auditors' recommendations. The 
auditors should, when appropriate, consult with legal counsel regarding 
any requirements or other circumstances that may necessitate the 
omission of certain information.

5.33: Auditors' judgments that certain information should be excluded 
from publicly available reports should be made in a manner consistent 
with consideration of the broader public interest in the program or 
activity under review. When circumstances call for omission of certain 
information, auditors should consider whether this omission could 
distort the engagement results or conceal improper or unlawful 
practices. If auditors make the judgment that certain information 
should be excluded from a publicly available report, they should state 
the general nature of the information omitted and the reasons that make 
the omission necessary in the report.

Report Issuance and Distribution:

5.34: The standard related to report issuance and distribution for 
financial audits performed in accordance with GAGAS is:

Government auditors should submit audit reports to the appropriate 
officials of the audited entity and to appropriate officials of the 
organizations requiring or arranging for the audits, including external 
funding organizations such as legislative bodies, unless legal 
restrictions prevent it. Auditors should also send copies of the 
reports to other officials who have legal oversight authority or who 
may be responsible for acting on audit findings and recommendations and 
to others authorized to receive such reports. Unless the report is 
restricted by law or regulation, or contains privileged and 
confidential information, auditors should clarify that copies are made 
available for public inspection. Nongovernment auditors should clarify 
report distribution responsibilities with the party contracting for the 
audit and follow the agreements reached.

5.35: Audit reports should be distributed in a timely manner to 
officials interested in the results.[Footnote 62] Such officials 
include those designated by law or regulation to receive such reports, 
those responsible for acting on the findings and recommendations 
contained in the report, those in other levels of government that have 
provided assistance to the audited entity, and legislators. However, if 
the subject of the audit involves material that is classified for 
security purposes or not releasable to particular parties or the public 
for other valid reasons, auditors should limit the report distribution. 
See paragraphs 5.31 through 5.33 for additional guidance on limited 
report distribution when reports contain privileged or confidential 
information. The availability of the report for public inspection 
should be documented in the audit documentation.

5.36: When public accountants are engaged to conduct an audit under 
GAGAS, they should clarify report distribution responsibilities with 
the engaging organization. If the public accountants are to make the 
distribution, the engagement agreement should indicate which officials 
or organizations should receive the report and other steps being taken 
to ensure the availability of the report for public inspection. The 
availability of the report for public inspection should be documented 
in the audit documentation.

5.37: Internal auditors should follow their entity's own arrangements 
and statutory requirements for distribution. Usually, they report to 
their entity's head or deputy head, who are responsible for 
distribution of the report. Further distribution of reports outside the 
organization should be made in accordance with applicable laws, rules, 
regulations, or policy.

5.38: If an audit is terminated before it is completed but the auditors 
do not issue an audit report, auditors should write a memorandum for 
the record that summarizes the results of the work to the date of 
termination and explains why the audit was terminated. In addition, 
auditors should communicate the reasons for terminating the audit to 
management of the audited entity, the entity requesting the audit, and 
other appropriate officials, preferably in writing. This communication 
should be documented.

[End of section]

Chapter 6: General, Field Work, and Reporting Standards for Attestation 
Engagements:

Introduction:

6.01: This chapter prescribes standards and provides guidance for 
attestation engagements performed in accordance with generally accepted 
government auditing standards (GAGAS). Attestation engagements consist 
of work governed by the American Institute of Certified Public 
Accountants' (AICPA) standards for attestation engagements. GAGAS 
incorporate the AICPA general standard on criteria, its field work 
standards, and its reporting standards for attestation engagements, as 
well as the AICPA Statements on Standards for Attestation Engagements 
(SSAE), unless the Comptroller General of the United States excludes 
them by formal announcement.[Footnote 63] This chapter identifies the 
AICPA general standard on criteria,[Footnote 64] field work standards, 
and reporting standards for attestation engagements and prescribes 
additional standards for attestation engagements performed in 
accordance with GAGAS. In addition to the AICPA general standard on 
criteria, auditors should also follow all of the general standards for 
work performed under GAGAS, as discussed in chapter 3.

6.02: In an attestation engagement, auditors issue an examination, a 
review, or an agreed-upon procedures report on a subject matter, or an 
assertion about a subject matter, that is the responsibility of another 
party. Attestation engagements can cover a broad range of financial or 
nonfinancial objectives[Footnote 65] and can be part of an audit or a 
separate engagement. The three levels of attestation engagements 
include the following.

a. Examination: Auditors perform sufficient testing to express an 
opinion on whether the subject matter is based on (or in conformity 
with) the criteria in all material respects or the assertion is 
presented (or fairly stated), in all material respects, based on the 
criteria.

b. Review: Auditors perform sufficient testing to express a conclusion 
about whether any information came to the auditors' attention on the 
basis of the work performed that indicates the subject matter is not 
based on (or in conformity with) the criteria or the assertion is not 
presented (or fairly stated) in all material respects based on the 
criteria.[Footnote 66]

c. Agreed-Upon Procedures: Auditors perform testing to issue a report 
of findings based on specific procedures performed on subject matter.

AICPA General and Field Work Standards for Attestation Engagements:

6.03: The AICPA general standard related to criteria states the 
following:

The practitioner [auditor] shall perform an engagement only if he or 
she has reason to believe that the subject matter is capable of 
evaluation against criteria that are suitable and available to users.

6.04: The two AICPA field work standards for attestation engagements are 
as follows:

a. The work shall be adequately planned and assistants, if any, shall 
be properly supervised.

b. Sufficient evidence shall be obtained to provide a reasonable basis 
for the conclusion that is expressed in the report.

Additional GAGAS Field Work Standards for Attestation Engagements:

6.05: GAGAS prescribe additional attestation engagement field work 
standards that go beyond the requirements contained in the AICPA SSAEs. 
Auditors must comply with these additional standards when citing GAGAS 
in their attestation engagement reports. The additional GAGAS field 
work standards relate to:

a. auditor communication (see paragraphs 6.06 through 6.09);

b. considering the results of previous audits and attestation 
engagements (see paragraphs 6.10 through 6.12);

c. internal control (see paragraphs 6.13 and 6.14);

d. detecting fraud, illegal acts, violations of contract provisions or 
grant agreements, and abuse that could have a material effect on the 
subject matter (see paragraphs 6.15 through 6.20);

e. developing elements of findings for attestation engagements 
(paragraph 6.21); and

f. attest documentation (see paragraphs 6.22 through 6.26).

Auditor Communication:

6.06: The standard related to auditor communication for attestation 
engagements performed in accordance with GAGAS is:

Auditors should communicate information regarding the nature, timing, 
and extent of planned testing and reporting on the subject matter or 
assertion about the subject matter, including the level of assurance 
provided, to officials of the audited entity and to the individuals 
contracting for or requesting the attestation engagement.

6.07: During the planning stages of an attestation engagement, auditors 
should communicate to officials of the audited entity and to 
individuals contracting for or requesting the services information 
regarding the nature, timing, and extent of testing and reporting 
including the level of assurance provided and any potential restriction 
of reports associated with the different levels of assurance services, 
to reduce the risk that the needs or expectations of the parties 
involved may be misinterpreted. See paragraph 6.02 for a discussion of 
the levels of attestation services. Auditors should use their 
professional judgment to determine the form and content of the 
communication, although written communication is preferred. Auditors 
may use an engagement letter, if appropriate, to communicate the 
information. If the attestation engagement is part of a larger audit, 
this information may be communicated as part of that audit. Auditors 
should document the communication in their attest documentation.

6.08: Auditors should communicate their responsibilities for the 
engagement to the appropriate officials of the audited entity, 
including:

a. the head of the audited entity,

b. the audit committee or board of directors or other equivalent 
oversight body in the absence of an audit committee, and

c. the individual who possesses a sufficient level of authority and 
responsibility for the subject matter or the assertion.

6.09: In situations where auditors are performing the engagement under a 
contract with a party other than the officials of the audited entity, 
or pursuant to a third-party request, auditors should also communicate 
with the individuals contracting for or requesting the engagement, such 
as contracting officials or legislative members or staff. When auditors 
are performing the engagement pursuant to a law or regulation, auditors 
should communicate with the legislative members or staff who have 
oversight of the auditee.[Footnote 67] Auditors should coordinate 
communications with the responsible government audit organization 
and/or management of the audited entity, and may use the engagement letter 
to keep interested parties informed. If an engagement is terminated 
before it is completed, auditors should write a memorandum for the 
record that summarizes the results of the work and explains why the 
engagement was terminated. In addition, auditors should communicate the 
reason for terminating the engagement to management of the audited 
entity, the entity requesting the engagement, and other appropriate 
officials, preferably in writing. This communication should be 
documented.

Considering the Results of Previous Audits and Attestation Engagements:

6.10: The standard related to considering the results of previous audits 
and attestation engagements for attestation engagements performed in 
accordance with GAGAS is:

Auditors should consider the results of previous audits and attestation 
engagements and follow up on known significant findings and 
recommendations that directly relate to the subject matter or the 
assertion of the attestation engagement being undertaken.

6.11: Auditors should ask audited entity officials to identify previous 
financial audits, attestation engagements, performance audits, or other 
studies related to the subject matter or assertions of the attestation 
engagement being undertaken and to identify corrective actions taken to 
address significant findings and recommendations.[Footnote 68] For 
example, an audit report on an entity's computerized information 
systems may contain significant findings that could relate to the 
attestation engagement if the entity uses such systems to process 
information about the subject matter or contained in an assertion about 
the subject matter. Following up on known significant findings and 
recommendations identified in previous audits, attestation 
engagements, or studies can help auditors evaluate the subject matter 
or the assertion associated with the attestation engagement. Auditors 
should use professional judgment in determining (1) prior periods to be 
considered, (2) the level of work necessary to follow up on significant 
findings and recommendations that affect the attestation engagement, 
and (3) the effect on the risk assessment and attestation procedures in 
planning the current attestation engagement.

6.12: Providing continuing attention to significant findings and 
recommendations is important to ensure that the benefits of the 
auditors' work are realized. Ultimately, the benefits of auditors' work 
occur when management of the audited entity takes meaningful and 
effective corrective action in response to the auditors' findings and 
recommendations. Management of the audited entity is responsible for 
resolving findings and recommendations directed to them and for having 
a process to track their status. If management of the audited entity 
does not have such a process, auditors may wish to establish their own 
process.

Internal Control:

6.13: The standard related to internal control for examination-level 
attestation engagements performed in accordance with GAGAS is:

In planning examination-level attestation engagements, auditors should 
obtain a sufficient understanding of internal control that is material 
to the subject matter or assertion to plan the engagement and design 
procedures to achieve the objectives of the attestation engagement.

6.14: In planning an examination-level attestation engagement, auditors 
should obtain an understanding of internal control[Footnote 69] as it 
relates to the subject matter or assertion to which the auditors are 
attesting. The subject matter or assertion may be of a financial or 
nonfinancial nature, and internal control material to the subject 
matter or assertion the auditor is testing may relate to:

a. effectiveness and efficiency of operations, including the use of an 
entity's resources;

b. reliability of financial reporting, including reports on budget 
execution and other reports for internal and external use;

c. compliance with applicable laws and regulations, provisions of 
contract, or grant agreements; and

d. safeguarding of assets.

Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or 
Grant Agreements, and Abuse That Could Have a Material Effect on the 
Subject Matter:

6.15: The standard related to fraud, illegal acts, violations of 
provisions of contracts or grant agreements, and abuse for attestation 
engagements performed in accordance with GAGAS is:

a. In planning examination-level attestation engagements, auditors 
should design the engagement to provide reasonable assurance of 
detecting fraud, illegal acts, or violations of provisions of contracts 
or grant agreements that could have a material effect on the subject 
matter or assertion of the attestation engagement, and should be alert 
to situations or transactions that could be indicative of abuse.

b. In planning review-level or agreed-upon-procedure-level attestation 
engagements, auditors should be alert to situations or transactions 
that could be indicative of fraud, illegal acts, or violations of 
provisions of contracts or grant agreements, and if indications of 
fraud, illegal acts, or violations of provisions of contracts or grant 
agreements exist that could materially affect the subject matter or 
assertion, auditors should apply procedures specifically directed to 
ascertain whether fraud, illegal acts, or violations of provisions of 
contracts or grant agreements have occurred and the effect on the 
subject matter or assertion.

c. Auditors should be alert to situations or transactions that could be 
indicative of abuse, and if indications of abuse exist that could 
significantly affect the results of the attestation engagement, 
auditors should apply audit procedures specifically directed to 
ascertain whether abuse has occurred and the effect on the results of 
the attestation engagement.

6.16: Auditors should exercise professional judgment in planning an 
examination-level attestation engagement by obtaining an understanding 
of the possible effects of fraud,[Footnote 70] illegal acts, or 
violations of provisions of contracts or grant agreements on the 
subject matter or assertion of the attestation engagement and by 
identifying and assessing any associated risks that could have a 
material effect on the attestation engagement. Auditors should include 
attest documentation on their assessment of risk, and, when risk 
factors are identified as being present, the documentation should 
include:

a. those risk factors identified, and

b. the auditors' response to those risk factors, individually or in 
combination.

6.17: In addition, if during the performance of the attestation 
engagement, risk factors or other conditions are identified that cause 
the auditors to believe that an additional response is required, such 
factors or other conditions, and any future response the auditors 
conclude is appropriate, should be documented.

6.18: For attestation engagements involving review-level or 
agreed-upon-procedure-level of reporting, auditors should be alert to 
situations or transactions that could be indicative of fraud, illegal 
acts, or violations of provisions of contracts or grant agreements. When 
information comes to the auditors' attention (through audit procedures, 
allegations received through fraud hotlines, or other means) indicating 
that fraud, illegal acts, or violations of provisions of contracts or 
grant agreements may have occurred, auditors should consider whether 
the possible fraud, illegal acts, or violation of provisions of 
contracts or grant agreements could materially affect the results of 
the attestation engagement. If such acts could materially affect the 
results of the engagement, auditors should extend the audit steps and 
procedures, as necessary, to (1) determine if fraud, illegal acts, or 
violations of provisions of contracts or grant agreements are likely to 
have occurred and, if so, (2) determine their effect on the results of 
the attestation engagement. Because the scope of review-level and 
agreed-upon-procedures-level engagements is limited, auditors are not 
expected to provide reasonable assurance of detecting fraud, illegal 
acts, or violations of contract or grant agreements for these types of 
engagements.

6.19: Abuse is distinct from fraud, illegal acts, or violations of 
provisions of contracts or grant agreements. When abuse occurs, no law, 
regulation, or provision of a contract or grant agreement is violated. 
Rather, abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and 
circumstances.[Footnote 71] For all levels of attestation engagements, 
auditors should be alert to situations or transactions that could be 
indicative of abuse. When information comes to the auditors' attention 
(through audit procedures, allegations received through a fraud 
hotline, or other means) indicating that abuse may have occurred, 
auditors should consider whether the possible abuse could affect the 
assertion significantly. Auditors should consider both quantitative and 
qualitative factors in making judgments regarding the significance of 
possible abuse and whether they need to extend the audit steps and 
procedures. If indications of the possible abuse exist that 
significantly affect the results of the attestation engagement, the 
auditors should extend the audit steps and procedures, as necessary, to 
(1) determine whether the abuse occurred and, if so, (2) determine its 
effect on the results of the attestation engagement. However, because 
the determination of abuse is so subjective, auditors are not expected 
to provide reasonable assurance of detecting abuse.

6.20: Auditors should exercise professional judgment in pursuing 
indications of possible fraud, illegal acts, violations of provisions 
of contracts or grant agreements, or abuse, in order not to interfere 
with potential investigations, legal proceedings, or both. Under some 
circumstances, laws, regulations, or policies require auditors to 
report indications of certain types of fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse to law 
enforcement or investigatory authorities before extending audit steps 
and procedures. Auditors may also be required to withdraw from or defer 
further work on the engagement or a portion of the engagement in order 
not to interfere with an investigation.

Developing Elements of Findings for Attestation Engagements:

6.21: Attest findings, such as deficiencies in internal control, illegal 
acts, violations of provisions of contracts or grant agreements, and 
abuse, have often been regarded as containing the elements of criteria, 
condition, and effect, plus cause when problems are found. However, the 
elements needed for a finding depend entirely on the objectives of the 
attestation engagement. Thus, a finding or set of findings is complete 
to the extent that the objectives of the attestation engagement are 
satisfied. When problems are identified, to the extent possible, 
auditors should plan attest procedures to develop the elements of a 
finding to facilitate developing the auditors' report. (See paragraph 
6.34 for a description of the elements of a finding.)

Attest Documentation:

6.22: The standard related to attest documentation for attestation 
engagements performed in accordance with GAGAS is:

Attest documentation related to planning, conducting, and reporting on 
the attestation engagement should contain sufficient information to 
enable an experienced auditor who has had no previous connection with 
the attestation engagement to ascertain from the attest documentation 
the evidence that supports the auditors' significant judgments and 
conclusions. Attest documentation should contain support for findings, 
conclusions, and recommendations before auditors issue their report.

6.23: AICPA standards and GAGAS require that auditors prepare and 
maintain attest documentation. The form and content of attest 
documentation should be designed to meet the circumstances of the 
particular attestation engagement. The information contained in attest 
documentation constitutes the principal record of the work that the 
auditors have performed in accordance with professional standards and 
the conclusions that the auditors have reached. The quantity, type, and 
content of attest documentation are a matter of the auditors' 
professional judgment.

6.24: Attest documentation serves to (1) provide the principal support 
for the auditors' report, (2) aid auditors in conducting and 
supervising the attestation engagement, and (3) allow for the review of 
the quality of the attestation engagement. The preparation of attest 
documentation should be appropriately detailed to provide a clear 
understanding of its purpose and source and the conclusions the 
auditors reached, and it should be appropriately organized to provide a 
clear link to the findings, conclusions, and recommendations contained 
in the auditors' report. Attest documentation for attestation 
engagements performed under GAGAS should contain the following 
additional items not explicitly addressed in the AICPA SSAEs or 
elsewhere in GAGAS:

a. the objectives, scope, and methodology of the attestation 
engagement, including any sampling and other selection criteria used;

b. the auditor's determination that certain additional government 
auditing standards do not apply or that an applicable standard was not 
followed, the reasons therefor, and the known effect that not following 
the applicable standard had, or could have had, on the attestation 
engagement;

c. the work performed to support significant judgments and conclusions, 
including descriptions of transactions and records examined;[Footnote 72]

d. the auditors' consideration that the planned attestation procedures 
are designed to achieve objectives of the attestation engagement when 
evidential matter obtained is highly dependent on computerized 
information systems and is material to the objective of the engagement, 
and the auditors are not relying on the effectiveness of internal 
control over those computerized systems that produced the information. 
The attest documentation should specifically address (1) the rationale 
for determining the nature, timing, and extent of planned audit 
procedures; (2) the kinds and competence of available evidential matter 
produced outside a computerized information system, and/or plans for 
direct testing of data produced from a computerized information system; 
and (3) the effect on the attestation engagement report if evidential 
matter to be gathered does not afford a reasonable basis for achieving 
the objectives of the engagement; and

e. evidence of supervisory reviews, before the report on the 
attestation engagement is issued, of the work performed that supports 
findings, conclusions, and recommendations contained in the report.

6.25: Underlying GAGAS attestation engagements is the premise that 
federal, state, and local governments and other organizations cooperate 
in auditing programs of common interest so that auditors may use 
others' work and avoid duplication of efforts. Auditors should make 
arrangements to make attest documentation available, upon request, in a 
timely manner to other auditors or reviewers. Contractual arrangements 
for GAGAS attestation engagements should provide for full and timely 
access to attest documentation to facilitate reliance by others on the 
auditors' work.

6.26: Audit organizations need to adequately safeguard the audit 
documentation associated with any particular engagement. Audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to audit documentation, especially in connection with 
situations where an outside party attempts to obtain indirectly through 
the auditor information that it is unable to obtain directly from the 
audited entity. In developing such policies, audit organizations need 
to consider applicable laws and regulations applying to the audit 
organizations or the audited entity.

AICPA Reporting Standards for Attestation Engagements:

6.27: As discussed in paragraph 6.02, the AICPA SSAEs provide for 
different levels of reporting based on the type of assurance the 
auditors are providing. The four AICPA reporting standards for all 
levels of reporting under attestation engagements are as follows:

a. The report shall identify the subject matter or the assertion being 
reported on and state the character of the engagement.

b. The report shall state the practitioner's [auditor's] conclusions 
about the subject matter or the assertion in relation to the criteria 
against which the subject matter was evaluated.

c. The report shall state all of the practitioner's [auditor's] 
significant reservations about the engagement, the subject matter, and, 
if applicable, the assertion related thereto.

d. The report shall state that the use of the report is restricted to 
specified parties under the following circumstances:[Footnote 73] (1) 
when the criteria used to evaluate the subject matter are determined by 
the practitioner to be appropriate only for a limited number of parties 
who either participated in their establishment or can be presumed to 
have an adequate understanding of the criteria, (2) when the criteria 
used to evaluate the subject matter are available only to specified 
parties, (3) when reporting on subject matter and a written assertion 
has not been provided by the responsible party, and (4) when the report 
is on an attest engagement to apply agreed-upon procedures to the 
subject matter.

Additional GAGAS Reporting Standards for Attestation Engagements:

6.28: GAGAS prescribe additional reporting standards for attestation 
engagements that go beyond the requirements contained in the AICPA 
SSAEs. Auditors must comply with these additional standards when citing 
GAGAS in their attestation engagement reports. The additional GAGAS 
standards relate to:

a. reporting auditors' compliance with GAGAS (see paragraphs 6.29 
through 6.31);

b. reporting deficiencies in internal control, fraud, illegal acts, 
violations of provisions of contracts or grant agreements, and abuse 
(see paragraphs 6.32 through 6.40);

c. reporting views of responsible officials (see paragraphs 6.41 
through 6.45);

d. reporting privileged and confidential information (see paragraphs 
6.46 through 6.48); and

e. report issuance and distribution (see paragraphs 6.49 through 6.54).

Reporting Auditors' Compliance with GAGAS:

6.29: The standard related to reporting auditors' compliance with GAGAS 
for attestation engagements performed in accordance with GAGAS is:

Reports on attestation engagements should state that the engagement was 
made in accordance with GAGAS.

6.30: When the report on the attestation engagement is submitted to 
comply with a legal, regulatory, or contractual requirement, or when 
GAGAS are voluntarily used, the report should specifically cite GAGAS 
and may cite AICPA standards as well. The statement referencing 
compliance with GAGAS refers to all the applicable standards that the 
auditors should have followed during the attestation engagement, and 
the statement of compliance should be qualified in situations in which 
the auditors did not follow an applicable standard. In these 
situations, the auditors should disclose in the scope section of the 
report the applicable standard that was not followed, the reasons 
therefor, and how not following the standard affected, or could have 
affected, the results of the attestation engagement. In assessing the 
impact of not following an applicable standard on the results of the 
attestation engagement, auditors may need to qualify the assurances 
provided, disclaim from providing any assurances, or withdraw from the 
engagement.

6.31: An audited entity receiving a GAGAS report on an attestation 
engagement may also need a report on the attestation engagement for 
purposes other than complying with requirements calling for a GAGAS 
attestation engagement. GAGAS do not prohibit auditors from issuing a 
separate report conforming only to the requirements of AICPA standards. 
When a GAGAS attestation engagement is the basis for an auditors' 
subsequent report under the AICPA standards, it would be advantageous 
to users of the subsequent report for the auditors' report to include 
the information on internal control and fraud, illegal acts, violations 
of provisions of contracts and grant agreements, and abuse that are 
required by GAGAS but not required by AICPA standards.

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, 
Violations of Provisions of Contracts or Grant Agreements, and Abuse:

6.32: The standard related to reporting deficiencies in internal 
control, fraud, illegal acts, violations of provisions of contracts or 
grant agreements, and abuse for attestation engagements performed in 
accordance with GAGAS is:

The report on an attestation engagement should disclose (1) 
deficiencies in internal control, including internal control over 
compliance with laws, regulations, and provisions of contracts or grant 
agreements that are material to the subject matter or assertion, (2) 
all instances of fraud and illegal acts unless clearly inconsequential, 
and (3) violations of provisions of contracts or grant agreements and 
abuse that are material to the subject matter or assertion of the 
engagement. In some circumstances, auditors should report fraud, 
illegal acts, violations of provisions of contracts or grant 
agreements, and abuse directly to parties external to the audited 
entity.

6.33: When reporting deficiencies in internal control or instances of 
fraud, illegal acts,[Footnote 74] violations of provisions of contracts 
or grant agreements, or abuse, auditors should place their findings in 
proper perspective by providing a description of the work performed 
that resulted in the finding. To give the reader a basis for judging 
the prevalence and consequences of these findings, the deficiencies or 
instances identified should be related to the population or the number 
of cases examined and be quantified in terms of dollar value, if 
appropriate. If the results cannot be projected, auditors should limit 
their conclusion to the items tested.

6.34: To the extent possible, in presenting findings, auditors should 
develop the elements of criteria, condition, cause, and effect to 
assist management or oversight officials of the audited entity in 
understanding the need for taking corrective action. In addition, if 
auditors are able to sufficiently develop the findings, auditors should 
provide recommendations for corrective action. The following list 
contains guidance for reporting on elements of findings:

a. Criteria: An attestation engagement report is improved when it 
provides information so that the report user will be able to determine 
what is the required or desired state or what is expected from the 
program or operation. The criteria are easier to understand when stated 
fairly, explicitly, and completely, and the source of the criteria is 
identified in the attestation engagement report.[Footnote 75]

b. Condition: The attestation engagement report is improved when it 
provides evidence of what the auditors found regarding the actual 
situation. Reporting the scope or extent of the condition allows the 
report user to gain an accurate perspective.

c. Cause: The attestation engagement report is improved when it 
provides persuasive evidence on the factor or factors responsible for 
the difference between condition and criteria. In reporting the cause, 
auditors may consider whether the evidence provides a reasonable and 
convincing argument for why the stated cause is the key factor or 
factors contributing to the difference as opposed to other possible 
causes, such as poorly designed criteria or factors uncontrollable by 
program management. The auditors also may consider whether the 
identified cause could serve as a basis for the recommendations.

d. Effect: The attestation engagement report is improved when it 
provides a clear, logical link to establish the impact of the 
difference between what the auditors found (condition) and what should 
be (criteria). Effect is easier to understand when it is stated 
clearly, concisely, and, if possible, in quantifiable terms. The 
significance of the reported effect can be demonstrated through 
credible evidence.

6.35: When auditors detect internal control deficiencies, fraud, illegal 
acts, violations of provisions of contracts or grant agreements, or 
abuse that is not material to the subject matter or assertion, they 
should communicate those findings to the audited entity in a management 
letter, unless they are clearly inconsequential, considering both 
qualitative and quantitative factors. The auditor should refer to the 
management letter in the report on the attestation engagement. Auditors 
should use their professional judgment in determining whether and how 
to communicate to officials of the audited entity internal control 
deficiencies, fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse that are clearly 
inconsequential. Auditors should include in their attest documentation 
evidence of all communication to officials of the audited entity about 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, and Abuse:

6.36: GAGAS require auditors to report fraud, illegal acts, violations 
of provisions of contracts or grant agreements, and abuse directly to 
parties outside the audited entity in two circumstances, as discussed 
below.[Footnote 76] These requirements are in addition to any legal 
requirements for direct reporting of fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse. Auditors should 
meet these requirements even if they have resigned or been dismissed 
from the attestation engagement prior to its completion.

6.37: The audited entity may be required by law or regulation to report 
certain fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to specified external parties, such as a 
federal inspector general or a state attorney general. If auditors have 
communicated such fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to the audited entity and the 
entity fails to report them, then the auditors should communicate such 
an awareness to the governing body of the audited entity. If the 
audited entity does not make the required report as soon as possible 
after the auditors' communication with the entity's governing body, 
then the auditors should report such fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse directly to the 
external party specified in the law or regulation.

6.38: Officials of the audited entity are responsible for taking timely 
and appropriate steps to remedy fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse that auditors 
report to them. When fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involves assistance received 
directly or indirectly from a government agency, auditors may have a 
duty to report directly if management fails to take remedial steps. If 
auditors conclude that such failure is likely to cause them to depart 
from the standard report on the attestation engagement or resign from 
the engagement, they should communicate that conclusion to the 
governing body of the audited entity. Then, if the audited entity does 
not report the fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse as soon as possible to the 
entity that provided the government assistance, the auditors should 
report the fraud, illegal acts, violations of provisions of contracts 
or grant agreements, or abuse directly to that entity.

6.39: In these situations, auditors should obtain sufficient, competent, 
and relevant evidence, such as confirmation from outside parties, to 
corroborate assertions by management that management has reported 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse. If they are unable to do so, the auditors should 
report the fraud, illegal acts, violations of provisions of contracts 
or grant agreements, or abuse directly as discussed above.

6.40: Laws, regulations, or policies may require auditors to report 
promptly indications of certain types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
law enforcement or investigatory authorities. In such circumstances, 
when auditors conclude that these types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
either have occurred or are likely to have occurred, they should ask 
those authorities and/or legal counsel if publicly reporting certain 
information about the potential fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse would compromise 
investigative or legal proceedings. Auditors should limit their public 
reporting to matters that would not compromise those proceedings, such 
as information that is already a part of the public record.

Reporting Views of Responsible Officials:

6.41: The standard related to reporting the views of responsible 
officials for attestation engagements performed in accordance with 
GAGAS is:

If the auditors' report on the attestation engagement discloses 
deficiencies in internal control, fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse, auditors should 
obtain and report the views of responsible officials concerning the 
findings, conclusions, and recommendations, as well as planned 
corrective actions.

6.42: One of the most effective ways to ensure that a report is fair, 
complete, and objective is to obtain advance review and comments by 
responsible officials of the audited entity and others, as may be 
appropriate. Including the views of responsible officials results in a 
report that presents not only the deficiencies in internal control, 
fraud, illegal acts, violations of provisions of contracts or grant 
agreements, or abuse the auditors identified, but also what the 
responsible officials of the audited entity think about the 
deficiencies in internal control, fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse and what 
corrective actions the officials plan to take. Auditors should include 
in their report a copy of the officials' written comments or a summary 
of the comments received.

6.43: Auditors should normally request that the responsible officials 
submit in writing their views on the auditors' reported findings, 
conclusions, and recommendations, as well as management's planned 
corrective actions. Oral comments are acceptable as well, and, in some 
cases, may be the only or most expeditious way to obtain comments. 
Cases in which obtaining oral comments can be effective include 
circumstances in which there is a time-critical requirement to meet a 
user's needs; the auditors have worked closely with the responsible 
officials throughout the conduct of the work and the parties are 
familiar with the findings and issues addressed in the draft product; 
or the auditors do not expect major disagreements with the draft 
report's findings, conclusions, and recommendations, or perceive any 
major controversies with regard to the issues discussed in the draft 
report. Before finalizing the report, auditors should prepare a summary 
of the officials' oral comments and provide a copy of the summary to 
officials of the audited entity to verify that the comments are 
accurately stated.

6.44: Comments should be fairly and objectively evaluated and 
recognized, as appropriate, in the final report. Comments, such as a 
promise or plan for corrective action, should be noted but should not 
be accepted as justification for deleting a significant finding or a 
related recommendation.

6.45: When the audited entity's comments oppose the report's findings, 
conclusions, or recommendations, and are not, in the auditors' opinion, 
valid, or when planned corrective actions do not adequately address the 
auditors' recommendations, the auditors should state their reasons for 
disagreeing with the comments or planned corrective actions. The 
auditors' disagreement should be stated in a fair and objective manner. 
Conversely, the auditors should modify their report as necessary if 
they find the comments valid.

Reporting Privileged and Confidential Information:

6.46: The standard related to reporting privileged and confidential 
information for attestation engagements performed in accordance with 
GAGAS is:

If certain pertinent information is prohibited from general disclosure, 
the report on the attestation engagement should state the nature of the 
information omitted and the requirement that makes the omission 
necessary.

6.47: Certain information may be prohibited from general disclosure by 
federal, state, or local laws or regulations. In such circumstances, 
auditors may issue a separate limited-official-use report containing 
such information and distribute the report only to persons authorized 
by law or regulation to receive it. Additional circumstances associated 
with public safety and security concerns could also justify the 
exclusion of certain information in the report. For example, detailed 
information related to computer security for a particular program may 
be excluded from publicly available reports if potential damage could 
be caused by the misuse of this information. In such circumstances, 
auditors may issue a limited-official-use report containing such 
information and distribute the report only to those parties responsible 
for acting on the auditors' recommendations. The auditors should, when 
appropriate, consult with legal counsel regarding any requirements or 
other circumstances that may necessitate the omission of certain 
information.

6.48: Auditors' judgments that certain information should be excluded 
from publicly available reports should be made in a manner consistent 
with consideration of the broader public interest in the program or 
activity under review. When circumstances call for omission of certain 
information, auditors should consider whether this omission could 
distort the engagement results or conceal improper or unlawful 
practices. If auditors make the judgment that certain information 
should be excluded from a publicly available report, they should state 
the general nature of the information omitted and the reasons that make 
the omission necessary in the report.

Report Issuance and Distribution:

6.49: The standard related to report issuance and distribution for 
attestation engagements performed in accordance with GAGAS is:

Government auditors should submit reports on the attestation engagement 
to the appropriate officials of the audited entity and to the 
appropriate officials of the organizations requiring or arranging for 
the engagement, including external funding organizations such as 
legislative bodies, unless legal restrictions prevent it. Auditors 
should also send copies of the reports to other officials who have 
legal oversight authority or who may be responsible for acting on the 
findings and recommendations and to others authorized to receive such 
reports. Unless the report is restricted by law or regulation, or 
contains privileged or confidential information, auditors should 
clarify that copies are made available for public inspection. 
Nongovernment auditors should clarify report distribution 
responsibilities with the party contracting for the audit and follow 
the agreements reached.

6.50: Reports on attestation engagements should be distributed in a 
timely manner to officials interested in the results. Such officials 
include those designated by law or regulation to receive such reports, 
those responsible for acting on the findings and recommendations 
contained in the reports, those in other levels of government that have 
provided assistance to the audited entity, and legislators. However, if 
the subject matter or assertion of the attestation engagement involves 
material that is classified for security purposes or not releasable to 
particular parties or the public for other valid reasons, auditors 
should limit the report distribution. The availability of the report 
for public inspection should be documented in the audit documentation.

6.51: Although AICPA standards require that a report on an engagement to 
evaluate an assertion based on agreed-upon criteria or on an engagement 
to apply agreed-upon procedures should contain a statement limiting its 
use to the parties who have agreed upon such criteria or procedures, 
such a statement does not require that the report distribution be 
limited. (See paragraphs 6.46 through 6.48 for additional guidance on 
limited report distribution.) The availability of the report for public 
inspection should be documented in the audit documentation.

6.52: When nongovernment auditors are engaged to conduct an attestation 
engagement under GAGAS, they should clarify report distribution 
responsibilities with the engaging organization. If the public 
accountants are to make the distribution, the engagement agreement 
should indicate which officials or organizations should receive the 
report and the steps being taken to ensure the availability of the 
report for public inspection. The availability of the report for public 
inspection should be documented in the audit documentation.

6.53: Internal auditors should follow their entity's own arrangements 
and statutory requirements for distribution. Usually, they report to 
their entity's head or deputy head, who is responsible for distribution 
of the report. Further distribution of reports outside the organization 
should be made in accordance with applicable laws, rules, regulations, 
or policies.

6.54: If an attestation engagement is terminated before it is completed 
but the auditors do not issue a report on the engagement, auditors 
should write a memorandum for the record that summarizes the results of 
the work to the date of termination and explains why the attestation 
engagement was terminated. In addition, auditors should communicate the 
reasons for terminating the attest engagement to management of the 
audited entity, the entity requesting the attestation engagement, and 
other appropriate officials, preferably in writing. This communication 
should be documented.

[End of section]

Chapter 7: Field Work Standards for Performance Audits:

Introduction:

7.01: This chapter prescribes field work standards and provides guidance 
to auditors conducting performance audits in accordance with generally 
accepted government auditing standards (GAGAS). The field work 
standards for performance audits relate to planning the audit; 
supervising staff; obtaining sufficient, competent, and relevant 
evidence; and preparing audit documentation.

Planning:

7.02: The field work standard related to planning for performance audits 
performed in accordance with GAGAS is:

Work is to be adequately planned.

7.03: In planning the audit, auditors should define the audit 
objectives, as well as the scope and methodology to achieve those 
objectives. Audit objectives, scope, and methodologies are not 
determined in isolation. Auditors determine these three elements of the 
audit plan together, as the considerations in determining each often 
overlap. Planning is a continuous process throughout the audit. 
Therefore, auditors should consider the need to make adjustments to the 
audit objectives, scope, and methodology as work is being completed.

7.04: The objectives are what the audit is intended to accomplish. They 
identify the audit subjects and performance aspects to be included, as 
well as the potential finding and reporting elements that the auditors 
expect to develop.[Footnote 77] Audit objectives can be thought of as 
questions about the program[Footnote 78] that auditors seek to answer. 
(See paragraphs 2.09 through 2.13.)

7.05: Scope is the boundary of the audit and should be directly tied to 
the audit objectives. For example, the scope defines parameters of the 
audit such as the period of time reviewed, the availability of 
necessary documentation or records, and the locations at which field 
work will be performed.

7.06: The methodology comprises the work involved in gathering and 
analyzing data to achieve the objectives. Audit procedures are the 
specific steps and tests auditors will carry out to address the audit 
objectives. Auditors should design the methodology to provide 
sufficient, competent, and relevant evidence to achieve the objectives 
of the audit. Methodology includes both the types and extent of audit 
procedures used to achieve the audit objectives.

7.07: Planning should be documented and should include:

a. considering the significance of various programs and the needs of 
potential users of the audit report (see paragraphs 7.08 and 7.09);

b. obtaining an understanding of the program to be audited (see 
paragraph 7.10);

c. obtaining an understanding of internal control as it relates to the 
specific objectives and scope of the audit (see paragraphs 7.11 through 
7.16);

d. designing methodology and procedures to detect significant 
violations of legal and regulatory requirements, contract provisions, 
or grant agreements (see paragraphs 7.17 through 7.27);

e. identifying the criteria needed to evaluate matters subject to audit 
(see paragraph 7.28);

f. considering the results of previous audits and attestation 
engagements that could affect the current audit objectives (see 
paragraphs 7.29 and 7.30);

g. identifying potential sources of data that could be used as audit 
evidence (see paragraph 7.31);

h. considering whether the work of other auditors and experts may be 
used to satisfy some of the audit objectives (see paragraphs 7.32 
through 7.34);

i. providing appropriate and sufficient staff and other resources to 
perform the audit (see paragraphs 7.35 through 7.38);

j. communicating general information concerning the planning and 
performance of the audit to management officials responsible for the 
program being audited and others as applicable (see paragraphs 7.39 and 
7.40); and

k. preparing an audit plan (see paragraphs 7.41 through 7.43).

Program Significance:

7.08: The significance of a matter is its relative importance to the 
audit objectives and potential users of the audit report. Auditors 
should consider the significance of a program or program component and 
the potential use that will be made of the audit results or report as 
they plan a performance audit. Indicators of significance and/or use to 
consider include:

a. visibility and sensitivity of the program under audit,

b. newness of the program or changes in its conditions,

c. role of the audit in providing information that can improve public 
accountability and decision making, and

d. level and extent of review or other forms of independent oversight.

7.09: One group of users of the auditors' report is government officials 
who may have authorized or requested the audit. Other important users 
of the auditors' report are the entity being audited and legislative 
bodies, which are responsible for acting on the auditors' 
recommendations. Other potential users of the auditors' report include 
government legislators or officials (other than those who may have 
authorized or requested the audit), the media, interest groups, and 
individual citizens. In addition to an interest in the program, 
potential users may have an ability to influence the conduct of the 
program. An awareness of these potential users' interests and influence 
can help auditors understand why the program operates the way it does. 
This awareness can also help auditors judge whether possible findings 
could be significant to various possible users.

Understanding the Program:

7.10: Auditors should obtain an understanding of the program to be 
audited to help assess, among other matters, the significance of 
possible audit objectives and the feasibility of achieving them. The 
auditors' understanding may come from knowledge they already have about 
the program or knowledge they gain from inquiries and observations they 
make in planning the audit. The extent and breadth of those inquiries 
and observations will vary among audits based on the audit objectives, 
as will the need to understand individual aspects of the program, such 
as the following:

a. Laws, regulations, and provisions of contracts or grant agreements: 
Government programs usually are created by law and are subject to 
specific laws and regulations. For example, laws and regulations 
usually set forth what is to be done, who is to do it, the purpose to 
be achieved, the population to be served, and how much can be spent on 
what. Government programs may also be subject to provisions of 
contracts and grant agreements. Thus, understanding the laws and the 
legislative history establishing a program and the provisions of any 
contracts or grant agreements can be essential to understanding the 
program itself. Obtaining that understanding is also a necessary step 
in identifying provisions of laws, regulations, contracts, or grant 
agreements significant to audit objectives.

b. Purpose and goals: Purpose is the result or effect that is intended 
or desired from a program's operation. Legislatures usually establish 
the program purpose when they provide authority for the program. Entity 
officials may provide more detailed guidance on program purpose to 
supplement the authorizing legislation. Entity officials are sometimes 
asked to set goals for program performance and operations, including 
both output and outcome goals. Auditors may use the stated program 
purpose and goals as criteria for assessing program performance or may 
develop additional criteria or best practices to compare the program 
against.

c. Internal control: Internal control, often referred to as management 
controls, in the broadest sense includes the plan of organization, 
methods, and procedures adopted by management to meet its missions, 
goals, and objectives. Internal control includes the processes for 
planning, organizing, directing, and controlling program operations. It 
includes the systems for measuring, reporting, and monitoring program 
performance. Internal control also serves as the first line of defense 
in safeguarding assets and preventing and detecting errors, fraud, and 
violations of laws, regulations, and provisions of contracts and grant 
agreements. Paragraphs 7.11 through 7.16 contain guidance pertaining to 
internal control.

d. Efforts: Efforts are the amount of resources (in terms of money, 
material, personnel, etc.) that are put into a program. These resources 
may come from within or outside the entity operating the program. 
Measures of efforts can have a number of dimensions, such as cost, 
timing, and quality. Examples of measures of efforts are dollars, 
employee-hours, and square feet of building space.

e. Program operations: Program operations are the strategies, 
processes, and activities management uses to convert efforts into 
outputs. Program operations are subject to internal control.

f. Outputs: Outputs represent the quantity of goods or services 
produced by a program. For example, an output measure for a job 
training program could be the number of persons completing training, 
and an output measure for an aviation safety inspection program could 
be the number of safety inspections completed.

g. Outcomes: Outcomes are accomplishments or results of programs. For 
example, an outcome measure for a job training program could be the 
percentage of trained persons obtaining a job and still in the work 
place after a specified period of time. Examples of outcome measures 
for an aviation safety inspection program could be the percentage 
reduction in significant safety problems found in subsequent 
inspections and/or the percentage of significant problems deemed 
corrected in follow-up inspections. Such outcome measures show progress 
in achieving the stated program purposes of helping unemployable 
citizens obtain and retain jobs, and improving the safety of aviation 
operations. Auditors should be aware that outcomes may be influenced by 
cultural, economic, physical, or technological factors outside the 
program. Auditors may use approaches drawn from other disciplines, such 
as program evaluation, to try to isolate the effects of the program 
from these other influences.

Considering Internal Control:

7.11: The lack of administrative continuity in government units because 
of changes in elected legislative bodies and in other government 
officials increases the need for effective internal control. Auditors 
should obtain an understanding of internal control significant to the 
audit objectives and consider whether specific internal control 
procedures have been properly designed and placed in operation. 
Auditors also need to consider whether they plan to modify the nature, 
timing, or extent of their audit procedures based on the effectiveness 
of internal controls. If so, auditors should include specific tests of 
the effectiveness of internal control and consider the results in 
designing audit procedures.[Footnote 79] Officials of the audited entity 
are responsible for establishing effective internal control.

7.12: The following discussion of internal control objectives is 
intended to help auditors better understand internal controls and 
determine their significance to the audit objectives:

a. Effectiveness and efficiency of program operations: Controls over 
program operations include policies and procedures that officials of 
the audited entity have implemented to reasonably ensure that a program 
meets its objectives and that unintended actions do not result. 
Understanding these controls can help auditors understand the program 
operations that convert efforts to outputs or outcomes.

b. Validity and reliability of data: Controls over the validity and 
reliability of data include policies and procedures that officials of 
the audited entity have implemented to reasonably ensure that valid and 
reliable data are obtained, maintained, and fairly disclosed in 
reports. These controls help assure management that it is getting valid 
and reliable information about whether programs are operating properly 
on an ongoing basis. Understanding these controls can help auditors (1) 
assess the risk that the data gathered by the entity may not be valid 
or reliable and (2) design appropriate tests of the data.

c. Compliance with applicable laws and regulations and provisions of 
contracts or grant agreements: Controls over compliance include 
policies and procedures that officials of the audited entity have 
implemented to reasonably ensure that program implementation is 
consistent with laws, regulations, and provisions of contracts or grant 
agreements. Understanding the relevant controls concerning compliance 
with those laws and regulations and provisions of contracts or grant 
agreements that the auditors have determined are significant can help 
auditors assess the risk of illegal acts[Footnote 80] and violations of 
provisions of contracts or grant agreements.

7.13: A subset of these categories of internal control objectives is the 
safeguarding of resources. Controls over the safeguarding of resources 
include policies and procedures that officials of the audited entity 
have implemented to reasonably prevent or promptly detect unauthorized 
acquisition, use, or disposition of resources.

7.14: Auditors can obtain an understanding of internal control through 
inquiries, observations, inspection of documents and records, or review 
of other auditors' reports. The procedures auditors perform to obtain 
an understanding of internal control will vary among audits. One factor 
influencing the extent of these procedures is the auditors' knowledge 
about internal control gained in prior audits. Also, the need to 
understand internal control will depend on the particular aspects of 
the program the auditors consider in setting objectives, scope, and 
methodology. The following are examples of how the auditors' 
understanding of internal control can influence the audit plan:

a. Audit objectives: Poorly controlled aspects of a program have a 
higher risk of failure, so they may be more significant than others in 
terms of where auditors may want to focus their efforts.

b. Audit scope: Knowledge that internal controls are not properly 
designed or placed in operation at a certain location may lead auditors 
to target their efforts there.

c. Audit methodology: Effective controls at the audited entity over 
collecting, summarizing, and reporting data may enable auditors to 
limit the extent of their direct testing of data validity and 
reliability. In contrast, evidence suggesting ineffective controls may 
lead auditors to perform more direct testing of the data, look for data 
from outside the entity, or develop their own data.

7.15: When internal controls are significant to the audit objectives, 
auditors should plan to obtain sufficient evidence to support their 
judgments about those controls. The following are examples of 
circumstances in which internal controls can be significant to audit 
objectives:

a. In determining the cause of unsatisfactory performance, auditors may 
consider that unsatisfactory performance could result from deficiencies 
in internal controls.

b. When assessing the validity and reliability of performance measures 
developed by the audited entity, effective internal control by the 
audited entity over collecting, summarizing, and reporting data will 
help ensure that the performance measures are valid and reliable.

7.16: Internal auditing is an important part of internal 
control.[Footnote 81] When an assessment of internal control is called 
for, the work of the internal auditors can be used to help provide 
reasonable assurance that internal controls are effectively designed 
and functioning properly, and to prevent duplication of effort.

Designing the Audit to Detect Violations of Legal and Regulatory 
Requirements, Contract Provisions, or Grant Agreements, Fraud, and 
Abuse:

7.17: When laws, regulations, or provisions of contracts or grant 
agreements are significant to the audit objectives, auditors should 
design the audit methodology and procedures to provide reasonable 
assurance of detecting violations that could have a significant effect 
on the audit results. Auditors should determine which laws, 
regulations, and provisions of contracts or grant agreements are 
significant to the audit objectives and assess the risk that illegal 
acts or violations of provisions of contracts or grant agreements could 
occur. Based on that risk assessment, the auditors design and perform 
procedures to provide reasonable assurance of detecting significant 
instances of illegal acts or violations of provisions of contracts or 
grant agreements. Auditors should include audit documentation on their 
assessment of risk.

7.18: It is not practical to set precise standards for determining 
whether laws, regulations, or provisions of contracts or grant 
agreements are significant to audit objectives because government 
programs are subject to many laws, regulations, and provisions of 
contracts or grant agreements, and audit objectives vary widely. 
However, auditors may find the following approach helpful in making 
that determination:

a. Reduce each audit objective to questions about specific aspects of 
the program being audited (that is, purpose and goals, internal 
control, efforts, program operations, outputs, and outcomes, as 
discussed in paragraph 7.10).

b. Identify laws, regulations, and provisions of contracts or grant 
agreements that directly relate to specific aspects of the program 
included in questions that reflect the audit objectives.

c. Determine if violations of those laws, regulations, or provisions of 
contracts or grant agreements could significantly affect the auditors' 
answers to the questions that relate to the audit objectives. If they 
could, then those laws, regulations, and provisions of contracts or 
grant agreements are likely to be significant to the audit objectives.

7.19: Auditors may find it necessary to rely on the work of legal 
counsel to (1) determine those laws and regulations that are 
significant to the audit objectives, (2) design tests of compliance 
with laws and regulations, or (3) evaluate the results of those 
tests.[Footnote 82] Auditors also may find it necessary to rely on the 
work of legal counsel when audit objectives require testing compliance 
with provisions of contracts or grant agreements. Depending on the 
circumstances of the audit, auditors may find it necessary to obtain 
information on compliance matters from others, such as investigative 
staff, other audit organizations or government entities that provided 
assistance to the audited entity, or the applicable law enforcement 
authority.

7.20: In planning tests of compliance with significant laws, 
regulations, and provisions of contracts or grant agreements, auditors 
should assess the risk that violations could occur. That risk may be 
affected by such factors as the complexity or newness of the laws, 
regulations, and provisions of contracts or grant agreements. The 
auditors' assessment of risk includes consideration of whether the 
entity has controls that are effective in preventing or detecting 
violations of laws, regulations, and provisions of contracts or grant 
agreements. If auditors obtain sufficient evidence of the effectiveness 
of these controls, they can reduce the extent of their tests of 
compliance.

7.21: In planning the audit, auditors should consider risks due to 
fraud[Footnote 83] that could significantly[Footnote 84] affect their 
audit objectives and the results of their audit. The audit team should 
discuss potential fraud risks, considering fraud factors such as 
individuals' incentives or pressures to commit fraud, the opportunity 
for fraud to occur, and rationalizations or attitudes that could allow 
individuals to commit fraud. Auditors should gather and assess 
information necessary to identify fraud risks which could be relevant 
to the audit objectives or affect the results of their audit. For 
example, auditors may need to obtain information through discussion 
with officials of the audited entity or through other means to 
determine the susceptibility of the program to fraud, the status of 
internal controls the entity has established to detect and prevent 
fraud, or the risk that officials of the audited entity could override 
internal control. Auditors should exercise professional skepticism in 
assessing these risks to determine which factors or risks could 
significantly affect the results of their work if fraud has occurred or 
is likely to have occurred.

7.22: When auditors identify factors or risks related to fraud that they 
believe could significantly affect the audit objectives or the results 
of the audit, auditors should respond by designing procedures to 
provide reasonable assurance of detecting fraud significant to the 
audit objectives. Auditors should prepare audit documentation related 
to their identification and assessment of and response to fraud risks. 
Auditors should also be aware that assessing the risk of fraud is an 
ongoing process throughout the audit and relates not only to planning 
the audit but also to evaluating evidence obtained during the audit.

7.23: Auditors should also be alert to situations or transactions that 
could be indicative of fraud. When information comes to the auditors' 
attention (through audit procedures, allegations received through fraud 
hotlines, or other means) indicating that fraud may have occurred, 
auditors should consider whether the possible fraud could significantly 
affect the audit results. If the fraud could significantly affect the 
audit results, auditors should extend the audit steps and procedures, 
as necessary, to (1) determine if fraud likely has occurred and (2) if 
so, determine its effect on the audit results.

7.24: Auditors' training, experience, and understanding of the program 
being audited may provide a basis for recognizing that some acts coming 
to their attention may be indicative of fraud. Whether an act is, in 
fact, fraud is a determination to be made through the judicial or other 
adjudicative system and is beyond auditors' professional expertise and 
responsibility. However, auditors are responsible for being aware of 
vulnerabilities to fraud associated with the area being audited in 
order to be able to identify indications that fraud may have occurred. 
In some circumstances, conditions such as the following might indicate 
a heightened risk of fraud:

a. weak management that fails to enforce existing internal control or 
to provide adequate oversight over the control process;

b. inadequate separation of duties, especially those that relate to 
controlling and safeguarding resources;

c. transactions that are out of the ordinary and are not satisfactorily 
explained, such as unexplained adjustments in inventories or other 
resources;

d. instances when employees of the audited entity refuse to take 
vacations or accept promotions;

e. missing or altered documents, or unexplained delays in providing 
information;

f. false or misleading information; or

g. a history of impropriety, such as past audits or investigations with 
findings of questionable or criminal activity.

7.25: Abuse is distinct from fraud, illegal acts, or violations of 
provisions of contracts or grant agreements. When abuse occurs, no law, 
regulation, or provision of a contract or grant agreement is violated. 
Rather, abuse involves behavior that is deficient or improper when 
compared with behavior that a prudent person would consider reasonable 
and necessary business practice given the facts and 
circumstances.[Footnote 85] Auditors should be alert to situations or 
transactions that could be indicative of abuse. When information comes 
to the auditors' attention (through audit procedures, allegations 
received through a fraud hotline, or other means) indicating that abuse 
may have occurred, auditors should consider whether the possible abuse 
affects the audit results significantly. If indications of abuse exist 
that significantly affect the audit results, the auditors should extend 
the audit steps and procedures, as necessary, to (1) determine whether 
the abuse occurred and, if so, (2) determine its effect on the audit 
results. However, because the determination of abuse is subjective, 
auditors are not expected to provide reasonable assurance of detecting 
it. Auditors should consider both quantitative and qualitative factors 
in making judgments regarding the significance of possible abuse and 
whether they need to extend the audit steps and procedures.

7.26: Auditors should exercise professional judgment in pursuing 
indications of possible fraud, illegal acts, violations of provisions 
of contracts or grant agreements, or abuse in order to not interfere 
with potential investigations, legal proceedings, or both. Under some 
circumstances, laws, regulations, or policies require auditors to 
report indications of certain types of fraud, illegal acts, violations 
of provisions of contracts or grant agreements, or abuse to law 
enforcement or investigatory authorities before extending audit steps 
and procedures. Auditors may also be required to withdraw from or defer 
further work on the audit or a portion of the audit in order not to 
interfere with an investigation.

7.27: An audit made in accordance with these standards provides 
reasonable assurance of detecting illegal acts, violations of 
provisions of contracts or grant agreements, or fraud that could 
significantly affect the audit results; however, it does not guarantee 
the discovery of illegal acts, violations of provisions of contracts or 
grant agreements, or fraud. Nor does the subsequent discovery of 
illegal acts, violations of contracts or grant agreements, or fraud 
committed during the audit period necessarily mean that the auditors' 
performance was inadequate, provided the audit was made in accordance 
with these standards.

Identifying Audit Criteria:

7.28: Criteria are the standards, measures, expectations of what should 
exist, best practices, and benchmarks against which performance is 
compared or evaluated. Criteria, one of the elements of a finding, 
provide a context for understanding the results of the audit. (See 
paragraphs 7.62 through 7.65 for a discussion on the other elements of 
a finding.) The audit plan, where possible, should state the criteria 
to be used. In selecting criteria, auditors have a responsibility to 
use criteria that are reasonable, attainable, and relevant to the 
objectives of the performance audit. The following are some examples of 
possible criteria:

a. purpose or goals prescribed by law or regulation or set by officials 
of the audited entity,

b. policies and procedures established by officials of the audited 
entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior periods' performance,

f. performance of similar entities,

g. performance in the private sector, or

h. best practices of leading organizations.

Considering the Results of Previous Audits and Attestation Engagements:

7.29: Auditors should consider the results of previous audits and 
attestation engagements and follow up on known significant findings and 
recommendations[Footnote 86] identified in previous audit reports that 
directly relate to the objectives of the audit being undertaken. 
Auditors should ask audited entity officials to identify previous 
financial audits, attestation engagements, performance audits, or other 
studies related to the objectives of the audit being undertaken and to 
identify corrective actions taken to address significant findings and 
recommendations. For example, an audit report on an entity's 
computerized information systems may contain significant findings that 
could relate to the performance audit if the entity uses such systems 
to process its accounting or other information the auditors plan on 
using. Auditors should use professional judgment in determining (1) 
prior periods to be considered, (2) the level of work necessary to 
follow up on significant findings and recommendations that affect the 
audit, and (3) the risk assessment used in planning the current audit 
and designing audit procedures to be performed.

7.30: Providing continuing attention to significant findings and 
recommendations is important to ensure that the benefits of audit work 
are realized. Ultimately, the benefits of audit work occur when 
officials of the audited entity take meaningful and effective 
corrective action in response to the auditors' findings and 
recommendations. Officials of the audited entity are responsible for 
resolving audit findings and recommendations directed to them and for 
having a process to track their status. If the audited entity does not 
have such a process, auditors may wish to establish their own process.

Identifying Sources of Audit Evidence:

7.31: In identifying potential sources of data that could be used as 
audit evidence, auditors should consider the validity and reliability 
of the data, including data collected by the audited entity, data 
generated by the auditors, or data provided by third parties, as well 
as the sufficiency and relevance of the evidence. (See paragraphs 7.48 
through 7.65 for standards and guidance concerning evidence.)

Considering Work of Others:

7.32: Auditors should determine whether other auditors have previously 
done, or are doing, audits of the program or the entity that operates 
it. Whether other auditors have done performance audits, financial 
audits, or attestation engagements, the other auditors may be useful 
sources of information for planning and performing the audit. If other 
auditors have identified areas that warrant further study, their work 
may influence the auditors' selection of performance audit objectives. 
The availability of other auditors' work may also influence the 
selection of methodology, since the auditors may be able to rely on 
that work to limit the extent of their own testing.

7.33: If auditors intend to rely on the work of other auditors, they 
should perform procedures regarding the specific work to be relied on 
that provide a sufficient basis for that reliance. Auditors should 
obtain evidence concerning the other auditors' qualifications and 
independence through prior experience, inquiry, and/or review of the 
other auditors' external quality control review report. Auditors should 
determine the sufficiency, relevance, and competence of other auditors' 
evidence by reviewing their report, audit program, or audit 
documentation, or by performing supplemental tests of the other 
auditors' work. The nature and extent of evidence needed will depend on 
the significance of the other auditors' work, on the extent to which 
the auditors will rely on that work, and whether auditors will refer to 
that work in their work.

7.34: Auditors face similar considerations when using the work of 
nonauditors (such as specialists). In addition, auditors should obtain 
an understanding of the methods and significant assumptions used by the 
nonauditors. (See paragraph 3.06 for independence considerations when 
relying on the work of others.)

Assigning Staff and Other Resources:

7.35: Staff planning should include, among other things:

a. assigning staff with the appropriate collective knowledge, skills, 
and experience for the job;

b. assigning an adequate number of staff and supervisors to the audit;

c. providing for on-the-job training of staff; and

d. engaging specialists when necessary.

7.36: The availability of staff and other resources and the need for 
specialized skills are important considerations in establishing the 
audit objectives, scope, and methodology. For example, limitations on 
travel funds may preclude auditors from visiting certain critical 
locations, or lack of appropriate expertise in a particular methodology 
or with computerized information systems may preclude auditors from 
undertaking certain objectives. Auditors may be able to overcome such 
limitations by engaging specialists with the necessary expertise.

7.37: If the use of a specialist is planned, auditors should have 
sufficient knowledge to:

a. articulate the objectives required of the specialist,

b. evaluate whether the specified procedures will meet auditors' 
objectives, and

c. evaluate the results of the procedures applied as they relate to 
other planned audit procedures.

7.38: Auditors without sufficient knowledge to perform the functions 
listed above should consider alternative measures for ensuring audit 
quality related to the specialist's work, such as engaging another 
specialist to review the specialist's work.

Communicating with Management and Others:

7.39: Auditors should communicate information about the specific nature 
of the performance audit, as well as general information concerning the 
planning and conduct of the audit and reporting--such as the form of 
the report and any potential restrictions on the report--to the various 
parties involved in the audit to help them understand the objectives, 
time frames, and any data needs. Parties involved may include:

a. the head of the audited entity;

b. the audit committee or, in the absence of an audit committee, the 
board of directors or other equivalent oversight body;

c. the individual who possesses a sufficient level of authority and 
responsibility for the program or activity being audited; and

d. the individuals contracting for or requesting audit services, such 
as contracting officials or legislative members or staff, if 
applicable.

7.40: Auditors should use their professional judgment to determine the 
form, content, and frequency of the communication, although written 
communication is preferred. Auditors may use an engagement letter, if 
appropriate, to communicate the information. Auditors should include 
the communication in the audit documentation. If the audit does not 
result in a product, auditors should document the audit by preparing a 
memorandum for the record that summarizes the results of the work and 
explains the reason the audit was terminated. If the audit is terminated 
before it is completed, auditors should communicate the reason for 
terminating it to management of the audited entity, the entity 
requesting the audit, and other appropriate officials, preferably in 
writing. This communication should be documented.

Preparing the Audit Plan:

7.41: A written audit plan should be prepared for each audit. The form 
and content of the written audit plan will vary among audits but should 
include an audit program or project plan, a memorandum, or other 
appropriate documentation of key decisions about the audit objectives, 
scope, and methodology and of the auditors' basis for those decisions. 
It should be updated, as necessary, to reflect any significant changes 
to the plan made during the audit.

7.42: Documenting the audit plan is an opportunity for the auditors to 
supervise audit planning and to determine whether:

a. the proposed audit objectives are likely to result in a useful 
report,

b. the proposed audit scope and methodology are adequate to satisfy the 
audit objectives, and

c. sufficient staff and other resources are available to perform the 
audit and to meet expected time frames for completing the work.

7.43: Written audit plans may include the following:

a. information about the legal authority for the audited program, its 
history and current objectives, its principal locations, and other 
background that can help auditors understand and carry out the audit 
plan;

b. information about the responsibilities of each member of the audit 
team (such as preparing audit programs, conducting audit work, 
supervising and reviewing audit work, drafting reports, handling 
comments from officials of the audited program, and processing the 
final report), which can help auditors when the work is conducted at 
several different locations. In these audits, use of comparable audit 
methods and procedures can help make the data obtained from 
participating locations comparable;

c. audit programs describing procedures to accomplish the audit 
objectives and providing a systematic basis for assigning work to staff 
and for summarizing the work performed; and

d. the general format of the audit report and the types of information 
to be included, which can help auditors focus their field work on the 
information to be reported.

Supervision:

7.44: The field work standard related to supervision for performance 
audits performed in accordance with GAGAS is:

Staff are to be properly supervised.

7.45: Supervision involves directing the efforts of staff assigned to 
the audit to ensure that the audit objectives are accomplished. 
Elements of supervision include providing sufficient guidance to staff 
members, staying informed about significant problems encountered, 
reviewing the work performed, and providing effective on-the-job 
training.

7.46: Supervisors should satisfy themselves that staff members clearly 
understand what work they are to do, why the work is to be conducted, 
and what the work is expected to accomplish. With experienced staff, 
supervisors may outline the scope of the work and leave details to the 
staff. With less experienced staff, supervisors may have to specify 
audit procedures to be performed as well as techniques for gathering 
and analyzing data.

7.47: Reviews of audit work should be documented. The nature and extent 
of the review of audit work may vary depending on a number of factors, 
such as the size of the audit organization, the significance of the 
work, and the experience of the staff.

Evidence:

7.48: The field work standard related to evidence for performance audits 
performed in accordance with GAGAS is:

Sufficient, competent, and relevant evidence is to be obtained to 
provide a reasonable basis for the auditors' findings and conclusions.

7.49: A large part of auditors' work on an audit concerns obtaining and 
evaluating evidence that ultimately supports their judgments and 
conclusions pertaining to the audit objectives. In evaluating evidence, 
auditors consider whether they have obtained the evidence necessary to 
achieve specific audit objectives. When internal control or compliance 
requirements are significant to the audit objectives, auditors should 
also collect and evaluate evidence relating to controls or compliance.

7.50: Evidence may be categorized as physical, documentary, testimonial, 
and analytical. Physical evidence is obtained by auditors' direct 
inspection or observation of people, property, or events. Such evidence 
may be documented in memoranda, photographs, drawings, charts, maps, or 
physical samples. Documentary evidence consists of created information 
such as letters, contracts, accounting records, invoices, and 
management information on performance. Testimonial evidence is obtained 
through inquiries, interviews, or questionnaires. Analytical evidence 
includes computations, comparisons, separation of information into 
components, and rational arguments.

7.51: The guidance in the following paragraphs is intended to help 
auditors judge the quality and quantity of evidence needed to satisfy 
audit objectives. Paragraphs 7.52 through 7.61 are intended to help 
auditors determine what constitutes sufficient, competent, and relevant 
evidence to support their findings and conclusions. Paragraphs 7.62 
through 7.65 describe the elements of an audit finding.

Tests of Evidence:

7.52: Evidence should be sufficient, competent, and relevant to support 
a sound basis for audit findings, conclusions, and recommendations:

a. Evidence should be sufficient to support the auditors' findings. In 
determining the sufficiency of evidence, auditors should ensure that 
enough evidence exists to persuade a knowledgeable person of the 
validity of the findings. When appropriate, statistical methods may be 
used to establish sufficiency.

b. Evidence is competent if it is valid, reliable, and consistent with 
fact. In assessing the competence of evidence, auditors should consider 
such factors as whether the evidence is accurate, authoritative, 
timely, and authentic. When appropriate, auditors may use statistical 
methods to derive competent evidence.

c. Evidence is relevant if it has a logical relationship with, and 
importance to, the issue being addressed.

7.53: The following presumptions are useful in judging the competence of 
evidence. However, these presumptions are not to be considered 
sufficient in themselves to determine competence. The amount and kinds 
of evidence required to support auditors' conclusions should be based 
on auditors' professional judgment.

a. Evidence obtained when internal controls are effective is more 
competent than evidence obtained when controls are weak or nonexistent. 
Auditors should be particularly careful in cases where controls are 
weak or nonexistent and should, therefore, plan alternative audit 
procedures to corroborate such evidence.

b. Evidence obtained through the auditors' direct physical examination, 
observation, computation, and inspection is more competent than 
evidence obtained indirectly.

c. Examination of original documents provides more competent evidence 
than do copies.

d. Testimonial evidence obtained under conditions where persons may 
speak freely is more competent than testimonial evidence obtained under 
compromising conditions (for example, where the persons may be 
intimidated).

e. Testimonial evidence obtained from an individual who is not biased 
or has complete knowledge about the area is more competent than 
testimonial evidence obtained from an individual who is biased or has 
only partial knowledge about the area.

f. Evidence obtained from a credible third party may in some cases be 
more competent than that secured from management or other officials of 
the audited entity.

7.54: Auditors may find it useful to obtain written representations 
concerning the competence and completeness of certain evidence from 
officials of the audited entity. Written representations ordinarily 
confirm oral representations given to auditors, indicate and document 
the continuing appropriateness of such representations, and reduce the 
possibility of misunderstandings concerning the matters that are the 
subject of the representations. Written representations can take 
several forms, including summary documents prepared by the auditors and 
signed by the entity's management. If officials of the audited entity 
refuse to provide a written representation that the auditors have 
requested, the auditors should consider the effects of the refusal on 
results of the audit.

7.55: The auditors' approach to determining the sufficiency, competence, 
and relevance of evidence depends on the source of the information that 
constitutes the evidence. Information sources include original data 
gathered by auditors and existing data gathered by either officials of 
the audited entity or a third party. Data from any of these sources may 
be obtained from computer-based systems. (See paragraphs 7.63 through 
7.65 for additional documentation requirements when using information 
from a computer-based system.)

7.56: Data gathered by auditors: Data gathered by auditors include the 
auditors' own observations and measurements. Among the methods for 
gathering this type of data are questionnaires, structured interviews, 
direct observations, and computations. The design of these methods and 
the skill of the auditors applying them are the keys to ensuring that 
these data constitute sufficient, competent, and relevant evidence. 
When these methods are applied to determine cause, auditors are 
concerned with eliminating conflicting explanations.

7.57: Data gathered by management: Auditors can use data gathered by 
officials of the audited entity as part of their evidence. However, 
auditors should determine the validity and reliability of data that are 
significant to the audit objectives and may do so by direct tests of 
the data. Auditors can reduce the direct tests of the data if they test 
the effectiveness of the entity's internal controls over the validity 
and reliability of the data and these tests support the conclusion that 
the controls are effective. The nature and extent of data testing will 
depend on the significance of the data to support the auditors' 
findings. How the use of unaudited data gathered by officials of the 
audited entity affects the auditors' report depends on the data's 
significance to the auditors' findings. For example, in some 
circumstances, auditors may use unaudited data to provide background 
information; however, the use of such unaudited data would generally 
not be appropriate to support audit findings and conclusions.

7.58: Data gathered by third parties: The auditors' evidence may also 
include data gathered by third parties. In some cases, these data may 
have been audited by others, or the auditors may be able to audit the 
data themselves. In other cases, however, it will not be practical to 
obtain evidence of the data's validity and reliability. How the use of 
unaudited third-party data affects the auditors' report depends on the 
data's significance to the auditors' findings. For example, in some 
circumstances, auditors may use unaudited data to provide background 
information; however, the use of such unaudited data would generally 
not be appropriate to support audit findings and conclusions.

7.59: Validity and reliability of data from computer-based systems: 
Auditors should obtain sufficient, competent, and relevant evidence 
that computer-processed data are valid and reliable when these data are 
significant to the auditors' findings. This work is necessary 
regardless of whether the data are provided to auditors or auditors 
independently extract them. Auditors should determine if officials of 
the audited entity or other auditors have worked to establish the 
validity and reliability of the data or the effectiveness of the 
controls over the system that produced the data. If the results of such 
work are current, auditors may be able to rely on that work. (See 
paragraphs 7.32 through 7.34 for requirements when relying on the work 
of others.) Auditors may also determine the validity and reliability of 
computer-processed data by direct tests of the data.

7.60: Auditors can reduce the direct tests of the data if they test the 
effectiveness of general and application controls over computer-
processed data and these tests support the conclusion that the controls 
are effective. If auditors determine that internal controls over data 
that are significantly dependent upon computerized information systems 
are not effective or if auditors do not plan to test the effectiveness 
of such controls, auditors should include audit documentation regarding 
the basis for that conclusion by addressing (1) the reasons why the 
design or operation of the controls is ineffective, or (2) the reasons 
why it is inefficient to test the controls. In such circumstances, 
auditors should also include audit documentation regarding their 
reasons for concluding that the planned audit procedures, such as 
direct tests of the data, are effectively designed to achieve specific 
audit objectives. This documentation should address:

a. the rationale for determining the types and extent of planned audit 
procedures;

b. the kinds and competence of available evidence produced outside a 
computerized information system; and

c. the effect on the audit report if the evidence gathered during the 
audit does not allow the auditors to achieve audit objectives.

7.61: When the auditors' tests of data disclose errors in the data, or 
when they are unable to obtain sufficient, competent, and relevant 
evidence about the validity and reliability of the data, they may find 
it necessary to:

a. seek evidence from other sources,

b. redefine the audit's objectives to eliminate the need to use the 
data, or

c. use the data, but clearly indicate in their report the data's 
limitations and refrain from making unwarranted conclusions or 
recommendations.

Audit Findings:

7.62: Audit findings often have been regarded as containing the elements 
of criteria, condition, and effect, plus cause when problems are found. 
However, the elements needed for a finding depend entirely on the 
objectives of the audit. Thus, a finding or set of findings is complete 
to the extent that the audit objectives are satisfied and the report 
clearly relates those objectives to the elements of a finding. Criteria 
are discussed in paragraph 7.28, and the other elements of a finding--
condition, effect, and cause--are discussed in the following 
paragraphs:

7.63: Condition: Condition is a situation that exists. It has been 
determined and documented during the audit.

7.64: Effect: Effect has two meanings that depend on the audit 
objectives. When the auditors' objectives include identifying the 
actual or potential consequences of a condition that varies (either 
positively or negatively) from the criteria identified in the audit, 
"effect" is a measure of those consequences. Auditors often use effect 
in this sense to demonstrate the need for corrective action in response 
to identified problems. When the auditors' objectives include 
estimating the extent to which a program has caused changes in 
physical, social, or economic conditions, "effect" is a measure of the 
impact achieved by the program. Here, effect is the extent to which 
positive or negative changes in actual physical, social, or economic 
conditions can be identified and attributed to program operations.

7.65: Cause: Like effect, cause also has two meanings that depend on the 
audit objectives. When the auditors' objectives include explaining why 
a particular type of positive or negative performance identified in the 
audit occurred, the reasons for that performance are referred to as 
"cause." Identifying the cause of problems can assist auditors in 
making constructive recommendations for correction. Because problems 
can result from a number of plausible factors or multiple causes, the 
recommendation can be more persuasive if auditors can clearly 
demonstrate and explain with evidence and reasoning the link between 
the problems and the factor or factors they have identified as the 
cause. When the auditors' objectives include estimating the program's 
effect on changes in physical, social, or economic conditions, auditors 
seek evidence of the extent to which the program itself is the "cause" 
of those changes. Auditors may identify significant deficiencies in 
internal control as the cause of deficient performance. In reporting 
this type of finding, the internal control deficiency would be 
described as the "cause."

Audit Documentation:

7.66: The field work standard related to audit documentation for 
performance audits performed in accordance with GAGAS is:

Auditors should prepare and maintain audit documentation. Audit 
documentation related to planning, conducting, and reporting on the 
audit should contain sufficient information to enable an experienced 
auditor, who has had no previous connection with the audit, to 
ascertain from the audit documentation the evidence that supports the 
auditors' significant judgments and conclusions. Audit documentation 
should contain support for findings, conclusions, and recommendations 
before auditors issue their report.

7.67: The form and content of audit documentation should be designed to 
meet the circumstances of the particular audit. The information 
contained in audit documentation constitutes the principal record of 
the work that the auditors have performed in accordance with standards 
and the conclusions that the auditors have reached. The quantity, type, 
and content of audit documentation are a matter of the auditors' 
professional judgment.

7.68: Audit documentation serves to (1) provide the principal support 
for the auditors' report, (2) aid auditors in conducting and 
supervising the audit, and (3) allow for the review of audit quality. 
Audit documentation should be appropriately detailed to provide a clear 
understanding of its purpose and source and the conclusions the 
auditors reached, and it should be appropriately organized to provide a 
clear link to the findings, conclusions, and recommendations contained 
in the audit report. Audit documentation for performance audits should 
contain the following items not explicitly addressed elsewhere in 
GAGAS:

a. the objectives, scope, and methodology of the audit, including 
sampling and other selection criteria used;

b. the auditors' determination that certain standards do not apply or 
that an applicable standard was not followed, the reasons therefor, and 
the known effect that not following the applicable standard had, or 
could have had, on the audit;

c. the work performed to support significant judgments and conclusions, 
including descriptions of transactions and records examined;[Footnote 
87] and

d. evidence of supervisory reviews, before the audit report is issued, 
of the work performed that supports findings, conclusions, and 
recommendations contained in the audit report.

7.69: Audit organizations should establish reasonable policies and 
procedures for the safe custody and retention of audit documentation 
for a time sufficient to satisfy legal and administrative requirements. 
Audit documentation allows for the review of audit quality by providing 
the reviewer with documentation, either in written or electronic 
formats, of the evidence supporting the auditors' significant judgments 
and conclusions. If audit documentation is only retained 
electronically, the audit organization should ensure that the 
electronic documentation is capable of being accessed throughout the 
specified retention period established for audit documentation and that 
it is safeguarded through sound computer security.

7.70: Underlying GAGAS audits is the premise that federal, state, and 
local governments and other organizations cooperate in auditing 
programs of common interest so that the auditors may use others' work 
and avoid duplication of effort. Auditors should make arrangements to 
make audit documentation available, upon request, in a timely manner to 
other auditors or reviewers. Contractual arrangements for GAGAS audits 
should provide for full and timely access to audit documentation to 
facilitate reliance by others on the auditors' work.

7.71: Audit organizations need to adequately safeguard the audit 
documentation associated with any particular engagement. Audit 
organizations should develop clearly defined policies and criteria to 
deal with situations where requests are made by outside parties to 
obtain access to audit documentation, especially in connection with 
situations where an outside party attempts to obtain indirectly through 
the auditor information that it is unable to obtain directly from the 
audited entity. In developing such policies, audit organizations need 
to consider applicable laws and regulations applying to the audit 
organizations or the audited entity.

[End of section]

Chapter 8: Reporting Standards for Performance Audits:

Introduction:

8.01: This chapter prescribes reporting standards and provides guidance 
to auditors reporting on performance audits in accordance with 
generally accepted government auditing standards (GAGAS). The reporting 
standards for performance audits relate to the form of the report, the 
report contents, report quality, and report issuance and distribution.

Form:

8.02: The reporting standard related to the form of the report for 
performance audits performed in accordance with GAGAS is:

Auditors should prepare audit reports communicating the results of each 
audit.

8.03: The form of the audit report should be appropriate for its 
intended use, but should be written or in some other retrievable form. 
Auditors should use their professional judgment including consideration 
of users' needs, likely demand, and distribution in determining the 
form of the audit report. In addition to a more formal presentation of 
audit results, such as a chapter report or a letter report, briefing 
slides may be considered audit reports. Audit reports also may be 
presented on electronic media that are retrievable by report users and 
the audit organization, such as video or compact disc formats. However, 
regardless of form, audit reports should comply with all applicable 
reporting standards.

8.04: This standard is not intended to limit or prevent discussion of 
findings, judgments, conclusions, and recommendations with persons who 
have responsibilities involving the area being audited. On the 
contrary, such discussions are encouraged.

8.05: Audit reports (1) communicate the results of audits to officials 
at various levels of government, (2) make the results less susceptible 
to misunderstanding, (3) make the results available for public 
inspection, and (4) facilitate follow-up to determine whether 
appropriate corrective actions have been taken. The need to maintain 
public accountability for government programs demands that audit 
reports be retrievable.

8.06: If an audit is terminated before it is completed but the auditors 
do not issue an audit report, auditors should follow the requirements 
in paragraph 7.40.

Report Contents:

8.07: The reporting standard related to the contents of the report for 
performance audits conducted in accordance with GAGAS is:

The audit report should include the objectives, scope, and methodology; 
the audit results, including findings, conclusions, and 
recommendations, as appropriate; a reference to compliance with 
generally accepted government auditing standards; the views of 
responsible officials; and, if applicable, the nature of any privileged 
and confidential information omitted.

Objectives, Scope, and Methodology:

8.08: Auditors should include in the report the audit objectives and the 
scope and methodology used for achieving the audit objectives. This 
information is needed by report users to understand the purpose of the 
audit and the nature of the audit work performed, to provide 
perspective as to what is reported, and to understand any significant 
limitations in audit objectives, scope, or methodology.

8.09: Audit objectives should be communicated in the audit report in a 
clear, specific, and neutral manner that avoids unstated assumptions. 
Auditors should explain why the audit organization undertook the 
assignment and state what the report is to accomplish and why the 
subject matter is important. Articulating what the report is to 
accomplish normally involves identifying the audit subject and the 
aspect of performance examined. The reported audit objectives provide 
more meaningful information to report users if they are measurable and 
feasible and avoid being presented in a broad or general manner. To 
reduce misunderstanding in cases where the objectives are particularly 
limited and broader objectives can be inferred, it may be necessary to 
state objectives that were not pursued.

8.10: In reporting the scope of the audit, auditors should describe the 
depth and coverage of work conducted to accomplish the audit's 
objectives. Auditors should, as applicable, explain the relationship 
between the population of items sampled and what was audited; identify 
organizations, geographic locations, and the period covered; report the 
kinds and sources of evidence; and explain any problems with the 
evidence. Auditors should also report significant constraints imposed 
on the audit approach by data limitations or scope impairments, 
including demands of access to certain records or individuals.

8.11: To report the methodology used, auditors should clearly explain 
how the audit objectives were accomplished, including the evidence 
gathering and analysis techniques used, in sufficient detail to allow 
knowledgeable users of their reports to understand the work. This 
explanation should identify any significant assumptions made in 
conducting the audit; describe any comparative techniques applied; 
describe the criteria used; and, when sampling significantly supports 
auditors' findings, describe the sample design and state why it was 
chosen, including whether the results can be projected to the intended 
population.

8.12: Auditors should attempt to avoid misunderstanding by the report 
user concerning the work that was and was not done to achieve the audit 
objectives, particularly when the work was limited because of 
constraints on time or resources. The auditors' report should clearly 
describe the scope of the work performed and any limitations; any 
applicable standards that were not followed, and the reasons therefor; 
and how not following the applicable standards affected or could affect 
the results of the work. For example, if the auditors are unable to 
determine the reliability of information from an agency's database, and 
information from this database is critical to achieving the audit 
objectives, the report should clearly state the limitations associated 
with the information and refrain from making unwarranted conclusions or 
recommendations. In these situations, the audit report should also 
include the reasons the auditors were unable to perform this work and 
the potential impact on the findings if the information is not 
reliable.[Footnote 88]

Findings:

8.13: Auditors should report findings by providing credible evidence 
that relates to the audit objectives. These findings should be 
supported by sufficient, competent, and relevant evidence. They also 
should be presented in a manner to promote adequate understanding of 
the matters reported and to provide convincing but fair presentations 
in proper perspective. The audit report should provide selective 
background information to provide the context for the overall message 
and to help the reader understand the findings and significance of the 
issues discussed.[Footnote 89]

8.14: As discussed in chapter 7, audit findings have often been regarded 
as containing the elements of criteria, condition, cause, and effect. 
However, the elements needed for a finding depend on the audit 
objectives. For example, an audit objective may be limited to 
determining the current status or condition of implementing legislative 
requirements, and not the related cause or effect. Thus, a finding or 
set of findings is complete to the extent that the audit objectives are 
satisfied and the report clearly relates those objectives to the 
elements of the finding.

8.15: To the extent possible, in presenting findings, auditors should 
develop the elements of criteria, condition, cause, and effect to 
assist officials of the audited entity or oversight officials of the 
audited entity in understanding the need for taking corrective action. 
In addition, if auditors are able to sufficiently develop the findings, 
auditors should provide recommendations for corrective action. 
Following is guidance for reporting on elements of findings:

a. Criteria provides information so that the report user will be able 
to determine what is the required or desired state or what is expected 
from the program or operation. The criteria are easier to understand 
when stated fairly, explicitly, and completely and when the source of 
the criteria is identified in the audit report.[Footnote 90]

b. Condition provides evidence on what the auditors found regarding the 
actual situation. Reporting the scope or extent of the condition allows 
the report user to gain an accurate perspective.

c. Cause provides persuasive evidence on the factor or factors 
responsible for the difference between condition and criteria. In 
reporting the cause, auditors may consider whether the evidence 
provides a reasonable and convincing argument for why the stated cause 
is the key factor or factors contributing to the difference as opposed 
to other possible causes, such as poorly designed criteria or factors 
uncontrollable by program management. The auditors also may consider 
whether the identified cause could serve as a basis for the 
recommendations.

d. Effect provides a clear, logical link to establish the impact of the 
difference between what the auditors found (condition) and what should 
be (criteria). Effect is easier to understand when it is stated 
clearly, concisely, and, if possible, in quantifiable terms. The 
significance of the reported effect can be demonstrated through 
credible evidence.

8.16: The audit report should also include any significant 
deficiencies[Footnote 91] in internal control, all instances of fraud 
and illegal acts unless they are clearly inconsequential,[Footnote 92] 
significant violations of provisions of contracts or grant agreements, 
and significant abuse.

Internal Control Deficiencies:

8.17: Auditors should include in the audit report the scope of their 
work on internal control and any significant deficiencies found during 
the audit. When auditors detect deficiencies in internal control that 
are not significant, they should communicate those deficiencies in a 
separate letter to officials of the audited entity unless the 
deficiencies are clearly inconsequential considering both qualitative 
and quantitative factors. If the auditors have communicated 
deficiencies in a separate letter to officials of the audited entity, 
they should refer to that letter in the audit report. Auditors should 
use professional judgment in determining whether or how to communicate 
deficiencies that are clearly inconsequential to officials of the 
audited entity. Auditors should include in their audit documentation 
evidence of all communications about internal control deficiencies 
found during the audit.

8.18: In a performance audit, auditors may identify significant 
deficiencies in internal control as the cause of deficient performance. 
In reporting this type of finding, the internal control weakness would 
be described as the cause.

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant 
Agreements, and Abuse:

8.19: When auditors conclude, based on evidence obtained, that fraud, 
illegal acts, significant violations of provisions of contracts or 
grant agreements, or significant abuse either has occurred or is likely 
to have occurred, they should include in their audit report relevant 
information.[Footnote 93] Abuse occurs when the conduct of a government 
program or entity falls far short of behavior that is expected to be 
reasonable and necessary business practices by a prudent person.

8.20: When reporting instances of fraud, illegal acts, violations of 
provisions of contracts or grant agreements, and abuse, auditors should 
place their findings in proper perspective by providing a description 
of the work conducted that resulted in the finding. To give the reader 
a basis for judging the prevalence and consequences of these findings, 
the instances identified should be related to the population or the 
number of cases examined and be quantified in terms of dollar value, if 
appropriate. If the results cannot be projected, auditors should limit 
their conclusion to the items tested.

8.21: When auditors detect violations of provisions of contracts or 
grant agreements, or abuse that is not significant, they should 
communicate those findings in a separate letter to officials of the 
audited entity unless the findings are clearly inconsequential, 
considering both qualitative and quantitative factors. If the auditors 
have communicated instances of fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse in a separate 
letter to officials of the audited entity, auditors should refer to 
that letter in the audit report. Auditors should use their professional 
judgment in determining whether and how to communicate to officials of 
the audited entity fraud, illegal acts, violations of provisions of 
contracts or grant agreements, and abuse that are clearly 
inconsequential. Auditors should include in their audit documentation 
evidence of all communications to officials of the audited entity about 
instances of fraud, illegal acts, violations of provisions of contracts 
or grant agreements, and abuse.

Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of 
Contracts or Grant Agreements, and Abuse:

8.22: GAGAS require auditors to report fraud, illegal acts, violations 
of provisions of contracts or grant agreements, and abuse directly to 
parties outside the audited entity in certain circumstances, as 
discussed below.[Footnote 94] These requirements are in addition to any 
legal requirements for direct reporting of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, and abuse. 
Auditors should meet these requirements even if they have resigned or 
been dismissed from the audit.

8.23: The audited entity may be required by law or regulation to report 
certain fraud, illegal acts, violations of provisions of contracts or 
grant agreements, or abuse to specified external parties, such as a 
federal inspector general or a state attorney general. If auditors have 
communicated such fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse to the audited entity and it 
fails to report them, then the auditors should communicate their 
awareness of that failure to the governing body of the audited entity. 
If the audited entity does not make the required report as soon as 
possible after the auditors' communication with the entity's governing 
body, then the auditors should report such fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
directly to the external party specified in the law or regulation.

8.24: Officials of the audited entity are responsible for taking timely 
and appropriate steps to remedy fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse that auditors 
report to them. When fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse involves assistance received 
directly or indirectly from a government agency, auditors may have a 
duty to report such fraud, illegal acts, violations of provisions of 
contracts or grant agreements, or abuse directly to that government 
agency if officials of the audited entity fail to take remedial steps. 
If auditors conclude that such failure is likely to cause them to 
report such findings or resign from the audit, they should communicate 
that conclusion to the governing body of the audited entity. Then, if 
the audited entity does not report the fraud, illegal act, violation of 
provisions of contracts or grant agreements, or abuse as soon as 
possible to the entity that provided the government assistance, the 
auditors should report the fraud, illegal act, violation of provisions 
of contracts or grant agreements, or abuse directly to that entity.

8.25: In these situations, auditors should obtain sufficient, competent, 
and relevant evidence, such as confirmation with outside parties, to 
corroborate assertions by officials of the audited entity that the 
officials have reported fraud, illegal acts, violations of provisions 
of contracts or grant agreements, or abuse. If the officials are unable 
to do so, then the auditors should report such fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
directly as discussed above.

8.26: Laws, regulations, or other authority may require auditors to 
report promptly indications of certain types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse to 
law enforcement or investigatory authorities. In such circumstances, 
when auditors conclude that these types of fraud, illegal acts, 
violations of provisions of contracts or grant agreements, or abuse 
either have occurred or are likely to have occurred, they should ask 
those authorities or legal counsel if publicly reporting certain 
information about the potential fraud, illegal acts, violations of 
provisions of contracts or grant agreements, or abuse would compromise 
investigative or legal proceedings. Auditors should limit the extent of 
their public reporting to matters that would not compromise those 
proceedings, such as information that is already a part of the public 
record.

Conclusions:

8.27: Auditors should report conclusions when called for by the audit 
objectives and the results of the audit. Conclusions are logical 
inferences about the program based on the auditors' findings and should 
represent more than just a summary of the findings. Conclusions should 
be clearly stated, not implied. The strength of the auditors' 
conclusions depends on the persuasiveness of the evidence supporting 
the findings and the soundness of the logic used to formulate the 
conclusions. Conclusions are stronger if they set up the report's 
recommendations and convince the knowledgeable user of the report that 
action is necessary.

Recommendations:

8.28: If warranted, auditors should make recommendations for actions to 
correct problems identified during the audit and to improve programs 
and operations. Auditors should make recommendations when the potential 
for improvement in programs, operations, and performance is 
substantiated by the reported findings and conclusions. Recommendations 
should logically flow from the findings and conclusions and need to 
state clearly the actions to be taken. Recommendations to effect 
compliance with laws and regulations and improve internal control also 
should be made when significant instances of possible fraud, illegal 
acts, or violations of provisions of contracts or grant agreements are 
noted, or when abuse or deficiencies in internal control are found.

8.29: Constructive recommendations can encourage improvements in the 
conduct of government programs and operations. For recommendations to 
be most constructive, they should be directed at resolving the cause of 
identified problems, action oriented and specific, addressed to parties 
that have the authority to act, practical and, to the extent feasible, 
cost effective and measurable.

Statement on Compliance with GAGAS:

8.30: Auditors should report that the audit was made in accordance with 
GAGAS. The statement of compliance with GAGAS refers to all the 
applicable standards that the auditors should have followed during the 
audit. The statement referencing compliance with GAGAS should be 
qualified in situations in which the auditors did not follow an 
applicable standard. In these situations, auditors should disclose in 
the scope section of the report the applicable standard that was not 
followed, the reasons therefor, and how not following the standard 
affected, or could have affected, the results of the audit. In 
assessing the impact of not following an applicable standard on the 
results of the audit, auditors may need to qualify any assurances, 
disclaim from providing any assurances, or withdraw from the audit.

Reporting Views of Responsible Officials:

8.31: Auditors should report the views of responsible officials of the 
audited program concerning auditors' findings, conclusions, and 
recommendations, as well as planned corrective actions. One of the most 
effective ways to ensure that a report is fair, complete, and objective 
is to obtain advance review and comments by responsible officials of 
the audited entity and others, as may be appropriate. Including the 
views of responsible officials results in a report that presents not 
only the auditors' findings, conclusions, and recommendations, but also 
what the responsible officials of the audited entity think about the 
audit results and what corrective actions officials of the audited 
entity plan to take. Auditors should include in their report a copy of 
the officials' written comments or a summary of the comments received.

8.32: Auditors should normally request that the responsible officials 
submit in writing their views on reported findings, conclusions, and 
recommendations, as well as management's planned corrective actions. 
Oral comments are acceptable as well and, in some cases, may be the 
only or most expeditious way to obtain comments. Cases in which 
obtaining oral comments can be effective include when there is a 
time-critical requirement to meet a user's needs; the auditors have worked 
closely with the responsible officials throughout the conduct of the 
work and the parties are very familiar with the findings and issues 
addressed in the draft report; or the auditors do not expect major 
disagreements with the draft report's findings, conclusions, and 
recommendations, or perceive any major controversies with regard to the 
issues discussed in the draft report. Auditors should prepare a summary 
of the officials' oral comments and provide a copy of the summary to 
officials of the audited entity to verify that the comments are 
accurately stated prior to finalizing the report.

8.33: Comments should be fairly and objectively evaluated and 
recognized, as appropriate, in the final report. Comments, such as a 
promise or plan for corrective action, should be noted but should not 
be accepted as justification for dropping a finding or a related 
recommendation.

8.34: When the audited entity's comments oppose the report's findings, 
conclusions, or recommendations and are not, in the auditors' opinion, 
valid, or when planned corrective actions do not adequately address the 
auditors' recommendations, the auditors should state their reasons for 
disagreeing with the comments or planned corrective actions. The 
auditors' disagreement should be stated in a fair and objective manner. 
Conversely, the auditors should modify their report as necessary if 
they find the comments valid.

Reporting Privileged and Confidential Information:

8.35: If certain pertinent information is prohibited from general 
disclosure, the audit report should state the nature of the information 
omitted and the requirement that makes the omission necessary.

8.36: Certain information may be prohibited from general disclosure by 
federal, state, or local laws or regulations. In such circumstances, 
auditors may issue a separate limited-official-use report containing 
such information and distribute the report only to persons authorized 
by law or regulation to receive it. Additional circumstances associated 
with public safety and security concerns could also justify the 
exclusion of certain information in the report. For example, detailed 
information related to computer security for a particular program may 
be excluded from publicly available reports because of the potential 
damage that could be caused by the misuse of this information. In such 
circumstances, auditors may issue a limited-official-use report 
containing such information and distribute the report only to those 
parties responsible for acting on the auditors' recommendations. The 
auditors should, when appropriate, consult with legal counsel regarding 
any requirements or other circumstances that may necessitate the 
omission of certain information.

8.37: Auditors' judgments that certain information should be excluded 
from publicly available reports should be made in a manner consistent 
with consideration of the broader public interest in the program or 
activity under review. When circumstances call for omission of certain 
information, auditors should consider whether this omission could 
distort the engagement results or conceal improper or unlawful 
practices. If auditors make the judgment that certain information 
should be excluded from a publicly available report, they should state 
the general nature of the information omitted and the reasons that make 
the omission necessary in the report.

Report Quality Elements:

8.38: The reporting standard related to report quality for performance 
audits performed in accordance with GAGAS is:

The report should be timely, complete, accurate, objective, convincing, 
clear, and as concise as the subject permits.

Timely:

8.39: To be of maximum use, the audit report needs to provide relevant 
information in time to respond to officials of the audited entity, 
legislative officials, and other users' legitimate needs. Likewise, the 
information provided in the report needs to be current. Therefore, 
auditors should plan for the appropriate issuance of the report and 
conduct the audit with these goals in mind.

8.40: During the audit, the auditors should consider interim reporting 
of significant matters to appropriate entity officials. Such 
communication, which may be oral or written, is not a substitute for a 
final report, but it does alert officials to matters needing immediate 
attention and permits them to take corrective action before the final 
report is completed.

Complete:

8.41: Being complete requires that the report contain all evidence 
needed to satisfy the audit objectives and promote an adequate and 
correct understanding of the matters reported. It also means the report 
states information and findings completely, including all necessary 
facts and explanations. Giving report users an adequate and correct 
understanding means providing perspective on the extent and 
significance of reported findings, such as the frequency of occurrence 
relative to the number of cases or transactions tested and the 
relationship of the findings to the entity's operations.

8.42: In most cases, a single example of a deficiency is not sufficient 
to support a broad conclusion or a related recommendation. All that it 
supports is that a deviation, an error, or a weakness existed. 
Sufficient detailed supporting data should be included to make 
convincing presentations.

Accurate:

8.43: Accuracy requires that the evidence presented be true and that 
findings be correctly portrayed. The need for accuracy is based on the 
need to assure report users that what is reported is credible and 
reliable. One inaccuracy in a report can cast doubt on the reliability 
of an entire report and can divert attention from the substance of the 
report. Also, use of inaccurate evidence can damage the credibility of 
the issuing audit organization and reduce the effectiveness of its 
reports.

8.44: The report should include only information, findings, and 
conclusions that are supported by sufficient, competent, and relevant 
evidence in the audit documentation. If data are significant to the 
audit findings and conclusions, but are not audited, the auditors 
should clearly indicate in their report the data's limitations and not 
make unwarranted conclusions or recommendations based on those data.

8.45: Evidence included in audit reports should demonstrate the 
correctness and reasonableness of the matters reported. Correct 
portrayal means describing accurately the audit scope and methodology 
and presenting findings and conclusions in a manner consistent with the 
scope of audit work. The report also should not have errors in logic 
and reasoning. One way to help ensure that the audit report meets these 
reporting standards is to use a quality control process such as 
referencing. Referencing is a process in which an experienced auditor 
who is independent of the audit verifies that statements of facts, 
figures, and dates are correctly reported, that the findings are 
adequately supported by the audit documentation, and that the 
conclusions and recommendations flow logically from the support.

Objective:

8.46: Objectivity requires that the presentation of the entire report be 
balanced in content and tone. A report's credibility is significantly 
enhanced when it presents evidence in an unbiased manner so that report 
users can be persuaded by the facts. The report should be fair and not 
misleading and should place the audit results in perspective. This 
means presenting the audit results impartially and fairly. In 
describing shortcomings in performance, auditors should put findings in 
context. For example, the audited entity may have faced unusual 
difficulties or circumstances.

8.47: The tone of reports should encourage decision makers to act on 
the auditors' findings and recommendations. This tone should be 
balanced by requiring reports to present sound and logical evidence to 
support conclusions while refraining from using adjectives or adverbs 
that characterize evidence in a way that implies criticism or 
unsupported conclusions.

8.48: The report should recognize the positive aspects of the program 
reviewed if applicable to the audit objectives. Such information allows 
for a fairer presentation of the situation by providing appropriate 
balance to the report. In addition, inclusion of such accomplishments 
may lead to improved performance by other government organizations that 
read the report.

Convincing:

8.49: Being convincing requires that the audit results be responsive to 
the audit objectives, that the findings be presented persuasively, and 
that the conclusions and recommendations follow logically from the 
facts presented. The information presented should be sufficient to 
convince the report users to recognize the validity of the findings, 
the reasonableness of the conclusions, and the benefit of implementing 
the recommendations. Reports designed in this way can help focus the 
attention of responsible officials on the matters that warrant 
attention and can provide an incentive for taking corrective action.

Clear:

8.50: Clarity requires that the report be easy to read and understand. 
Reports should be prepared in language as clear and simple as the 
subject permits. Use of straightforward, nontechnical language is 
essential to simplicity of presentation. Whenever technical terms, 
abbreviations, and acronyms are used, they should be clearly defined.

8.51: Auditors may consider using a summary within the report to capture 
the report user's attention and highlight the overall message. If a 
summary is used, it generally should focus on the specific answers to 
the questions in the audit objectives, summarize the audit's most 
significant findings and the report's principal conclusions, and 
prepare users to anticipate the major recommendations.

8.52: Logical organization of material, and accuracy and precision in 
stating facts and in drawing conclusions, are essential to clarity and 
understanding. Effective use of titles and captions and topic sentences 
makes the report easier to read and understand. Visual aids (such as 
pictures, charts, graphs, and maps) should be used when appropriate to 
clarify and summarize complex material.

Concise:

8.53: Being concise requires that the report be no longer than necessary 
to convey and support the message. Extraneous detail detracts from a 
report, may even conceal the real message, and may confuse or distract 
the users. Also, needless repetition should be avoided. Although room 
exists for considerable judgment in determining the content of reports, 
those that are fact-based but concise are likely to achieve greater 
results.

Report Issuance and Distribution:

8.54: The reporting standard related to report issuance and distribution 
for performance audits performed in accordance with GAGAS is:

Government auditors should submit audit reports to the appropriate 
officials of the audited entity and to the appropriate officials of the 
organizations requiring or arranging for the audits, including external 
funding organizations, such as legislative bodies, unless legal 
restrictions prevent it. Auditors should also send copies of the 
reports to other officials who have legal oversight authority or who 
may be responsible for acting on audit findings and recommendations, 
and also to others authorized to receive such reports. Unless the 
report is restricted by law or regulation, or contains privileged or 
confidential information, auditors should clarify that copies are made 
available for public inspection. Nongovernment auditors should clarify 
report distribution responsibilities with the party contracting for the 
audit and follow the agreements reached.

8.55: Audit reports should be distributed in a timely manner to 
officials interested in the results. Such officials include those 
designated by law or regulation to receive such reports, those 
responsible for acting on the findings and recommendations contained in 
the report, those in other levels of government who have provided 
assistance to the audited entity, and legislators. However, if the 
subject of the audit involves material that is classified for security 
purposes or is not releasable to particular parties or the public for 
other valid reasons, auditors should limit the report distribution. 
(See paragraphs 8.35 through 8.37 for additional guidance on limited 
report distribution.) The availability of the report for public 
inspection should be documented in the audit documentation.

8.56: When nongovernment auditors are engaged to perform the audit under 
GAGAS, they should clarify report distribution responsibilities with 
the engaging organization. If the nongovernment auditors are to make 
the distribution, the engagement agreement should indicate which 
officials or organizations should receive the report and any other 
steps being taken to ensure the availability of the report for public 
inspection. The availability of the report for public inspection should 
be documented in the audit documentation.

8.57: Internal auditors should follow their entity's own arrangements 
and statutory requirements for distribution. Usually, they report to 
their entity's head or deputy head, who is responsible for distribution 
of the report. Further distribution of reports outside the organization 
should be made in accordance with applicable laws, rules, regulations, 
or policy.

[End of section]

Appendixes:

Appendix I Advisory Council on Government Auditing Standards:

Advisory Council Members:

Mr. Jack R. Miller, Chair KPMG LLP (member 1997-1998; chair 2001-2003):

Mr. Richard C. Tracy, Former Chair Office of City Auditor Portland, 
Oregon (member 1997-1998; chair 1999-2000):

The Honorable James B. Thomas, Former Chair Office of the Chief 
Inspector General State of Florida (chair 1997-1998):

The Honorable Ernest A. Almonte Office of the Auditor General State of 
Rhode Island (member 2001-2003):

Mr. Robert H. Attmore Office of the Comptroller New York State (member 
1997-1999):

The Honorable Thomas R. Bloom Defense Finance and Accounting Service 
(member 1997-2000):

The Honorable June Gibbs Brown U.S. Department of Health and Human 
Services (member 1997-1999):

The Honorable Ralph Campbell, Jr. Office of the State Auditor State of 
North Carolina (member 2000-2002):

Mr. Donald H. Chapin Consultant (member 1997-1998):

Ms. Patricia A. Dalton U.S. Department of Labor (member 1997-1999):

The Honorable Debra K. Davenport Office of the Auditor General State of 
Arizona (member 2002-2004):

The Honorable Bert T. Edwards Department of Interior (member 2000-2002):

Dr. John H. Engstrom University of Northern Illinois (member 2002-
2004):

The Honorable Richard L. Fair Office of the State Auditor State of New 
Jersey (member 2002-2004):

Dr. Ehsan Feroz University of Minnesota Duluth (member 2002-2004):

The Honorable Gregory H. Friedman Department of Energy (member 2002-
2004):

The Honorable Gaston L. Gianni, Jr. Federal Deposit Insurance 
Corporation (member 1999-2001):

Ms. Barbara J. Hinton Office of the Legislative Post Auditor State of 
Kansas (member 1999-2001):

Mr. David G. Hitchcock Standard & Poor's (member 1999-2001):

Dr. Jesse W. Hughes Consultant (member 2000-2002):

Dr. Rhoda C. Icerman Florida State University (member 2001-2003):

Mr. Norwood J. Jackson, Jr. U.S. Office of Management and Budget 
(member 1997-2000):

The Honorable Auston G. Johnson Office of the State Auditor State of 
Utah (member 2000-2002):

The Honorable Margaret B. Kelly Office of the State Auditor State of 
Missouri (member 1997-1998):

Dr. Daniel G. Kyle Office of the Legislative Auditor State of Louisiana 
(member 1997-1998):

Mr. Philip A. Leone Joint Legislative Audit and Review Commission 
Commonwealth of Virginia (member 1997-2000):

Mr. George A. Lewis Broussard, Poche, Lewis & Breaux (member 1997-
2000):

Ms. Nora J.E. Masters Deloitte & Touche LLP (member 1997-1999):

Mr. Sam M. McCall Office of the City Auditor Tallahassee, Florida 
(member 1997-1998; 2000-2002):

Mr. Harold L. Monk Davis, Monk & Company, CPAs (member 2002-2004):

Mr. Stephen L. Morgan Office of the City Auditor Austin, Texas (member 
2001-2003):

The Honorable Everett L. Mosley U.S. Agency for International 
Development (member 2001-2003):

Mr. Bruce A. Myers Office of the Legislative Auditor State of Maryland 
(member 1999-2001):

Dr. Kathryn E. Newcomer George Washington University (member 1999-
2001):

Mr. Robert M. Reardon, Jr. State Farm Insurance Companies (member 2002-
2004):

Ms. Roberta Reese Office of the Controller State of Nevada (member 
1997-1999):

Mr. George A. Scott Deloitte & Touche LLP (member 1999-2001):

Mr. Gerald Silva Office of the City Auditor City of San Jose, 
California (member 2002-2004):

The Honorable Kurt R. Sjoberg Office of the State Auditor State of 
California (member 1997-2000):

Mr. Barry R. Snyder Federal Reserve Board (member 2001-2003):

Dr. Daniel Stufflebeam Western Michigan University (member 2002-2004):

Dr. Paul M. Thompson AMBAC Indemnity Corporation (member 1997-1998):

Mr. Cornelius E. Tierney George Washington University (member 1997-
1999):

The Honorable Nikki Tinsley Environmental Protection Agency (member 
2002-2004):

Ms. Leslie E. Ward Office of the City Auditor Kansas City, Missouri 
(member 1999-2001):

The Honorable Jacquelyn L. Williams-Bridgers U.S. Department of State 
(member 2000-2002):

Dr. Earl R. Wilson University of Missouri-Columbia (member 1999-2001):

GAO Project Team:

Jeffrey C. Steinhoff, Managing Director:

Jeanette M. Franzel, Director:

Marcia B. Buchanan, Assistant Director:

Cheryl E. Clark, Assistant Director:

Michael C. Hrapsky, Project Manager:

Robert W. Gramling, Consultant:

[End of section]

Index:

abuse: 

	attestation engagement; 6.15, 6.19-6.20, 6.32-6.40.

	defined; 4.19, 6.19, 7.25, 8.19.

	financial audit; 4.17, 4.19, 4.20, 5.12, 5.17-5.25.

	performance audit; 7.25-7.26, 8.19-8.26.

	pursuing indications of; 4.20, 6.20, 7.26.

	reporting; 5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26.

	reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26.

accountability; 1.11-1.16.

AICPA standards: 

	attestation engagement; 2.08, 6.01, 6.03-6.04, 6.23, 6.27, 6.51.

	financial audit; 2.06, 4.01-4.02, 4.03-4.04, 5.01-5.02, 5.03, 5.17.

	relationship to GAGAS; 1.09, 4.01, 5.01, 6.01.

American Institute of Certified Public Accountants (see AICPA 
standards).

attestation engagements; 1.13, 2.07-2.08, 6.01-6.54.

	abuse; 6.15, 6.19-6.20, 6.32-6.40.

	communication, auditor; 6.06-6.09, 6.35, 6.54.

	compliance with GAGAS, reporting auditors'; 6.29-6.31.

	corrective actions; 6.34, 6.41-6.45.

	defined; 1.13, 2.07, 6.02.

	distribution, report issuance and; 6.46, 6.49-6.54.

	distribution, limited; 6.27d, 6.47, 6.50-6.51.

	documentation: 

		access to; 6.25-6.26.

		attest; 6.07, 6.16-6.17, 6.22-6.26, 6.35, 6.54.

		of communication; 6.07, 6.09, 6.35, 6.54.

		safeguarding; 6.26.

	findings; 6.21, 6.33-6.35.

	fraud and illegal acts; 6.15-6.18, 6.20, 6.32-6.40.

	internal control; 2.07, 6.13-6.14, 6.32-6.35.

	levels of; 6.02.

		agreed-upon-procedures; 6.02c, 6.15b, 6.18, 6.27d, 6.51.

		examination; 6.02a, 6.13-6.14, 6.15a, 6.16.

		review; 6.02b, 6.15b, 6.18.

	planning; 6.04, 6.13-6.14, 6.15-6.16.

	previous engagements, considering results of; 6.10-6.12.

	privileged and confidential information; 6.46-6.48.

	recommendations; 6.34.

	reporting; 6.27-6.54.

	reporting, direct; 6.36-6.40.

	qualifications for auditors, additional; 3.43-3.44.

	termination; 6.54.

	views of responsible officials; 6.41-6.45.

	violations of provisions of contracts or grant agreements; 6.15-6.18, 
6.20, 6.32-6.35, 6.36-6.40.

	work of others, using; 6.25.

audit objectives (see objectives).

audit organizations' responsibilities (see also under independence); 
1.27-1.28, 3.38.

auditors, qualifications of (see competence).

auditors' responsibilities; 1.19-1.26, 4.11, 4.18.

audits and attestation engagements, types of (see also attestation 
engagements; financial audits; performance audits); 2.01-2.16.

cause; 5.15c, 6.34c, 7.65, 8.15c, 8.18.

comments (see letters of comment; views of responsible officials).

communication, auditor (see also under attestation engagements; 
financial audits; performance audits); 1.26, 3.17e-3.17f.

competence (see also continuing professional education); 3.39-3.48.

	technical knowledge; 3.42.

	qualifications for financial audits and attestation engagements, 
additional; 3.43-3.44.

compliance; 1.18b, 4.12-4.13, 4.17-4.18, 5.08-5.11, 6.15-6.20, 6.32, 
6.36-6.40, 7.12c, 7.19-7.20, 7.49.

	tests of; 4.12-4.13, 4.17-4.18, 6.15-6.20, 7.07d, 7.17-7.20.

compliance with GAGAS (see under GAGAS).

computer-based systems, data from; 7.59-7.61.

conclusions; 6.27b, 8.27, 8.42, 8.44, 8.47, 8.49.

condition; 5.15b, 6.34b, 7.63, 8.15b.

conditions, reportable (see reportable conditions under financial 
audits).

confidential information (see privileged and confidential information 
under attestation engagements; financial audits; performance audits).

conflict of interest (see independence).

constructive engagement; 1.16.

consulting services (see nonaudit services).

continuing professional education (CPE) (see also documentation, 
continuing professional education); 3.45-3.48.

corrective actions (see under attestation engagements; financial 
audits; performance audits).

criteria; 5.15a, 6.03, 6.34a, 7.28, 8.15a.

data (see also evidence); 7.31, 7.55-7.61.

	sources of; 7.31, 7.55-7.59.

	tests of; 7.60-7.61.

	unaudited; 8.44.

	validity and reliability of; 7.12b, 7.15b, 7.57, 7.59.

diligence (see professional judgment).

direct reporting (see under attestation engagements; financial 
audits; performance audits).

distribution, limited (see under attestation engagements; financial 
audits; performance audits).

distribution, report issuance and; 5.31-5.33, 5.34-5.38, 6.46-6.48, 
6.49-6.54, 8.35-8.37, 8.54-8.57.

documentation: 

	access to; 4.25-4.26, 6.25-6.26, 7.69-7.71.

	attestation engagement; 6.07, 6.09, 6.16-6.17, 6.22-6.26, 6.35, 6.50-
6.51, 6.54.

	audit plan; 7.41-7.43.

	of audit reviews; 7.47.

	of communication; 4.07, 4.09, 5.16, 5.20, 5.38, 6.07, 6.09, 6.35, 6.54, 
7.40, 8.17, 8.21.

	of continuing professional education; 3.47.

	of evidence; 7.54, 7.60, 7.66-7.68.

	financial audit; 4.07, 4.09, 4.22-4.26, 5.16, 5.20, 5.35-5.36, 5.38.

	independence; 3.17a, 3.17e, 3.26, 3.32.

	peer review; 3.17g, 3.54.

	performance audit; 7.07, 7.17, 7.22, 7.40-7.43, 7.47, 7.54, 7.60, 7.66-
7.71, 8.17, 8.21, 8.55-8.56.

	of planning; 7.07.

	quality control; 3.51.

	safeguarding; 4.26, 6.26, 7.69, 7.71.

	of specialists' qualifications; 3.48.

economy and efficiency (see under objectives).

effect; 5.15d, 6.34d, 7.64, 8.15d.

effectiveness (see under objectives).

engagement letter; 3.17e, 4.07-4.09, 6.07-6.09, 7.40.

evidence (see also data):

	attestation engagement; 6.04b, 6.34, 6.39.

	financial audits; 4.03c, 4.12, 5.15, 5.24.

	performance audit; 7.31, 7.48-7.51, 7.52-7.65, 8.13, 8.15, 8.25, 8.41-
8.47.

	tests of; 7.52-7.61.

	types of; 7.50.

external quality control review (see peer review).

field work; 4.01-4.26, 6.03-6.26, 7.01-7.71.

financial audits; 1.12, 2.05-2.06, 4.01-4.26, 5.01-5.38.

	abuse; 4.17, 4.19, 4.20, 5.12, 5.17-5.25.

	communication, auditor; 4.06-4.13, 5.16, 5.20, 5.22-5.23, 5.38.

	compliance; 4.10-4.13, 4.17-4.20, 5.08-5.11, 5.12, 5.17-5.25.

	compliance with GAGAS, reporting auditors'; 5.05-5.07.

	conclusions; 5.18.

	corrective actions; 4.15-4.16, 5.15, 5.26-5.30.

	defined; 1.12, 2.05, 4.02.

	distribution, limited; 5.32, 5.35.

	distribution, report issuance and; 5.31-5.33, 5.34-5.38.

	documentation: 

		access to; 4.25-4.26.

		audit; 4.22-4.26.

		of communication; 4.07, 4.09, 5.16, 5.20, 5.38.

		safeguarding; 4.26.

	field work; 4.01-4.26.

	findings; 4.21, 5.14-5.15, 5.18-5.20.

	fraud and illegal acts; 4.17-4.18, 4.20, 5.12, 5.17-5.25.

	internal control; 4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16.

	material misstatement, detecting; 4.17-4.18.

	material weakness; 5.14.

	previous engagements, considering results of; 4.04, 4.14-4.16.

	privileged and confidential information; 5.31-5.33.

	procedures, audit; 4.17-4.21.

	reportable conditions; 5.12-5.16.

	reporting; 5.01-5.38.

	reporting, direct; 5.12, 5.21-5.25.

	qualifications for auditors, additional; 3.43-3.44.

	termination; 4.09, 5.38.

	users (of the audit report); 4.04, 5.07, 5.15.

	views of responsible officials; 5.26-5.30.

	violations of provisions of contracts or grant agreements; 4.17-4.18, 
4.20, 5.12, 5.17-5.25.

findings; 4.21, 5.14-5.15, 5.18-5.20, 6.21, 6.33-6.35, 7.28, 7.62-7.65, 
8.13-8.16.

findings, elements of; 5.15, 6.34, 7.28, 7.62-7.65, 8.14-8.15.

follow-up (see also previous engagements, considering results of); 
1.28.

fraud and illegal acts (see also laws, regulations, and provisions of 
contracts or grant agreements): 

	attestation engagement; 6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40.

	financial audit; 4.17-4.18, 4.20, 5.12, 5.17-5.19, 5.21-5.25.

	performance audit; 7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26.

	pursuing indications of; 4.20, 6.20, 7.26.

	reporting; 5.12, 5.17-5.19, 5.21-5.25, 6.32-6.40, 8.19-8.26.

	reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26.

GAGAS (generally accepted government auditing standards; see also 
individual standards); 1.01-1.03.

	applicability; 1.04-1.08.

	attestation engagement standards; 1.09, 2.08, 6.01-6.45.

	compliance with, reporting auditors'; 2.15, 5.05-5.07, 6.29-6.31, 8.30.

	financial audit standards; 1.09, 2.06, 4.01-4.26, 5.01-5.38.

	laws, regulations, and guidelines requiring; 1.05-1.06.

	and nonaudit services; 2.14-2.16.

	performance audit standards; 7.01-7.71, 8.01-8.57.

	professional judgment; 3.34.

	relationship to other standards; 1.09-1.10, 4.01, 5.01, 6.01.

illegal acts (see fraud and illegal acts).

independence; 3.03-3.32.

	external impairments; 3.19-3.20.

	and nonaudit services; 3.07, 3.10-3.18.

	organizational impairments; 3.21-3.32.

	organizations, responsibilities of audit; 3.07-3.10, 3.12-3.14, 3.16-
3.18, 3.20, 3.26, 3.28, 3.32.

	and reporting; 3.22-3.32.

	personal impairments; 3.07-3.18.

	specialists, using work of; 3.06.

internal auditing; 3.27-3.29, 3.31-3.32, 5.37, 6.53, 7.16, 8.57.

internal control: 

	attestation engagement; 6.13-6.14, 6.32-6.35.

	and compliance; 5.08-5.11, 6.13, 6.32.

	components of; 4.03 (footnote).

	deficiencies; 5.12-5.16, 6.32-6.35, 7.65, 8.16, 8.17-8.18.

	financial audit; 4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16.

	management's role; 1.18.

	performance audit; 2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16, 8.17-8.18.

	safeguarding resources; 7.13.

	tests of; 4.12-4.13, 5.08-5.09, 7.60.

	understanding; 7.14.

internal quality control system (see also quality control and 
assurance); 3.07-3.08, 3.17e, 3.20, 3.49-3.52.

issuance and distribution, report (see distribution, report issuance 
and).

laws, regulations, and provisions of contracts or grant agreements 
(see also fraud and illegal acts; violations of provisions of 
contracts or grant agreements); 7.10a, 7.12c, 7.17-7.20, 8.23, 8.26.

legal counsel; 7.19.

letters of comment; 3.54-3.56.

limited official use (see distribution, limited, under attestation 
engagements, financial audits, performance audits).

management letters; 5.16, 5.20, 6.35, 8.17, 8.21.

management controls (see internal control).

management's role (see also officials, responsibilities of); 1.17, 
1.18, 1.28, 3.17b, 4.16, 6.12, 7.30.

material misstatements, detecting; 4.17-4.18.

material weakness; 5.14.

methodology and procedures; 7.03, 7.06, 7.14c, 7.17-7.27, 7.32, 8.08, 
8.11.

nonaudit services; 1.08, 2.14-2.16, 3.08a, 3.10-3.18.

objectives; 2.02-2.04, 2.09-2.13.

	compliance; 2.12, 7.10a, 7.12c.

	economy and efficiency; 2.10, 7.12a.

	effectiveness and results; 2.10, 7.10g, 7.12a.

	internal control; 2.11, 7.12-7.16.

	performance audit; 2.09-2.13, 7.03-7.06, 7.12-7.16, 7.18a, 8.08-8.12.

	prospective; 2.13.

	types of; 2.10-2.13.

objectivity (see also auditors' responsibilities; audit 
organizations' responsibilities; independence); 8.46-8.48.

officials, reporting views of responsible (see views of responsible 
officials).

officials, responsibilities of (see also management's role); 4.16, 
5.23, 6.12, 6.38, 7.30, 8.24.

peer review (see also under documentation); 1.27, 3.17g, 3.26, 3.32, 
3.49, 3.52-3.56.

performance audits; 1.14-1.15, 2.09-2.13, 7.01-7.71, 8.01-8.57.

	abuse; 7.25-7.26, 8.19-8.26.

	accomplishments, reporting; 8.48.

	communication, auditor; 7.39-7.40, 8.17, 8.21, 8.40.

	compliance; 2.12, 7.07d, 7.12c, 7.19-7.20, 7.49.

	compliance with GAGAS, auditors'; 8.30.

	conclusions; 8.20, 8.27, 8.47, 8.49.

	corrective actions; 7.29-7.30, 8.05, 8.15, 8.31-8.34, 8.40, 8.49.

	defined; 2.09.

	distribution, limited; 8.36, 8.55.

	distribution, report issuance and; 8.36, 8.54-8.57.

	documentation: 

		access to; 7.69-7.71.

		audit; 7.22, 7.60, 7.66-7.71.

		audit plan; 7.41-7.43.

		of communication; 7.40, 8.17, 8.21.

		of evidence; 7.54, 7.60, 7.66-7.68.

		of planning; 7.07.

		safeguarding; 7.69, 7.71.

	field work; 7.01-7.71.

	findings; 7.28, 7.62-7.65, 8.13-8.16, 8.20.

	fraud and illegal acts; 7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26, 
8.28.

	internal control; 2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16, 8.17-8.18.

	methodology and procedures; 7.03, 7.06, 7.14, 7.17-7.27, 7.32, 8.08, 
8.12.

	objectives; 2.10-2.13, 7.03-7.06, 7.12-7.16, 7.18, 8.08-8.12.

	planning; 7.02-7.43.

	plan, preparing an audit; 7.03, 7.14, 7.28, 7.41-7.43.

	previous engagements, considering results of; 7.29-7.30.

	privileged and confidential information; 8.35-8.37.

	program significance; 7.08-7.09.

	program, understanding; 7.10, 7.12.

	recommendations; 8.28-8.29.

	referencing; 8.45.

	report: 

		contents; 8.07-8.37.

		elements; 8.38-8.53.

		form; 8.02-8.06.

	reporting; 8.01-8.57.

		accurate; 8.43-8.45.

		clear; 8.50-8.52.

		complete; 8.41-8.42.

		concise; 8.53.

		convincing; 8.49.

		objective; 8.46-8.48.

		timely; 8.39-8.40.

	reporting, direct; 8.22-8.26.

	reporting, interim; 8.40.

	scope; 7.03, 7.05, 7.14b, 7.36, 8.08, 8.10, 8.12, 8.17, 8.30, 8.45.

	significance; 4.15 (footnote), 4.18 (footnote), 7.08.

	staffing; 7.35-7.38.

	supervision; 7.44-7.47.

	termination of audit; 7.40, 8.06.

	users (of the audit report); 2.04, 7.08-7.09, 8.03, 8.08-8.09, 8.11-
8.12, 8.32, 8.39.

	views of responsible officials; 8.31-8.34.

	violations of provisions of contracts or grant agreements; 7.17-7.20, 
7.26-7.27, 8.16, 8.19-8.21, 8.22-8.26.

	work of others, considering; 7.32-7.34, 7.70.

planning; 4.03, 4.06-4.07, 4.15-4.18, 6.04, 6.06-6.16, 7.02-7.43.

previous engagements, considering results of (see also work of 
others, considering); 4.04, 4.14-4.16, 6.10-6.12, 7.07, 7.29-7.30.

privileged and confidential information (see under attestation 
engagements; financial audits; performance audits).

procurement for audits; 1.18f.

professional judgment; 1.25, 3.33-3.38, 4.04.

program (see also performance audits): 

	aspects; 7.10.

	significance; 7.08-7.09.

program audits (see performance audits).

quality control and assurance (see also internal quality control 
system; see also under documentation); 3.49-3.56.

recommendations; 5.15, 6.34, 8.28-8.29.

referencing (see under performance audits).

reportable conditions (see under financial audits).

reporting (see also under attestation engagements; financial audits; 
performance audits); 1.26, 5.01-5.38, 6.27-6.54, 8.01-8.57.

roles and responsibilities (see also audit organizations' 
responsibilities; auditors' responsibilities; management's role; 
officials, responsibilities of); 1.17-1.28.

scope; 5.08-5.09, 7.03, 7.05, 7.14b, 7.36, 8.08, 8.10, 8.12, 8.17, 
8.45.

significance; 4.15, 4.18, 7.08-7.09.

significance, program (see under program).

specialists, use of (see also under documentation); 3.06, 3.48, 7.37.

supervision; 4.03, 6.03, 7.44-7.47.

users (of the audit report) (see also under financial audits, 
performance audits); 1.01, 1.22, 1.25-1.26, 2.04, 3.01.

views of responsible officials; 5.26-5.30, 6.41-6.45, 8.31-8.34.

violations of provisions of contracts or grant agreements (see also 
laws, regulations, and provisions of contracts and grant agreements):

	attestation engagement; 6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40.

	financial audit; 4.17-4.18, 4.20, 5.12, 5.17-5.25.

	performance audit; 7.17-7.20, 7.26-7.27, 8.16, 8.19-8.21, 8.22-8.26.

	pursuing indications of; 4.20, 6.20, 7.26.

	reporting; 5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26.

	reporting, direct; 5.21-5.25, 6.36-6.40, 8.22-8.26.

working papers (see documentation).

work of others, considering (see also previous engagements, 
considering the results of); 4.25, 6.25, 7.32-7.34, 7.70.

[End of table]

FOOTNOTES

[1] This document addresses the standards that should be used by the 
individuals in audit organizations conducting the broad array of work 
that is described more fully in chapter 2. Accordingly, the focus of 
this document is not on the wide variety of titles that are used by 
individuals conducting and reporting on this work, but instead the 
nature of the work that is being performed. The term "auditor" 
throughout this document includes individuals who may be titled 
auditor, analyst, evaluator, inspector, or who may have a similar 
position.

[2] Requirements in GAGAS are identified by statements that include the 
word "should." Auditors are expected to comply with these requirements 
if they apply to the type of work being performed.

[3] Henceforth, the term "program" will be used in this document to 
include government establishments, organizations, programs, 
activities, and functions.

[4] Under the Single Audit Act, as amended, federal awards include 
federal financial assistance (grants, loans, loan guarantees, property, 
cooperative agreements, interest subsidies, insurance, food 
commodities, direct appropriations, or other assistance) and cost-
reimbursement contracts.

[5] This responsibility applies to all resources, both financial and 
physical, as well as informational resources, whether entrusted to 
public officials or others by their own constituencies or by other 
levels of government.

[6] Other report users may include officials of the audited entity, the 
audit committee, the board of directors or other audit oversight body, 
management or auditors of granting or funding agencies, and individuals 
contracting for or requesting audit services.

[7] The three authoritative bodies for establishing accounting 
principles and financial reporting standards are the Federal Accounting 
Standards Advisory Board (federal government), the Governmental 
Accounting Standards Board (state and local governments), and the 
Financial Accounting Standards Board (nongovernmental entities).

[8] Special reports apply to auditors' reports issued in connection 
with the following: (1) financial statements that are prepared in 
conformity with a comprehensive basis of accounting other than 
generally accepted accounting principles; (2) specified elements, 
accounts, or items of a financial statement; (3) compliance with 
aspects of contractual agreements or regulatory requirements related to 
audited financial statements; (4) financial presentations to comply 
with contractual agreements or regulatory requirements; or (5) 
financial information presented in prescribed forms or schedules that 
require a prescribed form of auditors' report.

[9] For consistency within GAGAS, the word "auditor" is used to 
describe individuals conducting and reporting on attestation 
engagements.

[10] An assertion is any declaration or set of declarations made by 
management about whether the subject matter is based on or in 
conformity with the criteria selected.

[11] The term "internal control" in this document is synonymous with 
the term management control and, unless otherwise stated, covers all 
aspects of an entity's operations (programmatic, financial, and 
compliance).

[12] These objectives focus on combining cost information with 
information about outputs or the benefit provided and outcomes or the 
results achieved.

[13] Compliance requirements can be either financial or nonfinancial in 
nature.

[14] If audit organizations provide nonaudit services, audit 
organizations need to consider whether providing these services creates 
a personal impairment either in fact or appearance that adversely 
affects their independence for conducting audits.

[15] See chapter 6 for an additional general standard auditors should 
follow when performing an attestation engagement.

[16] Nongovernment auditors should also follow the AICPA code of 
professional conduct and the code of professional conduct of the state 
board with jurisdiction over the practice of the public accountant and 
the audit organization. All auditors should also be aware of and comply 
with any applicable government ethics laws and regulations and any 
other ethics requirements (such as those of the state boards of 
accountancy) associated with their activities.

[17] Specialists to whom this section applies include, but are not 
limited to, actuaries, appraisers, attorneys, engineers, environmental 
consultants, medical professionals, statisticians, and geologists. 
This section applies to external consultants and firms performing work 
for the audit organization.

[18] Immediate family member is a spouse, spouse equivalent, or 
dependent (whether or not related). A close family member is a parent, 
sibling, or nondependent child.

[19] Auditors are not precluded from auditing pension plans that they 
participate in if (1) the auditor has no control over the investment 
strategy, benefits, or other management issues associated with the 
pension plan and (2) the auditor belongs to such pension plan as part 
of his/her employment with the audit organization, provided that the 
plan is normally offered to all employees in equivalent employment 
positions.

[20] If the auditor has performed nonaudit services for a client that 
affect information that is the subject of the audit, and management is 
unable or unwilling to take responsibility for this information, the 
risk that the auditor may be perceived to have a personal impairment to 
independence is increased. See paragraphs 3.10 through 3.18 for 
additional guidance on impairments to independence associated with the 
scope of services that may be provided by audit organizations to 
entities they audit.

[21] The auditor needs to be free from this personal impairment for the 
period covered by the activity under audit, including any financial 
statements being audited, and for the period in which the audit is 
being performed and reported.

[22] See footnote 21.

[23] Auditors participating in the audit assignment need to be free 
from personal impairments. This includes those who review the work or 
the report, and all others within the audit organization who can 
directly influence the outcome of the audit.

[24] GAO has issued further guidance in the form of questions and 
answers to assist in implementation of the standards associated with 
nonaudit services. This guidance, Answers to Independence Standard 
Questions, can be found on GAO's Government Auditing Standards Web page 
(http://www.gao.gov/govaud/ybk01.htm).

[25] The determination of account balances is used by management to 
prepare financial statements, such as determining for management the 
balance of accounts receivable or accounts payable or the value of 
inventory as of a specific date.

[26] Entity assets are intended to include all of the entity's property 
including bank accounts, investment accounts, inventories, equipment or 
other assets owned, leased, or otherwise in the entity's possession, 
and financial records, both paper and electronic.

[27] Personnel who provided the nonaudit service are permitted to 
convey to the audit assignment team the knowledge gained about the 
audited entity and its operations.

[28] If the audit organization has prepared draft financial statements 
and notes and performed the financial statement audit, management 
should acknowledge the audit organization's role in preparing the 
financial statements and related notes and management's review, 
approval, and responsibility for the financial statements and related 
notes in the management representation letter. Likewise, if the audit 
organization converts cash-based financial statements to accrual-based 
financial statements, management should also acknowledge the audit 
organization's role in reflecting accruals and management's review, 
approval, and responsibility for the accrual adjustments in the 
management representation letter. A management representation letter is 
required by generally accepted auditing standards (GAAS) and GAGAS.

[29] Proposing adjusting and correcting entries that are identified 
during the audit is a routine byproduct of audit services that is 
always permissible so long as management makes the decision to accept 
the entries.

[30] The Office of Management and Budget prohibits an auditor who 
prepared the entity's indirect cost proposal from conducting the 
required audit when indirect costs recovered by the entity during the 
prior year exceeded $1 million under OMB Circular A-133, Audits of 
States, Local Governments, and Non-Profit Organizations, Subpart 
C.305(b), revised June 24, 1997.

[31] Legislative bodies may exercise their confirmation powers through 
a variety of means as long as they are involved in the approval of the 
individual to head the audit organization. This involvement can be 
demonstrated by approving the individual after the appointment or by 
initially selecting or nominating an individual or individuals for 
appointment by the appropriate authority.

[32] Statutory authority to issue a subpoena to obtain the needed 
records is one way to meet the requirement for statutory access to 
records.

[33] If GAAP is not the basis of accounting being used on a particular 
assignment, then auditors should be knowledgeable about the appropriate 
accounting principles used, such as regulatory accounting principles.

[34] Public accountants licensed on or before December 31, 1970, or 
persons working for a public accounting firm licensed on or before 
December 31, 1970, are also considered qualified under this standard.

[35] Although staff members must collectively possess the technical 
knowledge, skills, and experience necessary to be competent for the 
type of work being performed before beginning work on a GAGAS 
assignment as discussed in paragraph 3.42, individual auditors have 2 
years from the date they start an audit or attestation engagement 
conducted under GAGAS to comply with the CPE requirements.

[36] Staff members not involved in planning, directing, or reporting on 
the audit or attestation engagement, and who charge less than 20 
percent annually of their time to audits and attestation engagements 
following GAGAS, do not have to comply with the 24-hour CPE 
requirement.

[37] This guidance, Interpretation of Continuing Education and Training 
Requirements, can be found on GAO's Government Auditing Standards Web 
page (http://www.gao.gov/govaud/ybk01.htm).

[38] Audit organizations should have an external peer review conducted 
within 3 years from the date they start (that is, start of field work) 
their first assignment in accordance with GAGAS. Subsequent external 
peer reviews should be conducted every 3 years. Extensions of these 
time frames beyond 3 months to meet the external peer review 
requirements can only be granted by GAO and should only be requested 
for extraordinary circumstances.

[39] "Professional standards" refers to both the auditing standards and 
quality control standards used by the reviewed audit organization.

[40] To date, the Comptroller General has not excluded any field work 
standards or SASs.

[41] The term "financial statements" refers to a presentation of 
financial data, including accompanying notes, derived from accounting 
records and intended to communicate an entity's economic resources or 
obligations at a point in time or the changes for a period of time in 
conformity with an identifiable framework, such as generally accepted 
accounting principles (GAAP) or another comprehensive basis of 
accounting. Audits of financial statements include all services 
governed by the AICPA SASs for which the auditors are engaged to 
provide a level of assurance on the fair presentation of financial 
statements in accordance with stated criteria.

[42] The term "special report" applies to auditors' reports issued in 
connection with the following: (1) financial statements that are 
prepared in conformity with a comprehensive basis of accounting other 
than GAAP; (2) specified elements, accounts, or items of a financial 
statement; (3) compliance with aspects of contractual agreements or 
regulatory requirements related to audited financial statements; (4) 
financial presentations to comply with contractual agreements or 
regulatory provisions; or (5) financial information presented in 
prescribed forms or schedules that require a prescribed form of 
auditors' report. Under GAGAS, an audit of financial statements 
prepared in conformity with a comprehensive basis of accounting other 
than GAAP (item 1 above) would be subject to the same GAGAS 
requirements applicable to audits of financial statements prepared in 
conformity with GAAP.

[43] The AICPA standards incorporate the concepts contained in Internal 
Control - Integrated Framework, published by the Committee of 
Sponsoring Organizations (COSO) of the Treadway Commission. Internal 
control consists of five interrelated components, which are (1) control 
environment, (2) risk assessment, (3) control activities, (4) 
information and communication, and (5) monitoring. The objectives of 
internal control relate to (1) financial reporting, (2) operations, and 
(3) compliance. Safeguarding of assets is a subset of these objectives. 
In that respect, internal control should be designed to provide 
reasonable assurance regarding prevention of or prompt detection of 
unauthorized acquisition, use, or disposition of assets.

[44] This requirement applies only to situations where the law or 
regulation specifically identifies the entity to be audited, such as an 
audit of a specific agency's financial statements required by the Chief 
Financial Officers Act of 1990, as expanded by the Government 
Management Reform Act of 1994. Situations in which the mandate to audit 
financial statements applies to entities not specifically identified, 
such as audits required by the Single Audit Act Amendments of 1996, are 
excluded.

[45] For example, when engaged to perform audits under the Single Audit 
Act Amendments of 1996 for state and local government entities and 
nonprofit entities that receive federal awards, auditors should be 
familiar with the Office of Management and Budget (OMB) Circular A-133 
on single audits. The act and circular include specific audit 
requirements, mainly in the areas of internal control and compliance 
with laws and regulations, that exceed the minimum audit requirements 
in the standards in chapters 4 and 5 of this document. Audits performed 
under the Chief Financial Officers Act of 1990, as expanded by the 
Government Management Reform Act of 1994, also have specific audit 
requirements prescribed by OMB in the areas of internal control and 
compliance. In addition, some state and local governments may have 
additional audit requirements that the auditors would need to consider 
in planning the audit.

[46] Significant findings and recommendations are those matters that, 
if not corrected, could affect the results of the auditors' work and 
the auditors' conclusions and recommendations about those results.

[47] The terms "material" and "significant" are synonymous under GAGAS. 
"Material" is used in the AICPA standards in relation to audits of 
financial statements. "Significant" is used in relation to other types 
of audits governed by GAGAS, such as performance audits, where the term 
"material" is generally not used.

[48] Two types of misstatements are relevant to the auditors' 
consideration of fraud in an audit of financial statements--
misstatements arising from fraudulent financial reporting and 
misstatements arising from misappropriation of assets. The primary 
factor that distinguishes fraud from error is whether the underlying 
action that results in the misstatement in the financial statements is 
intentional or unintentional.

[49] Indirect illegal acts are violations of laws and regulations 
having material but indirect effects on the financial statements.

[50] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law or other adjudicative body. Thus, 
when auditors disclose matters that have led them to conclude that an 
illegal act is likely to have occurred, they should not imply that they 
have made a determination of illegality.

[51] For example, in a financial statement audit, auditors might find 
abuse when examining sensitive payments such as travel of senior 
management officials to locations chosen for personal reasons rather 
than less costly locations which would have been appropriate to satisfy 
the business objectives of the travel. While auditors generally will 
not view travel expenses of senior management officials as 
quantitatively material to the financial statements, this expense 
generally would be considered qualitatively material to the financial 
statements.

[52] This documentation requirement does not increase the auditors' 
responsibility for testing internal control but is intended to assist 
the auditors in ensuring that audit objectives are met and audit risk 
is reduced to an acceptable level.

[53] To date, the Comptroller General has not excluded any reporting 
standards or SASs.

[54] If the auditor is performing an audit in accordance with OMB 
Circular A-133, Audits of States, Local Governments, and Non-Profit 
Organizations, the thresholds for reporting are defined in the 
circular. These reporting thresholds are sufficient to meet the 
requirements of GAGAS.

[55] AICPA standards define reportable conditions as significant 
deficiencies in the design or operation of internal control that could 
adversely affect the entity's ability to record, process, summarize, 
and report financial data consistent with the assertions of management 
in the financial statements.

[56] The AICPA standards define a material weakness as a reportable 
condition in which the design or operation of one or more of the 
internal control components does not reduce to a relatively low level 
the risk that misstatements caused by error or fraud in amounts that 
would be material in relation to the financial statements being audited 
may occur and not be detected within a timely period by employees in 
the normal course of performing their assigned functions.

[57] Common sources for criteria include laws, regulations, policies, 
procedures, and best or standard practices. The Standards for Internal 
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, 
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published 
by the Committee of Sponsoring Organizations of the Treadway Commission 
(COSO) are two sources of established criteria auditors can use to 
support their judgments and conclusions about internal control. The 
related Internal Control Management and Evaluation Tool (GAO-01-1008G, 
Aug. 2001), based on the federal internal control standards, provides a 
systematic, organized, and structured approach to assessing internal 
control.

[58] See paragraph 4.19 for a discussion of abuse.

[59] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law or other adjudicative body. Thus, 
when auditors disclose matters that have led them to conclude that an 
illegal act is likely to have occurred, they should not unintentionally 
imply that a final determination of illegality has been made.

[60] Auditors should include information about fraud or abuse in the 
audit reports required by paragraph 5.08 as applicable to internal 
control and compliance with laws, regulations, and provisions of 
contracts and grant agreements.

[61] Internal audit organizations do not have a duty to report outside 
that entity unless required by law, rule, regulation, or policy. See 
paragraph 3.28 for reporting requirements for internal audit 
organizations when reporting externally.

[62] See the Single Audit Act Amendments of 1996 and Office of 
Management and Budget (OMB) Circular A-133 on single audits for the 
distribution of reports on single audits of state and local 
governmental entities and nonprofit organizations that receive federal 
awards.

[63] To date, the Comptroller General has not excluded any field work 
standards, reporting standards, or SSAEs.

[64] GAGAS incorporate only one of the AICPA general standards for 
attestation engagements.

[65] See chapter 2 for examples of subjects of attestation engagements.

[66] As stated in the AICPA SSAEs, auditors should not perform 
review-level work for reporting on internal control or compliance with 
laws and regulations.

[67] This requirement applies only to situations in which the law or 
regulation specifically identifies the entity to be subject to an 
attestation engagement. Situations in which the mandate to have an 
attestation engagement applies to entities not specifically identified, 
such as attestation engagements required by the U.S. Department of 
Education, are excluded.

[68] Significant findings and recommendations are those matters that, 
if not corrected, could affect the results of the auditors' work and 
the auditors' conclusions and recommendations regarding those results.

[69] Although not applicable to attestation engagements, the AICPA SASs 
may provide useful guidance related to internal control for auditors 
performing attestation engagements in accordance with GAGAS. In 
addition, auditors performing attestation engagements may wish to refer 
to the internal control guidance published by the Committee of 
Sponsoring Organizations of the Treadway Commission (COSO). The 
Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which incorporates the 
relevant guidance developed by COSO, provides definitions and 
fundamental concepts pertaining to internal control at the federal 
level and may be 
useful to auditors at any level of government. The related Internal 
Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: 
Aug. 2001) based on the federal internal control standards, provides a 
systematic, organized, and structured approach to assessing internal 
control.

[70] Fraud is a type of illegal act involving the obtaining of 
something of value through willful misrepresentation. Although not 
applicable to attestation engagements, the AICPA SASs may provide 
useful guidance related to fraud for auditors performing attestation 
engagements in accordance with GAGAS.

[71] For example, in an attestation engagement that has as its subject 
reporting on an entity's internal controls over compliance with 
specified requirements governing the procurement of motor vehicles, 
auditors might find abuse when considering purchases of passenger cars 
for official senior management use if costly luxury cars were purchased 
when less expensive models would have been appropriate. While auditors 
generally will not view the procurement of costly luxury cars as 
quantitatively significant to the subject matter, this action generally 
would be considered qualitatively significant to the subject matter or 
assertion.

[72] Auditors may meet this requirement by listing voucher numbers, 
check numbers, or other means of identifying specific documents they 
examined. Auditors are not required to include copies of documents they 
examined as part of the attest documentation, nor are auditors required 
to list detailed information from those documents.

[73] Auditors should, however, follow the report distribution standard 
(see paragraphs 6.49 through 6.54).

[74] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law. Thus, when auditors disclose 
matters that have led them to conclude that an illegal act is likely to 
have occurred, they should not unintentionally imply that a final 
determination of illegality has been made.

[75] Common sources for criteria are laws, regulations, policies, 
procedures, best or standard practices, or assertions. The Standards 
for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 
(Washington, D.C.: Nov. 1999) and Internal Control--Integrated 
Framework, published by the Committee of Sponsoring Organizations of 
the Treadway Commission (COSO) are two sources of established criteria 
auditors can use to support their judgments and conclusions about 
internal control. The related Internal Control Management and 
Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal 
internal control standards, provides a systematic, organized, and 
structured approach to assessing internal control.

[76] Internal audit organizations do not have a duty to report outside 
that entity unless required by law, rule, regulation, or policy. See 
paragraph 3.28 for reporting requirements for internal audit 
organizations when reporting externally.

[77] See discussion of the elements of a finding in paragraph 7.28 and 
paragraphs 7.62 through 7.65.

[78] This chapter uses only the term "program;" however, the concepts 
presented also apply to audits of entities, activities, and services.

[79] Refer to the internal control guidance contained in Internal 
Control--Integrated Framework, published by the Committee of Sponsoring 
Organizations of the Treadway Commission (COSO). As discussed in the 
COSO study, internal control consists of five interrelated components, 
which are (1) control environment, (2) risk assessment, (3) control 
activities, (4) information and communication, and (5) monitoring. The 
objectives of internal control relate to (1) financial reporting, (2) 
operations, and (3) compliance. Safeguarding of assets is a subset of 
these objectives. In that respect, internal control should be designed 
to provide reasonable assurance regarding prevention of or prompt 
detection of unauthorized acquisition, use, or disposition of assets. 
In addition to the COSO document, the publication, Standards for 
Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 
(Washington, D.C.: Nov. 1999), which incorporates the relevant guidance 
developed by COSO, provides definitions and fundamental concepts 
pertaining to internal control at the federal level and may be useful 
to other auditors at any level of government. The related Internal 
Control Management and Evaluation Tool, GAO-01-1008G (Washington, D.C.: 
Aug. 2001), based on the federal internal control standards, provides a 
systematic, organized, and structured approach to assessing the 
internal control structure.

[80] Violations of laws or regulations are illegal acts.

[81] Many government entities have these activities identified by other 
names, such as inspection, appraisal, investigation, organization and 
methods, or management analysis. These activities assist management by 
reviewing selected functions.

[82] Paragraphs 7.32 through 7.34 discuss relying on the work of 
others.

[83] Fraud is a type of illegal act involving the obtaining of 
something of value through willful misrepresentation.

[84] The terms "material" and "significant" are synonymous under GAGAS. 
"Material" is used in the AICPA standards in relation to audits of 
financial statements. "Significant" is used in relation to other types 
of audits governed by GAGAS, such as performance audits, where the term 
"material" is generally not used.

[85] For example, in a performance audit of management's efficient use 
of funds for office building maintenance, auditors might find abuse if 
renovation of senior management's offices far exceeds usual office space 
specifications. While auditors might not view the renovation costs as 
quantitatively significant to the audit results, these expenses would 
be considered qualitatively significant to this audit objective.

[86] Significant findings and recommendations are those matters that, 
if not corrected, could affect the results of the auditors' work and 
the auditors' conclusions and recommendations about those results.

[87] Auditors may meet this requirement by listing file numbers, case 
numbers, or other means of identifying specific documents they 
examined. They are not required to include copies of documents they 
examined as part of the audit documentation, nor are they required to 
list detailed information from those documents.

[88] When computer-processed data are included in the report for 
background or informational purposes and are not significant to the 
auditors' findings, citing the source of the data and stating that they 
were not verified will satisfy the reporting standards.

[89] Appropriate background information may include information on how 
programs and operations work; the significance of programs and 
operations (e.g., dollars, impact, purposes, and past audit work if 
relevant); a description of the audited entity's responsibilities; and 
explanation of terms, organizational structure, and the statutory basis 
for the program and operations.

[90] Common sources for criteria include laws, regulations, policies, 
procedures, and best or standard practices. The Standards for Internal 
Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, 
D.C.: Nov. 1999) and Internal Control--Integrated Framework, published 
by the Committee of Sponsoring Organizations of the Treadway Commission 
(COSO) are two sources of established criteria auditors can use to 
support their judgments and conclusions about internal control. The 
related Internal Control Management and Evaluation Tool, GAO-01-1008G 
(Washington, D.C.: Aug. 2001), based on the federal internal control 
standards, provides a systematic, organized, and structured approach to 
assessing internal control.

[91] Significant deficiencies are those matters coming to the auditor's 
attention that, in the auditor's judgment, affect the results of the 
auditors' work and the auditors' conclusions and recommendations about 
those results.

[92] Whether a particular act is, in fact, illegal may have to await 
final determination by a court of law. Thus, when auditors disclose 
matters that have led them to conclude that an illegal act is likely to 
have occurred, they should take care not to unintentionally imply that 
a final determination of illegality has been made.

[93] See paragraphs 8.22 through 8.26 for additional reporting 
considerations.

[94] Internal audit organizations do not have a duty to report outside 
the entity unless required by law, rule, regulation, or policy. See 
paragraph 3.28 for reporting requirements for internal audit 
organizations when reporting externally.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:

Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800
U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548