By the Comptroller General of the United States

January 2002

Government Auditing Standards

2002 Revision

Exposure Draft

GAO-02-340G

United States General Accounting Office
Washington, DC 20548

January 2002

TO AUDIT OFFICIALS AND OTHERS INTERESTED IN GOVERNMENT AUDITING STANDARDS

GAO invites your comments on the accompanying proposed changes to Government Auditing Standards (GAGAS), commonly known as the "yellow book." These changes propose revision throughout the entire set of standards except for the second general standard, independence, which is being revised separately. The proposed revisions fall into three categories: GAGAS framework, consistent application of the standards where applicable to the various types of audits, and strengthening or streamlining the standards. This letter describes the process followed in revising the standards, summarizes proposed major changes, outlines the format of this exposure draft, and requests comments from interested parties on these proposed revisions.

To help ensure that the standards continue to meet the needs of the audit community and the public it serves, the Comptroller General of the United States appointed the Advisory Council on Government Auditing Standards to review the standards and recommend necessary changes. The Advisory Council includes experts in financial and performance auditing drawn from all levels of government, private enterprise, public accounting, and academia. Public comment is requested on all draft revisions to the standards. This exposure draft reflects the Advisory Council's advice to the Comptroller General.

To assist you in developing your comments, this letter discusses the proposed GAGAS framework and encloses a listing of the proposed changes to GAGAS made for consistent application of the standards or for strengthening or streamlining the standards.

The types of audits and services and applicable standards are organized by separate chapters for financial audits, attestation engagements, and performance audits in order to make the standards user friendly. For example, the financial audit and attestation chapters are directed at auditors with a financial audit background and the required knowledge of the American Institute of Certified Public Accountants' (AICPA) Generally Accepted Auditing Standards (GAAS) and Attestation Standards. The performance audit chapters are written to avoid use of terminology drawn from financial audits.

The financial audit presentation proposes retaining the current format of separate chapters for field and reporting standards. The term financial audit is defined to include financial statement audits and other services covered by GAAS and the AICPA's Statements on Auditing Standards (SASs), which interpret the standards. These other services are defined in the SASs and include areas such as special reports, reviews of interim financial information, letters to underwriters and certain other requesting parties, compliance auditing, and audits of service organizations.

Attestation engagements are defined as those services performed under the AICPA's Attestation Standards and the related Statement on Standards for Attestation Engagements (SSAEs), which interpret the standards. As the proposed additional GAGAS standards are fewer than for financial audits, the field and reporting standards are presented in a single chapter.

GAGAS proposes recognizing the overlap between attestation engagement objectives and performance audit objectives and allowing the services that overlap to be performed under either set of standards. Therefore, GAGAS simply proposes to recognize the reality of current practice. Namely, performance auditors provide these services using performance audit standards, and financial auditors are likely to provide these services using the attestation standards. We are not aware of any problems that have arisen as a result of this practice.

The presentation of the financial audit chapters proposes eliminating the term "financial related audits" by specifically recognizing the services in addition to financial statement audits that are covered by the AICPA's Statements on Auditing Standards in chapters 4 and 5 or by the Statement on Standards for Attestation Engagements in chapter 6. The term "financial related audits" was the source of considerable confusion to the users of GAGAS. By specifically recognizing the services covered by the AICPA's SASs and SSAEs, we have proposed clarifying what in fact was intended by this term, but not always understood by the users of GAGAS.

The proposed changes related to performance audits retain the current presentation of separate chapters for field and reporting standards. The Advisory Council has recognized that GAGAS applicable to the performance audit objectives of effectiveness, economy and efficiency, internal control, and compliance are also applicable to prospective analyses, guidance, or summary information. Therefore, we have proposed including that latter objective in the definition of performance audits, as discussed in chapter 2, and in the presentation of field work and reporting standards, in chapters 7 and 8, applicable to the various objectives of performance audits. We believe this is a more logical and user friendly presentation than having a separate chapter discussing the field work and reporting standards for these objectives that would only tell the auditor to follow the same standards applicable to other types of performance audit objectives.

Chapter 2 of this exposure draft discusses nonaudit services provided by audit organizations that are not covered by GAGAS. These services generally differ from financial audits, attestation engagements, and performance audits in that auditors may (1) provide information or data to a requesting party without providing verification, analysis, or evaluation of the information or data, and therefore the work does not usually provide a basis for conclusions, recommendations, or opinions on the information or data, or (2) perform tasks requested by management that directly support the entity's operations, such as asset evaluation, actuarial services, or information system design services. Audit organizations are encouraged to establish policies for maintaining the quality of this type of work. This exposure draft does not discuss the impact of the provision of nonaudit services on auditor independence. That issue was addressed in the May 2001 exposure draft and comments are currently being considered.

As previously stated, we are enclosing a numbered listing of the more significant proposed changes made to the chapters for consistent application of GAGAS and the proposed changes made to strengthen or streamline GAGAS. The enclosure includes a reference to the applicable proposed revised paragraph(s) of GAGAS. The enclosure does not include the proposed reorganization of the order of presentation to provide a more logical grouping of the standards by function, such as planning, audit documentation, report content, and the audit process. This proposed type of change was primarily made to the presentation of the performance audit chapters.

Given the extensiveness of the proposed revisions, we plan to issue a new version of GAGAS that will incorporate existing amendments. We expect this revision of the standards to supersede the 1994 revision, including amendments 1 and 2. Thereafter, we intend to continue our policy of issuing amendments addressing specific issues as needed. We anticipate this revision of the standards, when finalized, will become effective for financial audits of periods ending on or after January 1, 2003, and for attestation engagements and performance audits beginning on or after January 1, 2003.

This draft is being sent to financial management and audit officials at all levels of government, the public accounting profession, academia, professional organizations, and public interest groups. We encourage you to send your comments, whether you wish to comment on the entire document or only a portion of it. It would be helpful to key your comments to the specific paragraph numbers, give your rationale for any proposed changes, and suggest revised language.

Additional copies of this exposure draft can be obtained from the U.S. General Accounting Office, Room 1100, 700 4th Street, NW, Washington, DC 20548 or by calling (202) 512-6000.

A marked version of the exposure draft is available on the Internet on GAO's Home Page (www.gao.gov/govaud/ybk01.htm). In the marked version, italicizing and bolding are used to identify potential added language and striking-out is used to identify potential deleted language from the 1994 revision of Government Auditing Standards, as currently amended.

Since GAO is still experiencing delays in mail delivery, it would be preferable if you sent your comments via e-mail to [email protected]. To ensure that your comments are considered by the Advisory Council in their deliberations, please submit them by April 30, 2002. If you need to use the mail, it would be helpful if you sent your comments both in writing and on diskette (in Word or ASCII format). Please send any mail to the following address:

Government Auditing Standards Comments
U.S. General Accounting Office
Room 5X16 (FMA)
441 G Street, NW
Washington, DC 20548

If you need additional information, please call Marcia Buchanan, Assistant Director, Financial Management and Assurance at (202) 512-9321 or Cheryl Clark, Assistant Director, Financial Management and Assurance at (202) 512-9377.

Sincerely yours,

Jeffrey C. Steinhoff
Managing Director
Financial Management and Assurance

Enclosures

Enclosure

Proposed changes made for consistent application of GAGAS where applicable:

1. For attestation engagements: require the additional GAGAS field work standards for auditor communication for all levels of work (par. 6.5-6.6); follow-up (par. 6.8-6.10); audit documentation (par. 6.11-6.17); internal control for examination level work (par. 6.18-6.19); and fraud, illegal acts, and other noncompliance for examination level work (par. 6.20-6.22)

2. For attestation engagements: require additional GAGAS reporting standards for reporting compliance with GAGAS (par. 6.25-6.27); reporting on internal control and on fraud, illegal acts, and other noncompliance when the work identifies deficiencies for all levels of attestation engagements (par. 6.28-6.31); views of responsible officials (par. 6.32-6.36); privileged and confidential information (par. 6.37-6.38); and report issuance and distribution (par. 6.39-6.43)

3. For performance audits: add a requirement that when using the work of a specialist, performance auditors be able to articulate the specialist's objectives, evaluate procedures used, and evaluate the results of the procedures or use another specialist for these purposes (par. 7.30-7.31)

4. For performance audits: add requirements consistent with Amendment No. 1, requiring documentation of decisions related to internal control over data significantly dependent on computerized information systems (par. 7.57), and Amendment No. 2, Auditor Communication (par. 7.32-7.33)

Proposed changes in requirements to strengthen/streamline GAGAS

5. Require, as part of the due care standard, that auditors exercise professional skepticism and perform their work with integrity (par. 3.6-3.7)

6. Require that audit organizations have a human capital management system (par. 3.10)

7. Require that auditors collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on the assignment (par. 3.12)

8. Specifically state that auditors should have knowledge of GAGAS applicable to the work they are assigned (par. 3.12a.) and knowledge of the specific environment in which the audited entity operates and the subject matter under review (par. 3.12b.)

9. Require that auditors be proficient in the AICPA Statements on Standards for Attestation Engagements when performing attestation engagements (par. 3.13a.) and that public auditors be licensed CPAs or work for a licensed CPA firm if engaged to perform an attestation engagement (par. 3.13b.)

10. Require that CPE directly contribute to the auditor's professional proficiency to perform work under GAGAS (par. 3.14)

11. Require external consultants/internal specialists that are responsible for following GAGAS in planning and directing an assignment, performing substantial portions of field work, or reporting on the assignment meet CPE requirements (par. 3.18)

12. Require that the internal quality control system include procedures for monitoring, on an ongoing basis, whether the policies and procedures related to the standards are suitably designed and are being effectively applied (par. 3.20)

13. Require that an audit organization prepare documentation to demonstrate compliance with its policies and procedures for its system of quality control (par. 3.21)

14. Specifically state that extensions of quality assurance review timeframes granted by other professional bodies are not recognized under GAGAS (par. 3.22, f/n. 7)

15. Require that organizations conducting external peer reviews have received an unqualified opinion on the review of their organization's system of quality controls (par. 3.23b.)

16. Require that peer reviewers have knowledge and training on how to perform a peer review (par. 3.23c.)

17. Expand what is included in the peer review report (par. 3.23g.)

18. Require auditors to transmit their peer review reports to appropriate oversight bodies and provide a copy of their peer review report to auditors using their work (par. 3.25)

19. Specifically incorporate the AICPA's general standard on criteria for attestation engagements (par. 6.1)

20. Require that audit organizations establish policies and procedures for custody and retention of audit documentation (par. 4.24, 6.15, 7.67)

21. Require documentation when applicable standards are not followed (par. 4.22b, 6.16b, 7.68b)

22. Permit auditor judgment to exclude reporting certain information (par. 5.34, 6.38, 8.34) and to act with integrity in making this judgment (par. 8.35)

23. Revise the requirement for a written report to require a report for which the auditor can make a judgment as to the appropriate form (par. 8.3)

24. Require reporting whether the results from a sample can be projected to the intended population (par. 8.11)

25. Permit oral agency comments to be equally acceptable as written comments (par. 5.29, 6.34, 8.30)

26. Delete the specific statement that external quality control reviews conducted through or by other professional bodies meet GAGAS requirements

27. Delete the standard requiring auditors to refer significant issues needing further study

28. Delete the requirement for auditors to report noteworthy accomplishments

ABBREVIATIONS

AICPA   American Institute of Certified Public Accountants
CPA     certified public accountant
FASAB   Federal Accounting Standards Advisory Board
FASB    Financial Accounting Standards Board
GAAS    AICPA's generally accepted auditing standards
GAGAS   generally accepted government auditing standards
GASB    Governmental Accounting Standards Board
GAO     General Accounting Office
OMB     Office of Management and Budget
SASs    AICPA's statements on auditing standards
SSAEs   AICPA's statement on standards for attestation engagements

CHAPTER 1

INTRODUCTION

PURPOSE

1.1 The standards and guidance contained in this document, often referred to as generally accepted government auditing standards (GAGAS), are intended for use by government auditors[1] to ensure that they maintain integrity, objectivity, and independence in planning, conducting, and reporting their work, and are to be followed by auditors and audit organizations when required by law, regulation, contract, agreement, or policy.[2] The work performed in accordance with GAGAS is referred to as audits and attestation engagements. This work, which is described in this chapter and more fully in chapter 2, includes financial audits, attestation engagements, and performance audits. Users of government audits and attestation engagements that are performed in accordance with GAGAS should have confidence that the work is objective and credible.

1.2 The standards and guidance in this document are for audits and attestation engagements of government entities, programs,[3] activities, and services, and of government assistance administered by contractors, nonprofit entities, and other nongovernment entities. Adherence to GAGAS can help ensure that audits and attestation engagements provide credibility to the information reported by or obtained from management through objectively acquiring and evaluating evidence. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, decision-making, and oversight, and can assist in fulfilling the government's duty to be accountable to the public. GAGAS pertain to auditors' professional qualifications and the quality of their work, the performance of field work, and the characteristics of meaningful audit reporting.

1.3 This chapter describes the applications of GAGAS by auditors and audit organizations. This chapter also describes the concept of accountability for public resources and discusses the responsibilities of managers of government programs, auditors, and audit organizations in the audit process.

[1] This document addresses the standards that should be used by the individuals conducting the broad array of work that is described more fully in chapter 2. Accordingly, the focus of this document is not on the wide variety of titles that are used by individuals conducting and reporting on this work, but instead the nature of the work that is being performed. The term "auditor" throughout this document includes individuals who may be titled auditor, analyst, evaluator, or a similar position description.

[2] Requirements in GAGAS are identified by statements that include the word "should." Auditors are expected to comply with these requirements if they apply to the type of work being performed. Auditors are strongly encouraged to comply with the guidance provided by GAGAS.

[3] Henceforth, the term "program" will be used in this document to include government entities, services, and activities.

APPLICABILITY

1.4 GAGAS are intended to be followed in performing audits and attestation engagements. A number of statutes and other mandates require that auditors follow GAGAS. Where a statute or other mandate does not exist, auditors will find it useful to use GAGAS in work regarding the use of government funds. If auditors hold themselves out as following GAGAS, regardless of whether they are required to follow such standards, they need to justify any departures from them.

1.5 The following laws, regulations, or guidelines require use of GAGAS:

a. The Inspector General Act of 1978, as amended, 5 U.S.C. App. (2000) requires that the statutorily-appointed federal inspectors general comply with GAGAS for audits of federal entities, programs, activities, and functions. The act further states that the inspectors general should take appropriate steps to ensure that any work performed by nonfederal auditors complies with GAGAS.

b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as expanded by the Government Management Reform Act of 1994 (Public Law 103-356), requires that GAGAS be followed in audits of federal departments' and agencies' financial statements.

c. The Single Audit Act Amendments of 1996 (Public Law 104-156) require that GAGAS be followed in audits of state and local governments and nonprofit entities that receive federal financial assistance. OMB Circular A-133, "Audits of States, Local Governments, and Non-profit Organizations," which provides the governmentwide guidelines and policies on performing audits to comply with the Single Audit Act, also requires the use of GAGAS.

1.6 Auditors need to be alert to other laws, regulations, or other authoritative sources that could require the use of GAGAS. For example, state and local laws and regulations may require auditors at the state and local levels of government to follow these standards. Also, the terms of an agreement or contract may require auditors to comply with GAGAS. Federal audit guidelines pertaining to program requirements, such as those issued for Housing and Urban Development and Student Financial Aid programs, may require that GAGAS be followed.

1.7 Even if not required to do so, auditors would find it useful to follow GAGAS in performing audits of federal, state, and local government programs as well as in performing audits of government assistance administered by contractors, nonprofit entities, and other nongovernment entities. Many audit organizations not formally required to do so, both in the United States and in other countries, voluntarily follow GAGAS.

1.8 Auditors may provide professional services, other than audits and attestation engagements, that consist solely of gathering, providing, and explaining information requested by decision-makers or of providing advice or assistance to management officials. GAGAS are not applicable to these other professional services, which are described more fully in chapter 2. However, providing other professional services may affect an audit organization's independence to conduct audits, which is discussed in chapter 3.

Relationship between GAGAS and Other Professional Standards

1.9 GAGAS may be used in conjunction with professional standards issued by other authoritative bodies. For example, the American Institute of Certified Public Accountants (AICPA) has issued professional standards that apply in financial audits and attestation engagements. GAGAS incorporate the AICPA's field work and reporting standards and the related statements on the standards for financial audits unless specifically excluded, as discussed in chapters 4 and 5. GAGAS incorporate the AICPA's general standard on criteria, and the field work and reporting standards and the related statements on the standards for attestation engagements, unless specifically excluded, as discussed in chapter 6. To meet the needs of users of government audits and attestation engagements, GAGAS also prescribe additional requirements to those provided by the AICPA for these types of work.

1.10 Other professional standards which may be used by auditors are issued by such bodies as the Institute of Internal Auditors (Codification of the Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, Inc.), and the American Evaluation Association, which has developed guiding principles for evaluators (Guiding Principles for Evaluators, a report from the American Evaluation Association Task Force on Guiding Principles for Evaluators). These other professional standards are not incorporated into GAGAS, but can be used in conjunction with GAGAS.

ACCOUNTABILITY

1.11 The concept of accountability for public resources is inherent in our nation's governing processes. Legislators, other government officials, and the public want to know whether (1) government resources are managed properly and used in compliance with laws and regulations, (2) government programs are achieving their objectives and desired outcomes, and (3) government programs are being provided efficiently, economically, and effectively. Managers of these programs are often asked to render an account of their activities and related results to legislative bodies and the public.

1.12 Financial audits contribute to making governments more accountable for the use of public resources. The auditor, in providing an independent report on whether an entity's financial information is presented fairly in accordance with recognized criteria, informs users whether they can rely on the information. Financial audits performed in accordance with GAGAS also provide information about internal control and compliance with laws and regulations as they relate to financial transactions, systems, and processes.

1.13 Attestation engagements also contribute to governments' accountability for the use of public resources and the delivery of services. In an attestation engagement, auditors issue an examination, a review, or an agreed-upon procedures report on the subject matter or on an assertion about the subject matter, based on or in conformity with criteria, that is the responsibility of another party. Attestation engagements can cover a broad range of financial or nonfinancial objectives and provide various levels of assurance about the subject matter or assertion dependent upon the user's needs.

1.14 Performance audits also contribute to governments' accountability for the use of public resources and for the delivery of services. The term performance audit is used to include a variety of objectives to meet users' needs. Performance audits provide an independent assessment of the performance and management of government programs against objective criteria or an assessment of best practices and other information. Performance audits provide information to improve program operations and facilitate decision-making by parties with responsibility to oversee or initiate corrective action, and improve public accountability. The term performance audit is used generically to include work classified by some audit organizations as program evaluations, program effectiveness and results audits, economy and efficiency audits, operational audits, and value-for-money audits.

1.15 Given the importance and complexity of government programs in providing a variety of public services, auditors are increasingly being called on by legislative bodies and government agencies to expand the variety of performance audits to include work that has a prospective focus or provides guidance, best practice information, or information on issues that affect multiple programs or entities already studied or under study by an audit organization. This work may also include an assessment of policy alternatives, identification of risks and risk mitigation efforts, and a variety of analytical services to aid government officials in performing their responsibilities and stewardship of government resources. Such work, like other performance audits, involves a level of analysis, research, or evaluation; may provide conclusions and recommendations; and results in a report.

ROLES AND RESPONSIBILITIES

1.16 Management and auditors of government programs fulfill essential roles and responsibilities in ensuring that public resources are used efficiently, economically, effectively, and legally. Audit organizations also have the important responsibility for ensuring that auditors can meet their responsibilities. These unique roles involve sound management practices and professional audits and attestation engagements.

Management's Role

1.17 Management entrusted with handling public resources (for example, managers of a state or local governmental entity or a nonprofit entity that receives federal assistance) is responsible for applying those resources efficiently, economically, effectively, and legally to achieve the purposes for which the resources were furnished or the program was established. This responsibility applies to all resources, both financial and physical, whether entrusted to public officials or others by their own constituencies or by other levels of government.

1.18 Management entrusted with public resources is responsible for complying with applicable laws and regulations. That responsibility encompasses identifying the requirements with which the entity and the official must comply and implementing systems designed to achieve that compliance.

1.19
677
Management entrusted with public resources is responsible
678
for establishing and maintaining effective internal control to
679
ensure that appropriate goals and objectives are met; resources are
680
received, used efficiently and effectively, and safeguarded; laws
681
and regulations are followed; and reliable data are obtained,
682
maintained, and fairly disclosed. Management is responsible for
683
providing appropriate reports to those who oversee their actions
684
and to the public in order to be accountable for the resources used
685
to carry out government programs and the results of these
686
programs.
687
688
689
1.20 Management is responsible for addressing the findings and
recommendations of auditors, and for establishing and maintaining a
process to track the status of such findings and
recommendations.

1.21 Management is responsible for following sound procurement
practices when contracting for audits and attestation engagements,
including having procedures in place for monitoring contract
performance. The objectives and scope of the assignment need to be
made clear. In addition to price, other factors that may be
considered in evaluating bid proposals include the responsiveness
of the bidder to the request for proposal; the experience of the
bidder; the availability of the bidder's staff who have the
appropriate professional qualifications and technical abilities;
and the results of the bidder's peer reviews.

Auditors' Responsibilities

1.22 Auditors in discharging their professional
responsibilities need to observe the principles of serving the
public interest and maintaining the highest sense of integrity,
objectivity, and independence. These principles are fundamental to
the responsibilities of auditors and the auditing
profession.

1.23 Auditors are responsible to accept the obligation to act
in a way that will serve the public interest, honor the public
trust, and uphold their professionalism. A distinguishing mark of a
profession is acceptance of its responsibility to the public. This
responsibility is critical when auditing in the government
environment. Because the concept of accountability underlies GAGAS,
this need to serve the public interest is essential for all work
done in accordance with GAGAS.

1.24 Auditors need to make decisions that are consistent with
the public interest in the program or activity under audit. The
public interest is defined as the collective wellbeing of the
community of people and entities the auditor serves. In discharging
their professional responsibilities, auditors may encounter
conflicting pressures from management of the audited entity,
various levels of government, employers, and others who rely on the
objectivity and independence of the auditors. In resolving those
conflicts, auditors are responsible to act with integrity, guided
by the precept that when auditors fulfill their responsibilities to
the public, these individuals' and organizations' interests are
best served.

1.25 To maintain and broaden public confidence, auditors need
to perform all professional responsibilities with the highest sense
of integrity. Auditors are responsible to be honest and candid with
the audited entity and users of the auditors' work in the conduct
of their work, within the constraints of the audited entity's
confidentiality. Service and the public trust should not be
subordinated to personal gain and advantage. Integrity can
accommodate the inadvertent error and the honest difference of
opinion; it cannot accommodate deceit or subordination of
principle. Integrity requires auditors to observe both the form
and the spirit of technical and ethical standards; circumvention
of those standards constitutes subordination of judgment.
Integrity also requires auditors to observe the principles of
objectivity and independence.

1.26 Auditors are responsible to maintain objectivity and be
free of conflicts of interest in discharging their professional
responsibilities. Auditors are also responsible to be independent
in fact and appearance when providing audit and attestation
services. Objectivity is a state of mind that requires auditors to
be impartial, intellectually honest, and free of conflicts of
interest. Independence precludes relationships that may in fact or
appearance impair an auditor's objectivity in performing the audit.
The maintenance of objectivity and independence requires continuing
assessment of relationships with the audited entities and public
responsibility.

1.27 In applying GAGAS, auditors are responsible for using
professional judgment when establishing scope and methodologies for
their work, determining the tests and procedures to be performed,
conducting the work, and reporting the results. Auditors need to
maintain integrity and objectivity when doing their work to make
decisions that are consistent with the broader public interest in
the program or activity under review. When reporting on the results
of their work, auditors are responsible for disclosing all material
or significant facts known to them which, if not disclosed, could
mislead knowledgeable users, misrepresent the results, or conceal
improper or unlawful practices.

1.28 Auditors are responsible for helping management and other
report users understand the auditors' responsibilities under GAGAS
and other audit coverage required by law or regulation. To help
managers and other report users understand an audit's objectives,
time frames, and data needs, auditors need to communicate
information concerning the planning, conduct, and reporting of the
assignment to the parties involved.

Audit Organizations' Responsibilities

1.29 Audit organizations also have the responsibility for
ensuring that (1) independence and objectivity are maintained in
all phases of the assignment, (2) professional judgment is used in
planning and performing the work and in reporting the results, (3)
the work is performed by personnel who are professionally
competent, and (4) their systems of quality control are
periodically examined by independent peers to ensure that they have
in place appropriately designed policies, procedures, and practices
that are functioning effectively to meet professional
standards.

1.30 While management is responsible for addressing audit and
attestation engagement findings and recommendations and tracking
their status of resolution, audit organizations are responsible for
establishing policies and procedures for follow-up to determine
whether previous findings and recommendations are addressed and are
considered in planning future assignments.

CHAPTER 2
TYPES OF GOVERNMENT AUDITS AND ATTESTATION ENGAGEMENTS
INTRODUCTION

2.1 This chapter describes the types of audits and
attestation engagements that audit organizations perform, or
arrange to have performed, of government, programs,1 and of
government assistance administered by contractors, nonprofit
entities, and other nongovernment entities. This description is not
intended to limit or require the types of audits or attestation
engagements that may be performed or arranged to be performed. In
performing work described below in accordance with generally
accepted government auditing standards (GAGAS), auditors should
follow the applicable standards included and incorporated in
chapters 3 through 8. This chapter also describes other
professional services that audit organizations provide, although
these services are not covered by GAGAS.

2.2 All assignments begin with objectives, and those
objectives determine the type of work to be performed and the audit
standards to be followed. The types of work, as defined by their
objectives that are covered by GAGAS, are classified in these
standards as financial audits, attestation engagements, and
performance audits.

2.3 Assignments may have a combination of objectives that
include more than one type of work described in this chapter or may
have objectives limited to only some aspects of one type of work.
Auditors should follow the standards that are applicable to the
individual objectives of the audit or attestation
engagement.

1 The term "program" is used to include entities, services, and
activities.

FINANCIAL AUDITS

2.4 Financial audits primarily concern providing reasonable
assurance about whether financial statements are presented fairly
in all material respects in conformity with generally accepted
accounting principles (GAAP),2 or with a comprehensive basis of
accounting other than GAAP. Other objectives of financial audits
may include
a. providing special reports for specified elements,
accounts, or items of a financial statement;
b. reviewing interim financial information or segments of
financial statements;
c. issuing letters for underwriters and certain other
requesting parties;
d. reporting on the processing of transactions by service
organizations; and
e. auditing compliance with regulations relating to
governmental financial assistance.

2.5 Financial audits are performed under the American Institute
of Certified Public Accountants' (AICPA) generally accepted
auditing standards for field work and reporting, as well as the
related AICPA Statements on Auditing Standards (SASs) which
interpret the standards and provide guidance on conducting such
work.3 Accordingly, auditors performing financial audits need to be
proficient in applying the AICPA standards and guidance contained
in the SASs. GAGAS prescribe general standards and additional
field work and reporting requirements beyond those provided by the
AICPA when performing financial audits. (See chapters 3, 4, and 5
for standards and guidance for auditors performing a financial
audit in accordance with GAGAS.)

2 Three authoritative bodies for generally accepted accounting
principles (GAAP) are the Governmental Accounting Standards Board
(GASB), the Financial Accounting Standards Board (FASB), and the
Federal Accounting Standards Advisory Board (FASAB). GASB
establishes accounting principles and financial reporting standards
for state and local government entities. FASB establishes
accounting principles and financial reporting standards for
nongovernment entities. FASAB promulgates accounting principles and
financial reporting standards for the federal government.

3 GAGAS incorporate all AICPA field work and reporting auditing
standards and the related SASs unless the Comptroller General of
the United States excludes them by formal announcement. To date,
the Comptroller General has not excluded any AICPA field work or
reporting auditing standards or any SASs.

ATTESTATION ENGAGEMENTS

2.6 Attestation engagements concern examining, reviewing, or
performing agreed upon procedures on a subject matter or an
assertion4 about a subject matter and reporting on the results. The
subject matter of an attestation engagement may take many forms,
including historical or prospective performance or condition,
physical characteristics, historical events, analyses, systems and
processes, or behavior. Attestation engagements can cover a broad
range of financial or nonfinancial objectives and can be part of a
financial audit or other type of audit. Examples of objectives of
attestation engagements include reporting on
a. an entity's internal control over financial
reporting;
b. an entity's compliance with requirements of specified
laws, regulations, rules, contracts, or grants;
c. the effectiveness of an entity's internal control over
compliance with specified requirements, such as those governing the
bidding for, accounting for, and reporting on grants and
contracts;
d. management's discussion and analysis (MD&A)
presentation;
e. prospective financial statements or pro forma financial
information;
f. the reliability of performance measures;
g. final contract cost; and
h. allowability and reasonableness of proposed contract
amounts.5

4 An assertion is any declaration or set of declarations about
whether the subject matter is based on or in conformity with the
criteria selected.

2.7 Attestation engagements are performed under the AICPA's
attestation standards, as well as the related AICPA Statements on
Standards for Attestation Engagements (SSAEs) which interpret the
standards and provide guidance on conducting such work.6
Accordingly, auditors performing attestation engagements need to be
proficient in applying the AICPA standards and guidance contained
in the SSAEs. GAGAS prescribe general standards and additional
field work and reporting requirements beyond those provided by the
AICPA for attestation engagements. (See chapters 3 and 6 for
standards and guidance for auditors performing an attestation
engagement in accordance with GAGAS.)

PERFORMANCE AUDITS

2.8 A performance audit is an objective and systematic
examination of evidence to provide an independent assessment of the
performance and management of a program against objective criteria
or an assessment of best practices and other information.
Performance audits provide information to improve program
operations and facilitate decisionmaking by parties with
responsibility to oversee or initiate corrective action, and
improve public accountability. Performance audits encompass a wide
variety of objectives including objectives related to assessing
program effectiveness and results; economy and efficiency; internal
control;7 and compliance with legal or other requirements; and
objectives related to providing prospective analyses, guidance, or
summary information. Performance audits also may encompass a broad
or narrow scope of work and a variety of methodologies; involve a
level of analysis, research, or evaluation; generally provide
conclusions and recommendations; and result in a report. (See
chapters 3, 7, and 8 for standards and guidance for auditors
performing a performance audit in accordance with GAGAS.)

5 Some of these examples of attestation engagement objectives are
similar to some of the performance audit objectives listed in
paragraphs 2.9 through 2.11. Depending on user needs and the
auditor's qualifications, the auditor may choose to apply
performance audit standards in chapters 7 and 8 to the objectives
in paragraph 2.6 instead of following the attestation standards in
chapter 6.

6 GAGAS incorporate the AICPA's general attestation standard on
criteria and all the AICPA's field work and reporting attestation
standards and the related SSAEs unless the Comptroller General of
the United States excludes them by formal announcement. To date,
the Comptroller General has not excluded any AICPA field work or
reporting attestation standards or SSAEs.

2.9 Program effectiveness and results audit objectives address
the effectiveness of a program and typically measure the extent to
which a program is achieving its goals and objectives. Economy and
efficiency audit objectives concern whether an entity is acquiring,
protecting, and using its resources in the most productive manner
to achieve program objectives. These audit objectives are often
interrelated and may be concurrently addressed in a performance
audit. Examples of program effectiveness and results and economy
and efficiency audit objectives include assessing
a. the extent to which legislative, regulatory, or
organizational goals and objectives are being achieved;
b. the relative utility of alternative approaches to yield
better program performance or eliminate factors that inhibit
program effectiveness;
c. the relative cost and benefits or cost effectiveness of
program performance;8
d. whether a program produced intended results or produced
effects that were not intended by the program's established or
stated objectives;
e. the extent to which programs duplicate, overlap, or
conflict with other related programs;
f. whether the audited entity is following sound procurement
practices;
g. the validity and reliability of performance measures
concerning program effectiveness and results, or economy and
efficiency; and
h. the financial information related to the performance of a
program.

7 The term internal control in this document is synonymous with
the term management control and, unless otherwise stated, covers
all aspects of an entity's operations (programmatic, financial, and
compliance).

8 These objectives focus on combining cost information
with information about outputs or the benefit provided, and
outcomes or the results achieved.

2.10 Internal control audit objectives relate to management's
plans, methods, and procedures used to meet its mission, goals, and
objectives. Internal controls include the processes and procedures
for planning, organizing, directing, and controlling program
operations, and the system put in place for measuring, reporting,
and monitoring program performance. Examples of audit objectives
related to internal control include the extent that internal
controls of a program provide reasonable assurance that
a. organizational missions, goals, and objectives are
achieved effectively and efficiently;
b. resources are used in compliance with laws, regulations,
or other requirements;
c. resources are safeguarded against unauthorized
acquisition, use, or disposition;
d. management information and public reports that are
produced, such as performance measures, are complete, accurate, and
consistent to document performance and support
decisionmaking;
e. security over computerized information systems will
prevent or detect unauthorized access; and
f. contingency planning for information systems provides
essential back-up to prevent unwarranted disruption of activities
and functions the systems support.

2.11 Compliance audit objectives relate to compliance criteria
established by laws, regulations, contract provisions, grant
agreements, and other requirements9 that could affect the
acquisition, protection, and use of the entity's resources, and the
quantity, quality, timeliness, and cost of services the entity
produces and delivers. Compliance objectives also concern the
purpose of the program, the manner in which it is to be conducted
and services delivered, and the population it serves.

2.12 Audit organizations are increasingly undertaking work
that is similar to the traditional performance audit but may have a
prospective focus or may provide guidance, best practice
information, or information on cross-cutting issues already studied
or under study by an audit organization. While this work generally
does not involve assessing specific ongoing programs, it may use
data from relevant audit work for comparative or baseline purposes.
This performance-related work may encompass a broad or narrow range
of objectives and scope of work; use a variety of methodologies;
involve a level of analysis, research, or evaluation; generally
provide conclusions and recommendations; and result in a report. It
is also subject to the same standards as performance audits.
Examples of objectives pertaining to this work include
a. assessing program or policy alternatives, including
forecasting program outcomes under various assumptions;
b. assessing the advantages and disadvantages of legislative
proposals;
c. conducting surveys to obtain and analyze views of
stakeholders on policy proposals for decisionmakers;
d. analyzing budget proposals or budget requests to assist
legislatures in the budget process;
e. developing methods or approaches for use in evaluating
new or proposed programs;
f. producing a high-level summary or a report that affects
multiple programs or entities on issues studied or under study by
the audit organization; and
g. developing guidance documents such as those based on best
practices research and syntheses for management's use in evaluating
program or management system approaches, including financial and
information management systems.10

9 Compliance requirements can be either financial or
nonfinancial in nature.

NONAUDIT SERVICES OF AUDIT ORGANIZATIONS

2.13 Audit organizations may also provide nonaudit services that
are not covered by GAGAS. These nonaudit services consist of
gathering, providing, or explaining information requested by
decision makers or providing advice or assistance to management
officials. Nonaudit services generally differ from financial
audits, attestation engagements, and performance audits described
above in that auditors provide information or data to a requesting
party without providing verification, analysis, or evaluation of
the information or data, and therefore the work does not usually
provide a basis for conclusions, recommendations, or opinions on
the information or data. These other services may or may not result
in a report. Some examples of these other professional services
include
a. assisting a legislative body by developing questions for
use at a hearing;
b. gathering and reporting unverified external or
third-party data to aid legislative and administrative decision
making;
c. compiling or reviewing financial statements or other
information to assist entities and management
officials;11
d. advising an entity regarding its performance of internal
control self-assessments;
e. providing professional advice to entities and management
officials to assist them in activities such as the design or
installation of information systems and related internal control
activities;
f. valuing an entity's pension, other postemployment
benefit, or other similar liabilities;
g. preparing an entity's indirect cost proposal or cost
allocation plan;
h. providing human resource services to assist management in
its evaluation of potential candidates; and
i. development of audit methodologies, policies, and
procedures.

10 These guidance documents may also be used by auditors in
planning and performing their work.

2.14 GAGAS do not cover nonaudit services described in this
chapter as such services are not audits or attestation engagements.
Therefore, auditors should not report that such services were
conducted in accordance with GAGAS. However, audit organizations
are encouraged to establish policies for maintaining the quality of
this type of work, and may wish to disclose in any product
resulting from this work, any other professional standards followed
and the quality control steps taken.

11 This type of work is covered under the AICPA's Statements on
Standards for Accounting and Review Services (SSARS), which are not
incorporated into GAGAS since the work covered by the SSARS is not
considered an audit.

CHAPTER 3
GENERAL STANDARDS
INTRODUCTION

3.1 This chapter prescribes general standards and provides
guidance for performing financial audits, attestation engagements,1
and performance audits. These general standards concern the
fundamental requirements for ensuring the credibility of auditors'
results. Credibility is essential to all audit organizations
performing work that government leaders and other users rely on for
making decisions, and is what the public expects of information
provided by auditors. These general standards encompass the
independence of the audit organization and its individual auditors;
the exercise of professional judgment in the performance of work
and the preparation of related reports; the competence of audit
staff, including their continuing professional education; and the
existence of quality control systems and external peer
reviews.

3.2 These general standards provide the underlying framework
that is critical in effectively applying the field work and
reporting standards described in the following chapters, in
performing the detailed work associated with the assignment, and in
preparing related reports and other products. Therefore, these
general standards are required to be followed by all auditors and
audit organizations, both government and nongovernment, performing
work under generally accepted government auditing standards
(GAGAS).

1 See chapter 6 for an additional general standard auditors
should follow when performing an attestation engagement.

INDEPENDENCE

[Refer to Amendment No. 3, Independence. The following paragraph
numbers will change accordingly.]

PROFESSIONAL JUDGMENT

3.3 The second general standard is:

Professional judgment should be used in planning and performing
audits and attestation engagements, and in reporting the
results.

3.4 This standard requires auditors to observe the principles
of serving the public interest and maintaining the highest sense of
integrity, objectivity, and independence in applying professional
judgment2 in all aspects of their work. This standard also imposes
a responsibility upon each auditor within the audit organization to
observe GAGAS. If auditors hold themselves out as following GAGAS,
regardless of whether they are required to follow such standards,
they need to justify any departures from them.

3.5 Auditors should use professional judgment in determining
the type of assignment to be performed and the standards that apply
to the work; establishing the scope of work; selecting the
methodology; determining the type and amount of evidence to be
gathered; and choosing the tests and procedures for their work.
Professional judgment also should be applied in performing the
tests and procedures and in evaluating and reporting the results of
the work.

2 Professional judgment is synonymous with due professional care
as defined in the American Institute of Certified Public
Accountants (AICPA) standards. While the principles of serving the
public interest and maintaining the highest sense of integrity,
objectivity, and independence are not explicitly stated in the
AICPA's due professional care standard, these principles serve as
the framework for all AICPA rules and standards.

3.6 Professional judgment requires auditors to exercise
professional skepticism, which is an attitude that includes a
questioning mind and a critical assessment of evidence. Auditors
use the knowledge, skills, and experience called for by their
profession to diligently perform, in good faith and with integrity,
the gathering of evidence and objective evaluation of the
competency and sufficiency of evidence. Since evidence is gathered
and evaluated throughout the assignment, professional skepticism
should be exercised throughout the assignment.

3.7 Auditors neither assume that management is dishonest nor
assume unquestioned honesty. In exercising professional skepticism,
auditors should not be satisfied with less than persuasive evidence
because of a belief that management is honest.

3.8 The exercise of professional judgment allows the auditor
to obtain reasonable assurance that material misstatements or
significant inaccuracies in data will be detected if they exist.
Absolute assurance is not attainable because of the nature of
evidence and the characteristics of fraud. Therefore, an audit or
attestation engagement conducted in accordance with GAGAS may not
detect a material misstatement or significant inaccuracy, whether
from error or fraud. Accordingly, while this standard places
responsibility on each auditor and audit organization to exercise
professional judgment in planning and performing an assignment, it
does not imply unlimited responsibility, nor does it imply
infallibility on the part of either the individual auditor or the
audit organization.

COMPETENCE

3.9 The third general standard is:

The staff assigned to perform the assignment should collectively
possess adequate professional competence for the tasks
required.

3.10 This standard places responsibility on audit
organizations to ensure that each assignment is performed by staff
who collectively have the knowledge, skills, and experience
necessary for that assignment. Audit organizations should have a
process, such as a human capital system, for recruitment, hiring,
continuous development, and evaluation of staff to assist the
organization in maintaining a workforce that has adequate
competence.

3.11 The competencies discussed below apply to the knowledge,
skills, and experience of audit organizations as a whole and not
necessarily to each individual auditor. An organization may need to
employ individuals or hire subject matter experts who are
knowledgeable, skilled, or experienced in such areas as accounting,
statistics, law, engineering, audit design and methodology,
information technology, public administration, economics, social
sciences, or actuarial science.

Technical Knowledge and Competence

3.12 Staff members conducting audits and attestation engagements
under GAGAS should collectively possess the technical knowledge,
skills, and experience necessary to be competent for the type of
work being performed before beginning work on an assignment.
Auditors should possess
a. knowledge of government auditing standards applicable to
the type of work they are assigned and the education, skills, and
experience to apply such knowledge to the work being
performed;
b. knowledge of the specific environment in which the
audited entity operates and the subject matter under
review;
c. skills to communicate clearly and effectively, both
orally and in writing; and
d. skills appropriate for the work being performed. For
example:
(1) if the work requires use of statistical sampling, the
staff or consultants to the staff should include persons with
statistical sampling expertise;
(2) if the work requires extensive review of information
systems, the staff or consultants to the staff should include
persons with information technology expertise;
(3) if the work involves review of complex engineering data,
the staff or consultants to the staff should include persons with
engineering expertise; or
(4) if the work involves the use of specialized audit
methodologies or analytical techniques, such as the use of complex
survey instruments, actuarial-based estimates, or statistical
analysis tests, the staff or consultants to the staff should
include persons with expertise in those methodologies.

3.13 The following additional competencies are needed for
financial audits.

a. Auditors should be knowledgeable in generally accepted
accounting principles and the AICPA's generally accepted auditing
standards for field work and reporting and the related statements
on the standards (SASs) when performing a financial audit and
should be competent in applying these standards and SASs to the
task assigned. Similarly, when performing an attestation
engagement, auditors should be knowledgeable in the AICPA's general
attestation standard related to criteria, and the AICPA's
attestation standards for field work and reporting and the related
statements on the standards for attestation engagements (SSAEs),
and should be competent in applying these standards and SSAEs to
the task assigned.

b. Public accountants engaged to perform financial audits or
attestation engagements should be (a) licensed certified public
accountants or persons working for a licensed certified public
accounting firm, or (b) public accountants licensed on or
before December 31, 1970, or persons working for
a public accounting firm licensed on or before December 31,
1970.³

Continuing Professional Education

3.14 Auditors performing work under GAGAS need to maintain
their professional competence through continuing professional
education (CPE). Therefore, each auditor performing work under
GAGAS should complete, every 2 years, at least 80 hours of CPE
which directly contributes to the auditor's professional
proficiency to perform such work. At least 20 hours should be
completed in any 1 year of the 2-year period.

3.15 Continuing education may include such topics as
developments in audit standards and methodology, accounting,
assessment of internal control, principles of management or
supervision, information systems management, statistical sampling,
financial statement analysis, evaluation design, and data analysis.
It may also include subjects related to specific fields of work,
such as public administration, public policy and structure,
industrial engineering, finance, economics, social sciences, and
information technology.

3.16 In addition, auditors responsible for planning or
directing an assignment, performing substantial portions of the
field work,⁴ or reporting on the assignment under GAGAS should
complete at least 24 of the 80 hours of CPE in subjects directly
related to the government environment and to government auditing.
If the audited entity operates in a specific or unique environment,
auditors should receive CPE that is related to that
environment.

³ Accountants and accounting firms meeting these licensing
requirements should also comply with the applicable provisions of
the public accountancy law and rules of the jurisdiction(s) where
the audit is being conducted and the jurisdiction(s) in which the
accountants and their firms are licensed.

⁴ Auditors are considered responsible for "conducting substantial
portions of field work" when, in a given CPE year, time chargeable
to audits and attestation engagements following GAGAS is 20 percent
or more of their total chargeable time.

GAO-02-340G Government Auditing Standards Exposure Draft

3.17 The audit organization is responsible for ensuring that
auditors meet the continuing education requirements. The audit
organization should maintain documentation of the CPE completed.
GAO has developed guidance pertaining to CPE requirements to assist
auditors and audit organizations in exercising professional
judgment in complying with the CPE requirements.⁵

3.18 External consultants and internal experts and specialists
should be qualified and maintain professional competence in their
areas of expertise and/or specialization. However, they are not
required to meet the above CPE requirements unless they are
responsible for following GAGAS in planning or directing the
assignment, performing substantial portions of field work, or
reporting on the assignment.

QUALITY CONTROL AND ASSURANCE

3.19 The fourth general standard is:
Each audit organization performing assignments in accordance
with GAGAS should have an appropriate internal quality control
system in place and should undergo an external peer review.

3.20 The internal quality control system established by the
audit organization should provide reasonable assurance that it is
following (1) adequate quality control policies and procedures, and
(2) applicable government auditing standards. The internal quality
control system should include procedures for monitoring, on an
ongoing basis, whether the policies and procedures related to the
standards are suitably designed and are being effectively
applied.

⁵ Interpretation of Continuing Education and Training
Requirements, April 1991, Government Printing Office stock number
020-000-00250-6.

3.21 The nature and extent of an audit organization's internal
quality control system depends on a number of factors, such as its
size, the degree of operating autonomy allowed its personnel and
its audit offices, the nature of its work, its organizational
structure, and appropriate cost-benefit considerations. Thus the
systems established by individual organizations will vary as will
the need for, and extent of, their documentation of the systems.
However, each organization should prepare appropriate documentation
to demonstrate compliance with its policies and procedures for its
system of quality control.

3.22 Audit organizations performing assignments in accordance
with GAGAS should have an external peer review conducted at least
once every 3 years by reviewers independent of the organization
being reviewed.⁶ The external peer review should determine whether
the organization's internal quality control system is in place and
operating effectively to provide reasonable assurance that
established policies and procedures and applicable government
auditing standards are being followed.

3.23 An external peer review under this standard should meet
the following requirements.

a. Individuals conducting peer reviews of an audit
organization's system of quality control should have thorough
knowledge of GAGAS and of the government environment relative to
the work being reviewed.

b. Reviewers should be independent (as defined in GAGAS) of
the audit organization being reviewed, its staff, and the
assignments selected for review. An organization is not permitted
to review the organization that conducted its most recent external
peer review. Also, the employing organization of the peer reviewers
should have received an unqualified opinion on the review of their
organization's system of quality controls.

c. Reviewers should have knowledge and training on how to
perform a peer review and should use professional judgment in
conducting and reporting the results of the review.

d. This review should include a review of the organization's
internal quality control policies and procedures, reports, audit
documentation, and other necessary documents (for example,
independence statements, outside employment requests, financial
disclosure reports, and CPE documentation). The review should also
include contacts with various levels of the reviewed organization's
professional staff to assess their understanding of and compliance
with relevant quality control policies and procedures.

e. Reviewers should use one of the following approaches to
selecting assignments for review: (1) select assignments that
provide a reasonable cross section of the assignments performed by
the reviewed organization in accordance with GAGAS or
(2) select assignments that provide a reasonable cross
section of the reviewed organization's work subject to quality
control requirements, including one or more assignments performed
in accordance with GAGAS.

f. The review should be sufficiently comprehensive to
provide a reasonable basis for concluding whether the reviewed
audit organization's system of quality control was complied with to
provide the organization with reasonable assurance of conforming
with professional standards in the conduct of its work. Reviewers
may scale back the peer review procedures based on the reviewers'
evaluation of the adequacy and results of the reviewed
organization's monitoring efforts.

g. Reviewers should prepare a written report(s)
communicating the results of the external peer review. The report
should indicate the scope of the review, including
any limitations thereon, and should express an opinion on
whether the system of quality control of the reviewed organization
was in place and operating effectively to provide reasonable
assurance that established policies and procedures and applicable
government auditing standards are followed. The report should also
describe the reason(s) for any modifications to the opinion. When
there are matters that resulted in a modification to the standard
report, reviewers should report a detailed description of the
findings and recommendations to enable the reviewed organization to
take appropriate actions. To help users of the peer review report
understand the peer review process, each report should be
accompanied by an attachment describing the process, including how
peer reviews are planned and performed.

⁶ Audit organizations should have an external peer review
conducted within 3 years from the date they start (that is, start
of field work) their first assignment in accordance with GAGAS.
Subsequent external peer reviews should be conducted every 3 years.
Audit organizations should generally maintain their review year
from review to review. Any extensions of these time frames to meet
the external peer review requirements can only be granted by GAO
and should only be requested for extraordinary circumstances.

3.24 Audit organizations seeking to enter into a contract to
perform an assignment in accordance with GAGAS should provide their
most recent external peer review report⁷ to the party contracting
for the audit or attestation engagement. Information in the
external peer review report often would be relevant to decisions on
procuring audit or attestation engagement services.

3.25 Auditors who are relying on another audit organization's
work should request a copy of the audit organization's peer review
report, and the audit organization should provide the peer review
report when requested. Audit organizations also should transmit
their external peer review reports to appropriate oversight bodies.
It is also recommended that the report be made available to the
public in a timely manner.

⁷ The term "report" does not include separate letters of comment.

CHAPTER 4
FIELD WORK STANDARDS FOR FINANCIAL AUDITS

INTRODUCTION

4.1 Generally accepted government auditing standards (GAGAS)
incorporate the American Institute of Certified Public Accountants'
(AICPA) generally accepted field work standards for audits and the
related AICPA Statements on Auditing Standards (SASs) unless the
Comptroller General of the United States excludes them by formal
announcement.¹ This chapter identifies the AICPA field work
standards and prescribes additional standards for applying the
AICPA field work standards for financial audits performed in
accordance with GAGAS. This chapter concludes with guidance that
auditors should give consideration to when performing financial
audits in accordance with GAGAS.

4.2 Financial audits consist of all work performed under the
AICPA's generally accepted auditing standards and governed by the
AICPA SASs, which interpret the standards. Such work performed in a
government environment primarily includes audits of financial
statements. The SASs also govern other types of services which may
also be performed in a government environment, such as compliance
auditing, issuing special reports,³ audits of service
organizations, reviews of interim
financial information, and issuing letters to underwriters and
certain other requesting parties. These other services may be
performed in conjunction with an audit of financial statements.

¹ To date, the Comptroller General has not excluded any field
work standards or statements on auditing standards.

² The term "financial statement" refers to a presentation of
financial data, including accompanying notes, derived from
accounting records and intended to communicate an entity's economic
resources or obligations at a point in time or the changes therein
for a period of time in conformity with an identifiable framework,
such as generally accepted accounting principles (GAAP) or an other
comprehensive basis of accounting (OCBOA). Audits of financial
statements include all services governed by the AICPA's SASs for
which the auditors are engaged to provide a level of assurance on
the fair presentation of financial statements in accordance with a
stated criteria.

³ Special reports apply to auditors' reports issued in connection
with the following: (1) financial statements that are prepared in
conformity with a comprehensive basis of accounting other than
generally accepted accounting principles; (2) specified elements,
accounts, or items of a financial statement; (3) compliance with
aspects of contractual agreements or regulatory requirements
related to audited financial statements; (4) financial
presentations to comply with contractual agreements or regulatory
provisions; or (5) financial information presented in prescribed
forms or schedules that require a prescribed form of auditor's
report.

FIELD WORK STANDARDS

4.3 The three AICPA generally accepted standards of field work
are as follows.

a. The work is to be adequately planned, and assistants, if
any, are to be properly supervised.

b. A sufficient understanding of internal control is to be
obtained to plan the audit and to determine the nature, timing, and
extent of tests to be performed.

c. Sufficient competent evidential matter is to be obtained
through inspection, observation, inquiries, and confirmations to
afford a reasonable basis for an opinion regarding the financial
statements under audit.

ADDITIONAL GAGAS FIELD WORK STANDARDS

4.4 GAGAS prescribe additional standards for applying the
three generally accepted AICPA field work standards which go beyond
the requirements contained in the AICPA's SASs. Auditors must
comply with these additional standards when citing GAGAS in their
audit reports. The additional GAGAS relate to

a. auditor communication (see paragraphs 4.6 through
4.13),

b. considering the results of previous audits (see
paragraphs 4.14 through 4.16),

c. noncompliance with provisions of contracts and grants
(see paragraphs 4.17 through 4.19), and

d. audit documentation (see paragraphs 4.20 through
4.24).

4.5 This chapter concludes with guidance auditors should give
consideration to when performing financial audits in accordance
with GAGAS for the following areas:

a. audit risk and materiality (see paragraphs 4.26 and
4.27),

b. internal control over safeguarding of assets (see
paragraphs 4.28 through 4.33),

c. internal control over compliance (see paragraphs 4.34
through 4.36), and

d. professional judgment concerning possible fraud and
illegal acts (see paragraphs 4.37 through 4.39).

AUDITOR COMMUNICATION

4.6 An additional standard related to auditor communication for
financial audits performed in accordance with GAGAS is:
Auditors should communicate information regarding the nature of
services and level of assurance provided to not only officials of
the audited entity, but also to the individuals contracting for or
requesting the audit services, and the audit committee or other
equivalent oversight body.

4.7 AICPA standards and GAGAS require auditors to establish an
understanding with the client and to communicate with audit
committees. GAGAS broaden the parties with whom auditors must
communicate during the planning stages of a financial audit to
reduce the risk that the needs or expectations of the parties
involved may be misinterpreted. Auditors should use their
professional judgment to determine the form, content, and frequency
of the communication, although written communication is preferred,
and should document the communication. Auditors may use an
engagement letter, if appropriate, to communicate the
information.

4.8 Auditors should communicate their responsibilities for the
engagement to the appropriate officials of the audited entity,
which may include

a. the head of the audited entity,

b. the audit committee or board of directors or other
equivalent oversight body in the absence of an audit committee,
and

c. the individual who possesses a sufficient level of
authority and responsibility for the financial reporting process,
such as the chief financial officer.

4.9 In situations where auditors are performing the audit under
a contract with a party other than the officials of the audited
entity, or pursuant to a third-party request, auditors should also
communicate with the individuals contracting for or requesting the
audit, such as contracting officials or legislative members or
staff. When auditors are performing the audit pursuant to a law or
regulation, auditors should communicate with the legislative
members or staff who have oversight of the auditee.⁴ Auditors
should coordinate communications with the responsible government
audit organization and/or management of the audited entity, and may
use the engagement letter to keep interested parties informed.

4.10 In communicating the nature of services and level of
assurance provided, auditors should specifically address their
planned work related to testing compliance with laws and
regulations and
internal control over financial reporting. During the planning
stages of an audit, auditors should communicate their
responsibilities for testing and reporting on compliance with laws
and regulations and internal control over financial reporting. Such
communication should include the nature of any additional testing
of compliance and internal control required by laws and regulations
or otherwise requested, and whether the auditors are planning on
providing opinions on compliance with laws and regulations and
internal control over financial reporting.

⁴ This requirement applies only to situations where the law or
regulation specifically identifies the entity to be audited, such
as an audit of a specific agency's financial statements required by
the Chief Financial Officers Act, as expanded by the Government
Management Reform Act of 1994. Situations where the audit of
financial statements mandate applies to entities not specifically
identified, such as audits required by the Single Audit Act
Amendments of 1996, are excluded.

4.11 To assist in understanding the limitations of auditors'
responsibilities for testing and reporting on compliance and
internal control over financial reporting, auditors may want to
contrast those responsibilities with other audits of compliance and
controls. The discussion in paragraphs 4.12 and
4.13 may be helpful to auditors in explaining their
responsibilities for testing and reporting on compliance with laws
and regulations and internal control over financial reporting to
officials of the audited entity and other interested
parties.

4.12 Tests of compliance with laws and regulations and
internal control over financial reporting in a financial audit
contribute to the evidence supporting the auditors' opinion on the
financial statements or other conclusions regarding financial data.
However, such tests generally are not sufficient in scope to opine
on compliance or internal control over financial reporting. To meet
certain audit report users' needs, laws and regulations sometimes
prescribe testing and reporting on compliance and internal control
over financial reporting to supplement coverage of these
areas.⁵

4.13 Even after auditors perform and report the results of
additional tests of compliance and internal control over financial
reporting required by laws and regulations, some reasonable needs
of report users still may be unmet. Auditors may meet these needs
by performing further tests of compliance
and internal control in either of two ways:⁶

a. supplemental (or agreed-upon) procedures or

b. examination, resulting in an opinion.

⁵ For example, when engaged to perform audits under the Single
Audit Act Amendments of 1996 for state and local government
entities and nonprofit entities that receive federal awards,
auditors should be familiar with the Office of Management and
Budget (OMB) Circular A-133 on single audits. The act and circular
include specific audit requirements, mainly in the areas of
compliance with laws and regulations and internal control, that
exceed the minimum audit requirements in the standards in chapters
4 and 5 of this document. Audits conducted under the Chief
Financial Officers Act of 1990, as expanded by the Government
Management Reform Act of 1994, also have specific audit
requirements prescribed by OMB in the areas of compliance and
internal control. Many state and local governments have additional
audit requirements.

CONSIDERING THE RESULTS OF PREVIOUS AUDITS

4.14 An additional standard for financial audits performed in
accordance with GAGAS is:
Auditors should consider the results of previous audits and
follow up on known significant findings and recommendations,
including those related to reportable conditions, identified in
previous audit reports that relate to the objectives of the audit
being undertaken.

4.15 Auditors should perform such follow-up to determine whether
officials of the audited entity have taken appropriate corrective
actions. In addition to following up on significant reported
findings and recommendations⁷ from previous financial audits,
auditors should consider significant findings identified in
attestation engagements, performance audits, or other studies if
these findings could materially affect the results of the financial
audit. For example, an audit report on an entity's computerized
information systems may contain significant findings that could
relate to the financial audit if the entity uses such systems to
process its accounting information. In any event, auditors need to
make judgments about the extent of follow-up needed and the
appropriate disclosure of uncorrected significant findings and
recommendations from prior audits that affect the audit
objectives.

⁶ Such work is generally performed under the AICPA's Statements
on Standards for Attestation Engagements. See chapter 6 for a
discussion of the standards used when performing attestation
engagements.

⁷ Significant findings and recommendations are those
matters that, if not corrected, could affect the results of the
auditors' work and users' conclusions about those results.

4.16 Providing continuing attention to
significant findings and recommendations is important to ensure
that the benefits of audit work are realized. Ultimately, the
benefits of audit work occur when audit findings are resolved
through meaningful and effective corrective action taken in
response to the auditors' findings and recommendations. Officials
of the audited entity are responsible for resolving audit findings
and recommendations directed to them, and for having a process to
track their status. If officials of the audited entity do not have
such a process, auditors may wish to establish their own
process.

NONCOMPLIANCE WITH PROVISIONS OF CONTRACTS AND GRANT AGREEMENTS

4.17 The additional standard related to compliance with
provisions of contracts and grant agreements for financial audits
performed in accordance with GAGAS is:
Auditors should design the audit to provide reasonable assurance
of detecting material misstatements of financial statements or
other financial data resulting from noncompliance with provisions
of contracts or grant agreements that have a direct and material
effect on the determination of financial statement amounts. If
specific information comes to the auditors' attention that provides
evidence concerning the existence of possible noncompliance that
could affect financial data significant to the audit objectives or
that could have a material indirect effect on the financial
statements, auditors should apply audit procedures specifically
directed to ascertaining whether noncompliance has occurred or is
likely to have occurred.

4.18 AICPA standards and GAGAS require auditors to assess the
risk of material misstatements of financial statements due to fraud
and to consider that assessment in designing the audit
procedures to be performed.⁸ Auditors are also required to design
the audit to provide reasonable assurance of detecting material
misstatements resulting from direct and material illegal acts and to
be aware of the possibility that indirect illegal acts may have
occurred. Under GAGAS, the term noncompliance, however, has a
broader meaning than fraud and illegal acts. Noncompliance includes
not only fraud and illegal acts, but also violations of provisions
of contracts or grant agreements.

⁸ Two types of misstatements are relevant to the auditors'
consideration of fraud in an audit of financial statements--
misstatements arising from fraudulent financial statements and
misstatements arising from misappropriation of assets. The primary
factor that distinguishes fraud from error is whether the
underlying action that results in the misstatement in the financial
statements is intentional or unintentional.

4.19 Under GAGAS, auditors have the same responsibilities for
detecting material misstatements arising from other types of
noncompliance as they do for detecting those arising from fraud and
illegal acts. Direct and material noncompliance is noncompliance
having a direct and material effect on the determination of
financial statement amounts or that could have a significant effect on
other financial data needed to achieve audit objectives. Auditors
should design the audit to provide reasonable assurance of
detecting material misstatements resulting from direct and material
noncompliance with provisions of contracts or grant agreements.
Indirect noncompliance is noncompliance having material but
indirect effects on financial statements or other financial data
needed to achieve audit objectives. If specific information comes
to the auditors' attention that provides evidence concerning the
existence of possible noncompliance that could have a material
indirect effect on the financial statements or significant indirect
effect on other financial data needed to achieve audit objectives,
auditors should apply audit procedures specifically directed to
ascertaining whether that noncompliance has occurred or is likely
to have occurred.

AUDIT DOCUMENTATION
2124
4.20 An additional standard related to audit documentation for
2125
financial audits performed in accordance with GAGAS is:
2126
Audit documentation should contain sufficient information to
2127
enable an experienced reviewer, who has had no previous connection
2128
with the audit, to ascertain from the audit documentation the
2129
evidence that supports the auditors' significant judgments and
2130
conclusions. Audit documentation that supports significant
2131
findings, conclusions, and recommendations should be complete
2132
before auditors issue their report.
2133
4.21 AICPA standards and GAGAS require auditors to prepare and
maintain audit documentation. The form and content of audit
documentation should be designed to meet the circumstances of the
particular audit. The information contained in audit documentation
constitutes the principal record of the work that the auditors have
performed and the conclusions that the auditors have reached. The
quantity, type, and content of audit documentation is a matter of
the auditors' professional judgment.

However, audits performed in accordance with GAGAS are subject
to review by other reviewers and by oversight officials more
frequently than audits done in accordance with AICPA standards.
Thus, whereas AICPA standards cite two main purposes of audit
documentation--providing the principal support for the audit report
and aiding auditors in performing and supervising the audit--audit
documentation serves an additional purpose in audits performed in
accordance with GAGAS. Audit documentation allows for the review of
audit quality by providing the reviewer documentation, either in
written or electronic formats, of the evidence supporting the
auditors' significant judgments and conclusions.

4.22 Audit documentation for financial audits performed under
GAGAS should contain the following.

a. The objectives, scope, and methodology, including
sampling and other selection criteria used.

b. Documentation of the auditor's determination that certain
additional government auditing standards do not apply or that an
applicable standard was not followed, the reasons therefor, and
the known effect that not following the standard had, or could
have, on the audit.

c. Documentation of the work performed to support
significant judgments and conclusions, including descriptions of
transactions and records examined that would enable an experienced
reviewer to examine the same transactions and records.9

d. Auditors' basis for assessing control risk at the maximum
level for assertions related to material
account balances, transaction classes, and disclosure components
of financial statements when such assertions are significantly
dependent upon computerized information systems by addressing (1)
the ineffectiveness of the design and/or operation of the controls,
or (2) the reasons why it would be inefficient to test the
controls.

e. The consideration that the planned audit procedures are
designed to achieve audit objectives when evidential matter
obtained is highly dependent on computerized information systems
and is material to the audit objective, and the auditors are not
relying on the effectiveness of internal control over those
computerized systems that produced the information. The audit
documentation should specifically address (1) the rationale for
determining the nature, timing, and extent of planned audit
procedures; (2) the kinds and competence of available evidential
matter produced outside a computerized information system; and (3)
the effect on the audit report if evidential matter to be gathered
does not afford a reasonable basis to achieve the audit
objectives.10

f. Evidence of supervisory reviews of the work
performed.

9 Auditors may meet this requirement by listing voucher numbers,
check numbers, or other means of identifying specific documents
they examined. Auditors are not required to include copies of
documents they examined as part of the audit documentation, nor are
auditors required to list detailed information from those
documents.

4.23 Underlying GAGAS audits is the premise that federal, state, and local
governments and other organizations cooperate in auditing programs
of common interest so that auditors may use others' work and avoid
duplicate audit efforts. In addition, audits performed in
accordance with GAGAS are subject to quality control and assurance
reviews. Auditors should make arrangements to make audit
documentation available, upon request, in a timely manner to other
auditors or reviewers. Contractual arrangements for GAGAS audits
should provide for full and timely access to audit documentation to
facilitate reliance by other auditors on the auditors' work, as
well as reviews of audit quality control and assurance.

4.24 Audit organizations should establish reasonable policies
and procedures for the safe custody and retention of audit
documentation for a time sufficient to satisfy legal and
administrative requirements. If audit documentation is only
retained electronically, the audit organization should ensure that
the electronic documentation is capable of being accessed
throughout the specified retention period established for audit
documentation and is safeguarded through sound computer
security.

10 This documentation requirement does not increase the auditors'
responsibility for testing internal control but is intended to
assist the auditor in ensuring that audit objectives are met and
audit risk is reduced to an acceptable level.

ADDITIONAL CONSIDERATIONS FOR FINANCIAL AUDITS PERFORMED IN ACCORDANCE WITH GAGAS

4.25 As discussed in chapter 1, financial audits contribute to
making governments more accountable for the use of public resources
and the delivery of services. Because of the increased
accountability associated with government audits, auditors
performing financial audits in accordance with GAGAS should
consider the following guidance related to audit risk and
materiality (see paragraphs 4.26 and 4.27), internal control over
safeguarding of assets (see paragraphs 4.28 through 4.33), internal
control over compliance (see paragraphs 4.34 through 4.36), and
professional judgment concerning possible fraud and illegal acts
(see paragraphs 4.37 and 4.39).

Audit Risk and Materiality

4.26 The AICPA standards and GAGAS require that the work is to
be properly planned, and auditors should consider audit risk and
materiality, among other matters, in determining the nature,
timing, and extent of auditing procedures and in evaluating the
results of those procedures. Auditors' consideration of audit risk
and materiality is a matter of professional judgment and is
influenced by their perception of the needs of a reasonable person
who will rely on the financial statements. Materiality judgments
are made in light of surrounding circumstances and necessarily
involve both quantitative and qualitative
considerations.

4.27 In an audit of a government entity or an entity that
receives government assistance, auditors may need to set lower
materiality levels than in audits in the private sector because of
the public accountability of the audited entity, the various legal
and regulatory requirements, and the visibility and sensitivity of
government programs, activities, and functions.

Internal Control Over Safeguarding of Assets

4.28 Safeguarding of assets is an internal control objective
that is especially important in performing financial audits of
governmental entities or others receiving government funds.11 Given
the public accountability for stewardship of resources,
safeguarding of assets permeates control objectives and components
as defined by the AICPA standards and GAGAS.

4.29 As applied to financial audits, internal control over
safeguarding of assets constitutes a process, effected by an
entity's governing body, management, and other personnel designed
to provide reasonable assurance regarding prevention or timely
detection of unauthorized acquisition, use, or disposition of the
entity's assets that could have a material effect on the financial
statements.

4.30 Internal control over the safeguarding of assets relates
to the prevention or timely detection of unauthorized transactions
and unauthorized access to assets that could result in losses that
are material to the financial statements, such as when unauthorized
expenditures or investments are made, unauthorized liabilities are
incurred, inventory is stolen, or assets are converted to personal
use. Such controls are designed to help ensure the use of and
access to assets are in accordance with management's authorization.
Authorization includes approval of transactions in accordance with
control activities established by management to safeguard assets,
such as establishing and complying with requirements for extending
and monitoring credit or making investment decisions, and related
documentation. Control over safeguarding of assets is not designed
to protect against loss of assets arising from inefficiency or from
management's operating decisions, such as incurring expenditures
for equipment or material that proves to be unnecessary or
unsatisfactory.

4.31 AICPA standards and GAGAS require auditors to obtain a
sufficient understanding of internal control to plan the audit.
They also require auditors to plan the audit to provide reasonable
assurance of detecting material fraud, including material
misappropriation of assets. Because preventing or
detecting material misappropriations is an objective of control
over safeguarding of assets, understanding this type of control can
be essential to planning the audit.

11 Auditors should apply the guidance contained in this section
to other types of financial audits to the extent it is applicable
to the nature of the engagement.

4.32 Control over safeguarding of assets is not limited to
preventing or detecting misappropriations. It also helps prevent or
detect other material losses that could result from unauthorized
acquisition, use, or disposition of assets. Such controls include,
for example, the process of assessing the risk of unauthorized
acquisition, use, or disposition of assets and establishing control
activities to help ensure that management directives to address the
risk are carried out. Such control activities would include
permitting acquisition, use, or disposition of assets only in
accordance with management's general or specific authorization,
including compliance with established control activities for such
acquisition, use, or disposition. They would also include comparing
existing assets with the related records at reasonable intervals
and taking appropriate action with respect to any differences.
Finally, controls over safeguarding of assets against unauthorized
acquisition, use, or disposition also relate to making available to
management information it needs to carry out its responsibilities
related to prevention or timely detection of such unauthorized
activities, as well as mechanisms to enable management to monitor
the continued effective operation of such controls.

4.33 Understanding the control over safeguarding of assets can
help auditors assess the risk that financial statements could be
materially misstated. For example, an understanding of the audited
entity's control over the safeguarding of assets can help auditors
recognize risk factors such as

a. failure to adequately monitor decentralized
operations;

b. lack of control over activities, such as lack of
separation of duties or approval for major transactions;

c. lack of control over computerized information systems,
such as a lack of control over access to applications that initiate
or control the movement of assets;

d. failure to develop or communicate adequate control
activities for security of data or assets, such as allowing
unauthorized personnel to have ready access to data or assets;
and

e. failure to investigate significant unreconciled
differences between reconciliations of a control account and
subsidiary records.

Internal Control Over Compliance

4.34 Governmental entities are subject to a variety of laws
and regulations that affect their financial statements or other
financial data, which is a major factor distinguishing governmental
accounting from private-sector accounting. For example, such laws
and regulations may address the required fund structure,
procurement or debt limitations, or authority for transactions.
Accordingly, compliance with such laws and regulations may have a
direct and material effect on the determination of amounts in the
financial statements of governmental entities. Likewise, entities
that receive government assistance, such as contractors, nonprofit
entities, and other nongovernmental entities, are also subject to
regulations, contract provisions, or grant agreements that could
have a direct and material effect on their financial statements.
Management, of both governmental entities and others receiving
governmental assistance, is responsible for ensuring that the
entity complies with not only the laws and regulations but also
contract provisions and grant agreements applicable to its
activities. That responsibility encompasses the identification of
applicable laws, regulations, contract provisions, and grant
agreements, as well as the establishment of controls designed to
provide reasonable assurance that the entity complies with those
laws, regulations, contract provisions, and grant
agreements.

4.35 AICPA standards and GAGAS require auditors to design the
audit to provide reasonable assurance that the financial statements
are free of material misstatements resulting from noncompliance
that have a direct and material effect on the determination of
financial statement amounts. To meet this requirement, auditors
should have an understanding of internal control relevant to
financial statement assertions affected by those laws, regulations,
contract provisions, or grant agreements. Auditors may find it
necessary to use the work of legal counsel in (1) determining
which laws and regulations might have a direct and material
effect on the financial statements, (2) designing tests of
compliance with laws and regulations, and (3) evaluating the
results of those tests.12 Auditors also may find it necessary to
use the work of legal counsel when an audit requires testing
compliance with provisions of contracts or grant agreements.
Depending on the circumstances of the audit, auditors may find it
necessary to obtain information on compliance matters from others,
such as investigative staff, audit organizations, and officials of
government entities that provided assistance to the audited entity,
and/or the applicable law enforcement authority.

4.36 AICPA standards and GAGAS require that auditors use their
understanding of internal control relevant to financial statement
assertions affected by laws and regulations to identify types of
potential misstatements, consider factors that affect the risk of
material misstatement, and design substantive tests. GAGAS extends
this requirement to include contract provisions and grant
agreements. In applying this requirement, the following factors may
influence the auditors' assessment of control risk:

a. management's awareness or lack of awareness of applicable
laws, regulations, contract provisions, or grant
agreements;

b. policy of the audited entity regarding such matters as
acceptable operating practices and codes of conduct; and

c. assignment of responsibility and delegation of authority
to deal with such matters as organizational goals and objectives,
operating functions, and regulatory requirements.

12 AICPA standards provide guidance for auditors who use the work
of a specialist who is not a member of their staff.

Professional Judgment Concerning Possible Fraud and Illegal Acts

4.37 Under AICPA standards and GAGAS, auditors are responsible
for being aware of the characteristics and types of potentially
material fraud that could be associated with the area being audited
so that they can plan the audit to provide reasonable assurance of
detecting material misstatements of the financial statements due to
fraud.

4.38 Auditors should exercise professional judgment in
pursuing indications of possible fraud and illegal acts so as not
to interfere with potential future investigations, legal
proceedings, or both. Under some circumstances, laws, regulations,
or policies may require auditors to report indications of certain
types of fraud or illegal acts to law enforcement or investigatory
authorities before extending audit steps and procedures. Auditors
may also be required to withdraw from or defer further work on the
audit or a portion of the audit in order not to interfere with an
investigation.

4.39 An audit made in accordance with GAGAS will not guarantee
the discovery of fraud or illegal acts or contingent liabilities
resulting from them. Nor does the subsequent discovery of illegal
acts committed during the audit period mean that the auditors'
performance was inadequate, provided the audit was made in
accordance with GAGAS.

CHAPTER 5

REPORTING STANDARDS FOR FINANCIAL AUDITS

INTRODUCTION

5.1 This chapter presents reporting standards for financial
audits, which include audits of financial statements and other work
governed by the American Institute of Certified Public Accountants'
(AICPA) generally accepted auditing standards and related
Statements on Auditing Standards (SASs). Generally accepted
government auditing standards (GAGAS) incorporate the AICPA field
work and reporting standards and related SASs unless the
Comptroller General of the United States excludes them by formal
announcement.1 This chapter identifies the AICPA generally accepted
reporting standards and prescribes for financial audits conducted
in accordance with GAGAS additional reporting standards on

a. reporting compliance with generally accepted government
auditing standards (see paragraphs 5.3 through 5.6),

b. reporting on compliance with laws and regulations and on
internal control over financial reporting (see paragraphs 5.7
through 5.10),

c. reporting deficiencies in internal control (see
paragraphs 5.11 through 5.15),

d. reporting fraud, illegal acts, and other noncompliance
(see paragraphs 5.16 through 5.26),

e. reporting views of responsible officials (see paragraphs
5.27 through 5.31),

f. privileged and confidential information (see paragraphs
5.32 through 5.34), and

g. report issuance and distribution (see paragraphs 5.35
through 5.38).

1 To date, the Comptroller General has not excluded any field
work or reporting standards or statements on auditing
standards.

5.2 The four AICPA generally accepted standards of reporting are
as follows.

a. The report shall state whether the financial statements
are presented in accordance with generally accepted accounting
principles.

b. The report shall identify those circumstances in which
such principles have not been consistently observed in the current
period in relation to the preceding period.

c. Informative disclosures in the financial statements are
to be regarded as reasonably adequate unless otherwise stated in
the report.

d. The report shall either contain an expression of opinion
regarding the financial statements, taken as a whole, or an
assertion to the effect that an opinion cannot be expressed. When
an overall opinion cannot be expressed, the reasons therefor should
be stated. In all cases where an auditor's name is associated with
financial statements, the report should contain a clear-cut
indication of the character of the auditor's work, if any, and the
degree of responsibility the auditor is taking.

REPORTING COMPLIANCE WITH GENERALLY ACCEPTED GOVERNMENT AUDITING STANDARDS

5.3 An additional reporting standard for financial audits
conducted in accordance with GAGAS is:

Audit reports should state that the audit was made in accordance
with generally accepted government auditing standards.

5.4 The above statement refers to all the applicable
standards that the auditors should have followed during their
audit. The statement referencing compliance with generally accepted
government auditing standards should be qualified in situations
where the auditors did not follow an applicable standard. In these
situations, the auditors should disclose in the scope section of
the report the applicable standard that was not followed, the
reasons therefor, and how not following the standard affected, or
could have affected, the results of the audit.

5.5 When the report on the financial audit is submitted to
comply with a legal, regulatory, or contractual requirement for a
GAGAS audit, it should specifically cite GAGAS. The report on the
financial audit may cite AICPA standards as well as
GAGAS.

5.6 An audited entity receiving a GAGAS audit report may also
need a financial audit report for purposes other than to comply
with requirements calling for a GAGAS audit. For example, the
audited entity may need audited financial statements to issue bonds
or for other financing purposes. When a GAGAS audit is the basis
for an auditor's subsequent report under the AICPA standards, it
would be advantageous to users of the subsequent report for the
auditor's report to include the information on compliance with laws
and regulations and internal control that is required by GAGAS but
not required by AICPA standards. To reissue essentially the same
report omitting the information regarding compliance with laws and
regulations and internal control is not in the public
interest.

REPORTING ON COMPLIANCE WITH LAWS AND REGULATIONS AND ON INTERNAL CONTROL OVER FINANCIAL REPORTING

5.7 An additional reporting standard for financial statement
audits2 conducted in accordance with GAGAS is:

When providing an opinion on financial statements, auditors
should include in their report on the financial statements either a
(1) description of the scope of the auditors' testing of compliance
with laws and regulations and internal control over financial
reporting and the results of those tests or an opinion, if
sufficient work was performed; or (2) reference to the separate
report(s) containing that information. In presenting the results of
those tests, auditors should report fraud, illegal acts, other
material noncompliance, and reportable conditions in internal
control over financial reporting.

5.8 Auditors may report on compliance with laws and
regulations and internal control over financial reporting in the
report on the financial statements or in separate report(s). When
auditors report on compliance and internal control over financial
reporting as part of the report on the financial statements,
auditors should include an introduction summarizing key findings in
the audit of the financial statements and the related compliance
and internal control work. Auditors should not issue this
introduction as a stand-alone report.

5.9 When auditors report separately (including separate
reports bound in the same document) on compliance with laws and
regulations and internal control over financial reporting, the
report on the financial statements should state that the auditors
are issuing those additional reports. The report on the financial
statements should also state that the reports on compliance with
laws and regulations and internal control over financial reporting
are an integral part of a GAGAS audit,
and, in considering the results of the audit, these reports
should be read along with the auditors' report on the financial
statements.

2 Although the following standard on reporting on compliance with
laws and regulations and on internal control over financial
reporting is applicable to audits of financial statements, the
requirement to report deficiencies in internal control (see
paragraphs 5.11 through 5.15) and reporting fraud, illegal acts,
and other noncompliance (see paragraphs 5.16 through 5.26) is
applicable to all financial audits.

Scope of Compliance and Internal Control Work

5.10 Auditors should report the scope of their testing of
compliance with laws and regulations and of internal control over
financial reporting, including whether or not the tests they
performed provided sufficient evidence to support an opinion on
compliance with laws and regulations or internal control over
financial reporting and whether the auditors are providing such
opinions.3

REPORTING DEFICIENCIES IN INTERNAL CONTROL

5.11 The additional reporting standard for financial audits
conducted in accordance with GAGAS is:

Auditors should report significant deficiencies in internal
control considered to be reportable conditions as defined in AICPA
standards.

5.12 The following are examples of matters that may be
reportable conditions:4

a. absence of appropriate segregation of duties consistent
with appropriate control objectives;

b. absence of appropriate reviews and approvals of
transactions, accounting entries, or systems output;

c. inadequate provisions for the safeguarding of
assets;

d. evidence of failure to safeguard assets from loss,
damage, or misappropriation;

e. evidence that a system fails to provide complete and
accurate output consistent with the control objectives of the
audited entity because of the misapplication of control
activities;

f. evidence of intentional override of internal control by
those in authority to the detriment of the overall objectives of
the system;

g. evidence of failure to perform tasks that are part of
internal control, such as reconciliations not prepared or not
timely prepared;

h. absence of a sufficient level of control consciousness
within the organization;

i. significant deficiencies in the design or operation of
internal control that could result in violations of laws and
regulations having a direct and material effect on the financial
statements; and

j. failure to follow up and correct previously identified
deficiencies in internal control.

3 Auditors should follow the AICPA's Statements on Standards for
Attestation Engagements when providing opinions on internal control
over compliance with laws and regulations or on internal control
over financial reporting. See chapter 6 for a discussion of the
attestation standards.

4 AICPA standards define reportable conditions as significant
deficiencies in the design or operation of internal control which
could adversely affect the entity's ability to record, process,
summarize, and report financial data consistent with the assertions
of management in the financial statements.

5.13 In reporting on deficiencies in internal control, auditors
should identify those that are individually or in the aggregate
considered to be material weaknesses.5 Auditors should place their
findings in proper perspective by providing a description of the
objectives, scope, and methodology used to conduct the work. To
give the reader a basis for judging the prevalence and
consequences of these findings, the instances identified should
be related to the population or the number of cases examined and be
quantified in terms of dollar value, if appropriate. Auditors may
include such information in their audit report or may prepare a
separate report. If auditors report separately, the audit report
should contain a reference to the separate report containing this
information6 and state that the separate report is an integral part
of the audit and should be considered in assessing the results of
the audit.

5 The AICPA standards define a material weakness as a reportable
condition in which the design or operation of one or more of the
internal control components does not reduce to a relatively low
level the risk that misstatements caused by error or fraud in
amounts that would be material in relation to the financial
statements being audited may occur and not be detected within a
timely period by employees in the normal course of performing their
assigned functions.

5.14 To the extent possible, auditors should present findings
to identify the elements of criteria, condition, and effect, as
well as cause when problems are found. In addition, auditors should
provide recommendations for corrective action if auditors are able
to sufficiently develop the findings. However, the elements needed
for a finding depend entirely on the scope and objectives of the
financial audit, and, as a result, a finding may not always have all
of the elements fully developed. At a minimum, auditors should identify
the condition, criteria, and possible effect to provide sufficient
information to federal, state, and local officials to assist them
in taking corrective action.

5.15 When auditors detect deficiencies in internal control
that are not reportable conditions, they should communicate those
deficiencies to officials of the audited entity, preferably in
writing. If the auditors have communicated other deficiencies in
internal control in a management letter to officials of the audited
entity, auditors should refer to that management letter when they
report on internal control. Auditors should include in their audit
documentation evidence of all communications to officials of the
audited entity about deficiencies in internal control.

REPORTING FRAUD, ILLEGAL ACTS, AND OTHER NONCOMPLIANCE

5.16 An additional reporting standard for financial audits
conducted in accordance with GAGAS is:

Auditors should report fraud, illegal acts, or other material
noncompliance. In some circumstances, auditors should report fraud
and illegal acts directly to parties external to the audited
entity.

6 For audits of financial statements, such information is
generally included in the reports on compliance and internal
control over financial reporting.

5.17 AICPA standards and GAGAS require auditors to address the
effect fraud or illegal acts may have on the audit report and to
determine that the audit committee or others with equivalent
authority and responsibility are adequately informed about the
fraud or illegal acts. The additional GAGAS standard does not
modify these responsibilities. However, AICPA standards do not
require that this communication be written, nor do they address
communication regarding other noncompliance (violations of other
compliance requirements such as provisions of contracts or grant
agreements).
5.18 When auditors conclude, on the basis of evidence
obtained, that fraud or an illegal act either has occurred or is
likely to have occurred,7 they should report the relevant
information. Auditors need not report information about fraud or an
illegal act that is clearly inconsequential. Thus, auditors should
include in their report the same information about fraud and
illegal acts that they have informed the audit committees about
under AICPA standards. Auditors should also report other
noncompliance that is material to the audit.
5.19 In reporting material fraud, illegal acts, or other
noncompliance, the auditors should place their findings in proper
perspective by providing a description of the objectives, scope,
and methodology used to conduct the work. To give the reader a
basis for judging the prevalence and consequences of these
findings, the instances identified should be related to the
population or the number of cases examined and be quantified in
terms of dollar value, if appropriate. Auditors may include such
information in their audit report or may prepare a separate report.
If auditors report separately, the audit report should contain a
reference to the separate report containing this
information8 and state that the report is an integral part of
the audit and should be considered in assessing the results of the
audit.
7 Whether a particular act is, in fact, illegal may have to await
final determination by a court of law or other adjudicative body.
Thus, when auditors disclose matters that have led them to conclude
that an illegal act is likely to have occurred, they should not
imply that they have made a determination of illegality.
5.20 To the extent possible, auditors should present findings
to identify the elements of criteria, condition, and effect, as
well as cause when problems are found. In addition, auditors should
provide recommendations for corrective action if auditors are able
to sufficiently develop the findings. However, the elements needed
for a finding depend entirely on the scope and objectives of the
financial audit, and, as a result, a finding may not always have all
of the elements fully developed. At a minimum, auditors should identify
the condition, criteria, and possible effect to provide sufficient
information to federal, state, and local officials to assist them
in taking corrective action. Auditors should also obtain the views
of responsible officials of the audited entity regarding the
findings and include this information in the report as
appropriate.
5.21 When auditors detect fraud, illegal acts, or other
noncompliance that do not meet criteria for reporting in paragraph
5.18, they should communicate those findings to officials of the
audited entity, preferably in writing. If auditors have
communicated those findings in a management letter to officials of
the audited entity, auditors should refer to that management letter
when they report on compliance. Auditors may provide less extensive
disclosure of fraud and illegal acts that are not material in
either a quantitative or qualitative sense.9 Auditors should
include in their audit documentation evidence of all communications
to officials of the audited entity about fraud, illegal acts, and
other noncompliance.
Direct Reporting of Fraud and Illegal Acts
5.22 GAGAS require auditors to report fraud or illegal acts
directly to parties outside the audited entity in two
circumstances, as discussed below. These requirements are in
addition to any legal
requirements for direct reporting of fraud or illegal acts.
Auditors should meet these requirements even if they have resigned
or been dismissed from the audit.10
8 For audits of financial statements, such information is
generally included in the reports on compliance with laws and
regulations and internal control over financial reporting.
9 Paragraphs 4.26 and 4.27 provide guidance on factors that may
influence auditors' materiality judgments in audits of government
entities or entities receiving government assistance. AICPA
standards provide guidance on the interaction of quantitative and
qualitative considerations in materiality judgments.
5.23 Officials of the audited entity may be required by law or
regulation to report certain fraud or illegal acts to specified
external parties, such as a federal inspector general or a state
attorney general. If auditors have communicated such fraud or
illegal acts to officials of the audited entity and they fail to
report them, then the auditors should communicate such an awareness
to the governing body of the audited entity. If the officials of
the audited entity do not make the required report as soon as
practicable after the auditors' communication with the entity's
governing body, then the auditors should report the fraud or
illegal acts directly to the external party specified in the law or
regulation.
5.24 Management of the audited entity is responsible for
taking timely and appropriate steps to remedy fraud or illegal acts
that auditors report to it. When fraud or an illegal act involves
assistance received directly or indirectly from a government
agency, auditors may have a duty to report directly if management
fails to take remedial steps. If auditors conclude that such
failure is likely to cause them to depart from the standard report
on the financial statements or resign from the audit, then they
should communicate that conclusion to the governing body of the
audited entity. Then, if officials of the audited entity do not
report the fraud or illegal act as soon as practicable to the
entity that provided the government assistance, the auditors should
report the fraud or illegal act directly to that entity.
5.25 In both of these situations, auditors should obtain
sufficient, competent, and relevant evidence, such as confirmation
with outside parties, to corroborate assertions by management that
it has reported fraud or illegal acts. If they are unable to do so,
then the auditors should report the fraud or illegal acts directly
as discussed above.
5.26 Under some circumstances, laws, regulations, or policies
may require auditors to report promptly indications of certain
types of fraud or illegal acts to law enforcement or
investigatory
authorities. When auditors conclude that this type of fraud or
illegal act either has occurred or is likely to have occurred, they
should ask those authorities and/or legal counsel if reporting
certain information about that fraud or illegal act would
compromise investigative or legal proceedings. Auditors should
limit their reporting to matters that would not compromise those
proceedings, such as information that is already a part of the
public record.
10 Internal audit organizations do not have a duty to report
outside that entity unless required by law, rule, regulation, or
policy.
VIEWS OF RESPONSIBLE OFFICIALS
5.27 An additional reporting standard for financial audits
performed in accordance with GAGAS is:
If the auditors' report discloses significant deficiencies,
auditors should report the views of responsible officials
concerning the findings, conclusions, and recommendations, as well
as corrections planned.
5.28 One of the most effective ways to ensure that a report is
fair, complete, and objective is to obtain advance review and
comments by responsible officials of the audited entity and others,
as may be appropriate. Including the views of responsible officials
produces a report that shows not only what was found and what the
auditors think about it but also what the responsible persons think
about it and what they plan to do about it.
5.29 Auditors should normally request that the responsible
officials' views on significant findings, conclusions, and
recommendations be submitted in writing. Oral comments are
acceptable as well, and, in some cases, may be the only or most
expeditious way to obtain comments. Cases in which obtaining oral
comments can be effective include when there is a time-critical
need to meet a user's needs; the auditor has worked closely with
the responsible officials throughout the conduct of the work and
the parties are very familiar with the findings and issues
addressed in the draft product; or the auditor does not expect
major disagreements with the draft report's findings, conclusions,
and recommendations, or perceive any major controversies with
regard to the issues discussed in the draft report. Auditors should
prepare a
summary of the officials' oral comments and provide a copy of
the summary to management of the audited entity to verify that the
comments are accurately stated.
5.30 Comments should be fairly and objectively evaluated and
recognized, as appropriate, in the final report. Comments, such as
a promise or plan for corrective action, should be noted but should
not be accepted as justification for dropping a significant finding
or a related recommendation.
5.31 When the comments oppose the report's findings,
conclusions, or recommendations, and are not, in the auditors'
opinion, valid, the auditors should state their reasons for
disagreeing with the comments. The auditors' disagreement should be
stated in a fair and objective manner. Conversely, the auditors
should modify their report as necessary if they find the comments
valid. Auditors may wish to attach the comment letter to the audit
report to provide the reader with both points of view.
PRIVILEGED AND CONFIDENTIAL INFORMATION
5.32 An additional reporting standard for financial audits
conducted in accordance with GAGAS is:
If certain pertinent information is prohibited from general
disclosure, the audit report should state the nature of the
information omitted and the requirement that makes the omission
necessary.
5.33 Certain information may be prohibited from general
disclosure by federal, state, or local laws or regulations. Such
information may be provided on a need-to-know basis in a separate
limited official-use report which is restricted to only persons
authorized by law or regulation to receive it. The auditors should,
when appropriate, consult with legal counsel regarding any
requirements or other circumstances that may necessitate the
omission of certain information.
5.34 Additional circumstances associated with public safety and
security concerns could also justify the exclusion of certain
information in the report. For example, information related to
computer security for a particular program should be excluded from
publicly available reports because of the potential damage that
could be caused by the misuse of this information. In such
circumstances, auditors may issue a limited official-use report
containing such information and distribute the report only to those
parties responsible for acting on the auditors' recommendations. If
auditors make the judgment that certain additional information
should be excluded from a publicly available report, they should
state the nature of the information omitted and the reasons that
make the omission necessary.
REPORT ISSUANCE AND DISTRIBUTION
5.35 An additional reporting standard for financial audits
conducted in accordance with GAGAS is:
Auditors should submit written audit reports to the appropriate
officials of the audited entity and to the appropriate officials of
the organizations requiring or arranging for the audits, including
external funding organizations such as legislative bodies, unless
legal restrictions prevent it. Auditors should also send copies of
the reports to other officials who have legal oversight authority
or who may be responsible for acting on audit findings and
recommendations and to others authorized to receive such reports.
Unless the report is restricted by law or regulation, or contains
privileged and confidential information, auditors should ensure
that copies be made available for public inspection.
5.36 Audit reports should be distributed in a timely manner to
officials interested in the results.11 Such officials include those
designated by law or regulation to receive such reports, those
responsible for acting on the findings and recommendations, those
of other levels of government that have provided assistance to the
audited entity, and legislators. However, if the subject of the
audit involves material that is classified for security purposes or
not releasable to particular parties or the public for other valid
reasons, auditors may limit the report distribution.
5.37 When public accountants are engaged, the engaging
organization should ensure that the report is distributed
appropriately. If the public accountants are to make the
distribution, the engagement agreement should indicate which
officials or organizations should receive the report.
5.38 Internal auditors should follow their entity's own
arrangements and statutory requirements for distribution. Usually,
they report to their entity's top managers, who are responsible for
distribution of the report. Further distribution of reports outside
the organization should be made in accordance with applicable laws,
rules, regulations, or policy.
11 See the Single Audit Act Amendments of 1996 and Office of
Management and Budget (OMB) Circular A-133 on single audits for the
distribution of reports on single audits of state and local
governmental entities and nonprofit organizations that receive
federal awards.
CHAPTER 6
GENERAL, FIELD WORK, AND REPORTING STANDARDS FOR ATTESTATION ENGAGEMENTS
INTRODUCTION
6.1 In an attestation engagement, auditors issue an examination,
a review, or an agreed-upon procedures report on subject matter, or
on an assertion about the subject matter, that is the
responsibility of another party. Attestation engagements can cover
a broad range of financial or nonfinancial objectives1 and can be
part of a financial statement audit or other engagement.
Attestation engagements are governed by the standards for
attestation engagements issued by the American Institute of
Certified Public Accountants (AICPA). Generally accepted government
auditing standards (GAGAS) incorporate for attestation engagements
the AICPA's general standard on criteria, its field work standards,
and its reporting standards, as well as the AICPA Statements on
Standards for Attestation Engagements (SSAEs), which interpret the
attestation standards, unless the Comptroller General of the United
States excludes them by formal announcement.2 This chapter
identifies the AICPA's general standard on criteria,3 field work
standards, and reporting standards and prescribes additional field
work and reporting standards, as well as guidance, for attestation
engagements performed in accordance with GAGAS.
1 See chapter 2 for examples of objectives for attestation
engagements.
2 To date, the Comptroller General has not excluded any field
work standards, reporting standards, or statements on standards for
attestation engagements.
3 GAGAS incorporate only one of the AICPA's general standards
for attestation engagements. In addition to this general standard,
auditors should follow the general standards for work performed
under GAGAS, as discussed in chapter 3.
AICPA GENERAL AND FIELD WORK STANDARDS FOR ATTESTATION ENGAGEMENTS
6.2 The AICPA's general standard related to criteria states the
following.
The practitioner [auditor] shall perform an engagement only if
he or she has reason to believe that the subject matter is capable
of evaluation against criteria that are suitable and available to
users.
6.3 The two AICPA field work standards for attestation
engagements are as follows.
a. The work shall be adequately planned and assistants, if
any, shall be properly supervised.
b. Sufficient evidence shall be obtained to provide a
reasonable basis for the conclusion that is expressed in the
report.
ADDITIONAL FIELD WORK STANDARDS FOR ATTESTATION ENGAGEMENTS
6.4 GAGAS require additional field work standards for
attestation engagements in the following areas:
a. auditor communication (see paragraphs 6.5 and 6.7),
b. considering the results of previous audits and
attestation engagements (see paragraphs 6.8 through 6.10),
c. audit documentation (see paragraphs 6.11 through 6.17),
d. internal control (see paragraphs 6.18 and 6.19), and
e. fraud, illegal acts, and other noncompliance (see paragraphs
6.20 through 6.22).
Auditor Communication
6.5 An additional field work standard for attestation
engagements performed in accordance with GAGAS is:
Auditors should communicate information to officials of the
audited entity and the individual contracting for the audit
services regarding the nature and extent of planned testing and
reporting on the subject matter or assertion.
6.6 During the planning stages of an attestation engagement,
auditors should communicate to officials of the audited entity and
to individuals requesting or contracting for the services
information regarding the nature and extent of testing and
reporting, including any potential restriction of reports
associated with the different levels of assurance services, to
reduce the risk that the needs or expectations of the parties
involved may be misinterpreted. For example, attestation standards
provide for the following three levels of assurance.
a. Examination: Auditors perform sufficient testing to
express an opinion whether the subject matter is based on (or in
conformity with) the criteria in all material respects or the
assertion is presented (or fairly stated), in all material
respects, based on the criteria.
b. Review: Auditors perform sufficient testing to express a
conclusion whether any information came to the auditors' attention
on the basis of the work performed that indicates the subject
matter is not based on (or in conformity with) the criteria or the
assertion is not presented (or fairly stated) in all material
respects based on the criteria.4
c. Agreed-upon procedures: Auditors perform testing to issue a
report of findings based on specific procedures performed on
subject matter.
4 As stated in the AICPA's statements on standards for
attestation engagements, auditors should not perform review-level
work for reporting on internal control or compliance with laws and
regulations.
6.7 Auditors should use their professional judgment to determine
the form and content of the communication, although written
communication is preferred. Auditors may use an engagement letter,
if appropriate, to communicate the information. If the attestation
engagement is part of a larger audit, this information may be
communicated as part of that audit. Whatever the form of the
communication, auditors should include audit documentation
regarding the communication.
Considering the Results of Previous Audits and Attestation Engagements
6.8 An additional field work standard for attestation
engagements performed in accordance with GAGAS is:
Auditors should consider the results of previous audits and
attestation engagements and follow up on known significant findings
and recommendations that directly relate to the subject matter of
the attestation engagement being undertaken.
6.9 Auditors should determine whether officials of the audited
entity have taken appropriate corrective actions on known reported
significant findings and recommendations.5 In addition to following
up on significant reported findings and recommendations from
previous financial audits or attestation engagements, auditors
should consider significant findings identified in performance
audits and other studies if these findings relate to subject matter
or assertions of the attestation engagement. For example, an audit
report on an entity's computerized information systems may contain
significant findings that could relate to the attestation
engagement if the entity uses such systems to process information
about the subject matter or contained in an assertion about the
subject matter. Following up on known significant findings and
recommendations identified in previous audits, attestation
engagements, or studies can help auditors evaluate the subject
matter or the assertion associated with the attestation
engagement.
5 Significant findings and recommendations are those matters
that, if not corrected, could affect the results of the auditors'
work and users' conclusions about those results.
6.10 Providing continuing attention to significant findings and
recommendations is important to ensure the benefits of audit work
are realized. Ultimately, the benefits of audit work occur when
audit findings are resolved through meaningful and effective
corrective action in response to the auditors' findings and
recommendations. Officials of the audited organization are
responsible for resolving audit findings and recommendations
directed to them and for having a process to track their status. If
officials of the audited organization do not have such a process,
auditors may wish to establish their own process.
Audit Documentation
6.11 The additional field work standard related to audit
documentation for attestation engagements performed in accordance
with GAGAS is:
Audit documentation should contain sufficient information to
enable an experienced reviewer, who has had no previous connection
with the attestation engagement, to ascertain from the audit
documentation the evidence that supports the auditors' significant
judgments and conclusions. Audit documentation that supports
significant findings, conclusions, and recommendations should be
complete before auditors issue their report.
6.12 AICPA standards and GAGAS require that auditors should
prepare and maintain audit documentation. The form and content of
audit documentation should be designed to meet the circumstances of
the particular attestation engagement. The information contained in
audit documentation constitutes the principal record of the work
that the auditors have performed and the conclusions that the
auditors have reached. The quantity, type, and content of audit
documentation are a matter of the auditors' professional
judgment.
6.13 GAGAS extend the level of required audit documentation to
be sufficient for an experienced reviewer who has had no previous
connection with the engagement to understand
the evidence that supports the auditors' significant judgments
and conclusions. Further, such documentation must be complete
before auditors issue their report.
6.14 Attestation engagements done in accordance with GAGAS are
subject to review by other auditors and by oversight officials more
frequently than audits done in accordance with AICPA standards.
Thus, whereas AICPA standards cite two main purposes of audit
documentation--providing the principal support for the audit report
and aiding auditors in the conduct and supervision of the
audit--audit documentation serves an additional purpose in
attestation engagements performed in accordance with GAGAS. Audit
documentation allows for the review of audit quality by providing
the reviewer documentation, either in written or electronic
formats, of the evidence supporting the auditors' significant
judgments and conclusions.
6.15 Audit organizations should establish reasonable policies
and procedures for the safe custody and retention of audit
documentation for a time sufficient to satisfy legal and
administrative requirements. If audit documentation is only
retained electronically, the audit organization should ensure that
the electronic documentation is capable of being accessed
throughout the specified retention period established for audit
documentation and is safeguarded through sound computer
security.
6.16 Audit documentation for attestation engagements under
GAGAS should contain the following.
a. The objectives, scope, and methodology, including any
sampling criteria used.
b. Documentation of the auditor's determination that certain
additional government auditing standards do not apply or that an
applicable standard was not followed, the reasons therefor, and
the known effect that not following the standard had, or could
have, on the attestation engagement.
c. Documentation of the work performed to support
significant judgments and conclusions, including descriptions of
transactions and records examined that would enable an experienced
reviewer to examine the same transactions and records.6
d. The consideration that the planned procedures are
designed to achieve objectives of the attestation engagement when
evidential matter obtained is highly dependent on computerized
information systems and is material to the objective of the
engagement, and the auditors are not relying on the effectiveness
of internal control over those computerized systems that produced
the information. The audit documentation should specifically
address (1) the rationale for determining the nature, timing, and
extent of planned audit procedures; (2) the kinds and competence of
available evidential matter produced outside a computerized
information system; and (3) the effect on the attestation
engagement report if evidential matter to be gathered does not
afford a reasonable basis to achieve the objectives of the
engagement.
e. Evidence of supervisory reviews of the work
performed.
6.17 One factor underlying GAGAS audits is that federal, state,
and local governments and other organizations cooperate in auditing
programs of common interest so that auditors may use others' work
and avoid duplicate audit efforts. In addition, attestation
engagements performed in accordance with GAGAS are subject to
quality control and assurance reviews. Auditors should make
arrangements to make audit documentation available, upon request,
in a timely manner to other auditors or reviewers. Contractual
arrangements for attestation engagements performed in accordance
with GAGAS should provide for full and timely access to audit
documentation to facilitate reliance by other auditors on the
auditors' work, as well as reviews of audit quality control and
assurance.
6 Auditors may meet this requirement by listing voucher numbers,
check numbers, or other means of identifying specific documents
they examined. Auditors are not required to include copies of
documents they examined as part of the audit documentation, nor are
auditors required to list detailed information from those
documents.
Internal Control
6.18 An additional field work standard for attestation
engagements performed in accordance with GAGAS is:
In planning examination-level attestation engagements, auditors
should obtain a sufficient understanding of internal control that
is material to the subject matter or assertion to plan the
engagement and design procedures to achieve the objectives of the
attestation engagement.
6.19 In planning the engagement, auditors should obtain an
understanding of internal control7 as it relates to the subject
matter or assertion to which the auditors are attesting. The
subject matter or assertion may be of a financial or nonfinancial
nature, and internal control relevant to the subject matter or
assertion the auditor is testing may relate to
a. effectiveness and efficiency of operations, including the
use of an entity's resources;
b. reliability of financial reporting, including reports on
budget execution and other reports for internal and external
use;
c. compliance with applicable laws and regulations; and
d. safeguarding of assets.
7 Although not applicable to attestation engagements, the AICPA
statements on auditing standards may provide useful guidance
related to internal control for auditors performing attestation
engagements in accordance with GAGAS. In addition, auditors
performing attestation engagements may wish to refer to the
internal control guidance published by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). The Standards for
Internal Control in the Federal Government (GAO/AIMD-00-21.3.1,
November 1999), which incorporates the relevant guidance developed
by COSO, provides definitions and fundamental concepts pertaining
to internal control at the federal level and may be useful to
auditors at any level of government. The related Internal Control
Management and Evaluation Tool (GAO-01-1008G, August 2001), based
on the federal internal control standards, provides a systematic,
organized, and structured approach to assessing the internal
control structure.

Fraud, Illegal Acts, and Other Noncompliance

6.20 An additional field work standard for attestation
engagements performed in accordance with GAGAS is:

In planning examination-level attestation engagements, auditors
should design the engagement to provide reasonable assurance of
detecting fraud, illegal acts, or other noncompliance that could
have a material effect on the subject matter or assertion of the
attestation engagement.

6.21 Auditors should exercise professional judgment in planning
the engagement by obtaining an understanding of the possible
effects of fraud, illegal acts, or other noncompliance on the
subject matter or assertion of the attestation engagement and by
identifying and assessing any associated risks that could have a
material effect on the attestation engagement.8 Auditors should
include audit documentation on their assessment of risk, and, when
risk factors are identified as being present, the documentation
should include

a. those risk factors identified, and

b. the auditors' response to those risk factors,
individually or in combination.

6.22 In addition, if during the performance of the attestation
engagement, risk factors or other conditions are identified that
cause the auditors to believe that an additional response is
required, such factors or other conditions, and any future response
the auditors concluded was appropriate, should be documented.

8 Although not applicable to attestation engagements, the AICPA
statements on auditing standards may provide useful guidance
related to fraud for auditors performing attestation engagements in
accordance with GAGAS.

AICPA REPORTING STANDARDS FOR ATTESTATION ENGAGEMENTS

6.23 The AICPA standards for attestation engagements provide for
three levels of reporting based on the type of assurance the
auditor is providing. (See paragraph 6.6.) The four AICPA reporting
standards for attestation engagements are as follows.

a. The report shall identify the subject matter or the
assertion being reported on and state the character of the
engagement.

b. The report shall state the practitioner's [auditors']
conclusions about the subject matter or the assertion in relation
to the criteria against which the subject matter was
evaluated.

c. The report shall state all of the practitioner's
[auditors'] significant reservations about the engagement, the
subject matter, and, if applicable, the assertion related
thereto.

d. The report shall state that the use of the report is
restricted to specified parties under the following circumstances:9

(1) When the criteria used to evaluate the subject matter are
determined by the practitioner to be appropriate only for a limited
number of parties who either participated in their establishment or
can be presumed to have an adequate understanding of the criteria.

(2) When the criteria used to evaluate the subject matter are
available only to specified parties.

(3) When reporting on subject matter and a written assertion has
not been provided by the responsible party.

(4) When the report is on an attest engagement to apply
agreed-upon procedures to the subject matter.

9 Auditors should, however, follow the report distribution
standard. (See paragraphs 6.39 through 6.43.)

ADDITIONAL REPORTING STANDARDS FOR ATTESTATION ENGAGEMENTS

6.24 GAGAS require additional reporting standards for
attestation engagements in the following areas:

a. reporting compliance with generally accepted government
auditing standards (see paragraphs 6.25 through 6.27);

b. reporting on internal control and on fraud, illegal acts,
and other noncompliance (see paragraphs 6.28 through 6.31);

c. views of responsible officials (see paragraphs 6.32
through 6.36);

d. privileged and confidential information (see paragraphs
6.37 and 6.38); and

e. report issuance and distribution (see paragraphs 6.39
through 6.43).

Reporting Compliance With Generally Accepted Government Auditing Standards

6.25 An additional reporting standard for attestation
engagements performed in accordance with GAGAS is:

Reports on attestation engagements should state that the
engagement was made in accordance with generally accepted
government auditing standards.

6.26 The above statement refers to all the applicable standards
that the auditors should have followed during the attestation
engagement. The statement should be qualified in situations where
the auditors did not follow an applicable standard. In these
situations, the auditors should disclose in the scope section of
the report the applicable standard that was not followed, the
reasons therefor, and how not following the standard affected,
or could have affected, the results of the attestation
engagement.

6.27 When the report on the attestation engagement is submitted
to comply with a legal, regulatory, or contractual requirement for
a GAGAS audit, it should specifically cite GAGAS. An audited entity
receiving a GAGAS attestation report may also need a report on the
attestation engagement for purposes other than to comply with
requirements calling for a GAGAS audit. When a GAGAS attestation
engagement is the basis for an auditor's subsequent report under
the AICPA standards, it would be advantageous to users of the
subsequent report for the auditor's report to include the
information on compliance with laws and regulations and internal
control that is required by GAGAS but not required by AICPA
standards. To reissue essentially the same report omitting the
information regarding compliance with laws and regulations and
internal control is not in the public interest.

Reporting on Internal Control and on Fraud, Illegal Acts, and Other Noncompliance

6.28 An additional reporting standard for attestation
engagements performed in accordance with GAGAS is:

The report on an attestation engagement should disclose
deficiencies in internal control, including internal control over
compliance with laws and regulations, that are material to the
subject matter or assertion. Fraud, illegal acts, and other
noncompliance often result from the lack, or circumvention, of
internal control. Accordingly, auditors should also disclose in the
report on the attestation engagement instances of fraud, illegal
acts, or other noncompliance that are material to the subject
matter or the assertion.

6.29 Auditors should place their findings in proper perspective
by providing a description of the objectives, scope, and
methodology used to conduct the work. To give the reader a basis
for judging the prevalence and consequences of these findings, the
instances identified should be related to the population or the
number of cases examined and be quantified in terms of dollar
value, if appropriate. Auditors need not report information
about fraud or an illegal act that is clearly inconsequential.
However, these matters should be brought to the attention of
management of the audited entity.

6.30 To the extent possible, auditors should present findings
to identify the elements of criteria, condition, and effect, as
well as cause when problems are found. In addition, auditors should
provide recommendations for corrective action if auditors are able
to sufficiently develop the findings. However, the elements needed
for a finding depend entirely on the scope and objectives of the
attestation engagement, and, as a result, may not always have all
of the elements fully developed. At a minimum, auditors should
identify the condition, criteria, and possible effect to provide
sufficient information to federal, state, and local officials to
assist them in taking corrective action.

6.31 When auditors detect deficiencies in internal control
that are not material to the subject matter or assertion or
conclude, on the basis of evidence obtained, that fraud, an illegal
act, or other noncompliance either has occurred or is likely to
have occurred,10 they should communicate relevant information to
officials of the audited entity, preferably in writing. Auditors
should include in their audit documentation evidence of all
communications to officials of the audited entity about
deficiencies in internal control or indications of fraud, illegal
acts, or other noncompliance.

10 Whether a particular act is, in fact, illegal may have to
await final determination by a court of law. Thus, when auditors
disclose matters that have led them to conclude that an illegal act
is likely to have occurred, they should not imply that they have
made a determination of illegality.

Views of Responsible Officials

6.32 An additional reporting standard for attestation
engagements performed in accordance with GAGAS is:

If the auditor's report discloses significant deficiencies,
auditors should report the views of responsible officials
concerning the findings, conclusions, and recommendations, as well
as corrections planned.

6.33 One of the most effective ways to ensure that a report is
fair, complete, and objective is to obtain advance review and
comments by responsible officials of the audited entity and others,
as may be appropriate. Including the views of responsible officials
produces a report that shows not only what was found and what the
auditors think about it but also what the responsible persons think
about it and what they plan to do about it.

6.34 Auditors should normally request that the responsible
officials' views on significant findings, conclusions, and
recommendations be submitted in writing. Oral comments are
acceptable as well, and, in some cases, may be the only or most
expeditious way to obtain comments. Cases in which obtaining oral
comments can be effective include when there is a time-critical
need to meet a user's needs; the auditors have worked closely with
the responsible officials throughout the conduct of the work and
the parties are very familiar with the findings and issues
addressed in the draft product; or the auditor does not expect
major disagreements with the draft report's findings, conclusions,
and recommendations, or perceive any major controversies with
regard to the issues discussed in the draft report. Auditors should
prepare a summary of the officials' oral comments and provide a
copy of the summary to management of the audited entity to verify
that the comments are accurately stated.

6.35 Comments should be fairly and objectively evaluated and
recognized, as appropriate, in the final report. Comments, such as
a promise or plan for corrective action, should be noted but should
not be accepted as justification for dropping a significant finding
or a related recommendation.

6.36 When the comments oppose the report's findings,
conclusions, or recommendations, and are not, in the auditors'
opinion, valid, the auditors should state their reasons for
disagreeing with the comments. The auditors' disagreement should be
stated in a fair and objective manner. Conversely, the auditors
should modify their report as necessary if they find the comments
valid. Auditors may wish to attach the comment letter to the audit
report to provide the reader with both points of view.

Privileged and Confidential Information

6.37 An additional reporting standard for attestation
engagements performed in accordance with GAGAS is:

If certain pertinent information is prohibited from general
disclosure, the report on the attestation engagement should state
the nature of the information omitted and the requirement that
makes the omission necessary.

6.38 Certain information may be prohibited from general
disclosure by federal, state, or local laws or regulations. Such
information may be provided on a need-to-know basis only to persons
authorized by law or regulation to receive it. Additional
circumstances associated with public safety and security concerns
could also justify the exclusion of certain information in the
report. For example, information related to computer security for a
particular program should be excluded from the report because of
the potential damage that could be caused by the misuse of this
information. In such circumstances, auditors may issue a limited
official-use report containing such information and distribute the
report only to those parties responsible for acting on the
auditors' recommendations.

Report Issuance and Distribution

6.39 An additional reporting standard for attestation
engagements performed in accordance with GAGAS is:

Auditors should submit written reports on the attestation
engagement to the appropriate officials of the audited entity and
to the appropriate officials of the organizations requiring or
arranging for the engagement, including external funding
organizations, unless legal restrictions prevent it. Auditors
should also send copies of the reports to other officials
who have legal oversight authority or who may be responsible for
acting on audit findings and recommendations and to others
authorized to receive such reports. Unless the report is restricted
by law or regulation, auditors should ensure that copies be made
available for public inspection.

6.40 Reports should be distributed in a timely manner to
officials interested in the results. Such officials include those
designated by law or regulation to receive such reports, those
responsible for acting on the findings and recommendations
contained in the report, those of other levels of government that
have provided assistance to the audited entity, and
legislators.

6.41 If the subject of the attestation engagement involves
material that is classified for security purposes or not releasable
to particular parties or the public for other valid reasons,
auditors may limit the report distribution. Although AICPA
standards require that a report on an engagement to evaluate an
assertion that has been prepared on agreed-upon criteria or on an
engagement to apply agreed-upon procedures should contain a
statement limiting its use to the parties who have agreed upon such
criteria or procedures, such a statement does not require that the
report distribution be limited.

6.42 When public accountants are engaged, the engaging
organization should ensure that the report is distributed
appropriately. If the public accountants are to make the
distribution, the engagement agreement should indicate which
officials or organizations should receive the report and other
steps being taken to ensure the availability of the report for
public inspection.

6.43 Internal auditors should follow their entity's own
arrangements and statutory requirements for distribution. Usually,
they report to their entity's top manager, who is responsible for
distribution of the report. Further distribution of reports outside
the organization should be made in accordance with applicable laws,
rules, regulations, or policy.

CHAPTER 7

FIELD WORK STANDARDS FOR PERFORMANCE AUDITS

INTRODUCTION

7.1 This chapter prescribes field work standards and provides
guidance to auditors conducting performance audits in accordance
with generally accepted government auditing standards (GAGAS). The
field work standards for performance audits relate to planning the
audit, supervising staff, obtaining sufficient, competent, and
relevant evidence, and preparing audit documentation.

PLANNING

7.2 The field work standard related to planning for performance
audits conducted in accordance with GAGAS is:

Work is to be adequately planned.

7.3 In planning the audit, auditors should define the audit
objectives, as well as the scope and methodology to achieve those
objectives. Audit objectives, scope, and methodologies are not
determined in isolation. Auditors determine these three elements of
the audit plan together, as the considerations in determining each
often overlap. Planning is a continuous process throughout the
audit. Therefore, auditors should consider the need to make
adjustments to the audit objectives, scope, and methodology as work
is being completed.

7.4 The objectives are what the audit is intended to
accomplish. They identify the audit subjects and performance
aspects to be included, as well as the potential finding and
reporting elements that the auditors expect to develop.1 Audit
objectives can be thought of as questions about the program2 that
auditors seek to answer. (See chapter 2.)

7.5 Scope is the boundary of the audit and should be directly
tied to the audit objectives. For example, the scope defines
parameters of the audit such as the period of time reviewed, the
availability of necessary documentation or records, and the number
of locations at which field work will be conducted.

7.6 The methodology comprises the work involved in gathering
and analyzing data to achieve the objectives. Audit procedures are
the specific steps and tests auditors will carry out to address the
audit objectives. Auditors should design the methodology to provide
sufficient, competent, and relevant evidence to achieve the
objectives of the audit. Methodology includes both the types and
extent of audit procedures used to achieve the audit objectives.
Auditors may use different methodologies drawn from a wide variety
of disciplines.3

1 See discussion of the elements of a finding in paragraphs 7.45
through 7.48.

2 This chapter uses only the term program; however, the concepts
presented also apply to audits of organizations, activities, and
services.

3 If the auditor chooses to apply or use standards or
methodologies developed by other professional organizations when
performing work under GAGAS, the auditor should also apply the
standards in this chapter as appropriate. Even if auditors do not
follow such other standards and methodologies, they may still serve
as a useful source of guidance to auditors in planning their work
under GAGAS. However, if auditors decide to perform their work in
accordance with the standards for attestation engagements issued by
the AICPA, auditors should apply the additional GAGAS standards for
attestation engagements contained in chapter 6.

7.7 Planning should be documented and should include

a. considering the significance of various programs and the
needs of potential users of the audit report (see paragraphs 7.8
and 7.9);

b. obtaining an understanding of the program to be audited
(see paragraph 7.10);

c. obtaining an understanding of internal control as it
relates to the specific objectives and scope of the audit (see
paragraphs 7.11 through 7.16);

d. designing the audit methodology and procedures to test
compliance with legal and regulatory requirements of the program to
be audited that are significant to the specific objectives and
scope of the audit (see paragraphs 7.17 through 7.20);

e. identifying the criteria needed to evaluate matters
subject to audit (see paragraph 7.21);

f. considering the results of previous audits that could
affect the current audit objectives (see paragraphs 7.22 and
7.23);

g. identifying potential sources of data that could be used
as audit evidence (see paragraph 7.24);

h. considering whether the work of other auditors and
experts may be used to satisfy some of the auditors' objectives
(see paragraphs 7.25 and 7.27);

i. providing appropriate and sufficient staff and other
resources to perform the audit (see paragraphs 7.28 through 7.31);

j. communicating general information concerning the planning
and conduct of the audit to management officials responsible for
the program being audited, and others as applicable (see paragraphs
7.32 and 7.33); and

k. documenting planning decisions (see paragraphs 7.34
through 7.36).

Program Significance

7.8 The significance of a matter is its relative importance to
the audit objectives and potential users of the audit report.
Auditors should consider the significance of a program or program
component and the potential use that will be made of the audit
results or report as they plan a performance audit. Indicators of
significance and/or use to consider include

a. visibility and sensitivity of the program under audit,

b. newness of the program or changes in its conditions,

c. role of the audit in providing information that can
improve public accountability and decisionmaking, and

d. level and extent of review or other forms of independent
oversight.

7.9 One group of users of the auditors' report is government
officials who may have authorized or requested the audit. Another
important user of the auditors' report is the entity being audited,
which is responsible for acting on the auditors' recommendations.
Other potential users of the auditors' report include government
legislators or officials (other than those who may have authorized
or requested the audit), the media, interest groups, and individual
citizens. In addition to an interest in the program, potential
users may have an ability to influence the conduct of the program.
An awareness of these potential users' interests and influence can
help auditors understand why the program operates the way it does.
This awareness can also help auditors judge whether possible
findings could be significant to various possible users.

Understanding the Program

7.10 Auditors should obtain an understanding of the program to
be audited to help assess, among other matters, the significance of
possible audit objectives and the feasibility of achieving them.
The auditors' understanding may come from knowledge they already
have about the program or knowledge they gain from inquiries and
observations they make in planning the audit. The extent and
breadth of those inquiries and observations will vary among audits
based on the audit objectives, as will the need to understand
individual aspects of the program, such as the following.

a. Laws and regulations: Government programs usually are
created by law and are subject to more specific laws and
regulations than the private sector. For example, laws and
regulations usually set forth what is to be done, who is to do it,
the purpose to be achieved, the population to be served, and how
much can be spent on what. Thus, understanding the laws and the
legislative history establishing a program can be essential to
understanding the program itself. Obtaining that understanding is
also a necessary step in identifying provisions of laws and
regulations significant to audit objectives.

b. Purpose and goals: Purpose is the result or effect that
is intended or desired from a program's operation. Legislatures
usually establish the program purpose when they provide authority
for the program. Entity officials may provide more detailed
guidance on program purpose to supplement the authorizing
legislation. Entity officials are sometimes asked to set goals for
program performance and operations, including both outcome and
output goals. Auditors may use the stated program purpose and goals
as criteria for assessing program performance or may develop
additional criteria or best practices to compare the program
with.

c. Internal control: Internal control, often referred to as
management controls, in the broadest sense includes the plan of
organization, methods, and procedures adopted by management to meet
its missions, goals, and objectives. Internal control includes the
processes for planning, organizing, directing, and controlling
program operations. It includes the systems for measuring,
reporting, and monitoring program performance. Internal control
also serves as the first line of defense in safeguarding assets and
preventing and detecting errors and fraud. Paragraphs 7.11 through
7.16 contain guidance pertaining to internal control.

d. Efforts: Efforts are the amount of resources (in terms of
money, material, personnel, and so forth) that are put into a
program. These resources may come from within or outside the entity
operating the program. Measures of efforts can have a number of
dimensions, such as cost, timing, and quality. Examples of measures
of efforts are dollars, employee-hours, and square feet of building
space.

e. Program operations: Program operations are the
strategies, processes, and activities management uses to convert
efforts into outputs. Program operations are subject to internal
control.

f. Outputs: Outputs represent the quantity of a good or
service produced by a program. For example, an output measure for a
job training program could be the number of persons completing
training, and an output measure for an aviation safety inspection
program could be the number of safety inspections
completed.

g. Outcomes: Outcomes are accomplishments or results of
programs. For example, an outcome measure for a job training
program could be the percentage of trained persons obtaining a job
and still in the work place after a specified period of time.
Examples of outcome measures for an aviation safety inspection
program could be the percentage reduction in significant safety
problems found in subsequent inspections and/or the percentage of
significant problems deemed corrected in follow-up inspections.
Such outcome measures show progress in achieving the stated program
purposes of helping unemployable citizens get and keep jobs and
improving the safety of aviation operations. Auditors should be
aware that outcomes may be influenced by cultural, economic,
physical, or technological factors outside the program. Auditors
may use approaches drawn from the field of program evaluation to
try to isolate the effects of the program from these other
influences.

Internal Control

7.11 Auditors should obtain an understanding of the internal
control environment, as well as specific internal controls, that
are significant to the audit objectives, including internal control
over compliance with legal and regulatory requirements, and
consider whether the internal controls have been placed in
operation. Auditors also need to consider whether any reliance will
be placed on internal controls in designing audit procedures. If
so, auditors should include
specific tests of the effectiveness of internal control and
consider the results in designing audit procedures.4 Management is
responsible for establishing effective internal control. The lack
of administrative continuity in government units because of changes
in elected legislative bodies and in administrative organizations
increases the need for effective internal control.

7.12 The following classification of internal control is
intended to help auditors better understand internal controls and
determine their significance to the audit objectives.

a. Effectiveness and efficiency of program operations:
Controls over program operations include policies and procedures
that management has implemented to reasonably ensure that a program
meets its objectives and that unintended actions do not result,
such as improper payments. Understanding these controls can help
auditors understand the program operations that convert efforts to
outputs or outcomes.

b. Validity and reliability of data: Controls over the
validity and reliability of data include policies and procedures
that management has implemented to reasonably ensure that valid and
reliable data are obtained, maintained, and fairly disclosed in
reports. These controls help assure management that it is getting
valid and reliable information about whether programs are operating
properly on an ongoing basis. Understanding these controls can help
auditors (1) assess the risk that the data gathered by the entity
may not be valid or reliable and (2) design appropriate tests of
the data.

c.
4194
Compliance with applicable laws and regulations: Controls
4195
over compliance with applicable laws and regulations include
4196
policies and procedures that management has implemented to
4197
reasonably ensure that program implementation is consistent with
4198
laws and regulations.
4199
4200
4201
4
4202
Refer to internal control guidance developed for the private
4203
sector, Internal Control - Integrated Framework, published by the
4204
Committee of Sponsoring Organizations of the Treadway Commission
4205
(COSO). The publication, Standards for Internal Control in the
4206
Federal Government (GAO/AIMD-00-21.3.1, November 1999), which
4207
incorporates the relevant guidance developed by COSO, provides
4208
definitions and fundamental concepts pertaining to internal control
4209
at the federal level and may be useful to other auditors at any
4210
level of government. The related Internal Control Management and
4211
Evaluation Tool (GAO-01-1008G, August 2001), based on the federal
4212
internal control standards, provides a systematic, organized, and
4213
structured approach to assessing the internal control
4214
structure.
4215
GAO-02-340G Government Auditing Standards Exposure Draft
4216
93 Understanding the controls relevant to compliance with those
4217
laws and regulations that the auditors have determined are
4218
significant can help auditors assess the risk of illegal acts.
4219
4220
4221
7.13 A subset of these categories of internal control is the
safeguarding of resources. Controls over the safeguarding of
resources include policies and procedures that management has
implemented to reasonably prevent or promptly detect unauthorized
acquisition, use, or disposition of resources.

7.14 Auditors can obtain an understanding of internal control
through inquiries, observations, inspection of documents and
records, or review of other auditors' reports. The procedures
auditors perform to obtain an understanding of internal control
will vary among audits. One factor influencing the extent of these
procedures is the auditors' knowledge about internal control gained
in prior audits. Also, the need to understand internal control will
depend on the particular aspects of the program the auditors
consider in setting objectives, scope, and methodology. The
following are examples of how the auditors' understanding of
internal control can influence the audit plan.

a. Audit objectives: Poorly controlled aspects of a program
have a higher risk of failure, so they may be more significant than
others in terms of where auditors would want to focus their
efforts.

b. Audit scope: Knowledge of the internal control
environment and the status of controls in a certain location may
lead auditors to target their efforts there.

c. Audit methodology: Effective controls over collecting,
summarizing, and reporting data may enable auditors to limit the
extent of their direct testing of data validity and reliability. In
contrast, evidence suggesting ineffective controls may lead
auditors to perform more direct testing of the data, look for data
from outside the entity, or develop their own data.

7.15 When internal controls are significant to the audit
objectives, auditors should plan to obtain sufficient evidence to
support their judgments about those controls.5 The following are
examples of circumstances where internal controls can be
significant to audit objectives.

a. In determining the cause of unsatisfactory performance,
that unsatisfactory performance could result from weaknesses in
specific internal controls.

b. When assessing the validity and reliability of
performance measures developed by the audited entity, effective
internal control over collecting, summarizing, and reporting data
will help ensure valid and reliable performance
measures.

7.16 Internal auditing is an important part of internal
control.6 When an assessment of internal control is called for, the
work of the internal auditors can be used to help provide
reasonable assurance that internal controls are functioning
properly and to prevent duplication of effort.

Considering Legal, Regulatory, and Other Compliance Requirements

7.17 When laws, regulations, and other compliance requirements
such as provisions of contracts or grant agreements are significant
to the audit objectives, auditors should design the audit to
provide reasonable assurance about compliance with them. This
requires determining which laws, regulations, and other compliance
requirements are significant to the audit objectives and assessing
the risk that significant noncompliance could occur.7 Based on that
risk assessment, the auditors design and perform procedures to
provide reasonable assurance of detecting significant instances of
noncompliance. (See paragraphs 7.59 through 7.63 for a discussion
of evidence indicative of fraud, illegal acts, or other
noncompliance.)

5 The Standards for Internal Control in the Federal Government
(GAO/AIMD-00-21.3.1, November 1999) is one source of established
criteria auditors can use to support their judgments and
conclusions about internal control.

6 Many government entities have these activities identified by
other names, such as inspection, appraisal, investigation,
organization and methods, or management analysis. These activities
assist management by reviewing selected functions.

7 The term noncompliance includes not only illegal acts resulting
from violations of laws and regulations, but also violations of
provisions of contracts or grant agreements.

7.18 Auditors may find it necessary to work with legal counsel
to (1) determine those laws and regulations that are significant to
the audit objectives, (2) design tests of compliance with laws and
regulations, or (3) evaluate the results of those tests. Auditors
also may find it necessary to rely on the work of legal counsel
when audit objectives require testing compliance with provisions of
contracts or grant agreements.8 Depending on the circumstances of
the audit, auditors may find it necessary to obtain information on
compliance matters from others, such as investigative staff, other
audit organizations or government entities that provided assistance
to the audited entity, or the applicable law enforcement
authority.

7.19 It is not practical to set precise standards for
determining if laws, regulations, or other compliance requirements
are significant to audit objectives because government programs are
subject to many laws, regulations, and other compliance
requirements, and audit objectives vary widely. However, auditors
may find the following approach helpful in making that
determination.

a. Reduce each audit objective to questions about specific
aspects of the program being audited (that is, purpose and goals,
internal control, efforts, program operations, outputs, and
outcomes, as discussed in paragraph 7.10).

b. Identify laws, regulations, and other compliance
requirements that directly relate to specific aspects of the
program included in questions that reflect the audit
objectives.

c. Determine if violations of those laws, regulations, or
other compliance requirements could significantly affect the
auditors' answers to the questions that relate to the audit
objectives. If they could, then those laws, regulations, and other
compliance requirements are likely to be significant to the audit
objectives.

8 Paragraphs 7.25 through 7.27 discuss relying on the work of
others.

7.20 In planning tests of compliance with significant laws,
regulations, and other compliance requirements, auditors should
assess the risk that noncompliance could occur. That risk may be
affected by such factors as the complexity of the laws and
regulations or their newness. The auditors' assessment of risk
includes consideration of whether the entity has controls that are
effective in preventing or detecting noncompliance. Management is
responsible for establishing effective controls to ensure
compliance with laws and regulations, as well as other compliance
requirements such as provisions of contracts or grant agreements.
If auditors obtain sufficient evidence of the effectiveness of
these controls, they can reduce the extent of their tests of
compliance.

Criteria

7.21 Criteria are the standards, measures, expectations of what
should exist, best practices, or benchmarks against which
performance is compared or evaluated. Criteria, one of the elements
of a finding, provide a context for understanding the results of
the audit. (See paragraphs 7.45 through 7.48 for a discussion on
the other elements of a finding.) The audit plan, where possible,
should state the criteria to be used. In selecting criteria,
auditors have a responsibility to use criteria that are reasonable,
attainable, and relevant to the objectives of the performance
audit. The following are some examples of possible criteria:

a. purpose or goals prescribed by law or regulation or set
by management,

b. policies and procedures established by management of the
audited entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior years' performance,

f. performance of similar entities,

g. performance in the private sector, or

h. best practices of leading organizations.

Considering the Results of Previous Audits

7.22 Auditors should consider the results of previous audits
and follow up on known significant findings and recommendations9
that directly relate to the audit objectives of the performance
audit. Auditors should also be alert to the status of relevant
findings and recommendations identified in other available audits
and studies by other organizations as well. For example, an audit
report on an entity's computerized information systems may contain
significant findings that could relate to the audit if the entity
uses such systems to process its accounting or other information
the auditors plan on using. In any event, auditors need to make
judgments about the extent of follow-up needed and the appropriate
disclosure of uncorrected significant findings and recommendations
from prior audits that affect the audit objectives.

7.23 Providing continuing attention to significant findings
and recommendations is important to ensure that the benefits of
audit work are realized. Ultimately, the benefits of audit work
occur when audit findings are resolved through meaningful and
effective corrective action taken in response to the auditors'
findings and recommendations. Officials of the audited entity are
responsible for resolving audit findings and recommendations
directed to them and for having a process to track their status. If
officials of the audited entity do not have such a process,
auditors may wish to establish their own process.

9 Significant findings and recommendations are those matters that,
if not corrected, could affect the results of the auditors' work
and users' conclusions about those results.

Identifying Sources of Audit Evidence

7.24 In identifying potential sources of data that could be used
as audit evidence, auditors should consider the validity and
reliability of these data, including data collected by the audited
entity, data generated by the auditors, or data provided by third
parties, as well as the sufficiency and relevance of the evidence.
(See paragraphs 7.41 through 7.44 for guidance concerning
evidence.)

Considering Work of Other Auditors

7.25 Auditors should determine if other auditors have
previously done, or are doing, audits of the program or the entity
that operates it. Whether other auditors have done performance
audits, financial audits, or attestation engagements, the other
auditors may be useful sources of information for planning and
performing the audit. If other auditors have identified areas that
warrant further study, their work may influence the auditors'
selection of objectives. The availability of other auditors' work
may also influence the selection of methodology, as the auditors
may be able to rely on that work to limit the extent of their own
testing.

7.26 If auditors intend to rely on the work of other auditors,
they should perform procedures regarding the specific work to be
relied on that provide a sufficient basis for that reliance.
Auditors can obtain evidence concerning the other auditors'
qualifications10 and independence through prior experience,
inquiry, and/or review of the other auditors' external quality
control review report. Auditors can determine the sufficiency,
relevance, and competence of other auditors' evidence by reviewing
their report, audit program, or audit documentation, or by
performing supplemental tests of the other auditors' work. The
nature and extent of evidence needed will depend on the
significance of the other auditors' work and on the extent to which
the auditors will rely on that work.

10 Auditors from another country engaged to conduct audits in their
country should meet the professional qualifications to practice
under that country's laws and regulations or other acceptable
standards, such as those issued by the International Organization
of Supreme Audit Institutions. Also see the International
Federation of Accountants' International Standards on Auditing.

7.27 Auditors face similar considerations when using the work
of nonauditors (consultants, experts, specialists, and so forth).
In addition, auditors should obtain an understanding of the methods
and significant assumptions used by the nonauditors. (See paragraph
3.xx for independence considerations when relying on the work of
others.)

Staff and Other Resources

7.28 Staff planning should include, among other things,

a. assigning staff with the appropriate collective
knowledge, skills, and experience for the job,

b. assigning an adequate number of staff and supervisors to
the audit,

c. providing for on-the-job training of staff, and

d. engaging specialists when necessary.

7.29 The availability of staff and other resources and the
need for specialized skills are important considerations in
establishing the objectives, scope, and methodology. For example,
limitations on travel funds may preclude auditors from visiting
certain critical locations, or lack of expertise in a particular
methodology or with computerized information systems may preclude
auditors from undertaking certain objectives. Auditors may be able
to overcome such limitations by using staff from any existing local
field offices of the audit entity or by engaging consultants with
the necessary expertise.

7.30 If the use of a specialist is planned, auditors should
have sufficient knowledge to

a. articulate the objectives required of the
specialist,

b. evaluate whether the specified procedures will meet
auditors' objectives, and

c. evaluate the results of the procedures applied as they
relate to other planned audit procedures.

7.31 Auditors without sufficient knowledge to perform the
functions listed above may have to engage a consultant for quality
control purposes for the areas related to the specialist's
work.

Communicating With Management and Others

7.32 Auditors should communicate information about the specific
nature of the audit, as well as general information concerning the
planning and conduct of the performance audit, to the various
parties involved in the audit to help them understand the
objectives, time frames, and any data needs. Such parties may
include

a. the head of the audited entity;

b. the audit committee or, in the absence of an audit
committee, the board of directors or other equivalent oversight
body;

c. the individual who possesses a sufficient level of
authority and responsibility for the program or activity being
audited; and

d. the individuals contracting for or requesting audit
services, such as contracting officials or legislative members or
staff, if applicable.

7.33 Auditors should use their professional judgment to
determine the form, content, and frequency of the communication,
although written communication is preferred, and should document
the communication. Auditors may use an engagement letter, if
appropriate, to communicate the information.

Documenting Planning Decisions

7.34 A written audit plan should be prepared for each audit.
The form and content of the written audit plan will vary among
audits but should include an audit program or project plan, a
memorandum, or other appropriate documentation of key decisions
about the audit objectives, scope, and methodology and of the
auditors' basis for those decisions. It should be updated, as
necessary, to reflect any significant changes to the plan made
during the audit.

7.35 Documenting the audit plan is an opportunity for the
auditors to review the work done in planning the audit to determine
whether

a. the proposed audit objectives are likely to result in a
useful report,

b. the proposed audit scope and methodology are adequate to
satisfy the audit objectives, and

c. sufficient staff and other resources are available to
perform the audit and to meet expected time frames for completing
the work.

7.36 Written audit plans may include the following.

a. Information about the legal authority for the audited
program, its history and current objectives, its principal
locations, and other background that can help auditors understand
and carry out the audit plan.

b. Information about the responsibilities of each member of
the audit team (such as preparing audit programs, conducting audit
work, supervising and reviewing audit work, drafting reports,
handling comments from officials of the audited program, and
processing the final report), which can help auditors when the work
is conducted at several different locations. In these audits, use
of comparable audit methods and procedures can help make the data
obtained from participating locations comparable.

c. Audit programs describing procedures to accomplish the
audit objectives and providing a systematic basis for assigning
work to staff and for summarizing the work performed.

d. The general format of the audit report and the types of
information to be included, which can help auditors focus their
field work on the information to be reported.

SUPERVISION

7.37 The second field work standard for performance audits
is:

Staff are to be properly supervised.

7.38 Supervision involves directing the efforts of staff
assigned to the audit to ensure that the audit objectives are
accomplished. Elements of supervision include providing sufficient
guidance to staff members, keeping informed of significant problems
encountered, reviewing the work performed, and providing effective
on-the-job training.

7.39 Supervisors should satisfy themselves that staff members
clearly understand what work they are to do, why the work is to be
conducted, and what the work is expected to accomplish. With
experienced staff, supervisors may outline the scope of the work
and leave details to the staff. With a less experienced staff,
supervisors may have to specify audit procedures to be performed as
well as techniques for gathering and analyzing data.

7.40 The nature of the review of audit work may vary depending
on the significance of the work or the experience of the staff. For
example, it may be appropriate to have experienced staff review
much of the work of other staff with similar experience.

EVIDENCE

7.41 The third field work standard for performance audits
is:

Sufficient, competent, and relevant evidence is to be obtained
to afford a reasonable basis for the auditors' findings and
conclusions.

7.42 A large part of auditors' work on an audit concerns
obtaining and evaluating evidence that ultimately supports their
judgments and conclusions pertaining to the audit objectives. In
evaluating evidence, auditors consider whether they have obtained
the evidence necessary to achieve specific audit objectives. When
internal control or compliance requirements are significant to the
audit objectives, auditors should also collect and evaluate
evidence relating to controls or compliance.

7.43 Evidence may be categorized as physical, documentary,
testimonial, and analytical. Physical evidence is obtained by
auditors' direct inspection or observation of people, property, or
events. Such evidence may be documented in memoranda, photographs,
drawings, charts, maps, or physical samples. Documentary evidence
consists of created information such as letters, contracts,
accounting records, invoices, and management information on
performance. Testimonial evidence is obtained through inquiries,
interviews, or questionnaires. Analytical evidence includes
computations, comparisons, separation of information into
components, and rational arguments.

7.44 The guidance in the following paragraphs is intended to
help auditors judge the quality and quantity of evidence needed to
satisfy audit objectives. Paragraphs 7.45 through 7.48 describe the
elements of an audit finding. Paragraphs 7.49 through 7.58 provide
guidance to help auditors determine what constitutes sufficient,
competent, and relevant evidence to support their findings and
conclusions.

Audit Findings

7.45 Audit findings often have been regarded as containing the
elements of criteria, condition, and effect, plus cause when
problems are found. However, the elements needed for a finding
depend entirely on the objectives of the audit. Thus, a finding or
set of findings is complete to the extent that the audit objectives
are satisfied and the report clearly relates those objectives to
the finding's elements. Criteria are discussed in paragraph 7.21,
and the other elements of a finding--condition, effect, and
cause--are discussed in the following paragraphs.

7.46 Condition: Condition is a situation that exists. It has
been determined and documented during the audit.

7.47 Effect: Effect has two meanings, which depend on the
audit objectives. When the auditors' objectives include identifying
the actual or potential consequences of a condition that varies
(either positively or negatively) from the criteria identified in
the audit, "effect" is a measure of those consequences. Auditors
often use effect in this sense to demonstrate the need for
corrective action in response to identified problems. When the
auditors' objectives include estimating the extent to which a
program has caused changes in physical, social, or economic
conditions, "effect" is a measure of the impact achieved by the
program. Here, effect is the extent to which positive or negative
changes in actual physical, social, or economic conditions can be
identified and attributed to program operations.

7.48 Cause: Like effect, cause also has two meanings, which
depend on the audit objectives. When the auditors' objectives
include explaining why a particular type of positive or negative
performance identified in the audit occurred, the reasons for that
performance are referred to as "cause." Identifying the cause of
problems can assist auditors in making constructive recommendations
for correction. Because problems can result from a number of
plausible factors or multiple causes, the recommendation can be
more persuasive if auditors can clearly demonstrate and explain
with evidence and reasoning the link between the problems and the
factor or factors they identified as the underlying cause. When the
auditors' objectives include estimating the program's effect on
changes in physical, social, or economic conditions, they seek
evidence of the extent to which the program itself is the "cause"
of those changes.

Tests of Evidence

7.49 Evidence should be sufficient, competent, and relevant to
support a sound basis for audit findings, conclusions, and
recommendations.

a. Evidence should be sufficient to support the auditors'
findings. In determining the sufficiency of evidence, auditors
should ensure that enough evidence exists to persuade a
knowledgeable person of the validity of the findings. When
appropriate, statistical methods may be used to establish
sufficiency.

b. Evidence is competent if it is consistent with fact (that
is, evidence is competent if it is valid and reliable). In
assessing the competence of evidence, auditors should consider such
factors as whether the evidence is accurate, authoritative, timely,
and authentic. When appropriate, auditors may use statistical
methods to derive competent evidence.

c. Evidence is relevant if it has a logical, sensible
relationship to the issue being addressed.

7.50 The following presumptions are useful in judging the
competence of evidence. However, these presumptions are not to be
considered sufficient in themselves to determine competence. The
amount and kinds of evidence required to support auditors'
conclusions should be based on auditors' professional judgment.

a. Evidence obtained when internal controls are effective is
more competent than evidence obtained when controls are weak or
nonexistent. Auditors should therefore be particularly careful in
cases where controls are weak or nonexistent.

b. Evidence obtained through the auditors' direct physical
examination, observation, computation, and inspection is more
competent than evidence obtained indirectly.

c. Original documents provide more competent evidence than
do copies.

d. Testimonial evidence obtained under conditions where
persons may speak freely is more competent than testimonial
evidence obtained under compromising conditions (for example, where
the persons may be intimidated).

e. Testimonial evidence obtained from an individual who is
not biased or has complete knowledge about the area is more
competent than testimonial evidence obtained from an individual who
is biased or has only partial knowledge about the area.

f. Evidence obtained from a credible third party may in some
cases be more competent than that secured from management or other
officials of the audited entity.

7.51 Auditors may find it useful to obtain written
representations concerning the competence of certain evidence from
officials of the audited entity. Written representations ordinarily
confirm oral representations given to auditors, indicate and
document the continuing appropriateness of such representations,
and reduce the possibility of misunderstanding concerning the
matters that are the subject of the representations. Written
representations can take several forms, including having entity
management sign summary documents prepared by the
auditors.

7.52 The auditors' approach to determining the sufficiency,
competence, and relevance of evidence depends on the source of the
information that constitutes the evidence. Information sources
include original data gathered by auditors and existing data
gathered by either management or a third party. Data from any of
these sources may be obtained from computer-based
systems.

7.53 Data gathered by auditors: Data gathered by auditors
include the auditors' own observations and measurements. Among the
methods for gathering this type of data are questionnaires,
structured interviews, direct observations, and computations. The
design of these methods and the skill of the auditors applying them
are the keys to ensuring that these data constitute sufficient,
competent, and relevant evidence. When these methods are applied to
determine cause, auditors are concerned with eliminating rival
explanations.

7.54 Data gathered by management: Auditors can use data
gathered by management as part of their evidence. However, auditors
should determine the validity and reliability of these data that
are significant to the audit objectives and may do so by direct
tests of the data. Auditors can reduce the direct tests of the data
if they test the effectiveness of the entity's internal controls
over the validity and reliability of the data, and these tests
support the conclusion that the controls are effective. The nature
and extent of testing of the data will depend on the significance
of the data to support auditors' findings.

7.55 Data gathered by third parties: The auditors' evidence
may also include data gathered by third parties. In some cases,
these data may have been audited by others, or the auditors may be
able to audit the data themselves. In other cases, however, it will
not be practical to obtain evidence of the data's validity and
reliability. How the use of unaudited third-party data affects the
auditors' report depends on the data's significance to the
auditors' findings. For example, in some circumstances, auditors
may use unaudited data to provide background information; however,
the use of such unaudited data would generally not be appropriate
to support audit findings and conclusions.

7.56 Validity and reliability of data from computer-based systems: Auditors should obtain sufficient, competent, and relevant evidence that computer-processed data are valid and reliable when those data are significant to the auditors' findings. This work is necessary regardless of whether the data are provided to auditors or auditors independently extract them.11 Auditors should determine if other auditors have worked to establish the validity and reliability of the data or the effectiveness of the controls over the system that produced the data. If the results of such work are current, auditors may be able to rely on that work. (See paragraphs 7.25 through 7.27 for requirements when relying on the work of others.) Auditors may also determine the validity and reliability of computer-processed data by direct tests of the data.

11 When computer-processed data are used by the auditor, or included in the report, for background or informational purposes and are not significant to the auditors' findings, citing the source of the data and stating that they were not verified will satisfy the reporting standards for accuracy and completeness set forth in this statement.

7.57 Auditors can reduce the direct tests of the data if they test the effectiveness of general and application controls over computer-processed data, and these tests support the conclusion that the controls are effective. If auditors determine that internal controls over data which are significantly dependent upon computerized information systems are not effective or if auditors do not plan to test the effectiveness of such controls, auditors should include audit documentation regarding the basis for that conclusion by addressing (1) the reasons why the design or operation of the controls is ineffective, or (2) the reasons why it is inefficient to test the controls. In such circumstances, auditors should also include audit documentation regarding their reasons for concluding that the planned audit procedures are effectively designed to achieve specific audit objectives. This documentation should address

a. the rationale for determining the types and extent of planned audit procedures;

b. the kinds and competence of available evidence produced outside a computerized information system; and

c. the effect on the audit report if the evidence gathered during the audit does not allow the auditors to achieve audit objectives.

7.58 When the auditors' tests of data disclose errors in the data, or when they are unable to obtain sufficient, competent, and relevant evidence about the validity and reliability of the data, they may find it necessary to

a. seek evidence from other sources,

b. redefine the audit's objectives to eliminate the need to use the data, or

c. use the data, but clearly indicate in their report the data's limitations and refrain from making unwarranted conclusions or recommendations.

Evidence Indicative of Fraud, Illegal Acts, or Other Noncompliance

7.59 Auditors should be alert to situations or transactions that could be indicative of fraud, illegal acts (violations of laws and regulations), or other noncompliance (violations of other compliance requirements such as provisions of contracts or grant agreements). When information comes to the auditors' attention (through audit procedures, allegations received through fraud hotlines, or other means) indicating that fraud, illegal acts, or other noncompliance may have occurred, auditors should consider whether the possible fraud, illegal acts, or other noncompliance could significantly affect the audit results. If they could, the auditors should extend the audit steps and procedures, as necessary, (1) to determine if fraud, illegal acts, or other noncompliance are likely to have occurred and (2) if so, to determine their effect on the audit results.

7.60 Auditors' training, experience, and understanding of the program being audited may provide a basis for recognizing that some acts coming to their attention may be indicative of fraud, illegal acts, or other noncompliance. Whether an act is, in fact, illegal is a determination to be made through the judicial or other adjudicative system and is beyond auditors' professional expertise and responsibility. However, auditors are responsible for being aware of vulnerabilities to fraud, illegal acts, or other noncompliance associated with the area being audited in order to be able to identify indications that fraud, illegal acts, or other noncompliance may have occurred. In some circumstances, conditions such as the following might indicate a heightened risk of fraud, illegal acts, or other noncompliance:

a. weak management which fails to enforce existing internal control or to provide adequate oversight over the control process;

b. inadequate separation of duties, especially those that relate to controlling and safeguarding resources;

c. transactions that are out of the ordinary and are not satisfactorily explained, such as unexplained adjustments in inventories or other resources;

d. instances when employees of the audited entity refuse to take vacations or accept promotions;

e. missing or altered documents, or unexplained delays in providing information;

f. false or misleading information; or

g. history of impropriety, such as past audits or investigations with findings of questionable or criminal activity.

7.61 Auditors should exercise professional judgment in pursuing indications of possible fraud, illegal acts, or other noncompliance so as not to interfere with potential investigations, legal proceedings, or both. Under some circumstances, laws, regulations, or policies require auditors to report indications of certain types of illegal acts to law enforcement or investigatory authorities before extending audit steps and procedures. Auditors may also be required to withdraw from or defer further work on the audit or a portion of the audit in order not to interfere with an investigation.

7.62 An audit made in accordance with these standards provides reasonable assurance of detecting fraud, illegal acts, or other noncompliance that could significantly affect the audit results; it does not guarantee the discovery of fraud, illegal acts, or other noncompliance. Nor does the subsequent discovery of such acts committed during the audit period necessarily mean that the auditors' performance was inadequate, provided the audit was made in accordance with these standards.

7.63 Abuse is distinct from illegal acts and other noncompliance. When abuse occurs, no law, regulation, contract provision, or grant agreement is violated. Rather, the conduct of a government program falls far short of societal expectations for prudent program management. Auditors should be alert to situations or transactions that could be indicative of abuse. When information comes to the auditors' attention (through audit procedures, allegations received through a fraud hotline, or other means) indicating that abuse may have occurred, auditors should consider whether the possible abuse could significantly affect the audit results. If it could, the auditors should extend the audit steps and procedures, as necessary, (1) to determine if the abuse occurred and (2) if so, to determine its effect on the audit results. However, because the determination of abuse is so subjective, auditors are not expected to provide reasonable assurance of detecting it.

AUDIT DOCUMENTATION

7.64 The fourth field work standard for performance audits is:

Auditors should prepare and maintain audit documentation. Audit documentation should contain sufficient information to enable an experienced reviewer, who has had no previous connection with the audit, to ascertain from the audit documentation the evidence that supports the auditors' significant judgments and conclusions. Audit documentation that supports significant findings, conclusions, and recommendations should be complete before auditors issue their report.

7.65 The form and content of audit documentation should be designed to meet the circumstances of the particular audit. The information contained in audit documentation constitutes the principal record of the work that the auditors have performed and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment.

7.66 Audit documentation serves three main purposes: (1) to provide the principal support for the auditors' report, (2) to aid auditors in conducting and supervising the audit, and (3) to allow for the review of audit quality. This third purpose is important because audits done in accordance with GAGAS often are subject to review by other auditors and by oversight officials. Audit documentation allows for the review of audit quality by providing the reviewer documentation, either in written or electronic formats, of the evidence supporting the auditors' significant judgments and conclusions.

7.67 Audit organizations should establish reasonable policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal and administrative requirements. If audit documentation is only retained electronically, the audit organization should ensure that the electronic documentation is capable of being accessed throughout the specified retention period established for audit documentation and is safeguarded through sound computer security.

7.68 Audit documentation should contain

a. the objectives, scope, and methodology, including sampling and other selection criteria used;

b. documentation of the auditors' determination that certain standards do not apply or that an applicable standard was not followed, the reasons therefor, and the known effect that not following the standard had, or could have, on the audit;

c. documentation of the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined that would enable an experienced reviewer to examine the same transactions and records;12 and

d. evidence of supervisory review of the work performed.

7.69 Underlying GAGAS audits is the premise that federal, state, and local governments and other organizations cooperate in auditing programs of common interest so that the auditors may use others' work and avoid duplicate audit efforts. In addition, audits performed in accordance with GAGAS are subject to quality control and assurance reviews. Auditors should make arrangements to make audit documentation available, upon request, in a timely manner to other auditors or reviewers. Contractual arrangements for GAGAS audits should provide for full and timely access to audit documentation to facilitate reliance by other auditors on the auditors' work, as well as reviews of audit quality control and assurance.

12 The nature of this documentation will vary with the nature of the work performed. For example, when this work includes examination of management's records, the audit documentation should describe those records so that an experienced reviewer would be able to examine those same records. Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include in the audit documentation copies of documents they examined, nor are they required to list detailed information from those documents.

CHAPTER 8

REPORTING STANDARDS FOR PERFORMANCE AUDITS

INTRODUCTION

8.1 This chapter prescribes reporting standards and provides guidance to auditors reporting on performance audits in accordance with generally accepted government auditing standards (GAGAS). The reporting standards for performance audits relate to the form of the report, the report contents, report quality, and report issuance and distribution.

FORM

8.2 The first reporting standard for performance audits is:

Auditors should prepare audit reports communicating the results of each audit.

8.3 The form of the audit report should be appropriate for its intended use. Auditors should use their professional judgment including consideration of users' needs, likely demand, and distribution in determining the form of the audit report. In addition to a more formal presentation of audit results, such as a chapter report or a letter report, briefing slides may be considered audit reports. Audit reports also may be presented on electronic media that are retrievable by report users and the audit organization, such as video or compact disk formats. However, to comply with these standards, audit reports, regardless of form, should comply with all applicable reporting standards.

8.4 This standard is not intended to limit or prevent discussion of findings, judgments, conclusions, and recommendations with persons who have responsibilities involving the area being audited. On the contrary, such discussions are encouraged.

8.5 Audit reports (1) communicate the results of audits to officials at various levels of government, (2) make the results less susceptible to misunderstanding, (3) make the results available for public inspection, and (4) facilitate follow-up to determine whether appropriate corrective actions have been taken. The need to maintain public accountability for government programs demands that audit reports be retrievable.

8.6 When an audit is terminated before it is completed, auditors should communicate that fact to management of the audited entity, the entity requesting the audit, and other appropriate officials, preferably in writing. In the absence of an audit report, auditors should also write a memorandum for the record that summarizes the results of the work to the date of termination and explains why the audit was terminated.

REPORT CONTENTS

8.7 The second reporting standard for performance audits is:

The audit report should include the objectives, scope, and methodology; the audit results, including findings, conclusions, and recommendations, as appropriate; a reference to compliance with generally accepted government auditing standards; the views of responsible officials; and, if applicable, the nature of any privileged and confidential information omitted.

Objectives, Scope, and Methodology

8.8 Auditors should include in the report the audit objectives and the scope and methodology used for achieving the audit objectives. This information is needed by report users to understand the purpose of the audit and the nature of the audit work performed, to provide perspective as to what is reported, and to understand any significant limitations in audit objectives, scope, or methodology. Auditors should also report the status of uncorrected significant findings and recommendations1 from prior audits that affect the objectives of the current audit.

Objectives

8.9 Audit objectives should be communicated to knowledgeable users by reporting the questions that were to be answered in the audit in a clear, specific, and neutral manner that avoids unstated assumptions. In reporting the audit objectives, auditors should explain why the audit organization undertook the assignment and state what the report is to accomplish, and why the subject matter is important. Articulating what the report is to accomplish normally involves identifying the audit subject and the aspect of performance examined. The reported audit objectives provide more meaningful information to report users if they are measurable and feasible and avoid being presented in a broad or general manner. To reduce misunderstanding in cases where the objectives are particularly limited and broader objectives can be inferred, it may be necessary to state objectives that were not pursued.

Scope and Methodology

8.10 In reporting the scope of the audit, auditors should describe the depth and coverage of work conducted to accomplish the audit's objectives. Auditors should, as applicable, explain the relationship between the population of items sampled and what was audited; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any problems with the evidence. Auditors should also report significant constraints imposed on the audit approach by data limitations or scope impairments.

1 Significant findings and recommendations are those matters that, if not corrected, could affect the results of the auditors' work and users' conclusions about those results.

8.11 To report the methodology used, auditors should clearly explain how the audit objectives were accomplished including the evidence gathering and analysis techniques used in sufficient detail to allow knowledgeable users of their reports to understand the work. This explanation should identify any significant assumptions made in conducting the audit; describe any comparative techniques applied; describe the criteria used; and when sampling significantly supports auditors' findings, describe the sample design and state why it was chosen, including whether the results can be projected to the intended population.

8.12 Auditors should attempt to avoid misunderstanding by the report user concerning the work that was and was not done to achieve the audit objectives, particularly when the work was limited because of constraints on time or resources. The auditors' report should clearly describe the scope of the work performed and any limitations, the applicable standards that were not followed, and the reasons therefor, and how not following the applicable standards affected or could affect the results of the work. For example, if the auditors are unable to determine the reliability of information from an agency's database, and information from this database is critical to the audit findings, the report should clearly state the limitations associated with the information and refrain from making unwarranted conclusions or recommendations. In these situations, the audit report should also include the reasons the auditors were unable to perform this work and the potential impact on the findings if the information is not reliable.

Audit Results

8.13 Auditors should report significant findings by providing credible and convincing evidence that relates to the audit objectives. An audit report is improved when it provides sufficient contextual sophistication to reflect an understanding of the issues and an awareness of the external environment, including sensitivity to relevant trends. The report should provide selective background information to provide the context for the overall message and to help the reader understand the significance of the issues discussed.2 The report should also include all significant instances of fraud, illegal acts, or other noncompliance3 and all significant instances of abuse that were found during or in connection with the audit and any significant weaknesses in internal control found during the audit, and where applicable, auditors' conclusions.4

Findings

8.14 Auditors should report the significant findings developed in response to each audit objective. These findings should be supported by sufficient, competent, and relevant evidence. They also should be presented in a manner to promote adequate understanding of the matters reported and to provide convincing but fair presentations in proper perspective.

8.15 As discussed in chapter 7, findings often have been regarded as containing the elements of criteria, condition, cause, and effect. However, the elements needed for a finding depend on the audit objectives. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of the finding.

8.16 Auditors should develop the elements of a finding in the audit report, as appropriate to satisfy the audit objectives. In reporting on elements of findings, auditors may find it useful to consider the following guidance on each finding element.

a. Criteria: An audit report is improved when it provides information so that the report user will be able to determine what is the required or desired state or what is expected from the program or operation. The criteria are easier to understand when stated fairly, explicitly, and completely, and the source of the criteria is identified in the audit report.5

b. Condition: The audit report is improved when it provides evidence of what the auditors found regarding the actual situation. Reporting the scope or extent of the condition allows the report user to gain an accurate perspective.

c. Cause: The audit report is improved when it provides convincing evidence on the factor or factors responsible for the difference between condition and criteria. In reporting the cause, auditors may consider whether the evidence provides a reasonable and persuasive argument for why the stated cause is the key factor or factors contributing to the difference as opposed to other possible causes, such as poorly designed criteria or factors uncontrollable by program management. The auditors also may consider whether the identified cause serves as a basis for the recommendations.

d. Effect: The audit report is improved when it provides a clear, logical link to establish the impact of the difference between what the auditors found (condition) and what should be (criteria). Effect is easier to understand when it is stated clearly, concisely, and in concrete terms. The significance of the reported effect can be demonstrated through credible evidence.

2 Appropriate background information may include information on how programs/operations work, the significance of programs/operations (i.e., dollars, impact, purposes, and past audit work if relevant), a description of the audited entity's responsibilities, and explanation of terms, organizational structure, and statutory basis for the program/operations.

3 Whether a particular act is, in fact, illegal may have to await final determination by a court of law. Thus, when auditors disclose matters that have led them to conclude that an illegal act is likely to have occurred, they should take care not to imply that they have made a determination of illegality. See paragraph 8.17 for additional reporting considerations.

4 Significant weaknesses in internal controls may be discussed in the report as an element of a finding. Many times these weaknesses will be described as the cause of the finding or in "a process finding" will be the condition element. Paragraphs 7.46 through 7.49 describe the elements of a finding.

8.17 When auditors conclude, based on evidence obtained, that significant fraud, illegal acts, or other noncompliance either has occurred or is likely to have occurred, they should include in their audit report the relevant information. The term "noncompliance" comprises illegal acts (violations of laws and regulations) and violations of provisions of contracts or grant agreements. When auditors conclude significant abuse has occurred or is likely to have occurred, they should also include relevant information in the report. Abuse occurs when the conduct of a government organization, program, activity, or function falls short of societal expectations for prudent behavior.

5 Common sources for criteria are laws, regulations, policy, procedures, best or standard practice, or assertions. The Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) and Internal Control-Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report) are two sources of established criteria auditors can use to support their judgments and conclusions about internal control.

8.18 In reporting significant instances of noncompliance, auditors should place their findings in perspective. To give the report user a basis for judging the prevalence and consequences of noncompliance, the instances of noncompliance should be related to the population or the number of cases examined and quantified in terms of dollar value, if appropriate. If the results cannot be projected, the conclusion should be limited to the items tested.

8.19 In reporting on internal control, auditors should describe the scope of internal control testing, and in presenting the results of those tests, report the significant weaknesses.6 Auditors may identify significant weaknesses in internal control as the cause of deficient performance. In reporting this type of finding, the control weakness would be described as the "cause."

8.20 When auditors detect nonsignificant instances of fraud, illegal acts, or other noncompliance or nonsignificant instances of abuse or weaknesses in internal control, they should communicate them to the officials of the audited program, preferably in writing. Auditors should include in their audit documentation all communications to officials of the audited program about fraud, illegal acts, or other noncompliance and instances of abuse or internal control weaknesses. If the auditors have communicated such instances of fraud, illegal acts, or other noncompliance, abuse, and internal control weaknesses in a management letter to top management, auditors should refer to that management letter in the audit report.

6 Significant weaknesses are matters coming to the auditors' attention that they believe should be reported to officials of the audited program because they could adversely affect the program under audit.

Direct Reporting of Fraud and Illegal Acts

8.21 Auditors are responsible for reporting certain fraud and illegal acts directly to parties outside the audited entity in certain circumstances, as discussed in the following paragraphs. Auditors should fulfill these responsibilities even if they have resigned or been dismissed from the audit.7

8.22 Officials of the audited entity may be required by law or regulation to report certain fraud and illegal acts to specified external parties such as a federal inspector general or a state attorney general. If auditors have communicated such fraud and illegal acts to officials of the audited entity, and the latter fail to report them, then the auditors should communicate their awareness of that failure to the audited entity's governing body. If officials of the audited entity do not make the required report as soon as practical after the auditors' communication with its governing body, then the auditors should report the fraud and illegal acts directly to the external party specified in the law or regulation.

8.23 Auditors should obtain sufficient, competent, and relevant evidence, such as confirmation with outside parties, to corroborate assertions by management that it has reported fraud or illegal acts. If they are unable to do so, then the auditors should report the fraud or illegal acts directly as discussed above.

8.24 Laws, regulations, or other authority may require auditors to report promptly indications of fraud or other illegal acts to law enforcement or investigatory authorities. In such circumstances, when auditors conclude that fraud or another illegal act either has occurred or is likely to have occurred, they should refer it to law enforcement or investigatory authorities and ask those authorities or legal counsel if reporting certain information about the potential fraud or illegal act would compromise investigative or legal proceedings. Auditors should limit the extent of their reporting to matters that would not compromise those proceedings, such as information that is already a part of the public record.

7 Internal audit organizations do not have a duty to report outside that entity unless required by law, rule, regulation, or policy.

Conclusions

8.25 Auditors should report conclusions when called for by the audit objectives. Conclusions are logical inferences about the program based on the auditors' findings and should flow from the findings, instead of representing a summary of them. Conclusions should be clearly stated, not implied. The strength of the auditors' conclusions depends on the persuasiveness of the evidence supporting the findings and the soundness of the logic used to formulate the conclusions. Conclusions are stronger if they set up the report's recommendations and convince the knowledgeable user of the report that action is necessary.

Recommendations

8.26 If warranted, auditors should make recommendations for
actions to improve programs and operations and to correct problem
areas identified during the audit. Auditors should make
recommendations when the potential for improvement in programs,
operations, and performance is substantiated by the reported
findings and conclusions. Recommendations should logically flow
from the evidence and need to state clearly the actions to be
taken. Recommendations to effect compliance with laws and
regulations and improve internal control also should be made when
significant instances of fraud, illegal acts, or other
noncompliance are noted or significant abuse or weaknesses in
controls are found.

8.27 Constructive recommendations can encourage improvements
in the conduct of government programs and operations. For
recommendations to be most constructive, they should be directed at
resolving the cause of identified problems, action oriented and
specific, addressed to parties that have the authority to act,
practical, and, to the extent feasible, cost effective and
measurable.
Statement on Compliance With Generally Accepted Government Auditing Standards

8.28 Auditors should report that the audit was made in
accordance with generally accepted government auditing standards.
The statement of compliance with GAGAS refers to all the applicable
standards that the auditors should have followed during the audit.
The statement should be qualified in situations in which the
auditors did not follow an applicable standard. In these
situations, auditors should report in the scope section the
applicable standard that was not followed, the reasons therefor,
and how not following the standard affected the results of the
audit.
Views of Responsible Officials

8.29 Auditors should report the views of responsible officials
of the audited program concerning auditors' findings, conclusions,
and recommendations. One of the most effective ways to ensure that
a report is fair, complete, and objective is to obtain advance
review and comments by responsible officials of the audited entity
and others, as may be appropriate. Including the views of
responsible officials produces a report that shows not only what
was found, and what the auditors think about it, but also what the
officials in the audited entity think about the report and what
they plan to do about it.

8.30 Auditors should normally request that the responsible
officials' views on significant findings, conclusions, and
recommendations be submitted in writing. Oral comments are
acceptable as well, and, in some cases, may be the only or most
expeditious way to obtain comments. Cases in which obtaining oral
comments can be effective include when there is a time-critical
need to meet a user's needs; the auditor has worked closely with
the responsible officials throughout the conduct of the work and
the parties are very familiar with the findings and issues
addressed in the draft product; or the auditor does not expect
major disagreements with the draft report's findings, conclusions,
and recommendations, or perceive any major controversies with
regard to the issues discussed in the draft report. Auditors should
prepare a summary of the officials' oral comments and provide a
copy of the summary to management of the audited entity to verify
that the comments are accurately stated.

8.31 Comments should be fairly and objectively evaluated and
recognized, as appropriate, in the final report. Comments, such as
a promise or plan for corrective action, should be noted but should
not be accepted as justification for dropping a significant finding
or a related recommendation.

8.32 When the audited entity's comments state that the
report's findings, conclusions, or recommendations are inaccurate
or misleading and those comments are not, in the auditors' opinion,
valid, the auditors should state their reasons for disagreeing with
the comments. The auditors' disagreement should be stated in a fair
and objective manner. Conversely, the auditors should modify their
report as necessary if they find the comments valid. Auditors may
wish to attach the comment letter to the audit report to provide
the reader with both points of view.
Privileged and Confidential Information

8.33 If certain information is prohibited from general
disclosure, auditors should report the nature of the information
omitted and the requirement that makes the omission necessary.
Certain information may be prohibited from general disclosure by
federal, state, or local laws or regulations. In such
circumstances, auditors may issue a separate limited official use
report containing such information and distribute the report only
to persons authorized by law or regulation to receive it. Auditors
should, when appropriate, consult with legal counsel regarding any
requirements or other circumstances that may necessitate the
omission of certain information. If auditors make the judgment that
certain pertinent information should be excluded from a publicly
available report, they should state the nature of the information
omitted and the reasons that make the omission necessary.

8.34 Additional circumstances associated with public safety
and security concerns could also justify the exclusion of certain
information in the report. For example, detailed information
related to computer security for a particular program may be
excluded from publicly available reports because of the potential
damage that could be caused by the misuse of this information. In
such circumstances, auditors may issue a limited official use
report containing such information and distribute the report only
to those parties responsible for acting on the auditors'
recommendations. If auditors make the judgment that certain
additional information should be excluded from a publicly available
report, they should state the nature of the information omitted and
the reasons that make the omission necessary.

8.35 Auditors are expected to act with integrity in judging
whether any information should be excluded from publicly available
reports. These judgments need to be made in a consistent manner
with consideration of the broader public interest in the program or
activity under review. Auditors need to weigh the need to reveal
all significant facts known to them which, if not revealed, could
either distort the results or conceal improper or unlawful practice
against any requirements or other circumstances that may
necessitate the omission of certain information.
REPORT QUALITY

8.36 The third reporting standard for performance audits is:

The reports should be timely, fact-based, accurate, objective,
convincing, clear, and as concise as the subject permits.
Timely

8.37 To be of maximum use, the audit report needs to provide
relevant information in time to respond to management, legislative
officials, and other users' legitimate needs. Likewise, the
information provided in the report needs to be current. Therefore,
auditors should plan for the appropriate issuance of the report and
conduct the audit with these goals in mind.

8.38 During the audit, the auditors should consider interim
reporting of significant matters to appropriate entity officials.
Such communication, which may be oral or written, is not a
substitute for a final report, but it does alert officials to
matters needing immediate attention and permits them to correct
them before the final report is completed.
Fact-Based

8.39 Being fact-based requires that the report contains all
evidence needed to satisfy the audit objectives and promotes an
adequate and correct understanding of the matters reported. It also
means the report states information and findings completely,
including all necessary facts and explanations. Giving report users
an adequate and correct understanding means providing perspective
on the extent and significance of reported findings, such as the
frequency of occurrence relative to the number of cases or
transactions tested, and the relationship of the findings to the
entity's operations.

8.40 In most cases, a single example of a deficiency is not
sufficient to support a broad conclusion or a related
recommendation. All that it supports is that a deviation, an error,
or a weakness existed. Sufficient detailed supporting data should
be included to make convincing presentations.
Accurate

8.41 Accuracy requires that the evidence presented be true and
that findings be correctly portrayed. The need for accuracy is
based on the need to assure report users that what is reported is
credible and reliable. One inaccuracy in a report can cast doubt on
the validity of an entire report and can divert attention from the
substance of the report. Also, use of inaccurate evidence can
damage the credibility of the issuing audit organization and reduce
the effectiveness of its reports.

8.42 The report should include only information, findings, and
conclusions that are supported by competent and relevant evidence
in the audit documentation. If data are significant to the audit
findings and conclusions, but are not audited, the auditors should
clearly indicate in their report the data's limitations and not
make unwarranted conclusions or recommendations based on those
data.

8.43 Reported evidence should demonstrate the correctness and
reasonableness of the matters reported. Correct portrayal means
describing accurately the audit scope and methodology, and
presenting findings and conclusions in a manner consistent with the
scope of audit work. The report should not have errors in logic and
reasoning. One way to help ensure accuracy in the report is to use
a quality control process such as referencing. Referencing is a
process in which statements of facts, figures, and dates are traced
back to the supporting working papers by an experienced auditor who
is independent of the audit. This process is designed to ensure
that sufficient credible evidence is present to support the
report's conclusions and recommendations.
Objective

8.44 Objectivity requires that the presentation of the entire
report be balanced in content and tone. A report's credibility is
significantly enhanced when it presents evidence in an unbiased
manner so that report users can be persuaded by the facts. The
report should be fair and not misleading, and should place the
audit results in perspective. This means presenting the audit
results impartially and fairly. In describing shortcomings in
performance, auditors should put findings in context. For example,
the audited entity may have faced unusual difficulties or
circumstances.

8.45 The tone of reports should encourage decision makers to
act on the auditors' findings and recommendations. This tone should
be balanced by requiring reports to present sound and logical
evidence to support conclusions, while refraining from using
adjectives or adverbs that characterize evidence in a way that
implies criticism or conclusion by innuendo.

8.46 The report should also recognize the positive aspects of
the program reviewed if applicable to the audit objectives.
Inclusion of positive program aspects may lead to improved
performance by other government organizations that read the
report.
Convincing

8.47 Being convincing requires that the audit results be
responsive to the audit objectives, the findings be presented
persuasively, and the conclusions and recommendations follow
logically from the facts presented. The information presented
should be sufficient to convince the report users to recognize the
validity of the findings, the reasonableness of the conclusions,
and the benefit of implementing the recommendations. Reports
designed in this way can help focus the attention of responsible
officials on the matters that warrant attention and can help
stimulate correction.
Clear

8.48 Clarity requires that the report be easy to read and
understand. Reports should be prepared in language as clear and
simple as the subject permits. Use of straightforward, nontechnical
language is essential to simplicity of presentation. Whenever
technical terms, abbreviations, and acronyms are used, they should
be clearly defined.

8.49 Auditors may consider using a summary within the report
to capture the report user's attention and highlight the overall
message. If a summary is used, it generally should focus on the
specific answers to the questions in the audit objectives,
summarize the audit's most significant findings and the report's
principal conclusions, and prepare users to anticipate the major
recommendations.

8.50 Logical organization of material, and accuracy and
precision in stating facts and in drawing conclusions, are
essential to clarity and understanding. Effective use of titles and
captions and topic sentences makes the report easier to read and
understand. Visual aids (such as pictures, charts, graphs, and
maps) should be used when appropriate to clarify and summarize
complex material.
Concise

8.51 Being concise requires that the report be no longer than
necessary to convey and support the message. Extraneous detail
detracts from a report, may even conceal the real message, and may
confuse or distract the users. Also, needless repetition should be
avoided. Although room exists for considerable judgment in
determining the content of reports, those that are fact-based, but
still concise, are likely to achieve greater results.
REPORT ISSUANCE AND DISTRIBUTION

8.52 The fourth reporting standard for performance audits is:

Audit organizations should submit audit reports to the
appropriate officials of the audited program and to the appropriate
officials of the organizations requiring or arranging for the
audits, including external funding organizations, unless legal
restrictions prevent it. Copies of the reports should also be sent
to other officials who have legal oversight authority or who may be
responsible for acting on audit findings and recommendations and to
others authorized to receive such reports. Unless the report is
restricted by law or regulation, copies should be made available
for public inspection.

8.53 Audit reports should be distributed in a timely manner to
officials interested in the results. Such officials include those
designated by law or regulation to receive such reports, those
responsible for acting on the findings and recommendations, those
of other levels of government who have provided assistance to the
audited entity, and legislators. However, if the subject of the
audit involves material that is classified for security purposes or
is not releasable to particular parties or the public for other
valid reasons, auditors should limit the report distribution.

8.54 When nongovernment audit organizations are engaged, the
engaging government organization should ensure that the report is
distributed appropriately. If the nongovernment audit organization
is to make the distribution, the engagement agreement should
indicate which officials or organizations should receive the
report.

8.55 Internal auditors should follow their entity's own
arrangements and statutory requirements for distribution. Usually,
they report to their entity's top managers, who are responsible for
distribution of the report. Further distribution of reports outside
the organization should be made in accordance with applicable law,
rule, regulation, or policy.