
Amendment No. 2--Auditor Communication (Superseded by GAO-03-673G) A-GAGAS-2, July 1999

Published by the Government Accountability Office on 1999-07-01.


United States General Accounting Office

GAO

By the Comptroller General of the United States

July 1999

Government Auditing Standards

Amendment No. 2

Auditor Communication




GAO/A-GAGAS-              A-
United States General Accounting Office
Washington, D.C. 20648

Comptroller General of the United States



This second amendment to Government Auditing
Standards (1994 revision), Amendment No. 2, Auditor
Communication, adds a field work standard and amends a
reporting standard for financial statement audits to
improve auditor communication concerning the auditor’s
work on compliance with laws and regulations and
internal control over financial reporting. This new
amendment requires specific communication with the
auditee, the individuals contracting for or requesting the
audit services, and the audit committee regarding the
scope of compliance and internal control work to be
performed under Government Auditing Standards. The
new amendment also requires the auditor to emphasize in
the auditor’s report on the financial statements the
importance of the reports on compliance with laws and
regulations and internal control over financial reporting
when these reports are issued separately from the report
on the financial statements.

The American Institute of Certified Public Accountants
(AICPA), in issuing Statement on Auditing Standards
(SAS) No. 61, Communication With Audit Committees, and
SAS No. 83, Establishing an Understanding With the
Client, set requirements for auditors to establish an
understanding with the client regarding the services to be
performed and to determine that certain matters related to
the conduct of the audit under generally accepted auditing
standards are communicated to those who have
responsibility for oversight of the financial reporting
process. Amendment No. 2 broadens the parties who the
auditor must communicate with and requires the auditor
to communicate specific information regarding the nature
and extent of testing and reporting on compliance with
laws and regulations and internal control over financial
reporting during the planning stages of a financial
statement audit. The Advisory Council on Government
Auditing Standards recommended the issuance of this
amendment to reduce the risk that the needs or
expectations of the parties involved may be misinterpreted
and to highlight the importance of the auditor’s reports on
compliance with laws and regulations and internal control
over financial reporting required under Government
Auditing Standards.

This amendment moves a reporting standard on auditor
communication (paragraphs 5.5 through 5.10) in chapter
5, with some modification, to a field work standard
(paragraphs 4.6.3 through 4.6.9), as communication on the
scope of work to be performed on an audit is viewed
more appropriately as a field work standard. In addition,
this amendment revises the section entitled “Reporting on
Compliance With Laws and Regulations and on Internal
Controls” (paragraphs 5.15 through 5.17) in chapter 5.

This amendment includes changes resulting from
Government Auditing Standards: Amendment No. 1,
Documentation Requirements when Assessing Control
Risk at Maximum for Controls Significantly Dependent
Upon Computerized Information Systems (GAO/A-
GAGAS-1, May 1999). This amendment also includes
conforming changes to recognize, where applicable,
standards issued by the AICPA subsequent to the issuance
of the 1994 revision of Government Auditing Standards,
and the issuance of Office of Management and Budget
Circular A-133, Audits of States, Local Governments, and
Non-Profit Organizations issued in June 1997.

This amendment is effective for financial statement audits
of periods ending on or after January 1, 2000. Earlier
application is permissible.

We have included as appendixes I and II versions of
chapters 4 and 5, respectively, which show the deletion of
language appearing in Government Auditing Standards
(1994 revision), as amended by Amendment No. 1, with a
strikeout and present the new or amended language with
bold and italics. Appendix III contains a list of members
to the Comptroller General’s Advisory Council on
Government Auditing Standards.

An electronic version of this amendment can be accessed
through GAO’s Internet Home Page (www.gao.gov) from
the GAO Policy and Guidance Materials or the Special
Publications sections of the GAO site, or directly at
www.gao.gov/govaud/ybk01.htm. This site also
contains a new electronic version of Government Auditing
Standards, which codifies the new amendment by
reflecting changes made resulting from the issuance of
recent amendments. Printed copies of this amendment can
be obtained from the U.S. Government Printing Office.

This amendment was exposed for public comment prior to
its final issuance. As a result, various suggestions were
incorporated into the final amendment. I thank those who
suggested improvements to the amendment, and I
especially commend the Advisory Council on Government
Auditing Standards and the project team for their efforts.

If you have any questions regarding this amendment,
please contact Robert W. Gramling, Director, Corporate
Audits and Standards, Accounting and Information
Management Division, (202) 512-9406. Key contributors to
this amendment were Cheryl E. Clark, Marcia B.
Buchanan, and Michael C. Hrapsky.


David M. Walker
Comptroller General
of the United States




Amendment   No. 2: Auditor Communication

Chapter 4
Field Work Standards for Financial Audits

This amendment to Government Auditing Standards
(1994 revision) establishes a new field work standard
and revises a reporting standard for financial statement
audits to improve auditor communication concerning
the auditor’s work on compliance with laws and
regulations and internal control over financial reporting
with users of the auditor’s reports. This standard is
effective for financial statement audits of periods
ending on or after January 1, 2000. Earlier application
is permissible.



Purpose

4.1 This chapter prescribes standards of field work for
financial audits, which include financial statement
audits and financial related audits.

Relation to AICPA Standards

4.2 For financial statement audits, generally accepted
government auditing standards (GAGAS) incorporate
the American Institute of Certified Public Accountants’
(AICPA) three generally accepted standards of field
work, which are:

a. The work is to be adequately planned and assistants,
if any, are to be properly supervised.

b. A sufficient understanding of internal control is to be
obtained to plan the audit and to determine the nature,
timing, and extent of tests to be performed.

c. Sufficient competent evidential matter is to be
obtained through inspection, observation, inquiries,
and confirmations to afford a reasonable basis for an
opinion regarding the financial statements under audit.

4.3 The AICPA has issued statements on auditing
standards (SAS) that interpret its standards of field
work (including a SAS on compliance auditing).1 This
chapter incorporates these SASs and prescribes
additional standards on

a. auditor communication (see paragraphs 4.6.3
through 4.6.9),

b. audit follow-up (see paragraphs 4.7, 4.10, and 4.11),

c. noncompliance other than illegal acts (see
paragraphs 4.13 and 4.18 through 4.20),

d. documentation requirements when assessing control
risk at maximum for controls significantly dependent
upon computerized information systems (see
paragraphs 4.21.1 through 4.21.4), and

e. working papers. (See paragraphs 4.34 through 4.38.)

4.4 This chapter also discusses three other key aspects
of financial statement audits:

a. materiality (see paragraphs 4.6.1 and 4.6.2),

b. fraud and illegal acts (see paragraphs 4.14 through
4.17), and

c. internal control. (See paragraphs 4.22 and 4.25
through 4.30.)

4.5 This chapter concludes by explaining which
standards auditors should follow in performing
financial related audits.




1 GAGAS incorporate any new AICPA field work standards relevant to
financial statement audits unless the General Accounting Office (GAO)
excludes them by formal announcement.




Planning

4.6 AICPA standards and GAGAS require the
following:

The work is to be properly planned, and auditors
should consider materiality, among other matters,
in determining the nature, timing, and extent of
auditing procedures and in evaluating the results
of those procedures.

4.6.1 Auditors’ consideration of materiality is a matter
of professional judgment and is influenced by their
perception of the needs of a reasonable person who
will rely on the financial statements. Materiality
judgments are made in light of surrounding
circumstances and necessarily involve both
quantitative and qualitative considerations.

4.6.2 In an audit of the financial statements of a
government entity or an entity that receives
government assistance, auditors may set lower
materiality levels than in audits in the private sector
because of the public accountability of the auditee, the
various legal and regulatory requirements, and the
visibility and sensitivity of government programs,
activities, and functions.

Auditor Communication

4.6.3 The first additional planning standard for
financial statement audits is

Auditors should communicate information to the
auditee, the individuals contracting for or
requesting the audit services, and the audit
committee regarding the nature and extent of
planned testing and reporting on compliance with
laws and regulations and internal control over
financial reporting.

4.6.4 AICPA standards and GAGAS require auditors to
establish an understanding with the client and to
communicate with audit committees. GAGAS broaden
who auditors must communicate with and require
auditors to communicate specific information
regarding the nature and extent of testing and reporting
on compliance with laws and regulations and internal
control over financial reporting during the planning
stages of a financial statement audit to reduce the risk
that the needs or expectations of the parties involved
may be misinterpreted.

4.6.5 The auditee is the organization or entity being
audited. Auditors should communicate their
responsibilities for the engagement to the appropriate
officials of the auditee (which would normally include
the head of the organization, the audit committee or
board of directors or other equivalent oversight body in
the absence of an audit committee, and the individual
who possesses a sufficient level of authority and
responsibility for the financial reporting process, such
as the chief financial officer). In situations where
auditors are performing the audit under a contract with
a party other than the auditee, or pursuant to a third-
party request, auditors should also communicate with
the individuals contracting for or requesting the audit,
such as contracting officials or legislative members or
staff. When auditors are performing the audit pursuant
to a law or regulation, auditors should communicate
with the legislative members or staff who have
oversight of the auditee.1.1

4.6.6 During the planning stages of an audit, auditors
should communicate their responsibilities in a financial
statement audit, including their responsibilities for
testing and reporting on compliance with laws and
regulations and internal control over financial reporting.
Such communication should include the nature of any
additional testing of compliance and internal control
required by laws and regulations or otherwise requested
and whether the auditors are planning on providing
opinions on compliance with laws and regulations and
internal control over financial reporting.

1.1 This requirement applies only to situations where the law or
regulation specifically identifies the entity to be audited, such as an
audit of a specific agency’s financial statements required by the Chief
Financial Officers Act, as expanded by the Government Management
Reform Act of 1994. Situations where the financial statement audit
mandate applies to entities not specifically identified, such as audits
required by the Single Audit Act Amendments of 1996, are excluded.

4.6.7 Auditors should use their professional judgment
to determine the form and content of the
communication. Written communication is preferred.
Auditors should document the communication in the
working papers. Auditors may use an engagement
letter to communicate the information described in
paragraph 4.6.6. To assist in understanding the
limitations of auditors’ responsibilities for testing and
reporting on compliance and internal control over
financial reporting, auditors may want to contrast those
responsibilities with other financial related audits of
compliance and controls. The discussion in paragraphs
4.6.8 and 4.6.9 may be helpful to auditors in explaining
their responsibilities for testing and reporting on
compliance with laws and regulations and internal
control over financial reporting to the auditee and
other interested parties.

4.6.8 Tests of compliance with laws and regulations
and internal control over financial reporting in a
financial statement audit contribute to the evidence
supporting the auditors’ opinion on the financial
statements. However, they generally do not provide a
basis for opining on compliance or internal control
over financial reporting. To meet certain audit report
users’ needs, laws and regulations sometimes prescribe
testing and reporting on compliance and internal
control over financial reporting to supplement the
financial statement audit’s coverage of these areas.1.2

4.6.9 Even after auditors perform and report the
results of additional tests of compliance and internal
control over financial reporting required by laws and
regulations, some reasonable needs of report users still
may be unmet. Auditors may meet these needs by
performing further tests of compliance and internal
control in either of two ways:

a. supplemental (or agreed-upon) procedures or

b. examination, resulting in an opinion.


Audit Follow-up

4.7 The second additional planning standard for
financial statement audits is

Auditors should follow up on known material
findings and recommendations from previous audits.

[Paragraphs 4.8 and 4.9 have been moved and
renumbered to paragraphs 4.6.1 and 4.6.2.]

4.10 Auditors should follow up on known material
findings and recommendations from previous audits
that could affect the financial statement audit. They
should do this to determine whether the auditee has
taken timely and appropriate corrective actions.
Auditors should report the status of uncorrected
material findings and recommendations from prior
audits that affect the financial statements.

1.2 For example, when engaged to perform audits under the Single Audit
Act of state and local government entities and nonprofit organizations
that receive federal awards, auditors should be familiar with the Single
Audit Act Amendments of 1996 and Office of Management and Budget
(OMB) Circular A-133. The act and circular include specific audit
requirements, mainly in the areas of compliance with laws and
regulations and internal control, that exceed the minimum audit
requirements in the standards in chapters 4 and 5 of this document.
Audits conducted under the Chief Financial Officers Act of 1990, as
expanded by the Government Management Reform Act of 1994, also
have specific audit requirements prescribed by OMB in the areas of
compliance and internal control. Many state and local governments
have additional audit requirements.

4.11 Much of the benefit from audit work is not in the
findings reported or the recommendations made, but in
their effective resolution. Auditee management is
responsible for resolving audit findings and
recommendations, and having a process to track their
status can help it fulfill this responsibility. If management
does not have such a process, auditors may wish to
establish their own. Continued attention to material
findings and recommendations can help auditors assure
that the benefits of their work are realized.


Fraud, Illegal Acts, and Other Noncompliance

4.12 AICPA standards and GAGAS require the
following:

a. Auditors should design the audit to provide
reasonable assurance of detecting fraud that is
material to the financial statements.2

b. Auditors should design the audit to provide
reasonable assurance of detecting material
misstatements resulting from direct and material
illegal acts.3

c. Auditors should be aware of the possibility that
indirect illegal acts may have occurred.4 If
specific information comes to the auditors’
attention that provides evidence concerning the
existence of possible illegal acts that could have a
material indirect effect on the financial
statements, the auditors should apply audit
procedures specifically directed to ascertaining
whether an illegal act has occurred.

2 Two types of misstatements are relevant to the auditors’ consideration
of fraud in a financial statement audit--misstatements arising from
fraudulent financial statements and misstatements arising from
misappropriation of assets. The primary factor that distinguishes fraud
from error is whether the underlying action that results in the
misstatement in the financial statements is intentional or unintentional.

3 Direct and material illegal acts are violations of laws and
regulations having a direct and material effect on the determination
of financial statement amounts.

4.13 The additional compliance standard for financial
statement audits is

Auditors should design the audit to provide
reasonable assurance of detecting material
misstatements resulting from noncompliance with
provisions of contracts or grant agreements that
have a direct and material effect on the
determination of financial statement amounts. If
specific information comes to the auditors’
attention that provides evidence concerning the
existence of possible noncompliance that could
have a material indirect effect on the financial
statements, auditors should apply audit
procedures specifically directed to ascertaining
whether that noncompliance has occurred.


Auditors’ Understanding of Possible Fraud and of Laws and Regulations

4.14 Auditors are responsible for being aware of the
characteristics and types of potentially material fraud
that could be associated with the area being audited so
that they can plan the audit to provide reasonable
assurance of detecting material fraud.

4.15 Auditors should obtain an understanding of the
possible effects on financial statements of laws and
regulations that are generally recognized by auditors to
have a direct and material effect on the determination
of amounts in the financial statements. Auditors may
find it necessary to use the work of legal counsel in
(1) determining which laws and regulations might have
a direct and material effect on the financial statements,
(2) designing tests of compliance with laws and
regulations, and (3) evaluating the results of those
tests.6 Auditors also may find it necessary to use the
work of legal counsel when an audit requires testing
compliance with provisions of contracts or grant
agreements. Depending on the circumstances of the
audit, auditors may find it necessary to obtain
information on compliance matters from others, such as
investigative staff, audit officials of government entities
that provided assistance to the auditee, and/or the
applicable law enforcement authority.

4 Indirect illegal acts are violations of laws and regulations having
material but indirect effects on the financial statements.


Due Care Concerning Possible Fraud and Illegal Acts

4.16 Auditors should exercise due professional care in
pursuing indications of possible fraud and illegal acts so
as not to interfere with potential future investigations,
legal proceedings, or both. Under some circumstances,
laws, regulations, or policies may require auditors to
report indications of certain types of fraud or illegal
acts to law enforcement or investigatory authorities
before extending audit steps and procedures. Auditors
may also be required to withdraw from or defer further
work on the audit or a portion of the audit in order not
to interfere with an investigation.

4.17 An audit made in accordance with GAGAS will not
guarantee the discovery of illegal acts or contingent
liabilities resulting from them. Nor does the subsequent
discovery of illegal acts committed during the audit
period necessarily mean that the auditors’ performance
was inadequate, provided the audit was made in
accordance with these standards.

6 AICPA standards provide guidance for auditors who use the work
of a specialist who is not a member of their staff.




Noncompliance Other Than Illegal Acts

4.18 The term noncompliance has a broader meaning
than illegal acts. Noncompliance includes not only
illegal acts, but also violations of provisions of
contracts or grant agreements. AICPA standards do not
discuss auditors’ responsibility for detecting
noncompliance other than illegal acts. But, under
GAGAS, auditors have the same responsibilities for
detecting material misstatements arising from other
types of noncompliance as they do for detecting those
arising from illegal acts.

4.19 Direct and material noncompliance is
noncompliance having a direct and material effect on
the determination of financial statement amounts.
Auditors should design the audit to provide reasonable
assurance of detecting material misstatements resulting
from direct and material noncompliance with
provisions of contracts or grant agreements.

4.20 Indirect noncompliance is noncompliance having
material but indirect effects on the financial statements.
A financial statement audit provides no assurance that
indirect noncompliance with provisions of contracts or
grant agreements will be detected. However, if specific
information comes to the auditors’ attention that
provides evidence concerning the existence of possible
noncompliance that could have a material indirect
effect on the financial statements, auditors should apply
audit procedures specifically directed to ascertaining
whether that noncompliance has occurred.


Internal Control

4.21 AICPA standards and GAGAS require the
following:

Auditors should obtain a sufficient understanding
of internal control to plan the audit and determine
the nature, timing, and extent of tests to be
performed.




4.21.1 AICPA standards and GAGAS require that, in all
audits, auditors obtain an understanding of internal
control sufficient to plan the audit by performing
procedures to understand (1) the design of controls
relevant to an audit of financial statements and
(2) whether the controls have been placed in operation.
This understanding should include a consideration of
the methods an entity uses to process accounting
information because such methods influence the design
of internal control. The extent to which computerized
information systems are used in significant accounting
applications,6.1 as well as the complexity of that
processing, may also influence the nature, timing, and
extent of audit procedures. Accordingly, in planning the
audit and in obtaining an understanding of internal
control over an entity’s computer processing, auditors
should consider, among other things, such matters as

a. the extent to which computer processing is used in
each significant accounting application;6.2

b. the complexity of the entity’s computer operations;

c. the organizational structure of the computer
processing activities; and

d. the kinds and competence of available evidential
matter, in electronic and in paper formats, to achieve
audit objectives.



6.1 Significant accounting applications are those which relate to
accounting information that can materially affect the financial
statements the auditor is auditing. Significant accounting applications
could include financial as well as other systems, such as management
information systems or systems that monitor compliance, if they
provide data for material account balances, transaction classes, and
disclosure components of financial statements.

6.2 Obtaining an understanding of these elements would include
consideration of internal control related to security over computerized
information systems.

4.21.2 AICPA standards and GAGAS require auditors to
document their understanding of the components of an
entity’s internal control related to computer applications
that process information used in preparing an entity’s
financial statements and, based on that understanding,
to develop a planned audit approach in sufficient detail
to demonstrate its effectiveness in reducing audit risk.
In doing so, under AICPA standards and GAGAS,
auditors should consider whether specialized skills are
needed for considering the effect of computerized
information systems on the audit, understanding
internal control, or designing and performing audit
procedures, including tests of internal control. If the
use of a professional with specialized skills is planned,
auditors should have sufficient computer-related
knowledge to communicate the objectives of the other
professional’s work; to evaluate whether the specified
procedures will meet the auditors’ objectives; and to
evaluate the results of the procedures applied as they
relate to the nature, timing, and extent of other planned
audit procedures.

4.21.3 The additional internal control standard for
financial statement audits is

In planning the audit, auditors should document in
the working papers (1) the basis for assessing
control risk at the maximum level for assertions
related to material account balances, transaction
classes, and disclosure components of financial
statements when such assertions are significantly
dependent upon computerized information systems
and (2) consideration that the planned audit
procedures are designed to achieve audit
objectives and to reduce audit risk to an
acceptable level.

4.21.4 This additional GAGAS standard does not
increase the auditors’ responsibility for testing controls,
but rather requires that, if auditors assess control risk at
the maximum level for assertions related to material
account balances, transaction classes, and disclosure
components of financial statements when such
assertions are significantly dependent upon
computerized information systems, auditors should
document in the working papers6,3 the basis for that
conclusion by addressing (1) the ineffectiveness of the
design and/or operation of the controls, or (2) the
reasons why it would be inefficient to test the controls.
In such circumstances, GAGAS also require auditors to
document in the working papers the consideration that
the planned audit procedures are designed to achieve
specific audit objectives and, accordingly, to reduce
audit risk to an acceptable level. This documentation
should address

a. the rationale for determining the nature, timing, and
extent of planned audit procedures;

b. the kinds and competence of available evidential
matter produced outside a computerized information
system; and

c. the effect on the audit opinion or report if evidential
matter to be gathered during the audit does not afford a
reasonable basis for the auditor’s opinion on the
financial statements.

4.22 Safeguarding of assets and compliance with laws
and regulations are internal control objectives that are
especially important in conducting financial statement
audits in accordance with GAGAS of governmental
entities or others receiving government funds. Given
the public accountability for stewardship of resources,
safeguarding of assets permeates control objectives and
components as defined by the AICPA standards and
GAGAS. Also, the operation of government programs
and the related transactions that materially affect the
entity’s financial statements are generally governed by
laws and regulations. Although GAGAS are not
prescribing additional internal control standards in
these areas, this chapter provides a discussion that
auditors may find useful in assessing audit risk and in
obtaining evidence needed to support their opinion on
the financial statements in a governmental environment.

See paragraphs 4.34 through 4.38 for a discussion of the working paper
standards.

                  [Paragraphs 4.23 and 4.24 deleted.]


Safeguarding of Assets

                  4.25 As applied to financial statement audits, internal
                  control over safeguarding of assets constitutes a
                  process, effected by an entity’s governing body,
                  management, and other detection of unauthorized
                  acquisition, use, or disposition of the entity’s assets that
                  could have a material effect on the financial statements.

                   4.26 Internal control over the safeguarding of assets
                  relates to the prevention or timely detection of
                  unauthorized transactions and unauthorized access to
                  assets that could result in losses that are material to the
                  financial statements; for example, when unauthorized
                  expenditures or investments are made, unauthorized
                  liabilities are incurred, inventory is stolen, or assets are
                  converted to personal use. Such controls are designed to
                  help ensure the use of and access to assets are in
                  accordance with management’s authorization.
                  Authorization includes approval of transactions in
                  accordance with control activities established by
                  management to safeguard assets, such as establishing and
                  complying with requirements for extending and monitoring
                  credit or making investment decisions, and related
                  documentation. Control over safeguarding of assets is not
                  designed to protect against loss of assets arising from
                  inefficiency or from management’s operating decisions,
                  such as incurring expenditures for equipment or material
                  that proves to be unnecessary or unsatisfactory.

                  4.27 AICPA standards and GAGAS require auditors to
                  obtain a sufficient understanding of internal control to
                  plan the audit. They also require auditors to plan the
                  audit to provide reasonable assurance of detecting
material fraud, including material misappropriation of
assets. Because preventing or detecting material
misappropriations is an objective of control over
safeguarding of assets, understanding this type of
control can be essential to planning the audit.

4.28 Control over safeguarding of assets is not limited
to preventing or detecting misappropriations, however.
It also helps prevent or detect other material losses that
could result from unauthorized acquisition, use, or
disposition of assets. Such controls include, for
example, the process of assessing the risk of
unauthorized acquisition, use, or disposition of assets
and establishing control activities to help ensure that
management directives to address the risk are carried
out. Such control activities would include permitting
acquisition, use, or disposition of assets only in
accordance with management’s general or specific
authorization, including compliance with established
control activities for such acquisition, use, or
disposition. They would also include comparing
existing assets with the related records at reasonable
intervals and taking appropriate action with respect to
any differences. Finally, controls over safeguarding of
assets against unauthorized acquisition, use, or
disposition also relate to making available to
management information it needs to carry out its
responsibilities related to prevention or timely detection
of such unauthorized activities, as well as mechanisms
to enable management to monitor the continued
effective operation of such controls.

4.29 Understanding the control over safeguarding of
assets can help auditors assess the risk that financial
statements could be materially misstated. For example,
an understanding of an auditee’s control over the
safeguarding of assets can help auditors recognize risk
factors such as

a. failure to adequately monitor decentralized operations;


                  b. lack of control over activities, such as lack of
                  documentation for major transactions;

                  c. lack of control over computerized information systems,
                  such as a lack of control over access to applications that
                  initiate or control the movement of assets;

                  d. failure to develop or communicate adequate control
                  activities for security of data or assets, such as allowing
                  unauthorized personnel to have ready access to data or
                  assets; and

                  e. failure to investigate significant unreconciled
                  differences between reconciliations of a control account
                  and subsidiary records.

Control Over Compliance With Laws and Regulations

                  4.29.1 Governmental entities are subject to a variety of
                  laws and regulations that affect their financial
                  statements, which is a major factor distinguishing
                  governmental accounting from commercial accounting.
                  For example, such laws and regulations may address the
                  required fund structure, procurement or debt
                  limitations, or authority for transactions. Accordingly,
                  compliance with such laws and regulations may have a
                  direct and material effect on the determination of
                  amounts in the financial statements of governmental
                  entities. Likewise, organizations that receive
                  government assistance, such as contractors, nonprofit
                  organizations, and other nongovernmental
                  organizations, are also subject to regulations, contract
                  provisions, or grant agreements that could have a direct
                  and material effect on their financial statements.
                  Management, of both governmental entities and others
                  receiving governmental assistance, is responsible for
                  ensuring that the entity complies with the laws and
                  regulations applicable to its activities. That
                  responsibility encompasses the identification of
                  applicable laws and regulations and the establishment of
                  controls designed to provide reasonable assurance that
                  the entity complies with those laws and regulations.


                 4.30 AICPA standards and GAGAS require auditors to
                 design the audit to provide reasonable assurance that
                 the financial statements are free of material
                 misstatements resulting from violations of laws and
                 regulations that have a direct and material effect on the
                 determination of financial statement amounts. To meet
                 that requirement, auditors should have an understanding
                 of internal control relevant to financial statement
                 assertions affected by those laws and regulations.
                 Auditors should use that understanding to identify types
                 of potential misstatements, consider factors that affect
                 the risk of material misstatement, and design
                 substantive tests. For example, the following factors
                 may influence the auditors’ assessment of control risk:

                 a. management’s awareness or lack of awareness of
                 applicable laws and regulations;

                 b. auditee policy regarding such matters as acceptable
                 operating practices and codes of conduct; and

                 c. assignment of responsibility and delegation of authority to
                 deal with such matters as organizational goals and objectives,
                 operating functions, and regulatory requirements.

                 [Paragraphs 4.31 through 4.33 deleted.]


Working Papers

                 following:

                 A record of the auditors’ work should be retained
                 in the form of working papers.

                 4.35 The additional working paper standard for
                 financial statement audits is

                 Working papers should contain sufficient
                 information to enable an experienced auditor
                 having no previous connection with the audit to
                 ascertain from them the evidence that supports the
                 auditors’ significant conclusions and judgments.

4.36 Audits done in accordance with GAGAS are subject
to review by other auditors and by oversight officials
more frequently than audits done in accordance with
AICPA standards. Thus, whereas AICPA standards cite
two main purposes of working papers-providing the
principal support for the audit report and aiding auditors
in the conduct and supervision of the audit-working
papers serve an additional purpose in audits performed in
accordance with GAGAS. Working papers allow for the
review of audit quality by providing the reviewer written
documentation of the evidence supporting the auditors’
significant conclusions and judgments.

4.37 Working papers should contain

a. the objectives, scope, and methodology, including any
sampling criteria used;

b. documentation of the work performed to support
significant conclusions and judgments, including
descriptions of transactions and records examined that
would enable an experienced auditor to examine the
same transactions and records; and

c. evidence of supervisory reviews of the work performed.

4.38 One factor underlying GAGAS audits is that federal,
state, and local governments and other organizations
cooperate in auditing programs of common interest so
that auditors may use others’ work and avoid duplicate
audit efforts. Arrangements should be made so that
working papers will be made available, upon request, to
other auditors. To facilitate reviews of audit quality and
reliance by other auditors on the auditors’ work,
contractual arrangements for GAGAS audits should
provide for access to working papers.

Auditors may meet this requirement by listing voucher numbers,
check numbers, or other means of identifying specific documents they
examined. They are not required to include copies of documents they
examined in the working papers, nor are they required to list detailed
information from those documents.

Financial Related Audits

                 4.39 Certain AICPA standards address specific types of
                 financial related audits, and GAGAS incorporate those
                 standards, as discussed below:7

                 a. SAS No. 75, Engagements to Apply Agreed-Upon
                 Procedures to Specific Elements, Accounts, or Items of
                 a Financial Statement;

                 b. SAS No. 62, Special Reports, for auditing specified
                 elements, accounts, or items of a financial statement;

                 c. SAS No. 74, Compliance Auditing Considerations in
                 Audits of Governmental Entities and Recipients of
                 Governmental Financial Assistance, for testing
                 compliance with laws and regulations applicable to
                 federal financial assistance programs;

                 d. SAS No. 70, Reports on the Processing of
                 Transactions by Service Organizations, for examining
                 descriptions of internal control of service organizations
                 that process transactions for others;

                 e. Statement on Standards for Attestation Engagements
                 (SSAE) No. 1, Attestation Standards, as amended by
                 SSAE No. 9, Amendments to Statement on Standards for
                 Attestation Engagements Nos. 1, 2, and 3, for examining
                 or reviewing an entity’s assertions about financial
                 related matters not specifically addressed in other
                 AICPA standards;

                 f. SSAE No. 2, Reporting on an Entity’s Internal Control
                 Over Financial Reporting, as amended by SSAE No. 9,
                 Amendments to Statement on Standards for Attestation
                 Engagements Nos. 1, 2, and 3, for examining an entity’s
                 assertions about its internal control over financial
                 reporting and/or safeguarding assets;



                 7 GAGAS incorporate any new AICPA field work standards relevant to
                 financial related audits unless GAO excludes them by formal
                 announcement.

g. SSAE No. 3, Compliance Attestation, as amended by
SSAE No. 9, Amendments to Statement on Standards for
Attestation Engagements Nos. 1, 2, and 3, for (1)
examining or applying agreed-upon procedures to an
entity’s assertions about compliance with specified
requirements or (2) applying agreed-upon procedures to
an entity’s assertions about internal control over
compliance with laws and regulations; and

h. SSAE No. 4, Agreed-Upon Procedures Engagements,
for applying agreed-upon procedures to (1) an entity’s
assertions about internal control over financial reporting
and/or safeguarding of assets or (2) an entity’s
assertions about financial related matters not
specifically addressed in other AICPA standards.

4.40 Besides following applicable AICPA standards,
auditors should follow this chapter’s audit follow-up and
working paper standards. They should apply or adapt the
other standards and guidance in this chapter as
appropriate in the circumstances. For financial related
audits not described above, auditors should follow the field
work standards for performance audits in chapter 6.8




8 Chapter 2 provides examples of other types of financial related audits.

                Chapter 5
 Reporting Standards for Financial Audits

Purpose

                           5.1 This chapter prescribes standards of reporting for
                           financial audits, which include financial statement
                           audits and financial related audits.


Relation to AICPA Standards

                           5.2 For financial statement audits, generally accepted
                           government auditing standards (GAGAS) incorporate
                           the American Institute of Certified Public Accountants’
                           (AICPA) four generally accepted standards of reporting,
                           which are:

                           a. The report shall state whether the financial
                           statements are presented in accordance with generally
                           accepted accounting principles.

                           b. The report shall identify those circumstances in
                           which such principles have not been consistently
                           observed in the current period in relation to the
                           preceding period.

                           c. Informative disclosures in the financial statements
                           are to be regarded as reasonably adequate unless
                           otherwise stated in the report.

                           d. The report shall either contain an expression of
                           opinion regarding the financial statements, taken as a
                           whole, or an assertion to the effect that an opinion cannot
                           be expressed. When an overall opinion cannot be
                           expressed, the reasons therefor should be stated. In all
                           cases where an auditor’s name is associated with
                           financial statements, the report should contain a clear-cut
                           indication of the character of the auditor’s work, if any,
                           and the degree of responsibility the auditor is taking.

                  5.3 The AICPA has issued statements on auditing
                  standards (SAS) that interpret its standards of
                  reporting.1 This chapter incorporates these SASs and
                  prescribes additional standards on

                  a. reporting compliance with GAGAS (see paragraphs
                  5.11 through 5.14),

                  b. reporting on compliance with laws and regulations
                  and on internal control over financial reporting (see
                  paragraphs 5.15 through 5.28),

                  c. privileged and confidential information (see
                  paragraphs 5.29 through 5.31), and

                  d. report distribution. (See paragraphs 5.32 through 5.35.)

                  1 GAGAS incorporate any new AICPA reporting standards relevant to
                  financial statement audits unless the General Accounting Office (GAO)
                  excludes them by formal announcement.

                  5.4 This chapter concludes by explaining which
                  standards auditors should follow in reporting the results
                  of financial related audits.

                  [Paragraphs 5.5 through 5.10 and footnote 2 deleted.]


Reporting Compliance With Generally Accepted Government Auditing Standards

                  5.11 The first additional reporting standard for
                  financial statement audits is

                  Audit reports should state that the audit was made
                  in accordance with generally accepted government
                  auditing standards.

                  5.12 The above statement refers to all the applicable
                  standards that the auditors should have followed during
                  their audit. The statement should be qualified in
                  situations where the auditors did not follow an
                  applicable standard. In these situations, the auditors
                  should disclose the applicable standard that was not
                  followed, the reasons therefor, and how not following
                  the standard affected the results of the audit.

                  5.13 When the report on the financial statements is
                  submitted to comply with a legal, regulatory, or
                  contractual requirement for a GAGAS audit, it should
                  specifically cite GAGAS. The report on the financial
                  statements may cite AICPA standards as well as GAGAS.


                  5.14 The auditee may need a financial statement audit
                  for purposes other than to comply with requirements
                  calling for a GAGAS audit. For example, it may need a
                  financial statement audit to issue bonds. GAGAS do not
                  prohibit auditors from issuing a separate report on the
                  financial statements conforming only to the requirements
                  of AICPA standards. However, it may be advantageous to
                  use a report issued in accordance with GAGAS for these
                  other purposes because it provides information on
                  compliance with laws and regulations and internal
                  control (as discussed below) that is not contained in a
                  report issued in accordance with AICPA standards.


Reporting on Compliance With Laws and Regulations and on Internal Control Over Financial Reporting

                  5.15 The second additional reporting standard for
                  financial statement audits is

                  The report on the financial statements should
                  either (1) describe the scope of the auditors’
                  testing of compliance with laws and regulations
                  and internal control over financial reporting and
                  present the results of those tests or (2) refer to
                  the separate report(s) containing that
                  information. In presenting the results of those
                  tests, auditors should report fraud, illegal acts,
                  other material noncompliance, and reportable
                  conditions in internal control over financial
                  reporting.3 In some circumstances, auditors should
                  report fraud and illegal acts directly to parties
                  external to the audited entity.

                  5.16 Auditors may report on compliance with laws and
                  regulations and internal control over financial reporting
                  in the report on the financial statements or in separate
                  report(s). When auditors report on compliance and
                  internal control over financial reporting in the report on
                  the financial statements, they should include an
                  introduction summarizing key findings in the audit of
                  the financial statements and the related compliance and
                  internal control work. Auditors should not issue this
                  introduction as a stand-alone report.

                  3 These responsibilities are in addition to and do not modify auditors’
                  responsibilities under AICPA standards to (1) address the effect fraud or
                  illegal acts may have on the report on the financial statements and (2)
                  determine that the audit committee or others with equivalent authority
                  and responsibility are adequately informed about fraud, illegal acts, and
                  reportable conditions.

                       5.16.1 When auditors report separately (including
                       separate reports bound in the same document) on
                       compliance with laws and regulations and internal
                       control over financial reporting, the report on the
                       financial statements should state that they are issuing
                       those additional reports. The report on the financial
                       statements should also state that the reports on
                       compliance with laws and regulations and internal
                       control over financial reporting are an integral part of a
                       GAGAS audit, and, in considering the results of the
                       audit, these reports should be read along with the
                       auditors’ report on the financial statements.


Scope of Compliance and Internal Control Work

                       5.17 Auditors should report the scope of their testing of
                       compliance with laws and regulations and of internal
                       control over financial reporting, including whether or
                       not the tests they performed provided sufficient
                       evidence to support an opinion on compliance or
                       internal control over financial reporting and whether the
                       auditors are providing such opinions.


Fraud, Illegal Acts, and Other Noncompliance

                       5.18 When auditors conclude, based on evidence
                       obtained, that fraud or an illegal act either has occurred
                       or is likely to have occurred,4 they should report
                       relevant information. Auditors need not report
                       information about fraud or an illegal act that is clearly
                       inconsequential. Thus, auditors should present in a
                       report the same fraud and illegal acts that they report to
                       audit committees under AICPA standards. Auditors
                       should also report other noncompliance (for example, a
                       violation of a contract provision) that is material to the
                       financial statements.

                       4 Whether a particular act is, in fact, illegal may have to await final
                       determination by a court of law. Thus, when auditors disclose matters
                       that have led them to conclude that an illegal act is likely to have
                       occurred, they should take care not to imply that they have made a
                       determination of illegality.

5.19 In reporting material fraud, illegal acts, or other
noncompliance, the auditors should place their findings in
proper perspective. To give the reader a basis for judging
the prevalence and consequences of these conditions, the
instances identified should be related to the universe or
the number of cases examined and be quantified in terms
of dollar value, if appropriate.5 In presenting material
fraud, illegal acts, or other noncompliance, auditors
should follow chapter 7’s report contents standards for
objectives, scope, and methodology; audit results; views
of responsible officials; and its report presentation
standards, as appropriate. Auditors may provide less
extensive disclosure of fraud and illegal acts that are not
material in either a quantitative or qualitative sense.6

5.20 When auditors detect fraud, illegal acts, or other
noncompliance that do not meet paragraph 5.18’s
criteria for reporting, they should communicate those
findings to the auditee, preferably in writing. If auditors
have communicated those findings in a management
letter to top management, they should refer to that
management letter when they report on compliance.
Auditors should document in their working papers all
communications to the auditee about fraud, illegal acts,
and other noncompliance.

5 Audit findings have often been regarded as containing the elements of
criteria, condition, and effect, plus cause when problems are found. However,
the elements needed for a finding depend entirely on the objectives of the
audit. Reportable conditions and noncompliance found by the auditor may
not always have all of these elements fully developed, given the scope and
objectives of the specific financial audit. However, auditors should identify at
least the condition, criteria, and possible asserted effect to provide sufficient
information to federal, state, and local officials to permit them to determine
the effect and cause in order to take prompt and proper corrective action.

6 Chapter 4 provides guidance on factors that may influence auditors’
materiality judgments in audits of government entities or entities
receiving government assistance. AICPA standards provide guidance on
the interaction of quantitative and qualitative considerations in
materiality judgments.


Direct Reporting of Fraud and Illegal Acts

                      5.21 GAGAS require auditors to report fraud or illegal
                      acts directly to parties outside the auditee in two
                      circumstances, as discussed below. These requirements
                      are in addition to any legal requirements for direct
                      reporting of fraud or illegal acts. Auditors should meet
                      these requirements even if they have resigned or been
                      dismissed from the audit.7

                       5.22 The auditee may be required by law or regulation to
                      report certain fraud or illegal acts to specified external
                      parties (for example, to a federal inspector general or a
                      state attorney general). If auditors have communicated
                      such fraud or illegal acts to the auditee, and it fails to
                      report them, then the auditors should communicate their
                      awareness of that failure to the auditee’s governing body.
                      If the auditee does not make the required report as soon
                      as practicable after the auditors’ communication with its
                      governing body, then the auditors should report the fraud
                      or illegal acts directly to the external party specified in
                      the law or regulation.

                      5.23 Management is responsible for taking timely and
                      appropriate steps to remedy fraud or illegal acts that
                      auditors report to it. When fraud or an illegal act
                      involves assistance received directly or indirectly from a
                      government agency, auditors may have a duty to report
                      it directly if management fails to take remedial steps. If
                      auditors conclude that such failure is likely to cause
                      them to depart from the standard report on the financial
                      statements or resign from the audit, then they should
                      communicate that conclusion to the auditee’s governing
                      body. Then, if the auditee does not report the fraud or
                      illegal act as soon as practicable to the entity that


                      7Internal auditors auditing within the entity that employs them do not
                      have a duty to report outside that entity.

                   provided the government assistance, the auditors should
                   report the fraud or illegal act directly to that entity.

                   5.24 In both of these situations, auditors should obtain
                   sufficient, competent, and relevant evidence (for
                   example, by confirmation with outside parties) to
                   corroborate assertions by management that it has
                   reported fraud or illegal acts. If they are unable to do
                   so, then the auditors should report the fraud or illegal
                   acts directly as discussed above.

                   5.25 Chapter 4 reminds auditors that under some
                   circumstances, laws, regulations, or policies may
                   require them to report promptly indications of certain
                   types of fraud or illegal acts to law enforcement or
                   investigatory authorities. When auditors conclude that
                   this type of fraud or illegal act either has occurred or is
                   likely to have occurred, they should ask those
                   authorities and/or legal counsel if reporting certain
                   information about that fraud or illegal act would
                   compromise investigative or legal proceedings.
                   Auditors should limit their reporting to matters that
                   would not compromise those proceedings, such as
                   information that is already a part of the public record.


Deficiencies in    5.26 Auditors should report deficiencies in internal
Internal Control   control that they consider to be “reportable conditions”
                   as defined in AICPA standards. The following are
                   examples of matters that may be reportable conditions:

                   a. absence of appropriate segregation of duties
                   consistent with appropriate control objectives;

                   b. absence of appropriate reviews and approvals of
                   transactions, accounting entries, or systems output;

                   c. inadequate provisions for the safeguarding of assets;

                   d. evidence of failure to safeguard assets from loss,
                   damage, or misappropriation;


e. evidence that a system fails to provide complete and
accurate output consistent with the auditee’s control
objectives because of the misapplication of control
procedures;

f. evidence of intentional override of internal control by
those in authority to the detriment of the overall
objectives of the system;

g. evidence of failure to perform tasks that are part of
internal control, such as reconciliations not prepared or
not timely prepared;

h. absence of a sufficient level of control consciousness
within the organization;

i. significant deficiencies in the design or operation of
internal control that could result in violations of laws
and regulations having a direct and material effect on
the financial statements; and

j. failure to follow up and correct previously identified
deficiencies in internal control.8

5.27 In reporting reportable conditions, auditors should
identify those that are individually or cumulatively material
weaknesses.9 Auditors should follow chapter 7’s report
contents standards for objectives, scope, and methodology;
audit results; and views of responsible officials; and its
report presentation standards, as appropriate.

5.28 When auditors detect deficiencies in internal
control that are not reportable conditions, they should
communicate those deficiencies to the auditee,
preferably in writing. If the auditors have
communicated other deficiencies in internal control in a

8Chapter 4’s audit follow-up standard requires auditors to report the
status of uncorrected material findings and recommendations from prior
audits that affect the financial statement audit.

9See footnote 5.

                 management letter to top management, they should
                 refer to that management letter when they report on
                 internal control. All communications to the auditee
                 about deficiencies in internal control should be
                 documented in the working papers.


Privileged and   5.29 The third additional reporting standard for
Confidential     financial statement audits is
Information
                 If certain information is prohibited from general
                 disclosure, the audit report should state the nature
                 of the information omitted and the requirement
                 that makes the omission necessary.

                 5.30 Certain information may be prohibited from
                 general disclosure by federal, state, or local laws or
                 regulations. Such information may be provided on a
                 need-to-know basis only to persons authorized by law or
                 regulation to receive it.

                 5.31 If such requirements prohibit auditors from
                 including pertinent data in the report, they should state
                 the nature of the information omitted and the
                 requirement that makes the omission necessary. The
                 auditors should obtain assurance that a valid
                 requirement for the omission exists and, when
                 appropriate, consult with legal counsel.


Report           5.32 The fourth additional reporting standard for
Distribution     financial statement audits is

                 Written audit reports are to be submitted by the
                 audit organization to the appropriate officials of
                 the auditee and to the appropriate officials of the
                 organizations requiring or arranging for the audits,
                 including external funding organizations, unless
                 legal restrictions prevent it. Copies of the reports
                 should also be sent to other officials who have
                 legal oversight authority or who may be


                    responsible for acting on audit findings and
                    recommendations and to others authorized to
                    receive such reports. Unless restricted by law or
                    regulation, copies should be made available for
                    public inspection.10

                    5.33 Audit reports should be distributed in a timely
                    manner to officials interested in the results. Such
                    officials include those designated by law or regulation to
                    receive such reports, those responsible for acting on the
                    findings and recommendations, those of other levels of
                    government that have provided assistance to the
                    auditee, and legislators. However, if the subject of the
                    audit involves material that is classified for security
                    purposes or not releasable to particular parties or the
                    public for other valid reasons, auditors may limit the
                    report distribution.

                    5.34 When public accountants are engaged, the
                    engaging organization should ensure that the report is
                    distributed appropriately. If the public accountants are
                    to make the distribution, the engagement agreement
                    should indicate what officials or organizations should
                    receive the report.

                    5.35 Internal auditors should follow their entity’s own
                    arrangements and statutory requirements for distribution.
                    Usually, they report to their entity’s top managers, who
                    are responsible for distribution of the report.


Financial Related   5.36 Certain AICPA standards address specific types of
Audits              financial related audits, and GAGAS incorporate those
                    standards, as discussed below:11

                    10See the Single Audit Act Amendments of 1996 and Office of
                    Management and Budget (OMB) Circular A-133 for the distribution of
                    reports on single audits of state and local governmental entities and
                    nonprofit organizations that receive federal awards.

                    11GAGAS incorporate any new AICPA reporting standards relevant to
                    financial related audits unless GAO excludes them by formal
                    announcement.

a. SAS No. 75, Engagements to Apply Agreed-Upon
Procedures to Specific Elements, Accounts, or Items of
a Financial Statement;

b. SAS No. 62, Special Reports, for auditing specified
elements, accounts, or items of a financial statement;

c. SAS No. 74, Compliance Auditing Considerations in
Audits of Governmental Entities and Recipients of
Governmental Financial Assistance, for testing
compliance with laws and regulations applicable to
federal financial assistance programs;

d. SAS No. 70, Reports on the Processing of
Transactions by Service Organizations, for examining
descriptions of internal control of service organizations
that process transactions for others;

e. Statement on Standards for Attestation Engagements
(SSAE) No. 1, Attestation Standards, as amended by
SSAE No. 9, Amendments to Statement on Standards
for Attestation Engagements Nos. 1, 2, and 3, for
examining or reviewing an entity’s assertions about
financial related matters not specifically addressed in
other AICPA standards;

f. SSAE No. 2, Reporting on an Entity’s Internal Control
Over Financial Reporting, as amended by SSAE No. 9,
Amendments to Statement on Standards for Attestation
Engagements Nos. 1, 2, and 3, for examining an entity’s
assertions about its internal control over financial
reporting and/or safeguarding assets;

g. SSAE No. 3, Compliance Attestation, as amended by
SSAE No. 9, Amendments to Statement on Standards
for Attestation Engagements Nos. 1, 2, and 3, for (1)
examining or applying agreed-upon procedures to an
entity’s assertions about compliance with specified
requirements or (2) applying agreed-upon procedures to
an entity’s assertions about internal control over
compliance with laws and regulations; and

h. SSAE No. 4, Agreed-Upon Procedures Engagements,
for applying agreed-upon procedures to (1) an entity’s
assertions about internal control over financial
reporting and/or safeguarding of assets or (2) an entity’s
assertions about financial related matters not
specifically addressed in other AICPA standards.

5.37 Besides following applicable AICPA standards,
auditors should follow this chapter’s first (GAGAS
reference), third (privileged and confidential
information), and fourth (report distribution) additional
standards of reporting. They should apply or adapt the
other standards and guidance in this chapter as
appropriate in the circumstances. For financial related
audits not described above, auditors should follow the
reporting standards for performance audits in chapter 7.12




12Chapter 2 provides examples of other types of financial related audits.
Appendix I

                Chapter 4
Field Work Standards for Financial Audits

                       This amendment to Government Auditing Standards
                       (1994 revision) establishes a new field work standard
                       and revises a reporting standard for financial
                       statement audits to improve auditor communication
                       concerning the auditor’s work on compliance with
                       laws and regulations and internal control over
                       financial reporting with users of the auditor’s reports.
                       This standard is effective for financial statement
                       audits of periods ending on or after January 1, 2000.
                       Earlier application is permissible.


Purpose                4.1 This chapter prescribes standards of field work for
                       financial audits, which include financial statement
                       audits and financial related audits.


Relation to AICPA     4.2 For financial statement audits, generally accepted
Standards             government auditing standards (GAGAS) incorporate
                      the American Institute of Certified Public Accountants’
                      (AICPA) three generally accepted standards of field
                      work, which are:

                      a. The work is to be adequately planned and assistants,
                      if any, are to be properly supervised.

                      b. A sufficient understanding of internal control is to be
                      obtained to plan the audit and to determine the nature,
                      timing, and extent of tests to be performed.

                      c. Sufficient competent evidential matter is to be
                      obtained through inspection, observation, inquiries, and
                      confirmations to afford a reasonable basis for an
                      opinion regarding the financial statements under audit.

                      4.3 The AICPA has issued statements on auditing
                      standards (SAS) that interpret its standards of field
                      work (including a SAS on compliance auditing).1 This

                      1 GAGAS incorporate any new AICPA field work standards relevant to
                      financial statement audits unless the General Accounting Office (GAO)
                      excludes them by formal announcement.

           chapter incorporates these SASs and prescribes
           additional standards on

           a. auditor communication (see paragraphs 4.6.3
           through 4.6.9),

           b. audit follow-up (see paragraphs 4.7, 4.10, and 4.11),

           c. noncompliance other than illegal acts (see
           paragraphs 4.13 and 4.18 through 4.20),

           d. documentation requirements when assessing control
           risk at maximum for controls significantly dependent
           upon computerized information systems (see
           paragraphs 4.21.1 through 4.21.4), and

           e. working papers. (See paragraphs 4.34 through 4.38.)

           4.4 This chapter also discusses three other key aspects
           of financial statement audits:

           a. materiality (see paragraphs 4.6.1 and 4.6.2),

           b. fraud and illegal acts (see paragraphs 4.14 through
           4.17), and

           c. internal control. (See paragraphs 4.22 and 4.25
           through 4.30.)

           4.5 This chapter concludes by explaining which
           standards auditors should follow in performing financial
           related audits.


Planning   4.6 AICPA standards and GAGAS require the following:

           The work is to be properly planned, and auditors
           should consider materiality, among other matters,
           in determining the nature, timing, and extent of
           auditing procedures and in evaluating the results
           of those procedures.


                4.6.1 Auditors’ consideration of materiality is a matter of
                professional judgment and is influenced by their perception
                of the needs of a reasonable person who will rely on the
                financial statements. Materiality judgments are made in
                light of surrounding circumstances and necessarily involve
                both quantitative and qualitative considerations.

                4.6.2 In an audit of the financial statements of a
                government entity or an entity that receives government
                assistance, auditors may set lower materiality levels than
                in audits in the private sector because of the public
                accountability of the auditee, the various legal and
                regulatory requirements, and the visibility and sensitivity
                of government programs, activities, and functions.


Auditor         4.6.3 The first additional planning standard for
Communication   financial statement audits is

                Auditors should communicate information to the
                auditee, the individuals contracting for or
                requesting the audit services, and the audit
                 committee regarding the nature and extent of
                planned testing and reporting on compliance with
                laws and regulations and internal control over
                financial reporting.

                4.6.4 AICPA standards and GAGAS require
                auditors to establish an understanding with the
                client and to communicate with audit committees.
                 GAGAS broaden who auditors must communicate
                with and require auditors to communicate specific
                information regarding the nature and extent of
                testing and reporting on compliance with laws and
                regulations and internal control over financial
                reporting during the planning stages of a financial
                statement audit to reduce the risk that the needs
                or expectations of the parties involved may be
                misinterpreted.




4.6.5 The auditee is the organization or entity
being audited. Auditors should communicate
their responsibilities for the engagement to the
appropriate officials of the auditee (which would
normally include the head of the organization, the
audit committee or board of directors or other
equivalent oversight body in the absence of an
audit committee, and the individual who possesses
a sufficient level of authority and responsibility for
the financial reporting process, such as the chief
financial officer). In situations where auditors are
performing the audit under a contract with a party
other than the auditee, or pursuant to a third-party
request, auditors should also communicate with the
individuals contracting for or requesting the audit,
such as contracting officials or legislative members
or staff. When auditors are performing the audit
pursuant to a law or regulation, auditors should
communicate with the legislative members or staff
who have oversight of the auditee.1.1

4.6.6 During the planning stages of an audit,
auditors should communicate their responsibilities
in a financial statement audit, including their
responsibilities for testing and reporting on
compliance with laws and regulations and
internal control over financial reporting. Such
communication should include the nature of any
additional testing of compliance and internal
control required by laws and regulations or
otherwise requested, and whether the auditors are
planning on providing opinions on compliance
with laws and regulations and internal control
over financial reporting.

1.1 This requirement applies only to situations where the law or
regulation specifically identifies the entity to be audited, such as
an audit of a specific agency’s financial statements required by
the Chief Financial Officers Act, as expanded by the Government
Management Reform Act of 1994. Situations where the financial
statement audit mandate applies to entities not specifically
identified, such as audits required by the Single Audit Act
Amendments of 1996, are excluded.

4.6.7 Auditors should use their professional judgment
to determine the form and content of the
communication. Written communication is preferred.
Auditors should document the communication in the
working papers. Auditors may use an engagement
letter to communicate the information described in
paragraph 4.6.6. To assist in understanding the
limitations of auditors’ responsibilities for testing and
reporting on compliance and internal control over
financial reporting, auditors may want to contrast
those responsibilities with other financial related
audits of compliance and controls. The discussion in
paragraphs 4.6.8 and 4.6.9 may be helpful to auditors
in explaining their responsibilities for testing and
reporting on compliance with laws and regulations
and internal control over financial reporting to the
auditee and other interested parties.

4.6.8 Tests of compliance with laws and
regulations and internal control over financial
reporting in a financial statement audit contribute
to the evidence supporting the auditors’ opinion on
the financial statements. However, they generally
do not provide a basis for opining on compliance
or internal control over financial reporting. To
meet certain audit report users’ needs, laws and
regulations sometimes prescribe testing and
reporting on compliance and internal control over
financial reporting to supplement the financial
statement audit’s coverage of these areas.1.2

1.2For example, when engaged to perform audits under the Single
Audit Act of state and local government entities and nonprofit
organizations that receive federal awards, auditors should be
familiar with the Single Audit Act Amendments of 1996 and Office
of Management and Budget (OMB) Circular A-133. The act and
circular include specific audit requirements, mainly in the areas
of compliance with laws and regulations and internal control,
that exceed the minimum audit requirements in the standards in
chapters 4 and 5 of this document. Audits conducted under the
Chief Financial Officers Act of 1990, as expanded by the
Government Management Reform Act of 1994, also have specific
audit requirements prescribed by OMB in the areas of
compliance and internal control. Many state and local
governments have additional audit requirements.

                  4.6.9 Even after auditors perform and report the
                  results of additional tests of compliance and internal
                  control over financial reporting required by laws and
                  regulations, some reasonable needs of report users
                  still may be unmet. Auditors may meet these needs
                  by performing further tests of compliance and
                  internal control in either of two ways:

                  a. supplemental (or agreed-upon) procedures or

                  b. examination, resulting in an opinion.

Audit Follow-up   4.7 The second additional planning standard for
                  financial statement audits is

                  Auditors should follow up on known material
                  findings and recommendations from previous audits.


                  [Paragraphs 4.8 and 4.9 have been moved and
                  renumbered to paragraphs 4.6.1 and 4.6.2.]


                  4.10 Auditors should follow up on known material
                  findings and recommendations from previous audits that
                  could affect the financial statement audit. They should
                  do this to determine whether the auditee has taken
                  timely and appropriate corrective actions. Auditors
                  should report the status of uncorrected material findings
                  and recommendations from prior audits that affect the
                  financial statements.

                  4.11 Much of the benefit from audit work is not in the
                  findings reported or the recommendations made, but in
                  their effective resolution. Auditee management is
                  responsible for resolving audit findings and
                  recommendations, and having a process to track their
                  status can help it fulfill this responsibility. If management
                  does not have such a process, auditors may wish to
                  establish their own. Continued attention to material
                  findings and recommendations can help auditors assure
                  that the benefits of their work are realized.

Fraud, Illegal        4.12 AICPA standards and GAGAS require the following:
Acts, and Other
Noncompliance         a. Auditors should design the audit to provide
                      reasonable assurance of detecting
                      fraud that is material to the financial statements.2

                      b. Auditors should design the audit to provide
                      reasonable assurance of detecting material
                      misstatements resulting from direct and material
                      illegal acts.3

                  c. Auditors should be aware of the possibility that
                  indirect illegal acts may have occurred.4 If specific
                  information comes to the auditors’ attention that
                  provides evidence concerning the existence of possible
                  illegal acts that could have a material indirect effect on
                  the financial statements, the auditors should apply
                  audit procedures specifically directed to ascertaining
                  whether an illegal act has occurred.

                  4.13 The additional compliance standard for financial
                  statement audits is

                  Auditors should design the audit to provide
                  reasonable assurance of detecting material
                  misstatements resulting from noncompliance with

                  2Two types of
                  misstatements are relevant to the auditors’ consideration of
                  fraud in a financial statement audit--misstatements arising
                  from fraudulent financial statements and misstatements
                  arising from misappropriation of assets. The primary factor
                  that distinguishes fraud from error is whether the
                  underlying action that results in the misstatement in the
                  financial statements is intentional or unintentional.

                  3Direct and material illegal acts are violations of laws and
                  regulations having a direct and material effect on the determination
                  of financial statement amounts.

                  4Indirect illegal acts are violations of laws and regulations having
                  material but indirect effects on the financial statements.

                    provisions of contracts or grant agreements that
                    have a direct and material effect on the
                    determination of financial statement amounts. If
                    specific information comes to the auditors’
                    attention that provides evidence concerning the
                    existence of possible noncompliance that could
                    have a material indirect effect on the financial
                    statements, auditors should apply audit
                    procedures specifically directed to ascertaining
                    whether that noncompliance has occurred.


Auditors’           4.14 Auditors are responsible for being aware of the
Understanding of    characteristics and types of potentially material
Possible Fraud      fraud that could be associated with the
and of Laws and     area being audited so that they can plan the audit to
Regulations         provide reasonable assurance of detecting material
                    fraud.
                    4.15 Auditors should obtain an understanding of the
                    possible effects on financial statements of laws and
                    regulations that are generally recognized by auditors to
                    have a direct and material effect on the determination of
                    amounts in the financial statements. Auditors may find
                    it necessary to use the work of legal counsel in
                    (1) determining which laws and regulations might have
                    a direct and material effect on the financial statements,
                    (2) designing tests of compliance with laws and
                    regulations, and (3) evaluating the results of those
                    tests.6 Auditors also may find it necessary to use the
                    work of legal counsel when an audit requires testing
                    compliance with provisions of contracts or grant
                    agreements. Depending on the circumstances of the
                    audit, auditors may find it necessary to obtain
                    information on compliance matters from others, such as
                    investigative staff, audit officials of government entities
                    that provided assistance to the auditee, and/or the
                    applicable law enforcement authority.

                    6AICPA standards provide guidance for auditors who use the work
                    of a specialist who is not a member of their staff.

Due Care Concerning Possible Fraud and Illegal Acts

                           4.16 Auditors should exercise due professional care in
                           pursuing indications of possible fraud and illegal acts
                           so as not to interfere with potential future
                           investigations, legal proceedings, or both. Under some
                           circumstances, laws, regulations, or policies may require
                           auditors to report indications of certain types of
                           fraud or illegal acts to law enforcement or
                           investigatory authorities before extending audit steps and
                           procedures. Auditors may also be required to withdraw
                           from or defer further work on the audit or a portion of the
                           audit in order not to interfere with an investigation.

                           4.17 An audit made in accordance with GAGAS will not
                           guarantee the discovery of illegal acts or contingent
                           liabilities resulting from them. Nor does the subsequent
                           discovery of illegal acts committed during the audit
                           period necessarily mean that the auditors’ performance
                           was inadequate, provided the audit was made in
                           accordance with these standards.


Noncompliance Other Than Illegal Acts

                           4.18 The term noncompliance has a broader meaning
                           than illegal acts. Noncompliance includes not only illegal
                           acts, but also violations of provisions of contracts or
                           grant agreements. AICPA standards do not discuss
                           auditors’ responsibility for detecting noncompliance
                           other than illegal acts. But, under GAGAS, auditors have
                           the same responsibilities for detecting material
                           misstatements arising from other types of noncompliance
                           as they do for detecting those arising from illegal acts.

                           4.19 Direct and material noncompliance is
                           noncompliance having a direct and material effect on
                           the determination of financial statement amounts.
                           Auditors should design the audit to provide reasonable
                           assurance of detecting material misstatements resulting
                           from direct and material noncompliance with provisions
                           of contracts or grant agreements.

                           4.20 Indirect noncompliance is noncompliance having
                           material but indirect effects on the financial statements.
                   A financial statement audit provides no assurance that
                   indirect noncompliance with provisions of contracts or
                   grant agreements will be detected. However, if specific
                   information comes to the auditors’ attention that
                   provides evidence concerning the existence of possible
                   noncompliance that could have a material indirect effect
                   on the financial statements, auditors should apply audit
                   procedures specifically directed to ascertaining whether
                   that noncompliance has occurred.


Internal Control

                   4.21 AICPA standards and GAGAS require the following:

                   Auditors should obtain a sufficient understanding of
                   internal control to plan the audit and determine the
                   nature, timing, and extent of tests to be performed.

                   4.21.1 AICPA standards and GAGAS require that, in all
                   audits, the auditors obtain an understanding of internal
                   control sufficient to plan the audit by performing
                   procedures to understand (1) the design of controls
                   relevant to an audit of financial statements and (2)
                   whether the controls have been placed in operation.
                   This understanding should include a consideration of
                   the methods an entity uses to process accounting
                   information because such methods influence the design
                   of internal control. The extent to which computerized
                   information systems are used in significant accounting
                   applications,6.1 as well as the complexity of that
                   processing, may also influence the nature, timing, and
                   extent of audit procedures. Accordingly, in planning the
                   audit and in obtaining an understanding of internal
                   control over an entity’s computer processing, the
                   auditors should consider, among other things, such
                   matters as

                   a. the extent to which computer processing is used in
                   each significant accounting application;6.2

                   b. the complexity of the entity’s computer operations;

                   c. the organizational structure of the computer
                   processing activities; and

                   d. the kinds and competence of available evidential matter,
                   in electronic and in paper formats, to achieve audit
                   objectives.

                   6.1 Significant accounting applications are those which relate to
                   accounting information that can materially affect the financial
                   statements the auditor is auditing. Significant accounting applications
                   could include financial as well as other systems, such as management
                   information systems or systems that monitor compliance, if they provide
                   data for material account balances, transaction classes, and disclosure
                   components of financial statements.

 4.21.2 AICPA standards and GAGAS require auditors to
 document their understanding of the components of an
 entity’s internal control related to computer applications
that process information used in preparing an entity’s
financial statements and, based on that understanding, to
 develop a planned audit approach in sufficient detail to
 demonstrate its effectiveness in reducing audit risk. In
doing so, under AICPA standards and GAGAS, the
auditors should consider whether specialized skills are
needed for considering the effect of computerized
information systems on the audit, understanding internal
control, or designing and performing audit procedures,
including tests of internal control. If the use of a
professional with specialized skills is planned, the
auditors should have sufficient computer-related
knowledge to communicate the objectives of the other
professional’s work; to evaluate whether the specified
procedures will meet the auditors’ objectives; and to
evaluate the results of the procedures applied as they
relate to the nature, timing, and extent of other planned
audit procedures.

6.2 Obtaining an understanding of these elements would include
consideration of internal control related to security over computerized
information systems.

4.21.3 The additional internal control standard for
financial statement audits is

In planning the audit, auditors should document in
the working papers (1) the basis for assessing
control risk at the maximum level for assertions
related to material account balances, transaction
classes, and disclosure components of financial
statements when such assertions are significantly
dependent upon computerized information
systems, and (2) consideration that the planned
audit procedures are designed to achieve audit
objectives and to reduce audit risk to an
acceptable level.

4.21.4 This additional GAGAS standard does not
increase the auditors’ responsibility for testing controls,
but rather requires that, if the auditors assess control
risk at the maximum level for assertions related to
material account balances, transaction classes, and
disclosure components of financial statements when
such assertions are significantly dependent upon
computerized information systems, the auditors should
document in the working papers6.3 the basis for that
conclusion by addressing (1) the ineffectiveness of the
design and/or operation of the controls, or (2) the
reasons why it would be inefficient to test the controls.
In such circumstances, GAGAS also require the auditors
to document in the working papers the consideration
that the planned audit procedures are designed to
achieve specific audit objectives and, accordingly, to
reduce audit risk to an acceptable level. This
documentation should address

a. the rationale for determining the nature, timing, and
extent of planned audit procedures;

b. the kinds and competence of available evidential
matter produced outside a computerized information
system; and


c. the effect on the audit opinion or report if evidential
matter to be gathered during the audit does not afford a
reasonable basis for the auditor’s opinion on the
financial statements.

6.3 See paragraphs 4.34 through 4.38 for a discussion of the working
paper standards.

                  4.22 Safeguarding of assets and compliance with laws
                  and regulations are internal control objectives that are
                  especially important in conducting financial statement
                  audits in accordance with GAGAS of governmental
                  entities or others receiving government funds. Given
                  the public accountability for stewardship of resources,
                  safeguarding of assets permeates control objectives and
                  components as defined by the AICPA standards and
                  GAGAS. Also, the operation of government programs
                  and the related transactions that materially affect the
                  entity’s financial statements are generally governed by
                  laws and regulations. Although GAGAS are not
                  prescribing additional internal control standards in
                  these areas, this chapter provides a discussion that
                  auditors may find useful in assessing audit risk and in
                  obtaining evidence needed to support their opinion on
                  the financial statements in a governmental environment.

                  [Paragraphs 4.23 and 4.24 deleted.]


Safeguarding of Assets

                  4.25 As applied to financial statement audits, internal
                  control over safeguarding of assets constitutes a
                  process, effected by an entity’s governing body,
                  management, and other detection of unauthorized
                  acquisition, use, or disposition of the entity’s assets that
                  could have a material effect on the financial statements.

                  4.26 Internal control over the safeguarding of assets
                  relates to the prevention or timely detection of
                  unauthorized transactions and unauthorized access to
                  assets that could result in losses that are material to the
                  financial statements; for example, when unauthorized
                  expenditures or investments are made, unauthorized
                  liabilities are incurred, inventory is stolen, or assets are
                  converted to personal use. Such controls are designed
to help ensure the use of and access to assets are in
accordance with management’s authorization.
Authorization includes approval of transactions in
accordance with control activities established by
management to safeguard assets, such as establishing and
complying with requirements for extending and monitoring
credit or making investment decisions, and related
documentation. Control over safeguarding of assets is not
designed to protect against loss of assets arising from
inefficiency or from management’s operating decisions,
such as incurring expenditures for equipment or material
that proves to be unnecessary or unsatisfactory.

4.27 AICPA standards and GAGAS require auditors to
obtain a sufficient understanding of internal control to
plan the audit. They also require auditors to plan the
audit to provide reasonable assurance of detecting
material fraud, including material misappropriation of
assets. Because preventing or detecting material
misappropriations is an objective of control over
safeguarding of assets, understanding this type of
control can be essential to planning the audit.

4.28 Control over safeguarding of assets is not limited
to preventing or detecting misappropriations, however.
It also helps prevent or detect other material losses that
could result from unauthorized acquisition, use, or
disposition of assets. Such controls include, for
example, the process of assessing the risk of
unauthorized acquisition, use, or disposition of assets
and establishing control activities to help ensure that
management directives to address the risk are carried
out. Such control activities would include permitting
acquisition, use, or disposition of assets only in
accordance with management’s general or specific
authorization, including compliance with established
control activities for such acquisition, use, or
disposition. They would also include comparing
existing assets with the related records at reasonable
intervals and taking appropriate action with respect to
any differences. Finally, controls over safeguarding of
assets against unauthorized acquisition, use, or
 disposition also relate to making available to
 management information it needs to carry out its
 responsibilities related to prevention or timely detection
 of such unauthorized activities, as well as mechanisms
 to enable management to monitor the continued
 effective operation of such controls.

4.29 Understanding the control over safeguarding of
assets can help auditors assess the risk that financial
statements could be materially misstated. For example,
an understanding of an auditee’s control over the
safeguarding of assets can help auditors recognize risk
factors such as

a. failure to adequately monitor decentralized operations;

b. lack of control over activities, such as lack of
documentation for major transactions;

c. lack of control over computerized information systems,
such as a lack of control over access to applications that
initiate or control the movement of assets;

d. failure to develop or communicate adequate control
activities for security of data or assets, such as allowing
unauthorized personnel to have ready access to data or
assets; and

e. failure to investigate significant unreconciled
differences between reconciliations of a control account
and subsidiary records.








Control Over Compliance With Laws and Regulations

                   4.29.1 Governmental entities are subject to a variety of
                   laws and regulations that affect their financial
                   statements, which is a major factor distinguishing
                   governmental accounting from commercial accounting.
                   For example, such laws and regulations may address the
                   required fund structure, procurement or debt limitations,
                   or authority for transactions. Accordingly, compliance
                   with such laws and regulations may have a direct and
                   material effect on the determination of amounts in the
                   financial statements of governmental entities. Likewise,
                   organizations that receive government assistance, such as
                   contractors, nonprofit organizations, and other
                  nongovernmental organizations, are also subject to
                  regulations, contract provisions, or grant agreements that
                   could have a direct and material effect on their financial
                  statements. Management, of both governmental entities
                  and others receiving governmental assistance, is
                  responsible for ensuring that the entity complies with the
                  laws and regulations applicable to its activities. That
                  responsibility encompasses the identification of
                  applicable laws and regulations and the establishment of
                  controls designed to provide reasonable assurance that
                  the entity complies with those laws and regulations.

                  4.30 AICPA standards and GAGAS require auditors to
                  design the audit to provide reasonable assurance that the
                  financial statements are free of material misstatements
                  resulting from violations of laws and regulations that
                  have a direct and material effect on the determination of
                  financial statement amounts. To meet that requirement,
                  auditors should have an understanding of internal control
                  relevant to financial statement assertions affected by
                  those laws and regulations. Auditors should use that
                  understanding to identify types of potential
                  misstatements, consider factors that affect the risk of
                  material misstatement, and design substantive tests. For
                  example, the following factors may influence the
                  auditors’ assessment of control risk:

                  a. management’s awareness or lack of awareness of
                  applicable laws and regulations;


                  b. auditee policy regarding such matters as acceptable
                  operating practices and codes of conduct; and

                 c. assignment of responsibility and delegation of
                 authority to deal with such matters as organizational
                 goals and objectives, operating functions, and regulatory
                 requirements.

                  [Paragraphs 4.31 through 4.33 deleted.]


Working Papers

                 4.34 AICPA standards and GAGAS require the
                 following:

                 A record of the auditors’ work should be retained
                 in the form of working papers.

                 4.35 The additional working paper standard for
                 financial statement audits is

                 Working papers should contain sufficient
                 information to enable an experienced auditor
                 having no previous connection with the audit to
                 ascertain from them the evidence that supports the
                 auditors’ significant conclusions and judgments.

                 4.36 Audits done in accordance with GAGAS are subject
                 to review by other auditors and by oversight officials
                 more frequently than audits done in accordance with
                 AICPA standards. Thus, whereas AICPA standards cite
                 two main purposes of working papers--providing the
                 principal support for the audit report and aiding auditors
                 in the conduct and supervision of the audit--working
                 papers serve an additional purpose in audits performed in
                 accordance with GAGAS. Working papers allow for the
                 review of audit quality by providing the reviewer written
                 documentation of the evidence supporting the auditors’
                 significant conclusions and judgments.








                     4.37 Working papers should contain

                     a. the objectives, scope, and methodology, including any
                     sampling criteria used;

                     b. documentation of the work performed to support
                     significant conclusions and judgments, including
                     descriptions of transactions and records examined that
                     would enable an experienced auditor to examine the
                     same transactions and records;6 and

                     c. evidence of supervisory reviews of the work performed.

                    4.38 One factor underlying GAGAS audits is that
                    federal, state, and local governments and other
                    organizations cooperate in auditing programs of
                    common interest so that auditors may use others’ work
                    and avoid duplicate audit efforts. Arrangements should
                    be made so that working papers will be made available,
                    upon request, to other auditors. To facilitate reviews of
                    audit quality and reliance by other auditors on the
                    auditors’ work, contractual arrangements for GAGAS
                    audits should provide for access to working papers.


Financial Related Audits

                    4.39 Certain AICPA standards address specific types of
                    financial related audits, and GAGAS incorporate those
                    standards, as discussed below:7


                    a. SAS No. 75, Engagements to Apply Agreed-Upon
                    Procedures to Specific Elements, Accounts, or Items
                    of a Financial Statement;

                    6 Auditors may meet this requirement by listing voucher numbers,
                    check numbers, or other means of identifying specific documents
                    they examined. They are not required to include copies of
                    documents they examined in the working papers, nor are they
                    required to list detailed information from those documents.

                    7 GAGAS incorporate any new AICPA field work standards relevant
                    to financial related audits unless GAO excludes them by formal
                    announcement.

b. SAS No. 62, Special Reports, for auditing specified
elements, accounts, or items of a financial statement;


c. SAS No. 74, Compliance Auditing Considerations in Audits of
Governmental Entities and Recipients of Governmental Financial
Assistance, for testing compliance with laws and regulations
applicable to federal financial assistance programs;

d. SAS No. 70, Reports on the Processing of
Transactions by Service Organizations, for examining
descriptions of internal controls of service organizations
that process transactions for others;

e. Statement on Standards for Attestation Engagements
(SSAE) No. 1, Attestation Standards, as amended by
SSAE No. 9, Amendments to Statement on
Standards for Attestation Engagements Nos. 1, 2,
and 3, for (2) examining or reviewing an
entity’s assertions about financial related matters not
specifically addressed in other AICPA standards;

f. SSAE No. 2, Reporting on an Entity’s Internal
Control Over Financial Reporting, as
amended by SSAE No. 9, Amendments to
Statement on Standards for Attestation
Engagements Nos. 1, 2, and 3, for examining an
entity’s assertions about its internal controls over
financial reporting and/or safeguarding assets; and





g. SSAE No. 3, Compliance Attestation, as amended
by SSAE No. 9, Amendments to Statement on
Standards for Attestation Engagements Nos. 1, 2,
and 3, for (1) examining or applying agreed-upon
procedures to an entity’s assertions about compliance
with specified requirements or
(2) applying agreed-upon procedures to an entity’s
assertions about internal controls over compliance with
laws and regulations; and

h. SSAE No. 4, Agreed-Upon Procedures
Engagements, for applying agreed-upon procedures
to (1) an entity’s assertions about internal control
over financial reporting and/or safeguarding assets
or (2) an entity’s assertions about financial related
matters not specifically addressed in other AICPA
standards.

4.40 Besides following applicable AICPA standards,
auditors should follow this chapter’s audit follow-up and
working paper standards. They should apply or adapt
the other standards and guidance in this chapter as
appropriate in the circumstances. For financial related
audits not described above, auditors should follow the
field work standards for performance audits in
chapter 6.8




8 Chapter 2 provides examples of other types of financial related audits.
Appendix II

                Chapter 5
 Reporting Standards for Financial Audits

Purpose

                        5.1 This chapter prescribes standards of reporting for
                        financial audits, which include financial statement audits
                        and financial related audits.


Relation to AICPA Standards

                        5.2 For financial statement audits, generally accepted
                        government auditing standards (GAGAS) incorporate
                        the American Institute of Certified Public Accountants’
                        (AICPA) four generally accepted standards of reporting,
                        which are:

                        a. The report shall state whether the financial statements
                        are presented in accordance with generally accepted
                        accounting principles.

                        b. The report shall identify those circumstances in
                        which such principles have not been consistently
                        observed in the current period in relation to the
                        preceding period.

                        c. Informative disclosures in the financial statements
                        are to be regarded as reasonably adequate unless
                        otherwise stated in the report.

                        d. The report shall either contain an expression of
                        opinion regarding the financial statements, taken as a
                        whole, or an assertion to the effect that an opinion cannot
                        be expressed. When an overall opinion cannot be
                        expressed, the reasons therefor should be stated. In all
                        cases where an auditor’s name is associated with
                        financial statements, the report should contain a clear-cut
                        indication of the character of the auditor’s work, if any,
                        and the degree of responsibility the auditor is taking.

                        5.3 The AICPA has issued statements on auditing
                        standards (SAS) that interpret its standards of
                        reporting.1 This chapter incorporates these SASs and
                        prescribes additional standards on

                        a. reporting compliance with GAGAS (see paragraphs
                        5.11 through 5.14),

                        b. reporting on compliance with laws and regulations
                        and on internal controls over financial reporting (see
                        paragraphs 5.15 through 5.28),

                        c. privileged and confidential information (see
                        paragraphs 5.29 through 5.31), and

                        d. report distribution. (See paragraphs 5.32 through 5.35.)

                        1 GAGAS incorporate any new AICPA reporting standards relevant to
                        financial statement audits unless the General Accounting Office (GAO)
                        excludes them by formal announcement.

5.4 This chapter concludes by explaining which
standards auditors should follow in reporting the results
of financial related audits.








Reporting Compliance With Generally Accepted Government Auditing Standards

                  5.11 The first additional reporting standard for
                  financial statement audits is

                  Audit reports should state that the audit was made
                  in accordance with generally accepted government
                  auditing standards.

                  5.12 The above statement refers to all the applicable
                  standards that the auditors should have followed during
                  their audit. The statement should be qualified in
                  situations where the auditors did not follow an
                  applicable standard. In these situations, the auditors
                  should disclose the applicable standard that was not
                  followed, the reasons therefor, and how not following
                  the standard affected the results of the audit.

                  5.13 When the report on the financial statements is
                  submitted to comply with a legal, regulatory, or
                  contractual requirement for a GAGAS audit, it should
                  specifically cite GAGAS. The report on the financial
                  statements may cite AICPA standards as well as GAGAS.

                  5.14 The auditee may need a financial statement audit
                  for purposes other than to comply with requirements
                  calling for a GAGAS audit. For example, it may need a
                  financial statement audit to issue bonds. GAGAS do not
                  prohibit auditors from issuing a separate report on the
                  financial statements conforming only to the requirements
                  of AICPA standards. However, it may be advantageous to
                   use a report issued in accordance with GAGAS for these
                   other purposes because it provides information on
                   compliance with laws and regulations and internal
                   controls (as discussed below) that is not contained in a
                   report issued in accordance with AICPA standards.


Reporting on Compliance With Laws and Regulations and on Internal Controls Over Financial Reporting

                  5.15 The second additional reporting standard for
                  financial statement audits is

                  The report on the financial statements should
                  either (1) describe the scope of the auditors’
                  testing of compliance with laws and regulations and
                  internal controls over financial reporting and
                  present the results of those tests or (2) refer to the
                  separate report(s) containing that information. In
                  presenting the results of those tests, auditors
                  should report fraud, illegal acts, other
                  material noncompliance, and reportable conditions
                  in internal controls over financial reporting. In
                  some circumstances, auditors should report
                  fraud and illegal acts directly to
                  parties external to the audited entity.

                  5.16 Auditors may report on compliance with laws and
                  regulations and internal controls over financial
                  reporting in the report on the financial statements or in
                  the separate report(s). When auditors report on
                  compliance and internal controls over financial
                  reporting in the report on the financial statements, they
                  should include an introduction summarizing key findings
                  in the audit of the financial statements and the related
                  compliance and internal controls work. Auditors should
                  not issue this introduction as a stand-alone report.

                  3 These responsibilities are in addition to and do not modify auditors’
                  responsibilities under AICPA standards to (1) address the effect
                  fraud or illegal acts may have on the report on the financial
                  statements and (2) determine that the audit committee or others with
                  equivalent authority and responsibility are adequately informed about
                  fraud, illegal acts, and reportable conditions.

                             5.16.1 When auditors report separately (including
                             separate reports bound in the same document) on
                             compliance with laws and regulations and internal
                             control over financial reporting, the report on the
                             financial statements should state that they are
                             issuing those additional reports. The report on the
                             financial statements should also state that the
                             reports on compliance with laws and regulations
                             and internal control over financial reporting are
                             an integral part of a GAGAS audit, and, in
                             considering the results of the audit, these reports
                             should be read along with the auditor’s report on
                             the financial statements.


Scope of Compliance and Internal Controls Work

                            5.17 Auditors should report the scope of their testing of
                            compliance with laws and regulations and of internal
                            controls over financial reporting, including whether or not
                            the tests they performed provided sufficient evidence to
                            support an opinion on compliance or internal controls
                            over financial reporting and whether the auditors
                            are providing such opinions.


Fraud, Illegal Acts, and Other Noncompliance

                            5.18 When auditors conclude, based on evidence
                            obtained, that fraud or an illegal act either
                            has occurred or is likely to have occurred,4 they should
                            report relevant information. Auditors need not report
                            information about fraud or an illegal act
                            that is clearly inconsequential. Thus, auditors should
                            present in a report the same fraud and illegal
                            acts that they report to audit committees under AICPA
                            standards. Auditors should also report other
                            noncompliance (for example, a violation of a contract
                            provision) that is material to the financial statements.

                            4 Whether a particular act is, in fact, illegal may have to await final determination
                            by a court of law. Thus, when auditors disclose matters that have led them to
                            conclude that an illegal act is likely to have occurred, they should take care not
                            to imply that they have made a determination of illegality.

5.19 In reporting material fraud, illegal
acts, or other noncompliance, the auditors should place
their findings in proper perspective. To give the reader a
basis for judging the prevalence and consequences of
these conditions, the instances identified should be
related to the universe or the number of cases examined
and be quantified in terms of dollar value, if appropriate.5
In presenting material fraud, illegal acts, or
other noncompliance, auditors should follow chapter 7’s
report contents standards for objectives, scope, and
methodology; audit results; views of responsible officials;
and its report presentation standards, as appropriate.
Auditors may provide less extensive disclosure of
fraud and illegal acts that are not material
in either a quantitative or qualitative sense.6

5.20 When auditors detect fraud, illegal acts,
or other noncompliance that do not meet paragraph 5.18’s
criteria for reporting, they should communicate those
findings to the auditee, preferably in writing. If auditors
have communicated those findings in a management letter
to top management, they should refer to that management
letter when they report on compliance. Auditors should
document in their working papers all communications to
the auditee about fraud, illegal acts, and
other noncompliance.

5 Audit findings have often been regarded as containing the elements of
criteria, condition, and effect, plus cause when problems are found. However,
the elements needed for a finding depend entirely on the objectives of the
audit. Reportable conditions and noncompliance found by the auditor may
not always have all of these elements fully developed, given the scope and
objectives of the specific financial audit. However, auditors should identify at
least the condition, criteria and possible asserted effect to provide sufficient
information to federal, state, and local officials to permit them to determine
the effect and cause in order to take prompt and proper corrective action.

6 Chapter 4 provides guidance on factors that may influence auditors’
materiality judgments in audits of government entities or entities
receiving government assistance. AICPA standards provide guidance on
the interaction of quantitative and qualitative considerations in
materiality judgments.


Direct Reporting of Fraud and Illegal Acts

                            5.21 GAGAS require auditors to report
                            fraud or illegal acts directly to parties outside the
                            auditee in two circumstances, as discussed below. These
                            requirements are in addition to any legal requirements for
                            direct reporting of fraud or illegal acts.
                            Auditors should meet these requirements even if they
                            have resigned or been dismissed from the audit.7

                           5.22 The auditee may be required by law or regulation
                           to report certain fraud or illegal acts to
                           specified external parties (for example, to a federal
                           inspector general or a state attorney general). If
                           auditors have communicated such fraud
                           or illegal acts to the auditee, and it fails to report them,
                           then the auditors should communicate their awareness
                           of that failure to the auditee’s governing body. If the
                           auditee does not make the required report as soon as
                           practicable after the auditors’ communication with its
                           governing body, then the auditors should report the
                           fraud or illegal acts directly to the
                           external party specified in the law or regulation.

                           5.23 Management is responsible for taking timely and
                           appropriate steps to remedy fraud or
                           illegal acts that auditors report to it. When
                           fraud or an illegal act involves assistance
                           received directly or indirectly from a government
                           agency, auditors may have a duty to report it directly if
                           management fails to take remedial steps. If auditors
                           conclude that such failure is likely to cause them to
                           depart from the standard report on the financial
                           statements or resign from the audit, then they should
                           communicate that conclusion to the auditee’s governing
                           body. Then, if the auditee does not report the
                           fraud or illegal act as soon as practicable to
                           the entity that provided the government assistance, the
                           auditors should report the fraud or illegal
                           act directly to that entity.

                           7 Internal auditors auditing within the entity that employs them do not
                           have a duty to report outside that entity.

                    5.24 In both of these situations, auditors should obtain
                    sufficient, competent, and relevant evidence (for example,
                    by confirmation with outside parties) to corroborate
                    assertions by management that it has reported
                    fraud or illegal acts. If they are unable to do
                    so, then the auditors should report the fraud
                    or illegal acts directly as discussed above.

                    5.25 Chapter 4 reminds auditors that under some
                    circumstances, laws, regulations, or policies may require
                    them to report promptly indications of certain types of
                    fraud or illegal acts to law enforcement or
                    investigatory authorities. When auditors conclude that
                    this type of fraud or illegal act either has
                    occurred or is likely to have occurred, they should ask
                    those authorities and/or legal counsel if reporting certain
                    information about that fraud or illegal act
                    would compromise investigative or legal proceedings.
                    Auditors should limit their reporting to matters that
                    would not compromise those proceedings, such as
                    information that is already a part of the public record.


Deficiencies in Internal Controls

                    5.26 Auditors should report deficiencies in internal
                    controls that they consider to be “reportable conditions”
                    as defined in AICPA standards. The following are
                    examples of matters that may be reportable conditions:

                    a. absence of appropriate segregation of duties
                    consistent with appropriate control objectives;

                    b. absence of appropriate reviews and approvals of
                    transactions, accounting entries, or systems output;

                    c. inadequate provisions for the safeguarding of assets;

                    d. evidence of failure to safeguard assets from loss,
                    damage, or misappropriation;

                    e. evidence that a system fails to provide complete
                    and accurate output consistent with the auditee’s
                    control objectives because of the misapplication of
                    control procedures;

                    f. evidence of intentional override of internal controls by
                    those in authority to the detriment of the overall
                    objectives of the system;

                    g. evidence of failure to perform tasks that are part of
                    internal controls, such as reconciliations not prepared
                    or not timely prepared;

                    h. absence of a sufficient level of control consciousness
                    within the organization;

                    i. significant deficiencies in the design or operation of
                    internal controls that could result in violations of laws
                    and regulations having a direct and material effect on
                    the financial statements; and

                    j. failure to follow up and correct previously identified
                    deficiencies in internal controls.8

5.27 In reporting reportable conditions, auditors should
identify those that are individually or cumulatively
material weaknesses.9 Auditors should follow chapter 7’s
report contents standards for objectives, scope, and
methodology; audit results; and views of responsible officials,
and its report presentation standards, as appropriate.


8 Chapter 4’s audit follow-up standard requires auditors to report the
status of uncorrected material findings and recommendations from prior
audits that affect the financial statement audit.

9 See footnote 5.
                 5.28 When auditors detect deficiencies in internal
                 controls that are not reportable conditions, they should
                 communicate those deficiencies to the auditee,
                 preferably in writing. If the auditors have
                 communicated other deficiencies in internal controls in
                 a management letter to top management, they should
                 refer to that management letter when they report on
                 internal controls. All communications to the auditee
                 about deficiencies in internal controls should be
                 documented in the working papers.


Privileged and Confidential Information

                 5.29 The third additional reporting standard for
                 financial statement audits is

                 If certain information is prohibited from general
                 disclosure, the audit report should state the nature
                 of the information omitted and the requirement
                 that makes the omission necessary.

                 5.30 Certain information may be prohibited from
                 general disclosure by federal, state, or local laws or
                 regulations. Such information may be provided on a
                 need-to-know basis only to persons authorized by law or
                 regulation to receive it.

                 5.31 If such requirements prohibit auditors from including
                 pertinent data in the report, they should state the nature of
                 the information omitted and the requirement that makes
                 the omission necessary. The auditors should obtain
                 assurance that a valid requirement for the omission exists
                 and, when appropriate, consult with legal counsel.


Report Distribution

                 5.32 The fourth additional reporting standard for
                 financial statement audits is

                 Written audit reports are to be submitted by the
                 audit organization to the appropriate officials of
                 the auditee and to the appropriate officials of the
                 organizations requiring or arranging for the audits,
                 including external funding organizations, unless
                 legal restrictions prevent it. Copies of the reports
                 should also be sent to other officials who have legal
                 oversight authority or who may be responsible for
                 acting on audit findings and recommendations and
                 to others authorized to receive such reports.
                 Unless restricted by law or regulation, copies
                 should be made available for public inspection.10

5.33 Audit reports should be distributed in a timely
manner to officials interested in the results. Such
officials include those designated by law or regulation to
receive such reports, those responsible for acting on the
findings and recommendations, those of other levels of
government that have provided assistance to the
auditee, and legislators. However, if the subject of the
audit involves material that is classified for security
purposes or not releasable to particular parties or the
public for other valid reasons, auditors may limit the
report distribution.

5.34 When public accountants are engaged, the
engaging organization should ensure that the report is
distributed appropriately. If the public accountants are
to make the distribution, the engagement agreement
should indicate what officials or organizations should
receive the report.

5.35 Internal auditors should follow their entity’s own
arrangements and statutory requirements for distribution.
Usually, they report to their entity’s top managers, who
are responsible for distribution of the report.




10 See the Single Audit Act Amendments of 1996 and Office of
Management and Budget (OMB) Circular A-133 for the distribution
of reports on single audits of state and local governmental
entities and nonprofit organizations that receive federal awards.

Financial Related Audits

5.36 Certain AICPA standards address specific types of
financial related audits, and GAGAS incorporate those
standards, as discussed below:11

a. SAS No. 75, Engagements to Apply Agreed-Upon
Procedures to Specific Elements, Accounts, or Items
of a Financial Statement;

b. SAS No. 62, Special Reports, for auditing specified
elements, accounts, or items of a financial statement;

c. SAS No. 74, Compliance Auditing Considerations in
Audits of Governmental Entities and Recipients of
Governmental Financial Assistance, for testing
compliance with laws and regulations applicable to
federal financial assistance programs;

d. SAS No. 76, Reports on the Processing of
Transactions by Service Organizations, for examining
descriptions of internal controls of service organizations
that process transactions for others;

e. Statement on Standards for Attestation Engagements
(SSAE) No. 1, Attestation Standards, as amended by
SSAE No. 9, Amendments to Statement on
Standards for Attestation Engagements Nos. 1, 2,
and 3, for examining or reviewing an
entity’s assertions about financial related matters not
specifically addressed in other AICPA standards;

f. SSAE No. 2, Reporting on an Entity’s Internal Control
Over Financial Reporting, as amended by
SSAE No. 9, Amendments to Statement on
Standards for Attestation Engagements Nos. 1, 2,
and 3, for examining an entity’s assertions about its
internal controls over financial reporting and/or
safeguarding assets; and

g. SSAE No. 3, Compliance Attestation, as amended
by SSAE No. 9, Amendments to Statement on
Standards for Attestation Engagements Nos. 1, 2,
and 3, for (1) examining or applying agreed-upon
procedures to an entity’s assertions about compliance
with specified requirements or
(2) applying agreed-upon procedures to an entity’s
assertions about internal controls over compliance with
specified requirements; and

h. SSAE No. 4, Agreed-Upon Procedures
Engagements, for applying agreed-upon
procedures to (1) an entity’s assertions about
internal control over financial reporting and/or
safeguarding assets or (2) an entity’s assertions
about financial related matters not specifically
addressed in other AICPA standards.

11 GAGAS incorporate any new AICPA reporting standards relevant to
financial related audits unless GAO excludes them by formal
announcement.

5.37 Besides following applicable AICPA standards,
auditors should follow this chapter’s first
(GAGAS reference), third (privileged and
confidential information), and fourth (report
distribution) additional standards of reporting. They
should apply or adapt the other standards and guidance
in this chapter as appropriate in the circumstances. For
financial related audits not described above, auditors
should follow the reporting standards for performance
audits in chapter 7.12

12 Chapter 2 provides examples of other types of financial related audits.

Appendix III

Advisory Council on Government
Auditing Standards

Advisory Council Members

                   Mr. Richard C. Tracy, Chair
                   Office of City Auditor
                   Portland, Oregon

                   The Honorable James B. Thomas, Jr., Former Chair”
                   Office of Chief Inspector General
                   State of Florida

                   Mr. Robert H. Attmore
                   Office of the Comptroller
                   New York State

                   The Honorable Thomas R. Bloom
                   Defense Finance and Accounting Service

                   The Honorable June Gibbs Brown**
                   U.S. Department of Health and Human Services

                   Mr. Donald H. Chapin*
                   Consultant

                   Ms. Patricia A. Dalton
                   U.S. Department of Labor

                   The Honorable Gaston L. Gianni, Jr.
                   Federal Deposit Insurance Corporation

                   Ms. Barbara J. Hinton
                   Office of the Legislative Post Auditor
                   State of Kansas

                   Mr. David G. Hitchcock
                   Standards & Poor’s

                   Mr. Nor-wood J. Jackson, Jr.
                   U.S. Office of Management and Budget

                   The Honorable Margaret B. Kelly*
                   Office of the State Auditor
                   State of Missouri


Dr. Daniel G. Kyle*
Office of the Legislative Auditor
State of Louisiana

Mr. Philip A. Leone
Joint Legislative Audit and Review Commission
Commonwealth of Virginia

Mr. George A. Lewis
Broussard, Poche, Lewis & Breaux

Ms. Nora J. E. Masters
Deloitte & Touche LLP

Mr. Sam M. McCall*
Florida Office of the Auditor General

Mr. Bruce A. Myers
Office of the Legislative Auditor
State of Maryland

Mr. John R. Milleti
KPMG Peat Marwick LLP

Dr. Kathryn E. Newcomer
George Washington University

Ms. Roberta E. Reese
Office of the Controller
State of Nevada

Mr. George A. Scott
Deloitte & Touche LLP

The Honorable Kurt R. Sjoberg
Office of the State Auditor
State of California

Dr. Paul M. Thompson*
AMBAC Indemnity Corporation


Mr. Cornelius E. Tierney
George Washington University

Ms. Leslie E. Ward
Office of the City Auditor
Kansas City, Missouri

Dr. Earl R. Wilson
University of Missouri-Columbia




*Term of Appointment to Advisory Council expired December 31, 1998.

**Resigned May 1999.
