
Government Auditing Standards: 2003 Revision (Superseded by GAO-07-162G)

Published by the Government Accountability Office on 2003-06-01.


d03673g.book Page 1 Thursday, July 24, 2003 12:37 PM




                                           United States General Accounting Office

   GAO                                     By the Comptroller General of the
                                           United States



   June 2003
                                           Government
                                           Auditing Standards
                                           2003 Revision




   GAO-03-673G




                    This revision of the standards supersedes the 1994 revision,
                    including amendments 1 through 3. Its provisions are effective for
                    financial audits and attestation engagements of periods ending on
                    or after January 1, 2004, and for performance audits beginning on
                    or after January 1, 2004. Early application is permissible.




   Contents

   Letter

   Chapter 1: Introduction
      Purpose
      Applicability
      Relationship between GAGAS and Other Professional Standards
      Accountability
      Roles and Responsibilities

   Chapter 2: Types of Government Audits and Attestation Engagements
      Introduction
      Financial Audits
      Attestation Engagements
      Performance Audits
      Nonaudit Services Provided by Audit Organizations

   Chapter 3: General Standards
      Introduction
      Independence
      Professional Judgment
      Competence
      Quality Control and Assurance

   Chapter 4: Field Work Standards for Financial Audits
      Introduction
      AICPA Field Work Standards
      Additional GAGAS Standards
      Auditor Communication
      Considering the Results of Previous Audits and Attestation Engagements
      Detecting Material Misstatements Resulting from Violations of Contract
         Provisions or Grant Agreements, or from Abuse
      Developing Elements of a Finding
      Audit Documentation

   Chapter 5: Reporting Standards for Financial Audits
      Introduction
      AICPA Reporting Standards
      Additional GAGAS Reporting Standards for Financial Audits
      Reporting Auditors’ Compliance with GAGAS
      Reporting on Internal Control and on Compliance with Laws, Regulations,
         and Provisions of Contracts or Grant Agreements
      Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
         Violations of Provisions of Contracts or Grant Agreements, and Abuse
      Reporting Views of Responsible Officials
      Reporting Privileged and Confidential Information
      Report Issuance and Distribution

   Chapter 6: General, Field Work, and Reporting Standards for Attestation Engagements
      Introduction
      AICPA General and Field Work Standards for Attestation Engagements
      Additional GAGAS Field Work Standards for Attestation Engagements
      Auditor Communication
      Considering the Results of Previous Audits and Attestation Engagements
      Internal Control
      Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or
         Grant Agreements, and Abuse That Could Have a Material Effect on the
         Subject Matter
      Developing Elements of Findings for Attestation Engagements
      Attest Documentation
      AICPA Reporting Standards for Attestation Engagements
      Additional GAGAS Reporting Standards for Attestation Engagements
      Reporting Auditors’ Compliance with GAGAS
      Reporting Deficiencies in Internal Control, Fraud, Illegal Acts,
         Violations of Provisions of Contracts or Grant Agreements, and Abuse
      Reporting Views of Responsible Officials
      Reporting Privileged and Confidential Information
      Report Issuance and Distribution

   Chapter 7: Field Work Standards for Performance Audits
      Introduction
      Planning
      Supervision
      Evidence
      Audit Documentation

   Chapter 8: Reporting Standards for Performance Audits
      Introduction
      Form
      Report Contents
      Report Quality Elements
      Report Issuance and Distribution

   Appendix
      Appendix I: Advisory Council on Government Auditing Standards
      GAO Project Team

   Index







                                        Abbreviations

                                        AICPA           American Institute of Certified Public
                                                        Accountants
                                        COSO            Committee of Sponsoring Organizations of
                                                        the Treadway Commission
                                        CPA             certified public accountant
                                        CPE             continuing professional education
                                        GAAP            generally accepted accounting principles
                                        GAAS            generally accepted auditing standards
                                        GAGAS           generally accepted government auditing
                                                        standards
                                        GAO             U.S. General Accounting Office
                                        MD&A            Management’s Discussion and Analysis
                                        OMB             U.S. Office of Management and Budget
                                        SAS             AICPA Statements on Auditing Standards
                                        SSAE            AICPA Statements on Standards for
                                                        Attestation Engagements


                                         This is a work of the U.S. government and is not subject to
                                         copyright protection in the United States. It may be reproduced
                                         and distributed in its entirety without further permission from GAO.
                                         However, because this work may contain copyrighted images or
                                         other material, permission from the copyright holder may be
                                         necessary if you wish to reproduce this material separately.






                                                                                   Comptroller General
                                                                                    of the United States
  United States General Accounting Office
  Washington, D.C. 20548



                                           The concept of accountability for public resources is
                                           key in our nation’s governing process and a critical
                                           element for a healthy democracy. Legislators,
                                           government officials, and the public want to know
                                           whether government services are being provided
                                           efficiently, effectively, economically, and in compliance
                                           with laws and regulations. They also want to know
                                           whether government programs are achieving their
                                           objectives and desired outcomes, and at what cost.
                                           Government managers are accountable to legislative
                                           bodies and the public for their activities and related
                                           results. Government auditing is a key element in
                                           fulfilling the government’s duty to be accountable to the
                                           people. Auditing allows those parties and other
                                           stakeholders to have confidence in the reported
                                           information on the results of programs or operations, as
                                           well as in the related systems of internal control.
                                           Government auditing standards provide a framework to
                                           auditors so that their work can lead to improved
                                           government management, decision making, oversight
                                           and accountability.

                                           These standards are broad statements of auditors’
                                           responsibilities. They provide an overall framework for
                                           ensuring that auditors have the competence, integrity,
                                           objectivity, and independence in planning, conducting,
                                           and reporting on their work. Auditors will face many
                                           situations in which they could best serve the public by
                                           doing work exceeding the standards’ minimum
                                           requirements. As performance and accountability
                                           professionals, we should not strive just to comply with
                                           minimum standards, which represent the floor of
                                           acceptable behavior, but we need to do the right thing
                                           according to the facts and circumstances of each audit
                                           situation. I encourage auditors to seek opportunities to
                                           do additional work when and where it is appropriate,
                                           particularly in connection with testing and reporting on
                                           internal control.





                                       This is the fourth revision of the overall standards since
                                       they were first issued in 1972. This revision of the
                                       standards supersedes the 1994 revision, including
                                       amendments 1 through 3. This revision makes changes
                                       to these standards in the following 3 areas:

                                       • redefining the types of audits and services covered
                                         by the standards, including an expansion of the
                                         definition of performance auditing to incorporate
                                         prospective analyses and other studies and adding
                                         attestation as a separate type of audit,

                                       • providing consistency in the field work and reporting
                                         requirements among all types of audits defined under
                                         the standards, and

                                       • strengthening the standards and clarifying the
                                         language in areas that, by themselves, do not warrant
                                         a separate amendment to the standards.

                                       These standards contain requirements for auditor
                                       reporting on internal control, but they do not require the
                                       auditor to render an opinion on internal control.
                                       Nevertheless, I encourage auditors to evaluate those
                                       situations where they are reporting on internal control
                                       to determine whether providing an opinion on internal
                                       control would add value and be cost beneficial based on
                                       related risks. The Sarbanes-Oxley Act requires private
                                       sector auditors to attest to and report on the assessment
                                       made by management of each publicly traded company
                                       on the effectiveness of internal control over financial
                                       reporting. GAO strongly believes that auditor reporting
                                       on internal control is a critical component of monitoring
                                       the effectiveness of an organization’s risk management
                                       and accountability systems. Auditors can better serve
                                       their clients and other financial statement users and
                                       better protect the public interest by having a greater role
                                       in providing assurances over the effectiveness of
                                       internal control in deterring fraudulent financial
                                       reporting, protecting assets, and providing an early
                                           warning of emerging problems. We believe auditor
                                           reporting on internal control is appropriate and
                                           necessary for publicly traded companies and major
                                           public entities. We also believe that such reporting is
                                           appropriate in other cases where management
                                           assessment and auditor examination and reporting on
                                           the effectiveness of internal control add value and
                                           mitigate risk in a cost beneficial manner. In this regard,
                                           GAO seeks to lead by example in establishing the
                                           appropriate level of auditor reporting on internal control
                                           for federal agencies, programs, and entities receiving
                                           significant amounts of federal funding. In fact, we
                                           already provide opinions on internal control for all our
                                           major federal audit clients, including the consolidated
                                           financial statements of the U.S. Government.

                                           Because of the breadth of the fourth revision to the
                                           overall standards, any new standards are applicable for
                                           financial audits and attestation engagements of periods
                                           ending on or after January 1, 2004, and for performance
                                           audits beginning on or after January 1, 2004. Early
                                           application is permissible and encouraged. An electronic
                                           version of these standards can be accessed on the Web
                                           at www.gao.gov/govaud/ybk01.htm. We have also posted
                                           a listing of the major changes from the 1994 Revision to
                                           this Web site. Printed copies can be obtained from the
                                           U.S. Government Printing Office.

                                           This revision of the standards currently incorporates the
                                           field work and the reporting standards issued by the
                                           American Institute of Certified Public Accountants
                                           (AICPA). The Sarbanes-Oxley Act gives the Public
                                           Company Accounting Oversight Board (PCAOB) the
                                           authority to set auditing standards to be used by
                                           registered public accounting firms in the preparation
                                           and issuance of audit reports for publicly traded
                                           companies. As the PCAOB promulgates auditing
                                           standards for audits of these entities, GAO will continue
                                           to closely monitor the actions of both standard setting
                                           bodies and will issue clarifying guidance as necessary on
                                       the incorporation of future standards set by either
                                       standard setting body.

                                       This revision has gone through an extensive deliberative
                                       process including extensive public comments and input
                                       from the Comptroller General’s Advisory Council on
                                       Government Auditing Standards, which includes 21
                                       experts in financial and performance auditing and
                                       reporting drawn from all levels of government,
                                       academia, private enterprise, and public accounting. The
                                       views of all parties were thoroughly considered in
                                       finalizing the standards. I thank those who commented
                                       and suggested improvements to the standards. I
                                       especially commend the Advisory Council on
                                       Government Auditing Standards and the GAO project
                                       team for important contributions to this revision.




                                       David M. Walker
                                       Comptroller General
                                       of the United States

                                       June 2003








   Chapter 1


   Introduction




   Purpose                                 1.01 The standards and guidance contained in this
                                           document, often referred to as generally accepted
                                           government auditing standards (GAGAS), are intended
                                           for use by government auditors[1] to ensure that they
                                           maintain competence, integrity, objectivity, and
                                           independence in planning, conducting, and reporting
                                           their work, and are to be followed by auditors and audit
                                           organizations when required by law, regulation,
                                           contract, agreement, or policy.[2] The work performed in
                                           accordance with GAGAS, which is described in this
                                           chapter and more fully in chapter 2, includes financial
                                           audits, attestation engagements, and performance
                                           audits. Users of government audits and attestation
                                           engagements that are performed in accordance with
                                           GAGAS should have confidence that the work is
                                           objective and credible.

                                           1.02 GAGAS pertain to auditors’ professional
                                           qualifications and the quality of their work, the
                                           performance of field work, and the characteristics of
                                           meaningful reporting. Adherence to GAGAS can help
                                           ensure that audits and attestation engagements provide
                                           credibility to the information reported by or obtained
                                           from officials of the audited entity through objectively
                                           acquiring and evaluating evidence. When auditors
                                           perform their work in this manner and comply with
                                           GAGAS in reporting the results, their work can lead to
                                           improved government management, decision making,
                                           and oversight. Government auditing is also a key
                                           element in fulfilling the government’s duty to be
                                           accountable to the public.

                                           [1] This document addresses the standards that should be used by the
                                           individuals in audit organizations conducting the broad array of work
                                           that is described more fully in chapter 2. Accordingly, the focus of this
                                           document is not on the wide variety of titles that are used by
                                           individuals conducting and reporting on this work, but instead the
                                           nature of the work that is being performed. The term “auditor”
                                           throughout this document includes individuals who may be titled
                                           auditor, analyst, evaluator, inspector, or who may have a similar
                                           position.

                                           [2] Requirements in GAGAS are identified by statements that include the
                                           word “should.” Auditors are expected to comply with these
                                           requirements if they apply to the type of work being performed.

                                       1.03 This chapter describes the applications of GAGAS
                                       by auditors and audit organizations. This chapter also
                                       describes the concept of accountability for public
                                       resources and discusses the responsibilities of managers
                                       of government programs, auditors, and audit
                                       organizations in the audit process.


Applicability                          1.04 The standards and guidance in this document apply
                                       to audits and attestation engagements of government
                                       entities, programs, activities, and functions, and of
                                       government assistance administered by contractors,
                                       nonprofit entities, and other nongovernmental entities.
                                       A number of statutes and other mandates require that
                                       auditors follow GAGAS. Where a statute or other
                                       mandate does not exist, auditors will find it useful to
                                       follow GAGAS in work regarding the use of government
                                       funds. If auditors hold themselves out as following
                                       GAGAS, regardless of whether the auditors are required
                                       to follow such standards, the auditors need to justify any
                                       departures from GAGAS.

                                       1.05 The following are among the laws, regulations, and
                                       guidelines that require use of GAGAS:

                                       a. The Inspector General Act of 1978, as amended, 5
                                       U.S.C. App. (2000) requires that the statutorily
                                       appointed federal inspectors general comply with
                                       GAGAS for audits of federal establishments,
                                       organizations, programs,3 activities, and functions. The
                                       act further states that the inspectors general shall take
                                       appropriate steps to assure that any work performed by
                                       nonfederal auditors complies with GAGAS.

                                       3 Henceforth, the term “program” will be used in this document to
                                       include government establishments, organizations, programs,
                                       activities, and functions.

                                           b. The Chief Financial Officers Act of 1990 (Public Law
                                           101-576), as expanded by the Government Management
                                           Reform Act of 1994 (Public Law 103-356), requires that
                                           GAGAS be followed in audits of executive branch
                                           departments’ and agencies’ financial statements.

                                           c. The Single Audit Act Amendments of 1996 (Public
                                           Law 104-156) require that GAGAS be followed in audits
                                           of state and local governments and nonprofit entities
                                           that receive federal awards.4 The Office of Management
                                           and Budget (OMB) Circular A-133, Audits of States,
                                           Local Governments, and Non-Profit Organizations,
                                           which provides the government-wide guidelines and
                                           policies on performing audits to comply with the Single
                                           Audit Act, also requires the use of GAGAS.

                                           1.06 Auditors need to be alert to other laws, regulations,
                                           or other authoritative sources that could require the use
                                           of GAGAS. For example, state and local laws and
                                           regulations may require auditors at the state and local
                                           levels of government to follow GAGAS. Also, the terms
                                           of an agreement or contract may require auditors to
                                           comply with GAGAS. Federal audit guidelines pertaining
                                           to program requirements, such as those issued for
                                           Housing and Urban Development programs and Student
                                           Financial Aid programs, may also require that GAGAS be
                                           followed.




                                           4 Under the Single Audit Act, as amended, federal awards include
                                           federal financial assistance (grants, loans, loan guarantees, property,
                                           cooperative agreements, interest subsidies, insurance, food
                                           commodities, direct appropriations, or other assistance) and
                                           cost-reimbursement contracts.






                                       1.07 Even if not required to do so, auditors may find it
                                       useful to follow GAGAS in performing audits of federal,
                                       state, and local government programs as well as in
                                       performing audits of government awards administered
                                       by contractors, nonprofit entities, and other
                                       nongovernment entities. Many audit organizations not
                                       formally required to do so, both in the United States of
                                       America and in other countries, voluntarily follow
                                       GAGAS.

                                       1.08 Auditors may provide professional services, other
                                       than audits and attestation engagements, that consist
                                       solely of gathering, providing, and explaining
                                       information requested by decision makers or by
                                       providing advice or assistance to officials of the audited
                                       entity. GAGAS are not applicable to nonaudit services,
                                       which are described more fully in chapter 2. However,
                                       providing nonaudit services may affect an audit
                                       organization’s independence to conduct audits, which is
                                       discussed in chapter 3.


Relationship                           1.09 GAGAS may be used in conjunction with
between GAGAS                          professional standards issued by other authoritative
and Other                              bodies. For example, the American Institute of Certified
Professional                           Public Accountants (AICPA) has issued professional
Standards                              standards that apply in financial audits and attestation
                                       engagements performed by certified public accountants
                                       (CPA). GAGAS incorporate the AICPA’s field work and
                                       reporting standards and the related statements on
                                       auditing standards for financial audits unless
                                       specifically excluded, as discussed in chapters 4 and 5.
                                       GAGAS incorporate the AICPA’s general standard on
                                       criteria, and the field work and reporting standards and
                                       the related statements on the standards for attestation
                                       engagements, unless specifically excluded, as discussed
                                       in chapter 6. To meet the needs of users of government
                                       audits and attestation engagements, GAGAS also
                                       prescribe requirements in addition to those provided by
                                       the AICPA for these types of work.

                                           1.10 Other professional standards that may be used by
                                           auditors are issued by such bodies as the Institute of
                                           Internal Auditors (Codification of the Standards for the
                                           Professional Practice of Internal Auditing, The
                                           Institute of Internal Auditors, Inc.) and the American
                                           Evaluation Association (Guiding Principles for
                                           Evaluators, a report from the American Evaluation
                                           Association Task Force on Guiding Principles for
                                           Evaluators; The Program Evaluation Standards, Joint
                                           Committee on Standards for Education Evaluation; and
                                           Standards for Educational and Psychological Testing,
                                           American Psychological Association.) These other
                                           professional standards are not incorporated into
                                           GAGAS, but can be used in conjunction with GAGAS. To
                                           the extent of any inconsistencies between the standards,
                                           GAGAS should prevail as the controlling (authoritative)
                                           source if GAGAS are cited in the report.


   Accountability                          1.11 The concept of accountability for public resources
                                           is key in our nation’s governing processes. Legislators,
                                           other government officials, and the public want to know
                                           whether (1) government resources are managed
                                           properly and used in compliance with laws and
                                           regulations, (2) government programs are achieving
                                           their objectives and desired outcomes, and
                                           (3) government services are being provided efficiently,
                                           economically, and effectively. Managers of these
                                           programs are accountable to legislative bodies and the
                                           public. Auditors of these programs, when they adhere to
                                           GAGAS, provide reports that enhance the credibility and
                                           reliability of the information that is reported by or
                                           obtained from officials of the audited entity.

                                           1.12 Financial audits contribute to making governments
                                           more accountable for the use of public resources. The
                                       auditors, in providing an independent report on whether
                                       an entity’s financial information is presented fairly in
                                       accordance with recognized criteria, provide users with
                                       statements concerning the reliability of the information.
                                       Financial audits performed in accordance with GAGAS
                                       also provide information about internal control,
                                       compliance with laws and regulations, and provisions of
                                       contracts and grant agreements as they relate to
                                       financial transactions, systems, and processes.

                                       1.13 Attestation engagements also contribute to
                                       governments’ accountability for the use of public
                                       resources and the delivery of services. In an attestation
                                       engagement, auditors issue an examination, a review, or
                                       an agreed-upon procedures report on a subject matter or
                                       on an assertion about a subject matter, based on or in
                                       conformity with criteria that is the responsibility of
                                       another party. Attestation engagements can cover a
                                       broad range of financial or nonfinancial objectives and
                                       provide various levels of assurance about the subject
                                       matter or assertion dependent upon the user’s needs.

                                       1.14 Performance audits also contribute to
                                       governments’ accountability for the use of public
                                       resources and the delivery of services. The term
                                       performance audit is used to include a variety of
                                       objectives to meet users’ needs. Performance audits
                                       provide an independent assessment of the performance
                                       and management of government programs against
                                       objective criteria or an assessment of best practices and
                                       other information. Performance audits provide
                                       information to improve program operations, facilitate
                                       decision making by parties with responsibility to
                                       oversee or initiate corrective action, and contribute to
                                       public accountability. The term performance audit is
                                       used generically to include work classified by some
                                       audit organizations as program evaluations, program
                                       effectiveness and results audits, economy and efficiency
                                       audits, operational audits, and value-for-money audits.





                                           1.15 Given the importance and complexity of
                                           government programs in providing a variety of public
                                           services, auditors are increasingly being called on by
                                           legislative bodies and government agencies to expand
                                           the variety of performance audits to include work that
                                           has a prospective focus or provides guidance, best
                                           practice information, or information on issues that
                                           affect multiple programs or entities already studied or
                                           under study by an audit organization. This work may
                                           also include an assessment of policy alternatives,
                                           identification of risks and risk mitigation efforts, and a
                                           variety of analytical services to aid government officials
                                           in performing their responsibilities and carrying out
                                           their stewardship of government resources. Such work,
                                           like other performance audits, (1) involves a level of
                                           analysis, research, or evaluation, (2) may provide
                                           conclusions and recommendations, and (3) results in a
                                           report.

                                           1.16 Audit organizations may also seek to achieve
                                           improvement through cooperative engagements with
                                           affected agencies while continuing to maintain
                                           independence under the standards. Such “constructive
                                           engagement” approaches, where appropriate, can
                                           facilitate management improvements on a real-time
                                           basis without compromising the audit organization’s
                                           independence and objectivity. Efforts to provide
                                           technical advice and expertise to agencies for use in
                                           responding to current risks, correcting internal control
                                           deficiencies, or responding to the audit organization’s
                                           recommendations are examples of constructive
                                           engagements. Constructive engagement approaches will
                                           not impair independence when conducted within the
                                           framework of an audit or as technical advice to
                                           agencies. However, audit organizations need to take
                                           care to avoid making management decisions or to avoid
                                           situations that would result in the audit organization
                                           auditing its own work, such as directing agencies to
                                           undertake a specific activity in a specific manner as
                                           discussed more fully in chapter 3 of these standards. By
                                       limiting the audit organization’s role in this way, the
                                       overarching principles of independence are not violated.


Roles and                              1.17 Officials of the audited entity entrusted with
Responsibilities                       handling public resources and auditors of government
                                       programs fulfill essential roles and responsibilities in
                                       ensuring that public resources are used efficiently,
                                       economically, effectively, and legally. Audit
                                       organizations also have the important responsibility of
                                       ensuring that auditors can meet their responsibilities.
                                       These unique roles involve using sound management
                                       practices and providing professional audits and
                                       attestation engagements.


Management’s Role                      1.18 Officials of the audited entity (for example,
                                       managers of a state or local governmental entity or a
                                       nonprofit entity that receives federal awards) are
                                       responsible for

                                       a. applying those resources efficiently, economically,
                                       effectively, and legally to achieve the purposes for which
                                       the resources were furnished or the program was
                                       established;5

                                       b. complying with applicable laws and regulations,
                                       including identifying the requirements with which the
                                       entity and the official must comply and implementing
                                       systems designed to achieve that compliance;

                                       c. establishing and maintaining effective internal control
                                       to help ensure that appropriate goals and objectives are
                                       met; resources are used efficiently, economically, and
                                       effectively, and are safeguarded; laws and regulations
                                       are followed; and reliable data are obtained, maintained,
                                       and fairly disclosed;

                                       5 This responsibility applies to all resources, both financial and
                                       physical, as well as informational resources, whether entrusted to
                                       public officials or others by their own constituencies or by other levels
                                       of government.

                                           d. providing appropriate reports to those who oversee
                                           their actions and to the public in order to be accountable
                                           for the resources used to carry out government
                                           programs and the results of these programs;

                                           e. addressing the findings and recommendations of
                                           auditors, and for establishing and maintaining a process
                                           to track the status of such findings and
                                           recommendations; and

                                           f. following sound procurement practices when
                                           contracting for audits and attestation engagements,
                                           including ensuring procedures are in place for
                                           monitoring contract performance. The objectives and
                                           scope of the audit or attestation engagement need to be
                                           made clear. In addition to price, other factors that may
                                           be considered in evaluating bid proposals include the
                                           responsiveness of the bidder to the request for proposal;
                                           the prior performance and experience of the bidder; the
                                           availability of the bidder’s staff who have the
                                           appropriate professional qualifications and technical
                                           abilities; and the results of the bidder’s peer reviews.


   Auditors’                               1.19 In discharging their professional responsibilities,
   Responsibilities                        auditors need to observe the principles of serving the
                                           public interest and maintaining the highest degree of
                                           integrity, objectivity, and independence. The public
                                           interest is defined as the collective well-being of the
                                           community of people and entities the auditors serve.
                                           These principles are fundamental to the responsibilities
                                           of auditors.

                                           1.20 Auditors should act in a way that will serve the
                                           public interest, honor the public trust, and uphold their
                                       professionalism. A distinguishing mark of a profession is
                                       acceptance of its responsibility to the public. This
                                       responsibility is critical when auditing in the
                                       government environment. GAGAS embody the concept
                                       of accountability, which is fundamental to serving the
                                       public interest.

                                       1.21 Auditors need to make decisions that are
                                       consistent with the public interest in the program or
                                       activity under audit. In discharging their professional
                                       responsibilities, auditors may encounter conflicting
                                       pressures from management of the audited entity,
                                       various levels of government, and others who rely on the
                                       objectivity and independence of the auditors. In
                                       resolving those conflicts, auditors are responsible for
                                       acting with integrity, guided by the precept that when
                                       auditors fulfill their responsibilities to the public, these
                                       individuals’ and organizations’ interests are best served.

                                       1.22 To maintain and broaden public confidence,
                                       auditors need to perform all professional
                                       responsibilities with the highest degree of integrity.
                                       Auditors need to be professional, objective, fact-based,
                                       nonpartisan, and non-ideological in their relationships
                                       with audited entities and users of the auditors’ reports.
                                       Auditors should be honest and candid with the audited
                                       entity and users of the auditors’ work in the conduct of
                                       their work, within the constraints of the audited entity’s
                                       confidentiality laws, rules, or policies. Auditors need to
                                       be prudent in the use of information acquired in the
                                       course of their duties. They should not use such
                                       information for any personal gain or in any manner that
                                       would be detrimental to the legitimate and ethical
                                       objectives of the audited entity.

                                       1.23 Service and the public trust should not be
                                       subordinated to personal gain and advantage. Integrity
                                       can accommodate the inadvertent error and the honest
                                       difference of opinion; it cannot accommodate deceit or
                                           subordination of principle. Integrity requires auditors to
                                           observe both the form and the spirit of technical and
                                           ethical standards; circumvention of those standards
                                           constitutes subordination of judgment. Integrity also
                                           requires auditors to observe the principles of objectivity
                                           and independence.

                                           1.24 Auditors should be objective and free of conflicts
                                           of interest in discharging their professional
                                           responsibilities. Auditors are also responsible for being
                                           independent in fact and appearance when providing
                                           audit and attestation services. Objectivity is a state of
                                           mind that requires auditors to be impartial, intellectually
                                           honest, and free of conflicts of interest. Independence
                                           precludes relationships that may in fact or appearance
                                           impair auditors’ objectivity in performing the audit or
                                           attestation engagement. The maintenance of objectivity
                                           and independence requires continuing assessment of
                                           relationships with the audited entities in the context of
                                           the auditors’ responsibility to the public.

                                           1.25 In applying GAGAS, auditors are responsible for
                                           using professional judgment when establishing scope
                                           and methodologies for their work, determining the tests
                                           and procedures to be performed, conducting the work,
                                           and reporting the results. Auditors need to maintain
                                           integrity and objectivity when doing their work to make
                                           decisions that are consistent with the broader public
                                           interest in the program or activity under review. When
                                           reporting on the results of their work, auditors are
                                           responsible for disclosing all material or significant facts
                                           known to them which, if not disclosed, could mislead
                                           knowledgeable users, misrepresent the results, or
                                           conceal improper or unlawful practices.








                                       1.26 Auditors are responsible for helping management
                                       and other report users6 understand the auditors’
                                       responsibilities under GAGAS and other audit or
                                       attestation coverage required by law or regulation. To
                                       help managers and other report users understand an
                                       engagement’s objectives, time frames, and data needs,
                                       auditors need to communicate information concerning
                                       planning, conduct, and reporting of the engagement to
                                       the parties involved during the planning stages of the
                                       audit or attestation engagement.


Audit Organizations’ Responsibilities

                                       1.27 Audit organizations also have responsibility for
                                       ensuring that (1) independence and objectivity are
                                       maintained in all phases of the assignment,
                                       (2) professional judgment is used in planning and
                                       performing the work and in reporting the results, (3) the
                                       work is performed by personnel who are professionally
                                       competent and collectively have the necessary skills and
                                       knowledge, and (4) an independent peer review is
                                       periodically performed resulting in an opinion issued as
                                       to whether an audit organization’s system of quality
                                       control is designed and being complied with to provide
                                       reasonable assurance of conforming with professional
                                       standards.

                                       1.28 While management is responsible for addressing
                                       audit and attestation engagement findings and
                                       recommendations and tracking their status of
                                       resolution, audit organizations are responsible for
                                       establishing policies and procedures for follow-up to
                                       determine whether previous significant findings and
                                       recommendations are addressed and are considered in
                                       planning future engagements.


                                       6 Other report users may include officials of the audited entity, the audit
                                       committee, the board of directors or other audit oversight body,
                                       management or auditors of granting or funding agencies, and
                                       individuals contracting for or requesting audit services.






   Chapter 2


   Types of Government Audits and
   Attestation Engagements




   Introduction

                                           2.01 This chapter describes the types of audits and
                                           attestation engagements that audit organizations
                                           perform, or arrange to have performed, of government
                                           entities, programs, and federal awards administered by
                                           contractors, nonprofit entities, and other
                                           nongovernment entities. This description is not intended
                                           to limit or require the types of audits or attestation
                                           engagements that may be performed or arranged to be
                                           performed. In performing work described below in
                                           accordance with generally accepted government
                                           auditing standards (GAGAS), auditors should follow the
                                           applicable standards included and incorporated in
                                           chapters 3 through 8. This chapter also describes
                                           nonaudit services that audit organizations may provide,
                                           although these services are not covered by GAGAS.

                                           2.02 All engagements begin with objectives, and those
                                           objectives determine the type of work to be performed
                                           and the auditing standards to be followed. The types of
                                           work, as defined by their objectives that are covered by
                                           GAGAS, are classified in this document as financial
                                           audits, attestation engagements, and performance
                                           audits.

                                           2.03 Engagements may have a combination of
                                           objectives that include more than one type of work
                                           described in this chapter or may have objectives limited
                                           to only some aspects of one type of work. Auditors
                                           should follow the standards that are applicable to the
                                           individual objectives of the audit or attestation
                                           engagement.

                                           2.04 In some engagements, the applicable standards
                                           that apply to the specific audit objective will be
                                           apparent. For example, if the audit objective is to
                                           express an opinion on financial statements, the
                                           standards for financial audits apply. However, for some
                                           engagements, there may be overlap between the
                                           applicable objectives. For example, if the objectives are
                                       to determine the reliability of performance measures,
                                       this work can be done in accordance with either the
                                       standards for attestation engagements or for
                                       performance audits. In cases where there is a choice
                                       between applicable standards, auditors should consider
                                       users’ needs and the auditors’ knowledge, skills, and
                                       experience in deciding which standards to follow.
                                       Auditors should apply the standards that are applicable
                                       to the type of assignment conducted (the financial audit
                                       standards, the attestation engagement standards, or the
                                       performance auditing standards).


Financial Audits

                                       2.05 Financial audits are primarily concerned with
                                       providing reasonable assurance about whether financial
                                       statements are presented fairly in all material respects in
                                       conformity with generally accepted accounting
                                       principles (GAAP),7 or with a comprehensive basis of
                                       accounting other than GAAP. Other objectives of
                                       financial audits, which provide for different levels of
                                       assurance and entail various scopes of work, may
                                       include

                                       a. providing special reports for specified elements,
                                       accounts, or items of a financial statement;8



                                       7 The three authoritative bodies for establishing accounting principles
                                       and financial reporting standards are the Federal Accounting
                                       Standards Advisory Board (federal government), the Governmental
                                       Accounting Standards Board (state and local governments), and the
                                       Financial Accounting Standards Board (nongovernmental entities).
                                       8 Special reports apply to auditors’ reports issued in connection with
                                       the following: (1) financial statements that are prepared in conformity
                                       with a comprehensive basis of accounting other than generally
                                       accepted accounting principles; (2) specified elements, accounts, or
                                       items of a financial statement; (3) compliance with aspects of
                                       contractual agreements or regulatory requirements related to audited
                                       financial statements; (4) financial presentations to comply with
                                       contractual agreements or regulatory requirements; or (5) financial
                                       information presented in prescribed forms or schedules that require a
                                       prescribed form of auditors’ report.


                                           b. reviewing interim financial information;

                                           c. issuing letters for underwriters and certain other
                                           requesting parties;

                                           d. reporting on the processing of transactions by service
                                           organizations; and

                                           e. auditing compliance with regulations relating to
                                           federal award expenditures and other governmental
                                           financial assistance in conjunction with or as a
                                           by-product of a financial statement audit.

                                           2.06 Financial audits are performed under the American
                                           Institute of Certified Public Accountants’ (AICPA)
                                           generally accepted auditing standards for field work and
                                           reporting, as well as the related AICPA Statements on
                                           Auditing Standards (SAS). GAGAS prescribe general
                                           standards and additional field work and reporting
                                           standards beyond those provided by the AICPA when
                                           performing financial audits. (See chapters 3, 4, and 5 for
                                           standards and guidance for auditors performing a
                                           financial audit in accordance with GAGAS.)


   Attestation Engagements

                                           2.07 Attestation engagements9 concern examining,
                                           reviewing, or performing agreed-upon procedures on a
                                           subject matter or an assertion10 about a subject matter
                                           and reporting on the results. The subject matter of an
                                           attestation engagement may take many forms, including
                                           historical or prospective performance or condition,
                                           physical characteristics, historical events, analyses,
                                           systems and processes, or behavior. Attestation

                                           9 For consistency within GAGAS, the word “auditor” is used to describe
                                           individuals conducting and reporting on attestation engagements.
                                           10 An assertion is any declaration or set of declarations made by
                                           management about whether the subject matter is based on or in
                                           conformity with the criteria selected.


                                       engagements can cover a broad range of financial or
                                       nonfinancial subjects and can be part of a financial audit
                                       or performance audit. Possible subjects of attestation
                                       engagements could include reporting on

                                       a. an entity’s internal control over financial reporting;

                                       b. an entity’s compliance with requirements of specified
                                       laws, regulations, rules, contracts, or grants;

                                       c. the effectiveness of an entity’s internal control over
                                       compliance with specified requirements, such as those
                                       governing the bidding for, accounting for, and reporting
                                       on grants and contracts;

                                       d. management’s discussion and analysis (MD&A)
                                       presentation;

                                       e. prospective financial statements or pro-forma
                                       financial information;

                                       f. the reliability of performance measures;

                                       g. final contract cost;

                                       h. allowability and reasonableness of proposed contract
                                       amounts; and

                                       i. specific procedures performed on a subject matter
                                       (agreed-upon procedures).

                                       2.08 Attestation engagements are performed under the
                                       AICPA’s attestation standards, as well as the related
                                       AICPA Statements on Standards for Attestation
                                       Engagements (SSAE). GAGAS prescribe general
                                       standards and additional field work and reporting
                                       standards beyond those provided by the AICPA for
                                       attestation engagements. (See chapters 3 and 6 for
                                           standards and guidance for auditors performing an
                                           attestation engagement in accordance with GAGAS.)


   Performance Audits

                                           2.09 Performance audits entail an objective and
                                           systematic examination of evidence to provide an
                                           independent assessment of the performance and
                                           management of a program against objective criteria as
                                           well as assessments that provide a prospective focus or
                                           that synthesize information on best practices or
                                           cross-cutting issues. Performance audits provide information
                                           to improve program operations and facilitate decision
                                           making by parties with responsibility to oversee or
                                           initiate corrective action, and improve public
                                           accountability. Performance audits encompass a wide
                                           variety of objectives, including objectives related to
                                           assessing program effectiveness and results; economy
                                           and efficiency; internal control;11 compliance with legal
                                           or other requirements; and objectives related to
                                           providing prospective analyses, guidance, or summary
                                           information. Performance audits may entail a broad or
                                           narrow scope of work and apply a variety of
                                           methodologies; involve various levels of analysis,
                                           research, or evaluation; generally provide findings,
                                           conclusions, and recommendations; and result in the
                                           issuance of a report. (See chapters 3, 7, and 8 for
                                           standards and guidance for auditors performing a
                                           performance audit in accordance with GAGAS.)

                                           2.10 Program effectiveness and results audit objectives
                                           address the effectiveness of a program and typically
                                           measure the extent to which a program is achieving its
                                           goals and objectives. Economy and efficiency audit
                                           objectives concern whether an entity is acquiring,


                                           11 The term “internal control” in this document is synonymous with the
                                           term management control and, unless otherwise stated, covers all
                                           aspects of an entity’s operations (programmatic, financial, and
                                           compliance).


                                       protecting, and using its resources in the most
                                       productive manner to achieve program objectives.
                                       Program effectiveness and results audit objectives and
                                       economy and efficiency audit objectives are often
                                       interrelated and may be concurrently addressed in a
                                       performance audit. Examples of these audit objectives
                                       include assessing

                                       a. the extent to which legislative, regulatory, or
                                       organizational goals and objectives are being achieved;

                                       b. the relative ability of alternative approaches to yield
                                       better program performance or eliminate factors that
                                       inhibit program effectiveness;

                                       c. the relative cost and benefits or cost effectiveness of
                                       program performance;12

                                       d. whether a program produced intended results or
                                       produced effects that were not intended by the
                                       program’s objectives;

                                       e. the extent to which programs duplicate, overlap, or
                                       conflict with other related programs;

                                       f. whether the audited entity is following sound
                                       procurement practices;

                                       g. the validity and reliability of performance measures
                                       concerning program effectiveness and results, or
                                       economy and efficiency; and

                                       h. the reliability, validity, or relevance of financial
                                       information related to the performance of a program.


                                       12 These objectives focus on combining cost information with
                                       information about outputs or the benefit provided and outcomes or the
                                       results achieved.


                                           2.11 Internal control audit objectives relate to
                                           management’s plans, methods, and procedures used to
                                           meet its mission, goals, and objectives. Internal control
                                           includes the processes and procedures for planning,
                                           organizing, directing, and controlling program
                                           operations, and the system put in place for measuring,
                                           reporting, and monitoring program performance.
                                           Examples of audit objectives related to internal control
                                           include the extent that internal control of a program
                                           provides reasonable assurance that

                                           a. organizational missions, goals, and objectives are
                                           achieved effectively and efficiently;

                                           b. resources are used in compliance with laws,
                                           regulations, or other requirements;

                                           c. resources are safeguarded against unauthorized
                                           acquisition, use, or disposition;

                                           d. management information and public reports that are
                                           produced, such as performance measures, are complete,
                                           accurate, and consistent to support performance and
                                           decision making;

                                           e. security over computerized information systems will
                                           prevent or timely detect unauthorized access; and

                                           f. contingency planning for information systems
                                           provides essential back-up to prevent unwarranted
                                           disruption of activities and functions the systems
                                           support.

                                           2.12 Compliance audit objectives relate to compliance
                                           criteria established by laws, regulations, contract
                                       provisions, grant agreements, and other requirements13
                                       that could affect the acquisition, protection, and use of
                                       the entity’s resources and the quantity, quality,
                                       timeliness, and cost of services the entity produces and
                                       delivers. Compliance objectives also concern the
                                       purpose of the program, the manner in which it is to be
                                       conducted and services delivered, and the population it
                                       serves.

                                       2.13 Audit organizations also undertake work that
                                       provides a prospective focus or may provide guidance,
                                       best practice information, and information that cuts
                                       across program or organizational lines, or summary
                                       information on issues already studied or under study by
                                       an audit organization. Examples of objectives pertaining
                                       to this work include

                                       a. assessing program or policy alternatives, including
                                       forecasting program outcomes under various
                                       assumptions;

                                       b. assessing the advantages and disadvantages of
                                       legislative proposals;

                                       c. analyzing views of stakeholders on policy proposals
                                       for decision makers;

                                       d. analyzing budget proposals or budget requests to
                                       assist legislatures in the budget process;

                                       e. identifying best practices for users in evaluating
                                       program or management system approaches, including
                                       financial and information management systems; and




                                       13 Compliance requirements can be either financial or nonfinancial in
                                       nature.


                                           f. producing a high-level summary or a report that
                                           affects multiple programs or entities on issues studied
                                           or under study by the audit organization.


   Nonaudit Services Provided by Audit Organizations

                                           2.14 Audit organizations may also provide nonaudit
                                           services that are not covered by GAGAS.14 Nonaudit
                                           services generally differ from financial audits,
                                           attestation engagements, and performance audits in that
                                           auditors may (1) perform tasks requested by
                                           management that directly support the entity’s
                                           operations, such as developing or implementing
                                           accounting systems; determining account balances;
                                           developing internal control systems; establishing
                                           capitalization criteria; processing payroll; posting
                                           transactions; evaluating assets; designing or
                                           implementing information technology or other systems;
                                           or performing actuarial studies or (2) provide
                                           information or data to a requesting party without
                                           providing verification, analysis, or evaluation of the
                                           information or data, and, therefore, the work does not
                                           usually provide a basis for conclusions,
                                           recommendations, or opinions on the information or
                                           data. These services may or may not result in the
                                           issuance of a report. In the case of nongovernment
                                           auditors who conduct audits under GAGAS, the term
                                           nonaudit services is synonymous with consulting
                                           services.

                                           2.15 GAGAS do not cover nonaudit services described
                                           in this chapter since such services are not audits or
                                           attestation engagements. Therefore, auditors should not
                                           report that nonaudit services were conducted in
                                           accordance with GAGAS. However, audit organizations


                                           14
                                             If audit organizations provide nonaudit services, audit organizations
                                           need to consider whether providing these services creates a personal
                                           impairment either in fact or appearance that adversely affects their
                                           independence for conducting audits.



                                       are encouraged to establish policies for maintaining the
                                       quality of this type of work, and may wish to disclose
                                       such policies in any product resulting from this work,
                                       any other professional standards followed, and the
                                       quality control steps taken.

                                       2.16 Importantly, although GAGAS do not provide
                                       standards for conducting nonaudit services, auditors
                                       providing such services need to ensure that their
                                       independence to provide audit services is not impaired
                                       by providing nonaudit services. (See chapter 3, general
                                       standards on independence.)





   Chapter 3


   General Standards




   Introduction                            3.01 This chapter prescribes general standards and
                                           provides guidance for performing financial audits,
                                           attestation engagements,15 and performance audits.
                                           These general standards concern the fundamental
                                           requirements for ensuring the credibility of auditors’
                                           results. Credibility is essential to all audit organizations
                                           performing work that government leaders and other
                                           users rely on for making decisions, and is what the
                                           public expects of information provided by auditors.
                                           These general standards encompass the independence
                                           of the audit organization and its individual auditors; the
                                           exercise of professional judgment in the performance of
                                           work and the preparation of related reports; the
                                           competence of audit staff, including the need for their
                                           continuing professional education; and the existence of
                                           quality control systems and external peer reviews.

                                           3.02 These general standards provide the underlying
                                           framework that is critical in effectively applying the field
                                           work and reporting standards described in the following
                                           chapters when performing the detailed work associated
                                           with audits or attestation engagements and when
                                           preparing related reports and other products. Therefore,
                                           these general standards are required to be followed by
                                           all auditors and audit organizations, both government
                                           and nongovernment, performing work under generally
                                           accepted government auditing standards (GAGAS).


   Independence                            3.03 The general standard related to independence is:

                                           In all matters relating to the audit work, the audit
                                           organization and the individual auditor, whether
                                           government or public, should be free both in fact



                                           15
                                             See chapter 6 for an additional general standard auditors should
                                           follow when performing an attestation engagement.



                                       and appearance from personal, external, and
                                       organizational impairments to independence.

                                       3.04 Auditors and audit organizations have a
                                       responsibility to maintain independence so that
                                       opinions, conclusions, judgments, and
                                       recommendations will be impartial and will be viewed
                                       as impartial by knowledgeable third parties. Auditors
                                       should avoid situations that could lead reasonable third
                                       parties with knowledge of the relevant facts and
                                       circumstances to conclude that the auditors are not able
                                       to maintain independence and, thus, are not capable of
                                       exercising objective and impartial judgment on all issues
                                       associated with conducting and reporting on the work.

                                       3.05 Auditors need to consider three general classes of
                                       impairments to independence—personal, external, and
                                       organizational.16 If one or more of these impairments
                                       affects an individual auditor’s capability to perform the
                                       work and report results impartially, that auditor should
                                       either decline to perform the work, or in those situations
                                       in which the government auditor, because of a legislative
                                       requirement or for other reasons, cannot decline to
                                       perform the work, the impairment or impairments
                                       should be reported in the scope section of the audit
                                       report.




                                       16
                                        Nongovernment auditors should also follow the AICPA code of
                                       professional conduct and the code of professional conduct of the state
                                       board with jurisdiction over the practice of the public accountant and
                                       the audit organization. All auditors should also be aware of and
                                       comply with any applicable government ethics laws and regulations
                                       and any other ethics requirements (such as those of the state boards of
                                       accountancy) associated with their activities.



                                           3.06 In using the work of a specialist,17 auditors need to
                                           consider the specialist as a member of the audit team
                                           and, accordingly, assess the specialist’s ability to
                                           perform the work and report results impartially. In
                                           conducting this assessment, auditors should provide the
                                           specialist with the GAGAS independence requirements
                                           and obtain representations from the specialist regarding
                                           the specialist’s independence from the activity or
                                           program under audit. If the specialist has an impairment
                                           to independence, auditors should not use the work of
                                           that specialist.


   Personal                                3.07 The audit organization should have an internal
   Impairments                             quality control system to help determine whether
                                           auditors have any personal impairments to
                                           independence that could affect their impartiality or the
                                           appearance of impartiality. The audit organization needs
                                           to be alert for personal impairments to independence of
                                           its staff members. Personal impairments of staff
                                           members result from relationships and beliefs that
                                           might cause auditors to limit the extent of the inquiry,
                                           limit disclosure, or weaken or slant audit findings in any
                                           way. Auditors are responsible for notifying the
                                           appropriate officials within their audit organizations if
                                           they have any personal impairments to independence.
                                           Examples of personal impairments of individual
                                           auditors include, but are not limited to, the following:

                                           a. immediate family or close family member18 who is a
                                           director or officer of the audited entity, or as an


                                           17
                                             Specialists to whom this section applies include, but are not limited
                                           to, actuaries, appraisers, attorneys, engineers, environmental
                                           consultants, medical professionals, statisticians, and geologists. This
                                           section applies to external consultants and firms performing work for
                                           the audit organization.
                                           18
                                             Immediate family member is a spouse, spouse equivalent, or
                                           dependent (whether or not related). A close family member is a parent,
                                           sibling, or nondependent child.



                                       employee of the audited entity, is in a position to exert
                                       direct and significant influence over the entity or the
                                       program under audit;

                                       b. financial interest that is direct, or is
                                       significant/material though indirect, in the audited entity
                                       or program;19

                                       c. responsibility for managing an entity or decision
                                       making that could affect operations of the entity or
                                       program being audited; for example as a director,
                                       officer, or other senior position of the entity, activity, or
                                       program being audited, or as a member of management
                                       in any decision making, supervisory, or ongoing
                                       monitoring function for the entity, activity, or program
                                       under audit;20, 21




                                       19
                                        Auditors are not precluded from auditing pension plans that they
                                       participate in if (1) the auditor has no control over the investment
                                       strategy, benefits, or other management issues associated with the
                                       pension plan and (2) the auditor belongs to such pension plan as part
                                       of his/her employment with the audit organization, provided that the
                                       plan is normally offered to all employees in equivalent employment
                                       positions.
                                       20
                                         If the auditor has performed nonaudit services for a client that affect
                                       information that is the subject of the audit, and management is unable
                                       or unwilling to take responsibility for this information, the risk that the
                                       auditor may be perceived to have a personal impairment to
                                       independence is increased. See paragraphs 3.10 through 3.18 for
                                       additional guidance on impairments to independence associated with
                                       the scope of services that may be provided by audit organizations to
                                       entities they audit.
                                       21
                                        The auditor needs to be free from this personal impairment for the
                                       period covered by the activity under audit, including any financial
                                       statements being audited, and for the period in which the audit is being
                                       performed and reported.



                                           d. concurrent or subsequent performance of an audit by
                                           the same individual who maintained the official
                                           accounting records when such services involved
                                           preparing source documents or originating data, in
                                           electronic or other form; posting transactions (whether
                                           coded by management or not coded); authorizing,
                                           executing, or consummating transactions (for example,
                                           approving invoices, payrolls, claims, or other payments
                                           of the entity or program being audited); maintaining an
                                           entity’s bank account or otherwise having custody of the
                                           audited entity’s funds; or otherwise exercising authority
                                           on behalf of the entity, or having authority to do so;22

                                           e. preconceived ideas toward individuals, groups,
                                           organizations, or objectives of a particular program that
                                           could bias the audit;

                                           f. biases, including those induced by political,
                                           ideological, or social convictions, that result from
                                           employment in, or loyalty to, a particular type of policy,
                                           group, organization, or level of government; and

                                           g. seeking employment with an audited organization
                                           during the conduct of the audit.

                                           3.08 Audit organizations and auditors may encounter
                                           many different circumstances or combination of
                                           circumstances that could create a personal impairment.
                                           Therefore, it is impossible to identify every situation that
                                           could result in a personal impairment. Accordingly,
                                           audit organizations should include as part of their
                                           internal quality control system requirements to identify
                                           personal impairments and assure compliance with
                                           GAGAS independence requirements. At a minimum,
                                           audit organizations should



                                           22
                                            See footnote 21.



                                       a. establish policies and procedures that will enable the
                                       identification of personal impairments to independence,
                                       including whether performing nonaudit services affects
                                       the subject matter of audits and applying safeguards to
                                       appropriately reduce that risk (See paragraphs 3.10
                                       through 3.18.);

                                       b. communicate the audit organization’s policies and
                                       procedures to all auditors in the organization and assure
                                       understanding of requirements through training or other
                                       means such as auditors periodically acknowledging
                                       their understanding;

                                       c. establish internal policies and procedures to monitor
                                       compliance with the audit organization’s policies and
                                       procedures;

                                       d. establish a disciplinary mechanism to promote
                                       compliance with the audit organization’s policies and
                                       procedures; and

                                       e. stress the importance of independence and the
                                       expectation that auditors will always act in the public
                                       interest.





                                           3.09 When the audit organization identifies a personal
                                           impairment to independence, the impairment needs to
                                           be resolved in a timely manner. In situations in which
                                           the personal impairment is applicable only to an
                                           individual auditor on a particular assignment, the audit
                                           organization may be able to mitigate the personal
                                           impairment by requiring the auditor to eliminate the
                                           personal impairment. For example, the auditor could
                                           sell a financial interest that created the personal
                                           impairment, or the audit organization could remove that
                                           auditor from any work on that audit assignment.23 If the
                                           personal impairment cannot be mitigated through these
                                           means, the audit organization should withdraw from the
                                           audit. In situations in which government auditors cannot
                                           withdraw from the audit, they should follow the
                                           requirement in paragraph 3.05.

                                           3.10 Audit organizations that provide other professional
                                           services (nonaudit services) should consider whether
                                           providing these services creates a personal impairment
                                           either in fact or appearance that adversely affects their
                                           independence for conducting audits.24




                                           23
                                             Auditors participating in the audit assignment need to be free from
                                           personal impairments. This includes those who review the work or
                                           the report, and all others within the audit organization who can
                                           directly influence the outcome of the audit.
                                           24
                                             GAO has issued further guidance in the form of questions and
                                           answers to assist in implementation of the standards associated with
                                           nonaudit services. This guidance, Answers to Independence Standard
                                           Questions, can be found on GAO’s Government Auditing Standards
                                           Web page (http://www.gao.gov/govaud/ybk01.htm).



                                       3.11 Nonaudit services generally differ from financial
                                       audits, attestation engagements, and performance audits
                                       described in chapter 2 in that auditors may (1) perform
                                       tasks requested by management that directly support
                                       the entity’s operations, such as developing or
                                       implementing accounting systems; determining account
                                       balances;25 developing internal control systems;
                                       establishing capitalization criteria; processing payroll;
                                       posting transactions; evaluating assets; designing or
                                       implementing information technology or other systems;
                                       or performing actuarial studies, or (2) provide
                                       information or data to a requesting party without
                                       providing verification, analysis, or evaluation of the
                                       information or data, circumstances in which the work
                                       does not usually provide a basis for conclusions,
                                       recommendations, or opinions on the information or
                                       data. These other services may or may not result in a
                                       report. In the case of nongovernment auditors who
                                       perform audits of government entities under GAGAS,
                                       the term “nonaudit services” is synonymous with
                                       consulting services.

                                       3.12 Audit organizations have the capability of
                                       performing a range of services for their clients.
                                       However, in certain circumstances, it is not appropriate
                                       for the audit organization to perform both audit and
                                       certain nonaudit services for the same client. In these
                                       circumstances, auditors and/or the audited entity will
                                       have to make a choice as to which of these services the
                                       audit organization will provide. GAGAS recognize that
                                       nonaudit services are provided by audit organizations
                                       and that care needs to be taken to avoid situations that
                                       can impair auditor independence, either in fact or
                                       appearance, when performing financial audits,


                                       25
                                         The determination of account balances is used by management to
                                       prepare financial statements, such as determining for management the
                                       balance of accounts receivable or accounts payable or the value of
                                       inventory as of a specific date.



                                           attestation engagements, or performance audits in
                                           accordance with GAGAS.

                                           3.13 Before an audit organization agrees to perform
                                           nonaudit services, it should carefully consider the
                                           requirements of paragraph 3.04 that auditors should
                                           avoid situations that could lead reasonable third parties
                                           with knowledge of the relevant facts and circumstances
                                           to conclude that auditors are not able to maintain
                                           independence in conducting audits. In conducting the
                                           assessment, the audit organization should apply two
                                           overarching principles: (1) audit organizations should
                                           not provide nonaudit services that involve performing
                                           management functions or making management
                                           decisions and (2) audit organizations should not audit
                                           their own work or provide nonaudit services in
                                           situations where the nonaudit services are
                                           significant/material to the subject matter of audits. If the
                                           audit organization makes the determination that the
                                           nonaudit service does not violate these principles, it
                                           should comply with all the safeguards stated in
                                           paragraph 3.17.

                                           3.14 Audit organizations should not perform
                                           management functions or make management decisions.
                                           Performing management functions or making
                                           management decisions creates a situation that impairs
                                           the audit organization’s independence, both in fact and
                                           in appearance, to perform audits of that subject matter
                                           and may affect the audit organization’s independence to
                                           conduct audits of related subject matter. For example,
                                           auditors should not serve as members of an entity’s
                                           management committee or board of directors, make
                                           policy decisions that affect future direction and
                                           operation of an entity’s programs, supervise entity
                                       employees, develop programmatic policy, authorize an
                                       entity’s transactions, or maintain custody of an entity’s
                                       assets.26

                                       3.15 Auditors may participate on committees or task
                                       forces in a purely advisory capacity to advise entity
                                       management on issues related to the knowledge and
                                       skills of the auditors without impairing their
                                       independence. However, auditors should not make
                                       management decisions or perform management
                                       functions. For example, auditors can provide routine
                                       advice to the audited entity and management to assist
                                       them in activities such as establishing internal controls
                                       or implementing audit recommendations and can
                                       answer technical questions and/or provide training. The
                                       decision to follow the auditors’ advice remains with
                                       management of the audited entity. These types of
                                       interactions are normal between auditors and officials
                                       of the audited entity given the auditors’ technical
                                       expertise and the knowledge auditors gain of the
                                       audited entity’s operations. Auditors may also provide
                                       tools and methodologies, such as best practice guides,
                                       benchmarking studies, and internal control assessment
                                       methodologies that can be used by management. By
                                       their very nature, these are routine activities that would
                                       not require the audit organization to apply the
                                       safeguards described in paragraph 3.17.

                                       26 Entity assets are intended to include all of the entity’s property
                                       including bank accounts, investment accounts, inventories, equipment
                                       or other assets owned, leased, or otherwise in the entity’s possession,
                                       and financial records, both paper and electronic.

                                       3.16 Audit organizations should not audit their own
                                       work or provide nonaudit services if the services are
                                       significant/material to the subject matter of the audits.
                                       In considering whether the nonaudit service can have a
                                       significant or material effect on the subject matter of the
                                       audits, audit organizations should consider (1) ongoing
                                           audits; (2) planned audits; (3) requirements and
                                           commitments for providing audits, which includes laws,
                                           regulations, rules, contracts, and other agreements; and
                                           (4) policies placing responsibilities on the audit
                                           organization for providing audit services. Government
                                           auditors generally have broad audit responsibilities that
                                           may extend to a level of government or a particular
                                           entity within a level of government. Given their broad
                                           area of audit responsibility, government auditors need to
                                           be especially careful in providing nonaudit services to
                                           the entity so that their independence is not impaired for
                                           fulfilling their full range of audit responsibilities.
                                           Nongovernment audit organizations may provide audit
                                           and nonaudit services (commonly referred to as
                                           consulting) under contractual commitments to an entity
                                           and need to consider whether nonaudit services they
                                           have provided or are committed to provide have a
                                           significant or material effect on the subject matter of the
                                           audits.

                                           3.17 Audit organizations may perform nonaudit services
                                           that do not violate the principles stated in paragraph
                                           3.13 only if the audit organization and the audited entity
                                           comply with the following safeguards. These safeguards
                                           would not apply in connection with the type of routine
                                           activities described in paragraph 3.15. The intent in this
                                           paragraph is not for the audit organization to apply these
                                           safeguards to every interaction it has with management.

                                           a. The audit organization should document its
                                           consideration of the nonaudit services as discussed in
                                           paragraph 3.13, including documentation for its
                                           rationale that providing the nonaudit services does not
                                           violate the two overarching principles.

                                           b. Before performing nonaudit services, the audit
                                           organization should establish and document an
                                           understanding with the audited entity regarding the
                                           objectives, scope of work, and product or deliverables
                                       of the nonaudit service. The audit organization should
                                       also establish and document an understanding with
                                       management that (1) management is responsible for the
                                       substantive outcomes of the work and, therefore, has a
                                       responsibility to be in a position in fact and appearance
                                       to make an informed judgment on the results of the
                                       nonaudit service and (2) the audited entity complies
                                       with the following:

                                       1. designates a management-level individual to be
                                       responsible and accountable for overseeing the
                                       nonaudit service,

                                       2. establishes and monitors the performance of the
                                       nonaudit service to ensure that it meets management’s
                                       objectives,

                                       3. makes any decisions that involve management
                                       functions related to the nonaudit service and accepts
                                       full responsibility for such decisions, and

                                       4. evaluates the adequacy of the services performed and
                                       any findings that result.

                                       c. The audit organization should preclude personnel
                                       who provided the nonaudit services from planning,
                                       conducting, or reviewing audit work of subject matter
                                       involving the nonaudit service under the overarching
                                       principle that auditors cannot audit their own work.27

                                       d. The audit organization is precluded from reducing the
                                       scope and extent of the audit work below the level that
                                       would be appropriate if the nonaudit work were
                                       performed by an unrelated party.



                                       27 Personnel who provided the nonaudit service are permitted to
                                       convey to the audit assignment team the knowledge gained about the
                                       audited entity and its operations.


                                           e. The audit organization’s quality control systems for
                                           compliance with independence requirements should
                                           include: (1) policies and procedures to assure
                                           consideration of the effect on the ongoing, planned, and
                                           future audits when deciding whether to provide
                                           nonaudit services, and (2) a requirement to have the
                                           understanding with management of the audited entity
                                           documented. The understanding should be
                                           communicated to management in writing and can be
                                           included in the engagement letter. In addition, the
                                           documentation should specifically identify
                                           management’s compliance with the elements discussed
                                           in paragraph 3.17b, including evidence of the
                                           management-level individual responsible for overseeing
                                           the nonaudit service’s qualifications to conduct the
                                           required oversight and that the tasks required of
                                           management were performed.

                                           f. By their nature, certain nonaudit services impair the
                                           audit organization’s ability to meet either or both of the
                                           overarching principles in paragraph 3.13 for certain
                                           types of audit work. In these cases, the audit
                                           organization should communicate to management of the
                                           audited entity that the audit organization will not be able
                                           to perform subsequent audit work related to the subject
                                           matter of the nonaudit service. It should be clear to
                                           management up front that the audit organization would
                                           be in violation of the independence standard if it were to
                                           perform such audit work and that another audit
                                           organization that meets the independence standard will
                                           have to be engaged to perform the audit. For example, if
                                           the audit organization has been responsible for
                                           designing, developing, and/or installing the entity’s
                                           accounting system or is operating the system and then
                                           performs a financial statement audit of the entity, the
                                           audit organization would clearly be in violation of the
                                           two overarching principles of the GAGAS independence
                                           standard discussed in paragraph 3.13. Likewise, if the
                                           audit organization developed an entity’s performance
                                           measurement system, the audit organization would not
                                       be deemed independent in conducting a performance
                                       audit to evaluate whether the system was adequate. In
                                       both of these examples, the audit organization could
                                       decide to perform the nonaudit service but would then
                                       not be independent under GAGAS with regard to the
                                       subsequent audit because it would be in violation of one
                                       or both of the two overarching principles. It becomes a
                                       matter of choice for the audit organization and the
                                       audited entity. But the audit organization cannot
                                       maintain independence under GAGAS while providing
                                       both the nonaudit service and performing the audit if
                                       either of the two overarching principles would be
                                       violated.

                                       g. For individual audits selected for inspection during a
                                       peer review, all related nonaudit services should be
                                       disclosed to the audit organization’s peer reviewer, and
                                       the audit documentation required by paragraphs 3.17a
                                       through 3.17e should be made available for inclusion in
                                       the audit organization’s peer review.

                                       3.18 Audit organizations and auditors may encounter
                                       many different circumstances or combinations of
                                       circumstances; therefore, it is impossible to define every
                                       situation that could result in an impairment, as
                                       discussed in paragraph 3.12. The following are examples
                                       of nonaudit services performed by an audit organization
                                       that typically would not create an impairment to the
                                       audit organization’s independence as long as
                                       (1) auditors avoid situations that would conflict with the
                                       two overarching principles listed in paragraph 3.13 and
                                       (2) the audit organization complies with the safeguards
                                       in paragraph 3.17:

                                       a. Providing basic accounting assistance limited to
                                       services such as preparing draft financial statements
                                       that are based on management’s chart of accounts and
                                       trial balance and any adjusting, correcting, and closing
                                       entries that have been approved by management;
                                           preparing draft notes to the financial statements based
                                           on information determined and approved by
                                           management; preparing a trial balance based on
                                           management’s chart of accounts; maintaining
                                           depreciation schedules for which management has
                                           determined the method of depreciation, rate of
                                           depreciation, and salvage value of the asset.28 The audit
                                           organization, however, cannot maintain or prepare the
                                           audited entity’s basic accounting records or maintain or
                                           take responsibility for basic financial or other records
                                           that the audit organization will audit.29 As part of this
                                           prohibition, auditors should not post transactions
                                           (whether coded or not coded) to the entity’s financial
                                           records or to other records that subsequently provide
                                           data to the entity’s financial records.

                                           28 If the audit organization has prepared draft financial statements and
                                           notes and performed the financial statement audit, management
                                           should acknowledge the audit organization’s role in preparing the
                                           financial statements and related notes and management’s review,
                                           approval, and responsibility for the financial statements and related
                                           notes in the management representation letter. Likewise, if the audit
                                           organization converts cash-based financial statements to
                                           accrual-based financial statements, management should also acknowledge the
                                           audit organization’s role in reflecting accruals and management’s
                                           review, approval, and responsibility for the accrual adjustments in the
                                           management representation letter. A management representation
                                           letter is required by generally accepted auditing standards (GAAS) and
                                           GAGAS.

                                           29 Proposing adjusting and correcting entries that are identified during
                                           the audit is a routine byproduct of audit services that is always
                                           permissible so long as management makes the decision to accept the
                                           entries.

                                           b. Providing payroll services limited to services such as
                                           computing pay amounts for the entity’s employees based
                                           on entity-maintained and approved time records,
                                           salaries or pay rates, and deductions from pay;
                                           generating unsigned payroll checks; transmitting
                                           client-approved payroll data to a financial institution provided
                                           management has approved the transmission and limited
                                           the financial institution to making payments only to
                                           previously approved individuals. In cases in which the
                                       audit organization was processing the entity’s entire
                                       payroll and payroll was a material amount to the subject
                                       matter of the audit, this would be a violation of one of
                                       the overarching principles in paragraph 3.13, and
                                       auditors would not be deemed independent under
                                       GAGAS.

                                       c. Providing appraisal or valuation services limited to
                                       services such as reviewing the work of the entity or a
                                       specialist employed by the entity where the entity or
                                       specialist provides the primary evidence for the
                                       balances recorded in financial statements or other
                                       information that will be audited; valuing an entity’s
                                       pension, other post-employment benefit, or similar
                                       liabilities provided management has determined and
                                       taken responsibility for all significant assumptions and
                                       data.

                                       d. Preparing an entity’s indirect cost proposal30 or cost
                                       allocation plan provided management assumes
                                       responsibility for all significant assumptions and data.

                                       30 The Office of Management and Budget prohibits an auditor who
                                       prepared the entity’s indirect cost proposal from conducting the
                                       required audit when indirect costs recovered by the entity during the
                                       prior year exceeded $1 million under OMB Circular A-133, Audits of
                                       States, Local Governments, and Non-Profit Organizations, Subpart
                                       C.305(b), revised June 24, 1997.

                                       e. Providing advisory services on information
                                       technology limited to services such as advising on
                                       system design, system installation, and system security
                                       if management, in addition to the safeguards in
                                       paragraph 3.17, acknowledges responsibility for the
                                       design, installation, and internal control over the entity’s
                                       system and does not rely on the auditors’ work as the
                                       primary basis for determining (1) whether to implement
                                       a new system, (2) the adequacy of the new system
                                       design, (3) the adequacy of major design changes to an
                                       existing system, and (4) the adequacy of the system to
                                           comply with regulatory or other requirements. However,
                                           the audit organization should not operate or supervise
                                           the operation of the entity’s information technology
                                           system.

                                           f. Providing human resource services to assist
                                           management in its evaluation of potential candidates
                                           when the services are limited to activities such as
                                           serving on an evaluation panel to review applications or
                                           interviewing candidates to provide input to management
                                           in arriving at a listing of best qualified applicants to be
                                           provided to management. The auditors should not
                                           recommend a single individual for a specific position,
                                           nor should the auditors conduct an executive search or
                                           a recruiting program for the audited entity.

                                           g. Preparing routine tax filings in accordance with
                                           federal tax laws, rules, and regulations of the Internal
                                           Revenue Service, and state and local tax authorities, and
                                           any other applicable laws.

                                           h. Gathering and reporting on unverified external or
                                           third-party data to aid legislative and administrative
                                           decision making.

                                           i. Advising an entity regarding its performance of
                                           internal control self-assessments.

                                           j. Assisting a legislative body by developing questions
                                           for use at a hearing.


   External Impairments

                                           3.19 Factors external to the audit organization may
                                           restrict the work or interfere with auditors’ ability to
                                           form independent and objective opinions and
                                           conclusions. External impairments to independence
                                           occur when auditors are deterred from acting
                                           objectively and exercising professional skepticism by
                                           pressures, actual or perceived, from management and
                                       employees of the audited entity or oversight
                                       organizations. For example, under the following
                                       conditions, auditors may not have complete freedom to
                                       make an independent and objective judgment and an
                                       audit may be adversely affected:

                                       a. external interference or influence that could
                                       improperly or imprudently limit or modify the scope of
                                       an audit or threaten to do so, including pressure to
                                       reduce inappropriately the extent of work performed in
                                       order to reduce costs or fees;

                                       b. external interference with the selection or application
                                       of audit procedures or in the selection of transactions to
                                       be examined;

                                       c. unreasonable restrictions on the time allowed to
                                       complete an audit or issue the report;

                                       d. interference external to the audit organization in the
                                       assignment, appointment, and promotion of audit
                                       personnel;

                                       e. restrictions on funds or other resources provided to
                                       the audit organization that adversely affect the audit
                                       organization’s ability to carry out its responsibilities;

                                       f. authority to overrule or to inappropriately influence
                                       the auditors’ judgment as to the appropriate content of
                                       the report;

                                       g. threat of replacement over a disagreement with the
                                       contents of an audit report, the auditors’ conclusions, or
                                       the application of an accounting principle or other
                                       criteria; and

                                       h. influences that jeopardize the auditors’ continued
                                       employment for reasons other than incompetence,
                                       misconduct, or the need for audit services.

                                           3.20 An audit organization’s internal quality control
                                           system for compliance with GAGAS independence
                                           requirements, as stated in paragraph 3.08, should
                                           include internal policies and procedures for reporting
                                           and resolving external impairments.


   Organizational Impairments

                                           3.21 In addition to the preceding paragraphs that
                                           address personal and external impairments, a
                                           government audit organization’s ability to perform the
                                           work and report the results impartially can be affected
                                           by its place within government and the structure of the
                                           government entity that the audit organization is assigned
                                           to audit. Whether performing work to report externally
                                           to third parties outside the audited entity or internally to
                                           top management within the audited entity, audit
                                           organizations need to be free from organizational
                                           impairments to independence.

   Organizational Impairment Considerations When Reporting Externally to Third Parties

                                           3.22 Government auditors can be presumed to be free
                                           from organizational impairments to independence when
                                           reporting externally to third parties if their audit
                                           organization is organizationally independent from the
                                           audited entity. Government audit organizations can meet
                                           the requirement for organizational independence in a
                                           number of ways.

                                           3.23 First, a government audit organization may be
                                           presumed to be free from organizational impairments to
                                           independence from the audited entity to report
                                           externally, if the audit organization is

                                           a. assigned to a level of government other than the one
                                           to which the audited entity is assigned (federal, state, or
                                           local), for example, a federal auditor auditing a state
                                           government program, or

                                           b. assigned to a different branch of government within
                                           the same level of government as the audited entity; for
                                       example, a legislative auditor auditing an executive
                                       branch program.

                                       3.24 Second, a government audit organization may also
                                       be presumed to be free from organizational impairments
                                       for external reporting if the audit organization’s head
                                       meets any of the following criteria:

                                       a. directly elected by voters of the jurisdiction being
                                       audited;

                                       b. elected or appointed by a legislative body subject to
                                       removal by a legislative body, and reports the results of
                                       audits to and is accountable to a legislative body;

                                       c. appointed by someone other than a legislative body,
                                       so long as the appointment is confirmed by a legislative
                                       body and removal from the position is subject to
                                       oversight or approval by a legislative body,31 and reports
                                       the results of audits to and is accountable to a legislative
                                       body; or

                                       d. appointed by, accountable to, reports to, and can only
                                       be removed by a statutorily created governing body, the
                                       majority of whose members are independently elected
                                       or appointed and come from outside the organization
                                       being audited.

                                       31
                                         Legislative bodies may exercise their confirmation powers through a
                                       variety of means as long as they are involved in the approval of the
                                       individual to head the audit organization. This involvement can be
                                       demonstrated by approving the individual after the appointment or by
                                       initially selecting or nominating an individual or individuals for
                                       appointment by the appropriate authority.

                                       3.25 In addition to the presumptive criteria in
                                       paragraphs 3.23 and 3.24, GAGAS recognize that there
                                       may be other organizational structures under which a
                                       government audit organization could be considered to
                                       be free from organizational impairments and thereby be
                                           considered organizationally independent for reporting
                                           externally. These other structures should provide
                                           sufficient safeguards to prevent the audited entity from
                                           interfering with the audit organization’s ability to
                                           perform the work and report the results impartially. For
                                           an audit organization to be considered free from
                                           organizational impairments for reporting externally
                                           under a structure different from the ones listed in
                                           paragraphs 3.23 and 3.24, the audit organization should
                                           have all of the following safeguards:

                                           a. statutory protections that prevent the abolishment of
                                           the audit organization by the audited entity;

                                           b. statutory protections that require that if the head of
                                           the audit organization is removed from office, the head
                                           of the agency should report this fact and the reasons for
                                           the removal to the legislative body;

                                           c. statutory protections that prevent the audited entity
                                           from interfering with the initiation, scope, timing, and
                                           completion of any audit;

                                           d. statutory protections that prevent the audited entity
                                           from interfering with the reporting on any audit,
                                           including the findings, conclusions, and
                                           recommendations, or the manner, means, or timing of
                                           the audit organization’s reports;

                                           e. statutory protections that require the audit
                                           organization to report to a legislative body or other
                                           independent governing body on a recurring basis;

                                           f. statutory protections that give the audit organization
                                           sole authority over the selection, retention,
                                           advancement, and dismissal of its staff; and




                                       g. statutory access to records and documents that relate
                                       to the agency, program, or function being audited.32

                                       3.26 If the head of the audit organization concludes that
                                       the organization meets all the safeguards listed in
                                       paragraph 3.25, the audit organization should be
                                       considered free from organizational impairments to
                                       independence when reporting the results of its audits
                                       externally to third parties. The audit organization should
                                       document the statutory provisions in place that allow it
                                       to meet these safeguards. Those provisions should be
                                       reviewed during an external peer review to ensure that
                                       all the necessary safeguards have been met.

Organizational Impairment Considerations When Reporting Internally to Management

                                       3.27 Certain federal, state, or local government audit
                                       organizations or audit organizations within other
                                       government entities, such as public colleges,
                                       universities, and hospitals, employ auditors to work for
                                       management of the audited entities. These auditors may
                                       be subject to administrative direction from persons
                                       involved in the government management process. Such
                                       audit organizations are internal audit organizations. A
                                       government internal audit organization can be presumed
                                       to be free from organizational impairments to
                                       independence when reporting internally to management
                                       if the head of the audit organization meets all of the
                                       following criteria:

                                       a. accountable to the head or deputy head of the
                                       government entity,

                                       b. required to report the results of the audit
                                       organization’s work to the head or deputy head of the
                                       government entity, and

                                       c. located organizationally outside the staff or line
                                       management function of the unit under audit.

                                       32
                                         Statutory authority to issue a subpoena to obtain the needed records
                                       is one way to meet the requirement for statutory access to records.

                                           3.28 If the conditions of paragraph 3.27 are met, the
                                           audit organization should be considered free of
                                           organizational impairments to independence to audit
                                           internally and report objectively to the entity’s
                                           management. Further distribution of reports outside the
                                           organization should only be made in accordance with
                                           applicable law, rule, regulation, or policy. In these
                                           situations, the fact that the auditors are auditing in their
                                           employing organizations should be clearly reflected in
                                           the auditors’ reports.

                                           3.29 Auditors need to be sufficiently removed from
                                           political pressures to ensure that they can conduct their
                                           audits objectively and report their findings, opinions,
                                           and conclusions objectively without fear of political
                                           repercussions. Whenever feasible, auditors within
                                           internal audit organizations should be under a personnel
                                           system in which compensation, training, job tenure, and
                                           advancement are based on merit.

                                           3.30 The audit organization’s independence is enhanced
                                           when it also reports regularly to the entity’s independent
                                           audit committee and/or the appropriate government
                                           oversight body.

                                           3.31 When internal audit organizations that are free of
                                           organizational impairments to independence, under the
                                           criteria in paragraph 3.27, perform audits external to the
                                           government entities to which they are directly assigned,
                                           such as auditing contractors or outside party
                                           agreements, and no personal or external impairments
                                           exist, they may be considered independent of the
                                           audited entities and free to report objectively to the
                                           heads or deputy heads of the government entities to
                                           which they are assigned and to parties outside the
                                       organizations in accordance with applicable law, rule,
                                       regulation, or policy.

                                       3.32 The audit organization should document the
                                       conditions that allow it to be considered free of
                                       organizational impairments to independence to report
                                       internally. Those conditions should be reviewed during
                                       the peer review to ensure that all the necessary
                                       safeguards have been met.


Professional Judgment

                                       3.33 The general standard related to professional
                                       judgment is:

                                       Professional judgment should be used in planning
                                       and performing audits and attestation
                                       engagements and in reporting the results.

                                       3.34 This standard requires auditors to exercise
                                       reasonable care and diligence and to observe the
                                       principles of serving the public interest and maintaining
                                       the highest degree of integrity, objectivity, and
                                       independence in applying professional judgment to all
                                       aspects of their work. This standard also imposes a
                                       responsibility upon each auditor performing work under
                                       GAGAS to observe GAGAS. If auditors state they are
                                       performing their work in accordance with GAGAS, they
                                       should justify any departures from GAGAS.

                                       3.35 Auditors should use professional judgment in
                                       determining the type of assignment to be performed and
                                       the standards that apply to the work; defining the scope
                                       of work; selecting the methodology; determining the
                                       type and amount of evidence to be gathered; and
                                       choosing the tests and procedures for their work.
                                       Professional judgment also should be applied in
                                       performing the tests and procedures and in evaluating
                                       and reporting the results of the work.


                                           3.36 Professional judgment requires auditors to
                                           exercise professional skepticism, which is an attitude
                                           that includes a questioning mind and a critical
                                           assessment of evidence. Auditors use the knowledge,
                                           skills, and experience called for by their profession to
                                           diligently perform, in good faith and with integrity, the
                                           gathering of evidence and the objective evaluation of the
                                           sufficiency, competency, and relevancy of evidence.
                                           Since evidence is gathered and evaluated throughout the
                                           assignment, professional skepticism should be
                                           exercised throughout the assignment.

                                           3.37 Auditors neither assume that management is
                                           dishonest nor assume unquestioned honesty. In
                                           exercising professional skepticism, auditors should not
                                           be satisfied with less than persuasive evidence because
                                           of a belief that management is honest.

                                           3.38 The exercise of professional judgment allows
                                           auditors to obtain reasonable assurance that material
                                           misstatements or significant inaccuracies in data will
                                           likely be detected if they exist. Absolute assurance is not
                                           attainable because of the nature of evidence and the
                                           characteristics of fraud. Therefore, an audit or
                                           attestation engagement conducted in accordance with
                                           GAGAS may not detect a material misstatement or
                                           significant inaccuracy, whether from error or fraud,
                                           illegal acts, or violations of provisions of contracts or
                                           grant agreements. Accordingly, while this standard
                                           places responsibility on each auditor and audit
                                           organization to exercise professional judgment in
                                           planning and performing an assignment, it does not
                                           imply unlimited responsibility, nor does it imply
                                           infallibility on the part of either the individual auditor or
                                           the audit organization.




Competence

                                       3.39 The general standard related to competence is:

                                       The staff assigned to perform the audit or
                                       attestation engagement should collectively
                                       possess adequate professional competence for the
                                       tasks required.

                                       3.40 This standard places responsibility on audit
                                       organizations to ensure that each audit or attestation
                                       engagement is performed by staff who collectively have
                                       the knowledge, skills, and experience necessary for that
                                       assignment. Accordingly, audit organizations should
                                       have a process for recruitment, hiring, continuous
                                       development, and evaluation of staff to assist the
                                       organization in maintaining a workforce that has
                                       adequate competence. The nature, extent, and formality
                                       of the process will depend on various factors such as the
                                       size of the audit organization, its work, and its structure.

                                       3.41 The competencies discussed below apply to the
                                       knowledge, skills, and experience of audit organizations
                                       and not necessarily to each individual auditor. An audit
                                       organization may need to employ personnel or hire
                                       specialists who are knowledgeable, skilled, or
                                       experienced in such areas as accounting, statistics, law,
                                       engineering, audit design and methodology, information
                                       technology, public administration, economics, social
                                       sciences, or actuarial science.


Technical Knowledge and Competence

                                       3.42 Audit organizations should ensure that staff
                                       members assigned to conduct an audit or attestation
                                       engagement under GAGAS should collectively possess
                                       the technical knowledge, skills, and experience
                                       necessary to be competent for the type of work being
                                       performed before beginning work on that assignment.
                                       Staff members should collectively possess



                                           a. knowledge of GAGAS applicable to the type of work
                                           they are assigned and the education, skills, and
                                           experience to apply such knowledge to the work being
                                           performed;

                                           b. general knowledge of the environment in which the
                                           audited entity operates and the subject matter under
                                           review;

                                           c. skills to communicate clearly and effectively, both
                                           orally and in writing; and

                                           d. skills appropriate for the work being performed. For
                                           example:

                                           (1) if the work requires use of statistical sampling, the
                                           staff or specialists should include persons with
                                           statistical sampling skills;

                                           (2) if the work requires extensive review of information
                                           systems, the staff or specialists should include persons
                                           with information technology skills;

                                           (3) if the work involves review of complex engineering
                                           data, the staff or specialists should include persons with
                                           engineering skills; or

                                           (4) if the work involves the use of specialized audit
                                           methodologies or analytical techniques, such as the use
                                           of complex survey instruments, actuarial-based
                                           estimates, or statistical analysis tests, the staff or
                                           specialists should include persons with skills in those
                                           methodologies or techniques.




Additional Qualifications for Financial Audits and Attestation Engagements

                                       3.43 Auditors performing financial audits should be
                                       knowledgeable in generally accepted accounting
                                       principles (GAAP)33 and the AICPA’s generally accepted
                                       auditing standards for field work and reporting and the
                                       related Statements on Auditing Standards (SAS), and
                                       they should be competent in applying these standards
                                       and SASs to the task assigned. Similarly, when
                                       performing an attestation engagement, auditors should
                                       be knowledgeable in the AICPA general attestation
                                       standard related to criteria, and the AICPA attestation
                                       standards for field work and reporting and the related
                                       Statements on Standards for Attestation Engagements
                                       (SSAE), and they should be competent in applying these
                                       standards and SSAEs to the task assigned.

                                       3.44 Auditors engaged to perform financial audits or
                                       attestation engagements should be licensed certified
                                       public accountants or persons working for a licensed
                                       certified public accounting firm or a government
                                       auditing organization.34 Public accountants and
                                       accounting firms meeting licensing requirements should
                                       also comply with the applicable provisions of the public
                                       accountancy law and rules of the jurisdiction(s) where
                                       the audit is being performed and the jurisdiction(s) in
                                       which the public accountants and their firms are
                                       licensed.




                                       33
                                        If GAAP is not the basis of accounting being used on a particular
                                       assignment, then auditors should be knowledgeable about the
                                       appropriate accounting principles used, such as regulatory accounting
                                       principles.
                                       34
                                        Public accountants licensed on or before December 31, 1970, or
                                       persons working for a public accounting firm licensed on or before
                                       December 31, 1970, are also considered qualified under this standard.


   Continuing Professional Education

                                           3.45 Auditors performing work under GAGAS, including
                                           planning, directing, performing field work, or reporting
                                           on an audit or attestation engagement under GAGAS,
                                           need to maintain their professional competence through
                                           continuing professional education (CPE). Therefore,
                                           each auditor performing work under GAGAS should
                                           complete, every 2 years, at least 80 hours of CPE that
                                           directly enhance the auditor’s professional proficiency
                                           to perform audits and/or attestation engagements.35 At
                                           least 24 of the 80 hours of CPE should be in subjects
                                           directly related to government auditing, the government
                                           environment, or the specific or unique environment in
                                           which the audited entity operates.36 At least 20 hours of
                                           the 80 should be completed in any 1 year of the 2-year
                                           period.

                                           3.46 CPE may include a variety of topics that contribute
                                           to auditors’ proficiency to perform audits and/or
                                           attestation engagements, such as developments in
                                           auditing standards and methodology, accounting
                                           principles, assessment of internal control, principles of
                                           management or supervision, information systems
                                           management, audit sampling, financial statement
                                           analysis, evaluation design, and data analysis. It may
                                           also include subjects related to specific fields of work,
                                           such as public administration, public policy and
                                           structure, industrial engineering, finance, economics,
                                           social sciences, and information technology.



                                           35
                                             Although staff members must collectively possess the technical
                                           knowledge, skills, and experience necessary to be competent for the
                                           type of work being performed before beginning work on a GAGAS
                                           assignment as discussed in paragraph 3.42, individual auditors have 2
                                           years from the date they start an audit or attestation engagement
                                           conducted under GAGAS to comply with the CPE requirements.
                                           36
                                             Staff members not involved in planning, directing, or reporting on the
                                           audit or attestation engagement, and who charge less than 20 percent
                                           annually of their time to audits and attestation engagements following
                                           GAGAS, do not have to comply with the 24-hour CPE requirement.


                                       3.47 The audit organization is responsible for ensuring
                                       that auditors meet the continuing education
                                       requirements and should maintain documentation of the
                                       CPE completed. The U.S. General Accounting Office
                                       (GAO) has developed guidance pertaining to CPE
                                       requirements to assist auditors and audit organizations
                                       in exercising professional judgment in complying with
                                       the CPE requirements.37

                                       3.48 External and internal specialists assisting in
                                       performing a GAGAS assignment should be qualified
                                       and should maintain professional competence in their
                                       areas of specialization but are not required to meet the
                                       CPE requirements described here. However, auditors
                                       who use the work of external and internal specialists
                                       should ensure that such specialists are qualified in their
                                       areas of specialization and should document such
                                       assurance.


Quality Control and Assurance

                                       3.49 The general standard related to quality control and
                                       assurance is:

                                       Each audit organization performing audits and/or
                                       attestation engagements in accordance with
                                       GAGAS should have an appropriate internal
                                       quality control system in place and should undergo
                                       an external peer review.

                                       3.50 An audit organization’s system of quality control
                                       encompasses the audit organization’s structure and the
                                       policies adopted and procedures established to provide
                                       the organization with reasonable assurance of
                                       complying with applicable standards governing audits
                                       and attestation engagements. An audit organization’s


                                       37
                                        This guidance, Interpretation of Continuing Education and
                                       Training Requirements, can be found on GAO’s Government Auditing
                                       Standards Web page (http://www.gao.gov/govaud/ybk01.htm).


                                           internal quality control system should include
                                           procedures for monitoring, on an ongoing basis,
                                           whether the policies and procedures related to the
                                           standards are suitably designed and are being effectively
                                           applied.

                                           3.51 The nature and extent of an audit organization’s
                                           internal quality control system depends on a number of
                                           factors, such as its size, the degree of operating
                                           autonomy allowed its personnel and its audit offices, the
                                           nature of its work, its organizational structure, and
                                           appropriate cost-benefit considerations. Thus, the
                                           systems established by individual audit organizations
                                           will vary as will the need for, and extent of, their
                                           documentation of the systems. However, each audit
                                           organization should prepare appropriate documentation
                                           for its system of quality control to demonstrate
                                           compliance with its policies and procedures. The form
                                           and content of such documentation is a matter of
                                           judgment. Documentation of compliance should be
                                           retained for a period of time sufficient to enable those
                                           performing monitoring procedures and peer reviews to
                                           evaluate the extent of the audit organization’s
                                           compliance with the quality control policies and
                                           procedures.

                                           3.52 Audit organizations performing audits and
                                           attestation engagements in accordance with GAGAS
                                           should have an external peer review of their auditing
                                           and attestation engagement practices at least once every
                                           3 years by reviewers independent of the audit
                                           organization being reviewed.38 The external peer review


                                           38
                                             Audit organizations should have an external peer review conducted
                                           within 3 years from the date they start (that is, start of field work) their
                                           first assignment in accordance with GAGAS. Subsequent external peer
                                           reviews should be conducted every 3 years. Extensions of these time
                                           frames beyond 3 months to meet the external peer review
                                           requirements can only be granted by GAO and should only be
                                           requested for extraordinary circumstances.


                                       should determine whether, during the period under
                                       review, the reviewed audit organization’s internal quality
                                       control system was adequate and whether quality
                                       control policies and procedures were being complied
                                       with to provide the audit organization with reasonable
                                       assurance of conforming with applicable professional
                                       standards. Audit organizations should take remedial,
                                       corrective actions as needed based on the results of the
                                       peer review.

                                       3.53 Members of the external peer review team should
                                       meet the following requirements:

                                       a. Each review team member should have current
                                       knowledge of GAGAS and of the government
                                       environment relative to the work being reviewed.

                                       b. Each review team member should be independent (as
                                       defined in GAGAS) of the audit organization being
                                       reviewed, its staff, and the audits and attestation
                                       engagements selected for the external peer review. A
                                       review team or a member of the review team is not
                                       permitted to review the audit organization that
                                       conducted its audit organization’s most recent external
                                       peer review.

                                       c. Each review team member should have knowledge on
                                       how to perform a peer review. Such knowledge may be
                                       obtained from on-the-job training, training courses, or a
                                       combination of both.

                                       3.54 The peer review should meet the following
                                       requirements:

                                       a. The peer review should include a review of the audit
                                       organization’s internal quality control policies and
                                       procedures, including related monitoring procedures,
                                       audit and attestation engagement reports, audit and
                                       attest documentation, and other necessary documents

                                           (for example, independence documentation, CPE
                                           records, and personnel management files related to
                                           compliance with hiring, performance evaluation, and
                                           assignment policies). The review should also include
                                           interviews with various levels of the reviewed audit
                                           organization’s professional staff to assess their
                                           understanding of and compliance with relevant quality
                                           control policies and procedures.

                                           b. The review team should use one of the following
                                           approaches to selecting audits and attestation
                                           engagements for review: (1) select audits and attestation
                                           engagements that provide a reasonable cross section of
                                           the assignments performed by the reviewed audit
                                           organization in accordance with GAGAS or (2) select
                                           audits and attestation engagements that provide a
                                           reasonable cross section of the reviewed audit
                                           organization’s work subject to quality control
                                           requirements, including one or more assignments
                                           performed in accordance with GAGAS.

                                           c. The peer review should be sufficiently comprehensive
                                           to provide a reasonable basis for concluding whether
                                           the reviewed audit organization’s system of quality
                                           control was complied with to provide the organization
                                           with reasonable assurance of conforming with
                                           professional standards in the conduct of its work. The
                                           review team should consider the adequacy and results of
                                           the reviewed audit organization’s monitoring efforts to
                                           efficiently plan its peer review procedures.




                                       d. The review team should prepare a written report(s)
                                       communicating the results of the external peer review.
                                       The report should indicate the scope of the review,
                                       including any limitations thereon, and should express an
                                       opinion on whether the system of quality control of the
                                       reviewed audit organization’s audit and/or attestation
                                       engagement practices was adequate and was being
                                       complied with during the year reviewed to provide the
                                       audit organization with reasonable assurance of
                                       conforming with professional standards for audits and
                                       attestation engagements. The report should state the
                                       professional standards39 to which the reviewed audit
                                       organization is being held. The report should also
                                       describe the reasons for any modification of the opinion.
                                       When there are matters that resulted in a modification to
                                       the opinion, reviewers should report a detailed
                                       description of the findings and recommendations, either
                                       in the peer review report or in a separate letter of
                                       comment or management letter, to enable the reviewed
                                       audit organization to take appropriate actions. The
                                       written report should refer to the letter of comment or
                                       management letter if such a letter is issued along with a
                                       modified report.

                                       3.55 Audit organizations seeking to enter into a contract
                                       to perform an assignment in accordance with GAGAS
                                       should provide their most recent external peer review
                                       report and any letter of comment, and any subsequent
                                       peer review reports and letters of comment received
                                       during the period of the contract, to the party
                                       contracting for the audit or attestation engagement.
                                       Information in the external peer review report and letter
                                       of comment is often relevant to decisions on procuring
                                       audit or attestation engagement services. Auditors who
                                       are relying on another audit organization’s work should
                                       request a copy of the audit organization’s peer review


                                       39
                                        “Professional standards” refers to both the auditing standards and
                                       quality control standards used by the reviewed audit organization.


                                           report and any letter of comment, and the audit
                                           organization should provide the peer review report and
                                           letter of comment when requested.

                                           3.56 Government audit organizations also should
                                           transmit their external peer review reports to
                                           appropriate oversight bodies. It is also recommended
                                           that, upon request, the peer review report and letter of
                                           comment be made available to the public in a timely
                                           manner.




   Chapter 4


   Field Work Standards for Financial Audits




   Introduction

                                           4.01 This chapter prescribes field work standards and
                                           provides guidance for financial audits performed in
                                           accordance with generally accepted government
                                           auditing standards (GAGAS). Financial audits consist of
                                           all work performed under the American Institute of
                                           Certified Public Accountants’ (AICPA) generally
                                           accepted auditing standards and governed by the AICPA
                                           Statements on Auditing Standards (SAS). GAGAS
                                           incorporate the AICPA generally accepted field work
                                           standards for audits and the related SASs unless the
                                           Comptroller General of the United States excludes them
                                           by formal announcement.40 This chapter identifies the
                                           AICPA field work standards and prescribes additional
                                           standards for financial audits performed in accordance
                                           with GAGAS.

                                           4.02 Financial audits performed in a government
                                           environment primarily include audits of financial
                                           statements.41 The SASs also govern and provide
                                           guidance for other types of financial audits which may
                                           be performed in a government environment, such as




                                           40
                                             To date, the Comptroller General has not excluded any field work
                                           standards or SASs.
                                           41
                                             The term “financial statements” refers to a presentation of financial
                                           data, including accompanying notes, derived from accounting records
                                           and intended to communicate an entity’s economic resources or
                                           obligations at a point in time or the changes for a period of time in
                                           conformity with an identifiable framework, such as generally accepted
                                           accounting principles (GAAP) or another comprehensive basis of
                                           accounting. Audits of financial statements include all services
                                           governed by the AICPA SASs for which the auditors are engaged to
                                           provide a level of assurance on the fair presentation of financial
                                           statements in accordance with stated criteria.


                                       compliance auditing, issuing special reports,42 audits of
                                       service organizations, reviews of interim financial
                                       information, and issuing letters to underwriters and
                                       certain other requesting parties. These other services
                                       may be performed in conjunction with an audit of
                                       financial statements.


AICPA Field Work Standards

                                       4.03 The three AICPA generally accepted standards of
                                       field work are as follows:

                                       a. The work is to be adequately planned, and
                                       assistants, if any, are to be properly supervised.

                                       b. A sufficient understanding of internal control43
                                       is to be obtained to plan the audit and to
                                       determine the nature, timing, and extent of tests
                                       to be performed.




                                       42
                                         The term “special report” applies to auditors’ reports issued in
                                       connection with the following: (1) financial statements that are
                                       prepared in conformity with a comprehensive basis of accounting
                                       other than GAAP; (2) specified elements, accounts, or items of a
                                       financial statement; (3) compliance with aspects of contractual
                                       agreements or regulatory requirements related to audited financial
                                       statements; (4) financial presentations to comply with contractual
                                       agreements or regulatory provisions; or (5) financial information
                                       presented in prescribed forms or schedules that require a prescribed
                                       form of auditors’ report. Under GAGAS, an audit of financial
                                       statements prepared in conformity with a comprehensive basis of
                                       accounting other than GAAP (item 1 above) would be subject to the
                                       same GAGAS requirements applicable to audits of financial statements
                                       prepared in conformity with GAAP.
                                       43
                                        The AICPA standards incorporate the concepts contained in Internal
                                       Control – Integrated Framework, published by the Committee of
                                       Sponsoring Organizations (COSO) of the Treadway Commission.
                                       Internal control consists of five interrelated components, which are
                                       (1) control environment, (2) risk assessment, (3) control activities,
                                       (4) information and communication, and (5) monitoring. The
                                       objectives of internal control relate to (1) financial reporting, (2)
                                       operations, and (3) compliance. Safeguarding of assets is a subset of
                                       these objectives. In that respect, internal control should be designed to
                                       provide reasonable assurance regarding prevention of or prompt
                                       detection of unauthorized acquisition, use, or disposition of assets.


                                           c. Sufficient competent evidential matter is to be
                                           obtained through inspection, observation,
                                           inquiries, and confirmations to afford a reasonable
                                           basis for an opinion regarding the financial
                                           statements under audit.

                                           4.04 Auditors should use professional judgment and
                                           consider the needs of users in applying the AICPA
                                           standards and related guidance to audits of a
                                           government entity or an entity that receives government
                                           awards. For example, auditors may need to set lower
                                           materiality levels than in audits in the private sector
                                           because of the public accountability of the audited
                                           entity, various legal and regulatory requirements, and
                                           the visibility and sensitivity of government programs.
                                           Also, auditors need to be sensitive to the concerns of
                                           oversight officials regarding previously reported internal
                                           control deficiencies of the audited entity and,
                                           accordingly, may need to test the effectiveness of
                                           internal control that have been changed in response to
                                           reported deficiencies even if auditors do not plan to rely
                                           on the effectiveness of such internal control.


   Additional GAGAS Standards

                                           4.05 GAGAS prescribe additional standards for financial
                                           audits that go beyond the requirements contained in the
                                           AICPA SASs. Auditors must comply with these
                                           additional standards when citing GAGAS in their audit
                                           reports. The additional GAGAS standards relate to

                                           a. auditor communication (see paragraphs 4.06 through
                                           4.13);

                                           b. considering the results of previous audits and
                                           attestation engagements (see paragraphs 4.14 through
                                           4.16);




                                       c. detecting material misstatements resulting from
                                       violations of contract provisions or grant agreements or
                                       from abuse (see paragraphs 4.17 through 4.20);

                                       d. developing elements of a finding for financial audits
                                       (see paragraph 4.21); and

                                       e. audit documentation (see paragraphs 4.22 through
                                       4.26).


Auditor                                4.06 The standard related to auditor communication for
Communication                          financial audits performed in accordance with GAGAS
                                       is:

                                       Auditors should communicate information
                                       regarding the nature, timing, and extent of
                                       planned testing and reporting and the level of
                                       assurance provided to officials of the audited
                                       entity and to the individuals contracting for or
                                       requesting the audit.

                                       4.07 AICPA standards and GAGAS require auditors to
                                       establish an understanding with the client and to
                                       communicate with audit committees. GAGAS broaden
                                       the parties with whom auditors must communicate and
                                       require auditors to communicate specific information
                                       during the planning stages of a financial audit, including
                                       any potential restriction of the auditors’ reports, to
                                       reduce the risk that the needs or expectations of the
                                       parties involved may be misinterpreted. Auditors should
                                       use their professional judgment to determine the form,
                                       content, and frequency of the communication, although
                                       written communication is preferred. Auditors may use
                                       an engagement letter, if appropriate, to communicate
                                       the information. Auditors should document the
                                       communication in their audit documentation.




                                           4.08 Auditors should communicate their responsibilities
                                           for the engagement to the appropriate officials of the
                                           audited entity, including

                                           a. the head of the audited entity,

                                           b. the audit committee or board of directors or other
                                           equivalent oversight body in the absence of an audit
                                           committee, and

                                           c. the individual who possesses a sufficient level of
                                           authority and responsibility for the financial reporting
                                           process, such as the chief financial officer.

                                           4.09 In situations in which auditors are performing the
                                           audit under a contract with a party other than the
                                           officials of the audited entity, or pursuant to a third-
                                           party request, auditors should also communicate with
                                           the individuals contracting for or requesting the audit,
                                           such as contracting officials or members or staff of
                                           legislative committees. When auditors are performing
                                           the audit pursuant to a law or regulation, auditors
                                           should communicate with the members or staff of
                                           legislative committees who have oversight of the
                                           auditee.[44] Auditors should coordinate communications
                                           with the responsible government audit organization
                                           and/or management of the audited entity and may use
                                           the engagement letter to keep interested parties
                                           informed. If an audit is terminated before it is
                                           completed, auditors should write a memorandum for the
                                           record that summarizes the results of the work and
                                           explains the reasons why the audit was terminated. In
                                           addition, auditors should communicate the reason for
                                           terminating the audit to management of the audited
                                           entity, the entity requesting the audit, and other
                                           appropriate officials, preferably in writing. This
                                           communication should be documented.

                                           [44] This requirement applies only to situations where the law or
                                           regulation specifically identifies the entity to be audited, such as an
                                           audit of a specific agency’s financial statements required by the Chief
                                           Financial Officers Act of 1990, as expanded by the Government
                                           Management Reform Act of 1994. Situations in which the mandate to
                                           audit financial statements applies to entities not specifically identified,
                                           such as audits required by the Single Audit Act Amendments of 1996,
                                           are excluded.

                                       4.10 In communicating the nature of services and level
                                       of assurance provided, auditors should specifically
                                       address their planned work and reporting related to
                                       testing internal control over financial reporting and
                                       compliance with laws, regulations, and provisions of
                                       contracts or grant agreements. During the planning
                                       stages of an audit, auditors should communicate their
                                       responsibilities for testing and reporting on internal
                                       control over financial reporting and compliance with
                                       laws, regulations, and provisions of contracts or grant
                                       agreements. Such communication should include the
                                       nature of any additional testing of internal control and
                                       compliance required by laws, regulations, and
                                       provisions of contracts or grant agreements, or
                                       otherwise requested, and whether the auditors are
                                       planning on providing opinions on internal control over
                                       financial reporting and compliance with laws,
                                       regulations, and provisions of contracts or grant
                                       agreements.

                                       4.11 To assist in understanding the limitations of
                                       auditors’ responsibilities for testing and reporting on
                                       internal control over financial reporting and compliance
                                       with laws, regulations, and provisions of contracts or
                                       grant agreements, auditors may want to contrast those
                                       responsibilities with other audits of internal control and
                                       compliance. The discussion in paragraphs 4.12 and 4.13
                                       may be helpful to auditors in explaining their
                                       responsibilities for testing and reporting on internal
                                       control over financial reporting and compliance to
                                       officials of the audited entity and other interested
                                       parties.

                                           4.12 Tests of internal control over financial reporting
                                           and compliance with laws, regulations, and provisions
                                           of contracts or grant agreements in a financial statement
                                           audit contribute to the evidence supporting the auditors’
                                           opinion on the financial statements or other conclusions
                                           regarding financial data. However, such tests generally
                                           are not sufficient in scope to opine on internal control
                                           over financial reporting or compliance with laws,
                                           regulations, and provisions of contracts or grant
                                           agreements. To meet certain audit report users’ needs,
                                           laws and regulations sometimes prescribe testing and
                                           reporting on internal control over financial reporting
                                           and compliance with laws, regulations, and provisions
                                           of contracts and grant agreements to supplement
                                           coverage of these areas.[45]

                                           [45] For example, when engaged to perform audits under the Single Audit
                                           Act Amendments of 1996 for state and local government entities and
                                           nonprofit entities that receive federal awards, auditors should be
                                           familiar with the Office of Management and Budget (OMB) Circular
                                           A-133 on single audits. The act and circular include specific audit
                                           requirements, mainly in the areas of internal control and compliance
                                           with laws and regulations, that exceed the minimum audit
                                           requirements in the standards in chapters 4 and 5 of this document.
                                           Audits performed under the Chief Financial Officers Act of 1990, as
                                           expanded by the Government Management Reform Act of 1994, also
                                           have specific audit requirements prescribed by OMB in the areas of
                                           internal control and compliance. In addition, some state and local
                                           governments may have additional audit requirements that the auditors
                                           would need to consider in planning the audit.

                                           4.13 Even after auditors perform and report the results
                                           of additional tests of internal control over financial
                                           reporting and compliance with laws, regulations, and
                                           provisions of contracts and grant agreements, some
                                           reasonable needs of officials of the audited entity or
                                           individuals contracting for or requesting the audit still
                                           may be unmet. Auditors may meet these needs by
                                           performing further tests of internal control and
                                           compliance with laws, regulations, and provisions of
                                           contracts or grant agreements using the AICPA
                                           Statements on Standards for Attestation Engagements
                                           and additional GAGAS requirements (see chapter 6), or
                                           the performance audit standards (see chapters 7 and 8),
                                           to achieve these objectives.


Considering the                        4.14 The standard related to considering the results of
Results of                             previous audits and attestation engagements for
Previous Audits                        financial audits performed in accordance with GAGAS
and Attestation                        is:
Engagements
                                       Auditors should consider the results of previous
                                       audits and attestation engagements and follow up
                                       on known significant findings and
                                       recommendations that directly relate to the
                                       objectives of the audit being undertaken.

                                       4.15 Auditors should ask audited entity officials to
                                       identify previous financial audits, attestation
                                       engagements, performance audits, or other studies
                                       related to the objectives of the audit being undertaken
                                       and to identify corrective actions taken to address
                                       significant findings and recommendations,[46] including
                                       those related to reportable conditions. For example, an
                                       audit report on an entity’s computerized information
                                       systems may contain significant findings that could
                                       relate to the financial audit if the entity uses such
                                       systems to process its accounting information. Auditors
                                       should use professional judgment in determining
                                       (1) prior periods to be considered, (2) the level of work
                                       necessary to follow up on significant findings and
                                       recommendations that affect the audit, and (3) the effect
                                       on the risk assessment and audit procedures in planning
                                       the current audit.

                                       [46] Significant findings and recommendations are those matters that, if
                                       not corrected, could affect the results of the auditors’ work and the
                                       auditors’ conclusions and recommendations about those results.

                                       4.16 Providing continuing attention to significant
                                       findings and recommendations is important to ensure
                                       that the benefits of the auditors’ work are realized.
                                       Ultimately, the benefits of audit work occur when
                                       management of the audited entity takes meaningful and
                                       effective corrective action in response to the auditors’
                                       findings and recommendations. Management of the
                                       audited entity is responsible for resolving audit findings
                                       and recommendations directed to them and for having a
                                       process to track their status. If management of the
                                       audited entity does not have such a process, auditors
                                       may wish to establish their own process.


   Detecting Material                      4.17 The standard related to violations of contract
   Misstatements                           provisions or grant agreements or abuse for financial
   Resulting from                          audits performed in accordance with GAGAS is:
   Violations of
   Contract                                a. Auditors should design the audit to provide
   Provisions or                           reasonable assurance of detecting material
   Grant Agreements,                       misstatements resulting from violations of
   or from Abuse                           provisions of contracts or grant agreements that
                                           have a direct and material effect on the
                                           determination of financial statement amounts or
                                           other financial data significant to the audit
                                           objectives. If specific information comes to the
                                           auditors’ attention that provides evidence
                                           concerning the existence of possible violations of
                                           provisions of contracts or grant agreements that
                                           could have a material indirect effect on the
                                           determination of financial statement amounts or
                                           other financial data significant to the audit
                                           objectives, auditors should apply audit procedures
                                           specifically directed to ascertain whether
                                           violations of provisions of contracts or grant
                                           agreements have occurred or are likely to have
                                           occurred.

                                           b. Auditors should be alert to situations or
                                           transactions that could be indicative of abuse, and
                                           if indications of abuse exist that could
                                       significantly affect the financial statement
                                       amounts or other financial data, auditors should
                                       apply audit procedures specifically directed to
                                       ascertain whether abuse has occurred and the
                                       effect on the financial statement amounts or other
                                       financial data.

                                       4.18 AICPA standards and GAGAS require auditors to
                                       assess the risk of material misstatements of financial
                                       statement amounts or other financial data significant[47]
                                       to the audit objectives due to fraud and to consider that
                                       assessment in designing the audit procedures to be
                                       performed.[48] Auditors are also required to design the
                                       audit to provide reasonable assurance of detecting
                                       material misstatements resulting from direct and
                                       material illegal acts (violations of laws and regulations)
                                       and to be aware of the possibility that indirect illegal
                                       acts[49] may have occurred.[50] Under GAGAS, auditors have
                                       the same responsibilities for detecting material
                                       misstatements arising from violations of provisions of
                                       contracts or grant agreements as they do for detecting
                                       those arising from fraud and illegal acts. Auditors should
                                       design the audit to provide reasonable assurance of
                                       detecting material misstatements resulting from direct
                                       and material violations of provisions of contracts or
                                       grant agreements. If specific information comes to the
                                       auditors’ attention that provides evidence concerning
                                       the existence of possible violations of provisions of
                                       contracts or grant agreements that could have a material
                                       indirect effect on the financial statements or significant
                                       indirect effect on other financial data needed to achieve
                                       audit objectives, auditors should apply audit procedures
                                       specifically directed to ascertain whether violations
                                       have occurred or are likely to have occurred.

                                       [47] The terms “material” and “significant” are synonymous under
                                       GAGAS. “Material” is used in the AICPA standards in relation to audits
                                       of financial statements. “Significant” is used in relation to other types
                                       of audits governed by GAGAS, such as performance audits, where the
                                       term “material” is generally not used.
                                       [48] Two types of misstatements are relevant to the auditors’
                                       consideration of fraud in an audit of financial statements—
                                       misstatements arising from fraudulent financial reporting and
                                       misstatements arising from misappropriation of assets. The primary
                                       factor that distinguishes fraud from error is whether the underlying
                                       action that results in the misstatement in the financial statements is
                                       intentional or unintentional.
                                       [49] Indirect illegal acts are violations of laws and regulations having
                                       material but indirect effects on the financial statements.
                                       [50] Whether a particular act is, in fact, illegal may have to await final
                                       determination by a court of law or other adjudicative body. Thus, when
                                       auditors disclose matters that have led them to conclude that an illegal
                                       act is likely to have occurred, they should not imply that they have
                                       made a determination of illegality.

                                           4.19 Abuse is distinct from fraud, illegal acts, and
                                           violations of provisions of contracts or grant
                                           agreements. When abuse occurs, no law, regulation, or
                                           provision of a contract or grant agreement is violated.
                                           Rather, abuse involves behavior that is deficient or
                                           improper when compared with behavior that a prudent
                                           person would consider reasonable and necessary
                                           business practice given the facts and circumstances.[51]
                                           Auditors should be alert to situations or transactions
                                           that could be indicative of abuse. When information
                                           comes to the auditors’ attention (through audit
                                           procedures, allegations received through a fraud hotline,
                                           or other means) indicating that abuse may have
                                           occurred, auditors should consider whether the possible
                                           abuse could affect the financial statement amounts or
                                           other financial data significantly. If indications of
                                           possible abuse exist that significantly affect the financial
                                           statement amounts or other financial data, the auditors
                                           should extend the audit steps and procedures, as
                                           necessary, to (1) determine whether the abuse occurred
                                           and, if so, (2) determine its effect on the financial
                                           statement amounts or other financial data. Auditors
                                           should consider both quantitative and qualitative factors
                                           in making judgments regarding the materiality of
                                           possible abuse and whether they need to extend the
                                           audit steps and procedures. However, because the
                                           determination of abuse is subjective, auditors are not
                                           expected to provide reasonable assurance of detecting
                                           abuse.

                                           [51] For example, in a financial statement audit, auditors might find abuse
                                           when examining sensitive payments such as travel of senior
                                           management officials to locations chosen for personal reasons rather
                                           than less costly locations which would have been appropriate to
                                           satisfy the business objectives of the travel. While auditors generally
                                           will not view travel expenses of senior management officials as
                                           quantitatively material to the financial statements, this expense
                                           generally would be considered qualitatively material to the financial
                                           statements.

                                       4.20 Auditors should exercise professional judgment in
                                       pursuing indications of possible fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse, in order not to interfere with
                                       potential investigations, legal proceedings, or both.
                                       Under some circumstances, laws, regulations, or
                                       policies require auditors to report indications of certain
                                       types of fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, and abuse to law
                                       enforcement or investigatory authorities before
                                       extending audit steps and procedures. Auditors may also
                                       be required to withdraw from or defer further work on
                                       the engagement or a portion of the engagement in order
                                       not to interfere with an investigation.


Developing Elements of a Finding

                                       4.21 Audit findings, such as deficiencies in internal
                                       control, fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, and abuse, have often
                                       been regarded as containing the elements of criteria,
                                       condition, and effect, plus cause when problems are
                                       found. However, the elements needed for a finding
                                       depend entirely on the objectives of the audit. Thus, a
                                       finding or set of findings is complete to the extent that
                                       the audit objectives are satisfied. When problems are
                                       identified, to the extent possible, auditors should plan
                                       audit procedures to develop the elements of a finding to
                                           facilitate developing the auditors’ report. (See paragraph
                                           5.15 for a description of the elements of a finding.)


   Audit Documentation

                                           4.22 The standard related to audit documentation for
                                           financial audits performed in accordance with GAGAS
                                           is:

                                           Audit documentation related to planning,
                                           conducting, and reporting on the audit should
                                           contain sufficient information to enable an
                                           experienced auditor who has had no previous
                                           connection with the audit to ascertain from the
                                           audit documentation the evidence that supports
                                           the auditors’ significant judgments and
                                           conclusions. Audit documentation should contain
                                           support for findings, conclusions, and
                                           recommendations before auditors issue their
                                           report.

                                           4.23 AICPA standards and GAGAS require auditors to
                                           prepare and maintain audit documentation. The form
                                           and content of audit documentation should be designed
                                           to meet the circumstances of the particular audit. The
                                           information contained in audit documentation
                                           constitutes the principal record of the work that the
                                           auditors have performed in accordance with
                                           professional standards and the conclusions that the
                                           auditors have reached. The quantity, type, and content of
                                           audit documentation are a matter of the auditors’
                                           professional judgment.

                                           4.24 Audit documentation serves to (1) provide the
                                           principal support for the auditors’ report, (2) aid
                                           auditors in conducting and supervising the audit, and
                                           (3) allow for the review of audit quality. The preparation
                                           of audit documentation should be appropriately detailed
                                           to provide a clear understanding of its purpose and
                                           source and the conclusions the auditors reached, and it
                                       should be appropriately organized to provide a clear link
                                       to the findings, conclusions, and recommendations
                                       contained in the audit report. Audit documentation for
                                       financial audits performed under GAGAS should contain
                                       the following additional items not explicitly addressed
                                       in the AICPA standards or elsewhere in GAGAS:

                                       a. the objectives, scope, and methodology of the audit.

                                       b. the auditors’ determination that certain additional
                                       government auditing standards do not apply or that an
                                       applicable standard was not followed, the reasons
                                       therefor, and the known effect that not following the
                                       applicable standard had, or could have had, on the audit.

                                       c. the auditors’ consideration that the planned audit
                                       procedures are designed to achieve audit objectives
                                       when evidential matter obtained is highly dependent on
                                       computerized information systems and is material to the
                                       objective of the audit and that the auditors are not
                                       relying on the effectiveness of internal control over
                                       those computerized systems that produced the
                                       information. The audit documentation should
                                       specifically address (1) the rationale for determining the
                                       nature, timing, and extent of planned audit procedures;
                                       (2) the kinds and competence of available evidential
                                       matter produced outside a computerized information
                                       system and/or plans for direct testing of data produced
                                       from a computerized information system; and (3) the
                                       effect on the audit report if evidential matter to be
                                       gathered does not afford a reasonable basis for
                                       achieving the objectives of the audit. [52]




                                       [52] This documentation requirement does not increase the auditors’
                                       responsibility for testing internal control but is intended to assist the
                                       auditors in ensuring that audit objectives are met and audit risk is
                                       reduced to an acceptable level.






                                           d. evidence of supervisory review, before the audit
                                           report is issued, of the work performed that supports
                                           findings, conclusions, and recommendations contained
                                           in the audit report.

                                           4.25 Underlying GAGAS audits is the premise that
                                           federal, state, and local governments and other
                                           organizations cooperate in auditing programs of
                                           common interest so that auditors may use others’ work
                                           and avoid duplication of audit efforts. Auditors should
                                           make arrangements to make audit documentation
                                           available, upon request, in a timely manner to other
                                           auditors or reviewers. Contractual arrangements for
                                           GAGAS audits should provide for full and timely access
                                           to audit documentation to facilitate reliance by others
                                           on the auditors’ work.

                                           4.26 Audit organizations need to adequately safeguard
                                           the audit documentation associated with any particular
                                           engagement. Audit organizations should develop clearly
                                           defined policies and criteria to deal with situations
                                           where requests are made by outside parties to obtain
                                           access to audit documentation, especially in connection
                                           with situations where an outside party attempts to
                                           obtain indirectly through the auditor information that it
                                           is unable to obtain directly from the audited entity. In
                                           developing such policies, audit organizations need to
                                           consider applicable laws and regulations that apply to
                                           the audit organizations or the audited entity.








   Chapter 5

   Reporting Standards for Financial Audits




   Introduction

                                           5.01 This chapter prescribes reporting standards and
                                           provides guidance for financial audits performed in
                                           accordance with generally accepted government
                                           auditing standards (GAGAS). Financial audits consist of
                                           all work performed under the American Institute of
                                           Certified Public Accountants’ (AICPA) generally
                                           accepted auditing standards and related Statements on
                                           Auditing Standards (SAS). GAGAS incorporate the
                                           AICPA reporting standards and SASs unless the
                                           Comptroller General of the United States excludes them
                                           by formal announcement. [53] This chapter identifies the
                                           AICPA reporting standards and prescribes additional
                                           standards for financial audits performed in accordance
                                           with GAGAS.

                                           5.02 Financial audits performed in a government
                                           environment primarily include audits of financial
                                           statements. The AICPA SASs also govern and provide
                                           guidance for other types of financial audits that may be
                                           performed in a government environment, such as
                                           compliance auditing, issuing special reports, audits of
                                           service organizations, reviews of interim financial
                                           information, and issuing letters to underwriters and
                                           certain other requesting parties. These other services
                                           may be performed in conjunction with an audit of
                                           financial statements.


   AICPA Reporting Standards

                                           5.03 The four AICPA generally accepted standards of
                                           reporting are as follows:

                                           a. The report shall state whether the financial
                                           statements are presented in accordance with
                                           generally accepted accounting principles.



                                           [53] To date, the Comptroller General has not excluded any reporting
                                           standards or SASs.






                                       b. The report shall identify those circumstances in
                                       which such principles have not been consistently
                                       observed in the current period in relation to the
                                       preceding period.

                                       c. Informative disclosures in the financial
                                       statements are to be regarded as reasonably
                                       adequate unless otherwise stated in the report.

                                       d. The report shall either contain an expression of
                                       opinion regarding the financial statements, taken
                                       as a whole, or an assertion to the effect that an
                                       opinion cannot be expressed. When an overall
                                       opinion cannot be expressed, the reasons therefor
                                       should be stated. In all cases where an auditor’s
                                       name is associated with financial statements, the
                                       report should contain a clear-cut indication of the
                                       character of the auditor’s work, if any, and the
                                       degree of responsibility the auditor is taking.


Additional GAGAS Reporting Standards for Financial Audits

                                       5.04 GAGAS prescribe additional reporting standards
                                       for financial audits that go beyond the requirements
                                       contained in the AICPA SASs. Auditors must comply
                                       with these additional standards when citing GAGAS in
                                       their audit reports. The additional GAGAS standards
                                       relate to

                                       a. reporting auditors’ compliance with GAGAS (see
                                       paragraphs 5.05 through 5.07);

                                       b. reporting on internal control and on compliance with
                                       laws, regulations, and provisions of contracts or grant
                                       agreements (see paragraphs 5.08 through 5.11);

                                       c. reporting deficiencies in internal control, fraud, illegal
                                       acts, violations of provisions of contracts or grant
                                       agreements, and abuse (see paragraphs 5.12 through
                                       5.25);





                                           d. reporting views of responsible officials (see
                                           paragraphs 5.26 through 5.30);

                                           e. reporting privileged and confidential information (see
                                           paragraphs 5.31 through 5.33); and

                                           f. report issuance and distribution (see paragraphs 5.34
                                           through 5.38).


   Reporting Auditors’ Compliance with GAGAS

                                           5.05 The standard related to reporting auditors’
                                           compliance with GAGAS for financial audits performed
                                           in accordance with GAGAS is:

                                           Audit reports should state that the audit was
                                           performed in accordance with GAGAS.

                                           5.06 When the report on the financial audit is submitted
                                           to comply with a legal, regulatory, or contractual
                                           requirement for a GAGAS audit, or when GAGAS are
                                           voluntarily followed, the report should specifically cite
                                           GAGAS and may also cite AICPA standards. “GAGAS”
                                           refers to all the applicable standards that the auditors
                                           should follow during the audit, and the statement of
                                           compliance should be qualified in situations in which
                                           the auditors did not follow an applicable standard. In
                                           these situations, the auditors should disclose in the
                                           scope section of the report the applicable standard that
                                           was not followed, the reasons therefor, and how not
                                           following the standard affected, or could have affected,
                                           the results of the audit. In assessing the impact on the
                                           results of the audit of not following an applicable
                                           standard, auditors may need to qualify the assurances
                                           provided, disclaim from providing any assurances, or
                                           withdraw from the audit.

                                           5.07 An audited entity receiving a GAGAS audit report
                                           may also request auditors to issue a financial audit
                                           report for purposes other than complying with
                                       requirements calling for a GAGAS audit. For example,
                                       the audited entity may need audited financial statements
                                       to issue bonds or for other financing purposes. GAGAS
                                       do not prohibit auditors from issuing a separate report
                                       conforming only to the requirements of AICPA
                                       standards. When a GAGAS audit is the basis for an
                                       auditors’ subsequent report under the AICPA standards,
                                       it would be advantageous to users of the subsequent
                                       report for the auditors’ report to include the information
                                       on internal control, compliance with laws, regulations,
                                       and provisions of contracts or grant agreements, fraud,
                                       and abuse that is required by GAGAS but not required by
                                       AICPA standards.


Reporting on Internal Control and on Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements

                                       5.08 The standard related to reporting on internal
                                       control and compliance for financial statement audits
                                       performed in accordance with GAGAS is:

                                       When providing an opinion or a disclaimer on
                                       financial statements, auditors should include in
                                       their report on the financial statements either a
                                       (1) description of the scope of the auditors’
                                       testing of internal control over financial reporting
                                       and compliance with laws, regulations, and
                                       provisions of contracts or grant agreements and
                                       the results of those tests or an opinion, if
                                       sufficient work was performed, or (2) reference to
                                       the separate report(s) containing that
                                       information. If auditors report separately, the
                                       opinion or disclaimer should contain a reference to
                                       the separate report containing this information
                                       and state that the separate report is an integral
                                       part of the audit and should be considered in
                                       assessing the results of the audit.

                                       5.09 For audits of financial statements in which auditors
                                       provide an opinion or disclaimer, auditors should report
                                       the scope of their testing of internal control over
                                           financial reporting and of compliance with laws,
                                           regulations, and provisions of contracts or grant
                                           agreements including whether or not the tests they
                                           performed provided sufficient evidence to support an
                                           opinion on the effectiveness of internal control over
                                           financial reporting and on compliance with laws,
                                           regulations, and provisions of contracts or grant
                                           agreements.

                                           5.10 Auditors may report on internal control over
                                           financial reporting and on compliance with laws,
                                           regulations, and provisions of contracts or grant
                                           agreements in the opinion or disclaimer on the financial
                                           statements or in a separate report or reports. When
                                           auditors report on internal control over financial
                                           reporting and compliance as part of the opinion or
                                           disclaimer on the financial statements, they should
                                           include an introduction summarizing key findings in the
                                           audit of the financial statements and the related internal
                                           control and compliance work. Auditors should not issue
                                           this introduction as a stand-alone report.

                                           5.11 When auditors report separately (including
                                           separate reports bound in the same document) on
                                           internal control over financial reporting and compliance
                                           with laws and regulations and provisions of contracts or
                                           grant agreements, the opinion or disclaimer on the
                                           financial statements should state that the auditors are
                                           issuing those additional reports. The opinion or
                                           disclaimer on the financial statements should also state
                                           that the reports on internal control over financial
                                           reporting and compliance with laws and regulations and
                                           provisions of contracts or grant agreements are an
                                           integral part of a GAGAS audit and should be considered
                                           in assessing the results of the audit.








Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

                                       5.12 The standard related to reporting deficiencies in
                                       internal control, fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, and abuse
                                       for financial audits performed in accordance with
                                       GAGAS is:

                                       For financial audits, including audits of financial
                                       statements in which the auditor provides an
                                       opinion or disclaimer, auditors should report, as
                                       applicable to the objectives of the audit,
                                       (1) deficiencies in internal control considered to
                                       be reportable conditions as defined in AICPA
                                       standards, (2) all instances of fraud and illegal
                                       acts unless clearly inconsequential, [54] and
                                       (3) significant violations of provisions of contracts
                                       or grant agreements and abuse. In some
                                       circumstances, auditors should report fraud,
                                       illegal acts, violations of provisions of contracts or
                                       grant agreements, and abuse directly to parties
                                       external to the audited entity.


Reporting Deficiencies in Internal Control

                                       5.13 For all financial audits, auditors should report
                                       deficiencies in internal control considered to be
                                       reportable conditions as defined in AICPA standards. [55]
                                       The following are examples of matters that may be
                                       reportable conditions:




                                       [54] If the auditor is performing an audit in accordance with OMB
                                       Circular A-133, Audits of States, Local Governments, and Non-Profit
                                       Organizations, the thresholds for reporting are defined in the circular.
                                       These reporting thresholds are sufficient to meet the requirements of
                                       GAGAS.
                                       [55] AICPA standards define reportable conditions as significant
                                       deficiencies in the design or operation of internal control that could
                                       adversely affect the entity’s ability to record, process, summarize, and
                                       report financial data consistent with the assertions of management in
                                       the financial statements.



                                           a. absence of appropriate segregation of duties
                                           consistent with appropriate control objectives;

                                           b. absence of appropriate reviews and approvals of
                                           transactions, accounting entries, or systems output;

                                           c. inadequate provisions for the safeguarding of assets;

                                           d. evidence of failure to safeguard assets from loss,
                                           damage, or misappropriation;

                                           e. evidence that a system fails to provide complete and
                                           accurate output consistent with the control objectives of
                                           the audited entity because of the misapplication of
                                           control activities;

                                           f. evidence of intentional override of internal control by
                                           those in authority to the detriment of the overall
                                           objectives of the system;

                                           g. evidence of failure to perform tasks that are a
                                           significant part of internal control, such as
                                           reconciliations not prepared or not timely prepared;

                                           h. a weakness in the control environment at an entity
                                           such as the absence of a sufficient positive and
                                           supportive attitude towards internal control by
                                           management within the organization;

                                           i. deficiencies in the design or operation of internal
                                           control that could result in violations of laws,
                                           regulations, provisions of contracts or grant agreements;
                                           fraud; or abuse having a direct and material effect on the
                                           financial statements or the audit objectives; and

                                           j. failure to follow up and correct previously identified
                                           deficiencies in internal control.




                                       5.14 When reporting deficiencies in internal control,
                                       auditors should identify those reportable conditions that
                                       are individually or in the aggregate considered to be
                                       material weaknesses.56 Auditors should place their
                                       findings in proper perspective by providing a description
                                       of the work performed that resulted in the finding. To
                                       give the reader a basis for judging the prevalence and
                                       consequences of these findings, the instances identified
                                       should be related to the population or the number of
                                       cases examined and be quantified in terms of dollar
                                       value, if appropriate.

                                       5.15 To the extent possible, in presenting audit findings
                                       such as deficiencies in internal control, auditors should
                                       develop the elements of criteria, condition, cause, and
                                       effect to assist management or oversight officials of the
                                       audited entity in understanding the need for taking
                                       corrective action. In addition, if auditors are able to
                                       sufficiently develop the findings, they should provide
                                       recommendations for corrective action. Following is
                                       guidance for reporting on elements of findings:




                                       56
                                         The AICPA standards define a material weakness as a reportable
                                       condition in which the design or operation of one or more of the
                                       internal control components does not reduce to a relatively low level
                                       the risk that misstatements caused by error or fraud in amounts that
                                       would be material in relation to the financial statements being audited
                                       may occur and not be detected within a timely period by employees in
                                       the normal course of performing their assigned functions.



                                           a. Criteria: An audit report is improved when it provides
                                           information so that the report user will be able to
                                           determine what is the required or desired state or what
                                           is expected from the program or operation. The criteria
                                           are easier to understand when stated fairly, explicitly,
                                           and completely, and the source of the criteria is
                                           identified in the audit report.57

                                           b. Condition: The audit report is improved when it
                                           provides evidence of what the auditors found regarding
                                           the actual situation. Reporting the scope or extent of the
                                           condition allows the report user to gain an accurate
                                           perspective.

                                           c. Cause: The audit report is improved when it provides
                                           persuasive evidence on the factor or factors responsible
                                           for the difference between condition and criteria. In
                                           reporting the cause, auditors may consider whether the
                                           evidence provides a reasonable and convincing
                                           argument for why the stated cause is the key factor or
                                           factors contributing to the difference as opposed to
                                           other possible causes, such as poorly designed criteria
                                           or factors uncontrollable by program management. The
                                           auditors also may consider whether the identified cause
                                           could serve as a basis for the recommendations.

                                           d. Effect: The audit report is improved when it provides
                                           a clear, logical link to establish the impact of the
                                           difference between what the auditors found (condition)



                                           57
                                             Common sources for criteria include laws, regulations, policies,
                                           procedures, and best or standard practices. The Standards for
                                           Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
                                           (Washington, D.C.: Nov. 1999) and Internal Control—Integrated
                                           Framework, published by the Committee of Sponsoring Organizations
                                           of the Treadway Commission (COSO) are two sources of established
                                           criteria auditors can use to support their judgments and conclusions
                                           about internal control. The related Internal Control Management and
                                           Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal
                                           internal control standards, provides a systematic, organized, and
                                           structured approach to assessing internal control.



                                       and what should be (criteria). Effect is easier to
                                       understand when it is stated clearly, concisely, and, if
                                       possible, in quantifiable terms. The significance of the
                                       reported effect can be demonstrated through credible
                                       evidence.

                                       5.16 When auditors detect deficiencies in internal
                                       control that are not reportable conditions, they should
                                       communicate those deficiencies separately in a
                                       management letter to officials of the audited entity
                                       unless the deficiencies are clearly inconsequential
                                       considering both quantitative and qualitative factors.
                                       Auditors should refer to that management letter in the
                                       report on internal control. Auditors should use their
                                       professional judgment in deciding whether or how to
                                       communicate to officials of the audited entity
                                       deficiencies in internal control that are clearly
                                       inconsequential. Auditors should include in their audit
                                       documentation evidence of all communications to
                                       officials of the audited entity about deficiencies in
                                       internal control found during the audit.


Reporting Fraud,                       5.17 AICPA standards and GAGAS require auditors to
Illegal Acts,                          address the effect fraud or illegal acts may have on the
Violations of                          audit report and to determine that the audit committee
Provisions of                          or others with equivalent authority and responsibility
Contracts or Grant                     are adequately informed about the fraud or illegal acts.
Agreements, and                        GAGAS further require that this information be in
Abuse                                  writing and also include reporting on significant
                                       violations of provisions of contracts or grant agreements
                                       and significant abuse.58 Therefore, when auditors
                                       conclude, on the basis of evidence obtained, that fraud,
                                       an illegal act, a significant violation of a contract or
                                       grant agreement, or significant abuse either has




                                       58
                                         See paragraph 4.19 for a discussion of abuse.



                                           occurred or is likely to have occurred,59 they should
                                           include in their audit report the relevant information.60

                                           5.18 When reporting instances of fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse, auditors should place their
                                           findings in proper perspective by providing a description
                                           of the work performed that resulted in the finding. To
                                           give the reader a basis for judging the prevalence and
                                           consequences of these findings, the instances identified
                                           should be related to the population or the number of
                                           cases examined and be quantified in terms of dollar
                                           value, if appropriate. If the results cannot be projected,
                                           auditors should limit their conclusion to the items
                                           tested.

                                           5.19 To the extent possible, auditors should develop in
                                           their report the elements of criteria, condition, cause,
                                           and effect when fraud, illegal acts, violations of
                                           provisions of contracts or grant agreements, or abuse is
                                           found. Auditors should develop their findings following
                                           the guidance for reporting deficiencies in internal
                                           control in paragraph 5.15.

                                           5.20 When auditors detect immaterial violations of
                                           provisions of contracts or grant agreements or abuse,
                                           they should communicate those findings in a
                                           management letter to officials of the audited entity
                                           unless the findings are clearly inconsequential
                                           considering both qualitative and quantitative factors.


                                           59
                                             Whether a particular act is, in fact, illegal may have to await final
                                           determination by a court of law or other adjudicative body. Thus, when
                                           auditors disclose matters that have led them to conclude that an illegal
                                           act is likely to have occurred, they should not unintentionally imply
                                           that a final determination of illegality has been made.
                                           60
                                             Auditors should include information about fraud or abuse in the audit
                                           reports required by paragraph 5.08 as applicable to internal control
                                           and compliance with laws, regulations, and provisions of contracts
                                           and grant agreements.



                                       Auditors should refer to that management letter in their
                                       audit report on compliance. Auditors should use their
                                       professional judgment in determining whether and how
                                       to communicate to officials of the audited entity fraud,
                                       illegal acts, violations of provisions of contracts or grant
                                       agreements, or abuse that is clearly inconsequential.
                                       Auditors should include in their audit documentation
                                       evidence of all communications to officials of the
                                       audited entity about fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, and abuse.


Direct Reporting of                    5.21 GAGAS require auditors to report fraud, illegal
Fraud, Illegal Acts,                   acts, violations of provisions of contracts or grant
Violations of                          agreements, and abuse directly to parties outside the
Provisions of                          audited entity in two circumstances, as discussed
Contracts or Grant                     below.61 These requirements are in addition to any legal
Agreements, and                        requirements for direct reporting of fraud, illegal acts,
Abuse                                  violations of provisions of contracts or grant
                                       agreements, or abuse. Auditors should meet these
                                       requirements even if they have resigned or been
                                       dismissed from the audit prior to its completion.

                                       5.22 The audited entity may be required by law or
                                       regulation to report certain fraud, illegal acts, violations
                                       of provisions of contracts or grant agreements, or abuse
                                       to specified external parties, such as a federal inspector
                                       general or a state attorney general. If auditors have
                                       communicated such fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, or abuse to
                                       the audited entity and the audited entity fails to report
                                       them, then the auditors should communicate such an
                                       awareness to the governing body of the audited entity. If
                                       the audited entity does not make the required report as


                                       61
                                        Internal audit organizations do not have a duty to report outside that
                                       entity unless required by law, rule, regulation, or policy. See paragraph
                                       3.28 for reporting requirements for internal audit organizations when
                                       reporting externally.



                                           soon as possible after the auditors’ communication with
                                           the entity’s governing body, then the auditors should
                                           report such fraud, illegal acts, violations of provisions of
                                           contracts or grant agreements, or abuse directly to the
                                           external party specified in the law or regulation.

                                           5.23 Management of the audited entity is responsible for
                                           taking timely and appropriate steps to remedy fraud,
                                           illegal acts, violations of provisions of contracts or grant
                                           agreements, or abuse that auditors report to it. When
                                           fraud, illegal acts, violations of provisions of contracts
                                           or grant agreements, or abuse involve awards received
                                           directly or indirectly from a government agency,
                                           auditors may have a duty to report directly if
                                           management fails to take remedial steps. If auditors
                                           conclude that such failure is likely to cause them to
                                           depart from the standard report on the financial
                                           statements or resign from the audit, they should
                                           communicate that conclusion to the governing body of
                                           the audited entity. Then, if the audited entity does not
                                           report the fraud, illegal act, violation of provisions of
                                           contracts or grant agreements, or abuse as soon as
                                           possible to the entity that provided the government
                                           assistance, the auditors should report the fraud, illegal
                                           act, violation of provisions of contracts or grant
                                           agreements, or abuse directly to that entity.

                                           5.24 In these situations, auditors should obtain
                                           sufficient, competent, and relevant evidence, such as
                                           confirmation from outside parties, to corroborate
                                           assertions by management that it has reported fraud,
                                           illegal acts, violations of provisions of contracts or grant
                                           agreements, or abuse. If they are unable to do so, then
                                           the auditors should report such fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse directly as discussed above.

                                           5.25 Laws, regulations, or policies may require auditors
                                           to report promptly indications of certain types of fraud,


                                       illegal acts, violations of provisions of contracts or grant
                                       agreements, or abuse to law enforcement or
                                       investigatory authorities. In such circumstances, when
                                       auditors conclude that these types of fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse either have occurred or are likely
                                       to have occurred, they should ask those authorities
                                       and/or legal counsel if publicly reporting certain
                                       information about the potential fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse would compromise investigative
                                       or legal proceedings. Auditors should limit their public
                                       reporting to matters that would not compromise those
                                       proceedings, such as information that is already a part of
                                       the public record.


Reporting Views of                     5.26 The standard related to reporting the views of
Responsible                            responsible officials for financial audits performed in
Officials                              accordance with GAGAS is:

                                       If the auditors’ report discloses deficiencies in
                                       internal control, fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, or
                                       abuse, auditors should obtain and report the views
                                       of responsible officials concerning the findings,
                                       conclusions, and recommendations, as well as
                                       planned corrective actions.

                                       5.27 One of the most effective ways to ensure that a
                                       report is fair, complete, and objective is to obtain
                                       advance review and comments by responsible officials
                                       of the audited entity and others, as may be appropriate.
                                       Including the views of responsible officials results in a
                                       report that presents not only the deficiencies in internal
                                       control, fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse the auditors
                                       identified but also what the responsible officials of the
                                       audited entity think about the deficiencies in internal


                                           control, fraud, illegal acts, violations of provisions of
                                           contracts or grant agreements, or abuse and what
                                           corrective actions officials of the audited entity plan to
                                           take. Auditors should include in their report a copy of
                                           the officials’ written comments or a summary of the
                                           comments received.

                                           5.28 Auditors should normally request that the
                                           responsible officials submit in writing their views on the
                                           auditors’ reported findings, conclusions, and
                                           recommendations, as well as management’s planned
                                           corrective actions. Oral comments are acceptable as
                                           well, and, in some cases, may be the only or most
                                           expeditious way to obtain comments. Cases in which
                                           obtaining oral comments can be effective include when
                                           there is a time-critical requirement to meet a user’s
                                           needs; auditors have worked closely with the
                                           responsible officials throughout the conduct of the work
                                           and the parties are very familiar with the findings and
                                           issues addressed in the draft report; or the auditors do
                                           not expect major disagreements with the draft report’s
                                           findings, conclusions, and recommendations, or
                                           perceive any major controversies with regard to the
                                           issues discussed in the draft report. Auditors should
                                           prepare a summary of the officials’ oral comments and
                                           provide a copy of the summary to officials of the audited
                                           entity to verify that the comments are accurately stated
                                           prior to finalizing the report.

                                           5.29 Comments should be fairly and objectively
                                           evaluated and recognized, as appropriate, in the final
                                           report. Comments, such as a promise or plan for
                                           corrective action, should be noted but should not be
                                           accepted as justification for deleting a significant finding
                                           or a related recommendation.

                                           5.30 When the audited entity’s comments oppose the
                                           report’s findings, conclusions, or recommendations, and
                                           are not, in the auditors’ opinion, valid, or when planned
                                       corrective actions do not adequately address the
                                       auditors’ recommendations, the auditors should state
                                       their reasons for disagreeing with the comments or
                                       planned corrective actions. The auditors’ disagreement
                                       should be stated in a fair and objective manner.
                                       Conversely, the auditors should modify their report as
                                       necessary if they find the comments valid.


Reporting Privileged and Confidential Information

                                       5.31 The standard related to reporting privileged and
                                       confidential information for financial audits performed
                                       in accordance with GAGAS is:

                                       If certain pertinent information is prohibited from
                                       general disclosure, the audit report should state
                                       the nature of the information omitted and the
                                       requirement that makes the omission necessary.

                                       5.32 Certain information may be prohibited from
                                       general disclosure by federal, state, or local laws or
                                       regulations. In such circumstances, auditors may issue a
                                       separate limited-official-use report containing such
                                       information and distribute the report only to persons
                                       authorized by law or regulation to receive it. Additional
                                       circumstances associated with public safety and
                                       security concerns could also justify the exclusion of
                                       certain information in the report. For example, detailed
                                       information related to computer security for a particular
                                       program may be excluded from publicly available
                                       reports because of the potential damage that could be
                                       caused by the misuse of this information. In such
                                       circumstances, auditors may issue a limited-official-use
                                       report containing such information and distribute the
                                       report only to those parties responsible for acting on the
                                       auditors’ recommendations. The auditors should, when
                                       appropriate, consult with legal counsel regarding any
                                       requirements or other circumstances that may
                                       necessitate the omission of certain information.



                                           5.33 Auditors’ judgments that certain information
                                           should be excluded from publicly available reports
                                           should be made in a manner consistent with
                                           consideration of the broader public interest in the
                                           program or activity under review. When circumstances
                                           call for omission of certain information, auditors should
                                           consider whether this omission could distort the
                                           engagement results or conceal improper or unlawful
                                           practices. If auditors make the judgment that certain
                                           information should be excluded from a publicly
                                           available report, they should state the general nature of
                                           the information omitted and the reasons that make the
                                           omission necessary in the report.


   Report Issuance and Distribution

                                           5.34 The standard related to report issuance and
                                           distribution for financial audits performed in
                                           accordance with GAGAS is:

                                           Government auditors should submit audit reports
                                           to the appropriate officials of the audited entity
                                           and to appropriate officials of the organizations
                                           requiring or arranging for the audits, including
                                           external funding organizations such as legislative
                                           bodies, unless legal restrictions prevent it.
                                           Auditors should also send copies of the reports to
                                           other officials who have legal oversight authority
                                           or who may be responsible for acting on audit
                                           findings and recommendations and to others
                                           authorized to receive such reports. Unless the
                                           report is restricted by law or regulation, or
                                           contains privileged and confidential information,
                                           auditors should clarify that copies are made
                                           available for public inspection. Nongovernment
                                           auditors should clarify report distribution
                                           responsibilities with the party contracting for the
                                           audit and follow the agreements reached.




                                       5.35 Audit reports should be distributed in a timely
                                       manner to officials interested in the results.62 Such
                                       officials include those designated by law or regulation to
                                       receive such reports, those responsible for acting on the
                                       findings and recommendations contained in the report,
                                       those in other levels of government that have provided
                                       assistance to the audited entity, and legislators.
                                       However, if the subject of the audit involves material
                                       that is classified for security purposes or not releasable
                                       to particular parties or the public for other valid
                                       reasons, auditors should limit the report distribution.
                                       See paragraphs 5.31 through 5.33 for additional guidance
                                       on limited report distribution when reports contain
                                       privileged or confidential information. The availability of
                                       the report for public inspection should be documented
                                       in the audit documentation.

                                       5.36 When public accountants are engaged to conduct
                                       an audit under GAGAS, they should clarify report
                                       distribution responsibilities with the engaging
                                       organization. If the public accountants are to make the
                                       distribution, the engagement agreement should indicate
                                       which officials or organizations should receive the
                                       report and other steps being taken to ensure the
                                       availability of the report for public inspection. The
                                       availability of the report for public inspection should be
                                       documented in the audit documentation.

                                       5.37 Internal auditors should follow their entity’s own
                                       arrangements and statutory requirements for
                                       distribution. Usually, they report to their entity’s head or
                                       deputy head, who are responsible for distribution of the
                                       report. Further distribution of reports outside the
                                       organization should be made in accordance with
                                       applicable laws, rules, regulations, or policy.

                                       62 See the Single Audit Act Amendments of 1996 and Office of
                                       Management and Budget (OMB) Circular A-133 on single audits for the
                                       distribution of reports on single audits of state and local governmental
                                       entities and nonprofit organizations that receive federal awards.

                                           5.38 If an audit is terminated before it is completed but
                                           the auditors do not issue an audit report, auditors
                                           should write a memorandum for the record that
                                           summarizes the results of the work to the date of
                                           termination and explains why the audit was terminated.
                                           In addition, auditors should communicate the reasons
                                           for terminating the audit to management of the audited
                                           entity, the entity requesting the audit, and other
                                           appropriate officials, preferably in writing. This
                                           communication should be documented.








   Chapter 6


   General, Field Work, and Reporting
   Standards for Attestation Engagements




   Introduction

                                           6.01 This chapter prescribes standards and provides
                                           guidance for attestation engagements performed in
                                           accordance with generally accepted government
                                           auditing standards (GAGAS). Attestation engagements
                                           consist of work governed by the American Institute of
                                           Certified Public Accountants’ (AICPA) standards for
                                           attestation engagements. GAGAS incorporate the AICPA
                                           general standard on criteria, its field work standards,
                                           and its reporting standards for attestation engagements,
                                           as well as the AICPA Statements on Standards for
                                           Attestation Engagements (SSAE), unless the
                                           Comptroller General of the United States excludes them
                                           by formal announcement.63 This chapter identifies the
                                           AICPA general standard on criteria,64 field work
                                           standards, and reporting standards for attestation
                                           engagements and prescribes additional standards for
                                           attestation engagements performed in accordance with
                                           GAGAS. In addition to the AICPA general standard on
                                           criteria, auditors should also follow all of the general
                                           standards for work performed under GAGAS, as
                                           discussed in chapter 3.

                                           6.02 In an attestation engagement, auditors issue an
                                           examination, a review, or an agreed-upon procedures
                                           report on a subject matter, or an assertion about a
                                           subject matter, that is the responsibility of another party.
                                           Attestation engagements can cover a broad range of
                                           financial or nonfinancial objectives65 and can be part of
                                           an audit or a separate engagement. The three levels of
                                           attestation engagements include the following.




                                           63 To date, the Comptroller General has not excluded any field work
                                           standards, reporting standards, or SSAEs.
                                           64 GAGAS incorporate only one of the AICPA general standards for
                                           attestation engagements.
                                           65 See chapter 2 for examples of subjects of attestation engagements.

                                       a. Examination: Auditors perform sufficient testing to
                                       express an opinion on whether the subject matter is
                                       based on (or in conformity with) the criteria in all
                                       material respects or the assertion is presented (or fairly
                                       stated), in all material respects, based on the criteria.

                                       b. Review: Auditors perform sufficient testing to express
                                       a conclusion about whether any information came to the
                                       auditors’ attention on the basis of the work performed
                                       that indicates the subject matter is not based on (or in
                                       conformity with) the criteria or the assertion is not
                                       presented (or fairly stated) in all material respects based
                                       on the criteria.66

                                       c. Agreed-Upon Procedures: Auditors perform testing to
                                       issue a report of findings based on specific procedures
                                       performed on subject matter.


AICPA General and Field Work Standards for Attestation Engagements

                                       6.03 The AICPA general standard related to criteria
                                       states the following:

                                       The practitioner [auditor] shall perform an
                                       engagement only if he or she has reason to believe
                                       that the subject matter is capable of evaluation
                                       against criteria that are suitable and available to
                                       users.

                                       6.04 The two AICPA field work standards for attestation
                                       engagements are as follows:

                                       a. The work shall be adequately planned and
                                       assistants, if any, shall be properly supervised.

                                       b. Sufficient evidence shall be obtained to provide
                                       a reasonable basis for the conclusion that is
                                       expressed in the report.

                                       66 As stated in the AICPA SSAEs, auditors should not perform review-
                                       level work for reporting on internal control or compliance with laws
                                       and regulations.


   Additional GAGAS Field Work Standards for Attestation Engagements

                                           6.05 GAGAS prescribe additional attestation
                                           engagement field work standards that go beyond the
                                           requirements contained in the AICPA SSAEs. Auditors
                                           must comply with these additional standards when
                                           citing GAGAS in their attestation engagement reports.
                                           The additional GAGAS field work standards relate to

                                           a. auditor communication (see paragraphs 6.06 through
                                           6.09);

                                           b. considering the results of previous audits and
                                           attestation engagements (see paragraphs 6.10 through
                                           6.12);

                                           c. internal control (see paragraphs 6.13 and 6.14);

                                           d. detecting fraud, illegal acts, violations of contract
                                           provisions or grant agreements, and abuse that could
                                           have a material effect on the subject matter (see
                                           paragraphs 6.15 through 6.20);

                                           e. developing elements of findings for attestation
                                           engagements (paragraph 6.21); and

                                           f. attest documentation (see paragraphs 6.22 through
                                           6.26).


   Auditor Communication

                                           6.06 The standard related to auditor communication for
                                           attestation engagements performed in accordance with
                                           GAGAS is:

                                           Auditors should communicate information
                                           regarding the nature, timing, and extent of
                                       planned testing and reporting on the subject
                                       matter or assertion about the subject matter,
                                       including the level of assurance provided, to
                                       officials of the audited entity and to the
                                       individuals contracting for or requesting the
                                       attestation engagement.

                                       6.07 During the planning stages of an attestation
                                       engagement, auditors should communicate to officials
                                       of the audited entity and to individuals contracting for or
                                       requesting the services information regarding the nature,
                                       timing, and extent of testing and reporting including the
                                       level of assurance provided and any potential restriction
                                       of reports associated with the different levels of
                                       assurance services, to reduce the risk that the needs or
                                       expectations of the parties involved may be
                                       misinterpreted. See paragraph 6.02 for a discussion of
                                       the levels of attestation services. Auditors should use
                                       their professional judgment to determine the form and
                                       content of the communication, although written
                                       communication is preferred. Auditors may use an
                                       engagement letter, if appropriate, to communicate the
                                       information. If the attestation engagement is part of a
                                       larger audit, this information may be communicated as
                                       part of that audit. Auditors should document the
                                       communication in their attest documentation.

                                       6.08 Auditors should communicate their responsibilities
                                       for the engagement to the appropriate officials of the
                                       audited entity, including

                                       a. the head of the audited entity,

                                       b. the audit committee or board of directors or other
                                       equivalent oversight body in the absence of an audit
                                       committee, and




                                           c. the individual who possesses a sufficient level of
                                           authority and responsibility for the subject matter or the
                                           assertion.

                                           6.09 In situations where auditors are performing the
                                           engagement under a contract with a party other than the
                                           officials of the audited entity, or pursuant to a third-
                                           party request, auditors should also communicate with
                                           the individuals contracting for or requesting the
                                           engagement, such as contracting officials or legislative
                                           members or staff. When auditors are performing the
                                           engagement pursuant to a law or regulation, auditors
                                           should communicate with the legislative members or
                                           staff who have oversight of the auditee.67 Auditors
                                           should coordinate communications with the responsible
                                           government audit organization and/or management of
                                           the audited entity, and may use the engagement letter to
                                           keep interested parties informed. If an engagement is
                                           terminated before it is completed, auditors should write
                                           a memorandum for the record that summarizes the
                                           results of the work and explains why the engagement
                                           was terminated. In addition, auditors should
                                           communicate the reason for terminating the
                                           engagement to management of the audited entity, the
                                           entity requesting the engagement, and other appropriate
                                           officials, preferably in writing. This communication
                                           should be documented.




                                           67 This requirement applies only to situations in which the law or
                                           regulation specifically identifies the entity to be subject to an
                                           attestation engagement. Situations in which the mandate to have an
                                           attestation engagement is not specifically identified, such as attestation
                                           engagements required by the U.S. Department of Education, are
                                           excluded.

Considering the Results of Previous Audits and Attestation Engagements

                                       6.10 The standard related to considering the results of
                                       previous audits and attestation engagements for
                                       attestation engagements performed in accordance with
                                       GAGAS is:

                                       Auditors should consider the results of previous
                                       audits and attestation engagements and follow up
                                       on known significant findings and
                                       recommendations that directly relate to the
                                       subject matter or the assertion of the attestation
                                       engagement being undertaken.

                                       6.11 Auditors should ask audited entity officials to
                                       identify previous financial audits, attestation
                                       engagements, performance audits, or other studies
                                       related to the subject matter or assertions of the
                                       attestation engagement being undertaken and to identify
                                       corrective actions taken to address significant findings
                                       and recommendations.68 For example, an audit report on
                                       an entity’s computerized information systems may
                                       contain significant findings that could relate to the
                                       attestation engagement if the entity uses such systems
                                       to process information about the subject matter or
                                       contained in an assertion about the subject matter.
                                       Following up on known significant findings and
                                       recommendations identified in previous audits,
                                       attestation engagements, or studies can help auditors
                                       evaluate the subject matter or the assertion associated
                                       with the attestation engagement. Auditors should use
                                       professional judgment in determining (1) prior periods
                                       to be considered, (2) the level of work necessary to
                                       follow up on significant findings and recommendations
                                       that affect the attestation engagement, and (3) the effect
                                       on the risk assessment and attestation procedures in
                                       planning the current attestation engagement.

                                       68 Significant findings and recommendations are those matters that, if
                                       not corrected, could affect the results of the auditors’ work and the
                                       auditors’ conclusions and recommendations regarding those results.

                                           6.12 Providing continuing attention to significant
                                           findings and recommendations is important to ensure
                                           that the benefits of the auditors’ work are realized.
                                           Ultimately, the benefits of auditors’ work occur when
                                           management of the audited entity takes meaningful and
                                           effective corrective action in response to the auditors’
                                           findings and recommendations. Management of the
                                           audited entity is responsible for resolving findings and
                                           recommendations directed to them and for having a
                                           process to track their status. If management of the
                                           audited entity does not have such a process, auditors
                                           may wish to establish their own process.


   Internal Control

                                           6.13 The standard related to internal control for
                                           examination-level attestation engagements performed in
                                           accordance with GAGAS is:

                                           In planning examination-level attestation
                                           engagements, auditors should obtain a sufficient
                                           understanding of internal control that is material
                                           to the subject matter or assertion to plan the
                                           engagement and design procedures to achieve the
                                           objectives of the attestation engagement.




                                       6.14 In planning an examination-level attestation
                                       engagement, auditors should obtain an understanding of
                                       internal control69 as it relates to the subject matter or
                                       assertion to which the auditors are attesting. The subject
                                       matter or assertion may be of a financial or nonfinancial
                                       nature, and internal control material to the subject
                                       matter or assertion the auditor is testing may relate to

                                       a. effectiveness and efficiency of operations, including
                                       the use of an entity’s resources;

                                       b. reliability of financial reporting, including reports on
                                       budget execution and other reports for internal and
                                       external use;

                                       c. compliance with applicable laws and regulations,
                                       provisions of contract, or grant agreements; and

                                       d. safeguarding of assets.




                                       69
                                         Although not applicable to attestation engagements, the AICPA SASs
                                       may provide useful guidance related to internal control for auditors
                                       performing attestation engagements in accordance with GAGAS. In
                                       addition, auditors performing attestation engagements may wish to
                                       refer to the internal control guidance published by the Committee of
                                       Sponsoring Organizations of the Treadway Commission (COSO). The
                                       Standards for Internal Control in the Federal Government,
                                       GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999), which
                                       incorporates the relevant guidance developed by COSO, provides
                                       definitions and fundamental concepts pertaining to internal control at
                                       the federal level and may be useful to auditors at any level of
                                       government. The related Internal Control Management and
                                       Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001) based
                                       on the federal internal control standards, provides a systematic,
                                       organized, and structured approach to assessing internal control.


   Detecting Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant
   Agreements, and Abuse That Could Have a Material Effect on the Subject Matter

                                           6.15 The standard related to fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, and abuse for attestation engagements
                                           performed in accordance with GAGAS is:

                                           a. In planning examination-level attestation
                                           engagements, auditors should design the
                                           engagement to provide reasonable assurance of
                                           detecting fraud, illegal acts, or violations of
                                           provisions of contracts or grant agreements that
                                           could have a material effect on the subject matter
                                           or assertion of the attestation engagement, and
                                           should be alert to situations or transactions that
                                           could be indicative of abuse.

                                           b. In planning review-level or
                                           agreed-upon-procedure-level attestation
                                           engagements, auditors should be alert to
                                           situations or transactions that could be indicative
                                           of fraud, illegal acts, or violations of provisions
                                           of contracts or grant agreements, and if
                                           indications of fraud, illegal acts, or violations of
                                           provisions of contracts or grant agreements exist
                                           that could materially affect the subject matter or
                                           assertion, auditors should apply procedures
                                           specifically directed to ascertain whether fraud,
                                           illegal acts, or violations of provisions of
                                           contracts or grant agreements have occurred and
                                           the effect on the subject matter or assertion.

                                           c. Auditors should be alert to situations or
                                           transactions that could be indicative of abuse, and
                                           if indications of abuse exist that could
                                           significantly affect the results of the attestation
                                           engagement, auditors should apply audit
                                           procedures specifically directed to ascertain
                                           whether abuse has occurred and the effect on the
                                           results of the attestation engagement.

                                       6.16 Auditors should exercise professional judgment in
                                       planning an examination-level attestation engagement
                                       by obtaining an understanding of the possible effects of
                                       fraud,70 illegal acts, or violations of provisions of
                                       contracts or grant agreements on the subject matter or
                                       assertion of the attestation engagement and by
                                       identifying and assessing any associated risks that could
                                       have a material effect on the attestation engagement.
                                       Auditors should include attest documentation on their
                                       assessment of risk, and, when risk factors are identified
                                       as being present, the documentation should include

                                       a. those risk factors identified, and

                                       b. the auditors’ response to those risk factors,
                                       individually or in combination.

                                       6.17 In addition, if during the performance of the
                                       attestation engagement, risk factors or other conditions
                                       are identified that cause the auditors to believe that an
                                       additional response is required, such factors or other
                                       conditions, and any future response the auditors
                                       conclude is appropriate, should be documented.

                                       6.18 For attestation engagements involving review-level
                                       or agreed-upon-procedure-level of reporting, auditors
                                       should be alert to situations or transactions that could
                                       be indicative of fraud, illegal acts, or violations of
                                       provisions of contracts or grant agreements. When
                                       information comes to the auditors’ attention (through
                                       audit procedures, allegations received through fraud
                                       hotlines, or other means) indicating that fraud, illegal
                                       acts, or violations of provisions of contracts or grant


                                       70
                                          Fraud is a type of illegal act involving the obtaining of something of
                                       value through willful misrepresentation. Although not applicable to
                                       attestation engagements, the AICPA SASs may provide useful guidance
                                       related to fraud for auditors performing attestation engagements in
                                       accordance with GAGAS.


                                           agreements may have occurred, auditors should
                                           consider whether the possible fraud, illegal acts, or
                                           violation of provisions of contracts or grant agreements
                                           could materially affect the results of the attestation
                                           engagement. If such acts could materially affect the
                                           results of the engagement, auditors should extend the
                                           audit steps and procedures, as necessary, to
                                           (1) determine if fraud, illegal acts, or violations of
                                           provisions of contracts or grant agreements are likely to
                                           have occurred and, if so, (2) determine their effect on
                                           the results of the attestation engagement. Because the
                                           scope of review-level and agreed-upon-procedures-level
                                           engagements is limited, auditors are not expected to
                                           provide reasonable assurance of detecting fraud, illegal
                                           acts, or violations of contract or grant agreements for
                                           these types of engagements.

                                           6.19 Abuse is distinct from fraud, illegal acts, or
                                           violations of provisions of contracts or grant
                                           agreements. When abuse occurs, no law, regulation, or
                                           provision of a contract or grant agreement is violated.
                                           Rather, abuse involves behavior that is deficient or
                                           improper when compared with behavior that a prudent
                                           person would consider reasonable and necessary
                                           business practice given the facts and circumstances.71
                                           For all levels of attestation engagements, auditors
                                           should be alert to situations or transactions that could
                                           be indicative of abuse. When information comes to the
                                           auditors’ attention (through audit procedures,
                                           allegations received through a fraud hotline, or other


                                           71
                                             For example, in an attestation engagement that has as its subject
                                           reporting on an entity’s internal controls over compliance with
                                           specified requirements governing the procurement of motor vehicles,
                                           auditors might find abuse when considering purchases of passenger
                                           cars for official senior management use if costly luxury cars were
                                           purchased when less expensive models would have been appropriate.
                                           While auditors generally will not view the procurement of costly
                                           luxury cars as quantitatively significant to the subject matter, this
                                           action generally would be considered qualitatively significant to the
                                           subject matter or assertion.


                                       means) indicating that abuse may have occurred,
                                       auditors should consider whether the possible abuse
                                       could affect the assertion significantly. Auditors should
                                       consider both quantitative and qualitative factors in
                                       making judgments regarding the significance of possible
                                       abuse and whether they need to extend the audit steps
                                       and procedures. If indications of the possible abuse
                                       exist that significantly affect the results of the
                                       attestation engagement, the auditors should extend the
                                       audit steps and procedures, as necessary, to (1)
                                       determine whether the abuse occurred and, if so,
                                       (2) determine its effect on the results of the attestation
                                       engagement. However, because the determination of
                                       abuse is so subjective, auditors are not expected to
                                       provide reasonable assurance of detecting abuse.

                                       6.20 Auditors should exercise professional judgment in
                                       pursuing indications of possible fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse, in order not to interfere with
                                       potential investigations, legal proceedings, or both.
                                       Under some circumstances, laws, regulations, or
                                       policies require auditors to report indications of certain
                                       types of fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse to law
                                       enforcement or investigatory authorities before
                                       extending audit steps and procedures. Auditors may also
                                       be required to withdraw from or defer further work on
                                       the engagement or a portion of the engagement in order
                                       not to interfere with an investigation.


Developing Elements of Findings for Attestation Engagements

                                       6.21 Attest findings, such as deficiencies in internal
                                       control, illegal acts, violations of provisions of contracts
                                       or grant agreements, and abuse, have often been
                                       regarded as containing the elements of criteria,
                                       condition, and effect, plus cause when problems are
                                       found. However, the elements needed for a finding
                                       depend entirely on the objectives of the attestation

                                           engagement. Thus, a finding or set of findings is
                                           complete to the extent that the objectives of the
                                           attestation engagement are satisfied. When problems are
                                           identified, to the extent possible, auditors should plan
                                           attest procedures to develop the elements of a finding to
                                           facilitate developing the auditors’ report. (See paragraph
                                           6.34 for a description of the elements of a finding.)


   Attest Documentation

                                           6.22 The standard related to attest documentation for
                                           attestation engagements performed in accordance with
                                           GAGAS is:

                                           Attest documentation related to planning,
                                           conducting, and reporting on the attestation
                                           engagement should contain sufficient information
                                           to enable an experienced auditor who has had no
                                           previous connection with the attestation
                                           engagement to ascertain from the attest
                                           documentation the evidence that supports the
                                           auditors’ significant judgments and conclusions.
                                           Attest documentation should contain support for
                                           findings, conclusions, and recommendations
                                           before auditors issue their report.

                                           6.23 AICPA standards and GAGAS require that auditors
                                           prepare and maintain attest documentation. The form
                                           and content of attest documentation should be designed
                                           to meet the circumstances of the particular attestation
                                           engagement. The information contained in attest
                                           documentation constitutes the principal record of the
                                           work that the auditors have performed in accordance
                                           with professional standards and the conclusions that the
                                           auditors have reached. The quantity, type, and content of
                                           attest documentation are a matter of the auditors’
                                           professional judgment.

                                           6.24 Attest documentation serves to (1) provide the
                                           principal support for the auditors’ report, (2) aid

                                       auditors in conducting and supervising the attestation
                                       engagement, and (3) allow for the review of the quality
                                       of the attestation engagement. The preparation of attest
                                       documentation should be appropriately detailed to
                                       provide a clear understanding of its purpose and source
                                       and the conclusions the auditors reached, and it should
                                       be appropriately organized to provide a clear link to the
                                       findings, conclusions, and recommendations contained
                                       in the auditors’ report. Attest documentation for
                                       attestation engagements performed under GAGAS
                                       should contain the following additional items not
                                       explicitly addressed in the AICPA SSAEs or elsewhere in
                                       GAGAS:

                                       a. the objectives, scope, and methodology of the
                                       attestation engagement, including any sampling and
                                       other selection criteria used;

                                       b. the auditor’s determination that certain additional
                                       government auditing standards do not apply or that an
                                       applicable standard was not followed, the reasons
                                       therefor, and the known effect that not following the
                                       applicable standard had, or could have had, on the
                                       attestation engagement;

                                       c. the work performed to support significant judgments
                                       and conclusions, including descriptions of transactions
                                       and records examined;72

                                       d. the auditors’ consideration that the planned
                                       attestation procedures are designed to achieve
                                       objectives of the attestation engagement when
                                       evidential matter obtained is highly dependent on


                                       72
                                        Auditors may meet this requirement by listing voucher numbers,
                                       check numbers, or other means of identifying specific documents they
                                       examined. Auditors are not required to include copies of documents
                                       they examined as part of the attest documentation, nor are auditors
                                       required to list detailed information from those documents.


                                           computerized information systems and is material to the
                                           objective of the engagement, and the auditors are not
                                           relying on the effectiveness of internal control over
                                           those computerized systems that produced the
                                           information. The attest documentation should
                                           specifically address (1) the rationale for determining the
                                           nature, timing, and extent of planned audit procedures;
                                           (2) the kinds and competence of available evidential
                                           matter produced outside a computerized information
                                           system, and/or plans for direct testing of data produced
                                           from a computerized information system; and (3) the
                                           effect on the attestation engagement report if evidential
                                           matter to be gathered does not afford a reasonable basis
                                           for achieving the objectives of the engagement; and

                                           e. evidence of supervisory reviews, before the report on
                                           the attestation engagement is issued, of the work
                                           performed that supports findings, conclusions, and
                                           recommendations contained in the report.

                                           6.25 Underlying GAGAS attestation engagements is the
                                           premise that federal, state, and local governments and
                                           other organizations cooperate in auditing programs of
                                           common interest so that auditors may use others’ work
                                           and avoid duplication of efforts. Auditors should make
                                           arrangements to make attest documentation available,
                                           upon request, in a timely manner to other auditors or
                                           reviewers. Contractual arrangements for GAGAS
                                           attestation engagements should provide for full and
                                           timely access to attest documentation to facilitate
                                           reliance by others on the auditors’ work.

                                           6.26 Audit organizations need to adequately safeguard
                                           the audit documentation associated with any particular
                                           engagement. Audit organizations should develop clearly
                                           defined policies and criteria to deal with situations
                                           where requests are made by outside parties to obtain
                                           access to audit documentation, especially in connection
                                           with situations where an outside party attempts to

                                       obtain indirectly through the auditor information that it
                                       is unable to obtain directly from the audited entity. In
                                       developing such policies, audit organizations need to
                                       consider applicable laws and regulations applying to the
                                       audit organizations or the audited entity.


AICPA Reporting Standards for Attestation Engagements

                                       6.27 As discussed in paragraph 6.02, the AICPA SSAEs
                                       provide for different levels of reporting based on the
                                       type of assurance the auditors are providing. The four
                                       AICPA reporting standards for all levels of reporting
                                       under attestation engagements are as follows:

                                       a. The report shall identify the subject matter or
                                       the assertion being reported on and state the
                                       character of the engagement.

                                       b. The report shall state the practitioner’s
                                       [auditor’s] conclusions about the subject matter or
                                       the assertion in relation to the criteria against
                                       which the subject matter was evaluated.

                                       c. The report shall state all of the practitioner’s
                                       [auditor’s] significant reservations about the
                                       engagement, the subject matter, and, if applicable,
                                       the assertion related thereto.

                                       d. The report shall state that the use of the report
                                       is restricted to specified parties under the
                                       following circumstances:73 (1) when the criteria
                                       used to evaluate the subject matter are
                                       determined by the practitioner to be appropriate
                                       only for a limited number of parties who either
                                       participated in their establishment or can be
                                       presumed to have an adequate understanding of
                                       the criteria, (2) when the criteria used to evaluate
                                       the subject matter are available only to specified
                                       parties, (3) when reporting on subject matter and
                                       a written assertion has not been provided by the
                                       responsible party, and (4) when the report is on an
                                       attest engagement to apply agreed-upon
                                       procedures to the subject matter.

                                       73
                                        Auditors should, however, follow the report distribution standard
                                       (see paragraphs 6.49 through 6.54).


Additional GAGAS Reporting Standards for Attestation Engagements

                                           6.28 GAGAS prescribe additional reporting standards
                                           for attestation engagements that go beyond the
                                           requirements contained in the AICPA SSAEs. Auditors
                                           must comply with these additional standards when
                                           citing GAGAS in their attestation engagement reports.
                                           The additional GAGAS standards relate to

                                           a. reporting auditors’ compliance with GAGAS (see
                                           paragraphs 6.29 through 6.31);

                                           b. reporting deficiencies in internal control, fraud, illegal
                                           acts, violations of provisions of contracts or grant
                                           agreements, and abuse (see paragraphs 6.32 through
                                           6.40);

                                           c. reporting views of responsible officials (see
                                           paragraphs 6.41 through 6.45);

                                           d. reporting privileged and confidential information (see
                                           paragraphs 6.46 through 6.48); and

                                           e. report issuance and distribution (see paragraphs 6.49
                                           through 6.54).


Reporting Auditors’ Compliance with GAGAS

                                           6.29 The standard related to reporting auditors’
                                           compliance with GAGAS for attestation engagements
                                           performed in accordance with GAGAS is:

                                           Reports on attestation engagements should state
                                           that the engagement was made in accordance with
                                           GAGAS.

                                       6.30 When the report on the attestation engagement is
                                       submitted to comply with a legal, regulatory, or
                                       contractual requirement, or when GAGAS are
                                       voluntarily used, the report should specifically cite
                                       GAGAS and may cite AICPA standards as well. The
                                       statement referencing compliance with GAGAS refers to
                                       all the applicable standards that the auditors should
                                       have followed during the attestation engagement, and
                                       the statement of compliance should be qualified in
                                       situations in which the auditors did not follow an
                                       applicable standard. In these situations, the auditors
                                       should disclose in the scope section of the report the
                                       applicable standard that was not followed, the reasons
                                       therefor, and how not following the standard affected, or
                                       could have affected, the results of the attestation
                                       engagement. In assessing the impact of not following an
                                       applicable standard on the results of the attestation
                                       engagement, auditors may need to qualify the
                                       assurances provided, disclaim from providing any
                                       assurances, or withdraw from the engagement.

                                       6.31 An audited entity receiving a GAGAS report on an
                                       attestation engagement may also need a report on the
                                       attestation engagement for purposes other than
                                       complying with requirements calling for a GAGAS
                                       attestation engagement. GAGAS do not prohibit auditors
                                       from issuing a separate report conforming only to the
                                       requirements of AICPA standards. When a GAGAS
                                       attestation engagement is the basis for an auditors’
                                       subsequent report under the AICPA standards, it would
                                       be advantageous to users of the subsequent report for
                                       the auditors’ report to include the information on
                                       internal control and fraud, illegal acts, violations of
                                       provisions of contracts and grant agreements, and abuse
                                       that are required by GAGAS but not required by AICPA
                                       standards.

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

                                           6.32 The standard related to reporting deficiencies in
                                           internal control, fraud, illegal acts, violations of
                                           provisions of contracts or grant agreements, and abuse
                                           for attestation engagements performed in accordance
                                           with GAGAS is:

                                           The report on an attestation engagement should
                                           disclose (1) deficiencies in internal control,
                                           including internal control over compliance with
                                           laws, regulations, and provisions of contracts or
                                           grant agreements that are material to the subject
                                           matter or assertion, (2) all instances of fraud and
                                           illegal acts unless clearly inconsequential, and
                                           (3) violations of provisions of contracts or grant
                                           agreements and abuse that are material to the
                                           subject matter or assertion of the engagement. In
                                           some circumstances, auditors should report fraud,
                                           illegal acts, violations of provisions of contracts or
                                           grant agreements, and abuse directly to parties
                                           external to the audited entity.

                                           6.33 When reporting deficiencies in internal control or
                                           instances of fraud, illegal acts,74 violations of provisions
                                           of contracts or grant agreements, or abuse, auditors
                                           should place their findings in proper perspective by
                                           providing a description of the work performed that
                                           resulted in the finding. To give the reader a basis for
                                           judging the prevalence and consequences of these
                                           findings, the deficiencies or instances identified should
                                           be related to the population or the number of cases
                                           examined and be quantified in terms of dollar value, if
                                           appropriate. If the results cannot be projected, auditors
                                           should limit their conclusion to the items tested.


                                           74
                                             Whether a particular act is, in fact, illegal may have to await final
                                           determination by a court of law. Thus, when auditors disclose matters
                                           that have led them to conclude that an illegal act is likely to have
                                           occurred, they should not unintentionally imply that a final
                                           determination of illegality has been made.


                                       6.34 To the extent possible, in presenting findings,
                                       auditors should develop the elements of criteria,
                                       condition, cause, and effect to assist management or
                                       oversight officials of the audited entity in understanding
                                       the need for taking corrective action. In addition, if
                                       auditors are able to sufficiently develop the findings,
                                       auditors should provide recommendations for
                                       corrective action. The following list contains guidance
                                       for reporting on elements of findings:

                                       a. Criteria: An attestation engagement report is
                                       improved when it provides information so that the
                                       report user will be able to determine what is the
                                       required or desired state or what is expected from the
                                       program or operation. The criteria are easier to
                                       understand when stated fairly, explicitly, and
                                       completely, and the source of the criteria is identified in
                                       the attestation engagement report.75

                                       b. Condition: The attestation engagement report is
                                       improved when it provides evidence of what the
                                       auditors found regarding the actual situation. Reporting
                                       the scope or extent of the condition allows the report
                                       user to gain an accurate perspective.

                                       c. Cause: The attestation engagement report is improved
                                       when it provides persuasive evidence on the factor or
                                       factors responsible for the difference between condition
                                       and criteria. In reporting the cause, auditors may
                                       consider whether the evidence provides a reasonable
                                       and convincing argument for why the stated cause is the
                                       key factor or factors contributing to the difference as
                                       opposed to other possible causes, such as poorly
                                       designed criteria or factors uncontrollable by program
                                       management. The auditors also may consider whether
                                       the identified cause could serve as a basis for the
                                       recommendations.

                                       75
                                         Common sources for criteria are laws, regulations, policies,
                                       procedures, best or standard practices, or assertions. The Standards
                                       for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
                                       (Washington, D.C.: Nov. 1999) and Internal Control—Integrated
                                       Framework, published by the Committee of Sponsoring Organizations
                                       of the Treadway Commission (COSO) are two sources of established
                                       criteria auditors can use to support their judgments and conclusions
                                       about internal control. The related Internal Control Management and
                                       Evaluation Tool (GAO-01-1008G, Aug. 2001), based on the federal
                                       internal control standards, provides a systematic, organized, and
                                       structured approach to assessing internal control.

                                           d. Effect: The attestation engagement report is improved
                                           when it provides a clear, logical link to establish the
                                           impact of the difference between what the auditors
                                           found (condition) and what should be (criteria). Effect
                                           is easier to understand when it is stated clearly,
                                           concisely, and, if possible, in quantifiable terms. The
                                           significance of the reported effect can be demonstrated
                                           through credible evidence.

                                           6.35 When auditors detect internal control deficiencies,
                                           fraud, illegal acts, violations of provisions of contracts
                                           or grant agreements, or abuse that is not material to the
                                           subject matter or assertion, they should communicate
                                           those findings to the audited entity in a management
                                           letter, unless they are clearly inconsequential,
                                           considering both qualitative and quantitative factors.
                                           The auditor should refer to the management letter in the
                                           report on the attestation engagement. Auditors should
                                           use their professional judgment in determining whether
                                           and how to communicate to officials of the audited
                                           entity internal control deficiencies, fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse that are clearly inconsequential.
                                           Auditors should include in their attest documentation
                                           evidence of all communication to officials of the audited
                                           entity about fraud, illegal acts, violations of provisions
                                           of contracts or grant agreements, and abuse.




Direct Reporting of Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

                                       6.36 GAGAS require auditors to report fraud, illegal
                                       acts, violations of provisions of contracts or grant
                                       agreements, and abuse directly to parties outside the
                                       audited entity in two circumstances, as discussed
                                       below.76 These requirements are in addition to any legal
                                       requirements for direct reporting of fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse. Auditors should meet these
                                       requirements even if they have resigned or been
                                       dismissed from the attestation engagement prior to its
                                       completion.

                                       6.37 The audited entity may be required by law or
                                       regulation to report certain fraud, illegal acts, violations
                                       of provisions of contracts or grant agreements, or abuse
                                       to specified external parties, such as a federal inspector
                                       general or a state attorney general. If auditors have
                                       communicated such fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, or abuse to
                                       the audited entity and the entity fails to report them,
                                       then the auditors should communicate such an
                                       awareness to the governing body of the audited entity. If
                                       the audited entity does not make the required report as
                                       soon as possible after the auditors’ communication with
                                       the entity’s governing body, then the auditors should
                                       report such fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse directly to the
                                       external party specified in the law or regulation.

                                       6.38 Officials of the audited entity are responsible for
                                       taking timely and appropriate steps to remedy fraud,
                                       illegal acts, violations of provisions of contracts or grant
                                       agreements, or abuse that auditors report to them. When
                                       fraud, illegal acts, violations of provisions of contracts
                                       or grant agreements, or abuse involves assistance
                                       received directly or indirectly from a government
                                       agency, auditors may have a duty to report directly if
                                       management fails to take remedial steps. If auditors
                                       conclude that such failure is likely to cause them to
                                       depart from the standard report on the attestation
                                       engagement or resign from the engagement, they should
                                       communicate that conclusion to the governing body of
                                       the audited entity. Then, if the audited entity does not
                                       report the fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse as soon as
                                       possible to the entity that provided the government
                                       assistance, the auditors should report the fraud, illegal
                                       acts, violations of provisions of contracts or grant
                                       agreements, or abuse directly to that entity.

                                       76
                                        Internal audit organizations do not have a duty to report outside that
                                       entity unless required by law, rule, regulation, or policy. See paragraph
                                       3.28 for reporting requirements for internal audit organizations when
                                       reporting externally.

                                           6.39 In these situations, auditors should obtain
                                           sufficient, competent, and relevant evidence, such as
                                           confirmation from outside parties, to corroborate
                                           assertions by management that management has
                                           reported fraud, illegal acts, violations of provisions of
                                           contracts or grant agreements, or abuse. If they are
                                           unable to do so, the auditors should report the fraud,
                                           illegal acts, violations of provisions of contracts or grant
                                           agreements, or abuse directly as discussed above.

                                           6.40 Laws, regulations, or policies may require auditors
                                           to report promptly indications of certain types of fraud,
                                           illegal acts, violations of provisions of contracts or grant
                                           agreements, or abuse to law enforcement or
                                           investigatory authorities. In such circumstances, when
                                           auditors conclude that these types of fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse either have occurred or are likely
                                           to have occurred, they should ask those authorities
                                           and/or legal counsel if publicly reporting certain
                                           information about the potential fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse would compromise investigative
                                           or legal proceedings. Auditors should limit their public
                                       reporting to matters that would not compromise those
                                       proceedings, such as information that is already a part of
                                       the public record.


Reporting Views of Responsible Officials

                                       6.41 The standard related to reporting the views of
                                       responsible officials for attestation engagements
                                       performed in accordance with GAGAS is:

                                       If the auditors’ report on the attestation
                                       engagement discloses deficiencies in internal
                                       control, fraud, illegal acts, violations of provisions
                                       of contracts or grant agreements, or abuse,
                                       auditors should obtain and report the views of
                                       responsible officials concerning the findings,
                                       conclusions, and recommendations, as well as
                                       planned corrective actions.

                                       6.42 One of the most effective ways to ensure that a
                                       report is fair, complete, and objective is to obtain
                                       advance review and comments by responsible officials
                                       of the audited entity and others, as may be appropriate.
                                       Including the views of responsible officials results in a
                                       report that presents not only the deficiencies in internal
                                       control, fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse the auditors
                                       identified, but also what the responsible officials of the
                                       audited entity think about the deficiencies in internal
                                       control, fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse and what
                                       corrective actions the officials plan to take. Auditors
                                       should include in their report a copy of the officials’
                                       written comments or a summary of the comments
                                       received.

                                       6.43 Auditors should normally request that the
                                       responsible officials submit in writing their views on the
                                       auditors’ reported findings, conclusions, and
                                       recommendations, as well as management’s planned
                                           corrective actions. Oral comments are acceptable as
                                           well, and, in some cases, may be the only or most
                                           expeditious way to obtain comments. Cases in which
                                           obtaining oral comments can be effective include
                                           circumstances in which there is a time-critical
                                           requirement to meet a user’s needs; the auditors have
                                           worked closely with the responsible officials throughout
                                           the conduct of the work and the parties are familiar with
                                           the findings and issues addressed in the draft product; or
                                           the auditors do not expect major disagreements with the
                                           draft report’s findings, conclusions, and
                                           recommendations, or perceive any major controversies
                                           with regard to the issues discussed in the draft report.
                                           Before finalizing the report, auditors should prepare a
                                           summary of the officials’ oral comments and provide a
                                           copy of the summary to officials of the audited entity to
                                           verify that the comments are accurately stated.

                                           6.44 Comments should be fairly and objectively
                                           evaluated and recognized, as appropriate, in the final
                                           report. Comments, such as a promise or plan for
                                           corrective action, should be noted but should not be
                                           accepted as justification for deleting a significant finding
                                           or a related recommendation.

                                           6.45 When the audited entity’s comments oppose the
                                           report’s findings, conclusions, or recommendations, and
                                           are not, in the auditors’ opinion, valid, or when planned
                                           corrective actions do not adequately address the
                                           auditors’ recommendations, the auditors should state
                                           their reasons for disagreeing with the comments or
                                           planned corrective actions. The auditors’ disagreement
                                           should be stated in a fair and objective manner.
                                           Conversely, the auditors should modify their report as
                                           necessary if they find the comments valid.








Reporting Privileged and Confidential Information
                                       6.46 The standard related to reporting privileged and
                                       confidential information for attestation engagements
                                       performed in accordance with GAGAS is:

                                       If certain pertinent information is prohibited from
                                       general disclosure, the report on the attestation
                                       engagement should state the nature of the
                                       information omitted and the requirement that
                                       makes the omission necessary.

                                       6.47 Certain information may be prohibited from
                                       general disclosure by federal, state, or local laws or
                                       regulations. In such circumstances, auditors may issue a
                                       separate limited-official-use report containing such
                                       information and distribute the report only to persons
                                       authorized by law or regulation to receive it. Additional
                                       circumstances associated with public safety and
                                       security concerns could also justify the exclusion of
                                       certain information in the report. For example, detailed
                                       information related to computer security for a particular
                                       program may be excluded from publicly available
                                       reports if potential damage could be caused by the
                                       misuse of this information. In such circumstances,
                                       auditors may issue a limited-official-use report
                                       containing such information and distribute the report
                                       only to those parties responsible for acting on the
                                       auditors’ recommendations. The auditors should, when
                                       appropriate, consult with legal counsel regarding any
                                       requirements or other circumstances that may
                                       necessitate the omission of certain information.

                                       6.48 Auditors’ judgments that certain information
                                       should be excluded from publicly available reports
                                       should be made in a manner consistent with
                                       consideration of the broader public interest in the
                                       program or activity under review. When circumstances
                                       call for omission of certain information, auditors should
                                       consider whether this omission could distort the
                                       engagement results or conceal improper or unlawful
                                           practices. If auditors make the judgment that certain
                                           information should be excluded from a publicly
                                           available report, they should state the general nature of
                                           the information omitted and the reasons that make the
                                           omission necessary in the report.


   Report Issuance and Distribution
                                           6.49 The standard related to report issuance and
                                           distribution for attestation engagements performed in
                                           accordance with GAGAS is:

                                           Government auditors should submit reports on the
                                           attestation engagement to the appropriate
                                           officials of the audited entity and to the
                                           appropriate officials of the organizations requiring
                                           or arranging for the engagement, including
                                           external funding organizations such as legislative
                                           bodies, unless legal restrictions prevent it.
                                           Auditors should also send copies of the reports to
                                           other officials who have legal oversight authority
                                           or who may be responsible for acting on the
                                           findings and recommendations and to others
                                           authorized to receive such reports. Unless the
                                           report is restricted by law or regulation, or
                                           contains privileged or confidential information,
                                           auditors should clarify that copies are made
                                           available for public inspection. Nongovernment
                                           auditors should clarify report distribution
                                           responsibilities with the party contracting for the
                                           audit and follow the agreements reached.

                                           6.50 Reports on attestation engagements should be
                                           distributed in a timely manner to officials interested in
                                           the results. Such officials include those designated by
                                           law or regulation to receive such reports, those
                                           responsible for acting on the findings and
                                           recommendations contained in the reports, those in
                                           other levels of government that have provided
                                           assistance to the audited entity, and legislators.
                                       However, if the subject matter or assertion of the
                                       attestation engagement involves material that is
                                       classified for security purposes or not releasable to
                                       particular parties or the public for other valid reasons,
                                       auditors should limit the report distribution. The
                                       availability of the report for public inspection should be
                                       documented in the audit documentation.

                                       6.51 Although AICPA standards require that a report on
                                       an engagement to evaluate an assertion based on
                                       agreed-upon criteria or on an engagement to apply
                                       agreed-upon procedures should contain a statement
                                       limiting its use to the parties who have agreed upon such
                                       criteria or procedures, such a statement does not require
                                       that the report distribution be limited. (See paragraphs
                                       6.46 through 6.48 for additional guidance on limited
                                       report distribution.) The availability of the report for
                                       public inspection should be documented in the audit
                                       documentation.

                                       6.52 When nongovernment auditors are engaged to
                                       conduct an attestation engagement under GAGAS, they
                                       should clarify report distribution responsibilities with
                                       the engaging organization. If the public accountants are
                                       to make the distribution, the engagement agreement
                                       should indicate which officials or organizations should
                                       receive the report and the steps being taken to ensure
                                       the availability of the report for public inspection. The
                                       availability of the report for public inspection should be
                                       documented in the audit documentation.

                                       6.53 Internal auditors should follow their entity’s own
                                       arrangements and statutory requirements for
                                       distribution. Usually, they report to their entity’s head or
                                       deputy head, who is responsible for distribution of the
                                       report. Further distribution of reports outside the
                                       organization should be made in accordance with
                                       applicable laws, rules, regulations, or policies.







                                           6.54 If an attestation engagement is terminated before it
                                           is completed but the auditors do not issue a report on
                                           the engagement, auditors should write a memorandum
                                           for the record that summarizes the results of the work to
                                           the date of termination and explains why the attestation
                                           engagement was terminated. In addition, auditors
                                           should communicate the reasons for terminating the
                                           attest engagement to management of the audited entity,
                                           the entity requesting the attestation engagement, and
                                           other appropriate officials, preferably in writing. This
                                           communication should be documented.








   Chapter 7
   Field Work Standards for Performance Audits




   Introduction
                                           7.01 This chapter prescribes field work standards and
                                           provides guidance to auditors conducting performance
                                           audits in accordance with generally accepted
                                           government auditing standards (GAGAS). The field
                                           work standards for performance audits relate to
                                           planning the audit; supervising staff; obtaining
                                           sufficient, competent, and relevant evidence; and
                                           preparing audit documentation.


   Planning
                                           7.02 The field work standard related to planning for
                                           performance audits performed in accordance with
                                           GAGAS is:

                                           Work is to be adequately planned.

                                           7.03 In planning the audit, auditors should define the
                                           audit objectives, as well as the scope and methodology
                                           to achieve those objectives. Audit objectives, scope, and
                                           methodologies are not determined in isolation. Auditors
                                           determine these three elements of the audit plan
                                           together, as the considerations in determining each
                                           often overlap. Planning is a continuous process
                                           throughout the audit. Therefore, auditors should
                                           consider the need to make adjustments to the audit
                                           objectives, scope, and methodology as work is being
                                           completed.








                                       7.04 The objectives are what the audit is intended to
                                       accomplish. They identify the audit subjects and
                                       performance aspects to be included, as well as the
                                       potential finding and reporting elements that the
                                       auditors expect to develop.77 Audit objectives can be
                                       thought of as questions about the program78 that
                                       auditors seek to answer. (See paragraphs 2.09 through
                                       2.13.)

                                       7.05 Scope is the boundary of the audit and should be
                                       directly tied to the audit objectives. For example, the
                                       scope defines parameters of the audit such as the period
                                       of time reviewed, the availability of necessary
                                       documentation or records, and the locations at which
                                       field work will be performed.

                                       7.06 The methodology comprises the work involved in
                                       gathering and analyzing data to achieve the objectives.
                                       Audit procedures are the specific steps and tests
                                       auditors will carry out to address the audit objectives.
                                       Auditors should design the methodology to provide
                                       sufficient, competent, and relevant evidence to achieve
                                       the objectives of the audit. Methodology includes both
                                       the types and extent of audit procedures used to achieve
                                       the audit objectives.

                                       7.07 Planning should be documented and should
                                       include

                                       a. considering the significance of various programs and
                                       the needs of potential users of the audit report (see
                                       paragraphs 7.08 and 7.09);




                                       77 See discussion of the elements of a finding in paragraph 7.28 and
                                       paragraphs 7.62 through 7.65.
                                       78 This chapter uses only the term “program;” however, the concepts
                                       presented also apply to audits of entities, activities, and services.

                                           b. obtaining an understanding of the program to be
                                           audited (see paragraph 7.10);

                                           c. obtaining an understanding of internal control as it
                                           relates to the specific objectives and scope of the audit
                                           (see paragraphs 7.11 through 7.16);

                                           d. designing methodology and procedures to detect
                                           significant violations of legal and regulatory
                                           requirements, contract provisions, or grant agreements
                                           (see paragraphs 7.17 through 7.27);

                                           e. identifying the criteria needed to evaluate matters
                                           subject to audit (see paragraph 7.28);

                                           f. considering the results of previous audits and
                                           attestation engagements that could affect the current
                                           audit objectives (see paragraphs 7.29 and 7.30);

                                           g. identifying potential sources of data that could be
                                           used as audit evidence (see paragraph 7.31);

                                           h. considering whether the work of other auditors and
                                           experts may be used to satisfy some of the audit
                                           objectives (see paragraphs 7.32 through 7.34);

                                           i. providing appropriate and sufficient staff and other
                                           resources to perform the audit (see paragraphs 7.35
                                           through 7.38);

                                           j. communicating general information concerning the
                                           planning and performance of the audit to management
                                           officials responsible for the program being audited and
                                           others as applicable (see paragraphs 7.39 and 7.40); and

                                           k. preparing an audit plan (see paragraphs 7.41 through
                                           7.43).







Program Significance
                                       7.08 The significance of a matter is its relative
                                       importance to the audit objectives and potential users of
                                       the audit report. Auditors should consider the
                                       significance of a program or program component and
                                       the potential use that will be made of the audit results or
                                       report as they plan a performance audit. Indicators of
                                       significance and/or use to consider include

                                       a. visibility and sensitivity of the program under audit,

                                       b. newness of the program or changes in its conditions,

                                       c. role of the audit in providing information that can
                                       improve public accountability and decision making, and

                                       d. level and extent of review or other forms of
                                       independent oversight.

                                       7.09 One group of users of the auditors’ report is
                                       government officials who may have authorized or
                                       requested the audit. Other important users of the
                                       auditors’ report are the entity being audited and
                                       legislative bodies, which are responsible for acting on
                                       the auditors’ recommendations. Other potential users of
                                       the auditors’ report include government legislators or
                                       officials (other than those who may have authorized or
                                       requested the audit), the media, interest groups, and
                                       individual citizens. In addition to an interest in the
                                       program, potential users may have an ability to influence
                                       the conduct of the program. An awareness of these
                                       potential users’ interests and influence can help auditors
                                       understand why the program operates the way it does.
                                       This awareness can also help auditors judge whether
                                       possible findings could be significant to various possible
                                       users.


Understanding the Program
                                       7.10 Auditors should obtain an understanding of the
                                       program to be audited to help assess, among other
                                           matters, the significance of possible audit objectives and
                                           the feasibility of achieving them. The auditors’
                                           understanding may come from knowledge they already
                                           have about the program or knowledge they gain from
                                           inquiries and observations they make in planning the
                                           audit. The extent and breadth of those inquiries and
                                           observations will vary among audits based on the audit
                                           objectives, as will the need to understand individual
                                           aspects of the program, such as the following:

                                           a. Laws, regulations, and provisions of contracts or
                                           grant agreements: Government programs usually are
                                           created by law and are subject to specific laws and
                                           regulations. For example, laws and regulations usually
                                           set forth what is to be done, who is to do it, the purpose
                                           to be achieved, the population to be served, and how
                                           much can be spent on what. Government programs may
                                           also be subject to provisions of contracts and grant
                                           agreements. Thus, understanding the laws and the
                                           legislative history establishing a program and the
                                           provisions of any contracts or grant agreements can be
                                           essential to understanding the program itself. Obtaining
                                           that understanding is also a necessary step in identifying
                                           provisions of laws, regulations, contracts, or grant
                                           agreements significant to audit objectives.

                                           b. Purpose and goals: Purpose is the result or effect that
                                           is intended or desired from a program’s operation.
                                           Legislatures usually establish the program purpose
                                           when they provide authority for the program. Entity
                                           officials may provide more detailed guidance on
                                           program purpose to supplement the authorizing
                                           legislation. Entity officials are sometimes asked to set
                                           goals for program performance and operations,
                                           including both output and outcome goals. Auditors may
                                           use the stated program purpose and goals as criteria for
                                           assessing program performance or may develop
                                           additional criteria or best practices to compare the
                                           program against.





                                       c. Internal control: Internal control, often referred to as
                                       management controls, in the broadest sense includes the
                                       plan of organization, methods, and procedures adopted
                                       by management to meet its missions, goals, and
                                       objectives. Internal control includes the processes for
                                       planning, organizing, directing, and controlling program
                                       operations. It includes the systems for measuring,
                                       reporting, and monitoring program performance.
                                       Internal control also serves as the first line of defense in
                                       safeguarding assets and preventing and detecting errors,
                                       fraud, and violations of laws, regulations, and provisions
                                       of contracts and grant agreements. Paragraphs 7.11
                                       through 7.16 contain guidance pertaining to internal
                                       control.

                                       d. Efforts: Efforts are the amount of resources (in terms
                                       of money, material, personnel, etc.) that are put into a
                                       program. These resources may come from within or
                                       outside the entity operating the program. Measures of
                                       efforts can have a number of dimensions, such as cost,
                                       timing, and quality. Examples of measures of efforts are
                                       dollars, employee-hours, and square feet of building
                                       space.

                                       e. Program operations: Program operations are the
                                       strategies, processes, and activities management uses to
                                       convert efforts into outputs. Program operations are
                                       subject to internal control.

                                       f. Outputs: Outputs represent the quantity of goods or
                                       services produced by a program. For example, an output
                                       measure for a job training program could be the number
                                       of persons completing training, and an output measure
                                       for an aviation safety inspection program could be the
                                       number of safety inspections completed.

                                       g. Outcomes: Outcomes are accomplishments or results
                                       of programs. For example, an outcome measure for a
                                       job training program could be the percentage of trained
                                           persons obtaining a job and still in the work place after a
                                           specified period of time. Examples of outcome
                                           measures for an aviation safety inspection program
                                           could be the percentage reduction in significant safety
                                           problems found in subsequent inspections and/or the
                                           percentage of significant problems deemed corrected in
                                           follow-up inspections. Such outcome measures show
                                           progress in achieving the stated program purposes of
                                           helping unemployable citizens obtain and retain jobs,
                                           and improving the safety of aviation operations.
                                           Auditors should be aware that outcomes may be
                                           influenced by cultural, economic, physical, or
                                           technological factors outside the program. Auditors may
                                           use approaches drawn from other disciplines, such as
                                           program evaluation, to try to isolate the effects of the
                                           program from these other influences.


   Considering Internal Control

                                           7.11 The lack of administrative continuity in
                                           government units because of changes in elected
                                           legislative bodies and in other government officials
                                           increases the need for effective internal control.
                                           Auditors should obtain an understanding of internal
                                           control significant to the audit objectives and consider
                                           whether specific internal control procedures have been
                                           properly designed and placed in operation. Auditors also
                                           need to consider whether they plan to modify the
                                           nature, timing, or extent of their audit procedures based
                                           on the effectiveness of internal controls. If so, auditors
                                           should include specific tests of the effectiveness of
                                           internal control and consider the results in designing
                                       audit procedures.79 Officials of the audited entity are
                                       responsible for establishing effective internal control.

                                       7.12 The following discussion of internal control
                                       objectives is intended to help auditors better understand
                                       internal controls and determine their significance to the
                                       audit objectives:

                                       a. Effectiveness and efficiency of program operations:
                                       Controls over program operations include policies and
                                       procedures that officials of the audited entity have
                                       implemented to reasonably ensure that a program meets
                                       its objectives and that unintended actions do not result.
                                       Understanding these controls can help auditors
                                       understand the program operations that convert efforts
                                       to outputs or outcomes.

                                       79
                                         Refer to the internal control guidance contained in Internal
                                       Control—Integrated Framework, published by the Committee of
                                       Sponsoring Organizations of the Treadway Commission (COSO). As
                                       discussed in the COSO study, internal control consists of five
                                       interrelated components, which are (1) control environment, (2) risk
                                       assessment, (3) control activities, (4) information and communication,
                                       and (5) monitoring. The objectives of internal control relate to
                                       (1) financial reporting, (2) operations, and (3) compliance.
                                       Safeguarding of assets is a subset of these objectives. In that respect,
                                       internal control should be designed to provide reasonable assurance
                                       regarding prevention of or prompt detection of unauthorized
                                       acquisition, use, or disposition of assets. In addition to the COSO
                                       document, the publication, Standards for Internal Control in the
                                       Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov.
                                       1999), which incorporates the relevant guidance developed by COSO,
                                       provides definitions and fundamental concepts pertaining to internal
                                       control at the federal level and may be useful to other auditors at any
                                       level of government. The related Internal Control Management and
                                       Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based
                                       on the federal internal control standards, provides a systematic,
                                       organized, and structured approach to assessing the internal control
                                       structure.

                                       b. Validity and reliability of data: Controls over the
                                       validity and reliability of data include policies and
                                       procedures that officials of the audited entity have
                                       implemented to reasonably ensure that valid and
                                           reliable data are obtained, maintained, and fairly
                                           disclosed in reports. These controls help assure
                                           management that it is getting valid and reliable
                                           information about whether programs are operating
                                           properly on an ongoing basis. Understanding these
                                           controls can help auditors (1) assess the risk that the
                                           data gathered by the entity may not be valid or reliable
                                           and (2) design appropriate tests of the data.

                                           c. Compliance with applicable laws and regulations and
                                           provisions of contracts or grant agreements: Controls
                                           over compliance include policies and procedures that
                                           officials of the audited entity have implemented to
                                           reasonably ensure that program implementation is
                                           consistent with laws, regulations, and provisions of
                                           contracts or grant agreements. Understanding the
                                           relevant controls concerning compliance with those
                                           laws and regulations and provisions of contracts or
                                           grant agreements that the auditors have determined are
                                           significant can help auditors assess the risk of illegal
                                           acts80 and violations of provisions of contracts or grant
                                           agreements.

                                           7.13 A subset of these categories of internal control
                                           objectives is the safeguarding of resources. Controls
                                           over the safeguarding of resources include policies and
                                           procedures that officials of the audited entity have
                                           implemented to reasonably prevent or promptly detect
                                           unauthorized acquisition, use, or disposition of
                                           resources.

                                           80
                                            Violations of laws or regulations are illegal acts.

                                           7.14 Auditors can obtain an understanding of internal
                                           control through inquiries, observations, inspection of
                                           documents and records, or review of other auditors’
                                           reports. The procedures auditors perform to obtain an
                                           understanding of internal control will vary among
                                       audits. One factor influencing the extent of these
                                       procedures is the auditors’ knowledge about internal
                                       control gained in prior audits. Also, the need to
                                       understand internal control will depend on the
                                       particular aspects of the program the auditors consider
                                       in setting objectives, scope, and methodology. The
                                       following are examples of how the auditors’
                                       understanding of internal control can influence the audit
                                       plan:

                                       a. Audit objectives: Poorly controlled aspects of a
                                       program have a higher risk of failure, so they may be
                                       more significant than others in terms of where auditors
                                       may want to focus their efforts.

                                       b. Audit scope: Knowledge that internal controls are not
                                       properly designed or placed in operation at a certain
                                       location may lead auditors to target their efforts there.

                                       c. Audit methodology: Effective controls at the audited
                                       entity over collecting, summarizing, and reporting data
                                       may enable auditors to limit the extent of their direct
                                       testing of data validity and reliability. In contrast,
                                       evidence suggesting ineffective controls may lead
                                       auditors to perform more direct testing of the data, look
                                       for data from outside the entity, or develop their own
                                       data.

                                       7.15 When internal controls are significant to the audit
                                       objectives, auditors should plan to obtain sufficient
                                       evidence to support their judgments about those
                                       controls. The following are examples of circumstances
                                       in which internal controls can be significant to audit
                                       objectives:

                                       a. In determining the cause of unsatisfactory
                                       performance, auditors may consider that unsatisfactory
                                       performance could result from deficiencies in internal
                                       controls.

                                           b. When assessing the validity and reliability of
                                           performance measures developed by the audited entity,
                                           effective internal control by the audited entity over
                                           collecting, summarizing, and reporting data will help
                                           ensure that the performance measures are valid and
                                           reliable.

                                           7.16 Internal auditing is an important part of internal
                                           control.81 When an assessment of internal control is
                                           called for, the work of the internal auditors can be used
                                           to help provide reasonable assurance that internal
                                           controls are effectively designed and functioning
                                           properly, and to prevent duplication of effort.


   Designing the Audit to Detect Violations of Legal and Regulatory
   Requirements, Contract Provisions, or Grant Agreement, Fraud, and Abuse

                                           7.17 When laws, regulations, or provisions of contracts
                                           or grant agreements are significant to the audit
                                           objectives, auditors should design the audit
                                           methodology and procedures to provide reasonable
                                           assurance of detecting violations that could have a
                                           significant effect on the audit results. Auditors should
                                           determine which laws, regulations, and provisions of
                                           contracts or grant agreements are significant to the
                                           audit objectives and assess the risk that illegal acts or
                                           violations of provisions of contracts or grant agreements
                                           could occur. Based on that risk assessment, the auditors
                                           design and perform procedures to provide reasonable
                                           assurance of detecting significant instances of illegal
                                           acts or violations of provisions of contracts or grant
                                           agreements. Auditors should include audit
                                           documentation on their assessment of risk.

                                           81
                                             Many government entities have these activities identified by other
                                           names, such as inspection, appraisal, investigation, organization and
                                           methods, or management analysis. These activities assist management
                                           by reviewing selected functions.

                                           7.18 It is not practical to set precise standards for
                                           determining whether laws, regulations, or provisions of
                                       contracts or grant agreements are significant to audit
                                       objectives because government programs are subject to
                                       many laws, regulations, and provisions of contracts or
                                       grant agreements, and audit objectives vary widely.
                                       However, auditors may find the following approach
                                       helpful in making that determination:

                                       a. Reduce each audit objective to questions about
                                       specific aspects of the program being audited (that is,
                                       purpose and goals, internal control, efforts, program
                                       operations, outputs, and outcomes, as discussed in
                                       paragraph 7.10).

                                       b. Identify laws, regulations, and provisions of contracts
                                       or grant agreements that directly relate to specific
                                       aspects of the program included in questions that reflect
                                       the audit objectives.

                                       c. Determine if violations of those laws, regulations, or
                                       provisions of contracts or grant agreements could
                                       significantly affect the auditors’ answers to the
                                       questions that relate to the audit objectives. If they
                                       could, then those laws, regulations, and provisions of
                                       contracts or grant agreements are likely to be significant
                                       to the audit objectives.

                                       7.19 Auditors may find it necessary to rely on the work
                                       of legal counsel to (1) determine those laws and
                                       regulations that are significant to the audit objectives,
                                       (2) design tests of compliance with laws and regulations,
                                       or (3) evaluate the results of those tests.82 Auditors also
                                       may find it necessary to rely on the work of legal
                                       counsel when audit objectives require testing
                                       compliance with provisions of contracts or grant
                                       agreements. Depending on the circumstances of the
                                       audit, auditors may find it necessary to obtain
                                           information on compliance matters from others, such as
                                           investigative staff, other audit organizations or
                                           government entities that provided assistance to the
                                           audited entity, or the applicable law enforcement
                                           authority.

                                       82
                                         Paragraphs 7.32 through 7.34 discuss relying on the work of others.

                                           7.20 In planning tests of compliance with significant
                                           laws, regulations, and provisions of contracts or grant
                                           agreements, auditors should assess the risk that
                                           violations could occur. That risk may be affected by
                                           such factors as the complexity or newness of the laws,
                                           regulations, and provisions of contracts or grant
                                           agreements. The auditors’ assessment of risk includes
                                           consideration of whether the entity has controls that are
                                           effective in preventing or detecting violations of laws,
                                           regulations, and provisions of contracts or grant
                                           agreements. If auditors obtain sufficient evidence of the
                                           effectiveness of these controls, they can reduce the
                                           extent of their tests of compliance.

                                           7.21 In planning the audit, auditors should consider
                                           risks due to fraud83 that could significantly84 affect their
                                           audit objectives and the results of their audit. The audit
                                           team should discuss potential fraud risks, considering
                                           fraud factors such as individuals’ incentives or pressures
                                           to commit fraud, the opportunity for fraud to occur, and
                                           rationalizations or attitudes that could allow individuals
                                           to commit fraud. Auditors should gather and assess
                                           information necessary to identify fraud risks which
                                           could be relevant to the audit objectives or affect the
                                           results of their audit. For example, auditors may need to
                                           obtain information through discussion with officials of
                                       the audited entity or through other means to determine
                                       the susceptibility of the program to fraud, the status of
                                       internal controls the entity has established to detect and
                                       prevent fraud, or the risk that officials of the audited
                                       entity could override internal control. Auditors should
                                       exercise professional skepticism in assessing these risks
                                       to determine which factors or risks could significantly
                                       affect the results of their work if fraud has occurred or is
                                       likely to have occurred.

                                           83
                                             Fraud is a type of illegal act involving the obtaining of something of
                                           value through willful misrepresentation.
                                           84
                                             The terms “material” and “significant” are synonymous under
                                           GAGAS. “Material” is used in the AICPA standards in relation to audits
                                           of financial statements. “Significant” is used in relation to other types
                                           of audits governed by GAGAS, such as performance audits, where the
                                           term “material” is generally not used.

                                       7.22 When auditors identify factors or risks related to
                                       fraud that they believe could significantly affect the
                                       audit objectives or the results of the audit, auditors
                                       should respond by designing procedures to provide
                                       reasonable assurance of detecting fraud significant to
                                       the audit objectives. Auditors should prepare audit
                                       documentation related to their identification and
                                       assessment of and response to fraud risks. Auditors
                                       should also be aware that assessing the risk of fraud is
                                       an ongoing process throughout the audit and relates not
                                       only to planning the audit but also to evaluating
                                       evidence obtained during the audit.

                                       7.23 Auditors should also be alert to situations or
                                       transactions that could be indicative of fraud. When
                                       information comes to the auditors’ attention (through
                                       audit procedures, allegations received through fraud
                                       hotlines, or other means) indicating that fraud may have
                                       occurred, auditors should consider whether the possible
                                       fraud could significantly affect the audit results. If the
                                       fraud could significantly affect the audit results, auditors
                                       should extend the audit steps and procedures, as
                                       necessary, to (1) determine if fraud likely has occurred
                                       and (2) if so, determine its effect on the audit results.

                                       7.24 Auditors’ training, experience, and understanding
                                       of the program being audited may provide a basis for
                                       recognizing that some acts coming to their attention
                                       may be indicative of fraud. Whether an act is, in fact,
                                           fraud is a determination to be made through the judicial
                                           or other adjudicative system and is beyond auditors’
                                           professional expertise and responsibility. However,
                                           auditors are responsible for being aware of
                                           vulnerabilities to fraud associated with the area being
                                           audited in order to be able to identify indications that
                                           fraud may have occurred. In some circumstances,
                                           conditions such as the following might indicate a
                                           heightened risk of fraud:

                                           a. weak management that fails to enforce existing
                                           internal control or to provide adequate oversight over
                                           the control process;

                                           b. inadequate separation of duties, especially those that
                                           relate to controlling and safeguarding resources;

                                           c. transactions that are out of the ordinary and are not
                                           satisfactorily explained, such as unexplained
                                           adjustments in inventories or other resources;

                                           d. instances when employees of the audited entity
                                           refuse to take vacations or accept promotions;

                                           e. missing or altered documents, or unexplained delays
                                           in providing information;

                                           f. false or misleading information; or

                                           g. a history of impropriety, such as past audits or
                                           investigations with findings of questionable or criminal
                                           activity.




                                       7.25 Abuse is distinct from fraud, illegal acts, or
                                       violations of provisions of contracts or grant
                                       agreements. When abuse occurs, no law, regulation, or
                                       provision of a contract or grant agreement is violated.
                                       Rather, abuse involves behavior that is deficient or
                                       improper when compared with behavior that a prudent
                                       person would consider reasonable and necessary
                                       business practice given the facts and circumstances.85
                                       Auditors should be alert to situations or transactions
                                       that could be indicative of abuse. When information
                                       comes to the auditors’ attention (through audit
                                       procedures, allegations received through a fraud hotline,
                                       or other means) indicating that abuse may have
                                       occurred, auditors should consider whether the possible
                                       abuse affects the audit results significantly. If
                                       indications of abuse exist that significantly affect the
                                       audit results, the auditors should extend the audit steps
                                       and procedures, as necessary, to (1) determine whether
                                       the abuse occurred and, if so, (2) determine its effect on
                                       the audit results. However, because the determination of
                                       abuse is subjective, auditors are not expected to provide
                                       reasonable assurance of detecting it. Auditors should
                                       consider both quantitative and qualitative factors in
                                       making judgments regarding the significance of possible
                                       abuse and whether they need to extend the audit steps
                                       and procedures.

                                       85 For example, in a performance audit of management’s efficient use of
                                       funds for office building maintenance, auditors might find abuse if
                                       renovation of senior management’s offices far exceeds usual office
                                       space specifications. While auditors might not view the renovation
                                       costs as quantitatively significant to the audit results, these expenses
                                       would be considered qualitatively significant to this audit objective.

                                       7.26 Auditors should exercise professional judgment in
                                       pursuing indications of possible fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, or abuse in order to not interfere with
                                       potential investigations, legal proceedings, or both.
                                       Under some circumstances, laws, regulations, or
                                       policies require auditors to report indications of certain
                                       types of fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse to law
                                       enforcement or investigatory authorities before
                                       extending audit steps and procedures. Auditors may also
                                       be required to withdraw from or defer further work on
                                       the audit or a portion of the audit in order not to
                                       interfere with an investigation.

                                           7.27 An audit made in accordance with these standards
                                           provides reasonable assurance of detecting illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or fraud that could significantly affect the
                                           audit results; however, it does not guarantee the
                                           discovery of illegal acts, violations of provisions of
                                           contracts or grant agreements, or fraud. Nor does the
                                           subsequent discovery of illegal acts, violations of
                                           contracts or grant agreements, or fraud committed
                                           during the audit period necessarily mean that the
                                           auditors’ performance was inadequate, provided the
                                           audit was made in accordance with these standards.


   Identifying Audit Criteria

                                           7.28 Criteria are the standards, measures, expectations
                                           of what should exist, best practices, and benchmarks
                                           against which performance is compared or evaluated.
                                           Criteria, one of the elements of a finding, provide a
                                           context for understanding the results of the audit. (See
                                           paragraphs 7.62 through 7.65 for a discussion on the
                                           other elements of a finding.) The audit plan, where
                                           possible, should state the criteria to be used. In selecting
                                           criteria, auditors have a responsibility to use criteria that
                                           are reasonable, attainable, and relevant to the objectives
                                           of the performance audit. The following are some
                                           examples of possible criteria:

                                           a. purpose or goals prescribed by law or regulation or
                                           set by officials of the audited entity,



                                       b. policies and procedures established by officials of the
                                       audited entity,

                                       c. technically developed standards or norms,

                                       d. expert opinions,

                                       e. prior periods’ performance,

                                       f. performance of similar entities,

                                       g. performance in the private sector, or

                                       h. best practices of leading organizations.


Considering the Results of Previous Audits and Attestation Engagements

                                       7.29 Auditors should consider the results of previous
                                       audits and attestation engagements and follow up on
                                       known significant findings and recommendations86
                                       identified in previous audit reports that directly relate to
                                       the objectives of the audit being undertaken. Auditors
                                       should ask audited entity officials to identify previous
                                       financial audits, attestation engagements, performance
                                       audits, or other studies related to the objectives of the
                                       audit being undertaken and to identify corrective
                                       actions taken to address significant findings and
                                       recommendations. For example, an audit report on an
                                       entity’s computerized information systems may contain
                                       significant findings that could relate to the performance
                                       audit if the entity uses such systems to process its
                                       accounting or other information the auditors plan on
                                       using. Auditors should use professional judgment in
                                       determining (1) prior periods to be considered, (2) the
                                       level of work necessary to follow up on significant
                                       findings and recommendations that affect the audit, and
                                       (3) the risk assessment used in planning the current
                                       audit and designing audit procedures to be performed.

                                       86 Significant findings and recommendations are those matters that, if
                                       not corrected, could affect the results of the auditors’ work and the
                                       auditors’ conclusions and recommendations about those results.

                                           7.30 Providing continuing attention to significant
                                           findings and recommendations is important to ensure
                                           that the benefits of audit work are realized. Ultimately,
                                           the benefits of audit work occur when officials of the
                                           audited entity take meaningful and effective corrective
                                           action in response to the auditors’ findings and
                                           recommendations. Officials of the audited entity are
                                           responsible for resolving audit findings and
                                           recommendations directed to them and for having a
                                           process to track their status. If the audited entity does
                                           not have such a process, auditors may wish to establish
                                           their own process.


   Identifying Sources of Audit Evidence

                                           7.31 In identifying potential sources of data that could
                                           be used as audit evidence, auditors should consider the
                                           validity and reliability of the data, including data
                                           collected by the audited entity, data generated by the
                                           auditors, or data provided by third parties, as well as the
                                           sufficiency and relevance of the evidence. (See
                                           paragraphs 7.48 through 7.65 for standards and guidance
                                           concerning evidence.)


   Considering Work of Others

                                           7.32 Auditors should determine whether other auditors
                                           have previously done, or are doing, audits of the
                                           program or the entity that operates it. Whether other
                                           auditors have done performance audits, financial audits,
                                           or attestation engagements, the other auditors may be
                                           useful sources of information for planning and
                                           performing the audit. If other auditors have identified
                                           areas that warrant further study, their work may
                                           influence the auditors’ selection of performance audit
                                           objectives. The availability of other auditors’ work may
                                           also influence the selection of methodology, since the
                                           auditors may be able to rely on that work to limit the
                                           extent of their own testing.




                                       7.33 If auditors intend to rely on the work of other
                                       auditors, they should perform procedures regarding the
                                       specific work to be relied on that provide a sufficient
                                       basis for that reliance. Auditors should obtain evidence
                                       concerning the other auditors’ qualifications and
                                       independence through prior experience, inquiry, and/or
                                       review of the other auditors’ external quality control
                                       review report. Auditors should determine the
                                       sufficiency, relevance, and competence of other
                                       auditors’ evidence by reviewing their report, audit
                                       program, or audit documentation, or by performing
                                       supplemental tests of the other auditors’ work. The
                                       nature and extent of evidence needed will depend on the
                                       significance of the other auditors’ work, on the extent to
                                       which the auditors will rely on that work, and whether
                                       auditors will refer to that work in their work.

                                       7.34 Auditors face similar considerations when using
                                       the work of nonauditors (such as specialists). In
                                       addition, auditors should obtain an understanding of the
                                       methods and significant assumptions used by the
                                       nonauditors. (See paragraph 3.06 for independence
                                       considerations when relying on the work of others.)


Assigning Staff and Other Resources

                                       7.35 Staff planning should include, among other things:

                                       a. assigning staff with the appropriate collective
                                       knowledge, skills, and experience for the job;

                                       b. assigning an adequate number of staff and
                                       supervisors to the audit;

                                       c. providing for on-the-job training of staff; and

                                       d. engaging specialists when necessary.

                                       7.36 The availability of staff and other resources and the
                                       need for specialized skills are important considerations
                                           in establishing the audit objectives, scope, and
                                           methodology. For example, limitations on travel funds
                                           may preclude auditors from visiting certain critical
                                           locations, or lack of appropriate expertise in a particular
                                           methodology or with computerized information systems
                                           may preclude auditors from undertaking certain
                                           objectives. Auditors may be able to overcome such
                                           limitations by engaging specialists with the necessary
                                           expertise.

                                           7.37 If the use of a specialist is planned, auditors should
                                           have sufficient knowledge to

                                           a. articulate the objectives required of the specialist,

                                           b. evaluate whether the specified procedures will meet
                                           auditors’ objectives, and

                                           c. evaluate the results of the procedures applied as they
                                           relate to other planned audit procedures.

                                           7.38 Auditors without sufficient knowledge to perform
                                           the functions listed above should consider alternative
                                           measures for ensuring audit quality related to the
                                           specialist’s work, such as engaging another specialist to
                                           review the specialist’s work.


   Communicating with Management and Others

                                           7.39 Auditors should communicate information about
                                           the specific nature of the performance audit, as well as
                                           general information concerning the planning and
                                           conduct of the audit and reporting—such as the form of
                                           the report and any potential restrictions on the report—
                                           to the various parties involved in the audit to help them
                                           understand the objectives, time frames, and any data
                                           needs. Parties involved may include

                                           a. the head of the audited entity;


                                       b. the audit committee or, in the absence of an audit
                                       committee, the board of directors or other equivalent
                                       oversight body;

                                       c. the individual who possesses a sufficient level of
                                       authority and responsibility for the program or activity
                                       being audited; and

                                       d. the individuals contracting for or requesting audit
                                       services, such as contracting officials or legislative
                                       members or staff, if applicable.

                                       7.40 Auditors should use their professional judgment to
                                       determine the form, content, and frequency of the
                                       communication, although written communication is
                                       preferred. Auditors may use an engagement letter, if
                                       appropriate, to communicate the information. Auditors
                                       should include the communication in the audit
                                       documentation. If the audit does not result in a product,
                                       auditors should document the audit by preparing a
                                       memorandum for the record that summarizes the results
                                       of the work and explains the reason the audit was
                                       terminated. If the audit is terminated before it is
                                       completed, auditors should communicate the reason for
                                       terminating it to management of the audited entity, the
                                       entity requesting the audit, and other appropriate
                                       officials, preferably in writing. This communication
                                       should be documented.


Preparing the Audit Plan

                                       7.41 A written audit plan should be prepared for each
                                       audit. The form and content of the written audit plan
                                       will vary among audits but should include an audit
                                       program or project plan, a memorandum, or other
                                       appropriate documentation of key decisions about the
                                       audit objectives, scope, and methodology and of the
                                       auditors’ basis for those decisions. It should be updated,
                                       as necessary, to reflect any significant changes to the
                                       plan made during the audit.

                                           7.42 Documenting the audit plan is an opportunity for
                                           the auditors to supervise audit planning and to
                                           determine whether

                                           a. the proposed audit objectives are likely to result in a
                                           useful report,

                                           b. the proposed audit scope and methodology are
                                           adequate to satisfy the audit objectives, and

                                           c. sufficient staff and other resources are available to
                                           perform the audit and to meet expected time frames for
                                           completing the work.

                                           7.43 Written audit plans may include the following:

                                           a. information about the legal authority for the audited
                                           program, its history and current objectives, its principal
                                           locations, and other background that can help auditors
                                           understand and carry out the audit plan;

                                           b. information about the responsibilities of each
                                           member of the audit team (such as preparing audit
                                           programs, conducting audit work, supervising and
                                           reviewing audit work, drafting reports, handling
                                           comments from officials of the audited program, and
                                           processing the final report), which can help auditors
                                           when the work is conducted at several different
                                           locations. In these audits, use of comparable audit
                                           methods and procedures can help make the data
                                           obtained from participating locations comparable;

                                           c. audit programs describing procedures to accomplish
                                           the audit objectives and providing a systematic basis for
                                           assigning work to staff and for summarizing the work
                                           performed; and




                                       d. the general format of the audit report and the types of
                                       information to be included, which can help auditors
                                       focus their field work on the information to be reported.


Supervision

                                       7.44 The field work standard related to supervision for
                                       performance audits performed in accordance with
                                       GAGAS is:

                                       Staff are to be properly supervised.

                                       7.45 Supervision involves directing the efforts of staff
                                       assigned to the audit to ensure that the audit objectives
                                       are accomplished. Elements of supervision include
                                       providing sufficient guidance to staff members, staying
                                       informed about significant problems encountered,
                                       reviewing the work performed, and providing effective
                                       on-the-job training.

                                       7.46 Supervisors should satisfy themselves that staff
                                       members clearly understand what work they are to do,
                                       why the work is to be conducted, and what the work is
                                       expected to accomplish. With experienced staff,
                                       supervisors may outline the scope of the work and leave
                                       details to the staff. With less experienced staff,
                                       supervisors may have to specify audit procedures to be
                                       performed as well as techniques for gathering and
                                       analyzing data.

                                       7.47 Reviews of audit work should be documented. The
                                       nature and extent of the review of audit work may vary
                                       depending on a number of factors, such as the size of the
                                       audit organization, the significance of the work, and the
                                       experience of the staff.


Evidence                               7.48 The field work standard related to evidence for
                                       performance audits performed in accordance with
                                       GAGAS is:

                                           Sufficient, competent, and relevant evidence is to
                                           be obtained to provide a reasonable basis for the
                                           auditors’ findings and conclusions.

                                           7.49 A large part of auditors’ work on an audit concerns
                                           obtaining and evaluating evidence that ultimately
                                           supports their judgments and conclusions pertaining to
                                           the audit objectives. In evaluating evidence, auditors
                                           consider whether they have obtained the evidence
                                           necessary to achieve specific audit objectives. When
                                           internal control or compliance requirements are
                                           significant to the audit objectives, auditors should also
                                           collect and evaluate evidence relating to controls or
                                           compliance.

                                           7.50 Evidence may be categorized as physical,
                                           documentary, testimonial, and analytical. Physical
                                           evidence is obtained by auditors’ direct inspection or
                                           observation of people, property, or events. Such
                                           evidence may be documented in memoranda,
                                           photographs, drawings, charts, maps, or physical
                                           samples. Documentary evidence consists of created
                                           information such as letters, contracts, accounting
                                           records, invoices, and management information on
                                           performance. Testimonial evidence is obtained through
                                           inquiries, interviews, or questionnaires. Analytical
                                           evidence includes computations, comparisons,
                                           separation of information into components, and rational
                                           arguments.

                                           7.51 The guidance in the following paragraphs is
                                           intended to help auditors judge the quality and quantity
                                           of evidence needed to satisfy audit objectives.
                                           Paragraphs 7.52 through 7.61 are intended to help
                                           auditors determine what constitutes sufficient,
                                           competent, and relevant evidence to support their
                                           findings and conclusions. Paragraphs 7.62 through 7.65
                                           describe the elements of an audit finding.



Tests of Evidence                      7.52 Evidence should be sufficient, competent, and
                                       relevant to support a sound basis for audit findings,
                                       conclusions, and recommendations:

                                       a. Evidence should be sufficient to support the auditors’
                                       findings. In determining the sufficiency of evidence,
                                       auditors should ensure that enough evidence exists to
                                       persuade a knowledgeable person of the validity of the
                                       findings. When appropriate, statistical methods may be
                                       used to establish sufficiency.

                                       b. Evidence is competent if it is valid, reliable, and
                                       consistent with fact. In assessing the competence of
                                       evidence, auditors should consider such factors as
                                       whether the evidence is accurate, authoritative, timely,
                                       and authentic. When appropriate, auditors may use
                                       statistical methods to derive competent evidence.

                                       c. Evidence is relevant if it has a logical relationship
                                       with, and importance to, the issue being addressed.

                                       7.53 The following presumptions are useful in judging
                                       the competence of evidence. However, these
                                       presumptions are not to be considered sufficient in
                                       themselves to determine competence. The amount and
                                       kinds of evidence required to support auditors’
                                       conclusions should be based on auditors’ professional
                                       judgment.

                                       a. Evidence obtained when internal controls are
                                       effective is more competent than evidence obtained
                                       when controls are weak or nonexistent. Auditors should
                                       be particularly careful in cases where controls are weak
                                       or nonexistent and should, therefore, plan alternative
                                       audit procedures to corroborate such evidence.

                                       b. Evidence obtained through the auditors’ direct
                                       physical examination, observation, computation, and
                                           inspection is more competent than evidence obtained
                                           indirectly.

                                           c. Examination of original documents provides more
                                           competent evidence than do copies.

                                           d. Testimonial evidence obtained under conditions
                                           where persons may speak freely is more competent than
                                           testimonial evidence obtained under compromising
                                           conditions (for example, where the persons may be
                                           intimidated).

                                           e. Testimonial evidence obtained from an individual
                                           who is not biased or has complete knowledge about the
                                           area is more competent than testimonial evidence
                                           obtained from an individual who is biased or has only
                                           partial knowledge about the area.

                                           f. Evidence obtained from a credible third party may in
                                           some cases be more competent than that secured from
                                           management or other officials of the audited entity.

                                           7.54 Auditors may find it useful to obtain written
                                           representations concerning the competence and
                                           completeness of certain evidence from officials of the
                                           audited entity. Written representations ordinarily
                                           confirm oral representations given to auditors, indicate
                                           and document the continuing appropriateness of such
                                           representations, and reduce the possibility of
                                           misunderstandings concerning the matters that are the
                                           subject of the representations. Written representations
                                           can take several forms, including summary documents
                                           prepared by the auditors and signed by the entity’s
                                           management. If officials of the audited entity refuse to
                                           provide a written representation that the auditors have
                                           requested, the auditors should consider the effects of
                                           the refusal on results of the audit.




7.55 The auditors’ approach to determining the
sufficiency, competence, and relevance of evidence
depends on the source of the information that
constitutes the evidence. Information sources include
original data gathered by auditors and existing data
gathered by either officials of the audited entity or a
third party. Data from any of these sources may be
obtained from computer-based systems. (See paragraph
7.60 for additional documentation requirements when
using information from a computer-based system.)

7.56 Data gathered by auditors: Data gathered by
auditors include the auditors’ own observations and
measurements. Among the methods for gathering this
type of data are questionnaires, structured interviews,
direct observations, and computations. The design of
these methods and the skill of the auditors applying
them are the keys to ensuring that these data constitute
sufficient, competent, and relevant evidence. When
these methods are applied to determine cause, auditors
are concerned with eliminating conflicting explanations.

7.57 Data gathered by management: Auditors can use
data gathered by officials of the audited entity as part of
their evidence. However, auditors should determine the
validity and reliability of data that are significant to the
audit objectives and may do so by direct tests of the
data. Auditors can reduce the direct tests of the data if
they test the effectiveness of the entity’s internal
controls over the validity and reliability of the data and
these tests support the conclusion that the controls are
effective. The nature and extent of data testing will
depend on the significance of the data to support the
auditors’ findings. How the use of unaudited data
gathered by officials of the audited entity affects the
auditors’ report depends on the data’s significance to the
auditors’ findings. For example, in some circumstances,
auditors may use unaudited data to provide background
information; however, the use of such unaudited data
                                           would generally not be appropriate to support audit
                                           findings and conclusions.

                                           7.58 Data gathered by third parties: The auditors’
                                           evidence may also include data gathered by third
                                           parties. In some cases, these data may have been
                                           audited by others, or the auditors may be able to audit
                                           the data themselves. In other cases, however, it will not
                                           be practical to obtain evidence of the data’s validity and
                                           reliability. How the use of unaudited third-party data
                                           affects the auditors’ report depends on the data’s
                                           significance to the auditors’ findings. For example, in
                                           some circumstances, auditors may use unaudited data to
                                           provide background information; however, the use of
                                           such unaudited data would generally not be appropriate
                                           to support audit findings and conclusions.

                                           7.59 Validity and reliability of data from computer-based
                                           systems: Auditors should obtain sufficient, competent,
                                           and relevant evidence that computer-processed data are
                                           valid and reliable when these data are significant to the
                                           auditors’ findings. This work is necessary regardless of
                                           whether the data are provided to auditors or auditors
                                           independently extract them. Auditors should determine
                                           if officials of the audited entity or other auditors have
                                           worked to establish the validity and reliability of the
                                           data or the effectiveness of the controls over the system
                                           that produced the data. If the results of such work are
                                           current, auditors may be able to rely on that work. (See
                                           paragraphs 7.32 through 7.34 for requirements when
                                           relying on the work of others.) Auditors may also
                                           determine the validity and reliability of computer-
                                           processed data by direct tests of the data.

                                           7.60 Auditors can reduce the direct tests of the data if
                                           they test the effectiveness of general and application
                                           controls over computer-processed data and these tests
                                           support the conclusion that the controls are effective. If
                                           auditors determine that internal controls over data that
                                       are significantly dependent upon computerized
                                       information systems are not effective or if auditors do
                                       not plan to test the effectiveness of such controls,
                                       auditors should include audit documentation regarding
                                       the basis for that conclusion by addressing (1) the
                                       reasons why the design or operation of the controls is
                                       ineffective, or (2) the reasons why it is inefficient to test
                                       the controls. In such circumstances, auditors should
                                       also include audit documentation regarding their
                                       reasons for concluding that the planned audit
                                       procedures, such as direct tests of the data, are
                                       effectively designed to achieve specific audit objectives.
                                       This documentation should address

                                       a. the rationale for determining the types and extent of
                                       planned audit procedures;

                                       b. the kinds and competence of available evidence
                                       produced outside a computerized information system;
                                       and

                                       c. the effect on the audit report if the evidence gathered
                                       during the audit does not allow the auditors to achieve
                                       audit objectives.

                                       7.61 When the auditors’ tests of data disclose errors in
                                       the data, or when they are unable to obtain sufficient,
                                       competent, and relevant evidence about the validity and
                                       reliability of the data, they may find it necessary to

                                       a. seek evidence from other sources,

                                       b. redefine the audit’s objectives to eliminate the need to
                                       use the data, or

                                       c. use the data, but clearly indicate in their report the
                                       data’s limitations and refrain from making unwarranted
                                       conclusions or recommendations.


   Audit Findings                          7.62 Audit findings often have been regarded as
                                           containing the elements of criteria, condition, and effect,
                                           plus cause when problems are found. However, the
                                           elements needed for a finding depend entirely on the
                                           objectives of the audit. Thus, a finding or set of findings
                                           is complete to the extent that the audit objectives are
                                           satisfied and the report clearly relates those objectives
                                           to the elements of a finding. Criteria are discussed in
                                           paragraph 7.28, and the other elements of a finding—
                                           condition, effect, and cause—are discussed in the
                                           following paragraphs:

                                           7.63 Condition: Condition is a situation that exists. It
                                           has been determined and documented during the audit.

                                           7.64 Effect: Effect has two meanings that depend on the
                                           audit objectives. When the auditors’ objectives include
                                           identifying the actual or potential consequences of a
                                           condition that varies (either positively or negatively)
                                           from the criteria identified in the audit, “effect” is a
                                           measure of those consequences. Auditors often use
                                           effect in this sense to demonstrate the need for
                                           corrective action in response to identified problems.
                                           When the auditors’ objectives include estimating the
                                           extent to which a program has caused changes in
                                           physical, social, or economic conditions, “effect” is a
                                           measure of the impact achieved by the program. Here,
                                           effect is the extent to which positive or negative changes
                                           in actual physical, social, or economic conditions can be
                                           identified and attributed to program operations.

                                           7.65 Cause: Like effect, cause also has two meanings
                                           that depend on the audit objectives. When the auditors’
                                           objectives include explaining why a particular type of
                                           positive or negative performance identified in the audit
                                           occurred, the reasons for that performance are referred
                                           to as “cause.” Identifying the cause of problems can
                                           assist auditors in making constructive recommendations
                                           for correction. Because problems can result from a
                                       number of plausible factors or multiple causes, the
                                       recommendation can be more persuasive if auditors can
                                       clearly demonstrate and explain with evidence and
                                       reasoning the link between the problems and the factor
                                       or factors they have identified as the cause. When the
                                       auditors’ objectives include estimating the program’s
                                       effect on changes in physical, social, or economic
                                       conditions, auditors seek evidence of the extent to
                                       which the program itself is the “cause” of those changes.
                                       Auditors may identify significant deficiencies in internal
                                       control as the cause of deficient performance. In
                                       reporting this type of finding, the internal control
                                       deficiency would be described as the “cause.”


Audit Documentation                    7.66 The field work standard related to audit
                                       documentation for performance audits performed in
                                       accordance with GAGAS is:

                                       Auditors should prepare and maintain audit
                                       documentation. Audit documentation related to
                                       planning, conducting, and reporting on the audit
                                       should contain sufficient information to enable an
                                       experienced auditor, who has had no previous
                                       connection with the audit, to ascertain from the
                                       audit documentation the evidence that supports
                                       the auditors’ significant judgments and
                                       conclusions. Audit documentation should contain
                                       support for findings, conclusions, and
                                       recommendations before auditors issue their
                                       report.

                                       7.67 The form and content of audit documentation
                                       should be designed to meet the circumstances of the
                                       particular audit. The information contained in audit
                                       documentation constitutes the principal record of the
                                       work that the auditors have performed in accordance
                                       with standards and the conclusions that the auditors
                                       have reached. The quantity, type, and content of audit
                                           documentation are a matter of the auditors’ professional
                                           judgment.

                                           7.68 Audit documentation serves to (1) provide the
                                           principal support for the auditors’ report, (2) aid
                                           auditors in conducting and supervising the audit, and
                                           (3) allow for the review of audit quality. Audit
                                           documentation should be appropriately detailed to
                                           provide a clear understanding of its purpose and source
                                           and the conclusions the auditors reached, and it should
                                           be appropriately organized to provide a clear link to the
                                           findings, conclusions, and recommendations contained
                                           in the audit report. Audit documentation for
                                           performance audits should contain the following items
                                           not explicitly addressed elsewhere in GAGAS:

                                           a. the objectives, scope, and methodology of the audit,
                                           including sampling and other selection criteria used;

                                           b. the auditors’ determination that certain standards do
                                           not apply or that an applicable standard was not
                                           followed, the reasons therefor, and the known effect
                                           that not following the applicable standard had, or could
                                           have had, on the audit;

                                           c. the work performed to support significant judgments
                                           and conclusions, including descriptions of transactions
                                           and records examined;87 and

                                           d. evidence of supervisory reviews, before the audit
                                           report is issued, of the work performed that supports
                                           findings, conclusions, and recommendations contained
                                           in the audit report.


                                           [87] Auditors may meet this requirement by listing file numbers, case
                                           numbers, or other means of identifying specific documents they
                                           examined. They are not required to include copies of documents they
                                           examined as part of the audit documentation, nor are they required to
                                           list detailed information from those documents.


                                       7.69 Audit organizations should establish reasonable
                                       policies and procedures for the safe custody and
                                       retention of audit documentation for a time sufficient to
                                       satisfy legal and administrative requirements. Audit
                                       documentation allows for the review of audit quality by
                                       providing the reviewer with documentation, either in
                                       written or electronic formats, of the evidence supporting
                                       the auditors’ significant judgments and conclusions. If
                                       audit documentation is only retained electronically, the
                                       audit organization should ensure that the electronic
                                       documentation is capable of being accessed throughout
                                       the specified retention period established for audit
                                       documentation and that it is safeguarded through sound
                                       computer security.

                                       7.70 Underlying GAGAS audits is the premise that
                                       federal, state, and local governments and other
                                       organizations cooperate in auditing programs of
                                       common interest so that the auditors may use others’
                                       work and avoid duplication of effort. Auditors should
                                       make arrangements to make audit documentation
                                       available, upon request, in a timely manner to other
                                       auditors or reviewers. Contractual arrangements for
                                       GAGAS audits should provide for full and timely access
                                       to audit documentation to facilitate reliance by others
                                       on the auditors’ work.

                                       7.71 Audit organizations need to adequately safeguard
                                       the audit documentation associated with any particular
                                       engagement. Audit organizations should develop clearly
                                       defined policies and criteria to deal with situations
                                       where requests are made by outside parties to obtain
                                       access to audit documentation, especially in connection
                                       with situations where an outside party attempts to
                                       obtain indirectly through the auditor information that it
                                       is unable to obtain directly from the audited entity. In
                                       developing such policies, audit organizations need to
                                       consider applicable laws and regulations applying to the
                                       audit organizations or the audited entity.





   Chapter 8


   Reporting Standards for Performance
   Audits




   Introduction                            8.01 This chapter prescribes reporting standards and
                                           provides guidance to auditors reporting on performance
                                           audits in accordance with generally accepted
                                           government auditing standards (GAGAS). The reporting
                                           standards for performance audits relate to the form of
                                           the report, the report contents, report quality, and report
                                           issuance and distribution.


   Form                                    8.02 The reporting standard related to the form of the
                                           report for performance audits performed in accordance
                                           with GAGAS is:

                                           Auditors should prepare audit reports
                                           communicating the results of each audit.

                                           8.03 The form of the audit report should be appropriate
                                           for its intended use, but should be written or in some
                                           other retrievable form. Auditors should use their
                                           professional judgment including consideration of users’
                                           needs, likely demand, and distribution in determining
                                           the form of the audit report. In addition to a more formal
                                           presentation of audit results, such as a chapter report or
                                           a letter report, briefing slides may be considered audit
                                           reports. Audit reports also may be presented on
                                           electronic media that are retrievable by report users and
                                           the audit organization, such as video or compact disc
                                           formats. However, regardless of form, audit reports
                                           should comply with all applicable reporting standards.

                                           8.04 This standard is not intended to limit or prevent
                                           discussion of findings, judgments, conclusions, and
                                           recommendations with persons who have
                                           responsibilities involving the area being audited. On the
                                           contrary, such discussions are encouraged.

                                           8.05 Audit reports (1) communicate the results of audits
                                           to officials at various levels of government, (2) make the
                                           results less susceptible to misunderstanding, (3) make
                                       the results available for public inspection, and
                                       (4) facilitate follow-up to determine whether
                                       appropriate corrective actions have been taken. The
                                       need to maintain public accountability for government
                                       programs demands that audit reports be retrievable.

                                       8.06 If an audit is terminated before it is completed but
                                       the auditors do not issue an audit report, auditors
                                       should follow the requirements in paragraph 7.40.


Report Contents                        8.07 The reporting standard related to the contents of
                                       the report for performance audits conducted in
                                       accordance with GAGAS is:

                                       The audit report should include the objectives,
                                       scope, and methodology; the audit results,
                                       including findings, conclusions, and
                                       recommendations, as appropriate; a reference to
                                       compliance with generally accepted government
                                       auditing standards; the views of responsible
                                       officials; and, if applicable, the nature of any
                                       privileged and confidential information omitted.


Objectives, Scope,                     8.08 Auditors should include in the report the audit
and Methodology                        objectives and the scope and methodology used for
                                       achieving the audit objectives. This information is
                                       needed by report users to understand the purpose of the
                                       audit and the nature of the audit work performed, to
                                       provide perspective as to what is reported, and to
                                       understand any significant limitations in audit
                                       objectives, scope, or methodology.

                                       8.09 Audit objectives should be communicated in the
                                       audit report in a clear, specific, and neutral manner that
                                       avoids unstated assumptions. Auditors should explain
                                       why the audit organization undertook the assignment
                                       and state what the report is to accomplish and why the
                                           subject matter is important. Articulating what the report
                                           is to accomplish normally involves identifying the audit
                                           subject and the aspect of performance examined. The
                                           reported audit objectives provide more meaningful
                                           information to report users if they are measurable and
                                           feasible and avoid being presented in a broad or general
                                           manner. To reduce misunderstanding in cases where the
                                           objectives are particularly limited and broader
                                           objectives can be inferred, it may be necessary to state
                                           objectives that were not pursued.

                                           8.10 In reporting the scope of the audit, auditors should
                                           describe the depth and coverage of work conducted to
                                           accomplish the audit’s objectives. Auditors should, as
                                           applicable, explain the relationship between the
                                           population of items sampled and what was audited;
                                           identify organizations, geographic locations, and the
                                           period covered; report the kinds and sources of
                                           evidence; and explain any problems with the evidence.
                                           Auditors should also report significant constraints
                                           imposed on the audit approach by data limitations or
                                           scope impairments, including demands of access to
                                           certain records or individuals.

                                           8.11 To report the methodology used, auditors should
                                           clearly explain how the audit objectives were
                                           accomplished, including the evidence gathering and
                                           analysis techniques used, in sufficient detail to allow
                                           knowledgeable users of their reports to understand the
                                           work. This explanation should identify any significant
                                           assumptions made in conducting the audit; describe any
                                           comparative techniques applied; describe the criteria
                                           used; and, when sampling significantly supports
                                           auditors’ findings, describe the sample design and state
                                           why it was chosen, including whether the results can be
                                           projected to the intended population.








                                       8.12 Auditors should attempt to avoid misunderstanding
                                       by the report user concerning the work that was and
                                       was not done to achieve the audit objectives,
                                       particularly when the work was limited because of
                                       constraints on time or resources. The auditors’ report
                                       should clearly describe the scope of the work performed
                                       and any limitations; any applicable standards that were
                                       not followed, and the reasons therefor; and how not
                                       following the applicable standards affected or could
                                       affect the results of the work. For example, if the
                                       auditors are unable to determine the reliability of
                                       information from an agency’s database, and information
                                       from this database is critical to achieving the audit
                                       objectives, the report should clearly state the limitations
                                       associated with the information and refrain from making
                                       unwarranted conclusions or recommendations. In these
                                       situations, the audit report should also include the
                                       reasons the auditors were unable to perform this work
                                       and the potential impact on the findings if the
                                       information is not reliable.[88]




                                       [88] When computer-processed data are included in the report for
                                       background or informational purposes and are not significant to the
                                       auditors’ findings, citing the source of the data and stating that they
                                       were not verified will satisfy the reporting standards.






   Findings                                8.13 Auditors should report findings by providing
                                           credible evidence that relates to the audit objectives.
                                           These findings should be supported by sufficient,
                                           competent, and relevant evidence. They also should be
                                           presented in a manner to promote adequate
                                           understanding of the matters reported and to provide
                                           convincing but fair presentations in proper perspective.
                                           The audit report should provide selective background
                                           information to provide the context for the overall
                                           message and to help the reader understand the findings
                                           and significance of the issues discussed.[89]

                                           8.14 As discussed in chapter 7, audit findings have often
                                           been regarded as containing the elements of criteria,
                                           condition, cause, and effect. However, the elements
                                           needed for a finding depend on the audit objectives. For
                                           example, an audit objective may be limited to
                                           determining the current status or condition of
                                           implementing legislative requirements, and not the
                                           related cause or effect. Thus, a finding or set of findings
                                           is complete to the extent that the audit objectives are
                                           satisfied and the report clearly relates those objectives
                                           to the elements of the finding.

                                           8.15 To the extent possible, in presenting findings,
                                           auditors should develop the elements of criteria,
                                           condition, cause, and effect to assist officials of the
                                           audited entity or oversight officials of the audited entity
                                           in understanding the need for taking corrective action.
                                           In addition, if auditors are able to sufficiently develop
                                           the findings, auditors should provide recommendations




                                           [89] Appropriate background information may include information on
                                           how programs and operations work; the significance of programs and
                                           operations (e.g., dollars, impact, purposes, and past audit work if
                                           relevant); a description of the audited entity’s responsibilities; and
                                           explanation of terms, organizational structure, and the statutory basis
                                           for the program and operations.






                                       for corrective action. Following is guidance for
                                       reporting on elements of findings:

                                       a. Criteria provides information so that the report user
                                       will be able to determine what is the required or desired
                                       state or what is expected from the program or operation.
                                       The criteria are easier to understand when stated fairly,
                                       explicitly, and completely and when the source of the
                                       criteria is identified in the audit report.[90]

                                       b. Condition provides evidence on what the auditors
                                       found regarding the actual situation. Reporting the
                                       scope or extent of the condition allows the report user
                                       to gain an accurate perspective.

                                       c. Cause provides persuasive evidence on the factor or
                                       factors responsible for the difference between condition
                                       and criteria. In reporting the cause, auditors may
                                       consider whether the evidence provides a reasonable
                                       and convincing argument for why the stated cause is the
                                       key factor or factors contributing to the difference as
                                       opposed to other possible causes, such as poorly
                                       designed criteria or factors uncontrollable by program
                                       management. The auditors also may consider whether
                                       the identified cause could serve as a basis for the
                                       recommendations.

                                       d. Effect provides a clear, logical link to establish the
                                       impact of the difference between what the auditors


                                       [90] Common sources for criteria include laws, regulations, policies,
                                       procedures, and best or standard practices. The Standards for
                                       Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
                                       (Washington, D.C.: Nov. 1999) and Internal Control—Integrated
                                       Framework, published by the Committee of Sponsoring Organizations
                                       of the Treadway Commission (COSO) are two sources of established
                                       criteria auditors can use to support their judgments and conclusions
                                       about internal control. The related Internal Control Management and
                                       Evaluation Tool, GAO-01-1008G (Washington, D.C.: Aug. 2001), based
                                       on the federal internal control standards, provides a systematic,
                                       organized, and structured approach to assessing internal control.






                                           found (condition) and what should be (criteria). Effect
                                           is easier to understand when it is stated clearly,
                                           concisely, and, if possible, in quantifiable terms. The
                                           significance of the reported effect can be demonstrated
                                           through credible evidence.

                                           8.16 The audit report should also include any significant
                                           deficiencies[91] in internal control, all instances of fraud
                                           and illegal acts unless they are clearly inconsequential,[92]
                                           significant violations of provisions of contracts or grant
                                           agreements, and significant abuse.

   Internal Control                        8.17 Auditors should include in the audit report the
   Deficiencies                            scope of their work on internal control and any
                                           significant deficiencies found during the audit. When
                                           auditors detect deficiencies in internal control that are
                                           not significant, they should communicate those
                                           deficiencies in a separate letter to officials of the audited
                                           entity unless the deficiencies are clearly inconsequential
                                           considering both qualitative and quantitative factors. If
                                           the auditors have communicated deficiencies in a
                                           separate letter to officials of the audited entity, they
                                           should refer to that letter in the audit report. Auditors
                                           should use professional judgment in determining
                                           whether or how to communicate deficiencies that are
                                           clearly inconsequential to officials of the audited entity.
                                           Auditors should include in their audit documentation
                                           evidence of all communications about internal control
                                           deficiencies found during the audit.



                                           [91] Significant deficiencies are those matters coming to the auditor’s
                                           attention that, in the auditor’s judgment, affect the results of the
                                           auditors’ work and the auditors’ conclusions and recommendations
                                           about those results.
                                           [92] Whether a particular act is, in fact, illegal may have to await final
                                           determination by a court of law. Thus, when auditors disclose matters
                                           that have led them to conclude that an illegal act is likely to have
                                           occurred, they should take care not to unintentionally imply that a
                                           final determination of illegality has been made.






                                       8.18 In a performance audit, auditors may identify
                                       significant deficiencies in internal control as the cause
                                       of deficient performance. In reporting this type of
                                       finding, the internal control weakness would be
                                       described as the cause.

Fraud, Illegal Acts,                   8.19 When auditors conclude, based on evidence
Violations of                          obtained, that fraud, illegal acts, significant violations of
Provisions of                          provisions of contracts or grant agreements, or
Contracts or Grant                     significant abuse either has occurred or is likely to have
Agreements, and                        occurred, they should include in their audit report
Abuse                                  relevant information.[93] Abuse occurs when the conduct
                                       of a government program or entity falls far short of
                                       behavior that is expected to be reasonable and
                                       necessary business practices by a prudent person.

                                       8.20 When reporting instances of fraud, illegal acts,
                                       violations of provisions of contracts or grant
                                       agreements, and abuse, auditors should place their
                                       findings in proper perspective by providing a description
                                       of the work conducted that resulted in the finding. To
                                       give the reader a basis for judging the prevalence and
                                       consequences of these findings, the instances identified
                                       should be related to the population or the number of
                                       cases examined and be quantified in terms of dollar
                                       value, if appropriate. If the results cannot be projected,
                                       auditors should limit their conclusion to the items
                                       tested.

                                       8.21 When auditors detect violations of provisions of
                                       contracts or grant agreements; or abuse that is not
                                       significant, they should communicate those findings in a
                                       separate letter to officials of the audited entity unless
                                       the findings are clearly inconsequential, considering
                                       both qualitative and quantitative factors. If the auditors


                                       [93] See paragraphs 8.22 through 8.26 for additional reporting
                                       considerations.






                                           have communicated instances of fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, or abuse in a separate letter to officials of
                                           the audited entity, auditors should refer to that letter in
                                           the audit report. Auditors should use their professional
                                           judgment in determining whether and how to
                                           communicate to officials of the audited entity fraud,
                                           illegal acts, violations of provisions of contracts or grant
                                           agreements, and abuse that are clearly inconsequential.
                                           Auditors should include in their audit documentation
                                           evidence of all communications to officials of the
                                           audited entity about instances of fraud, illegal acts,
                                           violations of provisions of contracts or grant
                                           agreements, and abuse.

   Direct Reporting of                     8.22 GAGAS require auditors to report fraud, illegal
   Fraud, Illegal Acts,                    acts, violations of provisions of contracts or grant
   Violations of                           agreements, and abuse directly to parties outside the
   Provisions of                           audited entity in certain circumstances, as discussed
   Contracts or Grant                      below.[94] These requirements are in addition to any legal
   Agreements, and                         requirements for direct reporting of fraud, illegal acts,
   Abuse                                   violations of provisions of contracts or grant
                                           agreements, and abuse. Auditors should meet these
                                           requirements even if they have resigned or been
                                           dismissed from the audit.

                                           8.23 The audited entity may be required by law or
                                           regulation to report certain fraud, illegal acts, violations
                                           of provisions of contracts or grant agreements, or abuse
                                           to specified external parties, such as a federal inspector
                                           general or a state attorney general. If auditors have
                                           communicated such fraud, illegal acts, violations of
                                           provisions of contracts or grant agreements, or abuse to
                                           the audited entity and it fails to report them, then the


                                           94 Internal audit organizations do not have a duty to report outside the
                                           entity unless required by law, rule, regulation, or policy. See paragraph
                                           3.28 for reporting requirements for internal audit organizations when
                                           reporting externally.


                                       auditors should communicate their awareness of that
                                       failure to the governing body of the audited entity. If the
                                       audited entity does not make the required report as soon
                                       as possible after the auditors’ communication with the
                                       entity’s governing body, then the auditors should report
                                       such fraud, illegal acts, violations of provisions of
                                       contracts or grant agreements, or abuse directly to the
                                       external party specified in the law or regulation.

                                       8.24 Officials of the audited entity are responsible for
                                       taking timely and appropriate steps to remedy fraud,
                                       illegal acts, violations of provisions of contracts or grant
                                       agreements, or abuse that auditors report to them. When
                                       fraud, illegal acts, violations of provisions of contracts
                                       or grant agreements, or abuse involves assistance
                                       received directly or indirectly from a government
                                       agency, auditors may have a duty to report such fraud,
                                       illegal acts, violations of provisions of contracts or grant
                                       agreements, or abuse directly to that government agency
                                       if officials of the audited entity fail to take remedial
                                       steps. If auditors conclude that such failure is likely to
                                       cause them to report such findings or resign from the
                                       audit, they should communicate that conclusion to the
                                       governing body of the audited entity. Then, if the audited
                                       entity does not report the fraud, illegal act, violation of
                                       provisions of contracts or grant agreements, or abuse as
                                       soon as possible to the entity that provided the
                                       government assistance, the auditors should report the
                                       fraud, illegal act, violation of provisions of contracts or
                                       grant agreements, or abuse directly to that entity.

                                       8.25 In these situations, auditors should obtain
                                       sufficient, competent, and relevant evidence, such as
                                       confirmation with outside parties, to corroborate
                                       assertions by officials of the audited entity that the
                                       officials have reported fraud, illegal acts, violations of
                                       provisions of contracts or grant agreements, or abuse. If
                                       the officials are unable to do so, then the auditors
                                       should report such fraud, illegal acts, violations of

                                           provisions of contracts or grant agreements, or abuse
                                           directly as discussed above.

                                           8.26 Laws, regulations, or other authority may require
                                           auditors to report promptly indications of certain types
                                           of fraud, illegal acts, violations of provisions of
                                           contracts or grant agreements, or abuse to law
                                           enforcement or investigatory authorities. In such
                                           circumstances, when auditors conclude that these types
                                           of fraud, illegal acts, violations of provisions of
                                           contracts or grant agreements, or abuse either have
                                           occurred or are likely to have occurred, they should ask
                                           those authorities or legal counsel if publicly reporting
                                           certain information about the potential fraud, illegal
                                           acts, violations of provisions of contracts or grant
                                           agreements, or abuse would compromise investigative
                                           or legal proceedings. Auditors should limit the extent of
                                           their public reporting to matters that would not
                                           compromise those proceedings, such as information
                                           that is already a part of the public record.


   Conclusions                             8.27 Auditors should report conclusions when called for
                                           by the audit objectives and the results of the audit.
                                           Conclusions are logical inferences about the program
                                           based on the auditors’ findings and should represent
                                           more than just a summary of the findings. Conclusions
                                           should be clearly stated, not implied. The strength of the
                                           auditors’ conclusions depends on the persuasiveness of
                                           the evidence supporting the findings and the soundness
                                           of the logic used to formulate the conclusions.
                                           Conclusions are stronger if they set up the report’s
                                           recommendations and convince the knowledgeable user
                                           of the report that action is necessary.


   Recommendations                         8.28 If warranted, auditors should make
                                           recommendations for actions to correct problems
                                           identified during the audit and to improve programs and
                                           operations. Auditors should make recommendations
                                       when the potential for improvement in programs,
                                       operations, and performance is substantiated by the
                                       reported findings and conclusions. Recommendations
                                       should logically flow from the findings and conclusions
                                       and need to state clearly the actions to be taken.
                                       Recommendations to effect compliance with laws and
                                       regulations and improve internal control also should be
                                       made when significant instances of possible fraud,
                                       illegal acts, or violations of provisions of contracts or
                                       grant agreements are noted, or when abuse or
                                       deficiencies in internal control are found.

                                       8.29 Constructive recommendations can encourage
                                       improvements in the conduct of government programs
                                       and operations. For recommendations to be most
                                       constructive, they should be directed at resolving the
                                       cause of identified problems, action oriented and
                                       specific, addressed to parties that have the authority to
                                       act, practical and, to the extent feasible, cost effective
                                       and measurable.


Statement on                           8.30 Auditors should report that the audit was made in
Compliance with                        accordance with GAGAS. The statement of compliance
GAGAS                                  with GAGAS refers to all the applicable standards that
                                       the auditors should have followed during the audit. The
                                       statement referencing compliance with GAGAS should
                                       be qualified in situations in which the auditors did not
                                       follow an applicable standard. In these situations,
                                       auditors should disclose in the scope section of the
                                       report the applicable standard that was not followed, the
                                       reasons therefor, and how not following the standard
                                       affected, or could have affected, the results of the audit.
                                       In assessing the impact of not following an applicable
                                       standard on the results of the audit, auditors may need
                                       to qualify any assurances, disclaim from providing any
                                       assurances, or withdraw from the audit.




   Reporting Views of                      8.31 Auditors should report the views of responsible
   Responsible                             officials of the audited program concerning auditors’
   Officials                               findings, conclusions, and recommendations, as well as
                                           planned corrective actions. One of the most effective
                                           ways to ensure that a report is fair, complete, and
                                           objective is to obtain advance review and comments by
                                           responsible officials of the audited entity and others, as
                                           may be appropriate. Including the views of responsible
                                           officials results in a report that presents not only the
                                           auditors’ findings, conclusions, and recommendations,
                                           but also what the responsible officials of the audited
                                           entity think about the audit results and what corrective
                                           actions officials of the audited entity plan to take.
                                           Auditors should include in their report a copy of the
                                           officials’ written comments or a summary of the
                                           comments received.

                                           8.32 Auditors should normally request that the
                                           responsible officials submit in writing their views on
                                           reported findings, conclusions, and recommendations,
                                           as well as management’s planned corrective actions.
                                           Oral comments are acceptable as well and, in some
                                           cases, may be the only or most expeditious way to
                                           obtain comments. Cases in which obtaining oral
                                           comments can be effective include when there is a time-
                                           critical requirement to meet a user’s needs; the auditors
                                           have worked closely with the responsible officials
                                           throughout the conduct of the work and the parties are
                                           very familiar with the findings and issues addressed in
                                           the draft report; or the auditors do not expect major
                                           disagreements with the draft report’s findings,
                                           conclusions, and recommendations, or perceive any
                                           major controversies with regard to the issues discussed
                                           in the draft report. Auditors should prepare a summary
                                           of the officials’ oral comments and provide a copy of the
                                           summary to officials of the audited entity to verify that
                                           the comments are accurately stated prior to finalizing
                                           the report.


                                       8.33 Comments should be fairly and objectively
                                       evaluated and recognized, as appropriate, in the final
                                       report. Comments, such as a promise or plan for
                                       corrective action, should be noted but should not be
                                       accepted as justification for dropping a finding or a
                                       related recommendation.

                                       8.34 When the audited entity’s comments oppose the
                                       report’s findings, conclusions, or recommendations and
                                       are not, in the auditors’ opinion, valid, or when planned
                                       corrective actions do not adequately address the
                                       auditors’ recommendations, the auditors should state
                                       their reasons for disagreeing with the comments or
                                       planned corrective actions. The auditors’ disagreement
                                       should be stated in a fair and objective manner.
                                       Conversely, the auditors should modify their report as
                                       necessary if they find the comments valid.


Reporting Privileged                   8.35 If certain pertinent information is prohibited from
and Confidential                       general disclosure, the audit report should state the
Information                            nature of the information omitted and the requirement
                                       that makes the omission necessary.

                                       8.36 Certain information may be prohibited from
                                       general disclosure by federal, state, or local laws or
                                       regulations. In such circumstances, auditors may issue a
                                       separate limited-official-use report containing such
                                       information and distribute the report only to persons
                                       authorized by law or regulation to receive it. Additional
                                       circumstances associated with public safety and
                                       security concerns could also justify the exclusion of
                                       certain information in the report. For example, detailed
                                       information related to computer security for a particular
                                       program may be excluded from publicly available
                                       reports because of the potential damage that could be
                                       caused by the misuse of this information. In such
                                       circumstances, auditors may issue a limited-official-use
                                       report containing such information and distribute the
                                       report only to those parties responsible for acting on the
                                           auditors’ recommendations. The auditors should, when
                                           appropriate, consult with legal counsel regarding any
                                           requirements or other circumstances that may
                                           necessitate the omission of certain information.

                                           8.37 Auditors’ judgments that certain information
                                           should be excluded from publicly available reports
                                           should be made in a manner consistent with
                                           consideration of the broader public interest in the
                                           program or activity under review. When circumstances
                                           call for omission of certain information, auditors should
                                           consider whether this omission could distort the
                                           engagement results or conceal improper or unlawful
                                           practices. If auditors make the judgment that certain
                                           information should be excluded from a publicly
                                           available report, they should state the general nature of
                                           the information omitted and the reasons that make the
                                           omission necessary in the report.


   Report Quality                          8.38 The reporting standard related to report quality for
   Elements                                performance audits performed in accordance with
                                           GAGAS is:

                                           The report should be timely, complete, accurate,
                                           objective, convincing, clear, and as concise as the
                                           subject permits.


   Timely                                  8.39 To be of maximum use, the audit report needs to
                                           provide relevant information in time to respond to
                                           officials of the audited entity, legislative officials, and
                                           other users’ legitimate needs. Likewise, the information
                                           provided in the report needs to be current. Therefore,
                                           auditors should plan for the appropriate issuance of the
                                           report and conduct the audit with these goals in mind.

                                           8.40 During the audit, the auditors should consider
                                           interim reporting of significant matters to appropriate

                                       entity officials. Such communication, which may be oral
                                       or written, is not a substitute for a final report, but it
                                       does alert officials to matters needing immediate
                                       attention and permits them to take corrective action
                                       before the final report is completed.


Complete                               8.41 Being complete requires that the report contain all
                                       evidence needed to satisfy the audit objectives and
                                       promote an adequate and correct understanding of the
                                       matters reported. It also means the report states
                                       information and findings completely, including all
                                       necessary facts and explanations. Giving report users an
                                       adequate and correct understanding means providing
                                       perspective on the extent and significance of reported
                                       findings, such as the frequency of occurrence relative to
                                       the number of cases or transactions tested and the
                                       relationship of the findings to the entity’s operations.

                                       8.42 In most cases, a single example of a deficiency is
                                       not sufficient to support a broad conclusion or a related
                                       recommendation. All that it supports is that a deviation,
                                       an error, or a weakness existed. Sufficient detailed
                                       supporting data should be included to make convincing
                                       presentations.


Accurate                               8.43 Accuracy requires that the evidence presented be
                                       true and that findings be correctly portrayed. The need
                                       for accuracy is based on the need to assure report users
                                       that what is reported is credible and reliable. One
                                       inaccuracy in a report can cast doubt on the reliability of
                                       an entire report and can divert attention from the
                                       substance of the report. Also, use of inaccurate evidence
                                       can damage the credibility of the issuing audit
                                       organization and reduce the effectiveness of its reports.

                                       8.44 The report should include only information,
                                       findings, and conclusions that are supported by
                                       sufficient, competent, and relevant evidence in the audit
                                           documentation. If data are significant to the audit
                                           findings and conclusions, but are not audited, the
                                           auditors should clearly indicate in their report the data’s
                                           limitations and not make unwarranted conclusions or
                                           recommendations based on those data.

                                           8.45 Evidence included in audit reports should
                                           demonstrate the correctness and reasonableness of the
                                           matters reported. Correct portrayal means describing
                                           accurately the audit scope and methodology and
                                           presenting findings and conclusions in a manner
                                           consistent with the scope of audit work. The report also
                                           should not have errors in logic and reasoning. One way
                                           to help ensure that the audit report meets these
                                           reporting standards is to use a quality control process
                                           such as referencing. Referencing is a process in which
                                           an experienced auditor who is independent of the audit
                                           verifies that statements of facts, figures, and dates are
                                           correctly reported, that the findings are adequately
                                           supported by the audit documentation, and that the
                                           conclusions and recommendations flow logically from
                                           the support.


   Objective                               8.46 Objectivity requires that the presentation of the
                                           entire report be balanced in content and tone. A report’s
                                           credibility is significantly enhanced when it presents
                                           evidence in an unbiased manner so that report users can
                                           be persuaded by the facts. The report should be fair and
                                           not misleading and should place the audit results in
                                           perspective. This means presenting the audit results
                                           impartially and fairly. In describing shortcomings in
                                           performance, auditors should put findings in context.
                                           For example, the audited entity may have faced unusual
                                           difficulties or circumstances.

                                           8.47 The tone of reports should encourage decision
                                           makers to act on the auditors’ findings and
                                           recommendations. This tone should be balanced by
                                           requiring reports to present sound and logical evidence
                                       to support conclusions while refraining from using
                                       adjectives or adverbs that characterize evidence in a
                                       way that implies criticism or unsupported conclusions.

                                       8.48 The report should recognize the positive aspects of
                                       the program reviewed if applicable to the audit
                                       objectives. Inclusion of positive program aspects may
                                       lead to improved performance by other government
                                       organizations that read the report. Such information
                                       allows for a fairer presentation of the situation by
                                       providing appropriate balance to the report. In addition,
                                       inclusion of such accomplishments may lead to
                                       improved performance by other government
                                       organizations that read the report.


Convincing                             8.49 Being convincing requires that the audit results be
                                       responsive to the audit objectives, that the findings be
                                       presented persuasively, and that the conclusions and
                                       recommendations follow logically from the facts
                                       presented. The information presented should be
                                       sufficient to convince the report users to recognize the
                                       validity of the findings, the reasonableness of the
                                       conclusions, and the benefit of implementing the
                                       recommendations. Reports designed in this way can
                                       help focus the attention of responsible officials on the
                                       matters that warrant attention and can provide an
                                       incentive for taking corrective action.


Clear                                  8.50 Clarity requires that the report be easy to read and
                                       understand. Reports should be prepared in language as
                                       clear and simple as the subject permits. Use of
                                       straightforward, nontechnical language is essential to
                                       simplicity of presentation. Whenever technical terms,
                                       abbreviations, and acronyms are used, they should be
                                       clearly defined.

                                       8.51 Auditors may consider using a summary within the
                                       report to capture the report user’s attention and
                                           highlight the overall message. If a summary is used, it
                                           generally should focus on the specific answers to the
                                           questions in the audit objectives, summarize the audit’s
                                           most significant findings and the report’s principal
                                           conclusions, and prepare users to anticipate the major
                                           recommendations.

                                           8.52 Logical organization of material, and accuracy and
                                           precision in stating facts and in drawing conclusions, are
                                           essential to clarity and understanding. Effective use of
                                           titles and captions and topic sentences makes the report
                                           easier to read and understand. Visual aids (such as
                                           pictures, charts, graphs, and maps) should be used when
                                           appropriate to clarify and summarize complex material.


   Concise                                 8.53 Being concise requires that the report be no longer
                                           than necessary to convey and support the message.
                                           Extraneous detail detracts from a report, may even
                                           conceal the real message, and may confuse or distract
                                           the users. Also, needless repetition should be avoided.
                                           Although room exists for considerable judgment in
                                           determining the content of reports, those that are fact-
                                           based but concise are likely to achieve greater results.


   Report Issuance                         8.54 The reporting standard related to report issuance
   and Distribution                        and distribution for performance audits performed in
                                           accordance with GAGAS is:

                                           Government auditors should submit audit reports
                                           to the appropriate officials of the audited entity
                                           and to the appropriate officials of the
                                           organizations requiring or arranging for the
                                           audits, including external funding organizations,
                                           such as legislative bodies, unless legal restrictions
                                           prevent it. Auditors should also send copies of the
                                           reports to other officials who have legal oversight
                                           authority or who may be responsible for acting on
                                       audit findings and recommendations, and also to
                                       others authorized to receive such reports. Unless
                                       the report is restricted by law or regulation, or
                                       contains privileged or confidential information,
                                       auditors should clarify that copies are made
                                       available for public inspection. Nongovernment
                                       auditors should clarify report distribution
                                       responsibilities with the party contracting for the
                                       audit and follow the agreements reached.

                                       8.55 Audit reports should be distributed in a timely
                                       manner to officials interested in the results. Such
                                       officials include those designated by law or regulation to
                                       receive such reports, those responsible for acting on the
                                       findings and recommendations contained in the report,
                                       those in other levels of government who have provided
                                       assistance to the audited entity, and legislators.
                                       However, if the subject of the audit involves material
                                       that is classified for security purposes or is not
                                       releasable to particular parties or the public for other
                                       valid reasons, auditors should limit the report
                                       distribution. (See paragraphs 8.35 through 8.37 for
                                       additional guidance on limited report distribution.) The
                                       availability of the report for public inspection should be
                                       documented in the audit documentation.

                                       8.56 When nongovernment auditors are engaged to
                                       perform the audit under GAGAS, they should clarify
                                       report distribution responsibilities with the engaging
                                       organization. If the nongovernment auditors are to make
                                       the distribution, the engagement agreement should
                                       indicate which officials or organizations should receive
                                       the report and any other steps being taken to ensure the
                                       availability of the report for public inspection. The
                                       availability of the report for public inspection should be
                                       documented in the audit documentation.

                                       8.57 Internal auditors should follow their entity’s own
                                       arrangements and statutory requirements for
                                           distribution. Usually, they report to their entity’s head or
                                           deputy head, who is responsible for distribution of the
                                           report. Further distribution of reports outside the
                                           organization should be made in accordance with
                                           applicable laws, rules, regulations, or policy.








   Appendix I

   Advisory Council on Government Auditing Standards




   Advisory Council                        Mr. Jack R. Miller, Chair
   Members                                 KMPG LLP
                                           (member 1997-1998; chair 2001-2003)

                                           Mr. Richard C. Tracy, Former Chair
                                           Office of City Auditor
                                           Portland, Oregon
                                           (member 1997-1998; chair 1999-2000)

                                           The Honorable James B. Thomas, Former Chair
                                           Office of the Chief Inspector General
                                           State of Florida
                                           (chair 1997-1998)

                                           The Honorable Ernest A. Almonte
                                           Office of the Auditor General
                                           State of Rhode Island
                                           (member 2001-2003)

                                           Mr. Robert H. Attmore
                                           Office of the Comptroller
                                           New York State
                                           (member 1997-1999)

                                           The Honorable Thomas R. Bloom
                                           Defense Finance and Accounting Service
                                           (member 1997-2000)

                                           The Honorable June Gibbs Brown
                                           U.S. Department of Health and Human Services
                                           (member 1997-1999)

                                           The Honorable Ralph Campbell, Jr.
                                           Office of the State Auditor
                                           State of North Carolina
                                           (member 2000-2002)




                                       Mr. Donald H. Chapin
                                       Consultant
                                       (member 1997-1998)

                                       Ms. Patricia A. Dalton
                                       U.S. Department of Labor
                                       (member 1997-1999)

                                       The Honorable Debra K. Davenport
                                       Office of the Auditor General
                                       State of Arizona
                                       (member 2002-2004)

                                       The Honorable Bert T. Edwards
                                       Department of Interior
                                       (member 2000-2002)

                                       Dr. John H. Engstrom
                                       University of Northern Illinois
                                       (member 2002-2004)

                                       The Honorable Richard L. Fair
                                       Office of the State Auditor
                                       State of New Jersey
                                       (member 2002-2004)

                                       Dr. Ehsan Feroz
                                       University of Minnesota Duluth
                                       (member 2002-2004)

                                       The Honorable Gregory H. Friedman
                                       Department of Energy
                                       (member 2002-2004)

                                       The Honorable Gaston L. Gianni, Jr.
                                       Federal Deposit Insurance Corporation
                                       (member 1999-2001)



                                           Ms. Barbara J. Hinton
                                           Office of the Legislative Post Auditor
                                           State of Kansas
                                           (member 1999-2001)

                                           Mr. David G. Hitchcock
                                           Standard & Poor’s
                                           (member 1999-2001)

                                           Dr. Jesse W. Hughes
                                           Consultant
                                           (member 2000-2002)

                                           Dr. Rhoda C. Icerman
                                           Florida State University
                                           (member 2001-2003)

                                           Mr. Norwood J. Jackson, Jr.
                                           U.S. Office of Management and Budget
                                           (member 1997-2000)

                                           The Honorable Auston G. Johnson
                                           Office of the State Auditor
                                           State of Utah
                                           (member 2000-2002)

                                           The Honorable Margaret B. Kelly
                                           Office of the State Auditor
                                           State of Missouri
                                           (member 1997-1998)

                                           Dr. Daniel G. Kyle
                                           Office of the Legislative Auditor
                                           State of Louisiana
                                           (member 1997-1998)




                                       Mr. Philip A. Leone
                                       Joint Legislative Audit and Review Commission
                                       Commonwealth of Virginia
                                       (member 1997-2000)

                                       Mr. George A. Lewis
                                       Broussard, Poche, Lewis & Breaux
                                       (member 1997-2000)

                                       Ms. Nora J.E. Masters
                                       Deloitte & Touche LLP
                                       (member 1997-1999)

                                       Mr. Sam M. McCall
                                       Office of the City Auditor
                                       Tallahassee, Florida
                                       (member 1997-1998; 2000-2002)

                                       Mr. Harold L. Monk
                                       Davis, Monk & Company, CPAs
                                       (member 2002-2004)

                                       Mr. Stephen L. Morgan
                                       Office of the City Auditor
                                       Austin, Texas
                                       (member 2001-2003)

                                       The Honorable Everett L. Mosley
                                       U.S. Agency for International Development
                                       (member 2001-2003)

                                       Mr. Bruce A. Myers
                                       Office of the Legislative Auditor
                                       State of Maryland
                                       (member 1999-2001)

                                       Dr. Kathryn E. Newcomer
                                       George Washington University
                                       (member 1999-2001)

                                           Mr. Robert M. Reardon, Jr.
                                           State Farm Insurance Companies
                                           (member 2002-2004)

                                           Ms. Roberta Reese
                                           Office of the Controller
                                           State of Nevada
                                           (member 1997-1999)

                                           Mr. George A. Scott
                                           Deloitte & Touche LLP
                                           (member 1999-2001)

                                           Mr. Gerald Silva
                                           Office of the City Auditor
                                           City of San Jose, California
                                           (member 2002-2004)

                                           The Honorable Kurt R. Sjoberg
                                           Office of the State Auditor
                                           State of California
                                           (member 1997-2000)

                                           Mr. Barry R. Snyder
                                           Federal Reserve Board
                                           (member 2001-2003)

                                           Dr. Daniel Stufflebeam
                                           Western Michigan University
                                           (member 2002-2004)

                                           Dr. Paul M. Thompson
                                           AMBAC Indemnity Corporation
                                           (member 1997-1998)

                                           Mr. Cornelius E. Tierney
                                           George Washington University
                                           (member 1997-1999)


                                       The Honorable Nikki Tinsley
                                       Environmental Protection Agency
                                       (member 2002-2004)

                                       Ms. Leslie E. Ward
                                       Office of the City Auditor
                                       Kansas City, Missouri
                                       (member 1999-2001)

                                       The Honorable Jacquelyn L. Williams-Bridgers
                                       U.S. Department of State
                                       (member 2000-2002)

                                       Dr. Earl R. Wilson
                                       University of Missouri-Columbia
                                       (member 1999-2001)


GAO Project Team                       Jeffrey C. Steinhoff, Managing Director
                                       Jeanette M. Franzel, Director
                                       Marcia B. Buchanan, Assistant Director
                                       Cheryl E. Clark, Assistant Director
                                       Michael C. Hrapsky, Project Manager
                                       Robert W. Gramling, Consultant




   Index




   abuse
     attestation engagement                                  6.15, 6.19-6.20, 6.32-6.40
     defined                                                 4.19, 6.19, 7.25, 8.19
     financial audit                                         4.17, 4.19, 4.20, 5.12, 5.17-5.25
     performance audit                                       7.25-7.26, 8.19-8.26
     pursuing indications of                                 4.20, 6.20, 7.26
     reporting                                               5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26
     reporting, direct                                       5.21-5.25, 6.36-6.40, 8.22-8.26
   accountability                                            1.11-1.16
   AICPA standards
     attestation engagement                                  2.08, 6.01, 6.03-6.04, 6.23, 6.27, 6.51
     financial audit                                         2.06, 4.01-4.02, 4.03-4.04, 5.01-5.02, 5.03,
                                                             5.17
     relationship to GAGAS                                   1.09, 4.01, 5.01, 6.01
   American Institute of Certified Public Accountants (see
    AICPA standards)
   attestation engagements                                   1.13, 2.07-2.08, 6.01-6.54
     abuse                                                   6.15, 6.19-6.20, 6.32-6.40
     communication, auditor                                  6.06-6.09, 6.35, 6.54
     compliance with GAGAS, reporting auditors’              6.29-6.31
     corrective actions                                      6.34, 6.41-6.45
     defined                                                 1.13, 2.07, 6.02
     distribution, report issuance and                       6.46, 6.49-6.54
     distribution, limited                                   6.27d, 6.47, 6.50-6.51
     documentation
       access to                                             6.25-6.26
       attest                                                6.07, 6.16-6.17, 6.22-6.26, 6.35, 6.54
       of communication                                      6.07, 6.09, 6.35, 6.54
       safeguarding                                          6.26
     findings                                                6.21, 6.33-6.35
     fraud and illegal acts                                  6.15-6.18, 6.20, 6.32-6.40
     internal control                                        2.07, 6.13-6.14, 6.32-6.35
     levels of                                               6.02
       agreed-upon-procedures                                6.02c, 6.15b, 6.18, 6.27d, 6.51
       examination                                           6.02a, 6.13-6.14, 6.15a, 6.16
   review                                                   6.02b, 6.15b, 6.18
 planning                                                   6.04, 6.13-6.14, 6.15-6.16
 previous engagements, considering results of               6.10-6.12
 privileged and confidential information                    6.46-6.48
 recommendations                                            6.34
 reporting                                                  6.27-6.54
 reporting, direct                                          6.36-6.40
 qualifications for auditors, additional                    3.43-3.44
 termination                                                6.54
 views of responsible officials                             6.41-6.45
 violations of provisions of contracts or grant             6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40
    agreements
 work of others, using                                      6.25
audit objectives (see objectives)
audit organizations’ responsibilities (see also under       1.27-1.28, 3.38
  independence)
auditors, qualifications of (see competence)
auditors’ responsibilities                                  1.19-1.26, 4.11, 4.18
audits and attestation engagements, types of (see also      2.01-2.16
  attestation engagements; financial audits;
  performance audits)


cause                                                       5.15c, 6.34c, 7.65, 8.15c, 8.18
comments (see letters of comment; views of responsible
  officials)
communication, auditor (see also under attestation          1.26, 3.17e-3.17f
  engagements; financial audits; performance audits)
competence (see also continuing professional                3.39-3.48
  education)
 technical knowledge                                        3.42
 qualifications for financial audits and attestation        3.43-3.44
   engagements, additional
compliance                                                  1.18b, 4.12-4.13, 4.17-4.18, 5.08-5.11, 6.15-
                                                            6.20, 6.32, 6.36-6.40, 7.12c, 7.19-7.20, 7.49
 tests of                                                   4.12-4.13, 4.17-4.18, 6.15-6.20, 7.07d, 7.17-
                                                            7.20
compliance with GAGAS (see under GAGAS)
computer-based systems, data from                           7.59-7.61
conclusions                                                 6.27b, 8.27, 8.42, 8.44, 8.47, 8.49
condition                                                   5.15b, 6.34b, 7.63, 8.15b
   conditions, reportable (see reportable conditions under
     financial audits)
   confidential information (see privileged and confidential
     information under attestation engagements; financial
     audits; performance audits)
   conflict of interest (see independence)
   constructive engagement                                     1.16
   consulting services (see nonaudit services)
   continuing professional education (CPE) (see also           3.45-3.48
     documentation, continuing professional education)
   corrective actions (see under attestation engagements;
     financial audits; performance audits)
   criteria                                                    5.15a, 6.03, 6.34a, 7.28, 8.15a


   data (see also evidence)                                    7.31, 7.55-7.61
     sources of                                                7.31, 7.55-7.59
     tests of                                                  7.60-7.61
     unaudited                                                 8.44
     validity and reliability of                               7.12b, 7.15b, 7.57, 7.59
   diligence (see professional judgment)
   direct reporting (see under attestation engagements;
      financial audits; performance audits)
   distribution, limited (see under attestation engagements;
     financial audits; performance audits)
   distribution, report issuance and                           5.31-5.33, 5.34-5.38, 6.46-6.48, 6.49-6.54,
                                                               8.35-8.37, 8.54-8.57
   documentation
     access to                                                 4.25-4.26, 6.25-6.26, 7.69-7.71
     attestation engagement                                    6.07, 6.09, 6.16-6.17, 6.22-6.26, 6.35, 6.50-
                                                               6.51, 6.54
     audit plan                                                7.41-7.43
     of audit reviews                                          7.47
     of communication                                          4.07, 4.09, 5.16, 5.20, 5.38, 6.07, 6.09, 6.35,
                                                               6.54, 7.40, 8.17, 8.21
     of continuing professional education                      3.47
     of evidence                                               7.54, 7.60, 7.66-7.68
     financial audit                                           4.07, 4.09, 4.22-4.26, 5.16, 5.20, 5.35-5.36,
                                                               5.38
     independence                                              3.17a, 3.17e, 3.26, 3.32
     peer review                                               3.17g, 3.54
 performance audit                                          7.07, 7.17, 7.22, 7.40-7.43, 7.47, 7.54, 7.60,
                                                            7.66-7.71, 8.17, 8.21, 8.55-8.56
 of planning                                                7.07
 quality control                                            3.51
 safeguarding                                               4.26, 6.26, 7.69, 7.71
 of specialists’ qualifications                             3.48


economy and efficiency (see under objectives)
effect                                                      5.15d, 6.34d, 7.64, 8.15d
effectiveness (see under objectives)
engagement letter                                           3.17e, 4.07-4.09, 6.07-6.09, 7.40
evidence (see also data)
 attestation engagement                                     6.04b, 6.34, 6.39
 financial audits                                           4.03c, 4.12, 5.15, 5.24
 performance audit                                          7.31, 7.48-7.51, 7.52-7.65, 8.13, 8.15, 8.25,
                                                            8.41-8.47
 tests of                                                   7.52-7.61
 types of                                                   7.50
external quality control review (see peer review)


field work                                                  4.01-4.26, 6.03-6.26, 7.01-7.71
financial audits                                            1.12, 2.05-2.06, 4.01-4.26, 5.01-5.38
 abuse                                                      4.17, 4.19, 4.20, 5.12, 5.17-5.25
 communication, auditor                                     4.06-4.13, 5.16, 5.20, 5.22-5.23, 5.38
 compliance                                                 4.10-4.13, 4.17-4.20, 5.08-5.11, 5.12, 5.17-
                                                            5.25
 compliance with GAGAS, reporting auditors’                 5.05-5.07
 conclusions                                                5.18
 corrective actions                                         4.15-4.16, 5.15, 5.26-5.30
 defined                                                    1.12, 2.05, 4.02
 distribution, limited                                      5.32, 5.35
 distribution, report issuance and                          5.31-5.33, 5.34-5.38
 documentation
   access to                                                4.25-4.26
   audit                                                    4.22-4.26
   of communication                                         4.07, 4.09, 5.16, 5.20, 5.38
   safeguarding                                             4.26

     field work                                                 4.01-4.26
     findings                                                   4.21, 5.14-5.15, 5.18-5.20
     fraud and illegal acts                                     4.17-4.18, 4.20, 5.12, 5.17-5.25
     internal control                                           4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16
     material misstatement, detecting                           4.17-4.18
     material weakness                                          5.14
     previous engagements, considering results of               4.04, 4.14-4.16
     privileged and confidential information                    5.31-5.33
     procedures, audit                                          4.17-4.21
     reportable conditions                                      5.12-5.16
     reporting                                                  5.01-5.38
     reporting, direct                                          5.12, 5.21-5.25
     qualifications for auditors, additional                    3.43-3.44
     termination                                                4.09, 5.38
     users (of the audit report)                                4.04, 5.07, 5.15
     views of responsible officials                             5.26-5.30
     violations of provisions of contracts or grant             4.17-4.18, 4.20, 5.12, 5.17-5.25
        agreements
   findings                                                     4.21, 5.14-5.15, 5.18-5.20, 6.21, 6.33-6.35,
                                                                7.28, 7.62-7.65, 8.13-8.16
   findings, elements of                                        5.15, 6.34, 7.28, 7.62-7.65, 8.14-8.15
   follow-up (see also previous engagements, considering        1.28
      results of)
   fraud and illegal acts (see also laws, regulations, and
      provisions of contracts or grant agreements)
     attestation engagement                                     6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40
     financial audit                                            4.17-4.18, 4.20, 5.12, 5.17-5.19, 5.21-5.25
     performance audit                                          7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26
     pursuing indications of                                    4.20, 6.20, 7.26
     reporting                                                  5.12, 5.17-5.19, 5.21-5.25, 6.32-6.40, 8.19-
                                                                8.26
     reporting, direct                                          5.21-5.25, 6.36-6.40, 8.22-8.26


   GAGAS (generally accepted government auditing                1.01-1.03
    standards; see also individual standards)
     applicability                                              1.04-1.08
     attestation engagement standards                           1.09, 2.08, 6.01-6.45
     compliance with, reporting auditors’                       2.15, 5.05-5.07, 6.29-6.31, 8.30


 financial audit standards                                     1.09, 2.06, 4.01-4.26, 5.01-5.38
 laws, regulations, and guidelines requiring                   1.05-1.06
 and nonaudit services                                         2.14-2.16
 performance audit standards                                   7.01-7.71, 8.01-8.57
 professional judgment                                         3.34
 relationship to other standards                               1.09-1.10, 4.01, 5.01, 6.01


illegal acts (see fraud and illegal acts)
independence                                                   3.03-3.32
 external impairments                                          3.19-3.20
 and nonaudit services                                         3.07, 3.10-3.18
 organizational impairments                                    3.21-3.32
 organizations, responsibilities of audit                      3.07-3.10, 3.12-3.14, 3.16-3.18, 3.20, 3.26,
                                                               3.28, 3.32
 and reporting                                                 3.22-3.32
 personal impairments                                          3.07-3.18
 specialists, using work of                                    3.06
internal auditing                                              3.27-3.29, 3.31-3.32, 5.37, 6.53, 7.16, 8.57
internal control
 attestation engagement                                        6.13-6.14, 6.32-6.35
 and compliance                                                5.08-5.11, 6.13, 6.32
 components of                                                 4.03 (footnote)
 deficiencies                                                  5.12-5.16, 6.32-6.35, 7.65, 8.16, 8.17-8.18
 financial audit                                               4.03b, 4.04, 4.10-4.13, 5.08-5.11, 5.12-5.16
 management’s role                                             1.18
 performance audit                                             2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16,
                                                               8.17-8.18
 safeguarding resources                                        7.13
 tests of                                                      4.12-4.13, 5.08-5.09, 7.60
 understanding                                                 7.14
internal quality control system (see also quality control      3.07-3.08, 3.17e, 3.20, 3.49-3.52
   and assurance)
issuance and distribution, report (see distribution, report
   issuance and)




   laws, regulations, and provisions of contracts or grant      7.10a, 7.12c, 7.17-7.20, 8.23, 8.26
     agreements (see also fraud and illegal
     acts; violations of provisions of
     contracts or grant agreements)
   legal counsel                                                7.19
   letters of comment                                           3.54-3.56
   limited official use (see distribution, limited, under
      attestation engagements, financial audits,
      performance audits)


   management letters                                           5.16, 5.20, 6.35, 8.17, 8.21
   management controls (see internal control)
   management’s role (see also officials, responsibilities of) 1.17, 1.18, 1.28, 3.17b, 4.16, 6.12, 7.30
   material misstatements, detecting                            4.17-4.18
   material weakness                                            5.14
   methodology and procedures                                   7.03, 7.06, 7.14c, 7.17-7.27, 7.32, 8.08, 8.11


   nonaudit services                                            1.08, 2.14-2.16, 3.08a, 3.10-3.18


   objectives                                                   2.02-2.04, 2.09-2.13
     compliance                                                 2.12, 7.10a, 7.12c
     economy and efficiency                                     2.10, 7.12a
     effectiveness and results                                  2.10, 7.10g, 7.12a
     internal control                                           2.11, 7.12-7.16
     performance audit                                          2.09-2.13, 7.03-7.06, 7.12-7.16, 7.18a, 8.08-
                                                                8.12
     prospective                                                2.13
     types of                                                   2.10-2.13
   objectivity (see also auditors’ responsibilities; audit      8.46-8.48
     organizations’ responsibilities; independence)
   officials, reporting views of responsible (see views of
      responsible officials)
   officials, responsibilities of (see also management’s role) 4.16, 5.23, 6.12, 6.38, 7.30, 8.24


   peer review (see also under documentation)                   1.27, 3.17g, 3.26, 3.32, 3.49, 3.52-3.56
   performance audits                                           1.14-1.15, 2.09-2.13, 7.01-7.71, 8.01-8.57
     abuse                                                      7.25-7.26, 8.19-8.26
     accomplishments, reporting                                 8.48
     communication, auditor                                     7.39-7.40, 8.17, 8.21, 8.40

 compliance                                                 2.12, 7.07d, 7.12c, 7.19-7.20, 7.49
 compliance with GAGAS, auditors’                           8.30
 conclusions                                                8.20, 8.27, 8.47, 8.49
 corrective actions                                         7.29-7.30, 8.05, 8.15, 8.31-8.34, 8.40, 8.49,
 defined                                                    2.09
 distribution, limited                                      8.36, 8.55
 distribution, report issuance and                          8.36, 8.54-8.57
 documentation
   access to                                                7.69-7.71
   audit                                                    7.22, 7.60, 7.66-7.71
   audit plan                                               7.41-7.43
   of communication                                         7.40, 8.17, 8.21
   of evidence                                              7.54, 7.60, 7.66-7.68
   of planning                                              7.07
   safeguarding                                             7.69, 7.71
 field work                                                 7.01-7.71
 findings                                                   7.28, 7.62-7.65, 8.13-8.16, 8.20
 fraud and illegal acts                                     7.17, 7.21-7.24, 7.26-7.27, 8.16, 8.19-8.26,
                                                            8.28
 internal control                                           2.11, 7.10c, 7.11-7.16, 7.49, 7.65, 8.16,
                                                            8.17-8.18
 methodology and procedures                                 7.03, 7.06, 7.14, 7.17-7.27, 7.32, 8.08, 8.12
 objectives                                                 2.10-2.13, 7.03-7.06, 7.12-7.16, 7.18, 8.08-
                                                            8.12
 planning                                                   7.02-7.43
 plan, preparing an audit                                   7.03, 7.14, 7.28, 7.41-7.43
 previous engagements, considering results of               7.29-7.30
 privileged and confidential information                    8.35-8.37
 program significance                                       7.08-7.09
 program, understanding                                     7.10, 7.12
 recommendations                                            8.28-8.29
 referencing                                                8.45
 report
   contents                                                 8.07-8.37
   elements                                                 8.38-8.53
   form                                                     8.02-8.06
 reporting                                                  8.01-8.57

       accurate                                               8.43-8.45
       clear                                                  8.50-8.52
       complete                                               8.41-8.42
       concise                                                8.53
       convincing                                             8.49
       objective                                              8.46-8.48
       timely                                                 8.39-8.40
     reporting, direct                                        8.22-8.26
     reporting, interim                                       8.40
     scope                                                    7.03, 7.05, 7.14b, 7.36, 8.08, 8.10, 8.12,
                                                              8.17, 8.30, 8.45
     significance                                             4.15 (footnote), 4.18 (footnote), 7.08
     staffing                                                 7.35-7.38
     supervision                                              7.44-7.47
     termination of audit                                     7.40, 8.06
     users (of the audit report)                              2.04, 7.08-7.09, 8.03, 8.08-8.09, 8.11-8.12,
                                                              8.32, 8.39
     views of responsible officials                           8.31-8.34
     violations of provisions of contracts or grant           7.17-7.20, 7.26-7.27, 8.16, 8.19-8.21, 8.22-
        agreements                                            8.26
     work of others, considering                              7.32-7.34, 7.70
   planning                                                   4.03, 4.06-4.07, 4.15-4.18, 6.04, 6.06-6.16,
                                                              7.02-7.43
   previous engagements, considering results of (see also     4.04, 4.14-4.16, 6.10-6.12, 7.07, 7.29-7.30
     work of others, considering)
   privileged and confidential information (see under
     attestation engagements; financial audits; performance
     audits)
   procurement for audits                                     1.18f
   professional judgment                                      1.25, 3.33-3.38, 4.04
   program (see also performance audits)
     aspects                                                  7.10
     significance                                             7.08-7.09
   program audits (see performance audits)


   quality control and assurance (see also internal quality   3.49-3.56
     control system; see also under documentation)


   recommendations                                            5.15, 6.34, 8.28-8.29

referencing (see under performance audits)
reportable conditions (see under financial audits)
reporting (see also under attestation engagements;           1.26, 5.01-5.38, 6.27-6.54, 8.01-8.57
  financial audits; performance audits)
roles and responsibilities (see also audit organizations’    1.17-1.28
  responsibilities; auditors’ responsibilities;
  management’s role; officials, responsibilities of)


scope                                                        5.08-5.09, 7.03, 7.05, 7.14b, 7.36, 8.08,
                                                             8.10, 8.12, 8.17, 8.45
significance                                                 4.15, 4.18, 7.08-7.09
significance, program (see under program)
specialists, use of (see also under documentation)           3.06, 3.48, 7.37
supervision                                                  4.03, 6.03, 7.44-7.47


users (of the audit report) (see also under financial        1.01, 1.22, 1.25-1.26, 2.04, 3.01
  audits, performance audits)


views of responsible officials                               5.26-5.30, 6.41-6.45, 8.31-8.34
violations of provisions of contracts or grant agreements
  (see also laws, regulations, and provisions of contracts
  and grant agreements)
 attestation engagement                                      6.15-6.18, 6.20, 6.32-6.35, 6.36-6.40
 financial audit                                             4.17-4.18, 4.20, 5.12, 5.17-5.25
 performance audit                                           7.17-7.20, 7.26-7.27, 8.16, 8.19-8.21, 8.22-
                                                             8.26
 pursuing indications of                                     4.20, 6.20, 7.26
 reporting                                                   5.12, 5.17-5.25, 6.32-6.40, 8.19-8.26
 reporting, direct                                           5.21-5.25, 6.36-6.40, 8.22-8.26


working papers (see documentation)
work of others, considering (see also previous               4.25, 6.25, 7.32-7.34, 7.70
  engagements, considering the results of)



