Assessing Compliance With Applicable Laws and Regulations

Published by the Government Accountability Office on 1989-12-01.




There is much concern about illegal acts and abuse occurring in the public and private sectors. The media frequently report instances of illegal acts and circumstances in which those in positions of authority and trust have failed to effectively fulfill their

There is also an increasing expectation that the audit/evaluation community must strengthen its efforts to evaluate compliance with laws and regulations and detect and report significant illegal acts and abuses. In 1988, the American Institute of Certified Public Accountants strengthened its requirements to test for errors, irregularities, and illegal acts. Also, GAO's Government Auditing Standards were revised in 1988 to strengthen requirements for testing compliance with laws and regulations.

The key compliance steps are to

- clearly define the assignment's objective(s),
- identify laws and regulations relevant to these objectives,
- assess the inherent risk of noncompliance,
- assess internal control effectiveness,
- design audit steps directed toward areas of vulnerability, and
- report instances of noncompliance.

The purpose of this guide is to help GAO staff implement the strengthened requirement for detecting noncompliance. Chapter 1 provides a general overview of compliance testing. Chapter 2 discusses how assignment objectives influence compliance testing and how to identify applicable laws and regulations. Chapter 3 explains how to perform a vulnerability assessment to determine the extent of compliance testing. Chapter 4 discusses compliance testing and reporting requirements for performance audits. Chapter 5 addresses the requirements for financial audits.

             Page 1                                    GAO/OP-4.1.2

Major contributors to this guide were Ben B. Cox, Policy Advisor, and Timothy P. Gonzalez, Evaluator. For further assistance, please call 275-6172.

Werner Grosshans, Director, Office of Policy
Donald H. Chapin, Assistant Comptroller General, Accounting and Financial Management Division


Preface 1

Chapter 1 Introduction 6
  Government Auditing Standards 6
  Purpose of Guide 7
  General Requirements 8
  Terms Defined 9
  What the Yellow Book Says 10
  Materiality/Significance and Sensitivity 11
  Coordination With OGC 12
  Due Care Concerning Illegal Acts and Abuses 13

Chapter 2 Identifying Applicable Laws and Regulations 15
  Importance of Assignment Objectives 15
  Identifying Laws and Regulations 18

Chapter 3 Determining the Extent of Compliance Testing 23
  Vulnerability Assessment 23

Chapter 4 Performance Audits: Audit Steps and Reporting 32
  Case Example 32
  Reporting Requirements 40

Chapter 5 Financial Audits: Audit Steps and Reporting 42
  Case Example 42
  Reporting Requirements 45
  Sample Compliance Report 46
  Sample Compliance Report 48

Table 3.1: Relationships Between Inherent Risk, Internal Controls, Vulnerability, and Testing Extent 23


AICPA  American Institute of Certified Public Accountants
FMFIA  Federal Managers' Financial Integrity Act of 1982
GAO    General Accounting Office
GPM    General Policy Manual
IG     Inspector General
OGC    Office of the General Counsel
OSM    objectives, scope, and methodology
PM     Project Manual
SAS    Statements on Auditing Standards
S&Ls   savings and loan institutions

Chapter 1
Introduction

This chapter discusses

- the government auditing standards contained in GAO's "Yellow Book,"
- the purpose of this guide,
- the general requirements and expectations for GAO staff to use professional judgment in designing and performing compliance tests,
- what the "Yellow Book" says,
- how materiality/significance and sensitivity influence testing,
- the need for coordination between auditors/evaluators and the Office of the General Counsel (OGC), and
- due care and precautions concerning illegal acts and abuses.

Government Auditing Standards

GAO's Government Auditing Standards (commonly referred to as the "Yellow Book") and chapters 4 ("Standards") of the General Policy Manual and the Project Manual (PM) require that all audits/evaluations include an assessment of compliance with relevant laws and regulations that are material to the assignment objectives.

For performance audits, the standard provides the following:

- An assessment is to be made of compliance with applicable requirements of laws and regulations when necessary to satisfy the audit objectives.
- Where a compliance assessment is required, auditors should design the audit to provide reasonable assurance of detecting abuse or illegal acts that could significantly affect the audit objectives.
- Auditors should be alert to situations or transactions that could be indicative of abuse or illegal acts.

For financial audits, the standard provides the following:


- A test should be made of compliance with applicable laws and regulations.
- The auditor should design audit steps and procedures to provide reasonable assurance of detecting errors, irregularities, and illegal acts that could have a direct and material effect on the financial statement amounts or the results of financial-related audits.
- The auditor should also be aware of the possibility of illegal acts that could have an indirect and material effect on the financial statements or results of financial-related audits.

Government organizations and programs are created and governed by laws and regulations whose purpose is to ensure that government activities achieve their objectives effectively.

Often these laws and regulations affect private organizations and individuals as well. For example, the federal government insures deposits in savings and loan associations (S&Ls) and regulates S&Ls to ensure that they are operated in a safe and sound manner and comply with laws and regulations.

Violation of laws and regulations can result in civil and criminal penalties and can have dramatic and profound adverse long-term implications for the government and the nation. For example, on June 16, 1989, GAO reported that the cost of rescuing failed S&Ls will exceed $100 billion. (See report entitled Thrift Failures: Costly Failures Resulted From Regulatory Violations and Unsafe Practices, GAO/AFMD-89-62.) According to GAO's report, there were numerous and sometimes blatant violations of laws and regulations and indications of fraud or insider abuse at all S&Ls reviewed.

Purpose of Guide

The purpose of this guide is to assist GAO staff in determining


- when testing for compliance with laws and regulations should be performed,
- how to identify the relevant laws and regulations,
- how to evaluate the likelihood that noncompliance could occur and not be detected or prevented by internal controls,
- to what extent testing is to be done, and
- how to deal with and report suspected or actual instances of noncompliance.

General Requirements

GAO expects all audits/evaluations to be properly planned and to include steps to provide reasonable assurance (not absolute or complete) that material instances of noncompliance that directly relate to the assignment's objective(s) are detected and reported. This guide provides principles and concepts to use in determining if assessment of compliance with laws and regulations is required and the tests to be done. The effectiveness of the steps depends on staff perception, judgment, and resourcefulness. Auditors/evaluators should not presume that agencies are in compliance but should do sufficient testing to provide reasonable assurance that noncompliance, which is individually or in the aggregate material, would have been identified.

Auditors/evaluators must perform sufficient steps to detect major noncompliance without spending an unreasonable amount of resources on those steps. Erring in either direction has undesirable consequences: too much audit effort would waste valuable resources needed elsewhere, while not enough work risks instances of material noncompliance going undetected.

This guide provides assistance for determining the audit/evaluation steps and procedures to be used to evaluate compliance with laws and regulations and to detect major noncompliance (errors, fraud, illegal acts, or irregularities) and abuse.


The standard does not expect auditors/evaluators to uncover every impropriety; instead, it requires reasonable tests to assure detection of major noncompliance.

Terms Defined

Noncompliance with laws and regulations as used in this guide includes both intentional and unintentional acts as well as a variety of other terms, such as "fraud," "abuse," "errors," and "irregularities," and these and other terms are defined as follows:

Errors - Unintentional noncompliance with applicable laws and regulations and/or misstatements or omissions of amounts or disclosures in financial statements.

Fraud - Action that violates a fraud-related statute of the United States Code or a state statute.

Illegal acts - Failure to follow requirements of laws or implementing regulations, including intentional and unintentional noncompliance and criminal acts.

Criminal acts - An illegal act for which incarceration, as well as other penalties, is available if the government obtains a guilty verdict.

Civil acts - An illegal act for which penalties that do not include incarceration are available for a statutory violation. Penalties may include monetary payments and corrective actions.

Irregularities - Intentional noncompliance with applicable laws and regulations and/or misstatements or omissions of amounts or disclosures in financial statements.

Abuse is distinguished from noncompliance in that abusive conditions may not directly violate laws or regulations. Abusive activities may be within the letter of the laws and regulations but violate either their spirit or the more general standards of impartial and ethical behavior. This guide does not provide an all-inclusive treatment of the subject of abuse, but see page 19 for additional guidance.

What the Yellow Book Says

On performance and financial audits/evaluations, the Yellow Book requires auditors/evaluators to

are particularly applicable to detecting and reporting noncompliance with laws and regulations on financial audits:

- Compliance Auditing Applicable to Government Entities and Other Recipients of Governmental Financial Assistance (SAS 63),
- Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55),
- Illegal Acts by Clients (SAS 54), and
- The Auditor's Responsibilities to Detect and Report Errors and Irregularities (SAS 53).

Materiality/Significance and Sensitivity

When performing an audit/evaluation and reporting results, GAO staff need to consider materiality/significance and sensitivity.

Materiality concerns the magnitude of omissions or misstatements of accounting information that, in the light of circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by omissions or misstatements. Materiality judgments involve both quantitative and qualitative

Significance concerns the importance, in relation to the audit objectives, of items, events, information, matters or problems the auditor identifies.

Sensitivity involves how given matters will be perceived by others. It is possible for matters to be both material/significant and sensitive. For example, a former high-level official used influence to convince an agency to fund construction of certain projects and, for minimal effort, the former official was paid a large fee by the project developers. As reported, these situations of imprudent use of public funds could amount to hundreds of millions of dollars. Disclosures of these circumstances received a lot of publicity.


Generally, the greater the materiality/significance and sensitivity, the greater the degree of required compliance testing.

Coordination With OGC

Many of the matters discussed in this guide involve decisions that are essentially legal or have legal implications. Auditors/evaluators must consult with OGC in making decisions that are essentially legal. Examples include determining if (1) certain actions by an agency or others violate laws and regulations and (2) cases should be referred to law enforcement agencies for possible prosecution.

OGC may also be helpful to the audit team by providing advice in

- identifying laws and regulations relevant to assignment objectives

regulations and there may not be as compelling a need for direct OGC involvement.

Whenever there is reasonable cause to believe that coordination is necessary or desirable, auditors/evaluators should initiate contacts with OGC and, after discussion, decide whether direct OGC participation is appropriate.

Due Care Concerning Illegal Acts and Abuses

Auditors/evaluators should exercise caution when dealing with suspected illegal acts and abuse.

During the initial stages of an assignment, they should ascertain whether other audit, evaluation, or investigative groups have initiated investigations into alleged illegal acts or abuses that might affect the assignment. (See PM, ch. 6.1.)

If, as the assignment proceeds, possible illegal acts or abuses are identified, auditors/evaluators should promptly consult with OGC for advice and assistance on how to proceed. Early consultation is particularly important in cases involving fraud and illegal acts carrying civil or criminal penalties. GAO Order 1130.1 contains instructions on how to handle these cases and how to refer them to federal law enforcement agencies.

The programming division should, in coordination with OGC, determine whether the audit/evaluation should continue, be modified to defer work relating to the violations, or be suspended.

If the assignment is a congressional request, GAO staff should discuss with the requester the need to defer or modify the scope of work until the investigation is completed and GAO evaluates the results. If the requester does not consent to changes that GAO believes necessary, the division directorate and the Office of Congressional Relations should be consulted before proceeding and the product should


clearly disclose the requirements and constraints imposed on GAO's work.


Chapter 2
Identifying Applicable Laws
and Regulations

This chapter discusses how assignment objectives influence the scope of compliance testing to be performed and how to identify applicable laws and regulations for compliance testing.

Importance of Assignment Objectives

Clearly defining the assignment objective(s) is a must for each audit, since it guides the development of the audit plan, as well as the determination of scope and methodology. Compliance testing for broadly stated assignment objectives is generally more difficult since many laws could be applicable and testing would normally be more extensive than for a narrower-scope assignment. Therefore, to the extent possible, the assignment objectives should be defined as precisely as possible to preclude unnecessary work, while meeting the purpose of the


The following four cases illustrate the relationship between the assignment objective(s) and the determination of whether compliance testing is necessary and the extent of testing.

Case 1. If GAO is asked to determine how much grant money is awarded to the states without determining the appropriateness of that award, the assignment would be designed to compile information to respond to the question and would not normally include steps to test for noncompliance. The objectives, scope, and methodology (OSM) section of the product should state clearly the limited nature of the information provided. A statement of nonconformity with generally accepted government auditing standards would not be required because tests for noncompliance would not reasonably be expected given the limited nature of the assignment objective. Depending on the circumstances, such an effort might be categorized as an "other assignment" rather than an audit/evaluation. (See General Policy Manual, p. 4.0-2.)

Case 2. If the assignment objective is to determine if a certain grant award was proper, the applicable laws and regulations should be identified and then the grant award should be examined to see if these laws and regulations were complied with. Auditors/evaluators should also assess the inherent risk of noncompliance and obtain an understanding of internal controls applicable to grant awards. If noncompliance is detected, the internal controls that were supposed to prevent or detect the noncompliance should be identified as a basis for establishing its cause. If internal controls are weak or nonexistent, widespread noncompliance may have occurred and GAO staff should consider whether the assignment scope should be expanded, a follow-up assignment should be performed, and/or the matter should be reported to the responsible agency. The assignment product should disclose weaknesses identified.


Case 3. If the assignment objective is to make an overall assessment of whether an agency awards grants in accordance with applicable laws, the steps called for in case 2 would be expanded to (1) test internal controls and assess the risk that the internal controls will not prevent/detect noncompliance and (2) examine a sample of actual grant awards to ascertain if the agency followed the applicable laws when awarding grant funds. However, specific steps would not be required at the user level to test for possible recipient misuse of the funds since the assignment objectives do not concern recipients' use of funds.

In cases 1, 2, or 3, if credible indications of illegal or inappropriate use of funds by grant recipients are detected (even though audit/evaluation steps were not intended to identify such indications), arrangements should be made to (1) expand the scope of the assignments, (2) schedule follow-up assignments, or (3) refer the matters to the agency's Inspector General (IG) or GAO's Office of Special Investigations for further review. If suspected illegal acts are not pursued and resolved by expanding the current assignments, the OSM sections should describe what further action is being taken to resolve the matters.

Case 4. If the assignment objective is to test proper use of grant funds, then testing of recipients' eligibility and use of the funds becomes a paramount point of the audit/evaluation and extensive testing would be required to determine compliance with laws and regulations directly relating to recipients' use of grant funds. Extensive testing would be required because multiple levels (federal, state, and local) and organizations would be involved. Each organization has different rules, risks, and internal control structures.


Identifying Laws and Regulations

During the early phase of an assignment where compliance assessment is called for by the assignment objectives, auditors/evaluators should identify the laws and regulations that apply to the assignment subject area and might significantly affect assignment objectives.

The first step in this process is to identify general laws and regulations applicable to the subject of the assignment. For example, on an assignment involving procurement, the Federal Acquisition Regulation and the Competition in Contracting Act might apply.

The second step is to identify more specific laws and regulations applicable to the agency or activity. For example, the agency may have its own procurement regulations or procedures.

As the GAO staff gain a greater familiarity with the activities being examined, the third step is to identify those provisions of laws and regulations relating directly to assignment objectives. For example, if an assignment objective is directed toward assessing government contractors' employment and personnel practices, the applicable laws and regulations would be those related to that subject and other laws and regulations (e.g., those relating to contract pricing or timely delivery of products) would not be of paramount importance.

In consultation with the Office of the General Counsel, the sources of information that the GAO staff can use to identify applicable laws and regulations include

- the United States Code,
- the Code of Federal Regulations,
- the Federal Acquisition Regulations,
- Office of Management and Budget publications,
- prior GAO products,
- permanent files kept by GAO audit sites,
- the agency's OGC,


- the agency IG or the equivalent, and
- agency program representatives.

Performance Audits/Evaluations

On performance audits/evaluations, the assignment plan should identify the steps to be performed to provide reasonable assurance of detecting noncompliance with laws and regulations that could significantly affect the assignment objectives. Usually, such laws and regulations are those directly relating to the particular programs or activity, such as agricultural price supports, defense weapons systems, veterans benefits, or student loans. However, the assignment plan should also identify steps to test for compliance with indirect laws and regulations which, if violated, could have a material impact on the objective. Such indirect laws and regulations include those relating to

- contract and procurement improprieties;
- conflict-of-interest and ethics violations;
- fraud, waste, and abuse in government programs, activities, and functions;
- environmental issues; and
- violations of equal employment opportunity.

At times, these indirect laws may have a more profound impact on the audit objective than the direct laws. Therefore, staff must be especially alert to these potential impacts and, as warranted by the vulnerability assessment, design the necessary steps to reasonably detect major noncompliance.

Government auditing standards also require that performance audits be designed to provide reasonable assurance of detecting abuse (as well as illegal acts) that could significantly affect the assignment objective. The elements of significance and relationship to assignment objectives are important. Auditors/evaluators are not expected to detect all

                             Page 19                                    GAO/OP-4.1.2
Chapter 2
Identifying Applicable   Laws
and Regulations

safety and health, environmental protection, equal employment, and theft.


• imprudently using funds to purchase unneeded items at year-end,
• being unreasonably and unjustifiably lenient in reducing fines or penalties, and
• the recovering of overpayments by states or other intermediaries under programs financed by the federal government without returning the federal government’s share of recoveries.

In addition to performing the steps and procedures specifically intended to detect noncompliance and abuse, GAO staff should continually be alert for “red flags,” or indicators of noncompliance with laws, regulations, and abuse as audit/evaluation work is performed. (See p. 26.) If such indicators are noted and if the potential noncompliance is significant and related to the assignment objectives, the assignment plan should be modified to determine if the potential noncompliance actually occurred, how it affected assignment objectives, and how it should be reported. (For further guidance on how to proceed when actual or suspected illegal acts and abuses are detected, see p. 1:I.)

Financial Audits


possible abuse; instead, they are required to undertake steps that are appropriate in the circumstances to identify abuse that could have a major impact on the results of the audit/evaluation.

Determining whether abuse has occurred is usually more difficult than determining noncompliance with laws and regulations since there generally is no clear criterion for making these judgments. Tests of compliance with laws and regulations to discover illegal acts will normally serve to help identify abusive situations that violate the spirit but not the letter of the laws and regulations. To identify these situations, the auditor/evaluator in conducting tests of compliance must have an overall comprehension of the purpose of the law and be sensitive to that purpose in making tests.

Another kind of abuse may violate general standards of impartial and ethical behavior. The auditor/evaluator in pursuing work, especially evaluation of the internal control environment, must be sensitive to the possibilities of abuse and pursue significant matters that come to his/her attention that may violate general standards of impartial and ethical behavior.

• allowing former high-level officials access to current officials and giving them the opportunity to influence decisionmaking through preferential treatment on grants or contracts or in dispensing
• subordinates performing tasks of a personal nature for supervisors,
• making unnecessary trips at government expense,
• assigning government inspectors an unrealistic “quota” of violations to detect or fines to assess,

Chapter 3
Determining the Extent of
Compliance Testing

Vulnerability Assessment

A vulnerability assessment should be made to determine the extent of compliance testing to be performed.

A vulnerability assessment determines the probability that noncompliance and abuse, which is individually or in the aggregate material, could occur and not be prevented or detected in a timely manner by internal

The assessment evaluates (1) the inherent risk of a law or regulation to noncompliance and abuse before considering internal controls and (2) whether internal controls will prevent or detect noncompliance and abuse. (See table 3.1.)

Table 3.1: Relationships Between Inherent Risk, Internal Controls, Vulnerability, and Testing Extent

    Inherent risk   x   Internal controls   =   Vulnerability/testing extent
    High                Weak                    High
    Low                 Weak                    Low to moderate
                        Adequate                Low
                        Strong                  Very low

The extent of compliance testing is directly related to an activity’s degree of vulnerability. The higher the vulnerability, the more extensive the compliance testing needs to be and vice versa. Thus, even though an activity may be inherently risky to noncompliance and abuse, strong internal controls can reduce vulnerability to a relatively low level, thereby reducing necessary compliance testing to a relatively low level.

The rationale for performing a vulnerability assessment is that auditors/evaluators can limit testing and focus on those areas most vulnerable to noncompliance and abuse if internal controls are found to be reliable. This produces a more cost-effective and timely audit/evaluation.

Inherent Risk

Inherent risk is the probability that a law/regulation related to assignment objectives will not be complied with or that the area being reviewed is highly susceptible to noncompliance (e.g., pilferage of cash).

Inherent risk is assessed before considering whether the internal controls would prevent or detect such noncompliance or abuse. Assessing inherent risk involves

• considering the requirements of applicable laws and
• establishing susceptibility to noncompliance,
• assessing management’s commitment to reduce and control noncompliance, and


                            Laws and regulations that are clear, understanda-
                            ble, and consistent with other laws and regulations
                            are easier to adhere to and to check for compliance
                            than laws and regulations lacking these

• Do the laws and regulations relate to a new program, or have they undergone recent or frequent major changes?

                            Laws and regulations that have recently been
                            implemented or changed may be more likely to be
                            violated because people are less familiar with them.

Susceptibility to Noncompliance

GAO staff should also identify the characteristics that increase the susceptibility to noncompliance. Some questions to consider are as follows:

• Do incentives of noncompliance outweigh the potential penalties?

                            If the law or regulation provides a benefit based on
                            need, individuals will have an incentive to overstate
                            their need in order to qualify or to get a larger

• Is it practicable or reasonable to expect compliance, or are the laws and regulations so burdensome or onerous that noncompliance could reasonably be
• Does the activity have numerous transactions?

                            The more transactions there are, the greater the
                            chances that noncompliance could occur due to
                            errors, irregularities, and abuse. Also, a large
                            number of transactions increases the difficulty of
                            detecting noncompliance.

• Have important government activities/programs been contracted out or delegated to those outside the government without ensuring that adequate internal control systems and active monitoring/oversight are in place?
• Does the activity have a significant amount of assets that are readily marketable (i.e., cash, securities, or drugs) or could be used for personal purposes (i.e., tools, cars, auto repair parts, or

Such assets are very susceptible to improper use or

• Are significant benefits of government programs extended to individuals or corporations by government officials whose actions are generally not subject to public examinations and evaluations?

Auditors/evaluators should be alert for and consider any “red flags,” or indicators of susceptibility to noncompliance. Any such indicators would vary on the basis of the subject and the objective of the audit. The following are examples of susceptibility indicators that might be identified:

• a pattern of certain contractors’ bidding against each other or, conversely, certain contractors’ not bidding against each other;
• use of materials on commercial contracts that were intended for use on government contracts;
• a high default rate on government-backed loans;
• complex transactions;
• poor records/documentation;
• activities that are dominated and controlled by a single person or small group;
• unreasonable explanations to inquiries by auditors/
• auditee annoyance at reasonable questions by audi-
• employees’ refusal to give others custody of
• employees’ refusal to take vacations and/or accept promotions; and
• extravagant lifestyle of employees.

Management Commitment

GAO staff should consider management’s commitment to reduce and control noncompliance. A strong commitment by management to comply is a positive factor in reducing the risk of noncompliance. Some questions to consider are as follows:

• Have problems been repeatedly disclosed in prior audits/evaluations by GAO, the Inspector General, or others?
• Does management promptly respond when problems are first identified?
• Are recurring complaints received through “hotline” allegations?
• Is management willing to discuss its approach toward compliance?
• Is management knowledgeable of the subject area and potential problems?
• Does management have a constructive attitude, including a willingness to consider innovative
• Is there a stable management team with continuity and a good reputation, or is there high turnover and/or poor management reputation?

Testing Transactions

The final step of assessing inherent risk involves testing a limited number of transactions. This testing usually occurs during the survey stage of an assignment and is not intended to be a representative sample of transactions. Rather, GAO staff should perform limited work to gain a better understanding of the processes followed by the agency and to confirm other observations made about inherent risk of noncompliance.

Internal Controls

Internal controls consist of policies and procedures used to provide reasonable assurance that goals and objectives are met; resources are adequately safeguarded, efficiently utilized, and reliably accounted for; and laws and regulations are complied with.

Evaluating internal controls involves

• identifying internal control objectives (policies) that management has designed to ensure that laws and regulations are complied with and the control
• identifying key internal control techniques (procedures) that management has established to achieve
• testing control procedures, and
• identifying needed follow-on actions.

                                     In some instances, GAO staff may be able to make
                                     this evaluation on the basis of recentIy completed

Identifying Objectives

The control objective is a positive thing that management tries to attain or an adverse condition/negative effect that management is seeking to avoid. For example, the Department of Education has a control objective of not paying interest and special allowances under the Stafford Student Loan Program for ineligible students. (See case example on p. 32.) Auditors/evaluators should determine what control objectives related to assignment objectives management has established.

                                     The control environment reflects the overall atti-
                                     tude toward and awareness of management regard-
                                     ing the importance of internal controls. A good
                                     control environment is a positive factor in establish-
                                     ing and enhancing the effectiveness of specific poli-
                                     cies and procedures, while a poor control
                                     environment has the opposite effect. Factors affect-
                                     ing the control environment include

• management’s philosophy and operating style (tone at the top);
• the entity’s organizational structure;
• methods of delegating authority and responsibility;
• management’s methods for monitoring and following up on performance, including internal auditing and corrective action taken on recommendations;
• personnel policies and practices.

Identifying Procedures

Control objectives and environment represent those goals and actions management wishes to achieve, while control procedures are the specific steps designed and prescribed by management to provide reasonable assurance that its control objectives will be achieved. For example, to limit spending to the amounts appropriated, government organizations have implemented detailed procedures for controlling expenditures. The control objective is to limit spending to the amount appropriated, and the control procedures are those steps that must be performed before funds can be obligated and/or spent. These steps may include such actions as requiring certification by the accounting department that sufficient funds are available before obligating or expending funds.

The auditor/evaluator can obtain information on the control environment, objectives, and procedures by reading agency manuals, reviewing past audit/evaluation reports, interviewing management and employees, and making observations.

Because of inherent limitations in the design and the operation of any internal control system, auditors/evaluators should not expect internal controls to prevent or detect all instances of noncompliance or abuse. The most pervasive limitation is that the cost of internal controls should not exceed their benefits. In deciding how extensive the system of internal controls should be, management compares the costs of more controls with the benefits to be

Other limitations include the possibility that management may override the internal control system; employees may secretly be working together (collusion) to avoid or circumvent the controls; and employees may not be correctly applying the control technique due to fatigue, boredom, inattention, lack of knowledge, or misunderstanding. As a result, auditors/evaluators should always test actual transactions to have a reasonable basis for evaluating internal controls.

The auditors’/evaluators’ understanding of the internal control system should be documented in the workpapers. This can be done through flowcharts; narratives; questionnaire responses; records of interviews; and copies of policies and procedures, documents, and records.

For internal control procedures to be effective, they must be designed to achieve the intended objective(s) and must be correctly and consistently applied by the authorized employee(s). The best-designed internal controls are of little value if the procedures are not correctly followed. For example, if the entity has a procedure requiring the manager’s approval for all purchases over $25,000 but the manager does not review the purchase orders, this procedure will not be very effective in preventing or detecting unnecessary purchases.

Testing internal controls consists of the following

• defining what constitutes effective internal controls;
• selecting a small sample of transactions, either randomly or nonrandomly;
• evaluating whether the sample transactions were executed in accordance with the laws and regulations and internal controls;
• documenting the evaluation results; and
• determining the probability that noncompliance will not be detected or prevented by the internal

Auditors/evaluators can use the results of the transaction tests to assess the probability that internal controls will not prevent or detect

Needed Corrective Actions

If testing reveals material noncompliance or abuse, the auditor/evaluator should determine what internal controls were intended to prevent or detect the noncompliance or abuse and ascertain the reasons they did not. If internal controls are weak or nonexistent, many more transactions may be in noncompliance. Auditors/evaluators should consider (1) expanding tests to determine the impact of weaknesses on assignment objectives and of doing follow-on work later or (2) referring the matter to a third party, such as the agency’s IG.

A detailed discussion of internal controls is contained in GAO’s Guide for Incorporating Internal Control Evaluations Into GAO Work.

Chapter 4
Performance Audits: Audit Steps and
Reporting Requirements

                      This chapter discusses a case example of how to
                      make a vulnerability assessment and determine the
                      extent of compliance testing, expected under condi-
                      tions of high and moderate vulnerability. It also dis-
                      cusses how to report noncompliance.

Case Example

The following case illustrates how to apply the requirements, the concepts, and the principles discussed in this guide to an assignment. The circumstances of this case are hypothetical and are intended to illustrate the factors affecting the extent of compliance testing.

Assignment Objectives

Assume that GAO has been requested to determine if the Department of Education is paying the correct amount of interest and special allowance (interest subsidy) to lenders for eligible students under the Stafford Student Loan Program.

Background

Under the program, private lenders make loans at low interest rates to qualified students attending approved educational institutions. Education pays the interest while the loan recipient attends school and for a stipulated time thereafter (the grace period). Education also funds special allowance payments during the life of the loan to provide lenders the difference between the loan interest rate and the rate on 90-day Treasury bills, plus 3-1/4 percent. For fiscal year 1988, Education reported that it paid about $2.4 billion in interest and special

Assignment Approach

During the survey stage, auditors/evaluators should identify the laws and regulations directly applicable to Education’s policies and procedures in making loans and determinations of the proper interest and special allowance payments. Subsequent steps should include

• risk assessment-assessing the likelihood that such payments may be significantly incorrect,
• internal control assessment-assessing internal control effectiveness to prevent and/or detect incorrect payments, and
• compliance testing-determining the extent of compliance testing on the basis of the above steps.

These efforts focus on formulating audit/evaluation steps and procedures for inclusion in the assignment plan to provide reasonable assurance of detecting significant errors or noncompliance during implementation.

The primary laws and regulations identified as directly applicable to assignment objectives are

• the Higher Education Act of 1965, as amended;
• Education’s program regulations;
• recent appropriation acts;
• regulations or guidelines issued by state agencies acting as intermediaries and performing some functions for Education; and
• the Financial Integrity Act.

Risk Assessment

The first step of the vulnerability assessment involves assessing the inherent risk that Education’s interest and special allowance payments may be incorrect, may be paid to the wrong lender, or may be paid on behalf of ineligible persons. After obtaining a good understanding of applicable laws and regulations, auditors/evaluators should formulate questions to be answered to discern the inherent risk, such as the following:

• Have past efforts by GAO and other audit/evaluation groups identified significant erroneous payments of interest and special allowances? If so, has Education been slow in implementing corrective
• Are Education’s laws and regulations complex and sometimes difficult to understand?
• Have there been frequent changes in applicable laws and regulations?
• Do students have an incentive to withhold information and/or provide inaccurate information to lenders, educational institutions, intermediaries, and/or Education that would cause interest and special allowance overpayments?
• Do the lenders have a disincentive to get and use current information?
• Does the program involve numerous lenders and
• Is program management highly decentralized? Are significant loan decisions made by many persons at widely scattered locations? (Too much decentralization without adequate monitoring and control may increase the risk of misstatements.)
• Are there numerous transactions?
• Are significant aspects of the program (e.g., approval of applicants for loans and determining loan amounts) administered by those not under Education’s direct control (e.g., employees of lenders, educational institutions, and intermediaries)?
• Do lenders, educational institutions, and/or intermediaries have difficulty maintaining a staff with adequate technical knowledge to ensure accurate and consistent program administration?
• Is there a lack of incentives for lenders, educational institutions, and intermediaries to carefully fulfill their program responsibilities? Are the penalties for doing a poor job insignificant or nonexistent?

                       “Yes” answers to the above quest,ions gt~ncrally
                       indicate high risk, whereas “no” answers indicate
                       low risk.

Internal Control Assessment

The second step of the vulnerability assessment involves assessing internal control effectiveness. To make this assessment, auditors/evaluators should formulate questions focusing on understanding the internal control structure, determining if internal controls have been placed in operation, and testing their effectiveness. In this case, the following questions might be addressed:

• Has Education declared its internal control objectives for interest and special allowance payments? Are they compatible with applicable laws and
• Have internal control procedures been prescribed? Do they present a logical sequence of steps which, if followed, will limit payments to those made on behalf of eligible students for appropriate periods?
• Does Education assess lenders’ internal controls before allowing them to participate in the program? Has Education specified minimum systems and internal controls as a requirement before approval?
• What is the attitude of Education top management toward monitoring the program and taking actions, when needed, to correct any problems in program administration? Do the same problems recur without management attempts to correct them? Are corrective actions promised in response to audit/evaluation recommendations actually implemented?
• What were the results of any Education internal studies or reviews (including Financial Integrity Act reviews) of the program? For example, has the Inspector General recently examined the program? What were the findings and conclusions and any actions taken?
• What reviews or monitoring activities does Education perform to determine if lenders (1) verify applicants’ income and resources to determine eligibility and (2) fulfill other responsibilities?
• Does Education verify that lenders determine the date that students graduate or stop attending school? (This date determines when borrowers, rather than Education, should begin paying loan
• Has Education spelled out minimum follow-up times with schools to confirm student status?
• Does Education test-check lenders quarterly
• How does Education ensure that quarterly interest and special allowance billings cover only approved loans for students in an approved status?
• How does Education ensure that there are no duplicate billings and that the interest and special allowance costs attributable to each approved student are paid only once? (Lenders and secondary-market institutions frequently buy and sell insured student loans, and there is the possibility of overlapping or duplicate billings for a single student.)

Compliance Testing

Case 1: High Vulnerability

As a result of information developed during the vulnerability assessment, assume that auditors/evaluators conclude that inherent risk is high; internal controls are weak; and as a result, the assignment plan must provide for extensive testing to determine compliance with laws and regulations. Tests should be directed toward those areas deemed most vulnerable to noncompliance and abuse. For example, such tests might include the following:

• Select a sample of lenders’ billings that will provide a reasonable basis for determining the reliability of the payment process.
• Verify that the students met financial and other eligibility requirements by examining documents such as loan applications, tuition and other relevant costs, copies of tax returns, etc.
• Verify that the loans were approved for insurance under the program.
• Verify that schools were on Education’s approved
• Determine that the correct interest rate was used to compute interest.
• Determine whether borrowers were active students (or were in the grace period) to decide who was liable for the interest.
• Recompute loan balances to verify that the lenders correctly computed them.
• Verify that lenders had the loan in their portfolios for the billing periods in question. (Lenders often sell loans to other institutions in what is commonly referred to as the secondary market.)

For each of the above tests, auditors/evaluators should also devise detailed tasks necessary to perform the tests. For example, in determining whether borrowers were active students (or were in the grace period) (thus making Education liable for loan interest payments), specific tasks could include the

• Check individual loan files at lending institutions to determine if lenders inquired whether borrowers were active students at the school.
• If schools responded to lender inquiries, note dates of student attendance and credit hours taken.
• Compare dates of attendance with the periods covered by the lenders’ interest billings paid by Education to see if they correspond.
• If lenders’ files do not contain needed information, contact schools and request dates of student

The above tests and tasks illustrate the work steps that might be used in the example. In practice, the work to be done must be adapted to the needs of a particular assignment, including time and cost

Throughout the assignment, auditors/evaluators should remain alert for indications of violations of indirect laws and regulations that could significantly affect assignment objectives. If such indications are noted, compliance tests should be extended to determine the impact of any such violations. If such violations concern possible illegal acts and abuses, caution should be used to ensure that GAO does not interfere with, jeopardize, or duplicate any ongoing or planned investigation and/or proceedings. (See p. 13.)

Case 2: Moderate Vulnerability

As an alternate scenario, assume that auditors/evaluators conclude that although inherent risk is high, internal controls are strong and, as a result, there is a moderate vulnerability to noncompliance and the assignment plan should provide a moderate degree of testing. As in the high vulnerability assessment, the tests should be designed to achieve the assignment objective and be directed toward those areas deemed most vulnerable to noncompliance and abuse.

Assume that one principal consideration influencing the assessment of strong internal controls was a recent audit by Education’s Inspector General of interest and special allowances. Assume that GAO inquiries have determined that the IG audit

• was comprehensive in scope, examining interest and special allowance payments made to a representative sample of lenders over a wide geographical
• was carefully planned and supervised, was based on a logical methodology, and included an evaluation of internal control effectiveness; and
• identified significant overpayments and underpayments and made recommendations for improvement, which Education management agreed to

However, assume that the IG audit did not verify that (1) the schools had been approved by Education for program participation and (2) lenders had the loans in their portfolios and the loans had not been sold to secondary-market institutions.

Under these circumstances, GAO’s audit tests might

• reviewing the workpapers to examine the adequacy and the thoroughness of IG work,
• making supplemental tests of a small judgmental sample of transactions examined by the IG or similar transactions,
• determining if the corrective actions promised by Education management have been implemented,
• selecting a representative sample of lenders’ billings and determining whether (1) the schools were on Education’s approved list and (2) lenders had the loans in their portfolios.

Auditors/evaluators would be expected to design detailed tasks to perform the above tests. For example, to determine if lenders had the loans in their portfolios, the following tasks might be performed:

• Obtain a computer printout showing borrowers’ identification numbers at lenders selected for
• Select a representative sample from the computer printout and examine lender documentation to confirm that loans were in their portfolios and were not sold to secondary-market institutions.

Case 3: Low Vulnerability

This case does not lend itself to a low vulnerability assessment because of the inherent risk.

In situations of low vulnerability, the following minimum steps should be included in the assignment plan:

• Review Education’s latest FIA and IG reports to determine whether issues were reported concerning payment of interest and special allowance.
• Discuss with the division’s FIA team members whether they have any knowledge of internal control weaknesses not disclosed in Education’s FIA
• Discuss with Education officials and obtain their comments and any available reports, management studies, or other information relating to (1) whether interest and special allowance payments were evaluated under FIA and what the results were, (2) whether control objectives and procedures were established and tested to ensure they worked as intended, and (3) how adequate internal controls were to ensure proper interest and special allowance payments.
• Check for proper implementation of prior recommendations.
• Select a sample of lenders’ billings and determine if Education records show that borrowers were eligible for loans.

Reporting

GAO’s government auditing standards require the

    The report should include all significant instances of noncompliance and abuse and all indications or instances of illegal acts that could result in criminal prosecution that were found during or in connection with the audit.

GAO products should contain sufficient information to place the noncompliance in proper perspective. For example, if GAO finds that a single contract was awarded contrary to laws or regulations, the product should disclose the total number and the dollar values of contracts examined, as well as the dollar value of the improperly awarded contract.

If inclusion in the overall product of instances involving possible criminal prosecution would delay or compromise investigative or legal proceedings or otherwise preclude the product from being released to the public, such instances should be covered in a separate report to officials of the audited agency, law enforcement agencies, or the requester, as appropriate. The Office of the General Counsel should be consulted in determining how possible criminal prosecution should be reported.

Other instances of noncompliance not included in the overall product because of insignificance should be separately communicated to agency management, the IG, internal auditors, or the requester, as appropriate. The overall product should state that the noncompliance is being separately reported.

Chapter 5
Financial Audits: Audit Steps and
Reporting Requirements

This chapter discusses a case example illustrating how to make a vulnerability assessment and determine the extent of expected compliance testing, assuming conditions of moderate vulnerability. It also discusses the requirement for preparing a compliance report on testing results.

Case Example

The following case illustrates how to apply the requirements, the concepts, and the principles discussed in this guide to a financial audit. The conditions described in this guide are hypothetical and are intended to illustrate the factors that affect the extent of compliance testing.

Assignment Objectives

Assume that GAO has been requested to determine if Education has fairly stated the interest and the special allowances paid for the Stafford Student Loan Program loans for the fiscal year ended September 30, 1988.

Risk Assessment

good understanding of applicable laws and regulations, auditors/evaluators should formulate questions to ask to discern the inherent risk. Besides the questions identified in the prior case studies (see p. 33), examples of other questions to ask include the

• Because of budgetary constraints or other factors imposed on the program, are there incentives for Education to overstate or understate interest and special allowance payments?
• Are there any penalties for misreporting of interest and special allowance payments?
• Are interest and special allowance payments based on a relatively simple calculation, or is the determination a complex one using various interest rates?

Internal Control Assessment

The second step of the vulnerability assessment involves determining internal control effectiveness. To do this, auditors/evaluators should formulate questions focusing on understanding the internal control structure, determining if internal controls are in operation, and testing their effectiveness. Besides the questions identified in the previous case study (see p. 35), some additional questions to consider are as follows:

Compliance Testing

As a result of information developed during the vulnerability assessment, assume that auditors/evaluators conclude that inherent risk is high but that internal controls are strong and, as a result, the assignment plan must provide for moderate testing to determine compliance with laws and regulations. For example, such tests might include the following:

• Examine Education’s summary account for interest and special allowance payments. Select a sample and trace selected entries to supporting subsidiary accounts or other documentation. Fully resolve any
• Obtain from lenders a printout or data tape showing the individual loans for which they billed Education for interest and/or special allowance payments for the fiscal year ended September 30, 1988; the payment amounts; and the loan balances.
• Test the data for accuracy, unusual items, and
• Test the reasonableness of interest and special allowance payments by relating them to loan
• Take a sample of payments and trace them to lenders’ quarterly billings. Reconcile any discrepancies.
• Determine how lenders periodically notify borrowers of outstanding balances. For loans in the sample, examine loan notices sent to borrowers and compare them with Education’s records. Reconcile any discrepancies between Education records and notices to borrowers.
• Examine lender records and files to determine if borrowers reported discrepancies between loan balances and balances reported by lenders.

As in the prior case examples, auditors/evaluators would be expected to devise detailed tasks to effectively perform the above tests.


Reporting

GAO’s government auditing standards require the
                 The auditors should prepare a written report on
                 their tests of compliance with applicable laws
                 and regulations.   This report, which may be
                 included in either the report on the financial
                 audit or a separate report, should contain a
                 statement of positive assurance on those items
                 which were tested for compliance and negative
                 assurance on those items not tested. It should
                 include all material instances of noncompliance
                 and all instances or indications   of illegal acts
                 which could result in criminal prosecution.

                 If auditors/evaluators find no instances or indica-
                 tions of material noncompliance, the compliance
                 report should include

• a statement of positive assurance that the test results indicate that with respect to the items tested, the entity complied in all material respects with the laws and regulations referred to in the scope and
• a statement of negative assurance that with respect to items not tested, nothing came to the auditors’/evaluators’ attention that caused them to believe that the entity had not complied in all material respects with these laws and regulations.

If auditors/evaluators find instances of material noncompliance, they should state that they considered these instances in forming their opinion on the financial statements and whether these instances affected their opinion and how. The statement on assurance should be similar to the following:

“Except as described above, the results of our tests of compliance with laws and regulations indicate that with respect to the items tested, the Administration complied in all material respects with the provisions referred to above. With respect to items not tested, nothing came to our attention that caused us to believe that the Administration had not complied in all material respects with those same provisions.”


                Instances of noncompliance with laws and regula-
                tions that are nonmaterial from a quantitative and
                qualitative perspective should be reported to top
                management via a management letter. If applicable,
                the compliance report should state that the audi-
                tors/evaluators found instances of nonmaterial non-
                compliance with laws and regulations that are being
                separately reported to management.

                Further information on compliance reports can be
                found in chapter 5 of the Yellow Book and State-
                ment on Auditing Standards 63 issued by the Amer-
                ican Institute of Certified Public Accountants:
                Compliance Auditing Applicable to Government
                Entities and Other Recipients of Governmental
                Financial Assistance.

                Two sample compliance reports are presented


No Material Noncompliance

To the Administrator
Federal Administration Agency

We have audited the consolidated financial statements of the Federal Administration Agency (Administration) for the fiscal year ended September 30, 19xx, and have issued our opinion thereon dated [date of opinion]. As part of our audit, we tested the Administration’s compliance with certain laws and regulations that, if not followed, could have a direct and material impact on the financial statements. This report pertains only to our consideration of compliance with laws and regulations for the year ended September 30, 19xx. Our report on compliance with laws and regulations for the year ended September 30, 19xx [the prior year], is presented in GAO/AFMD-xx-xx dated

We conducted our audit in accordance with gener-
ally accepted government auditing standards
[except as described in the following paragraph].
Those standards require that we plan and perform
the audit to obtain reasonable assurance about
whether the financial statements are free of mate-
rial misstatement.

[Summarize scope limitations, if any.]

Compliance with laws and regulations applicable to the Administration is the responsibility of the Administration’s management. As part of obtaining reasonable assurance as to whether the consolidated financial statements were free of material misstatement, we tested the Administration’s compliance with the following provisions of laws and regulations [or as listed in an attachment]. However, our primary objective was not to provide an opinion on overall compliance with such provisions.

[List provisions tested.]

Our test results indicate that with respect to the items tested, the Administration complied, in all material respects, with the provisions referred to above. With respect to items not tested, nothing came to our attention that caused us to believe that the Administration had not complied, in all material respects, with these provisions. However, we found matters involving compliance issues meriting management’s attention, and they are being reported separately to management.




Material Noncompliance

To the Administrator
Federal Administration Agency

We have audited the consolidated financial statements of the Federal Administration Agency (Administration) for the fiscal year ended September 30, 19xx, and have issued our opinion thereon dated [date of opinion]. As part of our audit, we tested the Administration’s compliance with certain laws and regulations which, if not followed, could have a direct and material impact on the financial statements. This report pertains only to our consideration of compliance with laws and regulations for the year ended September 30, 19xx. Our report on compliance with laws and regulations for the year ended September 30, 19xx [the prior year], is presented in GAO/AFMD-xx-xx dated

                We conducted our audit in accordance with gener-
                ally accepted government auditing standards
                [except as described in the following paragraph].
                Those standards rcquirc that we plan and perform
                the audit to obtain reasonable assurance about
                whether the financial statements are free of mate-
                rial misstatement.

[Summarize scope limitations, if any.]

                Compliance with laws and regulations applicable to
                the Administ.ration is the responsibility of the
                Administration’s management. As part of obtaining
                reasonable assurance as to whether the consoli-
                dated financial statements were free of material
                misstatement, we tested the Administration’s com-
                pliance with the following provisions of laws and
regulations [or as listed in an attachment]. However, our primary objective was not to provide an opinion on overall compliance with such provisions.

[List provisions tested.]

During our audit, we noted the following instances
of noncompliance.

[Describe each significant instance of noncompliance and recommended corrective action. One of the recommendations should suggest that the agency report these weaknesses in its next Financial Integrity Act report.]

We considered these material instances of noncompliance in forming our opinion on whether the Administration’s 19xx consolidated financial statements are presented fairly, in all material respects, in conformity with generally accepted accounting principles, and this report does not affect our report on those consolidated financial statements.

Except as described above, the results of our tests
of compliance with laws and regulatirrns indicate
that with respect to the items tested, the Adminis-
tration complied, in all material respects, with the
provisions referred to above. With respect to items
not tested, nothing came t.o our attention that,
caused us to believe that the Administration had
not complied, in all material respects, with these

We found other matters involving compliance issues meriting management’s attention. They are being reported separately to management.


Requests for copies of GAO documents
should be sent to:

U.S. General Accounting Office
Post Office Box 6015
Gaithersburg, Maryland 20877

Telephone 202-275-6241

The first five copies of each report are free.
Additional copies are $2.00 each.

There is a 25% discount on orders for 100 or
more copies mailed to a single address.

Orders must be prepaid by cash or by check
or money order made out to the Superinten-
dent of Documents.
United States
General Accounting Office
Washington, D.C. 20548

Official Business
Penalty for Private Use $300

First-Class Mail
Postage & Fees Paid
GAO
Permit No. G100