Applicable Laws and Regulations
GAO/OP-4.1.2

Preface

There is much concern about illegal acts and abuse occurring in the public and private sectors. The media frequently report instances of illegal acts and circumstances in which those in positions of authority and trust have failed to effectively fulfill their responsibilities. There is also an increasing expectation that the audit/evaluation community must strengthen its efforts to evaluate compliance with laws and regulations and detect and report significant illegal acts and abuses. In 1988, the American Institute of Certified Public Accountants strengthened its requirements to test for errors, irregularities, and illegal acts. Also, GAO's Government Auditing Standards were revised in 1988 to strengthen requirements for testing compliance with laws and regulations.

The key compliance steps are to
• clearly define the assignment's objective(s),
• identify laws and regulations relevant to these objective(s),
• assess the inherent risk of noncompliance,
• assess internal control effectiveness,
• design audit steps directed toward areas of vulnerability, and
• report instances of noncompliance.

The purpose of this guide is to help GAO staff implement the strengthened requirement for detecting noncompliance. Chapter 1 provides a general overview of compliance testing. Chapter 2 discusses how assignment objectives influence compliance testing and how to identify applicable laws and regulations. Chapter 3 explains how to perform a vulnerability assessment to determine the extent of compliance testing. Chapter 4 discusses compliance testing and reporting requirements for performance audits. Chapter 5 addresses the requirements for financial audits.

Major contributors to this guide were Ben B. Cox, Policy Advisor, and Timothy P. Gonzalez, Evaluator. For further assistance, please call 275-6172.

Werner Grosshans
Director
Office of Policy

Donald H. Chapin
Assistant Comptroller General
Accounting and Financial Management Division

Contents

Preface 1

Chapter 1
Introduction 6
  Government Auditing Standards 6
  Purpose of Guide 7
  General Requirements 8
  Terms Defined 9
  What the Yellow Book Says 10
  Materiality/Significance and Sensitivity 11
  Coordination With OGC 12
  Due Care Concerning Illegal Acts and Abuses 13

Chapter 2
Identifying Applicable Laws and Regulations 15
  Importance of Assignment Objectives 15
  Identifying Laws and Regulations 18

Chapter 3
Determining the Extent of Compliance Testing 23
  Vulnerability Assessment 23

Chapter 4
Performance Audits: Audit Steps and Reporting Requirements 32
  Case Example 32
  Reporting Requirements 40

Chapter 5
Financial Audits: Audit Steps and Reporting Requirements 42
  Case Example 42
  Reporting Requirements 45
  Sample Compliance Report 46
  Sample Compliance Report 48

Table
  Table 3.1: Relationships Between Inherent Risk, Internal Controls, Vulnerability, and Testing Extent 23

Abbreviations
AICPA  American Institute of Certified Public Accountants
FMFIA  Federal Managers' Financial Integrity Act of 1982
GAO    General Accounting Office
GPM    General Policy Manual
IG     Inspector General
OGC    Office of the General Counsel
OSM    objectives, scope, and methodology
PM     Project Manual
SAS    Statements on Auditing Standards
S&Ls   savings and loan institutions

Chapter 1
Introduction

This chapter discusses
• the government auditing standards contained in GAO's "Yellow Book,"
• the purpose of this guide,
• the general requirements and expectations for GAO staff to use professional judgment in designing and performing compliance tests,
• what the "Yellow Book" says,
• how materiality/significance and sensitivity influence testing,
• the need for coordination between auditors/evaluators and the Office of the General Counsel (OGC), and
• due care and precautions concerning illegal acts and abuses.
Government Auditing Standards

GAO's Government Auditing Standards (commonly referred to as the "Yellow Book") and chapters 4 ("Standards") of the General Policy Manual and the Project Manual (PM) require that all audits/evaluations include an assessment of compliance with relevant laws and regulations that are material to the assignment objectives. For performance audits, the standard provides the following:

• An assessment is to be made of compliance with applicable requirements of laws and regulations when necessary to satisfy the audit objectives.
• Where a compliance assessment is required, auditors should design the audit to provide reasonable assurance of detecting abuse or illegal acts that could significantly affect the audit objectives.
• Auditors should be alert to situations or transactions that could be indicative of abuse or illegal acts.

For financial audits, the standard provides the following:

• A test should be made of compliance with applicable laws and regulations.
• The auditor should design audit steps and procedures to provide reasonable assurance of detecting errors, irregularities, and illegal acts that could have a direct and material effect on the financial statement amounts or the results of financial-related audits.
• The auditor should also be aware of the possibility of illegal acts that could have an indirect and material effect on the financial statements or results of financial-related audits.

Government organizations and programs are created and governed by laws and regulations whose purpose is to ensure that government activities achieve their objectives effectively. Often these laws and regulations affect private organizations and individuals as well. For example, the federal government insures deposits in savings and loan associations (S&Ls) and regulates S&Ls to ensure that they are operated in a safe and sound manner and comply with laws and regulations.
Violation of laws and regulations can result in civil and criminal penalties and can have dramatic and profound adverse long-term implications for the government and the nation. For example, on June 16, 1989, GAO reported that the cost of rescuing failed S&Ls will exceed $100 billion. (See report entitled Thrift Failures: Costly Failures Resulted From Regulatory Violations and Unsafe Practices, GAO/AFMD-89-62.) According to GAO's report, there were numerous and sometimes blatant violations of laws and regulations and indications of fraud or insider abuse at all S&Ls reviewed.

Purpose of Guide

The purpose of this guide is to assist GAO staff in determining
• when testing for compliance with laws and regulations should be performed,
• how to identify the relevant laws and regulations,
• how to evaluate the likelihood that noncompliance could occur and not be detected or prevented by internal controls,
• to what extent testing is to be done, and
• how to deal with and report suspected or actual instances of noncompliance.

General Requirements

GAO expects all audits/evaluations to be properly planned and to include steps to provide reasonable assurance, not absolute or complete, that material instances of noncompliance that directly relate to the assignment's objective(s) are detected and reported. This guide provides principles and concepts to use in determining if assessment of compliance with laws and regulations is required and the tests to be done. The effectiveness of the steps depends on staff perception, judgment, and resourcefulness. Auditors/evaluators should not presume that agencies are in compliance but should do sufficient testing to provide reasonable assurance that noncompliance, which is individually or in the aggregate material, would have been identified.
Auditors/evaluators must perform sufficient steps to detect major noncompliance without spending an unreasonable amount of resources on those steps. Erring in either direction has undesirable consequences: too much audit effort would waste valuable resources needed elsewhere, while not enough work risks instances of material noncompliance going undetected. This guide provides assistance for determining the audit/evaluation steps and procedures to be used to evaluate compliance with laws and regulations and to detect major noncompliance (errors, fraud, illegal acts, or irregularities) and abuse. The standard does not expect auditors/evaluators to uncover every impropriety; instead, it requires reasonable tests to assure detection of major improprieties.

Terms Defined

Noncompliance with laws and regulations as used in this guide includes both intentional and unintentional acts as well as a variety of other terms, such as "fraud," "abuse," "errors," and "irregularities," and these and other terms are defined as follows:

Errors - Unintentional noncompliance with applicable laws and regulations and/or misstatements or omissions of amounts or disclosures in financial statements.

Fraud - Action that violates a fraud-related statute of the United States Code or a state statute.

Illegal acts - Failure to follow requirements of laws or implementing regulations, including intentional and unintentional noncompliance and criminal acts.

Criminal acts - An illegal act for which incarceration, as well as other penalties, is available if the government obtains a guilty verdict.

Civil acts - An illegal act for which penalties that do not include incarceration are available for a statutory violation. Penalties may include monetary payments and corrective actions.
Irregularities - Intentional noncompliance with applicable laws and regulations and/or misstatements or omissions of amounts or disclosures in financial statements.

Abuse is distinguished from noncompliance in that abusive conditions may not directly violate laws or regulations. Abusive activities may be within the letter of the laws and regulations but violate either their spirit or the more general standards of impartial and ethical behavior. This guide does not provide an all-inclusive treatment of the subject of abuse, but see page 19 for additional guidance.

What the Yellow Book Says

On performance and financial audits/evaluations, the Yellow Book requires auditors/evaluators to . . .

. . . are particularly applicable to detecting and reporting noncompliance with laws and regulations on financial audits:
• Compliance Auditing Applicable to Government Entities and Other Recipients of Governmental Financial Assistance (SAS 63),
• Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55),
• Illegal Acts by Clients (SAS 54), and
• The Auditor's Responsibilities to Detect and Report Errors and Irregularities (SAS 53).

Materiality/Significance and Sensitivity

When performing an audit/evaluation and reporting results, GAO staff need to consider materiality/significance and sensitivity.

Materiality concerns the magnitude of omissions or misstatements of accounting information that, in the light of circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by omissions or misstatements. Materiality judgments involve both quantitative and qualitative considerations.

Significance concerns the importance, in relation to the audit objectives, of items, events, information, matters or problems the auditor identifies.
Sensitivity involves how given matters will be perceived by others. It is possible for matters to be both material/significant and sensitive. For example, a former high-level official used influence to convince an agency to fund construction of certain projects and, for minimal effort, the former official was paid a large fee by the project developers. As reported, these situations of imprudent use of public funds could amount to hundreds of millions of dollars. Disclosures of these circumstances received a lot of publicity.

Generally, the greater the materiality/significance and sensitivity, the greater the degree of required compliance testing.

Coordination With OGC

Many of the matters discussed in this guide involve decisions that are essentially legal or have legal implications. Auditors/evaluators must consult with OGC in making decisions that are essentially legal. Examples include determining if (1) certain actions by an agency or others violate laws and regulations and (2) cases should be referred to law enforcement agencies for possible prosecution. OGC may also be helpful to the audit team by providing advice in
• identifying laws and regulations relevant to assignment objectives . . .

. . . regulations and there may not be as compelling a need for direct OGC involvement. Whenever there is reasonable cause to believe that coordination is necessary or desirable, auditors/evaluators should initiate contacts with OGC and, after discussion, decide whether direct OGC participation is appropriate.

Due Care Concerning Illegal Acts and Abuses

Auditors/evaluators should exercise caution when dealing with suspected illegal acts and abuse. During the initial stages of an assignment, they should ascertain whether other audit, evaluation, or investigative groups have initiated investigations into alleged illegal acts or abuses that might affect the assignment. (See PM, ch. 6.1.)
If, as the assignment proceeds, possible illegal acts or abuses are identified, auditors/evaluators should promptly consult with OGC for advice and assistance on how to proceed. Early consultation is particularly important in cases involving fraud and illegal acts carrying civil or criminal penalties. GAO Order 1130.1 contains instructions on how to handle these cases and how to refer them to federal law enforcement agencies. The programming division should, in coordination with OGC, determine whether the audit/evaluation should continue, be modified to defer work relating to the violations, or be suspended.

If the assignment is a congressional request, GAO staff should discuss with the requester the need to defer or modify the scope of work until the investigation is completed and GAO evaluates the results. If the requester does not consent to changes that GAO believes necessary, the division directorate and the Office of Congressional Relations should be consulted before proceeding and the product should clearly disclose the requirements and constraints imposed on GAO's work.

Chapter 2
Identifying Applicable Laws and Regulations

This chapter discusses how assignment objectives influence the scope of compliance testing to be performed and how to identify applicable laws and regulations for compliance testing.

Importance of Assignment Objectives

Clearly defining the assignment objective(s) is a must for each audit, since it guides the development of the audit plan, as well as the determination of scope and methodology. Compliance testing for broadly stated assignment objectives is generally more difficult since many laws could be applicable and testing would normally be more extensive than for a narrower-scope assignment. Therefore, to the extent possible, the assignment objectives should be defined as precisely as possible to preclude unnecessary work
while meeting the purpose of the audit.

The following four cases illustrate the relationship between the assignment objective(s) and the determination of whether compliance testing is necessary and the extent of testing.

Case 1. If GAO is asked to determine how much grant money is awarded to the states without determining the appropriateness of that award, the assignment would be designed to compile information to respond to the question and would not normally include steps to test for noncompliance. The objectives, scope, and methodology (OSM) section of the product should state clearly the limited nature of the information provided. A statement of nonconformity with generally accepted government auditing standards would not be required because tests for noncompliance would not reasonably be expected given the limited nature of the assignment objective. Depending on the circumstances, such an effort might be categorized as an "other assignment" rather than an audit/evaluation. (See General Policy Manual, p. 4.0-2.)

Case 2. If the assignment objective is to determine if a certain grant award was proper, the applicable laws and regulations should be identified and then the grant award should be examined to see if these laws and regulations were complied with. Auditors/evaluators should also assess the inherent risk of noncompliance and obtain an understanding of internal controls applicable to grant awards. If noncompliance is detected, the internal controls that were supposed to prevent or detect the noncompliance should be identified as a basis for establishing its cause.
If internal controls are weak or nonexistent, widespread noncompliance may have occurred and GAO staff should consider whether the assignment scope should be expanded, a follow-up assignment should be performed, and/or the matter should be reported to the responsible agency. The assignment product should disclose weaknesses identified.

Case 3. If the assignment objective is to make an overall assessment of whether an agency awards grants in accordance with applicable laws, the steps called for in case 2 would be expanded to (1) test internal controls and assess the risk that the internal controls will not prevent/detect noncompliance and (2) examine a sample of actual grant awards to ascertain if the agency followed the applicable laws when awarding grant funds. However, specific steps would not be required at the user level to test for possible recipient misuse of the funds since the assignment objectives do not concern recipients' use of funds.

In cases 1, 2, or 3, if credible indications of illegal or inappropriate use of funds by grant recipients are detected (even though audit/evaluation steps were not intended to identify such indications), arrangements should be made to (1) expand the scope of the assignments, (2) schedule follow-up assignments, or (3) refer the matters to the agency's Inspector General (IG) or GAO's Office of Special Investigations for further review. If suspected illegal acts are not pursued and resolved by expanding the current assignments, the OSM sections should describe what further action is being taken to resolve the matters.

Case 4. If the assignment objective is to test proper use of grant funds,
then testing of recipients' eligibility and use of the funds becomes a paramount point of the audit/evaluation and extensive testing would be required to determine compliance with laws and regulations directly relating to recipients' use of grant funds. Extensive testing would be required because multiple levels (federal, state, and local) and organizations would be involved. Each organization has different rules, risks, and internal control structures.

Identifying Laws and Regulations

During the early phase of an assignment where compliance assessment is called for by the assignment objectives, auditors/evaluators should identify the laws and regulations that apply to the assignment subject area and might significantly affect assignment objectives.

The first step in this process is to identify general laws and regulations applicable to the subject of the assignment. For example, on an assignment involving procurement, the Federal Acquisition Regulation and the Competition in Contracting Act might apply.

The second step is to identify more specific laws and regulations applicable to the agency or activity. For example, the agency may have its own procurement regulations or procedures.

As the GAO staff gain a greater familiarity with the activities being examined, the third step is to identify those provisions of laws and regulations relating directly to assignment objectives. For example, if an assignment objective is directed toward assessing government contractors' employment and personnel practices, the applicable laws and regulations would be those related to that subject, and other laws and regulations (e.g., those relating to contract pricing or timely delivery of products) would not be of paramount importance.

In consultation with the Office of the General Counsel, the sources of information that
the GAO staff can use to identify applicable laws and regulations include
• the United States Code,
• the Code of Federal Regulations,
• the Federal Acquisition Regulations,
• Office of Management and Budget publications,
• prior GAO products,
• permanent files kept by GAO audit sites,
• the agency's OGC,
• the agency IG or the equivalent, and
• agency program representatives.

Performance Audits/Evaluations

On performance audits/evaluations, the assignment plan should identify the steps to be performed to provide reasonable assurance of detecting noncompliance with laws and regulations that could significantly affect the assignment objectives. Usually, such laws and regulations are those directly relating to the particular program or activity, such as agricultural price support, defense weapons systems, veterans benefits, or student loans. However, the assignment plan should also identify steps to test for compliance with indirect laws and regulations which, if violated, could have a material impact on the objective. Such indirect laws and regulations include those relating to
• contract and procurement improprieties;
• conflict-of-interest and ethics violations;
• fraud, waste, and abuse in government programs, activities, and functions;
• environmental issues; and
• violations of equal employment opportunity requirements.

At times, these indirect laws may have a more profound impact on the audit objective than the direct laws. Therefore, staff must be especially alert to these potential impacts and, as warranted by the vulnerability assessment, design the necessary steps to reasonably detect major noncompliance impacts.

Government auditing standards also require that performance audits be designed to provide reasonable assurance of detecting abuse (as well as illegal acts) that could significantly affect the assignment objective.
The elements of significance and relationship to assignment objectives are important. Auditors/evaluators are not expected to detect all possible abuse; instead, they are required to undertake steps that are appropriate in the circumstances to identify abuse that could have a major impact on the results of the audit/evaluation. Determining whether abuse has occurred is usually more difficult than determining noncompliance with laws and regulations since there generally is no clear criterion for making these judgments. Tests of compliance with laws and regulations to discover illegal acts will normally serve to help identify abusive situations that violate the spirit but not the letter of the laws and regulations. To identify these situations, the auditor/evaluator in conducting tests of compliance must have an overall comprehension of the purpose of the law and be sensitive to that purpose in making tests.

Another kind of abuse may violate general standards of impartial and ethical behavior. The auditor/evaluator in pursuing work, especially evaluation of the internal control environment, must be sensitive to the possibilities of abuse and pursue significant matters that come to his/her attention that may violate general standards of impartial and ethical behavior.
• allowing former high-level officials access to current officials and giving them the opportunity to influence decisionmaking through preferential treatment on grants or contracts or in dispensing favors,
• subordinates performing tasks of a personal nature for supervisors,
• making unnecessary trips at government expense,
• assigning government inspectors an unrealistic "quota" of violations to detect or fines to assess,
• imprudently using funds to purchase unneeded items at year-end,
• being unreasonably and unjustifiably lenient in reducing fines or penalties, and
• the recovering of overpayments by states or other intermediaries under programs financed by the federal government without returning the federal government's share of recoveries.

In addition to performing the steps and procedures specifically intended to detect noncompliance and abuse, GAO staff should continually be alert for "red flags," or indicators of noncompliance with laws and regulations and abuse, as audit/evaluation work is performed. (See p. 26.) If such indicators are noted and if the potential noncompliance is significant and related to the assignment objectives, the assignment plan should be modified to determine if the potential noncompliance actually occurred, how it affected assignment objectives, and how it should be reported. (For further guidance on how to proceed when actual or suspected illegal acts and abuses are detected, see p. 13.)

Financial Audits

. . . safety and health, environmental protection, equal employment, and theft.

Chapter 3
Determining the Extent of Compliance Testing

Vulnerability Assessment

A vulnerability assessment should be made to determine the extent of compliance testing to be performed. A vulnerability assessment determines the probability that noncompliance and abuse, which is individually or in the aggregate material, could occur and not be prevented or detected in a timely manner by internal controls. The assessment evaluates (1) the inherent risk of a law or regulation to noncompliance and abuse before considering internal controls and (2) whether internal controls will prevent or detect noncompliance and abuse. (See table 3.1.)
Table 3.1: Relationships Between Inherent Risk, Internal Controls, Vulnerability, and Testing Extent

Inherent risk   x   Internal controls   =   Vulnerability/testing extent
High                Weak                    High
Low                 Weak                    Low to moderate
                    Adequate                Low
                    Strong                  Very low

The extent of compliance testing is directly related to an activity's degree of vulnerability. The higher the vulnerability, the more extensive the compliance testing needs to be, and vice versa. Thus, even though an activity may be inherently risky to noncompliance and abuse, strong internal controls can reduce vulnerability to a relatively low level, thereby reducing necessary compliance testing to a relatively low level.

The rationale for performing a vulnerability assessment is that auditors/evaluators can limit testing and focus on those areas most vulnerable to noncompliance and abuse if internal controls are found to be reliable. This produces a more cost-effective and timely audit/evaluation.

Inherent Risk

Inherent risk is the probability that a law/regulation related to assignment objectives will not be complied with or that the area being reviewed is highly susceptible to noncompliance (e.g., pilferage of cash). Inherent risk is assessed before considering whether the internal controls would prevent or detect such noncompliance or abuse. Assessing inherent risk involves
• considering the requirements of applicable laws and regulations,
• establishing susceptibility to noncompliance,
• assessing management's commitment to reduce and control noncompliance.

Laws and regulations that are clear, understandable, and consistent with other laws and regulations are easier to adhere to and to check for compliance than laws and regulations lacking these characteristics.
• Do the laws and regulations relate to a new program, or have they undergone recent or frequent major changes? Laws and regulations that have recently been implemented or changed may be more likely to be violated because people are less familiar with them.

Susceptibility to Noncompliance

GAO staff should also identify the characteristics that increase the susceptibility to noncompliance. Some questions to consider are as follows:
• Do incentives of noncompliance outweigh the potential penalties? If the law or regulation provides a benefit based on need, individuals will have an incentive to overstate their need in order to qualify or to get a larger benefit.
• Is it practicable or reasonable to expect compliance, or are the laws and regulations so burdensome or onerous that noncompliance could reasonably be expected?
• Does the activity have numerous transactions? The more transactions there are, the greater the chances that noncompliance could occur due to errors, irregularities, and abuse. Also, a large number of transactions increases the difficulty of detecting noncompliance.
• Have important government activities/programs been contracted out or delegated to those outside the government without ensuring that adequate internal control systems and active monitoring/oversight are in place?
• Does the activity have a significant amount of assets that are readily marketable (i.e., cash, securities, or drugs) or could be used for personal purposes (i.e., tools, cars, auto repair parts, or computers)?
Such assets are very susceptible to improper use or theft.
• Are significant benefits of government programs extended to individuals or corporations by government officials whose actions are generally not subject to public examinations and evaluations?

Auditors/evaluators should be alert for and consider any "red flags," or indicators of susceptibility to noncompliance. Any such indicators would vary on the basis of the subject and the objective of the audit. The following are examples of susceptibility indicators that might be identified:
• a pattern of certain contractors' bidding against each other or, conversely, certain contractors' not bidding against each other;
• use of materials on commercial contracts that were intended for use on government contracts;
• a high default rate on government-backed loans;
• complex transactions;
• poor records/documentation;
• activities that are dominated and controlled by a single person or small group;
• unreasonable explanations to inquiries by auditors/evaluators;
• auditee annoyance at reasonable questions by auditors/evaluators;
• employees' refusal to give others custody of records;
• employees' refusal to take vacations and/or accept promotions; and
• extravagant lifestyle of employees.

Management Commitment

GAO staff should consider management's commitment to reduce and control noncompliance. A strong commitment by management to comply is a positive factor in reducing the risk of noncompliance. Some questions to consider are as follows:
• Have problems been repeatedly disclosed in prior audits/evaluations by GAO, the Inspector General, or others?
• Does management promptly respond when problems are first identified?
• Are recurring complaints received through "hotline" allegations?
• Is management willing to discuss its approach toward compliance?
• Is management knowledgeable of the subject area and potential problems?
• Does management have a constructive attitude, including a willingness to consider innovative approaches?
• Is there a stable management team with continuity and a good reputation, or is there high turnover and/or poor management reputation?

Testing Transactions

The final step of assessing inherent risk involves testing a limited number of transactions. This testing usually occurs during the survey stage of an assignment and is not intended to be a representative sample of transactions. Rather, GAO staff should perform limited work to gain a better understanding of the processes followed by the agency and to confirm other observations made about inherent risk of noncompliance.

Internal Controls

Internal controls consist of policies and procedures used to provide reasonable assurance that goals and objectives are met; resources are adequately safeguarded, efficiently utilized, and reliably accounted for; and laws and regulations are complied with. Evaluating internal controls involves

• identifying internal control objectives (policies) that management has designed to ensure that laws and regulations are complied with, and the control environment;
• identifying key internal control techniques (procedures) that management has established to achieve objectives;
• testing control procedures; and
• identifying needed follow-on actions.

In some instances, GAO staff may be able to make this evaluation on the basis of recently completed audits/evaluations.

Identifying Objectives

The control objective is a positive thing that management tries to attain or an adverse condition/negative effect that management is seeking to avoid. For example, the Department of Education has a control objective of not paying interest and special allowances under the Stafford Student Loan Program for ineligible students.
(See case example on p. 32.) Auditors/evaluators should determine what control objectives related to assignment objectives management has established.

The control environment reflects the overall attitude toward and awareness of management regarding the importance of internal controls. A good control environment is a positive factor in establishing and enhancing the effectiveness of specific policies and procedures, while a poor control environment has the opposite effect. Factors affecting the control environment include

• management's philosophy and operating style (tone at the top);
• the entity's organizational structure;
• methods of delegating authority and responsibility;
• management's methods for monitoring and following up on performance, including internal auditing and corrective action taken on recommendations; and
• personnel policies and practices.

Identifying Procedures

Control objectives and environment represent those goals and actions management wishes to achieve, while control procedures are the specific steps designed and prescribed by management to provide reasonable assurance that its control objectives will be achieved. For example, to limit spending to the amounts appropriated, government organizations have implemented detailed procedures for controlling expenditures. The control objective is to limit spending to the amount appropriated, and the control procedures are those steps that must be performed before funds can be obligated and/or spent. These steps may include such actions as requiring certification by the accounting department that sufficient funds are available before obligating or expending funds.

The auditor/evaluator can obtain information on the control environment, objectives, and procedures by reading agency manuals, reviewing past audit/evaluation reports, interviewing management and employees, and making observations.
Because of inherent limitations in the design and the operation of any internal control system, auditors/evaluators should not expect internal controls to prevent or detect all instances of noncompliance or abuse. The most pervasive limitation is that the cost of internal controls should not exceed their benefits. In deciding how extensive the system of internal controls should be, management compares the costs of more controls with the benefits to be gained.

Other limitations include the possibility that management may override the internal control system; employees may secretly be working together (collusion) to avoid or circumvent the controls; and employees may not be correctly applying the control technique due to fatigue, boredom, inattention, lack of knowledge, or misunderstanding. As a result, auditors/evaluators should always test actual transactions to have a reasonable basis for evaluating internal controls.

The auditors'/evaluators' understanding of the internal control system should be documented in the workpapers. This can be done through flowcharts; narratives; questionnaire responses; records of interviews; and copies of policies and procedures, documents, and records.

For internal control procedures to be effective, they must be designed to achieve the intended objective(s) and must be correctly and consistently applied by the authorized employee(s). The best-designed internal controls are of little value if the procedures are not correctly followed. For example, if the entity has a procedure requiring the manager's approval for all purchases over $25,000 but the manager does not review the purchase orders, this procedure will not be very effective in preventing or detecting unnecessary purchases.
Testing internal controls consists of the following steps:

• defining what constitutes effective internal controls;
• selecting a small sample of transactions, either randomly or nonrandomly;
• evaluating whether the sample transactions were executed in accordance with the laws and regulations and internal controls;
• documenting the evaluation results; and
• determining the probability that noncompliance will not be detected or prevented by the internal controls.

Auditors/evaluators can use the results of the transaction tests to assess the probability that internal controls will not prevent or detect noncompliance.

Needed Corrective Actions

If testing reveals material noncompliance or abuse, the auditor/evaluator should determine what internal controls were intended to prevent or detect the noncompliance or abuse and ascertain the reasons they did not. If internal controls are weak or nonexistent, many more transactions may be in noncompliance. Auditors/evaluators should consider (1) expanding tests to determine the impact of weaknesses on assignment objectives and of doing follow-on work later or (2) referring the matter to a third party, such as the agency's IG.

*****

A detailed discussion of internal controls is contained in GAO's Guide for Incorporating Internal Control Evaluations Into GAO Work.

Chapter 4
Performance Audits: Audit Steps and Reporting Requirements

This chapter discusses a case example of how to make a vulnerability assessment and determine the extent of compliance testing expected under conditions of high and moderate vulnerability. It also discusses how to report noncompliance.

Case Example

The following case illustrates how to apply the requirements, the concepts, and the principles discussed in this guide to an assignment.
The circumstances of this case are hypothetical and are intended to illustrate the factors affecting the extent of compliance testing.

Assignment Objectives

Assume that GAO has been requested to determine if the Department of Education is paying the correct amount of interest and special allowance (interest subsidy) to lenders for eligible students under the Stafford Student Loan Program.

Background

Under the program, private lenders make loans at low interest rates to qualified students attending approved educational institutions. Education pays the interest while the loan recipient attends school and for a stipulated time thereafter (the grace period). Education also funds special allowance payments during the life of the loan to provide lenders the difference between the loan interest rate and the rate on 90-day Treasury bills, plus 3-1/4 percent. For fiscal year 1988, Education reported that it paid about $2.4 billion in interest and special allowances.

Assignment Approach

During the survey stage, auditors/evaluators should identify the laws and regulations directly applicable to Education's policies and procedures in making loans and determinations of the proper interest and special allowance payments. Subsequent steps should include

• risk assessment: assessing the likelihood that such payments may be significantly incorrect;
• internal control assessment: assessing internal control effectiveness to prevent and/or detect incorrect payments; and
• compliance testing: determining the extent of compliance testing on the basis of the above steps.

These efforts focus on formulating audit/evaluation steps and procedures for inclusion in the assignment plan to provide reasonable assurance of detecting significant errors or noncompliance during implementation.
The primary laws and regulations identified as directly applicable to assignment objectives are

• the Higher Education Act of 1965, as amended;
• Education's program regulations;
• recent appropriation acts;
• regulations or guidelines issued by state agencies acting as intermediaries and performing some functions for Education; and
• the Financial Integrity Act.

Risk Assessment

The first step of the vulnerability assessment involves assessing the inherent risk that Education's interest and special allowance payments may be incorrect, may be paid to the wrong lender, or may be paid on behalf of ineligible persons. After obtaining a good understanding of applicable laws and regulations, auditors/evaluators should formulate questions to be answered to discern the inherent risk, such as the following:

• Have past efforts by GAO and other audit/evaluation groups identified significant erroneous payments of interest and special allowances? If so, has Education been slow in implementing corrective action?
• Are Education's laws and regulations complex and sometimes difficult to understand?
• Have there been frequent changes in applicable laws and regulations?
• Do students have an incentive to withhold information and/or provide inaccurate information to lenders, educational institutions, intermediaries, and/or Education that would cause interest and special allowance overpayments?
• Do the lenders have a disincentive to get and use current information?
• Does the program involve numerous lenders and borrowers?
• Is program management highly decentralized? Are significant loan decisions made by many persons at widely scattered locations? (Too much decentralization without adequate monitoring and control may increase the risk of misstatements.)
• Are there numerous transactions?
• Are significant aspects of the program (e.g., approval of applicants for loans and determining loan amounts) administered by those not under Education's direct control (e.g., employees of lenders, educational institutions, and intermediaries)?
• Do lenders, educational institutions, and/or intermediaries have difficulty maintaining a staff with adequate technical knowledge to ensure accurate and consistent program administration?
• Is there a lack of incentives for lenders, educational institutions, and intermediaries to carefully fulfill their program responsibilities? Are the penalties for doing a poor job insignificant or nonexistent?

"Yes" answers to the above questions generally indicate high risk, whereas "no" answers indicate low risk.

Internal Control Assessment

The second step of the vulnerability assessment involves assessing internal control effectiveness. To make this assessment, auditors/evaluators should formulate questions focusing on understanding the internal control structure, determining if internal controls have been placed in operation, and testing their effectiveness. In this case, the following questions might be addressed:

• Has Education declared its internal control objectives for interest and special allowance payments? Are they compatible with applicable laws and regulations?
• Have internal control procedures been prescribed? Do they present a logical sequence of steps which, if followed, will limit payments to those made on behalf of eligible students for appropriate periods?
• Does Education assess lenders' internal controls before allowing them to participate in the program? Has Education specified minimum systems and internal controls as a requirement before approval?
• What is the attitude of Education top management toward monitoring the program and taking actions, when needed, to correct any problems in program administration? Do the same problems recur without management attempts to correct them? Are corrective actions promised in response to audit/evaluation recommendations actually implemented?
• What were the results of any Education internal studies or reviews (including Financial Integrity Act reviews) of the program? For example, has the Inspector General recently examined the program? What were the findings and conclusions and any actions taken?
• What reviews or monitoring activities does Education perform to determine if lenders (1) verify applicants' income and resources to determine eligibility and (2) fulfill other responsibilities?
• Does Education verify that lenders determine the date that students graduate or stop attending school? (This date determines when borrowers, rather than Education, should begin paying loan interest.)
• Has Education spelled out minimum follow-up times with schools to confirm student status?
• Does Education test-check lenders' quarterly billings?
• How does Education ensure that quarterly interest and special allowance billings cover only approved loans for students in an approved status?
• How does Education ensure that there are no duplicate billings and that the interest and special allowance costs attributable to each approved student are paid only once? (Lenders and secondary-market institutions frequently buy and sell insured student loans, and there is the possibility of overlapping or duplicate billings for a single student.)
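The checks the last three questions ask about, and the Case 1 compliance tests later in this chapter spell out, can be run mechanically over a lender's quarterly billing file. The following is an added example, not part of the GAO guide: it tests each constructed billing line for an approved school, a billing period inside Education's liability window (attendance plus grace period), recomputed interest and special allowance (T-bill rate plus 3-1/4 percent, less the loan rate), the holder of record, and duplicate billings for one loan, then totals what the report needs to put exceptions in perspective. The billing data, the 90-day T-bill rate, the 180-day grace period, the simple daily-interest convention, and the $0.50 tolerance are all assumptions.

```python
# Constructed compliance tests over sample lender billings; hypothetical data throughout.
from dataclasses import dataclass
from datetime import date, timedelta

SPECIAL_ALLOWANCE_MARKUP = 3.25  # 90-day T-bill rate plus 3-1/4 percent (from the guide)
TBILL_90_DAY_RATE = 7.0          # assumed average 90-day Treasury bill rate for the quarter
GRACE_PERIOD_DAYS = 180          # assumed length of the grace period after attendance ends
TOLERANCE = 0.50                 # assumed dollar tolerance when recomputing billed amounts


@dataclass
class Billing:  # one line of a lender's quarterly billing to Education; rates in percent
    lender: str
    loan_id: str
    student_id: str
    school_id: str
    period_start: date
    period_end: date
    principal: float
    loan_rate: float
    interest_billed: float
    allowance_billed: float


# Constructed stand-ins for Education's approved-school list, the schools'
# attendance confirmations, and the holder-of-record file for each loan.
APPROVED_SCHOOLS = {"SCH-100", "SCH-200"}
ENROLLMENT = {  # student -> last date of attendance confirmed by the school
    "STU-1": date(1988, 12, 15),
    "STU-2": date(1988, 3, 1),
    "STU-3": date(1988, 12, 15),
}
PORTFOLIO = {  # loan -> (holder of record, date sold to the secondary market or None)
    "L-1": ("LenderA", None),
    "L-2": ("LenderA", date(1988, 8, 15)),
    "L-3": ("LenderB", None),
}
SAMPLE_BILLINGS = [  # constructed sample; each comment names what the line exercises
    Billing("LenderA", "L-1", "STU-1", "SCH-100", date(1988, 10, 1), date(1988, 12, 31),
            2500.0, 8.0, 50.41, 14.18),   # clean billing
    Billing("LenderA", "L-2", "STU-2", "SCH-200", date(1988, 10, 1), date(1988, 12, 31),
            4000.0, 8.0, 80.66, 22.68),   # grace period over; loan already sold
    Billing("LenderB", "L-3", "STU-3", "SCH-999", date(1988, 10, 1), date(1988, 12, 31),
            3000.0, 9.0, 75.00, 9.45),    # school not approved; interest overbilled
    Billing("LenderB", "L-1", "STU-1", "SCH-100", date(1988, 11, 1), date(1988, 12, 31),
            2500.0, 8.0, 33.42, 9.40),    # a second lender bills the same loan
]


def days_in(b):
    return (b.period_end - b.period_start).days + 1


def expected_interest(b):
    """Simple daily interest on the outstanding principal (assumed convention)."""
    return round(b.principal * b.loan_rate / 100 * days_in(b) / 365, 2)


def expected_allowance(b):
    """Special allowance rate: (T-bill rate + 3.25) minus the loan rate, never below zero."""
    rate = max(0.0, TBILL_90_DAY_RATE + SPECIAL_ALLOWANCE_MARKUP - b.loan_rate)
    return round(b.principal * rate / 100 * days_in(b) / 365, 2)


def run_compliance_tests(billings):
    """Return (findings, summary); a finding is (billing index, loan, check, detail)."""
    findings = []
    for i, b in enumerate(billings):
        if b.school_id not in APPROVED_SCHOOLS:
            findings.append((i, b.loan_id, "approved_school", f"{b.school_id} not approved"))
        # Education is liable only while the student attends plus the grace period.
        liability_end = ENROLLMENT[b.student_id] + timedelta(days=GRACE_PERIOD_DAYS)
        if b.period_end > liability_end:
            findings.append((i, b.loan_id, "liability_window", f"liability ended {liability_end}"))
        if abs(b.interest_billed - expected_interest(b)) > TOLERANCE:
            findings.append((i, b.loan_id, "interest_recompute",
                             f"billed {b.interest_billed:.2f}, recomputed {expected_interest(b):.2f}"))
        if abs(b.allowance_billed - expected_allowance(b)) > TOLERANCE:
            findings.append((i, b.loan_id, "allowance_recompute",
                             f"billed {b.allowance_billed:.2f}, recomputed {expected_allowance(b):.2f}"))
        holder, sold_on = PORTFOLIO[b.loan_id]
        if holder != b.lender:
            findings.append((i, b.loan_id, "holder_of_record", f"holder of record is {holder}"))
        elif sold_on is not None and sold_on <= b.period_end:
            findings.append((i, b.loan_id, "portfolio_period", f"sold {sold_on}, before period end"))
        # Duplicate billing: the same loan already billed by an earlier line for an overlapping period.
        for a in billings[:i]:
            if a.loan_id == b.loan_id and a.period_start <= b.period_end and b.period_start <= a.period_end:
                findings.append((i, b.loan_id, "duplicate_billing", f"also billed by {a.lender}"))
    flagged = {f[0] for f in findings}
    # Figures the report needs to place exceptions in perspective: total examined vs. exceptions.
    summary = {
        "billings_examined": len(billings),
        "dollars_examined": round(sum(b.interest_billed + b.allowance_billed for b in billings), 2),
        "billings_with_exceptions": len(flagged),
        "exception_dollars": round(sum(b.interest_billed + b.allowance_billed
                                       for i, b in enumerate(billings) if i in flagged), 2),
    }
    return findings, summary
```

Running `run_compliance_tests(SAMPLE_BILLINGS)` flags three of the four constructed billings (six findings) and reports $230.61 in exceptions against $295.20 examined.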
Compliance Testing

Case 1: High Vulnerability

As a result of information developed during the vulnerability assessment, assume that auditors/evaluators conclude that inherent risk is high; internal controls are weak; and as a result, the assignment plan must provide for extensive testing to determine compliance with laws and regulations. Tests should be directed toward those areas deemed most vulnerable to noncompliance and abuse. For example, such tests might include the following:

• Select a sample of lenders' billings that will provide a reasonable basis for determining the reliability of the payment process.
• Verify that the students met financial and other eligibility requirements by examining documents such as loan applications, tuition and other relevant costs, copies of tax returns, etc.
• Verify that the loans were approved for insurance under the program.
• Verify that schools were on Education's approved list.
• Determine that the correct interest rate was used to compute interest.
• Determine whether borrowers were active students (or were in the grace period) to decide who was liable for the interest.
• Recompute loan balances to verify that the lenders correctly computed them.
• Verify that lenders had the loan in their portfolios for the billing periods in question. (Lenders often sell loans to other institutions in what is commonly referred to as the secondary market.)

For each of the above tests, auditors/evaluators should also devise the detailed tasks necessary to perform the tests. For example, in determining whether borrowers were active students (or were in the grace period), thus making Education liable for loan interest payments, specific tasks could include the following:

• Check individual loan files at lending institutions to determine if lenders inquired whether borrowers were active students at the school.
• If schools responded to lender inquiries, note dates of student attendance and credit hours taken.
• Compare dates of attendance with the periods covered by the lenders' interest billings paid by Education to see if they correspond.
• If lenders' files do not contain needed information, contact schools and request dates of student attendance.

The above tests and tasks illustrate the work steps that might be used in the example. In practice, the work to be done must be adapted to the needs of a particular assignment, including time and cost considerations.

Throughout the assignment, auditors/evaluators should remain alert for indications of violations of indirect laws and regulations that could significantly affect assignment objectives. If such indications are noted, compliance tests should be extended to determine the impact of any such violations. If such violations concern possible illegal acts and abuses, caution should be used to ensure that GAO does not interfere with, jeopardize, or duplicate any ongoing or planned investigation and/or proceedings. (See p. 13.)

Case 2: Moderate Vulnerability

As an alternate scenario, assume that auditors/evaluators conclude that although inherent risk is high, internal controls are strong and, as a result, there is a moderate vulnerability to noncompliance and the assignment plan should provide a moderate degree of testing. As in the high vulnerability assessment, the tests should be designed to achieve the assignment objective and be directed toward those areas deemed most vulnerable to noncompliance and abuse.

Assume that one principal consideration influencing the assessment of strong internal controls was a recent audit by Education's Inspector General of interest and special allowances. Assume that GAO inquiries have determined that the IG audit

• was comprehensive in scope, examining interest and special allowance payments made to a representative sample of lenders over a wide geographical area;
• was carefully planned and supervised, was based on a logical methodology, and included an evaluation of internal control effectiveness; and
• identified significant overpayments and underpayments and made recommendations for improvement, which Education management agreed to implement.

However, assume that the IG audit did not verify that (1) the schools had been approved by Education for program participation and (2) lenders had the loans in their portfolios and the loans had not been sold to secondary-market institutions. Under these circumstances, GAO's audit tests might include

• reviewing the workpapers to examine the adequacy and the thoroughness of IG work,
• making supplemental tests of a small judgmental sample of transactions examined by the IG or similar transactions,
• determining if the corrective actions promised by Education management have been implemented, and
• selecting a representative sample of lenders' billings and determining whether (1) the schools were on Education's approved list and (2) lenders had the loans in their portfolios.

Auditors/evaluators would be expected to design detailed tasks to perform the above tests. For example, to determine if lenders had the loans in their portfolios, the following tasks might be performed:

• Obtain a computer printout showing borrowers' identification numbers at lenders selected for examination.
• Select a representative sample from the computer printout and examine lender documentation to confirm that loans were in their portfolios and were not sold to secondary-market institutions.

Case 3: Low Vulnerability

This case does not lend itself to a low vulnerability assessment because of the inherent risk.
In situations of low vulnerability, the following minimum steps should be included in the assignment plan:

• Review Education's latest FIA and IG reports to determine whether issues were reported concerning payment of interest and special allowance.
• Discuss with the division's FIA team members whether they have any knowledge of internal control weaknesses not disclosed in Education's FIA report.
• Discuss with Education officials and obtain their comments and any available reports, management studies, or other information relating to (1) whether interest and special allowance payments were evaluated under FIA and what the results were, (2) whether control objectives and procedures were established and tested to ensure they worked as intended, and (3) how adequate internal controls were to ensure proper interest and special allowance payments. Check for proper implementation of prior recommendations.
• Select a sample of lenders' billings and determine if Education records show that borrowers were eligible for loans.

Reporting Requirements

GAO's government auditing standards require the following:

"The report should include all significant instances of noncompliance and abuse and all indications or instances of illegal acts that could result in criminal prosecution that were found during or in connection with the audit."

GAO products should contain sufficient information to place the noncompliance in proper perspective. For example, if GAO finds that a single contract was awarded contrary to laws or regulations, the product should disclose the total number and the dollar values of contracts examined, as well as the dollar value of the improperly awarded contract.

If inclusion in the overall product of instances involving possible criminal prosecution would delay or compromise investigative or legal proceedings or otherwise preclude the product from being released to the public, such instances should be covered in a separate report to officials of the audited agency, law enforcement agencies, or the requester, as appropriate. The Office of the General Counsel should be consulted in determining how possible criminal prosecution should be reported.

Other instances of noncompliance not included in the overall product because of insignificance should be separately communicated to agency management, the IG, internal auditors, or the requester, as appropriate. The overall product should state that the noncompliance is being separately reported.

Chapter 5
Financial Audits: Audit Steps and Reporting Requirements

This chapter discusses a case example illustrating how to make a vulnerability assessment and determine the extent of expected compliance testing, assuming conditions of moderate vulnerability. It also discusses the requirement for preparing a compliance report on testing results.

Case Example

The following case illustrates how to apply the requirements, the concepts, and the principles discussed in this guide to a financial audit. The conditions described in this guide are hypothetical and are intended to illustrate the factors that affect the extent of compliance testing.

Assignment Objectives

Assume that GAO has been requested to determine if Education has fairly stated the interest and the special allowances paid for the Stafford Student Loan Program loans for the fiscal year ended September 30, 1988.

Risk Assessment

After obtaining a good understanding of applicable laws and regulations, auditors/evaluators should formulate questions to ask to discern the inherent risk. Besides the questions identified in the prior case study (see p. 33), examples of other questions to ask include the following:

• Because of budgetary constraints or other factors imposed on the program, are there incentives for Education to overstate or understate interest and special allowance payments?
• Are there any penalties for misreporting of interest and special allowance payments?
• Are interest and special allowance payments based on a relatively simple calculation, or is the determination a complex one using various interest rates?

Internal Control Assessment

The second step of the vulnerability assessment involves determining internal control effectiveness. To do this, auditors/evaluators should formulate questions focusing on understanding the internal control structure, determining if internal controls are in operation, and testing their effectiveness. Besides the questions identified in the previous case study (see p. 35), some additional questions to consider are as follows:

Compliance Testing

As a result of information developed during the vulnerability assessment, assume that auditors/evaluators conclude that inherent risk is high but that internal controls are strong and, as a result, the assignment plan must provide for moderate testing to determine compliance with laws and regulations. For example, such tests might include the following:

• Examine Education's summary account for interest and special allowance payments. Select a sample and trace selected entries to supporting subsidiary accounts or other documentation. Fully resolve any discrepancies.
• Obtain from lenders a printout or data tape showing the individual loans for which they billed Education for interest and/or special allowance payments for the fiscal year ended September 30, 1988; the payment amounts; and the loan balances.
• Test the data for accuracy, unusual items, and completeness.
• Test the reasonableness of interest and special allowance payments by relating them to loan balances.
• Take a sample of payments and trace them to lenders' quarterly billings. Reconcile any discrepancies.
• Determine how lenders periodically notify borrowers of outstanding balances. For loans in the sample, examine loan notices sent to borrowers and compare them with Education's records. Reconcile any discrepancies between Education records and notices to borrowers.
• Examine lender records and files to determine if borrowers reported discrepancies between loan balances and balances reported by lenders.

As in the prior case examples, auditors/evaluators would be expected to devise detailed tasks to effectively perform the above tests.

Reporting Requirements

GAO's government auditing standards require the following:

"The auditors should prepare a written report on their tests of compliance with applicable laws and regulations. This report, which may be included in either the report on the financial audit or a separate report, should contain a statement of positive assurance on those items which were tested for compliance and negative assurance on those items not tested. It should include all material instances of noncompliance and all instances or indications of illegal acts which could result in criminal prosecution."
If auditors/evaluators find no instances or indications of material noncompliance, the compliance report should include

• a statement of positive assurance that the test results indicate that with respect to the items tested, the entity complied in all material respects with the laws and regulations referred to in the scope, and
• a statement of negative assurance that with respect to items not tested, nothing came to the auditors'/evaluators' attention that caused them to believe that the entity had not complied in all material respects with these laws and regulations.

If auditors/evaluators find instances of material noncompliance, they should state that they considered these instances in forming their opinion on the financial statements and whether these instances affected their opinion and how. The statement on assurance should be similar to the following:

"Except as described above, the results of our tests of compliance with laws and regulations indicate that with respect to the items tested, the Administration complied in all material respects with the provisions referred to above. With respect to items not tested, nothing came to our attention that caused us to believe that the Administration had not complied in all material respects with those same provisions."

Instances of noncompliance with laws and regulations that are nonmaterial from a quantitative and qualitative perspective should be reported to top management via a management letter. If applicable, the compliance report should state that the auditors/evaluators found instances of nonmaterial noncompliance with laws and regulations that are being separately reported to management.
Further information on compliance reports can be found in chapter 5 of the Yellow Book and Statement on Auditing Standards 63 issued by the American Institute of Certified Public Accountants: Compliance Auditing Applicable to Government Entities and Other Recipients of Governmental Financial Assistance. Two sample compliance reports are presented below.

Sample Compliance Report: No Material Noncompliance

To the Administrator
Federal Administration Agency

We have audited the consolidated financial statements of the Federal Administration Agency (Administration) for the fiscal year ended September 30, 19xx, and have issued our opinion thereon dated [date of opinion]. As part of our audit, we tested the Administration's compliance with certain laws and regulations that, if not followed, could have a direct and material impact on the financial statements. This report pertains only to our consideration of compliance with laws and regulations for the year ended September 30, 19xx. Our report on compliance with laws and regulations for the year ended September 30, 19xx [the prior year], is presented in GAO/AFMD-xx-xx dated [date].

We conducted our audit in accordance with generally accepted government auditing standards [except as described in the following paragraph]. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement.

[Summarize scope limitations, if any.]

Compliance with laws and regulations applicable to the Administration is the responsibility of the Administration's management. As part of obtaining reasonable assurance as to whether the consolidated financial statements were free of material misstatement, we tested the Administration's compliance with the following provisions of laws and regulations [or as listed in an attachment].
However, our primary ob~jectivewas not to provide an opinion on overall compliance with such provisions. [List provisions tested.] Our test results indicate that with respect to the items tested, the Administration complied, in all material respects, with the provisions referred to above. With respect to items not tested, nothing came to our attention t,hat caused us to believe that the Administration had not complied, in all material respects, wit.h these provisions. IIowevor, we found matters involving compliance issues meriting man- agement’s attention, and they are being reported separately to management.. Signature Date Page 47 GAO/OP-4.1.2 Chapter 5 Financial Audits: Audit Steps and Reporting Requirements Sample Compliance Report Material To the Administrator Noncompliance Federal Administration Agency We have audited the consolidated financial state- ments of the Federal Administration Agency (Administration) for the fiscal year ended Septem- ber 30, 19xx, and have issued our opinion thereon dated [date of opinion]. As part of our audit, we tested the Administration’s compliance with certain laws and regulations which, if not followed, could have a direct. and material impact on the financial statements. This report pertains only to our consid- eration of compliance with laws and regulations for the year ended September 30, 19xx. Our report. on compliance with laws and regulations for the year ended September 30, 19xx [the prior year], is pre- sented in GAO/AFMD-xx-xx dated We conducted our audit in accordance with gener- ally accepted government auditing standards [except as described in the following paragraph]. Those standards rcquirc that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of mate- rial misstatement. [Summarize scope bmitations, if any.] Compliance with laws and regulations applicable to the Administ.ration is the responsibility of the Administration’s management. 
As part of obtaining reasonable assurance as to whether the consoli- dated financial statements were free of material misstatement, we tested the Administration’s com- pliance with the following provisions of laws and regulations [or as listed in an attachment]. Ilowever, Page 48 GAO,‘OP-4.1.2 Chapter 5 Financial Audits Audit Steps and Reporting Requirements our primary objective was not to provide an opinion on overall compliance with such provisions. [List provisions tested.1 During our audit, we noted the following instances of noncompliance. (Describe each significant, instance of noncompli- ance and recommendedcorrective action. One of the recommendations should suggest that the agency report these weaknessesin its next Financial Integ- rity Act report.] We considered these material instances of noncom- pliance in forming our opinion on whether the Administration’s 1Hxx consolidated financial state- rrrclntsarc pre’sc>nt CY~fairly, in all material rcspcrls, in c*trnformit.ywith gctncrally acc’cptcd accacmnting principlrs, and this rapporttlocs not affec? our report on 1host ctrr~soIiclalc~~financial statcmcnt 5. Except as described above, the results of our tests of compliance with laws and regulatirrns indicate that with respect to the items tested, the Adminis- tration complied, in all material respects, with the provisions referred to above. With respect to items not tested, nothing came t.o our attention that, caused us to believe that the Administration had not complied, in all material respects, with these provisions. We found other matters involving compliance issues meriting managcment,‘satt.cntion. They are being reported separately to management. Signature Date Page 49 GAO,‘OP-4.1.2 Requests for copies of GAO documents should be sent to: U.S. General Accounting Office Post Office Box 6015 Gaithersburg, Maryland 20877 Telephone 202-275-6241 The first five copies of each report are free. Additional copies are $2.00 each. 
There is a 26% discount on orders for 100 or more copies mailed to a single address. Orders must be prepaid by cash or by check or money order made out to the Superintendent of Documents.
Assessing Compliance With Applicable Laws and Regulations
Published by the Government Accountability Office on 1989-12-01.