financial internal audit

8/7/2019 Financial Internal Audit

1/507

July 2001 GAO/PCIE Financial Audit Manual Forward-1

Financial Audit Manual

Foreword

On behalf of the General Accounting Office (GAO) and the Presidents Council on Integrityand Efficiency (PCIE), we are pleased to present the first-ever GAO/PCIE Financial Audit

Manual.

With passage of the Government Management and Reform Act of 1994, executive branchInspectors General and GAO gained statutory responsibility for auditing agency andgovernment-wide consolidated financial statements, respectively. Since that time, GAO andthe PCIE community have worked cooperatively to ensure that these audits are of thehighest possible quality, consistency, and cost-effectiveness. This manual is a naturaloutgrowth of that cooperation. More importantly, the new manual represents our ongoingefforts to ensure that financial statement audits achieve their intended outcomes ofproviding enhanced accountability over taxpayer-provided resources.

We extend our thanks to the many individuals and organizations that provided commentsand insights to make the manual stronger. The Task Force assembled by GAO and the PCIEalso deserves much credit for its dedication to completing this project.

Jeffrey C. Steinhoff The Honorable Gregory H. FriedmanManaging Director Chair, Audit CommitteeU.S. General Accounting Office Presidents Council on Integrity

and Efficiency


2/507

[This pa ge int ent iona lly left blan k.]


3/507

CONTENTS


4/507

[This pa ge int ent iona lly left blan k]


5/507

CONTENTS

J uly 2001 GAO/PCIE Financia l Audit Manual Con ten ts-1

100 INTRODUCTION

200 P LANNING P HASE

210 Overview

220 Un dersta nd th e E nt ity's Opera tion s

225 P er for m P r elim in a ry An a lyt ica l P r oced ur es

230 Det er m in e P la n n in g, Des ign , a n d Test Ma t er ia lit y

235 Ident ify Significant Line It ems , Accounts , Assert ions , and

RSSI

240 Ident i fy Significant Cycles, Account ing Applicat ions , and Financial

Management Systems

245 Ident ify Significant Provis ions of Laws and Regula t ions

250 Iden tify Releva nt Bu dget Rest rict ion s260 Ident ify Risk Factors

270 Determine Likelihood of Effect ive Informat ion Sys tem Cont rols

275 I den t ify Relevan t Oper a t ions Con t r ols to Eva lua t e and Tes t

280

285

Plan Other Audit Pr ocedures

Inquiries of Attorneys

Management Representations

Related P ar ty Transa ctions

Sensitive Paymen ts

Reaching an Underst an ding with Man agement an d Requesters

Other Audit RequirementsPla n Locat ions t o Visit

290 Documenta t ion

Appen dixes to Sec t ion 200:

295 A Pot en t ia l I nher en t Ris k Cond it ions

295 B Potent ial Control Environment , Risk Assessment , Communicat ion ,

and Monitoring Weaknesses

295 C An Approach for Mult iple-Locat ion Audits

295 D Inter im Substant ive Test ing of Balance Sheet Accounts

295 E Effect of Risk on Extent of Audit Procedures

295 F Types of Informat ion Sys tem Cont rols

295 G Bu dget Con trols

295 H Laws Ident ified in OMB Audit Guidance and Other General Laws

295 I Examples of Auditor Responses to Fraud Risk Factor s

295 J Steps in Assess ing Informat ion Sys tem Cont rols


6/507

Contents

J uly 2001 GAO/PCIE Financia l Audit Manual Content s-2

300 INTERNAL CONTROL P HASE

310 Overview320 Un der sta nd In form at ion Syst em s

330 Iden tify Con tr ol Object ives

340 I den t ify and Unders tand Relevan t Con t r ol Act ivit ies

350 Det er mine t he Na t ur e, Timing, and Ext en t of Con t r ol Tes ts and of

Tests for Syst ems' Complian ce with F FMIA Requirement s

360 Per for m Nonsampling Con t r ol Test s and Tes ts for Sys tems '

Complian ce with F FMIA Requiremen ts

370 Assess Con tr ols on a P relim in ar y Ba sis

380 Other Considera t ions

390 Documenta t ionAppen dixes to Sect ion 300:

395 A Typical Relat ionships of Accounting Applications to Line

Items/Accounts

395 B Fina ncial Sta tement Assertions an d Potential

Misstatements

395 C Typ ica l Con t r ol Act ivit ie s

395 D Selected Sta tu tes Relevant to Budget Execut ion

395 E Bu dget Execu t ion Pr ocess

395 F Bu dget Con t rol Object ives

395 F

Sup

Budget Control ObjectivesFeder al Credit Reform Act Su pplement

395 G Rot a t ion Tes ting of Con t r ols

395 H Specific Cont rol Evaluat ion Worksheet

395 I Accou n t Risk An a lysis F or m


7/507

Contents

J uly 2001 GAO/PCIE Financia l Audit Manual Con ten ts-3

400 TESTING P HASE

410 Overview420 Con sid er th e N a tu r e, Tim in g, a n d E xt en t of Test s

430 Design Efficien t Tests

440 P erform Tests an d E va lu ate Resu lt s

450 Sampling Control Tests

460 Compliance Test s

470 Substant ive TestsOverview

475 Su bst an tive An alyt ica l P rocedu res

480 Substant ive Deta il Tests

490 Documenta t ion

Appen dixes to Sec t ion 400:495 A Determining Whether Substant ive Analyt ical Procedures Will Be

Efficient and Effective

495 B Example Procedures for Tes ts of Budget Informat ion

495 C Gu id an ce for In t er im Test in g

495 D Example of Audit Matr ix with Stat is t ical Risk Factors

495 E Sampling

495 F Manua lly Select ing a Dolla r Un it Sampling


8/507

Contents

J uly 2001 GAO/PCIE Financia l Audit Manual Content s-4

500 REP ORTING P HASE

510 Overview520 P er for m Over all An alyt ica l P rocedu res

530 Det er mine Adequacy of Aud it P r ocedur es and Audit Scope

540 Evalua te Missta tements

550 Con clu de Ot her Au dit P rocedu res

Inqu iries of Att orneys

Subsequent Events

Management Representations

Relat ed Par ty Tran sactions

560 Det er m in e Con for m it y Wit h Gen er a lly Accep ted

Accoun tin g Pr inciples570 Det er min e Com plia n ce wit h GAO/P CIE Financial Audit Manu al

580 Draft Repor t s

Financial Sta tements

Intern al Cont rol

Fina ncial Management Systems

Complian ce with Laws an d Regula tions

Oth er In forma tion in th e Accoun ta bility Report

590 Documenta t ion

Appen dixes to Sect ion 500:

595 A E xa m ple Au dit or 's Repor tUnqualified595 B Sugges ted Modificat ions to Auditor 's Repor t

595 C Example Summary of Possib le Adjus tments

595 D Example Summary of Unadjust ed Mis st a t emen t s

APPENDIXES

A Consulta t ions

B In st an ces Wh er e t he Au dit or "Mu st " Com ply wit h t he F AM

GLOSSARY

ABBREVIATIONS

INDEX


9/507

SECTION 100

Introduction


10/507

Figu re 100.1: Meth odology Overview

Pl anni ng Phas e Section Understand the en tity's operat ions 220

Perform preliminary analyt ical procedures 225

Determine planning, design, and test mater ia lity 230

Iden tify s ign ifica nt lin e it em s, a ccou nt s, a sser tion s, a nd RSSI 235 Ident ify significan t cycles, accountin g applications, an d finan cial

management systems 240

Ident ify sign ificant provisions of laws and regulat ions 245

Ident ify relevant budget rest r ict ions 250

Assess r isk factors 260

Det er min e likelih ood of effect ive in for ma tion syst em con tr ols 270

Ident ify relevant opera t ions cont rols to evaluate and test 275

Plan other audit procedures 280

Plan loca tions to visit 285

Internal Control Pha se Section Understand informat ion systems 320

Ident ify con t rol object ives 330

Ident ify and understand relevant cont rol act ivit ies 340

Determ ine the n at ure, timing, and extent of cont rol tests an d of tests

for systems compliance with FFMIA requirements 350

Per form nonsa mpling cont rol tes ts a nd t ests for syst ems complian ce

with FFMIA requirements 360

Assess cont rols on a preliminary basis 370

Testing Ph ase Section Consider the nature, t iming, and extent of test s 420

Design efficien t test s 430

Perform tests and evaluate result s 440

Sampling cont rol test s 450

Compliance test s 460

Substant ive test s 470

Substant ive analyt ica l procedures 475

Substant ive deta il tests 480

Report ing P hase Section Perform overa ll analyt ica l procedures 520 Determine adequacy of audit procedures and audit scope 530

Evaluate missta tements 540

Conclude other audit procedures: 550

Inquire of attorneys

Consider subsequent events

Obtain mana gement representations

Consider related par ty tra nsa ctions

Determine conformity with generally accepted accounting principles 560

Determine compliance with GAO/PCIE Financial Audit Manu al 570

Draft repor ts 580


11/507

100 INTRODU CTION

J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-1

.01 This int roduction provides a n overview of th e m eth odology of the Genera lAccoun tin g Office (GAO) an d t he P residen ts Council on I n tegr ity and

Efficiency (PCIE) for performing financial statement audits of federal

ent ities, describes how th e meth odology relat es to relevan t a uditin g and

at testat ion stan dards an d Office of Mana gement a nd Budget (OMB)

guidan ce, an d outlines k ey issues to be considered in u sing th e met hodology.

OVERVIEW OF THE METHODOLOGY

.02 The overa ll pur poses of perform ing finan cial sta tem ent au dits of federa lent ities include providing decisionm ak ers (finan cial sta tem ent user s) withassur an ce as to wheth er th e finan cial stat ements a re reliable, interna l

cont rol is effective, an d laws an d regula tions ar e complied with . To achieve

th ese purposes, th e appr oach to federa l fina ncial stat emen t au dits involves

four ph ases:

Plan th e au dit to obta in relevant inform at ion in t he m ost efficient

manner .

Eva luat e th e effectiveness of th e ent ity's int ern al cont rol and, for Ch ief

Fin an cial Officers (CFO) Act Agencies an d component s designa ted byOMB, whether financial management systems substantially comply with

the r equirements of th e Federal Fina ncial Mana gement Improvement

Act of 1996 (FF MIA): federa l finan cial ma na gement systems


12/507

100 INTRODU CTION

J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-2

requirements, applicable federal accounting standards,1

and the U.S.

Government Standard General Ledger(SGL) at th e tra nsa ction level.2

Test th e significan t assertions r elat ed to the finan cial statem ents a nd

test complian ce with la ws and r egulat ions.

Report th e result s of au dit procedur es perform ed.

These phases a re illustr at ed in figure 100.1 an d a re sum ma rized below.3

Planning Phase

.03 Although pla nn ing cont inu es th roughout t he a udit, th e objectives of th isinitial pha se ar e to identify significan t a rea s an d to design efficient a udit

procedur es. To accomplish th is, th e meth odology includes guida nce to help in

understanding the entity's operations, including its organization,

ma na gement style, an d intern al an d externa l factors influencing the

operat ing environm ent;

identifying significan t accoun ts, a ccoun ting applicat ions, a nd finan cial

management systems; important budget restrictions, significant

1 In October 1999 th e American Inst itut e of Certified Pu blic Accoun ta nt s(AICPA) recognized the Federal Accounting Standards Advisory Board

(FASAB) as th e a ccoun ting st an dar ds-sett ing body for federal govern men t

ent ities under Rule 203 of th e AICPAs Code of Pr ofessional Cond uct. Thu s,

FASAB sta nda rds a re r ecognized as gener ally accepted a ccoun ting pr inciples

(GAAP) for federa l entities. FASAB stan dar ds (Sta tem ent of Feder al

Fina ncial Accoun ting St an dar ds No. 8, para gra ph .40) allow governm ent

corporat ions a nd certa in other federal ent ities to report u sing GAAP issued

by the F inan cial Accoun ting St an dar ds Boar d (FASB).

2Testin g for FF MIA is most efficient ly accomplished, for t he m ost pa rt , as

part of the work done in un derstan ding agency systems in th e Intern al

Cont rol pha se of th e au dit.

3The m eth odology present ed is for per form an ce of a finan cial sta tem ent au dit.

If the a uditor is to use t he work of an oth er a udit or, see FAM section 650

(under revision).


13/507

100 INTRODU CTION


provisions of laws a nd regula tions; an d relevan t cont rols over th e ent ity's

operations;

det erm ining th e likelihood of effective informa tion syst ems (IS) contr ols;

perform ing a prelimina ry risk assessm ent t o identify high-risk ar eas,

including considering t he r isk of fra ud; an d

plan ning ent ity field locat ions to visit.

Intern al Cont rol Ph ase

.04 This phase ent ails evalua ting an d testing interna l contr ol to support th eau ditor's conclusions about th e a chievemen t of the following inter na l control

objectives:

Reliability of fina ncial reportin gtr an sactions ar e pr operly r ecorded,

processed, an d summ ar ized to perm it the pr epar at ion of th e principal

stat ements a nd r equired supplementa ry stewardship informa tion (RSSI)

in accordance with generally accepted accounting principles (GAAP), and

asset s are sa feguar ded again st loss from un au th orized acquisition, use,

or disposition.

Complian ce with a pplicable laws and r egulat ionstra nsa ctions areexecut ed in accordan ce with (a) laws governing th e u se of budget

au thority and other laws an d regulations th at could ha ve a direct a nd

ma ter ial effect on th e principal sta tem ent s or RSSI an d (b) an y oth er

laws, regula tions, an d govern men twide policies identified by OMB in its

au dit guidance.

OMB audit guidance requires the a uditor t o test contr ols tha t h ave been

properly designed to achieve th ese objectives an d placed in opera tion, t o

support a low assessed level of cont rol risk. This ma y be enough testin g to

give an opinion on int ern al cont rol. GAO au dits sh ould be designed t o give


14/507

100 INTRODU CTION


an opinion on int ern al cont rol.4

If the a uditor does not give an opinion,

genera lly accepted governm ent a uditin g stan dar ds (GAGAS) requ ire the

report t o sta te whet her test s were sufficient t o give an opinion.

.05 OMBs a udit guidan ce includes a th ird objective of inter na l cont rol, relat ed toperforma nce measur es. The auditor is required to un derstan d the

componen ts of inter na l cont rol relating to th e existen ce an d completen ess

assertions a nd t o report on int erna l contr ols tha t h ave not been properly

designed a nd placed in operat ion, ra th er th an to test cont rols.

.06 This ma nu al also provides guidance on evalua ting inter na l controls relat ed toopera ting objectives tha t th e aud itor elects to evalua te. Such cont rols include

those related to safeguarding assets from waste or preparing statistical

reports.

.07 To evaluate int erna l contr ol, the au ditor identifies and u ndersta nds t herelevant cont rols an d test s th eir effectiveness. Where cont rols ar e considered

to be effective, the exten t of subst an tive testin g can be redu ced.

.08 The methodology includes guidance on as sessing specific levels of contr ol risk,

selecting controls to test,

determining the effectiveness of IS controls, and

testin g cont rols, including coordina ting cont rol tests with th e testin g

phase.

.09 Also, durin g th e inter na l cont rol phase, for CF O Act a gencies an d th eircomponen ts iden tified in OMBs a udit guidan ce, the au ditor should

un derstan d th e entitys significan t fina ncial ma na gement systems a nd test

their compliance with FFMIA requirements.

4AICPA attesta tion stan dards allow th e au ditor t o give an opinion on interna l

cont rol or on m an agemen ts a ssertion a bout th e effectiveness of inter na l

cont rol (except t ha t if ma ter ial weakn esses are pr esent, th e opinion m ust be

on inter na l cont rol, not ma na gement s assert ion). The example report in th is

ma nu al a ssum es th e opinion will be on int ern al cont rol directly.


15/507

100 INTRODU CTION


Testing Pha se

.10 The objectives of th is pha se ar e to (1) obta in r easona ble assur an ce aboutwhether t he financial stat ements a re free from mat erial misstat ements,

(2) determin e whet her th e ent ity complied with significan t provisions of

app licable laws a nd regula tions, a nd (3) assess th e effectiveness of inter na l

control th rough cont rol test s tha t a re coordina ted with other t ests.

.11 To achieve these objectives, th e met hodology includes gu idan ce on designing a nd perform ing substa nt ive, complian ce, and cont rol tests;

designing and evalua ting au dit samples;

correlating risk an d ma teriality with th e nat ure, timing, an d extent of

substan tive tests; an d

designing multipurpose tests tha t use a common sa mple to test several

different controls and specific accounts or transactions.

Reporting P ha se

.12 This pha se completes th e aud it by reporting useful inform at ion a bout t heent ity, based on th e result s of au dit procedur es performed in th e preceding

pha ses. This involves developing the a uditor's report on th e entity's

(1) finan cial stat emen ts (also called Principal Sta tem ent s) an d oth er

inform a tion (ma na gemen ts discus sion a nd a na lysis [MD&A] or the overview,

RSSI, other required supplementary information, and other accompanying

inform at ion), (2) inter na l cont rol, (3) wheth er t he finan cial m an agemen t

systems su bsta nt ially comply with F FMIA requiremen ts, an d (4) complian ce

with laws an d regulat ions. To assist in th is process, th e meth odology

includes guida nce on form ing opinions on th e principal stat emen ts a nd

conclusions on int ern al cont rol, as well as h ow t o determ ine wh ich findings

should be reported. Also included is an examp le report designed t o be

un derstan dable to th e reader.


16/507

100 INTRODU CTION


RELATIONS HIP TO AP P LICABLE STANDARDS

.13 The following section describes the relationship of this audit methodology toapplicable au diting sta nda rds, OMB guidan ce, and other policyrequirements. It is organized into th ree areas:

relevan t au diting stan dards a nd OMB guidance,

au dit r equirem ent s beyond th e yellow book, an d

au diting sta nda rds an d other policies not addressed in t his man ua l.

Relevant Auditing Standa rds an d OMB Guidance

.14 This ma nu al provides a fra mework for perform ing fina ncial stat emen t au ditsin a ccorda nce with Government Auditing Standards (also known as gen era lly

accepted governm ent a uditin g stan dar ds or GAGAS) issued by the

Compt roller Gener al of th e Un ited St a tes ("yellow book"); incorporat ed

generally accepted au diting sta nda rds (GAAS) and a ttesta tion stan dar ds

esta blished by t he American In stitu te of Certified Pu blic Accoun ta nt s

(AICPA); an d OMBs a ud it gu idan ce.

.15 This man ua l describes an au dit meth odology th at both integrates th erequirements of the sta nda rds an d provides implementa tion guidance. The

met hodology is designed t o achieve

effect ive au dits by considering complian ce with th e CF O Act, F FMIA,

GAGAS, and OMB guidance;

efficient au dits by focusing a udit procedur es on a rea s of higher risk a nd

ma teriality and by providing an integrated a pproach designed to gather

evidence efficiently;

qual i ty control th rough a n a greed-upon fram ework t ha t can be followed

by all personn el; an d

consis te ncy of appl icat ion th rough a docum ent ed meth odology.

.16 The ma nu al supplemen ts GAGAS an d OMBs aud it guidance. References arema de to Stat emen ts on Auditin g Sta nda rds (preceded by the pr efix "AU") an d

Statements on Standards for Attestation Engagements (SSAE) (preceded by


17/507

100 INTRODU CTION


the pr efix "AT") of th e Codification of S tatem ents on Au diting S tandard s,

issued by th e AICPA, tha t a re incorporat ed into GAGAS.

Audit Requ irem ent s Beyond th e Yellow Book

.17 In a ddition t o meet ing GAGAS requ iremen ts, au dits of federa l entities towhich OMB's audit gu idance applies must be designed to achieve th e

following objectives d escribed in OMBs a udit guida nce:

responsibility for performing sufficient tests of internal controls that

ha ve been properly designed a nd placed in operat ion, to support a low

as sessed level of cont rol risk;

expan sion of the n at ure of contr ols that ar e evalua ted an d tested t o

include cont rols related to RSSI, budget execut ion, a nd complian ce with

laws and regulations;

responsibility to under sta nd t he componen ts of inter na l cont rol relat ing

to the existence an d completeness asser tions r elevan t t o th e perform an ce

mea sur es included in t he MD&A, in order t o report on cont rols th at ha ve

not been properly designed an d placed in operat ion;

responsibility t o consider t he en tit y's process for complying with 31

U.S.C. 3512 (th e Feder al Ma na gers' Fina ncial Int egrity Act (FMFIA));

responsibility t o perform test s at CFO Act a gencies an d componen ts

identified by OMB to report on t he en tity's finan cial ma na gement

systems' substantial compliance with FFMIA requirements;

responsibility t o test for complian ce with laws, regulat ions, a nd

govern men twide policies ident ified in OMBs au dit gu idan ce a t CF O Act

agencies (regar dless of th eir ma ter iality to th e au dit); an d

responsibility t o consider conform ity of th e MD&A, RSSI, r equir ed

supplemen ta ry inform at ion, an d oth er accompa nying inform at ion with

FASAB requiremen ts an d OMB guidan ce.


18/507

100 INTRODU CTION


.18 To help achieve th e goals of th e CFO Act, GAO au dits sh ould be designed t oachieve th e following objectives,

5in a ddit ion t o those described in OMBs

au dit guidance:

Pr ovide an opinion on inter na l cont rol.

Determ ine th e effects of missta tem ent s an d intern al cont rol weakn esses

on (1) th e achievemen t of opera tions cont rol objectives, (2) th e accur acy of

reports pr epar ed by th e entity, an d (3) th e form ula tion of th e budget.

Determ ine whet her specific cont rol activities ar e properly designed a nd

placed in operat ion, even if a poor cont rol environm ent precludes th eir

effectiveness.

Understand the components of internal control relating to the valuation

asser tion relevan t to perform an ce measu res reported in t he MD&A in

order t o report on cont rols th at ha ve not been pr operly designed an d

placed in operat ion.

Auditing Stan dards an d Oth er P olicies Not Addressed in t he Man ua l

.19 This ma nu al was designed to supplemen t fina ncial audit a nd other policiesan d procedur es adopted by GAO an d Inspectors Genera l (IGs). As such, it

was not intended to address in deta il all requirement s. For exam ple, reportprocessing is not a ddressed.

.20 Updat es to this ma nua l tha t include additiona l audit guidance and pra cticeaids, such as checklists an d au dit program s, will be issued from tim e to time.

GAO an d a team representing th e PCIE au dit committ ee will be responsible

for pr epar ing th e upda tes. There will be an exposur e process for significan t

updates.

KEY IMPLEMENTATION ISSU ES

.21 The a uditor sh ould consider th e following factors in applying th emet hodology to a par ticular en tity:

5

The m an ua l refers specifically to objectives of GAO au dits in var ious

sections. Such objectives are optiona l for other au dit organizat ions.


19/507

100 INTRODU CTION


audit objectives,

exercise of professiona l judgmen t,

referen ces to positions,

use of IS a uditors,

complian ce with policies and p rocedur es in th e ma nu al,

use of technical term s, and

referen ce t o GAO/PCI E Financial Audit Manu al (FAM).

Audit Objectives

.22 While cert ain federa l entities ar e not subject t o OMB audit gu idan ce,finan cial sta tem ent au dits of all federa l entities should be condu cted in

accorda nce with th is guida nce to the extent app licable to achieve th e au dit's

objectives. The ma nu al gener ally assu mes th at t he objective of th e audit is to

render an opinion on th e curr ent year financial sta tement s, a report on

inter na l cont rol, an d a report on complian ce. Where these ar e not th e

objectives, th e aud itor should use judgment in a pplying th e guidance. In

some circum sta nces, the a uditor will expect t o issue a disclaimer on t he

curren t year fina ncial stat emen ts (becau se of scope limita tions). In th ese

circumsta nces, th e au ditor may develop a m ultiyear p lan t o be able to ren der

an opinion when th e finan cial stat emen ts ar e expected to become audita ble.

Exercise of Professiona l J udgm ent

.23 In performing a financial sta tement au dit, the a uditor should exerciseprofessiona l judgment . Consequ ent ly, th e auditor should ta ilor th e guidan ce

in the ma nu al to respond to situ ations encoun tered in an au dit. However,

th e auditor must exercise judgment properly, assuring tha t, at a m inimum,

th e work m eets professiona l stan dar ds. Pr oper a pplicat ion of professiona l

judgment could resu lt in add itiona l or m ore extensive aud it procedur es tha n

described in t his man ua l.

.24 In a ddition, when exercising judgment , the au ditor should consider t he n eedsof, and consult in a timely ma nn er with, oth er a uditors who plan to use th e

work being perform ed. In tu rn , th e auditor should coordina te with oth er

au ditors whose work h e or sh e wishes to use so th at th e judgm ent s exercised

can sat isfy the needs of both au ditors. For examp le, au ditors of a

consolidated ent ity (such as the US Governm ent or a n entire depar tmen t or

agency) ar e likely to plan to use t he work of auditors of subsidiary en tities


20/507

100 INTRODU CTION


(such as individual depart ment s a nd agencies or bu reau s a nd components of

a d epar tm ent ). This coordinat ion can resu lt in m ore economy, efficiency, an d

effectiveness of government audits in general and avoid duplication of effort.

.25 Man y aspects of th e audit requ ire techn ical judgm ent s. The au ditor shouldensu re a person(s) with a dequa te techn ical expertise is (ar e) ava ilable,

especially in t he following a rea s:

quan tifying plan ning m at eriality, design m ater iality, and test

ma teriality and using ma teriality as one consideration in determining

the extent of testing (see section 230);

specifying a m inimu m level of subst an tive assur an ce based on the

assessed combined r isk, ana lytical pr ocedur es, and deta il tests (see

sections 470, 480, an d 495 D);

docum ent ing wheth er selections are sa mples (inten ded to be

repr esenta tive an d pr ojected to popula tions) or n onsa mpling selections

that are not projectible (see section 480);

using sa mpling met hods, such a s dollar -un it sam pling, classical var iables

estima tion sa mpling, or classical probability p roport iona l to size (PP S)

sam pling, for su bsta nt ive or mult ipurpose testing (including

nonstatistical sampling) (see section 480);

using sampling for cont rol testing, oth er th an at tribute sampling using

th e ta bles in section 450 to determ ine sam ple size when n ot per forming a

mu ltipurpose test;

using sa mpling for complian ce test ing of laws an d regulat ions, other t ha n

at tribute sampling using the ta bles in section 460 to determine sa mple

size when not perform ing a mu ltipurp ose test; an d

placing complete or pa rt ial reliance on a na lytical pr ocedur es, using test

ma ter iality to calculate t he limit. The limit is th e am oun t of difference

between the expected a nd r ecorded a mounts tha t can be accepted without

fur th er investigation (see section 475).


21/507

100 INTRODU CTION


References to Positions

.26 Var ious sections of th is man ua l mak e referen ce to consu ltat ion with au ditma na gement a nd/or persons with technical expert ise to obta in appr oval oradd itiona l guidan ce. Key consu ltat ions should be docum ent ed in th e audit

workp aper s. Ea ch au dit orga nizat ion should docum ent , in the work paper s or

its a ud it policy ma nu a l, the s pecific positions of persons wh o will perform

th ese fun ctions. An IG using a firm to perform an au dit in accorda nce with

th is man ua l should clar ify an d docum ent th e positions of th e persons th e firm

should consu lt in va rious circum sta nces.

Th e Assistant Direc tor is th e top person responsible for th e da y-to-daycondu ct of th e au dit.

Th e Audit Direc tor is the sen ior m an ager r esponsible for the t echn ical

quality of the fina ncial sta tement au dit, reporting t o the Assistan t

Inspector Genera l for Audit or, a t GAO, to the Ma na ging Director.

Th e Revi ewer is the sen ior m an ager r esponsible for t he qu ality of th e

au ditor's reports, reporting to the Assista nt Inspector Genera l for Audit

(or higher position) or, at GAO, is th e Man aging Director or th e second

par tn er. The Reviewer ma y consu lt with oth ers.

Th e Stat is t ician is the person t he a udit or consu lts for t echn icalexpertise in a reas such as a udit sam pling, audit sam ple evaluation, an d

selecting en tit y field locations t o visit.

Th e Data Extract ion Special is t is the person with technical expert isein extra cting da ta from agen cy records.

Th e Technica l Accou nting and Audit ing Expert is th e senior

ma na ger reporting to the Assistan t In spector Genera l for Audit or h igher

or, at GAO, is the Chief Accoun ta nt . The Techn ica l Accoun tin g an d

Auditin g Expert advises on a ccoun ting an d au diting professiona l mat ter san d related na tional issues. The Techn ical Accoun ting an d Auditin g

Expert r eviews reports on fina ncial sta tement s an d reports th at cont ain

opinions on financial information.

Th e Office of General Coun sel (OGC) provides a ssistan ce t o th e

au ditor in (1) identifying provisions of laws a nd regula tions to test ,


22/507

100 INTRODU CTION


(2) identifying budget restrictions, and (3) identifying and resolving legal

issues encoun tered in t he fina ncial sta tement au dit, such as evalua ting

potentia l inst an ces of noncomplian ce.

Th e Spec ial Invest igator Unit investigates specific allegations

involving conflict-of-inter est an d eth ics m at ter s, cont ra ct an d

procur ement irregula rities, official misconduct an d a buse, an d frau d in

federa l progra ms or a ctivities. In t he offices of th e IGs th is is th e

investigation un it; at GAO, it is Special Investigations. The Special

Investigat or U nit pr ovides assista nce to th e au ditor by (1) inform ing th e

au ditor of relevant pending or completed invest igations of th e ent ity an d

(2) investigat ing possible insta nces of federa l fra ud, wa ste, an d a buse.

Use of Inform at ion Systems Auditors

.27 The au dit sta nda rds (SAS 94) require th at th e au dit tea m possess sufficientkn owledge of inform at ion syst ems (IS) to deter min e th e effect of IS on th e

au dit, to un derst an d th e IS cont rols, an d to design an d perform tests of IS

cont rols an d substa nt ive test s. This is gener ally done by having IS au ditors

as pa rt of th e audit t eam . IS au ditors should possess sufficient technical

kn owledge an d experience to under sta nd t he r elevan t concepts discussed in

the m an ua l and to apply th em to the au dit. While the au ditor is ultima tely

responsible for a ssessing inh erent an d cont rol risk, assessing th e

effectiveness of IS cont rols requ ires a person with IS a udit technical skills.Specialized techn ical skills generally ar e needed in situ at ions wh ere, (1) th e

ent itys systems, aut oma ted cont rols, or th e man ner in which th ey ar e used

in condu cting th e en titys bu siness a re complex, (2) significan t cha nges h ave

been ma de to existing system s or new system s implement ed, (3) dat a a re

extensively sha red a mong systems, (4) th e ent ity par ticipa tes in electr onic

comm erce, (5) th e ent ity us es emer ging techn ologies, or (6) significan t a ud it

eviden ce is ava ilable only in electr onic form . Appen dix V of GAOs Federal

Inform ation S ystem Controls Aud it M anual (FISCAM) cont ain s exam ples of

kn owledge, skills, an d abilities needed by IS au ditors. Certa in fina ncial

au ditors also ma y possess IS au dit technical skills. In some cases, the

au ditor ma y require out side consu ltan ts to provide these skills.

Complian ce With Policies and P rocedur es in the Ma nu al

.28 The following term s ar e used th roughout t he m an ua l to describe the degree ofcompliance with the policy or procedure required.


23/507

100 INTRODU CTION


Must: Complian ce with th is policy or p rocedur e is ma nda tory

un less an exception is appr oved in writing by th e Reviewer,6

such a s in certa in inst an ces when a d isclaimer of opinion is

anticipated.

Should: Compliance with this policy or procedure is expected unless

th ere is a rea sona ble basis for depar tu re from it. Any such

depart ure a nd t he basis for it a re to be docum ented in a

mem ora ndu m. The Assistan t Director should approve th is

mem ora ndu m an d copies should be sent t o th e Audit

Director an d th e Reviewer.

General ly

Should: Compliance with this policy or procedure is strongly

encour aged. Depar tu re from such policy or pr ocedur e

should be discussed with t he Assista nt Director or th e au dit

manager.

May: Complian ce with th is policy or pr ocedu re is optional.

When t he a uditor deviates from a policy or pr ocedur e th at is expressed by

use of th e ter m "must " or "should" in t he F AM, he or sh e should consider th e

needs of, and consult in a timely mann er with, other au ditors who plan touse th e work of th e au ditor and pr ovide an opport un ity for th e oth er a uditors

to review the docum ent at ion explainin g th ese deviat ion d ecisions.

Use of Techn ica l Terms

.29 The ma nu al uses ma ny existing techn ical au diting term s an d introducesma ny other s. To assist you, a glossar y of significan t t erm s is included in th is

manual .

6

Capita lized positions a re described in par agra ph 100.25.


24/507

100 INTRODU CTION


Referen ce to GAO/PCI E Financial Audit Man ual

.30 When cited in workpa pers, corr esponden ce, or oth er comm un icat ion, t heletters FAM should precede section or pa ra graph nu mbers from th is

ma nu al. For exam ple, this para graph sh ould be referred to as FAM 100.30.


25/507

SECTION 200

Plan ning Pha se


26/507

Figu re 200.1: Meth odology Overview

Pl anni ng Phas e Section Understand the ent ity's operat ions 220

Perform preliminary analyt ical procedures 225

Determine planning, design, and test mater ia lity 230

Iden tify sign ifica nt lin e it em s, a ccou nt s, a sser tion s a nd RSSI 235 Ident ify significan t cycles, account ing applications, an d financial

management systems 240

Ident ify significant provisions of laws and regu lat ions 245

Ident ify relevant budget rest r ict ions 250

Assess r isk factors 260

Det er m in e lik elih ood of effect ive in for m at ion sys tem con t rols 270

Ident ify relevant operat ions cont rols to eva lua te and test 275

Plan other audit procedures 280

Plan locat ions to visit 285

Internal Control Ph ase Section Understand informat ion systems 320

Ident ify cont rol object ives 330

Ident ify and understand relevan t cont rol act ivit ies 340

Determine t he na tur e, timing, an d extent of contr ol tests a nd of tests

for systems compliance with FFMIA requirements 350

Per form nonsa mpling cont rol tests a nd tes ts for syst ems complia nce

with FFMIA requirements 360

Assess con t rols on a preliminary basis 370

Testing Ph ase Section Consider the nature, t iming, and exten t of tests 420

Design efficient test s 430

Perform tests and evaluate results 440

Sampling con trol test s 450

Compliance test s 460

Substant ive test s 470

Substan tive analyt ical procedures 475

Substant ive deta il test s 480

Report ing P hase Section Perform overall analyt ical procedures 520

Determine adequacy of audit procedures and audit scope 530

Evaluate missta tements 540

Conclude other audit procedures: 550

Inquire of att orn eys

Consider subsequent events

Obtain mana gement representations

Consider related par ty tra nsa ctions

Determine conformity with generally accepted accounting principles 560

Determine compliance with GAO/PCIE Financial Audit Man ual 570

Draft repor ts 580


27/507

Planning Phase

210 - OVERVIEW

J uly 2001 GAO/PCIE Financia l Audit Manual Page 210-1

.01 The auditor performs planning to determine an effect ive and efficient way to

obtain t he evidential ma tter necessary to report on th e entity's

Accoun ta bility Report (or an nu al finan cial stat emen t). The nat ur e, extent ,

an d timing of plan ning var ies with , for exam ple, th e ent ity's size an d

complexity, th e au ditor's experience with th e entity, an d th e au ditor's

kn owledge of th e entity's operations. Pr ocedur es perform ed in th e plann ing

pha se are sh own in figure 200.1.

.02 A key to a qual ity audit , planning requires the involvement of senior

members of the a udit team . Although concentra ted in the plann ing phase,

planning is an itera tive process performed th roughout the a udit. For

examp le, findings from th e inter na l contr ol pha se directly affect pla nn ing th esubst an tive au dit procedur es. Also, th e results of cont rol an d substa nt ive

tests ma y require cha nges in th e plan ned au dit approach.

.03 Auditors should cons ider the needs of, and consult in a t imely manner with,

other a udit ors wh o plan to use t he work being perform ed, especially when

ma king decisions t ha t requ ire th e au ditor to exercise significan t judgmen t.


28/507



29/507

Planning Phase

220 - UNDERSTAND THE ENTITY'S

OPERATIONS


.01 The auditor should obtain an u nderstanding of the ent i ty sufficient to plan

an d perform the a udit in a ccorda nce with a pplicable auditing stan dards a nd

requirements. In planning the audit, the au ditor gathers informa tion to

obta in an overall under sta ndin g of th e entity an d its origin and h istory, size

an d location, organizat ion, mission, business, str at egies, inh eren t r isks,

fra ud r isks, control environmen t, risk assessm ent , comm un icat ions, an d

monitoring. Un derst an ding th e ent ity's opera tions in th e plan ning process

ena bles the au ditor to ident ify, respond t o, and r esolve accoun ting a nd

au diting problems ear ly in th e au dit.

.02 The auditor 's unders tanding of the ent i ty and it s operat ions does not need tobe compr ehen sive but should include:

entity man agement an d organ izat ion,

extern al factors a ffecting opera tions,

inter na l factors affecting operat ions, a nd

accounting policies and issues.

.03 The auditor should ident ify key members of management and obta in a

general understa nding of the organizat iona l structure. The auditor 's main

objective is to un derstan d how the entity is man aged an d how theorganization is stru ctu red for t he pa rticular ma na gement style.

.04 The auditor should ident ify significant external and internal factors that

a ffect the en tit y's opera tions. Ext ern al factors might include (1) sour ce(s) of

funds, (2) seasonal fluctuations, (3) current political climate, and (4) relevant

legislat ion. Int ern al factors m ight include (1) size of th e ent ity, (2) nu mber

of locations, (3) st ru ctur e of th e ent ity (cent ra lized or decent ra lized), (4)

complexity of opera tions, (5) inform at ion syst em st ru ctur e, (6) qua lificat ions

an d compet ence of key personnel, an d (7) tu rn over of key personn el.

.05 In identifying account ing policies and issues, the auditor should consider

genera lly accepted a ccoun ting pr inciples, including wheth er t he en tity is

likely to be in comp liance;

cha nges in GAAP t ha t a ffect t he ent ity; an d


30/507

Pl anning Phas e

220 - Unde rstand th e Enti ty's Operat ions


whet her en tity ma na gement a ppear s to follow aggressive or conser vative

accoun tin g policies.

.06 The auditor also should cons ider whether the ent i ty will repor t any required

supplemen ta ry stewa rdsh ip inform at ion (RSSI). This includes stewar dship

property, plant, and equipment (PP&E) (heritage assets, national defense

assets, and stewardship land), stewardship investments (nonfederal physical

property, human capital, and research and development), social insurance,

an d risk-assum ed inform at ion. RSSI an d deferred ma inten an ce, which is

considered r equired sup plement ar y inform at ion, should be designa ted

"unaudited."

.07 The auditor should develop and document a high-level understanding of theent ity's u se of inform at ion syst ems (IS) an d h ow IS a ffect t he gen era tion of

finan cial sta tement informa tion, RSSI, an d th e data th at support

perform an ce mea sur es reported in t he MD&A (overview) of the

Accoun ta bility Report (CFO report). An IS a uditor ma y assist th e au ditor in

un derst an ding the en tity's use of IS. Append ix I of th e GAO Federal

Information System Controls Manual (FISCAM) can be u sed t o docum ent

this u nderstanding.

.08 The auditor gathers planning informat ion through different methods

(observat ion, int erviews, rea ding policy an d pr ocedur e ma nu als, etc.) and

from a var iety of sources, includ ing

top-level entity management,

ent ity man agemen t responsible for significan t program s,

Office of Inspector Genera l (IG) an d inter na l aud it ma na gement

(includin g an y inte rn al cont rol officer),

oth ers in t he a udit organ izat ion concernin g oth er completed, plan ned or

in-progress assignments,

personn el in OGC,

personn el in th e Special Investigator Unit, an d

entity legal representa tives.


31/507


32/507



33/507

Planning Phase

225 - P ERFORM P RELIMINARY ANALYTICAL

PROCEDURES


.01 During the planning phase, preliminary analyt ical procedures are performed

to help the a uditor

un derstan d th e entity's business, including curr ent-year t ran sactions a nd

events;

identify accoun t balances or tra nsa ctions t ha t ma y signa l inherent or

cont rol risks (see section 260);

identify an d un derst an d th e significan t a ccount ing policies;

deter mine plan ning, design, an d test m at eriality (see section 230); an d

determine th e na tur e, timing, and extent of au dit procedures to be

performed.

.02 GAAS requires the audi tor to perform preliminary analyt ical procedures (AU

329). The resources spent in perform ing these procedur es should be

comm ensu ra te with th e expected reliability of compa ra tive inform at ion. For

examp le, in a first -year a udit, compa ra tive inform at ion m ight be un reliable;

th erefore, preliminar y an alytical pr ocedur es genera lly should be limited.

.03 The auditor generally should perform the following s teps to achieve the

objectives of preliminary analytical procedures.

a . Compare current-year amoun ts with relevan t comparat ive

f inan cial information: The financial data used in prelimina ry

an alytical procedur es gener ally ar e summ ar ized at a high level, such

as th e level of fina ncial sta tem ent s. If finan cial stat emen ts ar e not

available, the budget or fina ncial sum ma ries tha t sh ow th e entity's

finan cial position a nd resu lts of opera tions m ay be u sed.

The au ditor compar es curr ent-year a mounts with r elevan t

compar at ive fina ncial inform at ion. Use of un au dited compa ra tive

dat a m ight n ot a llow th e au ditor to ident ify significan t fluctu at ions,

par ticularly if an item consisten tly has been t rea ted incorr ectly. Also,th e au ditor ma y identify fluctua tions th at are not rea lly fluctua tions

due to errors in the un au dited compa rat ive data .

A key to effective prelimina ry a na lytical procedur es is t o use

informa tion t ha t is compa ra ble in term s of th e time period present ed


34/507

Pl anning Phas e

225 - Pe rform P rel iminary Analyt ical Procedu res


an d th e presen ta tion (i.e., sam e level of deta il and consisten t

grouping of deta il accoun ts int o sum ma rized am oun ts u sed for

comparison).

The au ditor m ay perform rat io an alysis on curren t-year da ta an d

compa re t he curr ent year's ra tios with t hose derived from prior

periods or budgets. The au ditor does this to stu dy the relat ionsh ips

am ong componen ts of th e finan cial stat emen ts an d to increase

kn owledge of th e entity's activities. The au ditor uses rat ios tha t ar e

relevant in dicat ors or mea sur es for th e entity. Also, th e audit or

should consider a ny tren ds in the perform an ce indicators prepa red by

th e ent ity.

b. Ident i fy s ignif icant f luctuat ions : Fluctu at ions a re differen ces

between t he recorded am oun ts an d th e amount s expected by the

au ditor, based on compa ra tive finan cial inform at ion a nd t he au ditor's

kn owledge of th e entity. Fluctu at ions refer to both u nexpected

differen ces between cur ren t-year a moun ts an d compa ra tive finan cial

inform at ion as well as th e absence of expected differences. The

identificat ion of fluctua tions is a ma tt er of th e au ditor's judgmen t.

The a uditor esta blishes pa ra met ers for ident ifying significan t

fluctu ations. When setting these param eters, the auditor genera lly

considers t he a moun t of th e fluctua tion in ter ms of absolut e sizean d/or the percenta ge differen ce. The amoun t an d percent age used

ar e left to the a uditor's judgm ent . An exam ple of a pa ra met er is "All

fluctu at ions in excess of $10 million a nd /or 15 percent of th e prior-

year ba lance or other un usu al fluctua tions will be considered

significant."

c. Inquire about s ignif icant f luctua t ions: The a uditor discusses th e

identified fluctua tions with a ppropriat e entity personnel. The focus

of the discussion is to achieve the purposes of the procedures

described in pa ra graph 225.01. For preliminar y ana lyticalprocedur es, the a uditor does not n eed to corr obora te th e explan at ions

since th ey will be tested lat er. However, the explana tions should

appear reasonable and consistent t o th e auditor. The inability of

ent ity personn el to explain t he cause of a fluctu at ion m ay indicat e the

existen ce of cont rol, fra ud, a nd/or in her ent risks.


35/507


36/507

Pl anning Phas e

230 - Determin e P lanning , Design, and Test Material i ty


Planning material i ty is a preliminar y estimat e of ma ter iality, in

relation t o the financial sta tement s ta ken a s a wh ole, used to determine

th e nat ure, timing, an d extent of substan tive au dit procedures an d toidentify significan t laws a nd regulat ions for complian ce test ing.

Design Material i ty is the portion of plann ing mater iality th at ha s been

allocated t o line item s, accoun ts, or classes of tra nsa ctions (such a s

disbursem ent s). This am oun t will be the sa me for all line items or

accoun ts (except for certa in int ra governm ent al or offsett ing balan ces as

discussed in pa ra grap h 230.10).

Test ma terial i ty is the ma teriality actua lly used by the a uditor in

tes tin g a specific line item , accoun t, or clas s of tr an sactions . Bas ed onth e au ditor 's judgment , test ma teriality can be equal to or less tha n

design ma teriality, as discussed in para graph 230.13. Test mat eriality

ma y be differen t for differen t line items or a ccoun ts.

.06 The following other uses of the term "mat erial ity" relate principally to the

reporting ph ase:

Disclosure ma terial i ty is the t hr eshold for deter mining whether an

item should be reported or presented separ at ely in th e finan cial

stat ements or in th e related notes. This value ma y differ from plan ning

materiality.

FMFIA mate riality is the thr eshold for determ ining whether a m att er

meets OMB criter ia for report ing mat ter s un der F MFIA as described in

paragraphs 580.35-.37.

Report ing ma terial i ty is the t hreshold for determ ining whether a n

un qua lified opinion can be issued. In th e report ing pha se, th e auditor

considers whether u na djusted misstat ements a re quan titat ively or

qua lita tively ma ter ial. If considered to be mat erial, th e audit or would be

precluded from issuing a n u nqu alified opinion on t he finan cialstatements. See section 540.

Un less otherwise specified, such as t hr ough using th e term s above, the ter m

"ma ter iality" in th is man ua l refers to th e overall finan cial stat emen t

ma teriality as defined in par agraph 230.01.


37/507


38/507

Pl anning Phas e

230 - Determin e P lanning , Design, and Test Material i ty


au ditor would comput e separa te plan ning ma ter iality for auditin g (1) th e

offsett ing accoun ts, u sing th e ba lance of th e offsett ing accoun ts as th e

ma teriality base an d (2) the r est of th e finan cial statemen ts u sing thema teriality base guidance in pa ragra ph 230.09.

.11 Planning mater iality general ly should be 3 percent of the mater ial ity base.

Although a mecha nical mea ns m ight be used to comput e plann ing

ma teriality, the au ditor should use judgment in evalua ting whether t he

compu ted level is appropriat e. The au ditor also should consider a djusting

th e ma ter iality base for t he impa ct of such items a s un recorded liabilities,

cont ingencies, and other items th at ar e not incorporated in the entity's

finan cial statemen ts (and n ot r eflected in t he ma teriality base) but t ha t m ay

be importan t to the financial stat ement u ser.

.12 Design mater iality for the audi t should be one-thi rd of planning mater ial ity

to allow for the pr ecision of au dit pr ocedu res. This guideline recognizes th at

misstatemen ts ma y occur thr oughout th e entity's various a ccoun ts. The

design mat eriality represents th e mat eriality used as a sta rting point to

design a udit pr ocedur es for line item s or a ccoun ts so tha t a n a ggregate

ma terial misstat ement in th e financial statemen ts will be detected, for a

given level of audit a ssur an ce (discussed in par agra ph 260.04).

.13 Generally, the test mater ial ity used for a specific test is the same as the

design ma teriality. However, the a uditor may use a test m at eriality lowerth an th e design m at eriality for substa nt ive test ing of specific line item s an d

asser tions (which increa ses th e extent of test ing) when

th e au dit is being perform ed at some, but not a ll, entity locat ions

(requirin g increased a udit assu ra nce for t hose locations visited - see

section 285);

th e area tested is deemed to be sensitive to the fina ncial sta tement users;

or


39/507

Pl anni ng Phas e

230 - Determin e Plann ing, Design, and Test Material i ty

1 If th e au ditor uses softwa re t o calculate sa mple size, he or sh e shouldun derst an d how th e softwa re considers expected missta tem ent s. For

example, if the au ditor uses Int eractive Data Extra ction an d Analysis

(IDEA) to calculate sa mple size when t est m at eriality is lower th an design

ma teriality, becau se th e au ditor expects m issta tement s, the a uditor sh ould

use design m at eriality in IDEA becau se he or she separa tely inpu ts th e

expected misstat ement. See para graph 480.27.

J u ly 2001 GAO/PCIE Financia l Audit Manual Page 230-5

th e au ditor expects to find a significan t a moun t of missta tem ent s.1


40/507



41/507


42/507

Pl anning Phas e

235 - Ident i fy Signi fi cant Lines I tems , Accounts , Assert ions , and

RSSI


Presentat ion and di sc losure: The par ticular componen ts of th efinan cial sta tem ent s a re properly classified, described, an d disclosed.

.03 A line item or an account in the financial statements or RSSI should be

cons idered significant if it h as one or more of th e following cha ra cterist ics:

Its ba lance is ma ter ial (exceeds design ma ter iality) or compr ises a

significan t portion of a m at erial finan cial stat emen t or RSSI am ount .

A high combined r isk (inh erent an d cont rol risk, as discussed in

para graph 260.02) of material m issta tement (eith er overstat ement orun derstat ement) is associated with one or m ore a ssertions r elating t o the

line item or account . For examp le, a zero or unu sua lly small bala nce

accoun t ma y have a high risk of ma terial underst at ement.

Special audit concern s, such as r egulatory requirements, warr an t a dded

consideration.

The auditor should determine that any accounts considered insignificant are

not significan t in th e aggregate.

.04 An assert ion is s ignificant if misstatements in the assert ion could exceed testma ter iality for th e related line item , accoun t, or disclosur e. Certa in

asser tions for a specific line item or accoun t, su ch as completeness a nd

disclosur e, could be significan t even t hough th e r ecorded balan ce of the

relat ed line item or accoun t is not ma ter ial. For example, (1) th e

completeness assertion could be significant for an accrued payroll account

with a h igh combined r isk of ma ter ial und erst at emen t even if its recorded

bala nce is zero an d (2) th e disclosure a sser tion could be significan t for a

cont ingent liability even if no amoun t is recorda ble.

.05 Assert ions are l ikely to vary in degree of s ignificance, and some assert ionsma y be insignifican t or irrelevan t for a given line item or account . For

example:

The completeness a ssert ion for liabilities m ay be of great er significan ce

th an th e existen ce asser tion for liabilities.


43/507


44/507



45/507

Planning Phase

240 - IDENTIFY SIGNIFICANT CYCLES,

ACCOUN TING AP P LICATIONS, AND

FIN ANCIAL MANAGEMENT SYSTEMS


.01 In the internal control phase, the auditor evaluates controls for each

significan t cycle and a ccoun ting a pplicat ion a nd det erm ines wheth er

significan t fina ncial ma na gement syst ems subst an tially comply with federa l

financial ma na gement systems r equirements, federal accoun ting stan dar ds,

an d th e SGL at th e tra nsa ction level. A cycle or a n a ccoun ting ap plicat ion

should be considered significan t if it p rocesses an am ount of tra nsa ctions in

excess of design ma ter iality or if it su pports a significan t accoun t balan ce in

th e fina ncial sta tem ent s or significan t RSSI. A finan cial ma na gement

system gener ally consists of one or more account ing app licat ions . If one or

more of th e account ing applicat ions ma king up a fina ncial man agemen t

system ar e considered significan t, th en t ha t financial man agement system

genera lly should be considered significan t for det erm ining whet her th e

system substan tially complies with FF MIA requirements. The au ditor ma y

identify oth er cycles, accoun ting a pplicat ions, or fina ncial ma na gement

systems as significan t based on qualitat ive considera tions. For example,

finan cial ma na gement systems covered by FFMIA include not only systems

involved in processing finan cial tra nsa ctions a nd pr epar ing finan cial

stat ements, but also systems supporting fina ncial plann ing, ma na gement

reportin g, or bu dgeting activities, systems a ccumu latin g an d report ing cost

inform at ion, a nd th e fina ncial port ion of mixed system s, such a s benefitpaym ent , logistics, personn el, and a cquisition syst ems.

.02 The enti ty's account ing system may be viewed as consist ing of logical

groupings of relat ed tr an sactions a nd a ctivities, or account ing applicat ions.

Ea ch significan t line it em/accoun t is affected by input from one or m ore

account ing applications (sources of debits or credits). Relat ed accoun tin g

app licat ions m ay be grouped int o cycles by th e au ditor an d int o fina ncial

ma na gement system s by th e entity. Account ing applicat ions ar e classified as

(1) tra nsa ction-related or (2) line item/account -relat ed.

.03 A t ransact ion-related account ing applicat ion cons is ts of the methods and

records esta blished to identify, assem ble, ana lyze, classify, an d r ecord (in t he

genera l ledger) a par ticular type of tr an saction. Typical tra nsa ction-related

accoun ting a pplicat ions include billing, cash receipts, p ur cha sing, cash

disbursem ent s, an d payroll. A line item/accoun t-related accoun ting

app licat ion consists of th e met hods an d records est ablished to report a n


46/507

Pl anning Phas e

240 - Ident i fy Signi fi cant Cycles , Account ing Appl icat ions , and

Financia l Manageme nt Sys tems


ent ity's recorded tr an sactions a nd t o ma inta in account ability for related

asset s an d liabilities. Typical line item /accoun t-related a ccount ingapp lications include cash balan ces, accoun ts receivable, inventory cont rol,

property a nd equipment, an d accoun ts pa yable.

.04 Within a given ent ity, there may be several examples of each account ing

app licat ion. For exam ple, a differen t billing app lication m ay exist for ea ch

program t ha t u ses a billing process. Accoun ting app licat ions t ha t pr ocess a

relat ed group of tr an sactions a nd a ccoun ts compr ise cycles. For insta nce, th e

billing, ret ur ns, cash receipts, a nd accoun ts r eceivable accoun ting

app lications m ight be grouped to form th e revenu e cycle. Similarly, relat ed

accoun ting a pplicat ions a lso compr ise finan cial ma na gement systems.

.05 For each s ignificant l ine item and account , the auditor should use the

Accoun t Risk Ana lysis form (ARA) (see section 395 I) or a n equ ivalent

workp aper to documen t t he significan t t ra nsa ction cycles (such a s revenu e,

pur cha sing, an d pr oduction) an d t he specific significan t accoun ting

app lications th at a ffect th ese significan t line item s an d accoun ts. For

example, the a uditor might determ ine tha t billing, retu rns, cash r eceipts,

an d a ccount s receivable a re significan t a ccoun ting a pplicat ions th at affect

accoun ts r eceivable (a significant line item). The Account Risk Ana lysis form

provides a convenient way for docum ent ing th e specific risks of misstat emen t

for significan t line items for considera tion in determ ining th e na tu re, timing,an d extent of au dit procedures. If an equivalent workpaper is used, rat her

th an th e ARA, it sh ould docum ent th e inform at ion discussed in section 395 I.

.06 Related account ing applicat ions may be grouped into cycles to aid in

preparing workpa pers. This helps the au ditor design a udit procedures tha t

ar e both efficient a nd r elevan t to the report ing objectives. The au ditor may

docum ent insignifican t a ccoun ts in each line item on t he ARA or equivalent,

indicat ing th eir insignifican ce an d consequ ent lack of audit procedur es

app lied to th em. In such insta nces, th e cycle ma tr ix ma y not be necessar y.

Oth erwise, th e au ditor should prepar e a cycle mat rix or equivalent docum entth at link s each of th e ent ity's a ccount s (in th e char t of accoun ts) to a cycle, an

accoun ting app licat ion, an d a finan cial sta tem ent or RSSI line item.

.07 Based on discuss ions with ent ity personnel, the auditor should determine the

accoun ting ap plication t ha t is the best source of th e finan cial stat emen t

inform at ion. When a significan t line item h as m ore th an one source of


47/507

Pl anni ng Phas e

240 - Ident ify Signi fi cant Cycles , Account ing Appl icat ions , and

Financia l Manageme nt Sys tems


finan cial data , the au ditor should consider t he var ious sources and

deter mine which is best for finan cial aud it purp oses. The au ditor needs toconsider t he likelihood of missta tem ent an d a udita bility in choosing th e

source to use. For au dit pu rposes, th e best sour ce of finan cial inform at ion

sometimes ma y be operat iona l inform at ion pr epar ed out side th e account ing

system.

.08 Once the s ignificant account ing applicat ions are ident i fied, the audi tor

deter mines wh ich compu ter systems a re involved in th ose applicat ions.

Those particular computer systems are then considered in assessing

compu ter -relat ed cont rols usin g an appr opriate m eth odology.

.09 An a ppropr iate methodology would require the au ditor to obtain sufficient

kn owledge of th e inform at ion syst em r elevan t t o finan cial reporting t o

un derst an d th e accoun ting processing from initiat ion of a t ra nsa ction to its

inclusion in t he fina ncial stat emen ts, including electronic mea ns u sed to

tr an smit, pr ocess, ma inta in, an d a ccess inform at ion (see AU 319.49, SAS 94).

AU 319.61 requ ires documen ta tion of th is un derst an ding. OMB au dit

guidan ce notes tha t t he componen ts of inter na l control include genera l and

app licat ion cont rols. Genera l cont rols are t he ent itywide secur ity

ma na gement program , access cont rol, applicat ion softwa re developmen t a nd

chan ge cont rol, system softwa re cont rol, segregat ion of dut ies, and service

cont inuit y control. Applicat ion cont rols ar e au th orizat ion cont rol,completen ess cont rol, accura cy cont rol, an d cont rol over int egrity of

processing and da ta files. OMB au dit guidan ce also requ ires tha t, for

cont rols th at ha ve been pr operly designed a nd pla ced in opera tion, th e

au ditor sha ll perform sufficient t ests t o support a low assessed level of

cont rol risk. The au ditor should docum ent t he basis for believing th at t he

met hodology used is appropriat e to satisfy these r equiremen ts for a ssessing

genera l an d applicat ion cont rols. The GAO Federal Information S ystem

Controls Aud it Man ual (FISCAM) is designed to meet t hese requ iremen ts.

See section 295 J for a flowchar t of steps gener ally followed in a ssessin g

inform at ion system cont rols in a fina ncial sta tem ent a udit . IS secur itycont rols are also addr essed in OMB Circular A-130,Management of Federal

Information Resources, in the Nat iona l Institu te of Stan dar ds and

TechnologysAn Int rodu ction to Com puter S ecurity: T he NIS T H and book,

and in other publications.


48/507



49/507


50/507

Pl anning Phas e

245 - Ident i fy Significant P rovis ions of Laws an d Regu lat ions


ma terial to th e consolidated fina ncial sta tement s of th e Un ited Stat es

Governm ent . In ad dition, the au ditor should identify (with OGC

assista nce) an y laws or r egulat ions (in add ition t o those ident ified byOMB and t he ent ity) tha t h ave a direct effect on determ ining amounts in

th e finan cial sta tem ent s. The mea ning of direct effect is discussed below

in para graph 245.03.

b. For each such law or regulation, the auditor should identify those

pr ovisions th at a re significant . A pr ovision should be cons idered

significant if (1) compliance with the provision can be measured

objectively an d (2) it meets one of th e following criter ia for deter min ing

th at th e provision ha s a ma terial effect on determining fina ncial

statement amounts:

Transac t ion-based p rovis ions: Tra nsa ctions processed by th e

ent ity tha t ar e subject to the provision exceed plann ing mat eriality in

th e aggregate.

Quantitat ive-based p rovis ions: The qu an titat ive informa tion

requ ired by t he p rovision or by esta blished rest rictions exceeds

plann ing ma teriality.

Procedural-based provis ions: The pr ovision broad ly affects a ll or

a segmen t of th e entity's opera tions th at process tra nsa ctionsexceeding plan ning ma ter iality in the aggregate. For exam ple, a

provision m ay require th at t he ent ity establish procedur es to monitor

th e receipt of cert ain in form at ion from gran tees; in det erm ining

whet her to test complian ce with th is provision, th e au ditor should

consider whet her t he tota l amount of money gra nt ed exceeded

plann ing ma teriality.

.03 A direct effect means that the provis ion specifies

th e nat ure a nd/or dollar am oun t of tra nsactions th at ma y be incurr ed(such as obliga tion, out lay, or borr owing r est rictions),

th e meth od used t o record su ch tra nsa ctions (such a s revenu e recognition

policies), or


51/507

Pl anni ng Phas e

245 - Ident i fy Signif icant P rovis ions of Laws an d Regu lat ions


th e na tu re a nd exten t of inform at ion t o be reported or disclosed in th e

an nu al finan cial stat ements (such a s the sta tement of budgetary

resources).

For exam ple, ent ity-ena bling legislation ma y conta in pr ovisions t ha t limit

th e na tu re a nd am oun t of obligat ions or outlays an d th erefore h ave a direct

effect on determ ining amoun ts in th e finan cial stat emen ts. If a pr ovision's

effect on t he finan cial sta tem ent s is limited t o cont ingent liabilities as a

result of noncompliance (typically for fines, penalties, and interest), such a

provision d oes not h ave a direct effect on det erm ining finan cial sta tem ent

am ount s. Laws identified by th e au ditor th at h ave a direct effect might

include (1) new la ws an d regu lat ions (not yet r eflected on OMB's list) an d (2)

en tit y-specific laws a nd r egula tions. The concept of direct effect is discussedin AU 801 (SAS 74) an d AU 317.

.04 In contras t , indirect laws relate more to the ent i ty's operat ing aspects than

to its finan cial an d accoun ting asp ects, an d th eir fina ncial stat emen t effect is

indirect. In oth er words, their effect m ay be limited to recording or

disclosing liab ilities ar ising from noncomplian ce. Exa mples of indir ect laws

and regulations include those related to environmental protection and

occupational safety and health.

.05 The auditor is not responsible for test ing compliance controls over or

complian ce with a ny indirect laws an d regula tions not oth erwise ident ifiedby OMB or t he en tity (see par agra ph 245.02.a.). However, as discussed in

AU 317, th e au ditor should mak e inquiries of ma na gement regar ding policies

an d procedur es for t he pr evention of noncomplian ce with indirect laws a nd

regula tions. Un less possible insta nces of noncomplian ce with indirect laws

or r egulat ions come t o the a uditor 's att ention during th e au dit, no furt her

procedur es with respect to indirect laws an d regulat ions a re necessary.

.06 The auditor may elect to tes t compliance with indirect laws and regulat ions .

For example, if the au ditor becomes a ware t ha t t he ent ity has operations

similar to those of an oth er ent ity tha t was r ecent ly in noncomplian ce withenvironmen ta l laws an d regulat ions, th e aud itor may elect to test complian ce

with such laws an d regulat ions. The au ditor may also elect to test provisions

of direct laws a nd r egulations tha t do not meet th e ma teriality criteria in

par agraph 245.02.b. but th at ar e deemed significan t, such as laws an d

regulations t ha t h ave generated significan t int erest by the Congress, the

media, or th e public.


52/507

Pl anning Phas e

245 - Ident i fy Significant P rovis ions of Laws an d Regu lat ions


.07 The significant provisions identified by the above procedures are intended to

include pr ovisions of all laws an d regulat ions th at ha ve a direct an d ma ter ial

effect on the deter mining of finan cial stat emen t am oun ts an d th ereforecomp ly with GAGAS, AU 801 (SAS 74), an d OMB aud it gu idan ce.

.08 In considering regulat ions to test for compliance, the auditor should consider

extern ally imposed requirement s issued pursu an t t o the Administrat ive

Pr ocedur es Act, which ha s a defined du e process. This would include

regulations in t he Code of Federal Regula tions, but would n ot in clude OMB

circulars an d bulletins. Such circula rs an d bulletins genera lly implement

laws, an d th e provisions of th e laws th emse lves could be considered for

complian ce testing. Int ern al policies, ma nu als, an d directives ma y be the

basis for in ter na l cont rols, but ar e not r egulations to consider for t esting forcompliance.


53/507

Planning Phase

250 - IDENTIFY RELEVANT BUDGET

RESTRICTIONS


.01 To evaluate budget controls (see section 295 G) and to design compliance-

related audit procedures relevant to budget restrictions, the auditor should

un derst an d th e following inform at ion (which m ay be obta ined from th e

entity or OGC):

th e Ant ideficiency Act (title 31 of th e U.S. Code, sections 1341, 1342,

1349-1351, 1511-1519);

th e Pu rpose Sta tu te (title 31 of the U .S. Code, section 1301);

th e Time St at ut e (title 31 of the U.S. Code, section 1502);

OMB Circula r A-34;

tit le 7 of th e GAO Policy and Procedu res Manua l for Guida nce of Federal

Agencies;

th e Impoundm ent Contr ol Act; and

th e F edera l Credit Reform Act of 1990.

.02 The auditor should read the following informat ion relat ing to the ent ity 's

app ropriat ion (or other budget a ut hority) for t he per iod of au dit inter est:

au th orizing legislat ion;

enabling legislation an d a mendm ents;

appropriation legislation and supplemental appropriation legislation; apport ionm ent s an d budget execut ion r eport s (includin g OMB form s 132

an d 133 an d supporting docum enta tion);

Impoun dmen t Contr ol Act r eport s regar ding rescissions a nd deferra ls, if

any;

th e system of fun ds cont rol documen t a pproved by OMB; an d

an y oth er informa tion deemed by the a uditor t o be relevan t to

un derstan ding the entity's budget a ut hority, such as legislative history

cont ained in comm ittee r eport s or conference reports.

Although legislat ive histories ar e not legally bindin g, th ey may h elp the

au ditor un derstan d t he political environm ent surr oun ding the entity (i.e.,

why th e ent ity has un derta ken certa in activities an d t he objectives of th ese

activities).

.03 Through d iscussions with OGC and the ent ity and by using the above

inform at ion, th e au ditor should ident ify all legally binding rest rictions on t he


54/507


55/507

Planning Phase

260 - IDENTIFY RISK FACTORS


.01 The auditor 's consideration of inherent r isk, frau d r isk, control environment,

risk a ssessmen t, comm un icat ion, an d monitoring (par ts of inter na l cont rol)

affects th e nat ur e, timing, and extent of subst an tive an d cont rol test s. This

section describes (1) the impact of risk factors identified during this

considera tion on su bsta nt ive and control tests, (2) th e pr ocess for identifying

th ese risk factors, an d (3) th e au ditor's considera tion of the en tity's process

for reporting under FMFIA (both for internal control (section 2 of FMFIA)

an d for finan cial ma na gement systems' conform an ce with system

requ iremen ts (section 4 of FMF IA)) and for form ulat ing th e budget.

IMP ACT ON S UBS TANTIVE TES TING

.02 AU 312 provides guidance on the cons iderat ion of audit r i sk and defines

"au dit risk" as t he r isk tha t t he a uditor m ay un knowingly fail to

appr opriately modify an opinion on financial statem ents th at ar e ma terially

missta ted. Audit r isk can be thought of in ter ms of th e following thr ee

component risks:

Inheren t risk is the susceptibility of an asser tion t o a m at erial

misstatemen t, assuming tha t th ere are no relat ed int erna l contr ols.

Control risk is the risk that a m at erial misstat ement t ha t could occur inan asser tion will not be prevent ed or det ected a nd corr ected on a t imely

basis by the en tity's int ern al cont rol. Int ern al cont rol consists of five

componen ts: (1) th e cont rol environment , (2) risk a ssessmen t,

(3) monit oring, (4) inform at ion a nd comm un icat ion, a nd (5) con tr ol

activities (defined in par agr ap h 260.08 below). This section will discuss

th e first t hr ee of th e componen ts a nd comm un icat ion a nd section 300

(Int ern al Cont rol Ph ase) will discuss t he inform at ion system s an d control

activities.

Detec t ion risk is th e risk that th e auditor will not detect a m at erial

misstatemen t th at exists in an a ssertion.

AU 316 (SAS 82) requires th e a uditor t o consider fraud risk , which is a pa rt

of au dit risk, ma king up a portion of inher ent a nd cont rol risk. Fr au d risk

consists of th e risk of fra udu lent fina ncial report ing an d th e risk of

misappropriat ion of assets th at cau se a ma terial misstatement of the


56/507

Pl anning Phas e

2 60 - Id e n ti fy Ri sk Fa c to rs

1 Assur an ce is not the sam e as sta tistical confidence. Assur an ce is a

combinat ion of quan titat ive measu rement an d au ditor judgment.

J u ly 2001 GAO/PCIE Financia l Audit Manua l Page 260-2

finan cial sta tem ent s. The au ditor should specifically consider a nd docum ent

the r isk of ma terial misstatemen ts of the fina ncial stat ements du e to frau d

an d keep in mind t he considera tion of fra ud r isk in designing au ditprocedur es. Considering th e risk of ma ter ial fra ud gener ally should be done

concur ren tly with th e considera tion of inher ent an d cont rol risk, but it

should be a separa te conclusion. The au ditor also should consider t he risk of

fra ud th roughout th e au dit. Section 290 includes docum ent at ion

requirem ent s for t he considera tion of fra ud r isk.

.03 Based on the level of audit r isk and an assessment of the ent i ty's inherent

an d cont rol risk, including th e considerat ion of fra ud risk, th e au ditor

determines th e na tur e, timing, and extent of substan tive audit procedures

necessary to achieve th e resulta nt det ection risk. For example, in responseto a high level of inher ent an d cont rol risk, th e au ditor ma y perform

additional audit procedures that provide more competent evidential

ma tt er (nat ur e of procedur es);

subst an tive tests at or closer to the finan cial stat emen t da te (timing of

procedures); or

more extensive subst an tive tests (extent of procedur es), as discussed in

section 295 E.

.04 Audit assurance is the complement of audit r isk. The auditor can determine

the level of audit a ssura nce obtained by subtr acting the a udit r isk from 1.(Assur an ce equa ls 1 minus r isk).1 AU 350.48 uses 5 percent as t he a llowable

au dit risk in explaining th e au dit risk model (95 percent au dit assur an ce).

The a udit organ ization sh ould deter mine t he level of assu ra nce to use, which

ma y vary between aud its based on risk. GAO auditors should use

95 percent . In other words, the GAO au ditor, in order t o provide an opinion,

should design th e au dit to achieve at least 95 percent au dit assur an ce tha t

the fina ncial sta tement s ar e not ma terially misstated (5 percent au dit risk).

Section 470 pr ovides guida nce to th e a uditor on how to combine (1) the

assessm ent of inher ent an d cont rol risk (including fra ud r isk) an d (2)

substan tive tests to achieve the a udit assu ran ce required by the a uditorganization.


57/507

Pl anni ng Phas e


2 See also GAOs S tan dard s for Int ernal Control in th e Federal Governm ent,

GAO/AIMD-00-21.3.1, November 1999.

J u ly 2001 GAO/PCIE Financia l Audit Manual Page 260-3

.05 The auditor may consider i t necessary to achieve increased audit assurance if

th e ent ity is politically sensitive or if th e Congress ha s expressed concerns

about t he ent ity's finan cial report ing. In th is case, th e level of au ditassu ra nce should be appr oved by th e Reviewer.

RELATIONSHIP TO CONTROL ASS ESS MENT

.06 Internal control, as identified in AU 319 (SAS 55 amended by SAS 78), is a

processeffected by an ent ity's governin g body, man agemen t, an d other

personneldesigned to provide reasonable assurance regarding the

achievemen t of objectives in th e following categories (OMB au dit gu idan ce

expan ds t he cat egory definitions a s noted):2

Reliability off inancial report ingtr an sactions a re properly recorded,

processed, an d sum ma rized to perm it the pr epar at ion of th e finan cial

sta tem ent s an d RSSI in a ccorda nce with gener ally accepted account ing

principles, and assets are safeguarded against loss from unauthorized

acqu isition, use, or disposition. (Note th at safeguarding controls (see

par agra phs 310.02-.04) ar e considered a s pa rt of finan cial reporting

cont rols, alth ough th ey ar e a lso opera tions cont rols.)

Compliance with a pplicable laws an d regulat ionstransactions are

execut ed in accorda nce with (a) laws governing th e u se of budget

au th ority and other laws an d regulations th at could ha ve a direct a ndma ter ial effect on th e fina ncial stat emen ts or RSSI, an d (b) an y oth er

laws, regulat ions, a nd governm ent wide policies identified by OMB in its

au dit guidance. (Note th at budget cont rols a re pa rt of fina ncial

reporting cont rols as th ey relat e to th e stat emen ts of budgeta ry resources

an d of fina ncing, but th at th ey are a lso pa rt of complian ce cont rols in

tha t t hey are used to man age and cont rol the u se of appropriated fun ds

an d other form s of budget a ut hority in a ccorda nce with applicable law.

These cont rols a re described in more det ail in section 295 G.)

Effectiveness and efficiency ofoperat ions. Thes e cont rols includepolicies an d pr ocedur es t o car ry out organ izat iona l objectives, such a s

planning, productivity, programmatic, quality, economy, efficiency, and


58/507

Pl anning Phas e



effectiveness objectives. Man agem en t uses th ese contr ols to pr ovide

rea sona ble assu ra nce tha t th e entity (1) achieves its mission,

(2) ma intains qu ality sta nda rds, and (3) does what man agement directsit to do. (Note tha t performance m easures controls (those designed to

provide rea sona ble assur an ce about reliability of perform an ce reportin g

tra nsactions an d oth er data tha t support reported performa nce measu res

ar e properly r

financial internal audit

Documents