United States General Accounting Office

GAO By the Comptroller General of theUnited States

June 1994

Government AuditingStandards

1994 Revision

United States General Accounting Office

GAO By the Comptroller General of theUnited States

June 1994

Government AuditingStandards

1994 Revision

This revision of the standards supersedes the 1988revision. Its provisions are effective for financialaudits of periods ending on or after January 1, 1995,and for performance audits beginning on or afterJanuary 1, 1995. Early application is permissible.

Foreword

To meet demands for more responsive andcost-effective governments, policymakers andmanagers need reliable financial and performanceinformation. The assurance auditors provide aboutthat information, as well as about systems producingit, may be more important now than ever before. Thisreliance on auditors enhances the need for standardsto guide auditors and allow others to rely on auditors’work.

Certain laws, regulations, and contracts requireauditors to follow generally accepted governmentauditing standards promulgated by the ComptrollerGeneral of the United States. This is the third revisionof the standards since my predecessor issued them in 1972.

These standards are broad statements of auditors’responsibilities. Auditors will face many situations inwhich they could best serve the public by doing workexceeding the standards’ minimum requirements. Iencourage auditors to seek opportunities to do thatadditional work, particularly in testing and reportingon internal controls.

I thank those who suggested improvements to thestandards, and I especially commend the GovernmentAuditing Standards Advisory Council and the projectteam for their efforts.

Charles A. BowsherComptroller Generalof the United States

June 1994

Page 1

Contents

Foreword 5

Chapter 1 Introduction

8Purpose 8Applicability 8Accountability 10Basic Premises 10Auditors’ Responsibilities 12Procurement of Audit Services 13

Chapter 2 Types ofGovernmentAudits

14Purpose 14Financial Audits 14Performance Audits 16Other Activities of an Audit Organization 19

Chapter 3 GeneralStandards

20Purpose 20Qualifications 20Independence 24Due Professional Care 29Quality Control 30

Chapter 4 Field WorkStandards forFinancial Audits

34Purpose 34Relation to AICPA Standards 34Planning 35Irregularities, Illegal Acts, and Other

Noncompliance37

Internal Controls 40Working Papers 46Financial Related Audits 47

Page 2

Contents

Chapter 5 ReportingStandards forFinancial Audits

49Purpose 49Relation to AICPA Standards 49Communication With Audit Committees or

Other Responsible Individuals50

Reporting Compliance With GenerallyAccepted Government Auditing Standards

53

Reporting on Compliance With Laws andRegulations and on Internal Controls

54

Privileged and Confidential Information 60Report Distribution 60Financial Related Audits 62

Chapter 6 Field WorkStandards forPerformanceAudits

64Purpose 64Planning 64Supervision 73Compliance With Laws and Regulations 74Management Controls 79Evidence 82

Chapter 7 ReportingStandards forPerformanceAudits

90Purpose 90Form 90Timeliness 91Report Contents 91Report Presentation 100Report Distribution 103

Appendix Appendix I: Government Auditing StandardsAdvisory Council

106

Index 108

Page 3

Contents

Abbreviations

AICPA American Institute of Certified PublicAccountants

FASAB Federal Accounting Standards AdvisoryBoard

FASB Financial Accounting Standards BoardGAGAS generally accepted government auditing

standardsGASB Governmental Accounting Standards

BoardGAO U.S. General Accounting OfficeOMB Office of Management and BudgetSAS AICPA’s statement on auditing standardsSSAE AICPA’s statement on standards for

attestation engagements

Page 4

Page 5

Chapter 1

Introduction

Purpose 1.1 This document contains standards for audits ofgovernment organizations, programs, activities, andfunctions, and of government assistance received bycontractors, nonprofit organizations, and othernongovernment organizations. These standards, oftenreferred to as generally accepted government auditingstandards (GAGAS), are to be followed by auditors andaudit organizations when required by law, regulation,agreement, contract, or policy. The standards pertainto auditors’ professional qualifications, the quality ofaudit effort, and the characteristics of professionaland meaningful audit reports.

Applicability 1.2 Federal legislation requires that the federalinspectors general comply with the ComptrollerGeneral’s standards for audits of federalorganizations, programs, activities, and functions. Thelegislation further states that the inspectors generalare to ensure that nonfederal auditors comply withthese standards when they audit federalorganizations, programs, activities, and functions.1

1.3 Other federal auditors must also follow thesestandards. The Office of Management and Budget(OMB) included these standards in OMB Circular A-732

as basic audit criteria for federal executivedepartments and agencies.

1.4 The Chief Financial Officers Act of 1990 requiresthat these standards be followed in audits of federaldepartments and agencies.3

1The Inspector General Act of 1978, as amended, 5 U.S.C. App.(1982).

2Section 6 of OMB Circular A-73, “Audit of Federal Operations andPrograms.”

3The Chief Financial Officers Act of 1990 (Public Law 101-576).

Page 6

Chapter 1

Introduction

1.5 The Single Audit Act of 1984 requires that thesestandards be followed in audits of state and localgovernments which receive federal financialassistance.4

1.6 Other federal policies and regulations, such asOMB Circular A-133, require that these standards befollowed in audits of institutions of higher educationand other nonprofit organizations that receive federalfinancial assistance.5

1.7 Auditors conducting audits under agreement orcontract also may be required to comply with thesestandards under the terms of the agreement orcontract.

1.8 The standards in this document are generallyrelevant to and recommended for use by state andlocal government auditors and public accountants inaudits of state and local government organizations,programs, activities, and functions. Several state andlocal audit organizations, as well as several nations,have officially adopted these standards.

1.9 The American Institute of Certified PublicAccountants (AICPA) has issued auditing andattestation standards that apply in financial audits, asdiscussed in chapters 4 and 5. The Institute of InternalAuditors and the American Evaluation Association(formerly the Evaluation Research Society) haveissued related standards.6

4The Single Audit Act of 1984 (31 U.S.C. 7501-7507).

5OMB Circular A-133, “Audits of Institutions of Higher Educationand Other Nonprofit Institutions.”

6Codification of the Standards for the Professional Practice ofInternal Auditing, The Institute of Internal Auditors, Inc., copyright1993; and New Directions for Program Evaluation: Standards forEvaluation Practice, no. 15. San Francisco: Jossey-Bass,September 1982.

Page 7

Chapter 1

Introduction

Accountability 1.10 Our system of managing public programs todayrests on an elaborate structure of relationships amongall levels of government. Officials and employees whomanage these programs need to render an account oftheir activities to the public. While not alwaysspecified by law, this accountability concept isinherent in the governing processes of this nation.

1.11 The need for accountability has caused ademand for more information about governmentprograms and services. Public officials, legislators,and citizens want and need to know whethergovernment funds are handled properly and incompliance with laws and regulations. They also wantand need to know whether government organizations,programs, and services are achieving their purposesand whether these organizations, programs, andservices are operating economically and efficiently.

1.12 This document provides auditing standards tohelp provide accountability and to assist publicofficials and employees in carrying out theirresponsibilities. These standards are more than thecodification of current practices. They includeconcepts and audit areas that are still evolving andare vital to the accountability objectives sought inauditing governments and their programs andservices.

Basic Premises 1.13 The following premises underlie these standardsand were considered in their development.

a. The term “audit” includes both financial andperformance audits.

b. Public officials and others entrusted with handlingpublic resources (for example, managers of anot-for-profit organization that receives federalassistance) are responsible for applying those

Page 8

Chapter 1

Introduction

resources efficiently, economically, and effectively toachieve the purposes for which the resources werefurnished. This responsibility applies to all resources,whether entrusted to public officials or others bytheir own constituencies or by other levels ofgovernment.

c. Public officials and others entrusted with publicresources are responsible for complying withapplicable laws and regulations. That responsibilityencompasses identifying the requirements with whichthe entity and the official must comply andimplementing systems designed to achieve thatcompliance.

d. Public officials and others entrusted with publicresources are responsible for establishing andmaintaining effective controls to ensure thatappropriate goals and objectives are met; resourcesare safeguarded; laws and regulations are followed;and reliable data are obtained, maintained, and fairlydisclosed.

e. Public officials and others entrusted with publicresources are accountable both to the public and toother levels and branches of government for theresources provided to carry out government programsand services. Consequently, they should provideappropriate reports to those to whom they areaccountable.

f. Audit of government reporting is an essentialelement of public control and accountability. Auditingprovides credibility to the information reported by orobtained from management through objectivelyacquiring and evaluating evidence. The importanceand comprehensive nature of auditing place a specialresponsibility on public officials or others entrustedwith public resources who authorize or arrange auditsto be done in accordance with these standards. This

Page 9

Chapter 1

Introduction

responsibility is to provide audit coverage that isbroad enough to help fulfill the reasonable needs ofpotential users of the audit report. Auditors can assistpublic officials and others in understanding theauditors’ responsibilities under GAGAS and other auditcoverage required by law or regulation. Thiscomprehensive nature of auditing also highlights theimportance of auditors clearly understanding theaudit objectives, the scope of the work to beconducted, and the reporting requirements.

g. Financial auditing contributes to providingaccountability since it provides independent reportson whether an entity’s financial information ispresented fairly and/or on its internal controls andcompliance with laws and regulations.

h. Performance auditing contributes to providingaccountability because it provides an independentassessment of the performance of a governmentorganization, program, activity, or function in order toprovide information to improve public accountabilityand facilitate decision-making by parties withresponsibility to oversee or initiate corrective action.

i. To realize governmental accountability, the citizens,their elected representatives, and program managersneed information to assess the integrity, performance,and stewardship of the government’s activities. Thus,unless legal restrictions or ethical considerationsprevent it, audit reports should be available to thepublic and to other levels of government that havesupplied resources.7

Auditors’Responsibilities

1.14 The comprehensive nature of auditing done inaccordance with these standards places on the auditorganization the responsibility for ensuring that

7The Single Audit Act (31 U.S.C. 7502(f)) requires that the report onsingle audits be made available for public inspection.

Page 10

Chapter 1

Introduction

(1) the audit is conducted by personnel whocollectively have the necessary skills,(2) independence is maintained, (3) applicablestandards are followed in planning and conductingaudits and reporting the results, (4) the organizationhas an appropriate internal quality control system inplace, and (5) the organization undergoes an externalquality control review.

Procurement ofAudit Services

1.15 While not an audit standard, it is important thata sound procurement practice be followed whencontracting for audit services. Sound contract awardand approval procedures, including the monitoring ofcontract performance, should be in place. Theobjectives and scope of the audit should be madeclear. In addition to price, other factors to beconsidered include the responsiveness of the bidderto the request for proposal; the experience of thebidder; availability of bidder staff with professionalqualifications and technical abilities; and the resultsof the bidders’ external quality control reviews.8

8See How to Avoid a Substandard Audit: Suggestions for Procuringan Audit, National Intergovernmental Audit Forum, May 1988.

Page 11

Chapter 2

Types of Government Audits

Purpose 2.1 This chapter describes the types of audits thatgovernment and nongovernment audit organizationsconduct and that organizations arrange to haveconducted, of government organizations, programs,activities, functions, and funds. This description is notintended to limit or require the types of audits thatmay be conducted or arranged. In conducting thesetypes of audits, auditors should follow the applicablestandards included and incorporated in the chapterswhich follow.

2.2 All audits begin with objectives, and thoseobjectives determine the type of audit to beconducted and the audit standards to be followed.The types of audits, as defined by their objectives, areclassified in these standards as financial audits orperformance audits.

2.3 Audits may have a combination of financial andperformance audit objectives or may have objectiveslimited to only some aspects of one audit type. Forexample, auditors conduct audits of governmentcontracts and grants with private sectororganizations, as well as government and nonprofitorganizations, that often include both financial andperformance objectives. These are commonlyreferred to as “contract audits” or “grant audits.”Other examples of such audits include audits ofspecific internal controls, compliance issues, andcomputer-based systems. Auditors should follow thestandards that are applicable to the individualobjectives of the audit.

Financial Audits 2.4 Financial audits include financial statement andfinancial related audits.

a. Financial statement audits provide reasonableassurance about whether the financial statements ofan audited entity present fairly the financial position,

Page 12

Chapter 2

Types of Government Audits

results of operations, and cash flows in conformitywith generally accepted accounting principles.1

Financial statement audits also include audits offinancial statements prepared in conformity with anyof several other bases of accounting discussed inauditing standards issued by the American Institute ofCertified Public Accountants (AICPA).

b. Financial related audits include determiningwhether (1) financial information is presented inaccordance with established or stated criteria, (2) theentity has adhered to specific financial compliancerequirements, or (3) the entity’s internal controlstructure over financial reporting and/or safeguardingassets is suitably designed and implemented toachieve the control objectives.

2.5 Financial related audits may, for example, includeaudits of the following items:

a. Segments of financial statements; financialinformation (for example, statement of revenue andexpenses, statement of cash receipts anddisbursements, statement of fixed assets); budgetrequests; and variances between estimated and actualfinancial performance.

b. Internal controls over compliance with laws andregulations, such as those governing the (1) biddingfor, (2) accounting for, and (3) reporting on grants

1Three authoritative bodies for generally accepted accountingprinciples are the Governmental Accounting Standards Board(GASB), the Financial Accounting Standards Board (FASB), andthe sponsors of the Federal Accounting Standards Advisory Board(FASAB). GASB establishes accounting principles and financialreporting standards for state and local government entities. FASBestablishes accounting principles and financial reporting standardsfor nongovernment entities. The sponsors of FASAB—the Secretaryof the Treasury, the Director of the Office of Management andBudget, and the Comptroller General—jointly establish accountingprinciples and financial reporting standards for the federalgovernment, based on recommendations from FASAB.

Page 13

Chapter 2

Types of Government Audits

and contracts (including proposals, amounts billed,amounts due on termination claims, and so forth).

c. Internal controls over financial reporting and/orsafeguarding assets, including controls usingcomputer-based systems.

d. Compliance with laws and regulations andallegations of fraud.

PerformanceAudits

2.6 A performance audit is an objective andsystematic examination of evidence for the purposeof providing an independent assessment of theperformance of a government organization, program,activity, or function in order to provide information toimprove public accountability and facilitatedecision-making by parties with responsibility tooversee or initiate corrective action.

2.7 Performance audits include economy andefficiency and program audits.

a. Economy and efficiency audits include determining(1) whether the entity is acquiring, protecting, andusing its resources (such as personnel, property, andspace) economically and efficiently, (2) the causes ofinefficiencies or uneconomical practices, and(3) whether the entity has complied with laws andregulations on matters of economy and efficiency.

b. Program audits include determining (1) the extentto which the desired results or benefits established bythe legislature or other authorizing body are beingachieved, (2) the effectiveness of organizations,programs, activities, or functions, and (3) whether theentity has complied with significant laws andregulations applicable to the program.

Page 14

Chapter 2

Types of Government Audits

2.8 Economy and efficiency audits may, for example,consider whether the entity

a. is following sound procurement practices;

b. is acquiring the appropriate type, quality, andamount of resources at an appropriate cost;

c. is properly protecting and maintaining itsresources;

d. is avoiding duplication of effort by employees andwork that serves little or no purpose;

e. is avoiding idleness and overstaffing;

f. is using efficient operating procedures;

g. is using the optimum amount of resources (staff,equipment, and facilities) in producing or deliveringthe appropriate quantity and quality of goods orservices in a timely manner;

h. is complying with requirements of laws andregulations that could significantly affect theacquisition, protection, and use of the entity’sresources;

i. has an adequate management control system formeasuring, reporting, and monitoring a program’seconomy and efficiency; and

j. has reported measures of economy and efficiencythat are valid and reliable.

Page 15

Chapter 2

Types of Government Audits

2.9 Program audits2 may, for example

a. assess whether the objectives of a new, or ongoingprogram are proper, suitable, or relevant;

b. determine the extent to which a program achievesa desired level of program results;

c. assess the effectiveness of the program and/or ofindividual program components;

d. identify factors inhibiting satisfactory performance;

e. determine whether management has consideredalternatives for carrying out the program that mightyield desired results more effectively or at a lowercost;

f. determine whether the program complements,duplicates, overlaps, or conflicts with other relatedprograms;

g. identify ways of making programs work better;

h. assess compliance with laws and regulationsapplicable to the program;

i. assess the adequacy of the management controlsystem for measuring, reporting, and monitoring aprogram’s effectiveness; and

j. determine whether management has reportedmeasures of program effectiveness that are valid andreliable.

2These audits may apply to services, activities, and functions aswell as programs.

Page 16

Chapter 2

Types of Government Audits

Other Activitiesof an AuditOrganization

2.10 Auditors may perform services other than audits.For example, some auditors may

a. assist a legislative body by developing questions foruse at hearings,

b. develop methods and approaches to be applied inevaluating a new or a proposed program,

c. forecast potential program outcomes under variousassumptions without evaluating current operations,and

d. perform investigative work.

2.11 The head of the audit organization may wish toestablish policies applying standards in this statementto its employees performing these and other types ofnonaudit work.

Page 17

Chapter 3

General Standards

Purpose 3.1 This chapter prescribes general standards forconducting financial and performance audits. Thesegeneral standards relate to the qualifications of thestaff, the audit organization’s and the individualauditor’s independence, the exercise of dueprofessional care in conducting the audit and inpreparing related reports, and the presence of qualitycontrols. General standards are distinct from thosestandards that relate to conducting field work andpreparing related reports.

3.2 These general standards apply to all auditorganizations, both government and nongovernment(for example, public accounting firms and consultingfirms), conducting audits of governmentorganizations, programs, activities, and functions andof government assistance received by nongovernmentorganizations.

Qualifications 3.3 The first general standard is:

The staff assigned to conduct the audit should

collectively possess adequate professional

proficiency for the tasks required.

3.4 This standard places responsibility on the auditorganization to ensure that each audit is conducted bystaff who collectively have the knowledge and skillsnecessary for that audit. They should also have athorough knowledge of government auditing and ofthe specific or unique environment in which theaudited entity operates, relative to the nature of theaudit being conducted.

3.5 The qualifications mentioned here apply to theknowledge and skills of the audit organization as awhole and not necessarily to each individual auditor.An organization may need to employ personnel orhire outside consultants knowledgeable in such areas

Page 18

Chapter 3

General Standards

as accounting, statistics, law, engineering, auditdesign and methodology, automated data processing,public administration, economics, social sciences, oractuarial science.

ContinuingEducationRequirements

3.6 To meet this standard, the audit organizationshould have a program to ensure that its staffmaintain professional proficiency through continuingeducation and training. Thus, each auditorresponsible for planning, directing, conducting, orreporting on audits under these standards shouldcomplete, every 2 years, at least 80 hours ofcontinuing education and training which contributesto the auditor’s professional proficiency. At least 20hours should be completed in any 1 year of the 2-yearperiod. Individuals responsible for planning ordirecting an audit, conducting substantial portions ofthe field work, or reporting on the audit under thesestandards should complete at least 24 of the 80 hoursof continuing education and training in subjectsdirectly related to the government environment and togovernment auditing. If the audited entity operates ina specific or unique environment, auditors shouldreceive training that is related to that environment.

3.7 The audit organization is responsible forestablishing and implementing a program to ensurethat auditors meet the continuing education andtraining requirements just stated. The organizationshould maintain documentation of the education andtraining completed.1

1The qualifications standard and continuing education requirementsplace responsibilities on both the audit organization and individualauditors. Carrying out these responsibilities requires soundprofessional judgment. To assist audit organizations and individualauditors in exercising that judgment, the General Accounting Office(GAO) issued Interpretation of Continuing Education and TrainingRequirements, April 1991, Government Printing Office stocknumber 020-000-00250-6.

Page 19

Chapter 3

General Standards

3.8 The continuing education and training mayinclude such topics as current developments in auditmethodology, accounting, assessment of internalcontrols, principles of management or supervision,financial management, statistical sampling, evaluationdesign, and data analysis. It may also include subjectsrelated to the auditor’s field of work, such as publicadministration, public policy and structure, industrialengineering, economics, social sciences, or computerscience.

3.9 External consultants and internal experts andspecialists should be qualified and maintainprofessional proficiency in their areas of expertiseand/or specialization but are not required to meet theabove continuing education and trainingrequirements. Auditors performing nonaudit activitiesand services also are not required to meet the abovecontinuing education and training requirements.

Staff Qualifications 3.10 Qualifications for staff members conductingaudits include:

a. Knowledge of the methods and techniquesapplicable to government auditing and the education,skills, and experience to apply such knowledge to theaudit being conducted.

b. Knowledge of government organizations, programs,activities, and functions.

c. Skills to communicate clearly and effectively, bothorally and in writing.

Page 20

Chapter 3

General Standards

d. Skills appropriate for the audit work beingconducted. For instance

(1) if the work requires use of statistical sampling, thestaff or consultants to the staff should includepersons with statistical sampling skills;

(2) if the work requires extensive review ofcomputerized systems, the staff or consultants to thestaff should include persons with computer auditskills;

(3) if the work involves review of complexengineering data, the staff or consultants to the staffshould include persons with engineering skills; or

(4) if the work involves the use of nontraditional auditmethodologies, the staff or consultants to the staffshould include persons with skills in thosemethodologies.

e. The following qualifications are needed forfinancial audits that lead to an expression of anopinion.

(1) The auditors should be proficient in theappropriate accounting principles and in governmentauditing standards.

(2) The public accountants engaged to conduct auditsshould be (a) licensed certified public accountants orpersons working for a licensed certified publicaccounting firm or (b) public accountants licensed onor before December 31, 1970, or persons working fora public accounting firm licensed on or beforeDecember 31, 1970.2

2Accountants and accounting firms meeting these licensingrequirements should also comply with the applicable provisions ofthe public accountancy law and rules of the jurisdiction(s) wherethe audit is being conducted and the jurisdiction(s) in which theaccountants and their firms are licensed.

Page 21

Chapter 3

General Standards

Independence 3.11 The second general standard is:

In all matters relating to the audit work, the

audit organization and the individual auditors,

whether government or public, should be free

from personal and external impairments to

independence, should be organizationally

independent, and should maintain an

independent attitude and appearance.

3.12 This standard places responsibility on eachauditor and the audit organization to maintainindependence so that opinions, conclusions,judgments, and recommendations will be impartialand will be viewed as impartial by knowledgeablethird parties.

3.13 Auditors should consider not only whether theyare independent and their attitudes and beliefs permitthem to be independent but also whether there isanything about their situations that might lead othersto question their independence. All situations deserveconsideration because it is essential not only thatauditors are, in fact, independent and impartial, butalso that knowledgeable third parties consider themso.

3.14 Government auditors, including hiredconsultants and internal experts and specialists, needto consider three general classes of impairments toindependence—personal, external, andorganizational. If one or more of these impairmentsaffects an auditor’s ability to do the work and reportfindings impartially, that auditor should either declineto perform the audit, or in those situations where thatauditor cannot decline to perform the audit, theimpairment(s) should be reported in the scopesection of the audit report. Also, when auditors areemployees of the audited entity, that fact should bereflected in a prominent place in the audit report.

Page 22

Chapter 3

General Standards

3.15 Nongovernment auditors also need to considerthose personal and external impairments that mightaffect their ability to do their work and report theirfindings impartially. If their ability is adverselyaffected, they should decline to perform the audit.Public accountants should also follow the AmericanInstitute of Certified Public Accountants (AICPA) codeof professional conduct, the code of professionalconduct of the state board with jurisdiction over thepractice of the public accountant and the auditorganization, and the guidance on personal andexternal impairments in these standards.

PersonalImpairments

3.16 There are circumstances under which auditorsmay not be impartial, or may not be perceived asimpartial. The audit organization is responsible forhaving policies and procedures in place to helpdetermine if auditors have any personal impairments.Managers and supervisors need to be alert forpersonal impairments of their staff members.Auditors are responsible for notifying the appropriateofficial within their audit organization if they have anypersonal impairments. These impairments apply toindividual auditors, but they may also apply to theaudit organization. Personal impairments mayinclude, but are not limited to, the following:

a. official, professional, personal, or financialrelationships that might cause an auditor to limit theextent of the inquiry, to limit disclosure, or to weakenor slant audit findings in any way;

b. preconceived ideas toward individuals, groups,organizations, or objectives of a particular programthat could bias the audit;

c. previous responsibility for decision-making ormanaging an entity that would affect currentoperations of the entity or program being audited;

Page 23

Chapter 3

General Standards

d. biases, including those induced by political orsocial convictions, that result from employment in, orloyalty to, a particular group, organization, or level ofgovernment;

e. subsequent performance of an audit by the sameindividual who, for example, had previously approvedinvoices, payrolls, claims, and other proposedpayments of the entity or program being audited;

f. concurrent or subsequent performance of an auditby the same individual who maintained the officialaccounting records;3 and

g. financial interest that is direct, or is substantialthough indirect, in the audited entity or program.

ExternalImpairments

3.17 Factors external to the audit organization mayrestrict the audit or interfere with an auditor’s abilityto form independent and objective opinions andconclusions. For example, under the followingconditions, an audit may be adversely affected and anauditor may not have complete freedom to make anindependent and objective judgment:

a. external interference or influence that improperlyor imprudently limits or modifies the scope of anaudit;

3For example, an individual performs a substantial part of theaccounting process or cycle, such as analyzing, journalizing,posting, preparing, adjusting and closing entries, and preparing thefinancial statements, and later the same individual performs anaudit. In instances in which the auditor acts as the main processorfor transactions initiated by the audited entity, but the auditedentity acknowledges responsibility for the financial records andfinancial statements, the independence of the auditor is notnecessarily impaired.

Page 24

Chapter 3

General Standards

b. external interference with the selection orapplication of audit procedures or in the selection oftransactions to be examined;

c. unreasonable restrictions on the time allowed tocomplete an audit;

d. interference external to the audit organization inthe assignment, appointment, and promotion of auditpersonnel;

e. restrictions on funds or other resources providedto the audit organization that would adversely affectthe audit organization’s ability to carry out itsresponsibilities;

f. authority to overrule or to influence the auditor’sjudgment as to the appropriate content of an auditreport; and

g. influences that jeopardize the auditor’s continuedemployment for reasons other than competency orthe need for audit services.

OrganizationalIndependence

3.18 Government auditors’ independence can beaffected by their place within the structure of thegovernment entity to which they are assigned andalso by whether they are auditing internally orauditing other entities.

Internal Auditors 3.19 A federal, state, or local government auditorganization, or an audit organization within othergovernment entities, such as a public college,university, or hospital, may be subject toadministrative direction from persons involved in thegovernment management process. To help achieveorganizational independence, audit organizationsshould report the results of their audits and beaccountable to the head or deputy head of the

Page 25

Chapter 3

General Standards

government entity and should be organizationallylocated outside the staff or line management functionof the unit under audit. The audit organization’sindependence is enhanced when it also reportsregularly to the entity’s independent audit committeeand/or the appropriate government oversight body.

3.20 Auditors should also be sufficiently removedfrom political pressures to ensure that they canconduct their audits objectively and can report theirfindings, opinions, and conclusions objectivelywithout fear of political repercussion. Wheneverfeasible, they should be under a personnel system inwhich compensation, training, job tenure, andadvancement are based on merit.

3.21 If the above conditions are met, and no personalor external impairments exist, the audit staff shouldbe considered organizationally independent to auditinternally and free to report objectively to topmanagement.

3.22 When organizationally independent internalauditors conduct audits external to the governmententity to which they are directly assigned, they maybe considered independent of the audited entity andfree to report objectively to the head or deputy headof the government entity to which they are assigned.

External Auditors 3.23 Government auditors employed by auditorganizations whose heads are elected and legislativeauditors auditing executive entities may beconsidered free of organizational impairments whenauditing outside the government entity to which theyare assigned.

3.24 Government auditors may be presumed to beindependent of the audited entity, assuming nopersonal or external impairments exist, if the entity is

Page 26

Chapter 3

General Standards

a. a level of government other than the one to whichthey are assigned (federal, state, or local) or

b. a different branch of government within the level ofgovernment to which they are assigned (legislative,executive, or judicial).

3.25 Government auditors may also be presumed tobe independent, assuming no personal or externalimpairments exist, if the audit organization’s head is

a. elected by the citizens of their jurisdiction,

b. elected or appointed by a legislative body of thelevel of government to which they are assigned andreport the results of audits to, and are accountable tothe legislative body, or

c. appointed by the chief executive but confirmed by,report the results of audits to, and are accountable toa legislative body of the level of government to whichthey are assigned.

Due ProfessionalCare

3.26 The third general standard is:

Due professional care should be used in

conducting the audit and in preparing related

reports.

3.27 This standard requires auditors to work with dueprofessional care. Due care imposes a responsibilityupon each auditor within the audit organization toobserve generally accepted government auditingstandards.

3.28 Exercising due professional care means usingsound judgment in establishing the scope, selectingthe methodology, and choosing tests and proceduresfor the audit. The same sound judgment should be

Page 27

Chapter 3

General Standards

applied in conducting the tests and procedures and inevaluating and reporting the audit results.

3.29 Auditors should use sound professionaljudgment in determining the standards that apply tothe work to be conducted. The auditors’determination that certain standards do not apply tothe audit should be documented in the workingpapers. Situations may occur in which governmentauditors are not able to follow an applicable standardand are not able to withdraw from the audit. In thosesituations, the auditors should disclose in the scopesection of their report, the fact that an applicablestandard was not followed, the reasons therefor, andthe known effect that not following the standard hadon the results of the audit.

3.30 While this standard places responsibility on eachauditor and audit organization to exercise dueprofessional care in the performance of an auditassignment, it does not imply unlimited responsibility;neither does it imply infallibility on the part of eitherthe individual auditor or the audit organization.

Quality Control 3.31 The fourth general standard is:

Each audit organization conducting audits in

accordance with these standards should have an

appropriate internal quality control system in

place and undergo an external quality control

review.

3.32 The internal quality control system establishedby the audit organization should provide reasonableassurance that it (1) has adopted, and is following,applicable auditing standards and (2) has established,and is following, adequate audit policies andprocedures. The nature and extent of anorganization’s internal quality control system depend

Page 28

Chapter 3

General Standards

on a number of factors, such as its size, the degree ofoperating autonomy allowed its personnel and itsaudit offices, the nature of its work, its organizationalstructure, and appropriate cost-benefitconsiderations. Thus, the systems established byindividual organizations will vary, as will the extent oftheir documentation.

3.33 Organizations conducting audits in accordancewith these standards should have an external qualitycontrol review at least once every 3 years by anorganization not affiliated with the organization beingreviewed.4 The external quality control review shoulddetermine whether the organization’s internal qualitycontrol system is in place and operating effectively toprovide reasonable assurance that establishedpolicies and procedures and applicable auditingstandards are being followed.

3.34 An external quality control review 5 under thisstandard should meet the following requirements.

a. Reviewers should be qualified and have currentknowledge of the type of work to be reviewed and theapplicable auditing standards. For example,individuals reviewing government audits should havea thorough knowledge of the governmentenvironment and government auditing relative to thework being reviewed.

4Audit organizations should have an external quality control reviewcompleted (that is, report issued) within 3 years from the date theystart their first audit in accordance with these standards.Subsequent external quality control reviews should be completedwithin 3 years after the issuance of the prior review.

5External quality control reviews conducted through or by theAICPA, National State Auditors Association, National Associationof Local Government Auditors, President’s Council on Integrity andEfficiency, Executive Council on Integrity and Efficiency, andInstitute of Internal Auditors meet these requirements.

Page 29

Chapter 3

General Standards

b. Reviewers should be independent (as defined inthese standards) of the audit organization beingreviewed, its staff, and its auditees whose audits areselected for review. An audit organization is notpermitted to review the organization that conductedits most recent external quality control review.

c. Reviewers should use sound professional judgmentin conducting and reporting the results of the externalquality control review.

d. Reviewers should use one of the followingapproaches to selecting audits for review: (1) selectaudits that provide a reasonable cross section of theaudits conducted in accordance with these standardsor (2) select audits that provide a reasonable crosssection of the organization’s audits, including one ormore audits conducted in accordance with thesestandards.

e. This review should include a review of the auditreports, working papers, and other necessarydocuments (for example, correspondence andcontinuing education documentation) as well asinterviews with the reviewed organization’sprofessional staff.

f. A written report should be preparedcommunicating the results of the external qualitycontrol review.

3.35 External quality control review proceduresshould be tailored to the size and nature of anorganization’s audit work. For example, anorganization that performs only a few audits may bemore effectively reviewed by emphasizing a review ofthe quality of those audits rather than theorganization’s internal quality control policies andprocedures.

Page 30

Chapter 3

General Standards

3.36 Audit organizations seeking to enter into acontract to perform an audit in accordance with thesestandards should provide their most recent externalquality control review report6 to the party contractingfor the audit. Information in the external qualitycontrol review report often would be relevant todecisions on procuring audit services. Auditorganizations also should make their external qualitycontrol review reports available to auditors usingtheir work and to appropriate oversight bodies. It isrecommended that the report be made available tothe public.

6The term “report” does not include separate letters of comment.

Page 31

Chapter 4

Field Work Standards forFinancial Audits

Purpose 4.1 This chapter prescribes standards of field workfor financial audits, which include financial statementaudits and financial related audits.

Relation toAICPA Standards

4.2 For financial statement audits, generally acceptedgovernment auditing standards (GAGAS) incorporatethe American Institute of Certified PublicAccountants’ (AICPA) three generally acceptedstandards of field work, which are:

a. The work is to be adequately planned andassistants, if any, are to be properly supervised.

b. A sufficient understanding of the internal controlstructure is to be obtained to plan the audit and todetermine the nature, timing, and extent of tests to beperformed.

c. Sufficient competent evidential matter is to beobtained through inspection, observation, inquiries,and confirmations to afford a reasonable basis for anopinion regarding the financial statements underaudit.

4.3 The AICPA has issued statements on auditingstandards (SAS) that interpret its standards of fieldwork (including a SAS on compliance auditing).1 Thischapter incorporates these SASs and prescribesadditional standards on

a. audit follow-up (see paragraphs 4.7, 4.10, and 4.11),

b. noncompliance other than illegal acts (seeparagraphs 4.13 and 4.18 through 4.20), and

1GAGAS incorporate any new AICPA standards relevant to financialstatement audits unless the General Accounting Office (GAO)excludes them by formal announcement.

Page 32

Chapter 4

Field Work Standards for

Financial Audits

c. working papers. (See paragraphs 4.35 through4.38.)

4.4 This chapter also presents guidance on threeother key aspects of financial statement audits:

a. materiality (see paragraphs 4.8 and 4.9),

b. irregularities and illegal acts (see paragraphs 4.14through 4.17), and

c. internal controls. (See paragraphs 4.21 through4.33.)

4.5 This chapter concludes by explaining whichstandards auditors should follow in performingfinancial related audits.

Planning 4.6 AICPA standards and GAGAS require the following:

The work is to be properly planned, and auditors

should consider materiality, among other

matters, in determining the nature, timing, and

extent of auditing procedures and in evaluating

the results of those procedures.

4.7 The additional planning standard for financialstatement audits is:

Auditors should follow up on known material

findings and recommendations from previous

audits.

Materiality 4.8 Auditors’ consideration of materiality is a matterof professional judgment and is influenced by theirperception of the needs of a reasonable person whowill rely on the financial statements. Materialityjudgments are made in light of surrounding

Page 33

Chapter 4

Field Work Standards for

Financial Audits

circumstances and necessarily involve bothquantitative and qualitative considerations.

4.9 In an audit of the financial statements of agovernment entity or an entity that receivesgovernment assistance, auditors may set lowermateriality levels than in audits in the private sectorbecause of the public accountability of the auditee,the various legal and regulatory requirements, and thevisibility and sensitivity of government programs,activities, and functions.

Audit Follow-up 4.10 Auditors should follow up on known materialfindings and recommendations from previous auditsthat could affect the financial statement audit. Theyshould do this to determine whether the auditee hastaken timely and appropriate corrective actions.Auditors should report the status of uncorrectedmaterial findings and recommendations from prioraudits that affect the financial statement audit.

4.11 Much of the benefit from audit work is not in thefindings reported or the recommendations made, butin their effective resolution. Auditee management isresponsible for resolving audit findings andrecommendations, and having a process to track theirstatus can help it fulfill this responsibility. Ifmanagement does not have such a process, auditorsmay wish to establish their own. Continued attentionto material findings and recommendations can helpauditors assure that the benefits of their work arerealized.

Page 34

Chapter 4

Field Work Standards for

Financial Audits

Irregularities,Illegal Acts, andOtherNoncompliance

4.12 AICPA standards and GAGAS require the following:

a. Auditors should design the audit to provide

reasonable assurance of detecting irregularities

that are material to the financial statements.2

b. Auditors should design the audit to provide

reasonable assurance of detecting material

misstatements resulting from direct and

material illegal acts.3

c. Auditors should be aware of the possibility

that indirect illegal acts may have occurred.4 Ifspecific information comes to the auditors’

attention that provides evidence concerning the

existence of possible illegal acts that could have

a material indirect effect on the financial

statements, the auditors should apply audit

procedures specifically directed to ascertaining

whether an illegal act has occurred.

4.13 The additional compliance standard for financialstatement audits is:

Auditors should design the audit to provide

reasonable assurance of detecting material

misstatements resulting from noncompliance

with provisions of contracts or grant agreements

that have a direct and material effect on the

determination of financial statement amounts. If

2Irregularities are intentional misstatements or omissions ofamounts or disclosures in financial statements.

3Direct and material illegal acts are violations of laws andregulations having a direct and material effect on the determinationof financial statement amounts.

4Indirect illegal acts are violations of laws and regulations havingmaterial but indirect effects on the financial statements.

Page 35

Chapter 4

Field Work Standards for

Financial Audits

specific information comes to the auditors’

attention that provides evidence concerning the

existence of possible noncompliance that could

have a material indirect effect on the financial

statements, auditors should apply audit

procedures specifically directed to ascertaining

whether that noncompliance has occurred.

Auditors’Understanding ofPossibleIrregularities and ofLaws andRegulations

4.14 Auditors are responsible for being aware of thecharacteristics and types of potentially materialirregularities that could be associated with the areabeing audited so that they can plan the audit toprovide reasonable assurance of detecting materialirregularities.

4.15 Auditors should obtain an understanding of thepossible effects on financial statements of laws andregulations that are generally recognized by auditorsto have a direct and material effect on thedetermination of amounts in the financial statements.Auditors may find it necessary to use the work oflegal counsel in (1) determining which laws andregulations might have a direct and material effect onthe financial statements, (2) designing tests ofcompliance with laws and regulations, and(3) evaluating the results of those tests.5 Auditors alsomay find it necessary to use the work of legal counselwhen an audit requires testing compliance withprovisions of contracts or grant agreements.Depending on the circumstances of the audit, auditorsmay find it necessary to obtain information oncompliance matters from others, such as investigativestaff, audit officials of government entities thatprovided assistance to the auditee, and/or theapplicable law enforcement authority.

5AICPA standards provide guidance for auditors who use the workof a specialist who is not a member of their staff.

Page 36

Chapter 4

Field Work Standards for

Financial Audits

Due CareConcerning PossibleIrregularities andIllegal Acts

4.16 Auditors should exercise due professional carein pursuing indications of possible irregularities andillegal acts so as not to interfere with potential futureinvestigations, legal proceedings, or both. Under somecircumstances, laws, regulations, or policies mayrequire auditors to report indications of certain typesof irregularities or illegal acts to law enforcement orinvestigatory authorities before extending audit stepsand procedures. Auditors may also be required towithdraw from or defer further work on the audit or aportion of the audit in order not to interfere with aninvestigation.

4.17 An audit made in accordance with GAGAS will notguarantee the discovery of illegal acts or contingentliabilities resulting from them. Nor does thesubsequent discovery of illegal acts committed duringthe audit period necessarily mean that the auditors’performance was inadequate, provided the audit wasmade in accordance with these standards.

NoncomplianceOther Than IllegalActs

4.18 The term noncompliance has a broader meaningthan illegal acts. Noncompliance includes not onlyillegal acts, but also violations of provisions ofcontracts or grant agreements. AICPA standards do notdiscuss auditors’ responsibility for detectingnoncompliance other than illegal acts. But, underGAGAS, auditors have the same responsibilities fordetecting material misstatements arising from othertypes of noncompliance as they do for detecting thosearising from illegal acts.

4.19 Direct and material noncompliance isnoncompliance having a direct and material effect onthe determination of financial statement amounts.Auditors should design the audit to providereasonable assurance of detecting materialmisstatements resulting from direct and material

Page 37

Chapter 4

Field Work Standards for

Financial Audits

noncompliance with provisions of contracts or grantagreements.

4.20 Indirect noncompliance is noncompliancehaving material but indirect effects on the financialstatements. A financial statement audit provides noassurance that indirect noncompliance withprovisions of contracts or grant agreements will bedetected. However, if specific information comes tothe auditors’ attention that provides evidenceconcerning the existence of possible noncompliancethat could have a material indirect effect on thefinancial statements, auditors should apply auditprocedures specifically directed to ascertainingwhether that noncompliance has occurred.

Internal Controls 4.21 AICPA standards and GAGAS require the following:

Auditors should obtain a sufficient

understanding of internal controls to plan the

audit and determine the nature, timing, and

extent of tests to be performed.

4.22 GAGAS do not prescribe additional internalcontrol standards for financial statement audits.However, this chapter provides guidance on thefollowing four aspects of internal controls that areimportant to the judgments auditors make about auditrisk and about the evidence needed to support theiropinion on the financial statements:

a. control environment,

b. safeguarding controls,

c. controls over compliance with laws andregulations, and

d. control risk assessments.

Page 38

Chapter 4

Field Work Standards for

Financial Audits

ControlEnvironment

4.23 Auditors’ judgments about the controlenvironment may influence—either positively ornegatively—their judgments about specific controlprocedures. For example, evidence indicating that thecontrol environment is ineffective may lead auditorsto question the likely effectiveness of a controlprocedure for a particular financial statementassertion. Conversely, based on evidence indicatingthat the control environment is effective, auditorsmay decide to reduce the number of locations wherethey will perform auditing procedures.

4.24 Auditors’ judgments about the controlenvironment also can be affected by the results oftheir tests of other internal controls. If auditors obtainevidence that specific control procedures areineffective, they may find it necessary to reevaluatetheir earlier conclusion about the controlenvironment and other planning decisions they hadmade based on that conclusion.

SafeguardingControls

4.25 Internal controls over safeguarding of assets(safeguarding controls) constitute a process, effectedby an entity’s governing body, management, and otherpersonnel, designed to provide reasonable assuranceregarding prevention or timely detection ofunauthorized acquisition, use, or disposition of theentity’s assets that could have a material effect on thefinancial statements.

4.26 Safeguarding controls relate to the prevention ortimely detection of unauthorized transactions andunauthorized access to assets that could result inlosses that are material to the financial statements,for example, when unauthorized expenditures orinvestments are made, unauthorized liabilities areincurred, inventory is stolen, or assets are convertedto personal use. Such controls are designed to helpensure that use of and access to assets are in

Page 39

Chapter 4

Field Work Standards for

Financial Audits

accordance with management’s authorization.Authorization includes approval of transactions inaccordance with policies and procedures establishedby management to safeguard assets, such asestablishing and complying with requirements forextending and monitoring credit or makinginvestment decisions, and related documentation.Safeguarding controls are not designed to protectagainst loss of assets arising from inefficiency or frommanagement’s operating decisions, such as incurringexpenditures for equipment or material that proves tobe unnecessary or unsatisfactory.

4.27 AICPA standards and GAGAS require auditors toobtain a sufficient understanding of internal controlsto plan the audit. They also require auditors to planthe audit to provide reasonable assurance of detectingmaterial irregularities, including materialmisappropriation of assets. Because preventing ordetecting material misappropriations is an objectiveof safeguarding controls, understanding thosecontrols can be essential to planning the audit.

4.28 Safeguarding controls are not limited topreventing or detecting misappropriations, however.They also help prevent or detect other material lossesthat could result from unauthorized acquisition, use,or disposition of assets. Such controls include, forexample, the process of assessing the risk ofunauthorized acquisition, use, or disposition of assetsand establishing control activities to help ensure thatmanagement directives to address the risk are carriedout. Such control activities would include controls topermit acquisition, use, or disposition of assets onlyin accordance with management’s general or specificauthorization, including compliance with establishedpolicies and procedures for such acquisition, use, ordisposition. They would also include comparingexisting assets with the related records at reasonableintervals and taking appropriate action with respect

Page 40

Chapter 4

Field Work Standards for

Financial Audits

to any differences. Finally, controls over thesafeguarding of assets against unauthorizedacquisition, use, or disposition also relate to makingavailable to management information it needs to carryout its responsibilities related to prevention or timelydetection of such unauthorized activities, as well asmechanisms to enable management to monitor thecontinued effective operation of such controls.

4.29 Understanding these safeguarding controls canhelp auditors assess the risk that financial statementscould be materially misstated. For example, anunderstanding of an auditee’s safeguarding controlscan help auditors recognize risk factors such as

a. failure to adequately monitor decentralizedoperations;

b. lack of controls over activities, such as lack ofdocumentation for major transactions;

c. lack of controls over computer processing, such asa lack of controls over access to applications thatinitiate or control the movement of assets;

d. failure to develop or communicate adequatepolicies and procedures for security of data or assets,such as allowing unauthorized personnel to haveready access to data or assets; and

e. failure to investigate significant unreconcileddifferences between reconciliations of a controlaccount and subsidiary records.

Controls OverCompliance WithLaws andRegulations

4.30 Auditors should design the audit to providereasonable assurance that the financial statementsare free of material misstatements resulting fromviolations of laws and regulations that have a directand material effect on the determination of financial

Page 41

Chapter 4

Field Work Standards for

Financial Audits

statement amounts. To meet that requirement,auditors should have an understanding of internalcontrols relevant to financial statement assertionsaffected by those laws and regulations. Auditorsshould use that understanding to identify types ofpotential misstatements, consider factors that affectthe risk of material misstatement, and designsubstantive tests. For example, the following controlenvironment factors may influence the auditors’assessment of control risk:

a. management’s awareness or lack of awareness ofapplicable laws and regulations,

b. auditee policy regarding such matters asacceptable operating practices and codes of conduct,and

c. assignment of responsibility and delegation ofauthority to deal with such matters as organizationalgoals and objectives, operating functions, andregulatory requirements.

Control RiskAssessments

4.31 When auditors assess control risk below themaximum for a given financial statement assertion,they reduce their need for evidence from substantivetests of that assertion. Auditors are not required toassess control risk below the maximum, but thelikelihood that they will find it efficient and effectiveto do so increases with the size of the entities theyaudit and the complexity of their operations. Auditorsshould do the following when assessing control riskbelow the maximum:

a. identify internal controls that are relevant to aspecific financial statement assertion;

b. perform tests that provide sufficient evidence thatthose controls are effective; and

Page 42

Chapter 4

Field Work Standards for

Financial Audits

c. document the tests of controls.

4.32 Auditors should remember the following whenplanning and performing tests of controls:

a. The lower the auditors’ assessment of control risk,the more evidence they need to support thatassessment.

b. Auditors may have to use a combination ofdifferent kinds of tests of controls to get sufficientevidence of a control’s effectiveness.

c. Inquiries alone generally will not support anassessment that control risk is below the maximum.

d. Observations provide evidence about a control’seffectiveness only at the time observed; they do notprovide evidence about its effectiveness during therest of the period under audit.

e. Auditors can use evidence from tests of controlsdone in prior audits (or at an interim date), but theyhave to obtain evidence about the nature and extentof significant changes in policies, procedures, andpersonnel since they last performed those tests.

4.33 Auditors may find it necessary to reconsidertheir assessments of control risk when theirsubstantive tests detect misstatements, especiallythose that appear to be irregularities or due to illegalacts. As a result, they may find it necessary to modifytheir planned substantive tests for some or allfinancial statement assertions. Deficiencies in internalcontrols that led to those misstatements may bereportable conditions or material weaknesses, whichauditors are required to report.

Page 43

Chapter 4

Field Work Standards for

Financial Audits

Working Papers 4.34 AICPA standards and GAGAS require the following:

A record of the auditors’ work should be

retained in the form of working papers.

4.35 The additional working paper standard forfinancial statement audits is:

Working papers should contain sufficient

information to enable an experienced auditor

having no previous connection with the audit to

ascertain from them the evidence that supports

the auditors’ significant conclusions and

judgments.

4.36 Audits done in accordance with GAGAS aresubject to review by other auditors and by oversightofficials more frequently than audits done inaccordance with AICPA standards. Thus, whereas AICPA

standards cite two main purposes of workingpapers—providing the principal support for the auditreport and aiding auditors in the conduct andsupervision of the audit—working papers serve anadditional purpose in audits performed in accordancewith GAGAS. Working papers allow for the review ofaudit quality by providing the reviewer writtendocumentation of the evidence supporting theauditors’ significant conclusions and judgments.

4.37 Working papers should contain

a. the objectives, scope, and methodology, includingany sampling criteria used;

b. documentation of the work performed to supportsignificant conclusions and judgments, includingdescriptions of transactions and records examined

Page 44

Chapter 4

Field Work Standards for

Financial Audits

that would enable an experienced auditor to examinethe same transactions and records;6 and

c. evidence of supervisory reviews of the workperformed.

4.38 One factor underlying GAGAS audits is thatfederal, state, and local governments and otherorganizations cooperate in auditing programs ofcommon interest so that auditors may use others’work and avoid duplicate audit efforts. Arrangementsshould be made so that working papers will be madeavailable, upon request, to other auditors. To facilitatereviews of audit quality and reliance by other auditorson the auditors’ work, contractual arrangements forGAGAS audits should provide for access to workingpapers.

Financial RelatedAudits

4.39 Certain AICPA standards address specific types offinancial related audits, and GAGAS incorporate thosestandards, as discussed below:7

a. SAS no. 35, Special Reports - Applying Agreed-UponProcedures to Specified Elements, Accounts, or Itemsof a Financial Statement;

b. SAS no. 62, Special Reports, for auditing specifiedelements, accounts, or items of a financial statement;

c. SAS no. 68, Compliance Auditing Applicable toGovernmental Entities and Other Recipients ofGovernmental Financial Assistance, for testing

6Auditors may meet this requirement by listing voucher numbers,check numbers, or other means of identifying specific documentsthey examined. They are not required to include in the workingpapers copies of documents they examined nor are they required tolist detailed information from those documents.

7GAGAS incorporate any new AICPA standards relevant to financialrelated audits unless GAO excludes them by formal announcement.

Page 45

Chapter 4

Field Work Standards for

Financial Audits

compliance with laws and regulations applicable tofederal financial assistance programs;

d. SAS no. 70, Reports on the Processing ofTransactions by Service Organizations, for examiningdescriptions of internal controls of serviceorganizations that process transactions for others;

e. Statement on Standards for AttestationEngagements (SSAE) no. 1, Attestation Standards, for(1) applying agreed-upon procedures to an entity’sassertions about internal controls over financialreporting and/or safeguarding assets or (2) examiningor applying agreed-upon procedures to an entity’sassertions about financial related matters notspecifically addressed in other AICPA standards;

f. SSAE no. 2, Reporting on an Entity’s Internal ControlStructure Over Financial Reporting, for examining anentity’s assertions about its internal controls overfinancial reporting and/or safeguarding assets; and

g. SSAE no. 3, Compliance Attestation, for(1) examining or applying agreed-upon procedures toan entity’s assertions about compliance with laws andregulations or (2) applying agreed-upon procedures toan entity’s assertions about internal controls overcompliance with laws and regulations.

4.40 Besides following applicable AICPA standards,auditors should follow this chapter’s audit follow-upand working paper standards. They should apply oradapt the other standards and guidance in thischapter as appropriate in the circumstances. Forfinancial related audits not described above, auditorsshould follow the field work standards forperformance audits in chapter 6.8

8Chapter 2 provides examples of other types of financial relatedaudits.

Page 46

Chapter 5

Reporting Standards forFinancial Audits

Purpose 5.1 This chapter prescribes standards of reporting forfinancial audits, which include financial statementaudits and financial related audits.

Relation toAICPA Standards

5.2 For financial statement audits, generally acceptedgovernment auditing standards (GAGAS) incorporatethe American Institute of Certified PublicAccountants’ (AICPA) four generally acceptedstandards of reporting, which are:

a. The report shall state whether the financialstatements are presented in accordance withgenerally accepted accounting principles.

b. The report shall identify those circumstances inwhich such principles have not been consistentlyobserved in the current period in relation to thepreceding period.

c. Informative disclosures in the financial statementsare to be regarded as reasonably adequate unlessotherwise stated in the report.

d. The report shall either contain an expression ofopinion regarding the financial statements, taken as awhole, or an assertion to the effect that an opinioncannot be expressed. When an overall opinion cannotbe expressed, the reasons therefor should be stated.In all cases where an auditor’s name is associatedwith financial statements, the report should contain aclear-cut indication of the character of the auditor’swork, if any, and the degree of responsibility theauditor is taking.

5.3 The AICPA has issued statements on auditingstandards (SAS) that interpret its standards of

Page 47

Chapter 5

Reporting Standards for

Financial Audits

reporting.1 This chapter incorporates these SASs andprescribes additional standards on

a. communication with audit committees or otherresponsible individuals (see paragraphs 5.5 through5.10),

b. reporting compliance with GAGAS (see paragraphs5.11 through 5.14),

c. reporting on compliance with laws and regulationsand on internal controls (see paragraphs 5.15 through5.28),

d. privileged and confidential information (seeparagraphs 5.29 through 5.31), and

e. report distribution. (See paragraphs 5.32 through5.35.)

5.4 This chapter concludes by explaining whichstandards auditors should follow in reporting theresults of financial related audits.

CommunicationWith AuditCommittees orOtherResponsibleIndividuals

5.5 The first additional reporting standard forfinancial statement audits is:

Auditors should communicate certain

information related to the conduct and

reporting of the audit to the audit committee or

to the individuals with whom they have

contracted for the audit.

5.6 This standard applies in all situations whereeither the auditee has an audit committee or the audit

1GAGAS incorporate any new AICPA standards relevant to financialstatement audits unless the General Accounting Office (GAO)excludes them by formal announcement.

Page 48

Chapter 5

Reporting Standards for

Financial Audits

is performed under contract. In other situations,auditors may still find it useful to communicate withmanagement or other officials of the auditee.

5.7 Auditors should communicate the followinginformation to the audit committee or to individualswith whom they contract to perform the audit:

a. the auditors’ responsibilities in a financialstatement audit, including their responsibilities fortesting and reporting on internal controls andcompliance with laws and regulations and

b. the nature of any additional testing of internalcontrols and compliance required by laws andregulations.

5.8 Auditors should use their professional judgmentto determine the form and content of thecommunication. The communication may be oral orwritten. If the information is communicated orally,the auditors should document the communication inthe working papers. Auditors may use an engagementletter to communicate the information described inparagraph 5.7. To help audit committees and otherresponsible parties understand the limitations ofauditors’ responsibilities for testing and reporting oninternal controls and compliance, auditors shouldcontrast those responsibilities with other financialrelated audits of controls and compliance. Thediscussion in paragraphs 5.9 and 5.10 may be helpfulto auditors in preparing to explain thoseresponsibilities.

5.9 Tests of internal controls and compliance withlaws and regulations in a financial statement auditcontribute to the evidence supporting the auditors’opinion on the financial statements. However, they donot provide a basis for opining on internal controls orcompliance. The limited purpose of these tests in afinancial statement audit may not meet the needs of

Page 49

Chapter 5

Reporting Standards for

Financial Audits

some users of auditors’ reports who require additionalinformation on internal controls and on compliancewith laws and regulations.

5.10 To meet certain audit report users’ needs, lawsand regulations often prescribe testing and reportingon internal controls and compliance to supplementthe financial statement audit’s coverage of theseareas.2 Nevertheless, even after auditors perform, andreport the results of, additional tests of internalcontrols and compliance required by laws andregulations, some reasonable needs of report usersstill may be unmet. Auditors may meet these needs byperforming further tests of internal controls andcompliance with laws and regulations in either of twoways:

a. supplemental (or agreed-upon) procedures or

b. examination, resulting in an opinion.

2For example, when auditing state and local government entitiesthat receive federal financial assistance, auditors should be familiarwith the Single Audit Act of 1984 and Office of Management andBudget (OMB) Circular A-128. The act and circular include specificaudit requirements, mainly in the areas of internal controls andcompliance with laws and regulations, that exceed the minimumaudit requirements in the standards in chapters 4 and 5 of thisdocument. Audits of nonprofit organizations under OMB CircularA-133 and audits conducted under the Chief Financial Officers Actof 1990 also have specific audit requirements in the areas ofinternal controls and compliance. Many state and localgovernments have similar requirements.

Page 50

Chapter 5

Reporting Standards for

Financial Audits

ReportingCompliance WithGenerallyAcceptedGovernmentAuditingStandards

5.11 The second additional reporting standard forfinancial statement audits is:

Audit reports should state that the audit was

made in accordance with generally accepted

government auditing standards.

5.12 The above statement refers to all the applicablestandards that the auditors should have followedduring their audit. The statement should be qualifiedin situations where the auditors did not follow anapplicable standard. In these situations, the auditorsshould disclose the applicable standard that was notfollowed, the reasons therefor, and how not followingthe standard affected the results of the audit.

5.13 When the report on the financial statements issubmitted to comply with a legal, regulatory, orcontractual requirement for a GAGAS audit, it shouldspecifically cite GAGAS. The report on the financialstatements may cite AICPA standards as well as GAGAS.

5.14 The auditee may need a financial statement auditfor purposes other than to comply with requirementscalling for a GAGAS audit. For example, it may need afinancial statement audit to issue bonds. GAGAS do notprohibit auditors from issuing a separate report onthe financial statements conforming only to therequirements of AICPA standards. However, it may beadvantageous to use a report issued in accordancewith GAGAS for these other purposes because itprovides information on compliance with laws andregulations and internal controls (as discussed below)that is not contained in a report issued in accordancewith AICPA standards.

Page 51

Chapter 5

Reporting Standards for

Financial Audits

Reporting onCompliance WithLaws andRegulations andon InternalControls

5.15 The third additional reporting standard forfinancial statement audits is:

The report on the financial statements should

either (1) describe the scope of the auditors’

testing of compliance with laws and regulations

and internal controls and present the results of

those tests or (2) refer to separate reports

containing that information. In presenting the

results of those tests, auditors should report

irregularities, illegal acts, other material

noncompliance, and reportable conditions in

internal controls.3 In some circumstances,

auditors should report irregularities and illegal

acts directly to parties external to the audited

entity.

5.16 Auditors may report on compliance with lawsand regulations and internal controls in the report onthe financial statements or in separate reports. Whenauditors report on compliance and controls in thereport on the financial statements, they shouldinclude an introduction summarizing key findings inthe audit of the financial statements and the relatedcompliance and internal controls work. Auditorsshould not issue this introduction as a stand-alonereport. When auditors report separately oncompliance and controls, the report on the financialstatements should state that they are issuing thoseadditional reports.

3These responsibilities are in addition to and do not modifyauditors’ responsibilities under AICPA standards to (1) address theeffect irregularities or illegal acts may have on the report on thefinancial statements and (2) determine that the audit committee orothers with equivalent authority and responsibility are adequatelyinformed about irregularities, illegal acts, and reportableconditions.

Page 52

Chapter 5

Reporting Standards for

Financial Audits

Scope ofCompliance andInternal ControlsWork

5.17 Auditors should report the scope of their testingof compliance with laws and regulations and ofinternal controls. If the tests they performed did notexceed those the auditors considered necessary for afinancial statement audit, then a statement that theauditors tested compliance with certain laws andregulations, obtained an understanding of internalcontrols, and assessed control risk would besufficient to satisfy this requirement. Auditors shouldalso report whether or not the tests they performedprovided sufficient evidence to support an opinion oncompliance or internal controls.

Irregularities, IllegalActs, and OtherNoncompliance

5.18 When auditors conclude, based on evidenceobtained, that an irregularity or illegal act either hasoccurred or is likely to have occurred,4 they shouldreport relevant information. Auditors need not reportinformation about an irregularity or illegal act that isclearly inconsequential. Thus, auditors should presentin a report the same irregularities and illegal acts thatthey report to audit committees under AICPA

standards. Auditors should also report othernoncompliance (for example, a violation of a contractprovision) that is material to the financial statements.

5.19 In reporting material irregularities, illegal acts,or other noncompliance, the auditors should placetheir findings in proper perspective. To give thereader a basis for judging the prevalence andconsequences of these conditions, the instancesidentified should be related to the universe or thenumber of cases examined and be quantified in terms

4Whether a particular act is, in fact, illegal may have to await finaldetermination by a court of law. Thus, when auditors disclosematters that have led them to conclude that an illegal act is likely tohave occurred, they should take care not to imply that they havemade a determination of illegality.

Page 53

Chapter 5

Reporting Standards for

Financial Audits

of dollar value, if appropriate.5 In presenting materialirregularities, illegal acts, or other noncompliance,auditors should follow chapter 7’s report contentsstandards for objectives, scope, and methodology;audit results; views of responsible officials; and itsreport presentation standards, as appropriate.Auditors may provide less extensive disclosure ofirregularities and illegal acts that are not material ineither a quantitative or qualitative sense.6

5.20 When auditors detect irregularities, illegal acts,or other noncompliance that do not meet paragraph5.18’s criteria for reporting, they should communicatethose findings to the auditee, preferably in writing. Ifauditors have communicated those findings in amanagement letter to top management, they shouldrefer to that management letter when they report oncompliance. Auditors should document in theirworking papers all communications to the auditeeabout irregularities, illegal acts, and othernoncompliance.

5Audit findings have often been regarded as containing theelements of criteria, condition, and effect, plus cause whenproblems are found. However, the elements needed for a findingdepend entirely on the objectives of the audit. Reportableconditions and noncompliance found by the auditor may notalways have all of these elements fully developed, given the scopeand objectives of the specific financial audit. However, auditorsshould identify at least the condition, criteria, and possible assertedeffect to provide sufficient information to federal, state, and localofficials to permit them to determine the effect and cause in orderto take prompt and proper corrective action.

6Chapter 4 provides guidance on factors that may influenceauditors’ materiality judgments in audits of government entities orentities receiving government assistance. AICPA standards provideguidance on the interaction of quantitative and qualitativeconsiderations in materiality judgments.

Page 54

Chapter 5

Reporting Standards for

Financial Audits

Direct Reporting ofIrregularities and IllegalActs

5.21 GAGAS require auditors to report irregularities orillegal acts directly to parties outside the auditee intwo circumstances, as discussed below. Theserequirements are in addition to any legal requirementsfor direct reporting of irregularities or illegal acts.Auditors should meet these requirements even if theyhave resigned or been dismissed from the audit.7

5.22 The auditee may be required by law orregulation to report certain irregularities or illegalacts to specified external parties (for example, to afederal inspector general or a state attorney general).If auditors have communicated such irregularities orillegal acts to the auditee, and it fails to report them,then the auditors should communicate theirawareness of that failure to the auditee’s governingbody. If the auditee does not make the required reportas soon as practicable after the auditors’communication with its governing body, then theauditors should report the irregularities or illegal actsdirectly to the external party specified in the law orregulation.

5.23 Management is responsible for taking timely andappropriate steps to remedy irregularities or illegalacts that auditors report to it. When an irregularity orillegal act involves assistance received directly orindirectly from a government agency, auditors mayhave a duty to report it directly if management fails totake remedial steps. If auditors conclude that suchfailure is likely to cause them to depart from thestandard report on the financial statements or resignfrom the audit, then they should communicate thatconclusion to the auditee’s governing body. Then, ifthe auditee does not report the irregularity or illegalact as soon as practicable to the entity that providedthe government assistance, the auditors should reportthe irregularity or illegal act directly to that entity.

7Internal auditors auditing within the entity that employs them donot have a duty to report outside that entity.

Page 55

Chapter 5

Reporting Standards for

Financial Audits

5.24 In both of these situations, auditors shouldobtain sufficient, competent, and relevant evidence(for example, by confirmation with outside parties) tocorroborate assertions by management that it hasreported irregularities or illegal acts. If they areunable to do so, then the auditors should report theirregularities or illegal acts directly as discussedabove.

5.25 Chapter 4 reminds auditors that under somecircumstances, laws, regulations, or policies mayrequire them to report promptly indications of certaintypes of irregularities or illegal acts to lawenforcement or investigatory authorities. Whenauditors conclude that this type of irregularity orillegal act either has occurred or is likely to haveoccurred, they should ask those authorities and/orlegal counsel if reporting certain information aboutthat irregularity or illegal act would compromiseinvestigative or legal proceedings. Auditors shouldlimit their reporting to matters that would notcompromise those proceedings, such as informationthat is already a part of the public record.

Deficiencies inInternal Controls

5.26 Auditors should report deficiencies in internalcontrols that they consider to be “reportableconditions” as defined in AICPA standards. Thefollowing are examples of matters that may bereportable conditions:

a. absence of appropriate segregation of dutiesconsistent with appropriate control objectives;

b. absence of appropriate reviews and approvals oftransactions, accounting entries, or systems output;

c. inadequate provisions for the safeguarding ofassets;

Page 56

Chapter 5

Reporting Standards for

Financial Audits

d. evidence of failure to safeguard assets from loss,damage, or misappropriation;

e. evidence that a system fails to provide completeand accurate output consistent with the auditee’scontrol objectives because of the misapplication ofcontrol procedures;

f. evidence of intentional override of internal controlsby those in authority to the detriment of the overallobjectives of the system;

g. evidence of failure to perform tasks that are part ofinternal controls, such as reconciliations not preparedor not timely prepared;

h. absence of a sufficient level of controlconsciousness within the organization;

i. significant deficiencies in the design or operation ofinternal controls that could result in violations of lawsand regulations having a direct and material effect onthe financial statements; and

j. failure to follow up and correct previouslyidentified deficiencies in internal controls.8

5.27 In reporting reportable conditions, auditorsshould identify those that are individually orcumulatively material weaknesses.9 Auditors shouldfollow chapter 7’s report contents standards forobjectives, scope, and methodology; audit results; andviews of responsible officials; and its reportpresentation standards, as appropriate.

8Chapter 4’s audit follow-up standard requires auditors to reportthe status of uncorrected material findings and recommendationsfrom prior audits that affect the financial statement audit.

9See footnote 5.

Page 57

Chapter 5

Reporting Standards for

Financial Audits

5.28 When auditors detect deficiencies in internalcontrols that are not reportable conditions, theyshould communicate those deficiencies to theauditee, preferably in writing. If the auditors havecommunicated other deficiencies in internal controlsin a management letter to top management, theyshould refer to that management letter when theyreport on controls. All communications to the auditeeabout deficiencies in internal controls should bedocumented in the working papers.

Privileged andConfidentialInformation

5.29 The fourth additional reporting standard forfinancial statement audits is:

If certain information is prohibited from general

disclosure, the audit report should state the

nature of the information omitted and the

requirement that makes the omission necessary.

5.30 Certain information may be prohibited fromgeneral disclosure by federal, state, or local laws orregulations. Such information may be provided on aneed-to-know basis only to persons authorized by lawor regulation to receive it.

5.31 If such requirements prohibit auditors fromincluding pertinent data in the report, they shouldstate the nature of the information omitted and therequirement that makes the omission necessary. Theauditors should obtain assurance that a validrequirement for the omission exists and, whenappropriate, consult with legal counsel.

ReportDistribution

5.32 The fifth additional reporting standard forfinancial statement audits is:

Written audit reports are to be submitted by the

audit organization to the appropriate officials of

Page 58

Chapter 5

Reporting Standards for

Financial Audits

the auditee and to the appropriate officials of

the organizations requiring or arranging for the

audits, including external funding organizations,

unless legal restrictions prevent it. Copies of

the reports should also be sent to other officials

who have legal oversight authority or who may

be responsible for acting on audit findings and

recommendations and to others authorized to

receive such reports. Unless restricted by law or

regulation, copies should be made available for

public inspection.10

5.33 Audit reports should be distributed in a timelymanner to officials interested in the results. Suchofficials include those designated by law or regulationto receive such reports, those responsible for actingon the findings and recommendations, those of otherlevels of government that have provided assistance tothe auditee, and legislators. However, if the subject ofthe audit involves material that is classified forsecurity purposes or not releasable to particularparties or the public for other valid reasons, auditorsmay limit the report distribution.

5.34 When public accountants are engaged, theengaging organization should ensure that the report isdistributed appropriately. If the public accountantsare to make the distribution, the engagementagreement should indicate which officials ororganizations should receive the report.

5.35 Internal auditors should follow their entity’s ownarrangements and statutory requirements fordistribution. Usually, they report to their entity’s topmanagers, who are responsible for distribution of thereport.

10See the Single Audit Act of 1984 and OMB Circular A-128 for thedistribution of reports on single audits of state and localgovernments.

Page 59

Chapter 5

Reporting Standards for

Financial Audits

Financial RelatedAudits

5.36 Certain AICPA standards address specific types offinancial related audits, and GAGAS incorporate thosestandards, as discussed below:11

a. SAS no. 35, Special Reports - Applying Agreed-UponProcedures to Specified Elements, Accounts, or Itemsof a Financial Statement;

b. SAS no. 62, Special Reports, for auditing specifiedelements, accounts, or items of a financial statement;

c. SAS no. 68, Compliance Auditing Applicable toGovernmental Entities and Other Recipients ofGovernmental Financial Assistance, for testingcompliance with laws and regulations applicable tofederal financial assistance programs;

d. SAS no. 70, Reports on the Processing ofTransactions by Service Organizations, for examiningdescriptions of internal controls of serviceorganizations that process transactions for others;

e. Statement on Standards for AttestationEngagements (SSAE) no. 1, Attestation Standards, for(1) applying agreed-upon procedures to an entity’sassertions about internal controls over financialreporting and/or safeguarding assets or (2) examiningor applying agreed-upon procedures to an entity’sassertions about financial related matters notspecifically addressed in other AICPA standards;

f. SSAE no. 2, Reporting on an Entity’s Internal ControlStructure Over Financial Reporting, for examining anentity’s assertions about its internal controls overfinancial reporting and/or safeguarding assets; and

g. SSAE no. 3, Compliance Attestation, for(1) examining or applying agreed-upon procedures to

11GAGAS incorporate any new AICPA standards relevant to financialrelated audits unless GAO excludes them by formal announcement.

Page 60

Chapter 5

Reporting Standards for

Financial Audits

an entity’s assertions about compliance with laws andregulations or (2) applying agreed-upon procedures toan entity’s assertions about internal controls overcompliance with laws and regulations.

5.37 Besides following applicable AICPA standards,auditors should follow this chapter’s second (GAGAS

reference), fourth (privileged and confidentialinformation), and fifth (report distribution) additionalstandards of reporting. They should apply or adaptthe other standards and guidance in this chapter asappropriate in the circumstances. For financialrelated audits not described above, auditors shouldfollow the reporting standards for performance auditsin chapter 7.12

12Chapter 2 provides examples of other types of financial relatedaudits.

Page 61

Chapter 6

Field Work Standards forPerformance Audits

Purpose 6.1 This chapter prescribes field work standards forperformance audits. These standards also apply tosome financial related audits, as discussed in chapter 4.

Planning 6.2 The first field work standard for performanceaudits is:

Work is to be adequately planned.

6.3 In planning, auditors should define the audit’sobjectives and the scope and methodology to achievethose objectives. The objectives are what the audit isto accomplish. They identify the audit subjects andperformance aspects to be included, as well as thepotential finding and reporting elements that theauditors expect to develop.1 Audit objectives can bethought of as questions about the program2 thatauditors seek to answer. Scope is the boundary of theaudit. It addresses such things as the period andnumber of locations to be covered. The methodologycomprises the work in data gathering and in analyticalmethods auditors will do to achieve the objectives.

6.4 Auditors should design the methodology toprovide sufficient, competent, and relevant evidenceto achieve the objectives of the audit. Methodologyincludes not only the nature of the auditors’procedures, but also their extent (for example,sample size).

6.5 In planning a performance audit, auditors should:

1See discussion of the elements of a finding in paragraphs 6.49through 6.52.

2Generally accepted government auditing standards (GAGAS) arestandards for audit of government organizations, programs,activities, and functions. This chapter uses only the term“program”; however, the concepts presented also apply to audits oforganizations, activities, and functions.

Page 62

Chapter 6

Field Work Standards for

Performance Audits

a. Consider significance and the needs of potentialusers of the audit report. (See paragraphs 6.7 and 6.8.)

b. Obtain an understanding of the program to beaudited. (See paragraphs 6.9 and 6.10.)

c. Consider legal and regulatory requirements. (Seeparagraphs 6.26 through 6.38.)

d. Consider management controls. (See paragraphs6.39 through 6.45.)

e. Identify criteria needed to evaluate matters subjectto audit. (See paragraph 6.11.)

f. Identify significant findings and recommendationsfrom previous audits that could affect the currentaudit objectives. Auditors should determine ifmanagement has corrected the conditions causingthose findings and implemented thoserecommendations. (See paragraphs 6.12 and 6.13.)

g. Identify potential sources of data that could beused as audit evidence and consider the validity andreliability of these data, including data collected bythe audited entity, data generated by the auditors, ordata provided by third parties. (See paragraphs 6.53through 6.62.)

h. Consider whether the work of other auditors andexperts may be used to satisfy some of the auditors’objectives. (See paragraphs 6.14 through 6.16.)

i. Provide sufficient staff and other resources to dothe audit. (See paragraphs 6.17 and 6.18.)

j. Prepare a written audit plan. (See paragraphs 6.19through 6.21.)

Page 63

Chapter 6

Field Work Standards for

Performance Audits

6.6 Planning should continue throughout the audit.Audit objectives, scope, and methodologies are notdetermined in isolation. Auditors determine thesethree elements of the audit plan together, as theconsiderations in determining each often overlap.

Significance andUser Needs

6.7 Auditors should consider significance in planning,performing, and reporting on performance audits. Thesignificance of a matter is its relative importance tothe audit objectives and potential users of the auditreport. Qualitative, as well as quantitative, factors areimportant in determining significance. Qualitativefactors can include

a. visibility and sensitivity of the program under audit,

b. newness of the program or changes in itsconditions,

c. role of the audit in providing information that canimprove public accountability and decision-making,and

d. level and extent of review or other forms ofindependent oversight.

6.8 One group of users of the auditors’ report isgovernment officials who may have authorized orrequested the audit. Another important user of theauditors’ report is the auditee, which is responsiblefor acting on the auditors’ recommendations. Otherpotential users of the auditors’ report includegovernment officials (other than those who may haveauthorized or requested the audit), the media, interestgroups, and individual citizens. These other potentialusers may have, in addition to an interest in theprogram, an ability to influence the conduct of theprogram. Thus, an awareness of these potential users’interests and influence can help auditors understand

Page 64

Chapter 6

Field Work Standards for

Performance Audits

why the program operates the way it does. Thisawareness can also help auditors judge whetherpossible findings could be significant to these otherusers.

Understanding theProgram

6.9 Auditors should obtain an understanding of theprogram to be audited to help assess, among othermatters, the significance of possible audit objectivesand the feasibility of achieving them. The auditors’understanding may come from knowledge theyalready have about the program and knowledge theygain from inquiries and observations they make inplanning the audit. The extent and breadth of thoseinquiries and observations will vary among audits, aswill the need to understand individual aspects of theprogram, such as the following.

a. Laws and regulations: Government programsusually are created by law and are subject to morespecific laws and regulations than the private sector.For example, laws and regulations usually set forthwhat is to be done, who is to do it, the purpose to beachieved, the population to be served, and how muchcan be spent on what. Thus, understanding the lawsestablishing a program can be essential tounderstanding the program itself. Obtaining thatunderstanding may also be a necessary step inidentifying provisions of laws and regulationssignificant to audit objectives.

b. Purpose and goals: Purpose is the result or effectthat is intended or desired, and can exist withoutbeing expressly stated. Goals quantify the level ofperformance intended or desired. Legislatures set theprogram purpose when they establish a program;however, management is expected to set goals forprogram efforts, operations, outputs, and outcomes.Auditors may use the purpose and goals as criteria forassessing program performance.

Page 65

Chapter 6

Field Work Standards for

Performance Audits

c. Efforts: Efforts are the amount of resources (interms of money, material, personnel, and so forth)that are put into a program. These resources maycome from within or outside the entity operating theprogram. Measures of efforts can have a number ofdimensions, such as cost, timing, and quality.Examples of measures of efforts are dollars,employee-hours, and square feet of building space.

d. Program operations: Program operations are thestrategies, processes, and activities the auditee usesto convert efforts into outputs. Program operationsare subject to management controls, which arediscussed later in this chapter.

e. Outputs: Outputs are the quantity of goods andservices provided. Examples of measures of outputare tons of solid waste processed, number of studentsgraduated, and number of students graduated whohave met a specified standard of achievement.

f. Outcomes: Outcomes are accomplishments orresults that occur (at least partially) because ofservices provided. Outcomes can be viewed asranging from immediate outcomes to long-termoutcomes. For example, an immediate outcome of ajob training program and an indicator of itseffectiveness might be the number of programgraduates placed in jobs. That program’s ultimateoutcome and test of its effectiveness depends onwhether program graduates are more likely to remainemployed than similar persons not in the program.Outcomes may be intended or unintended, and theymay be influenced by cultural, economic, physical, ortechnological factors external to the program.Auditors may use approaches drawn from the field ofprogram evaluation to isolate the effects of theprogram from those of other influences.

Page 66

Chapter 6

Field Work Standards for

Performance Audits

6.10 One approach to setting audit objectives is torelate the elements of a program to the types ofperformance audits discussed in chapter 2. Forexample, audits concerned with economy could focuson efforts, that is, were resources obtained at anoptimal cost and at an appropriate level of quality?Audits concerned with efficiency could focus on theprogram operations or the relationship betweenefforts (resources used) and either outputs oroutcomes to determine the cost per unit of output oroutcome. Program audits could be concerned withdetermining whether program outcomes metspecified goals or whether outcomes were better thanthey would have been without the program. Any typeof performance audit could encompass programoperations if auditors are looking for reasons why theprogram was successful or not.

Criteria 6.11 Criteria are the standards used to determinewhether a program meets or exceeds expectations.Criteria provide a context for understanding theresults of the audit. The audit plan, where possible,should state the criteria to be used. In selectingcriteria, auditors have a responsibility to use criteriathat are reasonable, attainable, and relevant to thematters being audited. The following are someexamples of possible criteria:

a. purpose or goals prescribed by law or regulation orset by management,

b. technically developed standards or norms,

c. expert opinions,

d. prior years’ performance,

e. performance of similar entities, and

Page 67

Chapter 6

Field Work Standards for

Performance Audits

f. performance in the private sector.

Audit Follow-up 6.12 Auditors should follow up on significant findingsand recommendations from previous audits thatcould affect the audit objectives. They should do thisto determine whether timely and appropriatecorrective actions have been taken by auditeeofficials. The audit report should disclose the statusof uncorrected significant findings andrecommendations from prior audits that affect theaudit objectives.

6.13 Much of the benefit from audit work is not in thefindings reported or the recommendations made, butin their effective resolution. Auditee management isresponsible for resolving audit findings andrecommendations, and having a process to track theirstatus can help it fulfill this responsibility. Ifmanagement does not have such a process, auditorsmay wish to establish their own. Continued attentionto significant findings and recommendations can helpauditors assure that the benefits of their work arerealized.

Considering Others’Work

6.14 Auditors should determine if other auditors havepreviously done, or are doing, audits of the programor the entity that operates it. Whether other auditorshave done performance audits or financial audits,they may be useful sources of information forplanning and performing the audit. If other auditorshave identified areas that warrant further study, theirwork may influence the auditors’ selection ofobjectives. The availability of other auditors’ workmay also influence the selection of methodology, asthe auditors may be able to rely on that work to limitthe extent of their own testing.

Page 68

Chapter 6

Field Work Standards for

Performance Audits

6.15 If auditors intend to rely on the work of otherauditors, they should perform procedures thatprovide a sufficient basis for that reliance. Auditorscan obtain evidence of other auditors’ qualifications3

and independence through prior experience, inquiry,and/or review of the other auditors’ external qualitycontrol review report. Auditors can determine thesufficiency, relevance, and competence of otherauditors’ evidence by reviewing their report, auditprogram, or working papers, and/or makingsupplemental tests of their work. The nature andextent of evidence needed will depend on thesignificance of the other auditors’ work and onwhether the auditors will refer to that work in theirreport.

6.16 Auditors face similar considerations whenrelying on the work of nonauditors (consultants,experts, specialists, and so forth). In addition,auditors should obtain an understanding of themethods and significant assumptions used by thenonauditors.

Staff and OtherResources

6.17 Staff planning should include:

a. Assigning staff with the appropriate skills andknowledge for the job.

b. Assigning an adequate number of experienced staffand supervisors to the audit. Consultants should beused when necessary.

c. Providing for on-the-job training of staff.

3Auditors from another country engaged to conduct audits in theircountry should meet the professional qualifications to practiceunder that country’s laws and regulations or other acceptablestandards, such as those issued by the International Organization ofSupreme Audit Institutions. Also see the International Federationof Accountants’ International Standards on Auditing.

Page 69

Chapter 6

Field Work Standards for

Performance Audits

6.18 The availability of staff and other resources is animportant consideration in establishing theobjectives, scope, and methodology. For example,limitations on travel funds may preclude auditorsfrom visiting certain locations, or lack of expertise ina particular methodology may preclude auditors fromundertaking certain objectives. Auditors may be ableto overcome such limitations by use of staff fromlocal offices or by engaging consultants with thenecessary expertise.

Written Audit Plan 6.19 A written audit plan should be prepared for eachaudit. The form and content of the written audit planwill vary among audits. The plan should include anaudit program or a memorandum or other appropriatedocumentation of key decisions about the auditobjectives, scope, and methodology and of theauditors’ basis for those decisions. It should beupdated, as necessary, to reflect any significantchanges to the plan made during the audit.

6.20 Documenting the audit plan is an opportunity forthe auditors to review the work done in planning theaudit to determine whether

a. the proposed audit objectives are likely to result ina useful report,

b. the proposed audit scope and methodology areadequate to satisfy the audit objectives, and

c. sufficient staff and other resources have been madeavailable to perform the audit.

6.21 Written audit plans may include:

a. Information about the legal authority for theaudited program, its history and current objectives, its

Page 70

Chapter 6

Field Work Standards for

Performance Audits

principal locations, and other background that canhelp auditors understand and carry out the audit plan.

b. Information about the responsibilities of each auditteam (such as preparing audit programs, conductingaudit work, supervising audit work, drafting reports,handling auditee comments, and processing the finalreport), which can help auditors when the work isconducted at several different locations. In theseaudits, use of comparable audit methods andprocedures can help make the data obtained fromparticipating locations comparable.

c. Audit programs describing procedures toaccomplish the audit objectives and providing asystematic basis for assigning work to staff and forsummarizing the work performed.

d. The general format of the audit report and thetypes of information to be included, which can helpauditors focus their field work on the information tobe reported.

Supervision 6.22 The second field work standard for performanceaudits is:

Staff are to be properly supervised.

6.23 Supervision involves directing the efforts ofauditors and others4 who are involved in the audit todetermine whether the audit objectives are beingaccomplished. Elements of supervision includeinstructing staff members, keeping informed ofsignificant problems encountered, reviewing the workperformed, and providing effective on-the-jobtraining.

4Others involved in accomplishing the objectives of the auditinclude external consultants and specialists.

Page 71

Chapter 6

Field Work Standards for

Performance Audits

6.24 Supervisors should satisfy themselves that staffmembers clearly understand what work they are todo, why the work is to be conducted, and what it isexpected to accomplish. With experienced staff,supervisors may outline the scope of the work andleave details to assistants. With a less experiencedstaff, supervisors may have to specify not onlytechniques for analyzing data but also how to gatherit.

6.25 The nature of the review of audit work may varydepending on the significance of the work or theexperience of the staff. For example, it may beappropriate to have experienced staff auditors reviewmuch of the work of other staff with similarexperience.

Compliance WithLaws andRegulations

6.26 The third field work standard for performanceaudits is:

When laws, regulations, and other compliance

requirements are significant to audit objectives,

auditors should design the audit to provide

reasonable assurance about compliance with

them. In all performance audits, auditors should

be alert to situations or transactions that could

be indicative of illegal acts or abuse.

6.27 The following paragraphs elaborate on therequirements of this standard. They also discuss waysauditors obtain information about laws, regulations,and other compliance requirements; and thelimitations of performance auditing in detectingillegal acts and abuse.

Illegal Acts and OtherNoncompliance

6.28 Auditors should design the audit to providereasonable assurance about compliance with lawsand regulations that are significant to audit

Page 72

Chapter 6

Field Work Standards for

Performance Audits

objectives. This requires determining if laws andregulations are significant to the audit objectives and,if they are, assessing the risk that significant illegalacts could occur.5 Based on that risk assessment, theauditors design and perform procedures to providereasonable assurance of detecting significant illegalacts.

6.29 It is not practical to set precise standards fordetermining if laws and regulations are significant toaudit objectives because government programs aresubject to so many laws and regulations, and auditobjectives vary widely. However, auditors may findthe following approach helpful in making thatdetermination:

a. Reduce each audit objective to questions aboutspecific aspects of the program being audited (that is,purpose and goals, efforts, program operations,outputs, and outcomes, as discussed in paragraph6.9).

b. Identify laws and regulations that directly addressspecific aspects of the program included in the auditobjectives’ questions.

c. Determine if violations of those laws andregulations could significantly affect the auditors’answers to the questions encompassed in the auditobjectives. If they could, then those laws andregulations are likely to be significant to the auditobjectives.

6.30 The following are examples of types of laws andregulations that can be significant to the objectives ofeconomy and efficiency audits and of program audits.

a. Economy and efficiency: Laws and regulations thatcould significantly affect the acquisition, protection,

5Illegal acts are violations of laws or regulations.

Page 73

Chapter 6

Field Work Standards for

Performance Audits

and use of the entity’s resources, and the quantity,quality, timeliness, and cost of the products andservices it produces and delivers.

b. Program: Laws and regulations pertaining to thepurpose of the program, the manner in which it is tobe delivered, and the population it is to serve.

6.31 In planning tests of compliance with significantlaws and regulations, auditors assess the risk thatillegal acts could occur. That risk may be affected bysuch factors as the complexity of the laws andregulations or their newness. The auditors’assessment of risk includes consideration of whetherthe entity has controls that are effective in preventingor detecting illegal acts. Management is responsiblefor establishing effective controls to ensurecompliance with laws and regulations. If auditorsobtain sufficient evidence of the effectiveness ofthese controls, they can reduce the extent of theirtests of compliance.

6.32 Auditors should be alert to situations ortransactions that could be indicative of illegal acts.When information comes to the auditors’ attention(through audit procedures, tips, or other means)indicating that illegal acts may have occurred,auditors should consider whether the possible illegalacts could significantly affect the audit results. If theycould, the auditors should extend the audit steps andprocedures, as necessary, (1) to determine if theillegal acts have or are likely to have occurred and(2) if so, to determine their effect on the audit results.

6.33 Auditors should exercise due professional carein pursuing indications of possible illegal acts so asnot to interfere with potential investigations, legalproceedings, or both. Under some circumstances,laws, regulations, or policies require auditors toreport indications of certain types of illegal acts to

Page 74

Chapter 6

Field Work Standards for

Performance Audits

law enforcement or investigatory authorities beforeextending audit steps and procedures. Auditors mayalso be required to withdraw from or defer furtherwork on the audit or a portion of the audit in ordernot to interfere with an investigation.

6.34 The term noncompliance has a broader meaningthan illegal acts. Noncompliance includes not onlyillegal acts, but also violations of provisions ofcontracts or grant agreements. Like illegal acts, theseother types of noncompliance can be significant toaudit objectives. The auditors’ considerations inplanning and performing tests of compliance withprovisions of contracts or grant agreements aresimilar to those discussed in paragraphs 6.28 through6.33.

Abuse 6.35 Abuse is distinct from illegal acts and othernoncompliance. When abuse occurs, no law,regulation, contract provision, or grant agreement isviolated. Rather, the conduct of a governmentprogram falls far short of societal expectations forprudent behavior. Auditors should be alert tosituations or transactions that could be indicative ofabuse. When information comes to the auditors’attention (through audit procedures, tips, or othermeans) indicating that abuse may have occurred,auditors should consider whether the possible abusecould significantly affect the audit results. If it could,the auditors should extend the audit steps andprocedures, as necessary, to determine if the abuseoccurred and, if so, to determine its effect on theaudit results. However, because the determination ofabuse is so subjective, auditors are not expected toprovide reasonable assurance of detecting it.

Page 75

Chapter 6

Field Work Standards for

Performance Audits

ObtainingInformation AboutLaws, Regulations,and OtherComplianceRequirements

6.36 Auditors’ training, experience, andunderstanding of the program being audited mayprovide a basis for recognition that some acts comingto their attention may be illegal. Whether an act, infact, is illegal is a determination normally beyondauditors’ professional capacity. However, auditors areresponsible for being aware of vulnerabilities to fraud6

associated with the area being audited in order to beable to identify indications that fraud may haveoccurred. In some circumstances, conditions such asthe following might indicate a heightened risk offraud:

a. Auditees offer unreasonable explanations to theauditors’ inquiries.

b. Auditees are annoyed at reasonable questions byauditors.

c. Auditees refuse to provide records.

d. Auditees refuse to take vacations or acceptpromotions.

6.37 Auditors may find it necessary to rely on thework of legal counsel in (1) determining those lawsand regulations that are significant to the auditobjectives, (2) designing tests of compliance withlaws and regulations, and (3) evaluating the results ofthose tests.7 Auditors also may find it necessary torely on the work of legal counsel when auditobjectives require testing compliance with provisionsof contracts or grant agreements. Depending on thecircumstances of the audit, auditors may find itnecessary to obtain information on compliancematters from others, such as investigative staff, audit

6Fraud is a type of illegal act involving the obtaining of somethingof value through willful misrepresentation.

7Paragraphs 6.14 through 6.16 discuss relying on the work ofothers.

Page 76

Chapter 6

Field Work Standards for

Performance Audits

officials of other government entities that providedassistance to the auditee, or the applicable lawenforcement authority.

Limitations of anAudit

6.38 An audit made in accordance with thesestandards provides reasonable assurance that itsobjectives have been achieved; it does not guaranteethe discovery of illegal acts or abuse. Nor does thesubsequent discovery of illegal acts or abusecommitted during the audit period necessarily meanthat the auditors’ performance was inadequate,provided the audit was made in accordance withthese standards.

ManagementControls

6.39 The fourth field work standard for performanceaudits is:

Auditors should obtain an understanding of

management controls that are relevant to the

audit. When management controls are

significant to audit objectives, auditors should

obtain sufficient evidence to support their

judgments about those controls.

6.40 Management is responsible for establishingeffective management controls. The lack ofadministrative continuity in government unitsbecause of continuing changes in elected legislativebodies and in administrative organizations increasesthe need for effective management controls.

6.41 Management controls, in the broadest sense,include the plan of organization, methods, andprocedures adopted by management to ensure that itsgoals are met. Management controls include theprocesses for planning, organizing, directing, andcontrolling program operations. They include thesystems for measuring, reporting, and monitoring

Page 77

Chapter 6

Field Work Standards for

Performance Audits

program performance. The following classification ofmanagement controls is intended to help auditorsfocus on understanding management controls and indetermining their significance to the audit objectives.

a. Program operations: Controls over programoperations include policies and procedures thatmanagement has implemented to reasonably ensurethat a program meets its objectives. Understandingthese controls can help auditors understand theprogram operations that convert efforts to outputs.

b. Validity and reliability of data: Controls over thevalidity and reliability of data include policies andprocedures that management has implemented toreasonably ensure that valid and reliable data areobtained, maintained, and fairly disclosed in reports.These controls help assure management that it isgetting valid and reliable information about whetherprograms are operating properly. Understandingthese controls can help auditors (1) assess the riskthat the data gathered by the entity may not be validand reliable and (2) design appropriate tests of thedata.

c. Compliance with laws and regulations: Controlsover compliance with laws and regulations includepolicies and procedures that management hasimplemented to reasonably ensure that resource useis consistent with laws and regulations.Understanding the controls relevant to compliancewith those laws and regulations that the auditors havedetermined are significant can help auditors assessthe risk of illegal acts.

d. Safeguarding resources: Controls over thesafeguarding of resources include policies andprocedures that management has implemented toreasonably ensure that resources are safeguardedagainst waste, loss, and misuse. Understanding these

Page 78

Chapter 6

Field Work Standards for

Performance Audits

controls can help auditors plan economy andefficiency audits.

6.42 Auditors can obtain an understanding ofmanagement controls through inquiries, observations,inspection of documents and records, or review ofother auditors’ reports. The procedures auditorsperform to obtain an understanding of managementcontrols will vary among audits. One factorinfluencing the extent of these procedures is theauditors’ knowledge about management controlsgained in prior audits. Also, the need to understandmanagement controls will depend on the particularaspects of the program the auditors consider insetting objectives, scope, and methodology. Thefollowing are examples of how the auditors’understanding of management controls can influencethe audit plan.

a. Objectives: Poorly controlled aspects of a programhave higher risk of failure, so they may be moresignificant than others in terms of where auditorswould want to focus their efforts.

b. Scope: Poor controls in a certain location may leadauditors to target their efforts there.

c. Methodology: Effective controls over collecting,summarizing, and reporting data may enable auditorsto limit the extent of their direct testing of datavalidity and reliability. In contrast, poor controls maylead auditors to perform more direct testing of thedata, look for data from outside the entity, or developtheir own data.

6.43 The need to test management controls dependson their significance to the audit objectives. Thefollowing are examples of circumstances wheremanagement controls can be significant to auditobjectives:

Page 79

Chapter 6

Field Work Standards for

Performance Audits

a. In determining the cause of unsatisfactoryperformance if that unsatisfactory performance couldresult from weaknesses in specific managementcontrols.

b. When assessing the validity and reliability ofperformance measures developed by the auditedentity. Effective management controls over collecting,summarizing, and reporting data will help ensurevalid and reliable performance measures.

6.44 Internal auditing is an important part ofmanagement control. When an assessment ofmanagement controls is called for, the work of theinternal auditors can be used to help providereasonable assurance that management controls arefunctioning properly and to prevent duplication ofeffort.

6.45 Considering the wide variety of governmentprograms, no single pattern for internal auditactivities can be specified. Many government entitieshave these activities identified by other names, suchas inspection, appraisal, investigation, organizationand methods, or management analysis. Theseactivities assist management by reviewing selectedfunctions.

Evidence 6.46 The fifth field work standard for performanceaudits is:

Sufficient, competent, and relevant evidence is

to be obtained to afford a reasonable basis for

the auditors’ findings and conclusions. A record

of the auditors’ work should be retained in the

form of working papers. Working papers should

contain sufficient information to enable an

experienced auditor having no previous

connection with the audit to ascertain from

Page 80

Chapter 6

Field Work Standards for

Performance Audits

them the evidence that supports the auditors’

significant conclusions and judgments.8

6.47 Evidence may be categorized as physical,documentary, testimonial, and analytical. Physicalevidence is obtained by auditors’ direct inspection orobservation of people, property, or events. Suchevidence may be documented in memoranda,photographs, drawings, charts, maps, or physicalsamples. Documentary evidence consists of createdinformation such as letters, contracts, accountingrecords, invoices, and management information onperformance. Testimonial evidence is obtainedthrough inquiries, interviews, or questionnaires.Analytical evidence includes computations,comparisons, separation of information intocomponents, and rational arguments.

6.48 The guidance in the following paragraphs isintended to help auditors judge the quality andquantity of evidence needed to satisfy auditobjectives. Paragraphs 6.49 through 6.52 describe theelements of an audit finding. Paragraphs 6.53 through6.62 provide guidance to help auditors determinewhat constitutes sufficient, competent, and relevantevidence to support their findings and conclusions.Finally, paragraphs 6.63 through 6.65 provideguidance on how to document that evidence.

Audit Findings 6.49 Audit findings often have been regarded ascontaining the elements of criteria, condition, and

8The nature of this documentation will vary with the nature of thework performed. For example, when this work includesexamination of auditee records, the working papers shoulddescribe those records so that an experienced auditor would beable to examine those same records. Auditors may meet thisrequirement by listing file numbers, case numbers, or other meansof identifying specific documents they examined. They are notrequired to include in the working papers copies of documents theyexamined, nor are they required to list detailed information fromthose documents.

Page 81

Chapter 6

Field Work Standards for

Performance Audits

effect, plus cause when problems are found.However, the elements needed for a finding dependentirely on the objectives of the audit. Thus, a findingor set of findings is complete to the extent that theaudit objectives are satisfied and the report clearlyrelates those objectives to the finding’s elements.Criteria are discussed in paragraph 6.11; the otherelements of a finding—condition, effect, andcause—are discussed in the following paragraphs.

6.50 Condition is a situation that exists. It has beendetermined and documented during the audit.

6.51 Effect has two meanings, which depend on theaudit objectives. When the auditors’ objectivesinclude identifying the actual or potentialconsequences of a condition that varies (eitherpositively or negatively) from the criteria identified inthe audit, “effect” is a measure of thoseconsequences. Auditors often use effect in this senseto demonstrate the need for corrective action inresponse to identified problems. When the auditors’objectives include estimating the extent to which aprogram has caused changes in physical, social, oreconomic conditions, “effect” is a measure of theimpact achieved by the program. Here, effect is theextent to which positive or negative changes in actualphysical, social, or economic conditions can beidentified and attributed to program operations.

6.52 Like effect, cause also has two meanings, whichdepend on the audit objectives. When the auditors’objectives include explaining why the poor (or good)performance determined in the audit happened, thereasons for that performance are referred to as“cause.” Identifying the cause of problems can assistauditors in making constructive recommendations forcorrection. Because problems can result from anumber of plausible factors, the recommendation canbe more persuasive if auditors can clearly

Page 82

Chapter 6

Field Work Standards for

Performance Audits

demonstrate and explain with evidence and reasoningthe link between the problems and the factor orfactors they identified as the cause. When theauditors’ objectives include estimating the program’seffect on changes in physical, social, or economicconditions, they seek evidence of the extent to whichthe program itself is the “cause” of those changes.

Tests of Evidence 6.53 Evidence should be sufficient, competent, andrelevant. Evidence is sufficient if there is enough of itto support the auditors’ findings. In determining thesufficiency of evidence it may be helpful to ask suchquestions as: Is there enough evidence to persuade areasonable person of the validity of the findings?When appropriate, statistical methods may be used toestablish sufficiency. Evidence used to support afinding is relevant if it has a logical, sensiblerelationship to that finding. Evidence is competent tothe extent that it is consistent with fact (that is,evidence is competent if it is valid).

6.54 The following presumptions are useful in judgingthe competence of evidence. However, thesepresumptions are not to be considered sufficient inthemselves to determine competence.

a. Evidence obtained from a credible third party ismore competent than that secured from the auditee.

b. Evidence developed under an effective system ofmanagement controls is more competent than thatobtained where such controls are weak ornonexistent.

c. Evidence obtained through the auditors’ directphysical examination, observation, computation, andinspection is more competent than evidence obtainedindirectly.

Page 83

Chapter 6

Field Work Standards for

Performance Audits

d. Original documents provide more competentevidence than do copies.

e. Testimonial evidence obtained under conditionswhere persons may speak freely is more competentthan testimonial evidence obtained undercompromising conditions (for example, where thepersons may be intimidated).

f. Testimonial evidence obtained from an individualwho is not biased or has complete knowledge aboutthe area is more competent than testimonial evidenceobtained from an individual who is biased or has onlypartial knowledge about the area.

6.55 Auditors may find it useful to obtain fromofficials of the auditee written representationsconcerning the competence of the evidence theyobtain. Written representations ordinarily confirmoral representations given to auditors, indicate anddocument the continuing appropriateness of suchrepresentations, and reduce the possibility ofmisunderstanding concerning the matters that are thesubject of the representations.

6.56 The auditors’ approach to determining thesufficiency, competence, and relevance of evidencedepends on the source of the information thatconstitutes the evidence. Information sources includeoriginal data gathered by auditors and existing datagathered by either the auditee or a third party. Datafrom any of these sources may be obtained fromcomputer-based systems.

6.57 Data Gathered by Auditors. Data gathered byauditors include the auditors’ own observations andmeasurements. Among the methods for gathering thistype of data are questionnaires, structured interviews,direct observations, and computations. The design ofthese methods and the skill of the auditors applying

Page 84

Chapter 6

Field Work Standards for

Performance Audits

them are the keys to ensuring that these dataconstitute sufficient, competent, and relevantevidence. When these methods are applied todetermine cause, auditors are concerned witheliminating rival explanations.

6.58 Data Gathered by the Auditee. Auditors can usedata gathered by the auditee as part of their evidence.Auditors may determine the validity and reliability ofthese data by direct tests of the data. Auditors canreduce the direct tests of the data if they test theeffectiveness of the entity’s controls over the validityand reliability of the data, and these tests support theconclusion that the controls are effective. The natureand extent of testing of the data will depend on thesignificance of the data to support auditors’ findings.

6.59 When the auditors’ tests of data disclose errorsin the data, or when they are unable to obtainsufficient, competent, and relevant evidence aboutthe validity and reliability of the data, they may find itnecessary to

a. seek evidence from other sources,

b. redefine the audit’s objectives to eliminate the needto use the data, or

c. use the data, but clearly indicate in their report thedata’s limitations and refrain from makingunwarranted conclusions or recommendations.

6.60 Data Gathered by Third Parties. The auditors’evidence may also include data gathered by thirdparties. In some cases, these data may have beenaudited by others, or the auditors may be able to auditthe data themselves. In other cases, however, it willnot be practical to obtain evidence of the data’svalidity and reliability.

Page 85

Chapter 6

Field Work Standards for

Performance Audits

6.61 How the use of unaudited third-party dataaffects the auditors’ report depends on the data’ssignificance to the auditors’ findings.

6.62 Validity and Reliability of Data FromComputer-Based Systems. Auditors should obtainsufficient, competent, and relevant evidence thatcomputer-processed data are valid and reliable whenthose data are significant to the auditors’ findings.9

This work is necessary regardless of whether the dataare provided to auditors or auditors independentlyextract them.10 Auditors should determine if otherauditors have worked to establish the validity andreliability of the data or the effectiveness of thecontrols over the system that produced the data. Ifthey have, auditors may be able to use that work. Ifnot, auditors may determine the validity andreliability of computer-processed data by direct testsof the data. Auditors can reduce the direct tests of thedata if they test the effectiveness of general andapplication controls over computer-processed data,and these tests support the conclusion that thecontrols are effective.11

9When the reliability of a computer-based system is the primaryobjective of the audit, the auditors should conduct a review of thesystem’s general and application controls.

10When computer-processed data are used by the auditors, orincluded in the report, for background or informational purposesand are not significant to the auditors’ findings, citing the source ofthe data and stating that they were not verified will satisfy thereporting standards for accuracy and completeness set forth in thisstatement.

11A GAO guide, Assessing the Reliability of Computer-Based Data(GAO/OP-8.1.3, September 1990), provides guidance on thefollowing key steps: (1) determining how computer-based data willbe used and how they will affect the audit objectives, (2) findingout what is known about the data and the system that producedthem, (3) obtaining an understanding of relevant system controls,which can reduce risk to an acceptable level, (4) testing the datafor reliability, and (5) disclosing the data source and how datareliability was established or qualifying the report if data reliabilitycould not be established.

Page 86

Chapter 6

Field Work Standards for

Performance Audits

Working Papers 6.63 Working papers serve three purposes. Theyprovide the principal support for the auditors’ report,aid the auditors in conducting and supervising theaudit, and allow others to review the audit’s quality.This third purpose is important because audits donein accordance with GAGAS often are subject to reviewby other auditors and by oversight officials. Workingpapers allow for the review of audit quality byproviding the reviewer written documentation of theevidence supporting the auditors’ significantconclusions and judgments.

6.64 Working papers should contain

a. the objectives, scope, and methodology, includingany sampling criteria used;

b. documentation of the work performed to supportsignificant conclusions and judgments; and

c. evidence of supervisory review of the workperformed.

6.65 One factor underlying GAGAS audits is thatfederal, state, and local governments and otherorganizations cooperate in auditing programs ofcommon interest so that auditors may use others’work and avoid duplicate audit efforts. Arrangementsshould be made so that working papers will be madeavailable, upon request, to other auditors. To facilitatereviews of audit quality and reliance by other auditorson the auditors’ work, contractual arrangements forGAGAS audits should provide for access to workingpapers. Audit organizations should also establishreasonable policies and procedures for the safecustody and retention of working papers for a timesufficient to satisfy legal and administrativerequirements.

Page 87

Chapter 7

Reporting Standards forPerformance Audits

Purpose 7.1 This chapter prescribes standards of reporting forperformance audits. The report “contents” and“presentation” standards also apply to some financialrelated audits, as discussed in chapter 5.

Form 7.2 The first reporting standard for performanceaudits is:

Auditors should prepare written audit reports

communicating the results of each audit.

7.3 Written reports (1) communicate the results ofaudits to officials at all levels of government,(2) make the results less susceptible tomisunderstanding, (3) make the results available forpublic inspection, and (4) facilitate follow-up todetermine whether appropriate corrective actionshave been taken. The need to maintain publicaccountability for government programs demandsthat audit reports be written.1

7.4 This standard is not intended to limit or preventdiscussion of findings, judgments, conclusions, andrecommendations with persons who haveresponsibilities involving the area being audited. Onthe contrary, such discussions are encouraged.

7.5 When an audit is terminated prior to completion,auditors should communicate the termination to theauditee and other appropriate officials, preferably inwriting. Auditors should also write a memorandumfor the record, summarizing the results of the workand explaining why the audit was terminated.

1Audit reports may be presented on other media that are retrievableby report users and the audit organization. Retrievable auditreports include those which are in electronic or video formats.

Page 88

Chapter 7

Reporting Standards for

Performance Audits

Timeliness 7.6 The second reporting standard for performanceaudits is:

Auditors should appropriately issue the reports

to make the information available for timely use

by management, legislative officials, and other

interested parties.

7.7 To be of maximum use, the report must be timely.A carefully prepared report may be of little value todecisionmakers if it arrives too late. Therefore,auditors should plan for the appropriate issuance ofthe audit report and conduct the audit with this goalin mind.

7.8 The auditors should consider interim reporting,during the audit, of significant matters to appropriateofficials. Such communication, which may be oral orwritten, is not a substitute for a final report, but itdoes alert officials to matters needing immediateattention and permits them to correct them before thefinal report is completed.

Report Contents 7.9 The third reporting standard for performanceaudits covers the report contents.

Objectives, Scope,and Methodology

7.10 Auditors should report the audit objectives

and the audit scope and methodology.

7.11 Knowledge of the objectives of the audit, as wellas of the audit scope and methodology for achievingthe objectives, is needed by readers to understand thepurpose of the audit, judge the merits of the auditwork and what is reported, and understand significantlimitations.

7.12 In reporting the audit’s objectives, auditorsshould explain why the audit was made and state

Page 89

Chapter 7

Reporting Standards for

Performance Audits

what the report is to accomplish. Articulating whatthe report is to accomplish normally involvesidentifying the audit subject and the aspect ofperformance examined, and because what is reporteddepends on the objectives, communicating whatfinding elements are discussed and whetherconclusions and recommendations are given.

7.13 To preclude misunderstanding in cases wherethe objectives are particularly limited and broaderobjectives can be inferred, it may be necessary tostate objectives that were not pursued.

7.14 In reporting the scope of the audit, auditorsshould describe the depth and coverage of workconducted to accomplish the audit’s objectives.Auditors should, as applicable, explain therelationship between the universe and what wasaudited; identify organizations, geographic locations,and the period covered; report the kinds and sourcesof evidence; and explain any quality or otherproblems with the evidence. Auditors should alsoreport significant constraints imposed on the auditapproach by data limitations or scope impairments.

7.15 To report the methodology used, auditors shouldclearly explain the evidence gathering and analysistechniques used. This explanation should identify anysignificant assumptions made in conducting the audit;describe any comparative techniques applied;describe the criteria used; and when samplingsignificantly supports auditors’ findings, describe thesample design and state why it was chosen.

7.16 Auditors should attempt to avoidmisunderstanding by the reader concerning the workthat was and was not done to achieve the auditobjectives, particularly when the work was limitedbecause of constraints on time or resources.

Page 90

Chapter 7

Reporting Standards for

Performance Audits

Audit Results 7.17 Auditors should report significant audit

findings, and where applicable, auditors’

conclusions.

7.18 Auditors should report the significant findingsdeveloped in response to each audit objective.2 Inreporting the findings, auditors should includesufficient, competent, and relevant information topromote adequate understanding of the mattersreported and to provide convincing but fairpresentations in proper perspective. Auditors shouldalso report appropriate background information thatreaders need to understand the findings.

7.19 Audit findings often have been regarded ascontaining the elements of criteria, condition, andeffect, plus cause when problems are found.3

However, the elements needed for a finding dependentirely on the objectives of the audit. Thus, a findingor set of findings is complete to the extent that theaudit objectives are satisfied and the report clearlyrelates those objectives to the finding’s elements.

7.20 Auditors should report conclusions when calledfor by the audit objectives. Conclusions are logicalinferences about the program based on the auditors’findings. Conclusions should be specified and not leftto be inferred by readers. The strength of the auditors’conclusions depends on the persuasiveness of theevidence supporting the findings and theconvincingness of the logic used to formulate theconclusions.

2Audit findings not included in the audit report, because ofinsignificance, should be separately communicated to the auditee,preferably in writing. Such findings, when communicated in amanagement letter to top management, should be referred to in theaudit report. All communications of audit findings should bedocumented in the working papers.

3See description of the elements of a finding in paragraphs 6.49through 6.52.

Page 91

Chapter 7

Reporting Standards for

Performance Audits

Recommendations 7.21 Auditors should report recommendations

for actions to correct problem areas and to

improve operations.

7.22 Auditors should report recommendations whenthe potential for significant improvement inoperations and performance is substantiated by thereported findings. Recommendations to effectcompliance with laws and regulations and improvemanagement controls should also be made whensignificant instances of noncompliance are noted orsignificant weaknesses in controls are found. Auditorsshould also report the status of uncorrectedsignificant findings and recommendations from prioraudits that affect the objectives of the current audit.

7.23 Constructive recommendations can encourageimprovements in the conduct of governmentprograms. Recommendations are most constructivewhen they are directed at resolving the cause ofidentified problems, are action oriented and specific,are addressed to parties that have the authority to act,are feasible, and, to the extent practical, arecost-effective.

Statement onAuditing Standards

7.24 Auditors should report that the audit was

made in accordance with generally accepted

government auditing standards.

7.25 The statement of compliance with generallyaccepted government auditing standards refers to allthe applicable standards that the auditors should havefollowed during the audit. The statement should bequalified in situations in which the auditors did notfollow an applicable standard. In these situations,auditors should report in the scope section theapplicable standard that was not followed, thereasons therefor, and how not following the standardaffected the results of the audit.

Page 92

Chapter 7

Reporting Standards for

Performance Audits

Compliance WithLaws andRegulations

7.26 Auditors should report all significant

instances of noncompliance and all significant

instances of abuse that were found during or in

connection with the audit. In some

circumstances, auditors should report illegal

acts directly to parties external to the audited

entity.

Noncompliance andAbuse

7.27 When auditors conclude, based on evidenceobtained, that significant noncompliance or abuseeither has occurred or is likely to have occurred, theyshould report relevant information. The term“noncompliance” comprises illegal acts (violations oflaws and regulations)4 and violations of provisions ofcontracts or grant agreements. Abuse occurs whenthe conduct of a government organization, program,activity, or function falls far short of societalexpectations for prudent behavior.

7.28 In reporting significant instances ofnoncompliance, auditors should place their findingsin perspective. To give the reader a basis for judgingthe prevalence and consequences of noncompliance,the instances of noncompliance should be related tothe universe or the number of cases examined and bequantified in terms of dollar value, if appropriate.

7.29 When auditors detect nonsignificant instances ofnoncompliance they should communicate them to theauditee, preferably in writing. If the auditors havecommunicated such instances of noncompliance in amanagement letter to top management, they shouldrefer to that management letter in the audit report.Auditors should document in their working papers allcommunications to the auditee about noncompliance.

4Whether a particular act is, in fact, illegal may have to await finaldetermination by a court of law. Thus, when auditors disclosematters that have led them to conclude that an illegal act is likely tohave occurred, they should take care not to imply that they havemade a determination of illegality.

Page 93

Chapter 7

Reporting Standards for

Performance Audits

Direct Reporting ofIllegal Acts

7.30 Auditors are responsible for reporting illegalacts directly to parties outside the auditee in certaincircumstances, as discussed in the followingparagraphs. Auditors should fulfill theseresponsibilities even if they have resigned or beendismissed from the audit.5

7.31 The auditee may be required by law orregulation to report certain illegal acts to specifiedexternal parties (for example, to a federal inspectorgeneral or a state attorney general). If auditors havecommunicated such illegal acts to the auditee, and itfails to report them, then the auditors shouldcommunicate their awareness of that failure to theauditee’s governing body. If the auditee does notmake the required report as soon as practical after theauditors’ communication with its governing body,then the auditors should report the illegal actsdirectly to the external party specified in the law orregulation.

7.32 Auditors should obtain sufficient, competent,and relevant evidence (for example, by confirmationwith outside parties) to corroborate assertions bymanagement that it has reported illegal acts. If theyare unable to do so, then the auditors should reportthe illegal acts directly as discussed above.

7.33 Chapter 6 reminds auditors that under somecircumstances, laws, regulations, or policies mayrequire them to report promptly indications of certaintypes of illegal acts to law enforcement orinvestigatory authorities. When auditors concludethat this type of illegal act either has occurred or islikely to have occurred, they should ask thoseauthorities and/or legal counsel if reporting certaininformation about that illegal act would compromiseinvestigative or legal proceedings. Auditors should

5Internal auditors auditing within the entity that employs them donot have a duty to report outside that entity.

Page 94

Chapter 7

Reporting Standards for

Performance Audits

limit their reporting to matters that would notcompromise those proceedings, such as informationthat is already a part of the public record.

ManagementControls

7.34 Auditors should report the scope of their

work on management controls and any

significant weaknesses found during the audit.

7.35 Reporting on management controls will varydepending on the significance of any weaknessesfound and the relationship of those weaknesses to theaudit objectives.

7.36 In audits where the sole objective is to audit themanagement controls, weaknesses found ofsignificance to warrant reporting would beconsidered deficiencies and be so identified in theaudit report. The management controls that wereassessed should be identified to the extent necessaryto clearly present the objectives, scope, andmethodology of the audit.

7.37 In a performance audit, auditors may identifysignificant weaknesses in management controls as acause of deficient performance. In reporting this typeof finding, the control weaknesses would bedescribed as the “cause.”

Views ofResponsibleOfficials

7.38 Auditors should report the views of

responsible officials of the audited program

concerning auditors’ findings, conclusions, and

recommendations, as well as corrections

planned.

7.39 One of the most effective ways to ensure that areport is fair, complete, and objective is to obtainadvance review and comments by responsible auditeeofficials and others, as may be appropriate. Including

Page 95

Chapter 7

Reporting Standards for

Performance Audits

the views of responsible officials produces a reportthat shows not only what was found and what theauditors think about it but also what the responsiblepersons think about it and what they plan to do aboutit.

7.40 Auditors should normally request that theresponsible officials’ views on significant findings,conclusions, and recommendations be submitted inwriting. When, in these cases, written comments arenot obtained, oral comments should be requested.

7.41 Advance comments should be objectivelyevaluated and recognized, as appropriate, in thereport. Advance comments, such as a promise or planfor corrective action, should be noted but should notbe accepted as justification for dropping a significantfinding or a related recommendation.

7.42 When the comments oppose the report’sfindings, conclusions, or recommendations, and arenot, in the auditors’ opinion, valid, the auditors maychoose to state their reasons for rejecting them.Conversely, the auditors should modify their report ifthey find the comments valid.

NoteworthyAccomplishments

7.43 Auditors should report noteworthy

accomplishments, particularly when

management improvements in one area may be

applicable elsewhere.

7.44 Noteworthy management accomplishmentsidentified during the audit, which were within thescope of the audit, should be included in the auditreport along with deficiencies. Such informationprovides a more fair presentation of the situation byproviding appropriate balance to the report. Inaddition, inclusion of such accomplishments may lead

Page 96

Chapter 7

Reporting Standards for

Performance Audits

to improved performance by other governmentorganizations that read the report.

Issues NeedingFurther Study

7.45 Auditors should refer significant issues

needing further audit work to the auditors

responsible for planning future audit work.

7.46 If, during the audit, auditors identify significantissues that warrant further work, but the issues arenot directly related to the audit objectives or theauditors do not have the time or resources to expandthe audit to pursue them, they should refer the issuesto the auditors within the audit organization who areresponsible for planning future audit work. Whenappropriate, auditors should also disclose the issuesin the report and the reasons the issues need furtherstudy.

Privileged andConfidentialInformation

7.47 If certain information is prohibited from

general disclosure, auditors should report the

nature of the information omitted and the

requirement that makes the omission necessary.

7.48 Certain information may be prohibited fromgeneral disclosure by federal, state, or local laws orregulations. Such information may be provided on aneed-to-know basis only to persons authorized by lawor regulation to receive it.

7.49 If such requirements prohibit auditors fromincluding pertinent information in the report, theyshould state the nature of the information omittedand the requirement that makes the omissionnecessary. The auditors should obtain assurance thata valid requirement for the omission exists, and, whenappropriate, consult with legal counsel.

Page 97

Chapter 7

Reporting Standards for

Performance Audits

ReportPresentation

7.50 The fourth reporting standard for performanceaudits is:

The report should be complete, accurate,

objective, convincing, and as clear and concise

as the subject permits.

Complete 7.51 Being complete requires that the report containall information needed to satisfy the audit objectives,promote an adequate and correct understanding ofthe matters reported, and meet the report contentrequirements. It also means including appropriatebackground information.

7.52 Giving readers an adequate and correctunderstanding means providing perspective on theextent and significance of reported findings, such asthe frequency of occurrence relative to the number ofcases or transactions tested and the relationship ofthe findings to the entity’s operations.

7.53 In most cases, a single example of a deficiency isnot sufficient to support a broad conclusion or arelated recommendation. All that it supports is that adeviation, an error, or a weakness existed. However,except as necessary to make convincingpresentations, detailed supporting data need not beincluded.

Accurate 7.54 Accuracy requires that the evidence presentedbe true and that findings be correctly portrayed. Theneed for accuracy is based on the need to assurereaders that what is reported is credible and reliable.One inaccuracy in a report can cast doubt on thevalidity of an entire report and can divert attentionfrom the substance of the report. Also, inaccuratereports can damage the credibility of the issuing audit

Page 98

Chapter 7

Reporting Standards for

Performance Audits

organization and reduce the effectiveness of itsreports.

7.55 The report should include only information,findings, and conclusions that are supported bycompetent and relevant evidence in the auditors’working papers. If data are significant to the auditfindings and conclusions, but are not audited, theauditors should clearly indicate in their report thedata’s limitations and not make unwarrantedconclusions or recommendations based on thosedata.

7.56 Reported evidence should demonstrate thecorrectness and reasonableness of the mattersreported. Correct portrayal means describingaccurately the audit scope and methodology, andpresenting findings and conclusions in a mannerconsistent with the scope of audit work.

Objective 7.57 Objectivity requires that the presentation of theentire report be balanced in content and tone. Areport’s credibility is significantly enhanced when itpresents evidence in an unbiased manner so thatreaders can be persuaded by the facts.

7.58 The audit report should be fair and notmisleading, and should place the audit results inperspective. This means presenting the audit resultsimpartially and guarding against the tendency toexaggerate or overemphasize deficient performance.In describing shortcomings in performance, auditorsshould present the explanation of responsibleofficials including the consideration of any unusualdifficulties or circumstances they faced.

7.59 The tone of reports should encouragedecisionmakers to act on the auditors’ findings andrecommendations. Although findings should be

Page 99

Chapter 7

Reporting Standards for

Performance Audits

presented clearly and forthrightly, the auditors shouldkeep in mind that one of their objectives is topersuade, and that this can best be done by avoidinglanguage that generates defensiveness andopposition. Although criticism of past performance isoften necessary, the report should emphasize neededimprovements.

Convincing 7.60 Being convincing requires that the audit resultsbe responsive to the audit objectives, the findings bepresented persuasively, and the conclusions andrecommendations follow logically from the factspresented. The information presented should besufficient to convince the readers to recognize thevalidity of the findings, the reasonableness of theconclusions, and the benefit of implementing therecommendations. Reports designed in this way canhelp focus the attention of responsible officials on thematters that warrant attention and can help stimulatecorrection.

Clear 7.61 Clarity requires that the report be easy to readand understand. Reports should be written inlanguage as clear and simple as the subject permits.

7.62 Use of straightforward, nontechnical language isessential to simplicity of presentation. If technicalterms and unfamiliar abbreviations and acronyms areused, they should be clearly defined. Acronymsshould be used sparingly.

7.63 Logical organization of material, and accuracyand precision in stating facts and in drawingconclusions, are essential to clarity andunderstanding. Effective use of titles and captionsand topic sentences make the report easier to readand understand. Visual aids (such as pictures, charts,

Page 100

Chapter 7

Reporting Standards for

Performance Audits

graphs, and maps) should be used when appropriateto clarify and summarize complex material.

Concise 7.64 Being concise requires that the report be nolonger than necessary to convey and support themessage. Too much detail detracts from a report, mayeven conceal the real message, and may confuse ordiscourage readers. Also, needless repetition shouldbe avoided.

7.65 Although room exists for considerable judgmentin determining the content of reports, those that arecomplete, but still concise, are likely to achievegreater results.

ReportDistribution

7.66 The fifth reporting standard for performanceaudits is:

Written audit reports are to be submitted by the

audit organization to the appropriate officials of

the auditee and to the appropriate officials of

the organizations requiring or arranging for the

audits, including external funding organizations,

unless legal restrictions prevent it. Copies of

the reports should also be sent to other officials

who have legal oversight authority or who may

be responsible for acting on audit findings and

recommendations and to others authorized to

receive such reports. Unless restricted by law or

regulation, copies should be made available for

public inspection.

7.67 Audit reports should be distributed in a timelymanner to officials interested in the results. Suchofficials include those designated by law or regulationto receive such reports, those responsible for actingon the findings and recommendations, those of otherlevels of government who have provided assistance to

Page 101

Chapter 7

Reporting Standards for

Performance Audits

the auditee, and legislators. However, if the subject ofthe audit involves material that is classified forsecurity purposes or is not releasable to particularparties or the public for other valid reasons, auditorsmay limit the report distribution.

7.68 When nongovernment audit organizations areengaged, the engaging government organizationshould ensure that the report is distributedappropriately. If the nongovernment auditorganization is to make the distribution, theengagement agreement should indicate what officialsor organizations should receive the report.

7.69 Internal auditors should follow their entity’s ownarrangements and statutory requirements fordistribution. Usually, they report to their entity’s topmanagers, who are responsible for distribution of thereport.

Page 102

Page 103

Appendix I

Government Auditing StandardsAdvisory Council

James B. Thomas, Jr., ChairmanInspector GeneralU.S. Department of Education

Ross F. ConnerAssociate Professor of Social Ecology and MedicineUniversity of California at Irvine

Norwood J. Jackson, Jr.Chief, Financial Standards and Reporting BranchOffice of Management and Budget

Margaret KellyState AuditorMissouri

Sam M. McCallDeputy Auditor GeneralFlorida

John R. MillerPartnerKPMG Peat Marwick

Donald L. NeebesPartnerErnst & Young

Douglas R. NortonAuditor GeneralArizona

Thomas D. RoslewiczDeputy Inspector General for Audit ServicesU.S. Department of Health and Human Services

Page 104

Appendix I

Government Auditing Standards

Advisory Council

Edward P. RyanCity Auditor and ComptrollerSan Diego, California

William J. SharkeyFormer Assistant DirectorDefense Contract Audit Agency

Richard C. TracyDirector of AuditsPortland, Oregon

Wanda A. WallaceAssociate Dean for Academic AffairsSchool of Business AdministrationThe College of William & Mary

John K. WatsenVice President for AuditingFederal National Mortgage Association

Wayne L. WelshLegislative Auditor GeneralUtah

Frederick D. WolfManaging DirectorPrice Waterhouse

GAO Project Team

Marcia B. BuchananDonald H. ChapinPatrick L. McNamee

Page 105

Index

Abuse 6.35

Activities other than audit 2.10-2.11, 3.9

AICPA standards

Relation 1.9, 4.2-4.4, 5.2-5.3

Financial related audits 4.39-4.40, 5.36-5.37

Applicability 1.2-1.8

Cause 6.52

Compliance

Controls over 4.30, 6.31, 6.41

Reporting 5.3, 5.15-5.25, 7.26-7.33

Conclusions 7.20

Condition 6.50

Continuing education requirements 3.6-3.9

Criteria 6.5, 6.11

Communications with audit committees or others 5.3, 5.5-5.10

Data

Auditees, by 6.58-6.59

Auditors, by 6.57

Computer based systems, from 6.62

Third parties, from 6.60-6.61

Direct reporting, compliance 5.15, 5.21-5.25, 7.26,7.30-7.33

Distribution, report 5.3, 5.32-5.35, 7.66-7.69

Due professional care 3.26-3.30

Possible irregularities or illegal acts 4.16, 6.33

Economy and efficiency audits 2.7a, 2.8, 6.10, 6.30

Effect 6.51

Evidence 6.5, 6.46-6.65

External quality control review 3.33-3.36

Financial statement audit 2.4a

(continued)

Page 106

Index

Financial related audits 2.4b, 2.5, 4.39-4.40,5.36-5.37

Findings 5.19, 6.49-6.52, 7.17-7.19

Follow-up 4.3, 4.10, 5.26, 6.5,6.12-6.13

Fraud 6.37

Illegal acts 4.4, 4.12, 4.14-4.16,6.28-6.33

Irregularities 4.4, 4.12, 4.14-4.16

Independence 3.11-3.25

Internal quality control system 3.32

Internal controls

Compliance with laws and regulations 4.30, 6.41

Control environment 4.23-4.24

Program 6.31

Risk assessments 4.31-4.33

Safeguarding of assets 4.25-4.29, 6.41

Validity and reliability of data 6.41

Internal control reporting 5.26-5.28

Issues needing further study 7.45-7.46

Management controls 6.39-6.45, 7.34-7.37

Materiality 4.4, 4.8-4.9

Methodology 3.28, 6.4, 6.6, 6.20, 6.42

Noncompliance 4.3, 4.13, 4.18-4.20, 6.34

Noteworthy accomplishments 7.43-7.44

Objectives 2.2-2.3, 6.3, 6.6,6.9-6.10, 6.20, 6.42,

7.10-7.13

Planning 4.6-4.10, 6.2-6.21

Written audit plan 6.19-6.21

Performance audits 2.6-2.9

Privileged and confidential information 5.29-5.31, 7.47-7.49

(continued)

Page 107

Index

Program, aspects of 6.5, 6.9

Program audits 2.7b, 2.9, 6.10, 6.30

Procurement of audit services 1.15, 3.36, 4.38, 6.65

Qualifications 3.3-3.10

Quality control 3.31-3.36

Reporting

Compliance with generally accepted government auditingstandards

3.29, 5.3, 5.11-5.14,7.24-7.25

Compliance with laws and regulations 5.3, 5.15-5.25, 7.26-7.33

Financial related audits 5.36-5.37

Internal controls 5.3, 5.26-5.28

Management controls 7.34-7.37

Performance audits 7.1-7.69

Status of previous findings and recommendations 4.10, 5.26, 6.12, 7.22

Report content 7.9-7.49

Report form 7.2-7.5

Report presentation

Accurate 7.54-7.56

Clear 7.61

Combined 5.16

Complete 7.51-7.53

Concise 7.64-7.65

Convincing 7.60

Objective 7.57-7.59

Scope 3.28, 6.3, 6.6, 6.20, 6.42,7.10-7.11, 7.14-7.16

Significance 6.5, 6.7

Staffing 6.5, 6.17-6.18, 6.20

Supervision 6.22-6.25, 6.64

Timeliness 7.6-7.8

User needs 5.9, 5.10, 6.7-6.8

(continued)

Page 108

Index

Working papers, requirements 3.29, 4.3, 4.15, 4.31,4.34-4.38, 5.8, 5.20,

5.28, 6.63-6.65, 7.18

Work of others 6.14-6.16, 6.65

Views of responsible officials 7.38-7.42

Page 109

This document, Government Auditing Standards: 1994Revision (GAO/OCG-94-4), is for sale by theSuperintendent of Documents, U.S. GovernmentPrinting Office, Washington, D.C. 20401. The stocknumber is 020-000-00-265-4.

United States

General Accounting Office

Washington, D.C. 20548

Official Business

Penalty for Private Use $300

First-Class Mail

Postage & Fees Paid

GAO

Permit No. G100