Government Auditing Standards Amendment II

7/29/2019 Government Auditing Standards Amendment II

1/74

GAOUnite d Stat es Gene ral Accounting Office

By the Comptroller General of theUnited States

Government AuditingStandards

Amendment No. 2

AuditorCommunication

GAO/A-GAGAS-2

July 1999


2/74

Page 1

United StatesGeneral Account ing OfficeWashingt on, D.C. 20548

Comptroller Generalof the United State s

GAO

This second amendment to Governm ent Audi tin gStandards (1994 revision), Amendment No. 2,Au di torCommunication , adds a field work standard and amends arepor ting standard for financial statement audits toimprove auditor communication concerning the auditorswork on compliance with laws and regulations andinternal control over financial reporting. This new

amendment requires specific communication with theauditee, the individuals con tracting for or requesting theaudit services, and the audit committee regarding thescope of compliance and internal control work to beperformed under Governm ent Audi tin g Standards. Thenew amendment also requires the auditor to emphasize inthe auditors report on the financial statements theimportance of the reports on compliance with laws andregulations and interna l control over financial reportingwhen these reports are issued separa tely from the report

on the financial statements .

The American Institute of Certified Public Accountants(AICPA), in issuing Statement on Auditing Standards(SAS) No. 61, Com m un ication With Audi t Com m ittees, andSAS No. 83,Establishing an Understan di ng With theClient, set requirements for auditors to establish anunderstanding with the client regarding the services to beperformed and to determine that certain matters related tothe conduct of the audit under generally accepted auditing

standards are communicated to those who haveresponsibility for oversight of the financial reportingprocess. Amendment No. 2 broadens the parties who theauditor must communicate with and requires the auditorto communicate specific information regarding the natureand extent of testing and report ing on compliance withlaws and regulations and internal control over financialreporting during the planning stages of a financialstatement audit. The Advisory Council on GovernmentAuditing Standards recommended the issuance of thisamendment to reduce the risk that the needs orexpectations of the parties involved may be misinterpretedand to highlight the importance of the auditors reports oncompliance with laws and regulations and internal controlover financial reporting required under Government

Auditing Standards.


3/74

Page 2

We have included as appendixes I and II versions ofchapters 4 and 5, respectively, which show the deletion oflanguage appearing in Governm ent Auditi ng Standards(1994 revision) , as amended by Amendment No. 1, with astrikeout and present the new or amended language withbold and italics. Appendix III conta ins a list of membersto the Comptroller Generals Advisory Council onGovernment Auditing Standards.

An electronic version of this amendment can be accessed

through GAOs Internet Home Page (www.gao.gov )fromthe GAO Policy and Guidance Materials or the SpecialPublications sections of the GAO site, or directly atwww.gao.gov/govaud/ybk01.htm. This site alsocontains a new electronic version ofGovernm ent Auditi ngStandards, which codifies the new amendment by

This amendment moves a reporting standard on auditorcommunication, (paragraphs 5.5 through 5.10) in chapter5, with some modification, to a field work standard(paragraphs 4.6.3 through 4.6.9), as communication on thescope of work to be performed on an audit is viewedmore appropriately as a field work standard. In addition,

this amendment revises the sect ion entitled Reporting onCompliance With Laws and Regulations and on InternalControls (paragraphs 5.15 through 5.17) in chapter 5.

This amendment includes changes resulting fromGovernm ent Auditi ng Standards: Am endm ent No. 1,

Docum entati on Requirem ents When Assessing ControlRi sk at Maxim um for Controls Signifi can tly Dependen tUpon Com puterized Inform ation System s (GAO/A-GAGAS-1, May 1999). This amendment also includesconforming changes to recognize, where applicable,standards issued by the AICPA subsequent to the issuanceof the 1994 revision ofGovernm ent Audi tin g Standards,and the issuance of Office of Management and BudgetCircular A-133,Au di ts of S tates , Local Governm ents , an d

Non-Profi t Organ izations issued in June 1997.

This amendment is effective for financial statement auditsof per iods ending on or after January 1, 2000. Ear lierapplication is permissible.


4/74

Page 3

reflecting changes made resulting from the issuance ofrecent amendments. Printed copies of this amendment canbe obtained from the U. S. Government Printing Office.

This amendment was exposed for public comment pr ior toits final issuance. As a result, various suggestions were

incorporated into the final amendment. I thank those whosuggested improvements to the amendment, and Iespecially commend the Advisory Council on GovernmentAuditing Standards and the project team for their efforts.

If you have any questions regarding this amendment,please contact Robert W. Gramling, Direc tor, CorporateAudits and Standards, Accounting and InformationManagement Division, (202) 512-9406. Key contributors tothis amendment were Cheryl E. Clark, Marcia B.Buchanan, and Michael C. Hrapsky.

David M. WalkerComptroller Generalof the United States


5/74

Page 4

Amendment No. 2: Auditor Communication

Chapter 4

Field Work Standards for Financial Audits

This amendment to Governm ent Au diti ng Standards(1994 revision) establishes a new field work standardand revises a reporting standard for financial statementaudits to improve auditor communication concerningthe auditors work on compliance with laws andregulations and internal control over financial reporting

with users of the auditors repor ts. This standard iseffective for financial statement audits of periodsending on or after January 1, 2000. Earlier applicationis permissible.

Purpose 4.1 This chapter prescribes standards of field work forfinancial audits, which include financial statementaudits and financial related audits.

4.2 For financial statement audits, generally acceptedgovernment auditing standards (GAGAS) incorporatethe American Institute of Certified Public Accountants(AICPA) three generally accepted standards of fieldwork, which are:

a. The work is to be adequately planned and assistants,

if any, are to be properly supervised.

b. A sufficient understanding of internal control is to beobtained to plan the audit and to determine the nature,timing, and extent of tests to be performed.

c. Sufficient competent evidential matter is to beobtained through inspection, observation, inquiries,and confirmations to a fford a reasonable basis for anopinion regarding the financial statements under audit.

4.3 The AICPA has issued s tatements on auditingstandards (SAS) that interpret its standards of field

Relation toAICPA Standards


6/74


work (including a SAS on compliance auditing).1 Thischapter incorporates these SASs and prescribesadditional standards on

a. auditor communication (see paragraphs 4.6.3through 4.6.9),

b. audit follow-up (see paragraphs 4.7, 4.10, and 4.11),

c. noncompliance other than illegal acts (seeparagraphs 4.13 and 4.18 through 4.20),

d. documentation requirements when assessing controlrisk at maximum for controls significantly dependentupon computerized information systems (seeparagraphs 4.21.1 through 4.21.4), and

e . working papers . (See paragraphs 4.34 through 4.38.)

4.4 This chapter also discusses three other key aspectsof financial statement audits:

a. materiality (see paragraphs 4.6.1 and 4.6.2),

b. fraud and illegal acts (see paragraphs 4.14 through4.17), and

c. internal control. (See paragraphs 4.22 and 4.25through 4.30.)

4.5 This chapter concludes by explaining whichstandards auditors should follow in performingfinancial related audits.

Page 5

1 GAGAS incorporate any new AICPA field work s tanda rds r elevant to

financial statement audits unless the General Accounting Office (GAO)

excludes them by formal announcement.


7/74


Page 6

4.6 AICPA standards and GAGAS require thefollowing:

The work is to be prope rly planned, and auditorsshould cons ider mate riality, among ot her matte rs,in dete rmining the nature, timing, and ex te nt o f

auditing procedures and in evaluating the resultsof those procedures.

4.6.1 Auditors consideration of materiality is a matterof professional judgment and is influenced by theirperception of the needs of a reasonable person whowill rely on the financial statements. Mater ialityjudgments are made in light of surroundingcircumstances and necessarily involve bothquantitative and qualitative considerations.

4.6.2 In an audit of the financial statements of agovernment entity or an ent ity that receivesgovernment assistance, auditors may set lowermater iality levels than in audits in the private sectorbecause of the public accountability of the auditee, thevarious legal and regulatory requirements , and thevisibility and sensitivity of government programs,activities, and functions.

4.6.3 The first additional planning standard forfinancial statement audits is

Auditors should communicate information to theaudite e, t he individuals contracting for orrequesting the audit s ervices, and the auditcommitte e regarding the nature and ex te nt ofplanned t es ting and reporting on compliance withlaws and regulations and inte rnal control ove rfinancial reporting.

4.6.4 AICPA standards and GAGAS require auditors toestablish an understanding with the client and tocommunicate with audit committees. GAGAS broaden

AuditorCommunication

Planning


8/74

Page 7

who auditors must communicate with and requireauditors to communicate specific informationregarding the nature and extent of testing and reportingon compliance with laws and regulations and internalcontrol over financial reporting during the planningstages of a financial statement audit to reduce the risk

that the needs or expectations of the parties involvedmay be misinterpreted.

4.6.5 The auditee is the organization or entity beingaudited. Auditors should communicate theirresponsibilities for the engagement to the appropr iateofficials of the auditee (which would normally includethe head of the organization, the audit committee orboard of directors or other equivalent oversight body inthe absence of an audit committee, and the individual

who possesses a sufficient level of authority andresponsibility for the financial reporting process, suchas the chief financial officer). In situat ions whereauditors are performingtheaudit under a contract witha party other than the auditee, orpursuant to a third-partyrequest, auditors should also communicate withtheindividuals contracting for or requesting the audit,such as contracting officials or legislative members orstaff. When auditors are performing the audit pursuantto a law or regulation, auditors should communicate

with the legislative members or staff who haveoversight of the auditee.1 .1

4.6.6 During the planning stages of an audit, auditorsshould communicate their responsibilities in a financialstatement audit, including their responsibilities fortesting and reporting on compliance with laws andregulations and internal control over financial reporting.

1.1

This requirement applies only to situations where the law orregulation specifically identifies the ent ity to be audited, such a s an

audit of a specific agencys financial statements required by the Chief

Financial Officers Act, as expanded by the Government Management

Reform Act of 1994. Situations where the financial statement audit

manda te applies to entities not specifically identified, such as audits

required by the Single Audit Act Amendments o f 1996, are excluded.



9/74

Page 8

Such communication should include the nature of anyadditional testing of compliance and internal controlrequired by laws and regulations or otherwise requested,and whether the auditors are planning on providingopinions on compliance with laws and regulations andinternal control over financial reporting.

4.6.7 Auditors should use their professional judgmentto determine the form and content of thecommunication. Written communication is preferred.Auditors should document the communication in theworking papers. Auditors may use an engagementletter to communicate the information descr ibed inparagraph 4.6.6. To assist in understanding thelimitations of auditors responsibilities for testing andreporting on compliance and internal control over

financial reporting, auditors may want to contrast thoseresponsibilities with other financial related audits ofcompliance and controls. The discussion in paragraphs4.6.8 and 4.6.9 may be helpful to auditors in explainingtheir responsibilities for testing and reporting oncompliance with laws and regulations and internalcontrol over financial reporting to the auditee andother interested parties.

4.6.8 Tests of compliance with laws and regulations

and internal control over financial report ing in afinancial statement audit contribute to the evidencesupport ing the auditors opinion on the financialstatements. However, they generally do not provide abasis for opining on compliance or internal controlover financial reporting. To meet certa in audit reportusers needs, laws and regulations somet imes prescribetesting and reporting on compliance and internal



10/74

Page 9

control over financial reporting to supplement thefinancial statement audits coverage of these areas. 1 .2

4.6.9 Even after auditors perform and report theresults of additional tests of compliance and internalcontrol over financial reporting required by laws and

regulations, some reasonable needs of report users stillmay be unmet. Auditors may meet these needs byperforming further tests of compliance and internalcontrol in either of two ways:

a. supplemental (or agreed-upon) procedures or

b. examinat ion, resulting in an opinion.

Audit Follow-up 4.7 The second additional planning standard forfinancial statement audits is

Auditors should follow up on known materialfindings and recommendations from previous audits .

[Paragraphs 4.8 and 4.9 have been moved andrenumbered to paragraphs 4.6.1 and 4.6.2.]

4.10 Auditors should follow up on known material

findings and recommendations from previous auditsthat could affect the financial statement audit. Theyshould do this to determine whether the auditee has


1.2For example, when engaged to perform audits under the Single Audit

Act of state and local government entities and nonprofit organizations

that r eceive federal awards, auditors should be familiar with the Single

Audit Act Amendments of 1996 and Office of Management and Budget

(OMB) Circular A-133. The act and circular include specific audit

requirements, mainly in the areas o f compliance with laws and

regulations and internal control, that exceed the minimum auditrequirements in the standards in chapte rs 4 and 5 of this document.

Audits conducted under the Chief Financial Officers Act o f 1990, as

expanded by the Government Management Reform Act of 1994, also

have spec ific audit requirements prescribed by OMB in the areas of

compliance and interna l control. Many state and local governments

have additional audit requirements.


11/74

Page 10

taken timely and appropriate corrective actions.Auditors should report the status of uncorrectedmater ial findings and recommendations from prioraudits that affect the financial statements.

4.11 Much of the benefit from audit work is not in the

findings reported or the recommendations made, but intheir effective resolution. Auditee management isresponsible for resolving audit findings andrecommendations, and having a process to track theirstatus can help it fulfill this responsibility. If managementdoes not have such a process, auditors may wish toestablish their own. Continued attention to materialfindings and recommendations can help auditors assurethat the benefits of their work are realized.


a. Auditors should design the audit t o providereasonable ass urance o f dete cting fraud that ismate rial to the financial stat ement s.2

b. Auditors should design the audit to providereasonable assurance of dete cting material

misstatements resulting from direct and materialillegal acts.3

Fraud, IllegalActs, and OtherNoncompliance

2Two types of misstatements are relevant to the auditors consideration

of fraud in a financial statement auditmisstatements arising from

fraudulent financial statements and misstatements arising from

misappropriation of assets. The primary factor that distinguishes fraud

from error is whether the underlying action that results in themisstatement in the financial statements is intentional or unintentional.

3Direct and mater ial illegal acts are violations of laws and

regulations having a direct and material effect on the determination

of financial statement amounts.



12/74

Page 11

c. Auditors should be aware of the possibility thatindirect illegal acts may have occurred.4 Ifspecific information comes to the auditorsatte ntion that provides e vidence concerning theex iste nce of possible illegal acts that could have amate rial indirect e ffect o n the financial

stat ement s, the auditors s hould apply auditproce dures specifically directed to ascertainingwhether an illegal act has occurred.

4.13 The additional compliance s tandard for financialstatement audits is

Auditors should des ign the audit to providereasonable ass urance of det ect ing mate rialmisst ate ments re sulting from noncompliance with

provisions of cont racts or grant agree ments thathave a direct and material effect on t hedete rmination of financial stat ement amounts. Ifspecific information comes to the auditorsatte ntion that provides e vidence concerning theex istence of possible noncompliance that couldhave a mate rial indirect effect on t he financialstat ement s, auditors s hould apply auditproce dures specifically directed to ascertainingwhether that noncompliance has occurred.

4.14 Auditors are responsible for being aware of thecharacteristics and types of potentially mater ial fraudthat could be associated with the area being audited sothat they can plan the audit to provide reasonableassurance of detecting material fraud.

4.15 Auditors should obtain an understanding of thepossible effects on financial statements of laws andregulations that are generally recognized by auditors tohave a direct and material effect on the determination


AuditorsUnderstanding ofPossible Fraud andof Laws andRegulations

4Indirect illegal acts ar e violations of laws and regulations having

material but indirect effects on the financial statements.


13/74

Page 12

of amounts in the financial statements. Auditors mayfind it necessary to use the work of legal counsel in(1) determining which laws and regulations might havea direct and mater ial effect on the financial statements,(2) designing tests o f compliance with laws andregulations, and (3) evaluating the results of those

tests.5

Auditors also may find it necessary to use thework of legal counsel when an audit requires testingcompliance with provisions of contracts or grantagreements. Depending on the circumstances of theaudit, auditors may find it necessary to obtaininformation on compliance matte rs from others , such asinvestigative staff, audit officials of government entitiesthat provided assistance to the auditee, and/or theapplicable law enforcement authority.

4.16 Auditors should exercise due professional care inpursuing indications of possible fraud and illegal acts soas not to interfere with potential future investigations,legal proceedings, or both. Under some circumstances,laws, regulations, or policies may require auditors toreport indications of certain types of fraud or illegalacts to law enforcement or investigatory authoritiesbefore extending audit steps and procedures. Auditorsmay also be required to withdraw from or defer further

work on the audit or a portion of the audit in order notto interfere with an investigation.

4.17 An audit made in accordance with GAGAS will notguarantee the discovery of illegal acts or contingentliabilities resulting from them. Nor does the subsequentdiscovery of illegal acts committed during the auditperiod necessarily mean that the auditors performancewas inadequate, provided the audit was made inaccordance with these standards.

5AICPA standards provide guidance for auditors who use the work

of a specialist who is not a member of the ir staff.


Due CareConcerning PossibleFraud and Illegal Acts


14/74

Page 13

4.18 The term noncompliance has a broader meaningthan illegal acts. Noncompliance includes not onlyillegal acts, but a lso violations of provisions ofcontracts or grant agreements . AICPA standards do notdiscuss auditors responsibility for detectingnoncompliance other than illegal acts . But, under

GAGAS, auditors have the same responsibilities fordetecting material misstatements arising from othertypes of noncompliance as they do for detecting thosearising from illegal acts .

4.19 Direct and material noncompliance isnoncompliance having a direct and material effect onthe determination of financial statement amounts.Auditors should design the audit to provide reasonableassurance of detecting material misstatements resulting

from direct and material noncompliance withprovisions of contracts or grant agreements.

4.20 Indirect noncompliance is noncompliance havingmaterial but indirect effects on the financial statements.A financial statement audit provides no assurance thatindirect noncompliance with provisions of contracts orgrant agreements will be detected. However, if specificinformation comes to the auditors attention thatprovides evidence concerning the existence of possible

noncompliance that could have a mater ial indirecteffect on the financial statements, auditors should applyaudit procedures specifically directed to ascertainingwhether that noncompliance has occurred.


Auditors should obtain a sufficient understanding

of inte rnal control to plan the audit and det erminethe nature, timing, and ex te nt of t est s t o beperformed.


Internal Control

NoncomplianceOther Than IllegalActs


15/74

Page 14

4.21.1 AICPA standards and GAGAS require that, in allaudits, auditors obtain an understanding of internalcontrol sufficient to plan the audit by performingprocedures to understand (1) the design of controlsrelevant to an audit of financial statements and(2) whether the controls have been placed in operat ion.

This understanding should include a consideration ofthe methods an ent ity uses to process accountinginformation because such methods influence the designof internal control. The extent to which computerizedinformation systems are used in significant accountingapplications, 5.1 as well as the complexity of thatprocessing, may also influence the nature, timing, andextent of audit procedures. Accordingly, in planning theaudit and in obtaining an understanding of internalcontrol over an entitys computer processing, auditors

should consider, among other things, such matters as

a. the extent to which computer processing is used ineach s ignificant accounting application;5.2

b. the complexity of the entitys computer operations;

c. the organizational structure of the computerprocessing act ivities; and

d. the kinds and competence of available evidentialmatter, in electronic and in paper formats , to achieveaudit objectives.

5.1Significant accounting applications are those which relate to

accounting information that can materially affect the financial

statements the auditor is auditing. Significant account ing applications

could include financial as well as other systems, such as management

information systems or systems that monitor compliance, if theyprovide data for material account balances, transaction classes, and

disclosure components of financial statements.

5.2 Obtaining an understanding of these elements would include

consideration of internal control related to security over computerized

information systems.



16/74

Page 15

4.21.2 AICPA standards and GAGAS require auditors todocument their understanding of the components of anentitys internal control related to computer applicationsthat process information used in preparing an entitysfinancial statements and, based on that understanding,to develop a planned audit approach in sufficient detail

to demonstrate its effectiveness in reducing audit risk.In doing so, under AICPA standards and GAGAS,auditors should consider whether specialized skills areneeded for considering the effect of computerizedinformation systemson the audit, understandinginternal control, or designing and performing auditprocedures, including tests of internal control. If theuse of a professional with specialized skills is planned,auditors should have sufficient computer-relatedknowledge to communicate the objectives of the other

professionals work; to evaluate whether the specifiedprocedures will meet the auditors objectives; and toevaluate the results of the procedures applied as theyrelate to the nature, timing, and extent of other plannedaudit procedures.

4.21.3 The additional internal control standard forfinancial statement audits is

In planning the audit, auditors should document in

the working papers ( 1) the basis for assessingcontrol risk at the maximum leve l for assertionsrelated to material account balances, transactionclasse s, and disclosure compone nts o f financialstate ments when such assertions are significantlydependent upon computerized information s yste msand ( 2) consideration that the planned auditproce dures are designed to achieve auditobjectives and to reduce audit risk to anacceptable level.

4.21.4 This additional GAGAS standard does notincrease the auditors responsibility for testing controls,but ra ther requires that, if auditors assess control risk atthe maximum level for assertions related to material



17/74

Page 16

account balances, transaction classes, and disclosurecomponents of financial statements when suchassertions are significantly dependent uponcomputer ized information systems, auditors shoulddocument in the working papers5 .3 the basis for thatconclusion by addressing (1) the ineffectiveness of the

design and/or operation of the controls, or (2) thereasons why it would be inefficient to tes t the controls.In such circumstances , GAGAS also require auditors todocument in the working papers the consideration thatthe planned audit procedures are designed to achievespecific audit objectives and, accordingly, to reduceaudit risk to an acceptable level. This documentat ionshould address

a. the rationale for determining the nature, timing, and

extent of planned audit procedures ;

b. the kinds and competence of available evidentialmatter produced outside a computerized informationsystem; and

c. the effect on the audit opinion or repor t if evident ialmatter to be gathered during the audit does not afford areasonable basis for the auditors opinion on thefinancial statements.

4.22 Safeguarding of assets and compliance with lawsand regulations are internal control objectives that areespecially important in conducting financial statementaudits in accordance with GAGAS of governmentalentities or others receiving government funds. Giventhe public accountability for stewardship of resources,safeguarding of assets permeates control objectives andcomponents as defined by the AICPA standards and

GAGAS. Also, the operation of government programsand the related transactions that materially affect theentitys financial statements are generally governed bylaws and regulations. Although GAGAS are not


5.3See paragraphs 4.34 through 4.38 for a discuss ion of the working paper

standards.


18/74

Page 17

prescribing additional internal control standards inthese areas, this chapter provides a discussionthatauditors may find useful in assessing audit risk and inobtaining evidence needed to support their opinion onthe financial statements in a governmental environment.

[Paragraphs 4.23 and 4.24 deleted.]

4.25 As applied to financial statement audits, internalcontrol over safeguarding of assets constitutes aprocess, effected by an entitys governing body,management, and other detection of unauthorizedacquisition, use, or disposition of the entitys assets thatcould have a material effect on the financial statements.

4.26 Internal control over the safeguarding of assetsrelates to the prevention or timely detection ofunauthorized transactions and unauthorized access toassets that could result in losses that are material to thefinancial statements; for example, when unauthorizedexpenditures or investments are made, unauthorizedliabilities are incurred, inventory is stolen, or assets areconverted to personal use. Such controls are designed tohelp ensure the use of and access to assets are inaccordance with managements authorization.

Authorization includes approval of transactions inaccordance with control activities established bymanagement to safeguard assets, such as establishing andcomplying with requirements for extending and monitoringcredit or making investment decisions, and relateddocumentation. Control over safeguarding of assets is notdesigned to protect against loss of assets arising frominefficiency or from managements operating decisions,such as incurring expenditures for equipment or materialthat proves to be unnecessary or unsatisfactory.

4.27 AICPA standards and GAGAS require auditors toobtain a sufficient unders tanding of internal control toplan the audit. They also require auditors to plan theaudit to provide reasonable assurance of detecting


Safeguarding ofAssets


19/74

Page 18

material fraud, including material misappropriation ofassets. Because preventing or detecting materialmisappropriations is an objective of control oversafeguarding of assets, understanding this type ofcontrol can be essential to planning the audit.

4.28 Control over safeguarding of assets is not limitedto preventing or detecting misappropriations, however.It also helps prevent or detect other material losses thatcould result from unauthorized acquisition, use, ordisposition of assets. Such controls include, forexample, the process of assessing the risk ofunauthorized acquisition, use, or disposition of assetsand establishing control activities to help ensure thatmanagement directives to address the risk are carriedout. Such control activities would include permitting

acquisition, use, or disposition of assets only inaccordance with managements general or specificauthorization, including compliance with establishedcontrol act ivities for such acquisition, use, ordisposition. They would also include comparingexisting assets with the related records at reasonableintervals and taking appropriate action with respect toany differences. Finally, controls over safeguarding ofassets against unauthorized acquisition, use, ordisposition also relate to making available to

management information it needs to car ry out itsresponsibilities related to prevention or timely detectionof such unauthorized activities, as well as mechanismsto enable management to monitor the continuedeffective operation of such controls.

4.29 Understanding the control over safeguarding ofassets can help auditors assess the r isk that financialstatements could be materially misstated. For example,an understanding of an auditees control over the

safeguarding of assets can help auditors recognize riskfactors such as

a. failure to adequately monitor decentralized operations;



20/74

Page 19

b. lack of control over activities, such as lack ofdocumentation for major transactions;

c. lack of control over computerized information systems,such as a lack of control over access to applications thatinitiate or control the movement of assets;

d. failure to develop or communicate adequate controlactivities for security of data or assets, such as allowingunauthorized personnel to have ready access to data orassets; and

e . failure to investigate significant unreconcileddifferences between reconciliations of a control accountand subsidiary records.

4.29.1 Governmental entities are subject to a variety oflaws and regulations that affect their financialstatements, which is a major factor distinguishinggovernmental accounting from commercial accounting.For example, such laws and regulations may address therequired fund structure, procurement or debtlimitations, or authority for transactions. Accordingly,compliance with such laws and regulations may have adirect and material effect on the determination ofamounts in the financial statements of governmental

entities. Likewise, organizations that receivegovernment assistance, such as contractors , nonprofitorganizations, and other nongovernmentalorganizations, are also subject to regulations, contractprovisions, or grant agreements that could have a directand material effect on their financial statements.Management, of both governmental entities and othersreceiving governmental assistance, is responsible forensuring that the entity complies with the laws andregulations applicable to its activities. Thatresponsibility encompasses the identification ofapplicable laws and regulations and the establishment ofcontrols designed to provide reasonable assurance thatthe entity complies with those laws and regulations.


Control OverCompliance With

Laws and

Regulations


21/74

Page 20

4.30 AICPA standards and GAGAS require auditors todesign the audit to provide reasonable assurance thatthe financial statements are free of materialmisstatements resulting from violations of laws andregulations that have a direct and mater ial effect on thedetermination of financial statement amounts . To meet

that requirement, auditors should have an understandingof internal control relevant to financial statementassertions affected by those laws and regulations.Auditors should use that understanding to ident ify typesof potential misstatements, consider factors that affectthe risk of material misstatement, and designsubstantive tests. For example, the following factorsmay influence the auditors assessment of control risk:

a. managements awareness or lack of awareness of

applicable laws and regulations;

b. auditee policy regarding such matters as acceptableoperating practices and codes of conduct; and

c. assignment of responsibility and delegation of authority todeal with such matters as organizational goals and objectives,operating functions, and regulatory requirements.

[Paragraphs 4.31 through 4.33 deleted.]


A record of the auditors work should be retainedin the fo rm of working papers.

4.35 The additional working paper standard forfinancial statement audits is

Working papers should cont ain sufficie ntinformation to e nable an ex perienced auditorhaving no previous connect ion with the audit t oascertain from them the e vidence that supports t heauditors significant conclusions and judgments .


Working Papers


22/74

Page 21

4.36 Audits done in accordance with GAGAS are subjectto review by other auditors and by oversight officialsmore frequently than audits done in accordance withAICPA standards. Thus, whereas AICPA standards citetwo main purposes of working papersproviding theprincipal support for the audit report and aiding auditors

in the conduct and supervision of the auditworkingpapers serve an additional purpose in audits performed inaccordance with GAGAS. Working papers allow for thereview of audit quality by providing the reviewer writtendocumentation of the evidence supporting the auditorssignificant conclusions and judgments.

4.37 Working papers should contain

a. the objectives, scope, and methodology, including any

sampling criteria used;

b. documentat ion of the work performed to supportsignificant conclusions and judgments , includingdescriptions of transactions and records examined thatwould enable an experienced auditor to examine thesame transactions and records;6 and

c. evidence of supervisory reviews of the work performed.

4.38 One factor underlying GAGAS audits is that federal,state, and local governments and other organizationscooperate in auditing programs of common interest sothat auditors may use others work and avoid duplicateaudit efforts. Arrangements should be made so thatworking papers will be made available, upon request, toother auditors. To facilitate reviews of audit quality andreliance by other auditors on the auditors work,contractual arrangements for GAGAS audits shouldprovide for access to working papers.


6Auditors may meet this requirement by listing voucher numbers,

check numbers, or other means of identifying specific documents they

examined. They are not required to include copies of documents they

examined in the working papers, nor are they required to list detailed

information from those documents .


23/74

Page 22

4.39 Certain AICPA standards address specific types offinancial related audits, and GAGAS incorporate thosestandards, as discussed below:7

a. SAS No. 75,Engagem ents to Apply Agreed-UponProcedures to Speci fi c Elements, Accounts, or Items of

a Fin ancial Statem ent;

b. SAS No. 62, Special Reports, for auditing specifiedelements, accounts, or items of a financial statement;

c. SAS No. 74, Com plian ce Audi tin g Consi derations i nAu di ts of Governm ental En ti ti es and Recipi ents ofGovernm ental Fin ancial Assi stance, for testingcompliance with laws and regulations applicable tofederal financial assistance programs;

d. SAS No. 70,Reports on the Processi ng ofTransactions by Service Organizations, for examiningdescriptions of internal control of service organizationsthat process transactions for others;

e . Statement on Standards for Attestation Engagements(SSAE) No. 1,Attestat ion Stan dards , as amended bySSAE No. 9,Am endm ents to Statem ent on Stan dards forAttestation Engagem ents Nos. 1, 2, and 3, for examining

or reviewing an entitys assertions about financialrelated matters not specifically addressed in otherAICPA standards;

f. SSAE No. 2,Reporting on an En ti ty s In ternal ControlOver Fin ancial Reporting, as amended by SSAE No. 9,Am endm ents to Statem ent on Standards for Attestati onEngagem ents Nos. 1, 2, and 3, for examining an entitysassertions about its internal control over financialreporting and/or safeguarding assets;


FinancialRelated Audits

7GAGAS incorporate any new AICPA field work standards relevant to

financial related audits unless GAO excludes them by formal

announcement.


24/74

Page 23

g. SSAE No. 3, Complian ce Attestation , as amended bySSAE No. 9,Am endm ents to Statem ent on Stan dards forAttestat ion Engagem ents Nos. 1 , 2 , and 3, for (1)examining or applying agreed-upon procedures to anentitys assertions about compliance with specifiedrequirements or (2) applying agreed-upon procedures to

an entitys assertions about inte rnal control overcompliance with laws and regulations; and

h. SSAE No. 4,Agreed-Upon Procedures Engagem ents,for applying agreed-upon procedures to (1) an entitysassertions about internal control over financial reportingand/or safeguarding of assets or (2) an entitysassertions about financial related mat ters notspecifically addressed in other AICPA standards.

4.40 Besides following applicable AICPA standards,auditors should follow this chapters audit follow-up andworking paper standards. They should apply or adapt theother standards and guidance in this chapter asappropriate in the circumstances. For financial relatedaudits not described above, auditors should follow the fieldwork standards for performance audits in chapter 6.8


8Chapter 2 provides examples of other types of financial related audits.


25/74

Purpose

Chapter 5Reporting Standards for Financial Audits

5.1 This chapter prescribes standards of reporting forfinancial audits, which include financial statementaudits and financial related audits.

5.2 For financial statement audits, generally accepted

government auditing standards (GAGAS) incorporatethe American Inst itute of Certified Public Accountants(AICPA) four generally accepted standards of reporting,which are:

a. The report shall state whether the financialstatements are presented in accordance with generallyaccepted accounting principles.

b. The report shall identify those circumstances in

which such principles have not been consistentlyobserved in the current period in relation to thepreceding period.

c. Informative disclosures in the financial statementsare to be regarded as reasonably adequate unlessotherwise stated in the report.

d. The report shall either contain an expression ofopinion regarding the financial statements, taken as awhole, or an assertion to the effect that an opinion cannotbe expressed. When an overall opinion cannot beexpressed, the reasons therefor should be stated. In allcases where an auditors name is associated withfinancial statements, the report should contain a clear-cutindication of the character of the auditors work, if any,and the degree of responsibility the auditor is taking.

5.3 The AICPA has issued s tatements on auditing

standards (SAS) that interpret its standards ofreporting.1 This chapter incorporates these SASs andprescribes additional standards on

Relation to AICPAStandards

Page 24

1GAGAS incorporate any new AICPA reporting standards relevant to





26/74

a. reporting compliance with GAGAS (see paragraphs5.11 through 5.14),

b. reporting on compliance with laws and regulationsand on internal controlover financial reporting (seeparagraphs 5.15 through 5.28),

c. privileged and confidential information (seeparagraphs 5.29 through 5.31), and

d. report distribution. (See paragraphs 5.32 through 5.35.)

5.4 This chapter concludes by explaining whichstandards auditors should follow in reporting the resultsof financial related audits.

[Paragraphs 5.5 through 5.10 and footnote 2 deleted.]

5.11 The first additional report ing standard forfinancial statement audits is

Audit reports s hould state that the audit was madein accordance with gene rally accepte d governmentauditing standards.

5.12 The above statement refers to all the applicablestandards that the auditors should have followed dur ingtheir audit. The statement should be qualified insituations where the auditors did not follow anapplicable standard. In these situations, the auditorsshould disclose the applicable standard that was notfollowed, the reasons therefor, and how not followingthe standard affected the results of the audit.

5.13 When the report on the financial statements issubmitted to comply with a legal, regulatory, orcontractual requirement for a GAGAS audit, it shouldspecifically cite GAGAS. The report on the financialstatements may cite AICPA standards as well as GAGAS.

ReportingCompliance WithGenerallyAcceptedGovernment

AuditingStandards

Page 25



27/74

5.14 The auditee may need a financial statement auditfor purposes other than to comply with requirementscalling for a GAGAS audit. For example, it may need afinancial statement audit to issue bonds. GAGAS do notprohibit auditors from issuing a separate report on thefinancial statements conforming only to the requirements

of AICPA standards. However, it may be advantageous touse a report issued in accordance with GAGAS for theseother purposes because it provides information oncompliance with laws and regulations and internalcontrol (as discussed below) that is not contained in areport issued in accordance with AICPA standards.

5.15 The second additional reporting standard forfinancial statement audits is

The report on the financial state ments s houldeither ( 1) describe t he scope of the auditorste sting of co mpliance with laws and regulationsand internal contro l over financial reporting andprese nt the results of those te sts or (2) refe r tothe s eparate report( s) containing thatinformation. In pres ent ing the results o f thosete sts , auditors s hould report fraud, illegal acts,ot her mate rial noncompliance , and reportableconditions in inte rnal control over financialreporting.3 In some circumstance s, auditors shouldreport fraud and illegal acts directly to partie sex te rnal to the audited entit y.

5.16 Auditors may report on compliance with laws andregulations and internal control over financial reportingin the report on the financial statements or in separatereport(s ). When auditors report on compliance and

Page 26

Reporting on

Compliance WithLaws and

Regulations and

on Internal

ControlOver

Financial

Reporting

3These responsibilities are in addition to and do not modify auditors

responsibilities under AICPA standards to (1) address the effect fraud or

illegal acts may have on the repor t on the financial statements and (2)

determine that the audit committee or others with equivalent author ity

and re spons ibility are adequately informed about fraud, illegal acts, and

reportable conditions.



28/74

internal control over financial reporting in the report onthe financial statements, they should include anintroduction summarizing key findings in the audit ofthe financial statements and the related compliance andinternal control work. Auditors should not issue thisintroduction as a stand-alone report.

5.16.1 When auditors report separately (includingseparate reports bound in the same document) oncompliance with laws and regulations and internalcontrol over financial reporting, the report on thefinancial statements should state that they are issuingthose additional reports. The report on the financialstatements should also state that the reports oncompliance with laws and regulations and internalcontrol over financial reporting are an integral part of a

GAGAS audit, and, in considering the results of theaudit, these reports should be read along with theauditors report on the financial statements.

5.17 Auditors should report the scope of their testing ofcompliance with laws and regulations and of internalcontrol over financial reporting, including whether ornot the tests they performed provided sufficientevidence to support an opinion on compliance or

internal control over financial reporting and whether theauditors are providing such opinions.

5.18 When auditors conclude, based on evidenceobtained, that fraudor an illegal act either has occurredor is likely to have occurred,4 they should reportrelevant information. Auditors need not reportinformation about fraud or an illegal act that is clearlyinconsequential. Thus, auditors should present in a

Page 27

Scope of Complianceand Internal ControlWork

Fraud, Illegal Acts,and OtherNoncompliance

4Whether a part icular act is, in fact, illegal may have to await final

determination by a court of law. Thus, when auditors disclose matters

that have led them to conclude that an illegal act is likely to have

occurred, they should take care not to imply that they have made a

determination of illegality.



29/74

report the same fraud and illegal acts that they report toaudit committees under AICPA standards. Auditorsshould also report other noncompliance (for example, aviolation of a contract provision) that is material to thefinancial statements.

5.19 In reporting material fraud, illegal acts, or othernoncompliance, the auditors should place their findings inproper perspective. To give the reader a basis for judgingthe prevalence and consequences of these conditions, theinstances identified should be related to the universe orthe number of cases examined and be quantified in termsof dollar value, if appropriate.5 In presenting materialfraud, illegal acts , or other noncompliance, auditorsshould follow chapter 7s repor t contents standards forobjectives, scope, and methodology; audit results; views

of responsible officials; and its report presentationstandards, as appropriate. Auditors may provide lessextensive disclosure of fraud and illegal acts that are notmaterial in either a quantitat ive or qualitative sense.6

5.20 When auditors detect fraud, illegal acts, or othernoncompliance that do not meet paragraph 5.18scriteria for reporting, they should communicate thosefindings to the auditee, preferably in writing. If auditorshave communicated those findings in a management

letter to top management, they should refer to thatmanagement letter when they report on compliance.

5Audit findings have often been regarded as containing the elements of

criteria, condition, and effect, plus cause when problems are found. However,

the elements needed for a finding depend entirely on the objectives of the

audit. Reportable conditions and noncompliance found by the auditor may

not always have all of these elements fully developed, given the scope and

objectives of the specific financial audit. However, auditors should identify at

least the condition, criteria, and possible asserted effect to provide sufficient

information to federal, state, and local officials to permit them to determine

the effect and cause in order to take prompt and proper corrective action.

6Chapter 4 provides guidance on factors that may influence auditors

materiality judgments in audits of government entities or en tities

rece iving government ass istance . AICPA standards provide guidance on

the interaction of quantitative and qualitative cons iderations in

mater iality judgments.

Page 28



30/74

Auditors should document in their working papers allcommunications to the auditee about fraud, illegal acts,and other noncompliance.

5.21 GAGAS require auditors to report fraud or illegal

acts directly to par ties outside the auditee in twocircumstances, as discussed below. These requirementsare in addition to any legal requirements for directreporting of fraud or illegal acts. Auditors should meetthese requirements even if they have resigned or beendismissed from the audit.7

5.22 The auditee may be required by law or regulation toreport certain fraud or illegal acts to specified externalpart ies (for example, to a federal inspector general or a

state attorney general). If auditors have communicatedsuch fraud or illegal acts to the auditee, and it fails toreport them, then the auditors should communicate theirawareness of that failure to the auditees governing body.If the auditee does not make the required report as soonas practicable after the auditors communication with itsgoverning body, then the auditors should report the fraudor illegal acts directly to the external party specified inthe law or regulation.

5.23 Management is responsible for taking timely andappropriate steps to remedy fraud or illegal acts thatauditors report to it. When fraud or an illegal actinvolves assistance received directly or indirectly from agovernment agency, auditors may have a duty to reportit directly if management fails to take remedial steps. Ifauditors conclude that such failure is likely to causethem to depart from the standard report on the financialstatements or resign from the audit, then they shouldcommunicate that conclusion to the auditees governing

body. Then, if the auditee does not report the fraud orillegal act as soon as pract icable to the entity that

Direct Reporting of

Fraud and IllegalActs

Page 29

7Internal auditors auditing within the ent ity that employs them do not

have a du ty to repor t outside that entity.



31/74

provided the government assistance, the auditors shouldreport the fraud or illegal act direct ly to that entity.

5.24 In both of these situations, auditors should obtainsufficient, competent , and relevant evidence (forexample, by confirmation with outside parties) to

corroborate assertions by management that it hasreported fraud or illegal acts . If they are unable to doso, then the auditors should repor t the fraud or illegalacts directly as discussed above.

5.25 Chapter 4 reminds auditors that under somecircumstances, laws, regulations, or policies mayrequire them to report promptly indications of certaintypes of fraud or illegal acts to law enforcement orinvestigatory authorities. When auditors conclude that

this type of fraud or illegal act either has occurred or islikely to have occurred, they should ask thoseauthorities and/or legal counsel if reporting certaininformation about that fraud or illegal act wouldcompromise investigative or legal proceedings.Auditors should limit their reporting to matters thatwould not compromise those proceedings, such asinformation that is already a part of the public record.

5.26 Auditors should report deficiencies in internalcontrol that they consider to be reportable conditionsas defined in AICPA standards. The following areexamples of matters that may be reportable conditions:

a. absence of appropriate segregation of dutiesconsistent with appropriate control objectives;

b. absence of appropriate reviews and approvals oftransactions, accounting entries, or systems output;

c. inadequate provisions for the safeguarding of assets;

d. evidence of failure to safeguard assets from loss ,damage, or misappropriation;

Page 30

Deficiencies inInternal Control



32/74

e . evidence that a system fails to provide complete andaccurate output consistent with the auditees controlobjectives because of the misapplication of controlprocedures;

f. evidence of intentional override of internal control by

those in authority to the detriment of the overallobjectives of the system;

g. evidence of failure to perform tasks that are part ofinternal control, such as reconciliations not prepared ornot timely prepared;

h. absence of a sufficient level of control consciousnesswithin the organization;

i. significant deficiencies in the design or opera tion ofinterna l control that could result in violations of lawsand regulations having a direct and material effect onthe financial statements; and

j. failure to follow up and correct previously identifieddeficiencies in internal control.8

5.27 In reporting reportable conditions, auditors shouldidentify those that are individually or cumulatively material

weaknesses.9 Auditors should follow chapter 7s reportcontents standards for objectives, scope, and methodology;audit results; and views of responsible officials; and itsreport presentation standards, as appropriate.

5.28 When auditors detect deficiencies in internalcontrol that a re not reportable conditions, they shouldcommunicate those deficiencies to the auditee,preferably in writing. If the auditors havecommunicated other deficiencies in internal control in a

Page 31

8Chapter 4s audit follow-up standard requires auditors to report the

status of uncorrected material findings and recommendations from prior

audits that a ffect the financial statement audit.

9See footnote 5.



33/74

management letter to top management, they shouldrefer to that management letter when they report oninterna l control. All communications to the auditeeabout deficiencies in internal control should bedocumented in the working papers.

5.29 The third additional reporting standard forfinancial statement audits is

If certain information is prohibited from gene raldisclosure, the audit report should state the natureof the information o mitte d and the requirementthat makes the o mission neces sary.

5.30 Certain information may be prohibited from

general disclosure by federal, state, or local laws orregulations. Such information may be provided on aneed-to-know basis only to persons authorized by law orregulation to receive it.

5.31 If such requirements prohibit auditors fromincluding pertinent data in the report, they should statethe nature of the information omitted and therequirement that makes the omission necessary. Theauditors should obtain assurance that a valid

requirement for the omission exists and, whenappropriate, consult with legal counsel.

5.32 The fourth additional report ing standard forfinancial statement audits is

Writte n audit reports are t o be s ubmitt ed by theaudit o rganization to the appropriate officials o fthe audite e and to the appropriate officials of t he

organizations requiring or arranging for the audit s,including ex te rnal funding organizations, unles slegal restrictions preve nt it. Copies o f the reportsshould also be se nt to othe r officials who havelegal oversight authority or who may be

Page 32

Privileged and

Confidential

Information

Report

Distribution



34/74

responsible for acting on audit findings andrecommendations and to othe rs authorized toreceive such reports. Unless res tricted by law orregulation, copie s s hould be made available forpublic inspect ion.10

5.33 Audit reports should be distributed in a timelymanner to officials interested in the results. Suchofficials include those designated by law or regulation toreceive such reports, those responsible for acting on thefindings and recommendations, those of other levels ofgovernment that have provided assistance to theauditee, and legislators. However, if the subject of theaudit involves material that is classified for securitypurposes or not releasable to part icular parties or thepublic for other valid reasons, auditors may limit the

report distribution.

5.34 When public accountants are engaged, theengaging organization should ensure that the report isdistributed appropriately. If the public accountants areto make the distribution, the engagement agreementshould indicate what officials or organizations shouldreceive the report.

5.35 Internal auditors should follow their entitys own

arrangements and statutory requirements for distribution.Usually, they report to their entitys top managers, whoare responsible for distribution of the report.

5.36 Certain AICPA standards address specific types offinancial related audits, and GAGAS incorporate thosestandards, as discussed below:11

Page 33

10See the Single Audit Act Amendments of 1996 and Office of

Management and Budget (OMB) Circular A-133 for the d istribution of

reports on single audits of state and local governmenta l entities and

nonprofit organizations that receive federal awards.

11GAGAS incorporate any new AICPA reporting standards relevant to

financial related audits un less GAO excludes them by formal

announcement.

Financial RelatedAudits



35/74

a. SAS No. 75,Engagem ents to Apply Agreed-UponProcedures to Speci fi c Elements, Accounts, or Items ofa Finan cial Statem ent;

b. SAS No. 62, Special Reports, for auditing specifiedelements, accounts, or items of a financial statement;

c. SAS No. 74, Com plian ce Audi tin g Consi derations i nAudi ts of Governm ental En ti ties and Recipi ents ofGovernm ental Fin ancial Assi stance, for testingcompliance with laws and regulations applicable tofederal financial assistance programs;

d. SAS No. 70,Reports on the Processing ofTransactions by Service Organizations, for examiningdescriptions of internal control of service organizations

that process transactions for others;

e . Statement on Standards for Attestation Engagements(SSAE) No. 1,Attestat ion Stan dards , as amended bySSAE No. 9,Am endm ents to Statem ent on Stan dardsfor Attestat ion Engagem ents Nos. 1, 2, and 3, forexamining or reviewing an entitys assertions aboutfinancial related matters not specifically addressed inother AICPA standards;

f. SSAE No. 2,Reporting on an En ti ty s In ternal ControlOver Financial Reporting, as amended by SSAE No. 9,Am endm ents to Statem ent on Stan dards for AttestationEn gagem ents Nos. 1, 2, and 3, for examining an entitysassertions about its internal control over financialreporting and/or safeguarding assets;

g. SSAE No. 3, Com plian ce Attestati on , as amended bySSAE No. 9,Am endm ents to Statem ent on Stan dards

for Attestat ion Engagem ents Nos. 1, 2, and 3, for (1)examining or applying agreed-upon procedures to anentitys assertions about compliance with specifiedrequirements or (2) applying agreed-upon procedures toan entitys asser tions about internal control overcompliance with laws and regulations; and

Page 34



36/74

h. SSAE No. 4,Agreed-Upon Procedures Engagem ents,for applying agreed-upon procedures to (1) an entitysassertions about internal control over financialreporting and/or safeguarding of assets or (2) an entitysassertions about financial related mat ters notspecifically addressed in other AICPA standards.

5.37 Besides following applicable AICPA standards,auditors should follow this chapters first (GAGASreference), third (privileged and confidentialinformation), and fourth (report distribution) additionalstandards of reporting. They should apply or adapt theother standards and guidance in this chapter asappropriate in the circumstances. For financial relatedaudits not described above, auditors should follow thereporting standards for performance audits in chapter 7.12

Page 35

12Chapter 2 provides examples of other types of financial related audits.



37/74

Chapter 4Field Work Standards for Financial Audits

This amendment to Government Auditing Sta ndards(1994 revision) establishes a new field work s tandardand revises a reporting standard for financialstatement aud its to improve aud itor communica tionconcerning the aud itors work on complia nce withlaws and regula tions and internal control over

financia l reporting with users of the aud itors reports.This standa rd is effective for financial sta tementaud its of periods ending on or after January 1, 2000.Ea rlier a pplication is permissible.

4.1 This chapter prescribes standards of field work forfinancial audits, which include financial statementaudits and financial related audits.

4.2 For financial statement audits, generally acceptedgovernment auditing standards (GAGAS) incorporatethe American Inst itute of Certified Public Accountants(AICPA) three generally accepted standards of fieldwork, which are:

a. The work is to be adequately planned and assistants,if any, are to be properly supervised.

b. A sufficient understanding of internal control is to beobtained to plan the audit and to determine the nature,timing, and extent of tests to be performed.

c. Sufficient competent evident ial matter is to beobtained through inspection, observation, inquiries, andconfirmations to afford a reasonable basis for anopinion regarding the financial statements under audit.

4.3 The AICPA has issued s tatements on auditingstandards (SAS) that interpret its standards of fieldwork (including a SAS on compliance auditing).1 This

Appendix I

Relation to AICPAStandards

Page 36

Purpose

1 GAGAS incorporate any new AICPAfi eld w or k standards r elevant to




38/74

chapter incorporates these SASs and prescribesadditional standards on

a . a ud itor communica t ion ( s ee pa ra gra phs 4.6 .3through 4 .6.9) ,

ab . audit follow-up (see paragraphs 4.7, 4.10, and 4.11),

bc. noncompliance o ther than illegal acts (seeparagraphs 4.13 and 4.18 through 4.20),

cd. documentat ion requirements when assessing controlrisk at maximum for controls significantly dependentupon computerized information systems (seeparagraphs 4.21.1 through 4.21.4), and

de. working papers. (See paragraphs 4.34 through 4.38.)

4.4 This chapter alsod is cus s es presents discussionsof three other key aspects of financial statement audits:

a. mater iality (see paragraphs 4.86.1 and 4.96.2 ),

b. fraud and illegal acts (see paragraphs 4.14 through4.17), and

c. internal control. (See paragraphs 4.22 and 4.25through 4.30.)

4.5 This chapter concludes by explaining whichstandards auditors should follow in performing financialrelated audits.

4.6 AICPA standards and GAGAS require the following:

The work is to be properly planned, and auditorsshould consider materiality, among ot her matters,in dete rmining the nature, timing, and ex te nt ofauditing proce dures and in evaluating the res ultsof those procedures.

Appendix I

Page 37

Planning


39/74

4.86.1 Auditors consideration of materiality is a matter ofprofessional judgment and is influenced by their perceptionof the needs of a reasonable person who will rely on thefinancial statements. Materiality judgments are made inlight of surrounding circumstances and necessarily involveboth quantitative and qualitative considerations.

4.96.2 In an audit of the financial statements of agovernment entity or an entity that receives governmentassistance, auditors may set lower materiality levels thanin audits in the private sector because of the publicaccountability of the auditee, the various legal andregulatory requirements, and the visibility and sensitivityof government programs, activities, and functions.

4.6 .3 The firs t a d d it iona l pla nning s ta nd a rd forfina ncia l s ta tement a ud its is

Aud itors s hould communica te informa t ion to thea ud itee, the ind ivid ua ls contra ct ing for orreques t ing the a ud it s ervice s , a nd the a ud itcommit tee rega rd ing the na ture a nd extent ofp la nned tes t ing a nd report ing on complia nce w ithlaw s a nd regulations a nd internal control overfina ncia l report ing .

4.6 .4 AICPA s ta nda rd s a nd GAGAS requirea ud itors to es ta bli sh a n unders ta nd ing w ith thecli ent a nd to communica te w ith a ud it commit tees .GAGAS broa den w ho audit ors must communica tew ith and require a uditors to communica te specificinforma tion rega rding the nat ure and extent oftes t ing a nd report ing on complia nce w ith la w s a ndregula t ions a nd interna l control over fina ncia lreport ing during the p la nning s ta ges of a fina ncia l

s ta tement a ud it to red uce the ris k tha t the needsor expect a t ions of t he pa rt ies involv ed ma y bemis interpreted .

Appendix I

Aud itorCommunication

Page 38


40/74

4.6 .5 The a ud itee i s the orga niz a t ion or ent itybeing a ud ited . Aud itors s hould communica tetheir res ponsibilit ies for the engagem ent to thea ppropria te officia ls of the audit ee (w hich w ouldnormally include the hea d of the organiz a tion, thea udit committee or b oard of d irectors or other

equivalent oversight bod y in the abs ence of ana udit commit tee , a nd the individua l w ho posses sesa sufficient level of a ut hority a nd res ponsibility forthe financia l rep orting process , s uch a s the chieffina ncia l officer) . In s it ua tions w here audit ors a reper forming the audit under a contra ct w ith a pa rtyother tha n the audit ee, or pursua nt to a third -pa rtyreq ues t , a ud itors should a ls o communica te w ith theindividua ls contra cting for or requesting the audit,such as cont ra ct ing officia ls or legis la tive members

or s ta ff. When a uditors a re per forming the auditpursuant to a la w or reg ula tion, a ud itors shouldcommunica te w it h the legis la tive mem bers or s ta ffw ho have oversight of the aud itee.1 .1

4.6.6 During the pla nning s ta ges of a n a udit ,a uditors should communica te their res pons ibili t iesin a financial st a tement a udit, including theirrespons ibili t ies for tes t ing a nd report ing oncomplia nce w ith la w s a nd regula t ions a nd

internal control over financial reporting. Suchcommunica t ion should include the na ture of a nya ddit iona l tes t ing of complia nce a nd interna lcontrol required by la w s a nd regula tions orotherw ise reques ted , and w hether the a ud itors a repla nning on provid ing opinions on complia ncewith law s a nd regulat ions a nd internal controlover fina ncia l report ing.

Appendix I

Page 39

1.1 This requirement appl ies only to s i tuat ions w here the law or

regula t io n s peci fi ca lly ident ifi es the ent it y to b e a ud it ed , s uch a sa n a ud it o f a s peci fi c a gency s fina nci a l s ta tements requir ed by

the Chief Fin a nci a l Office rs Act , a s expa nded by the Government

Ma na gement Reform Act of 1994 . S itua t io ns w here the fina nci a l

s ta tement a ud it ma nd a te a ppli es to e nt it ies not s peci fi ca lly

identified, such as aud its required b y the Single Audit Act

Am endments of 19 96, a re excluded .


41/74

4.6.7 Aud itors s hould use their p rofes siona l jud gmentto det ermine the form and content of thecommunication. Writ ten communication is p referred .Aud itors s hould d ocum ent the communica tion in theworking papers. Auditors may use an engagementletter to communicate the informa tion described in

para gra ph 4.6.6. To assis t in und erstand ing thelimita tions of aud itors responsibilities for test ing a ndrepor ting on compliance and interna l control overfinancial reporting, aud itors may w ant to contra stthose responsib ilit ies w ith other financia l rela tedaud it s of compliance and controls . The dis cussion inpara gra phs 4.6.8 and 4.6.9 ma y be helpful to aud itorsin explaining their responsibilities for test ing andreporting on compliance with laws and regula tionsand interna l control over fina ncia l repor ting to the

aud itee a nd other interes ted parties.

4.6.8 Tes ts of complia nce w ith la w s a ndregula tions a nd interna l control over fina ncia lreport ing in a fina ncia l s ta tement a udit contributeto the evidence supporting the a uditors opinion onthe fina ncia l s ta tements . How ever, t hey genera llydo not provide a ba s is for opining on complia nceor interna l control over fina ncia l reporting. Tomeet certa in a ud it report users needs , la w s a nd

regula tions somet imes prescr ibe tes t ing a ndreporting on complia nce a nd interna l control overfina ncia l reporting to supplement the fina ncia ls ta tement a udits covera ge of these a rea s . 1 .2

Appendix I

Page 40

1.2For ex a mple, w hen eng a ged to perform a udit s und er the Sin gle

Audit Act of s ta te a nd loca l gov ernm ent en t it ie s a nd nonprofit

or ga ni z a t ions tha t receiv e feder a l a w a rds , audit or s s hould be

fa mil ia r w it h the Sin gle Audit Act Am en dment s of 1996 a nd Office

of Ma na gement a nd Bud get (OMB) Cir cu la r A-133. T he a ct a nd

circula r include specific a udit req uir ement s , ma in ly in the a rea s

of complia nce w it h la w s a nd regula tions a nd in ter na l cont rol ,

tha t exceed the min im um a ud it req uir ement s in the s ta nd a rds incha pter s 4 a nd 5 of this docum en t . Audit s conducted und er the

Chief Financia l Officers Act of 1990, as exp and ed by the

Government Mana gement Reform Act of 1994, also ha ve sp ecific

a ud it requi rement s prescr ib ed by OMB in the a rea s of

complia nce a nd in ter na l cont rol . Many s ta te a nd loca l

gov ernment s ha ve a ddit iona l a ud it requi rement s .


42/74

4.6.9 Even a fter a ud itors per form a nd rep ort theres ults of addit iona l tes ts of compliance a nd int erna lcont rol over financia l repor ting req uired by la w s a ndreg ula tions , some rea sona ble needs of report userss t ill ma y be unm et . Audit ors ma y meet thes e needsby per forming further tes ts of compliance a nd

internal control in either of tw o wa y s:

a . s upplementa l ( or a greed -upon) proced ures or

b . exa mina t ion, res ult ing in a n opinion.

Aud it Follow -up 4.7 Thes econdadditional planning standard forfinancial statement audits is

Auditors should follow up on known material

findings and recommendations from previous audits .

[Pa ra gra phs 4.8 a nd 4.9 ha ve been moved a ndrenumbered to pa ra gra phs 4.6 .1 a nd 4.6 .2 .]

Audit Follow-up 4.10 Auditors should follow up on known materialfindings and recommendat ions from previous audits thatcould affect the financial statement audit. They shoulddo this to determine whether the auditee has takentimely and appropriate corrective actions. Auditorsshould report the status of uncorrected material findingsand recommendations from prior audits that affect thefinancial statements.

4.11 Much of the benefit from audit work is not in thefindings reported or the recommendations made, but intheir effective resolution. Auditee management isresponsible for resolving audit findings and

recommendations, and having a process to track theirstatus can help it fulfill this responsibility. If managementdoes not have such a process, auditors may wish toestablish their own. Continued attention to materialfindings and recommendations can help auditors assurethat the benefits of their work are realized.

Appendix I

Page 41

Materiality


43/74


a. Auditors should design the audit to providereasonable ass urance o f dete cting irregularitie sfraud that are is material to the financial statements .2

b. Audito rs should design the audit to providereasonable ass urance of det ect ing mate rialmisst atements resulting from direct and materialillegal acts.3

c. Auditors should be aware of the possibility thatindirect illegal acts may have occurred.4 If specificinformation comes to the auditors attention thatprovides evidence concerning the existence of possibleillegal acts that could have a material indirect effect on

the financial statements, the auditors should applyaudit procedures specifically directed to ascertainingwhether an illegal act has occurred.

4.13 The additional compliance standard for financialstatement audits is

Audito rs should design the audit t o providereasonable ass urance of det ect ing mate rialmisst atements resulting from noncompliance with

Appendix I

Page 42

Irregularities

Fra ud, Illegal

Acts, and Other

Noncompliance

2Irregularities are intentional misstatements or omissions of

amounts or disclosures in financial statements. Two ty pes of

mis s ta tements a re releva nt to t he a ud itors cons idera t io n of

fra ud in a fina ncia l s ta tement a ud it mis s ta tement s a ris ing

fr om fr a udulent f in a ncia l s ta tements a nd mis s ta tements

a ris in g from mis a pprop ria t ion of a s s et s . The p rima ry fa ct or

tha t d is t inguis hes fr a ud fr om error i s w hether t he

underly ing act ion that resul ts in the miss ta tement in the

fina nci a l s ta tements is intent ion a l or u nin tent io na l.

3Direct and mater ial illegal acts ar e violations of laws and

regulations having a direct and material effect on the determination

of financial statement amounts.

4Indirect illegal acts a re violations of laws and regulations having

material but indirect effects on the financial statements.


44/74

provisions o f contracts or grant agree ments t hathave a direct and material effect on t hedete rmination of financial stat ement amounts. Ifspecific information comes to t he auditorsatte ntion that provides e vidence concerning theex istence of possible noncompliance that could

have a material indirect effe ct o n the financialstat ement s, auditors should apply auditproce dures specifically direct ed t o as certainingwhether that noncompliance has occurred.

4.14 Auditors are responsible for being aware of thecharacteristics and types of potentially materialirregularitiesfr a ud that could be associated with thearea being audited so that they can plan the audit to

provide reasonable assurance of detecting materialirregularitiesfra ud.

4.15 Auditors should obtain an understanding of thepossible effects on financial statements of laws andregulations that are generally recognized by auditors tohave a direct and material effect on the determination ofamounts in the financial statements. Auditors may findit necessary to use the work of legal counsel in(1) determining which laws and regulations might have

a direct and material effect on the financial statements,(2) designing tests of compliance with laws andregulations, and (3) evaluating the results of thosetests.5 Auditors also may find it necessary to use thework of legal counsel when an audit requires testingcompliance with provisions of contracts or grantagreements. Depending on the circumstances of theaudit, auditors may find it necessary to obtaininformation on compliance matters from others, such asinvestigative staff, audit officials of government entities

that provided assistance to the auditee, and/or theapplicable law enforcement authority.

Appendix I

Page 43

AuditorsUnderstanding ofPossible

IrregularitiesFra udand of Laws andRegulations

5AICPA standards provide guidance for auditors who use the work

of a specialist who is not a member of the ir staff.


45/74

4.16 Auditors should exercise due professional care inpursuing indications of possible irregularitiesfra udandillegal acts so as not to interfere with potential futureinvestigations, legal proceedings, or both. Under somecircumstances, laws, regulations, or policies may requireauditors to report indications of certain types of

irregularitiesfra udor illegal acts to law enforcement orinvestigatory authorities before extending audit steps andprocedures. Auditors may also be required to withdrawfrom or defer further work on the audit or a portion of theaudit in order not to interfere with an investigation.

4.17 An audit made in accordance with GAGAS will notguarantee the discovery of illegal acts or contingentliabilities resulting from them. Nor does the subsequentdiscovery of illegal acts committed during the audit

period necessarily mean that the auditors performancewas inadequate, provided the audit was made inaccordance with these standards.

4.18 The term noncompliance has a broader meaningthan illegal acts. Noncompliance includes not only illegalacts, but also violations of provisions of contracts orgrant agreements. AICPA standards do not discussauditors responsibility for detecting noncompliance

other than illegal acts. But, under GAGAS, auditors havethe same responsibilities for detecting materialmisstatements arising from other types of noncomplianceas they do for detecting those arising from illegal acts.

4.19 Direct and mater ial noncompliance isnoncompliance having a direct and material effect onthe determination of financial statement amounts.Auditors should design the audit to provide reasonableassurance of detecting material misstatements resultingfrom direct and material noncompliance with provisionsof contracts or grant agreements.

4.20 Indirect noncompliance is noncompliance havingmaterial but indirect effects on the financial statements.

Appendix I

Page 44

Due Care ConcerningPossibleIrregularitiesFra udand Illegal Acts

Noncompliance OtherThan Illegal Acts


46/74

A financial statement audit provides no assurance thatindirect noncompliance with provisions of contracts orgrant agreements will be detected. However, if specificinformation comes to the auditors attention thatprovides evidence concerning the existence of possiblenoncompliance that could have a material indirect effect

on the financial statements, auditors should apply auditprocedures specifically directed to ascertaining whetherthat noncompliance has occurred.


Auditors should obtain a sufficient understanding ofinternal control to plan the audit and determine thenature, timing, and ex tent of te sts to be performed.

4.21.1 AICPA standards and GAGAS require that, in allaudits, the auditors obtain an understanding of internalcontrol sufficient to plan the audit by performingprocedures to understand (1) the design of controlsrelevant to an audit of financial statements and (2)whether the controls have been placed in operation.This understanding should include a consideration ofthe methods an ent ity uses to process accountinginformation because such methods influence the design

of internal control. The extent to which computerizedinformation systems are used in significant accountingapplications, 5.1 as well as the complexity of thatprocessing, may also influence the nature, timing, andextent of audit procedures. Accordingly, in planning theaudit and in obtaining an understanding of internalcontrol over an en titys computer processing, theauditors should consider, among other things, suchmatters as

Appendix I

Page 45

Internal Control

5.1Significant accounting applications are those which relate to

accounting information that can materially affect the financial

statements the auditor is auditing. Significant accounting applications

could include financial as well as other systems , such as management

information systems or systems that monitor compliance , if they provide

data for mate rial account balances, transaction classes, and disclosure

components of financial statements.


47/74

a. the extent to which computer processing is used ineach s ignificant accounting application;5.2

b. the complexity of the entitys computer operat ions;

c. the organizational structure of the computer

processing act ivities; and

d.the kinds and competence of available evidential matter,in electronic and in paper formats, to achieve auditobjectives.

4.21.2 AICPA standards and GAGAS require auditors todocument their understanding of the components of anentitys internal control related to computer applicationsthat process information used in preparing an entitys

financial statements and, based on that understanding, todevelop a planned audit approach in sufficient detail todemonstrate its effectiveness in reducing audit risk. Indoing so, under AICPA standards and GAGAS, theauditors should consider whether specialized skills areneeded for considering the effect of computerizedinformation systemson the audit, understanding internalcontrol, or designing and performing audit procedures,including tests of internal control. If the use of aprofessional with specialized skills is planned, the

auditors should have sufficient computer-relatedknowledge to communicate the objectives of the otherprofessionals work; to evaluate whether the specifiedprocedures will meet the

Government Auditing Standards Amendment II

Documents

Transcript of Government Auditing Standards Amendment II