4.01 This chapter establishes field work standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). This chapter identifies the American Institute of Certified Public Accountants (AICPA) field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS.
a. For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS.46
b. Under AICPA standards and GAGAS, auditors must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in their professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by auditors is expressed in the auditor's report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.
4.03 The three AICPA generally accepted standards of field work are as follows:47
b. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures.
4.04 GAGAS establish field work standards for financial audits in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to:
4.05 Under AICPA standards and GAGAS, auditors should communicate with the audited entity their understanding of the services to be performed for each engagement and document that understanding through a written communication.48 GAGAS broaden the parties included in the communication and the items for the auditors to communicate.
4.06 Under GAGAS, when planning the audit, auditors should communicate certain information in writing to management of the audited entity, those charged with governance,49 and to the individuals contracting for or requesting the audit. When auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS:
a. The nature of planned work and level of assurance to be provided related to internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements.
4.07 Under AICPA standards and GAGAS, tests of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements in a financial statement audit contribute to the evidence supporting the auditors' opinion on the financial statements or other conclusions regarding financial data. However, such tests generally are not sufficient in scope to provide an opinion on the effectiveness of internal control over financial reporting or compliance with laws, regulations, and provisions of contracts or grant agreements. To meet the needs of certain audit report users, laws and regulations sometimes prescribe supplemental testing and reporting on internal control over financial reporting and compliance with laws, regulations, and provisions of contracts and grant agreements.50
4.08 If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.
4.09 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the financial statements. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.
4.10 Auditors should design the audit to provide reasonable assurance of detecting misstatements that result from violations of provisions of contracts or grant agreements and could have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives.
4.11 If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether such violations have occurred . When the auditors conclude that a violation of provisions of contracts or grant agreements has or is likely to have occurred, they should determine the effect on the financial statements as well as the implications for other aspects of the audit.
4.12 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
4.13 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.
4.14 Audit findings may involve deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. The elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied. When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the audit objectives. The elements of an audit finding are discussed in paragraphs 4.15 through 4.18.
4.15 Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings.
4.17 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference.
4.18 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, "effect" is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.
4.19 Under AICPA standards and GAGAS, auditors must prepare audit documentation in connection with each audit in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached.51 Under AICPA standards and GAGAS, auditors should prepare audit documentation that enables an experienced auditor,52 having no previous connection to the audit, to understand
4.20 Under GAGAS, auditors also should document, before the audit report is issued, evidence of supervisory review of the work performed that supports findings, conclusions, and recommendations contained in the audit report.
4.21 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)
4.22 Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for record retention. Whether audit documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors' knowledge, or if the documentation is lost or damaged. For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation.
4.23 Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform a financial audit in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors' work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals, as well as audit documentation.
4.24 Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.
4.25 Due to the audit objectives and public accountability of GAGAS audits, there may be additional considerations for financial audits completed in accordance with GAGAS. These considerations relate to
4.26 Under both AICPA standards and GAGAS, the auditors' responsibility is to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by errors or fraud, are detected.53 The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of financial statements in conformity with generally accepted accounting principles, while other matters are not important. In performing the audit, matters that, either individually or in the aggregate, could be material to the financial statements are a primary consideration.54 Additional considerations may apply to GAGAS financial audits of government entities or entities that receive government awards. For example, in audits performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.55
4.27 Under both the AICPA standards56 and GAGAS, auditors should plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.57 Recognizing the possibility that a material misstatement due to fraud could be present is important for achieving this objective. However, absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud.
4.28 Under both the AICPA standards58 and GAGAS, auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from illegal acts that could have a direct and material effect on the financial statements.59 If specific information comes to the auditors' attention that provides evidence concerning the existence of possible illegal acts60 that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred. When an illegal act has or is likely to have occurred, auditors should determine the effect on the financial statements as well as the implications for other aspects of the audit.
4.29 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional audit procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit engagement or a portion of the engagement to avoid interfering with an investigation.
49. Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity's fulfillment of its obligations related to the accountability of the entity. (See appendix I, paragraphs A1.05 through A1.07 for additional information.)
50. For example, when engaged to perform audits under the Single Audit Act, as amended, for state and local government entities and nonprofit entities that receive federal awards, auditors follow Office of Management and Budget (OMB) Circular No. A-133. The act and circular include specific audit requirements, mainly in the areas of compliance with laws and regulations and internal control over compliance that go beyond the requirements in chapters 4 and 5 of GAGAS. Audits performed pursuant to the Chief Financial Officers Act of 1990, as expanded by the Government Management Reform Act of 1994 and the Accountability of Tax Dollars Act of 2002, also have specific audit requirements prescribed by OMB in the areas of internal control and compliance. In addition, some state and local governments may have additional audit requirements that the auditors would need to follow in planning the audit.
52. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the audit. These competencies and skills include an understanding of (1) audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the environment in which the entity operates, and (4) auditing and financial reporting issues relevant to the audited entity's environment.
55. In accordance with AICPA Statement on Auditing Standards No. 107, Audit Risk and Materiality in Conducting an Audit , the auditor's consideration of materiality is a matter of professional judgment and is influenced by the auditor's perception of the needs of users of financial statements. The Financial Accounting Standards Board defined materiality in its Statement of Financial Accounting Concepts No. 2, Qualitative Characteristics of Accounting Information as "the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement."
57. Two types of misstatements are relevant to the auditors' consideration of fraud in an audit of financial statements--misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement in the financial statements is intentional or unintentional.
59. Illegal acts are violations of laws or government regulations that have a direct and material effect on the determination of financial statement amounts. For example, applicable laws and regulations may affect the amount of revenue accrued under government contracts. However, the auditor considers such laws or regulations from the perspective of their known relation to audit objectives derived from financial statement assertions rather than from the perspective of legality per se.