6.01 This chapter establishes standards and provides guidance for attestation engagements conducted in accordance with generally accepted government auditing standards (GAGAS). For attestation engagements, GAGAS incorporate the American Institute of Certified Public Accountants (AICPA) general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE), unless specifically excluded or modified by GAGAS.77, 78 This chapter identifies the AICPA general standard on criteria79 and the field work and reporting standards for attestation engagements and prescribes additional standards for attestation engagements performed in accordance with GAGAS.
6.05 GAGAS establish attestation engagement field work standards in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to
6.06 Under AICPA standards and GAGAS, auditors should establish an understanding with the entity regarding the services to be performed for each engagement. Auditors also should obtain written acknowledgment or other evidence of the entity's responsibilities for the subject matter or the written assertion as it relates to the objectives of the engagement. GAGAS broaden the parties included in the communications during planning and contain additional items in the communications.
6.07 Under GAGAS, when planning the engagement, auditors should communicate certain information, including their understanding of the services to be performed for each engagement, in writing to entity management, those charged with governance,80 and to the individuals contracting for or requesting the engagement. When auditors perform the engagement pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS:
6.08 If an engagement is terminated before it is completed and a report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. Determining whether and how to communicate the reason for terminating the engagement to those charged with governance, appropriate officials of the entity, the entity contracting for or requesting the engagement, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.
6.09 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the subject matter. When planning the engagement, auditors should ask entity management to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter of the attestation engagement being undertaken, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current engagement objectives.
6.10 In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter in order to plan the engagement and design procedures to achieve the objectives of the attestation engagement.
6.11 In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control as it relates to the subject matter to which the auditors are attesting. The subject matter may be financial or nonfinancial. (See paragraph 1.23 for a discussion of possible attestation engagement subject matters.)
6.12 A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct errors in assertions made by management on a timely basis. A deficiency in design exists when (1) a control necessary to meet the control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.
6.13 The auditors' responsibility with regard to fraud,81 illegal acts, violations of provisions of contracts or grant agreements, or abuse for attestation engagements performed in accordance with GAGAS is as follows:
a. Examination-level engagements: In planning, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter of the attestation engagement. Thus, auditors should assess the risk and possible effects of material fraud, illegal acts, or violations of provisions of contracts or grant agreements on the subject matter of the attestation engagement. When risk factors are identified, auditors should document the risk factors identified, the auditors' response to those risk factors individually or in combination, and the auditors' conclusions.
b. Review-level and agreed-upon-procedures-level engagements: If during the course of the engagement, information comes to the auditors' attention indicating that fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter may have occurred, auditors should perform procedures as necessary to
c. For all levels of attestation engagements: If during the course of the engagement, auditors become aware of abuse that could be quantitatively or qualitatively material, auditors should apply procedures specifically directed to ascertain the potential effect on the subject matter or other data significant to the engagement objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse in attestation engagements.
6.14 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
6.15 Audit findings may involve deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. The elements needed for a finding depend entirely on the engagement objectives. Thus a finding or set of findings is complete to the extent that the engagement objectives are satisfied. When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the engagement objectives. The elements of a finding are discussed in paragraphs 6.16 through 6.19.
6.16 Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings.
6.18 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference.
6.19 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the engagement objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the engagement, "effect" is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.
6.20 Under GAGAS, auditors must prepare attest documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of engagement procedures performed); the evidence obtained and its source; and the conclusions reached. Documentation provides the principal support for
6.21 Auditors should prepare attest documentation in sufficient detail to enable an experienced auditor,82 having no previous connection to the attestation engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare attest documentation that contains support for findings, conclusions, and recommendations before they issue their report.
b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;83
the auditors' consideration that the planned procedures be designed to achieve objectives of the attestation engagement when (1) evidence obtained is dependent on computerized information systems,
6.23 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the engagement, the auditors should document the departure, the impact on the engagement and on the auditors' conclusions. This applies to departures from mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)
6.24 Audit organizations should establish policies and procedures for the safe custody and retention of documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether engagement documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors' knowledge, or if the documentation is lost or damaged. For attest documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the attest documentation.
6.25 Underlying GAGAS engagements is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform an engagement in accordance with GAGAS cooperate in performing attestation engagements of programs of common interest so that auditors may use others' work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as attest documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors' work by other auditors may be facilitated by contractual arrangements for GAGAS engagements that provide for full and timely access to appropriate individuals, as well as attest documentation.
6.26 Audit organizations should develop policies to deal with requests by outside parties to obtain access to attest documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.
6.27 Due to the engagement objectives and public accountability of GAGAS engagements, there may be additional considerations for attestation engagements completed in accordance with GAGAS. These considerations relate to
6.28 The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of a subject matter or an assertion about a subject matter, while other matters are not important. In performing the engagement, matters that, either individually or in the aggregate, could be material to the subject matter are a primary consideration. In engagements performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS engagements because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.
6.29 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current engagement. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an investigation.
6.30 The four AICPA reporting standards that apply to all levels of attestation engagements are as follows:84
b. The practitioner [auditor] must state the practitioner's [auditor's] conclusion about the subject matter or the assertion in relation to the criteria against which the subject matter was evaluated in the report.
c. The practitioner [auditor] must state all of the practitioner's [auditor's] significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto in the report.
(1) When the criteria used to evaluate the subject matter are determined by the practitioner [auditor] to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria.
6.31 GAGAS establish reporting standards for attestation engagements in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to
6.32 When auditors comply with all applicable GAGAS requirements, they should include a statement in the attestation report that they performed the engagement in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.) GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of other standards.
For attestation engagements, auditors should report, as applicable to the objectives of the engagement, and based upon the work performed,
a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report data reliably in accordance with the applicable criteria or framework such that there is more than a remote85 likelihood that a misstatement of the subject matter that is more than inconsequential86 will not be prevented or detected.
b. Material weakness: a significant deficiency or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the subject matter will not be prevented or detected.
6.35 Determining whether and how to communicate to entity officials internal control deficiencies that have an inconsequential effect on the subject matter is a matter of professional judgment. Auditors should document such communications.
6.36 Under GAGAS, when auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their report the relevant information about
a. fraud and illegal acts87 that have an effect on the subject matter that is more than inconsequential,
6.37 When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the subject matter that is less than material but more than inconsequential, they should communicate those findings in writing to entity officials. Determining whether and how to communicate to entity officials fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications.
6.38 When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.
6.39 Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.88
a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency.
6.40 The reporting in paragraph 6.39 is in addition to any legal requirements to report such information directly to parties outside the entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the engagement prior to its completion.
6.41 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by entity management that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 6.39.
6.42 In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the engagement objectives. Clearly developed findings, as discussed in paragraphs 6.15 through 6.19, assist management or oversight officials in understanding the need for taking corrective action. If auditors are able to sufficiently develop the elements of a finding, they may provide recommendations for corrective action.
6.43 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.
6.44 If the attestation engagement report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.
6.45 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.
6.46 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.
6.47 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.
6.48 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.
6.49 When the entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.
6.50 If the entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
6.51 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.
6.52 Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
6.53 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.
6.54 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the engagement results or conceal improper or illegal practices.
6.55 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditor may consult with legal counsel regarding applicable public records laws.
6.56 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:
a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports.
b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should:
c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
80. Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity's fulfillment of its obligations related to accountability. (See appendix I, paragraph A1.05 through A1.07 for additional information.)
81. Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Although not applicable to attestation engagements, the AICPA Statements on Auditing Standards (SAS) may provide useful guidance related to fraud for auditors performing attestation engagements in accordance with GAGAS.
82. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the attestation engagement. These competencies and skills include an understanding of (1) attestation engagement processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter that the auditor is engaged to report on, (4) the suitability and availability of criteria, and (5) issues related to the audited entity's environment.
83. Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the attest documentation, nor are they required to list detailed information from those documents.
84. Under AT Section 50, SSAE Hierarchy, the reporting standards apply when the practitioner issues a report. The reporting standards do not apply when the practitioner declines to issue a report as a result of the engagement.
85. The term "more than remote" used in the definitions for significant deficiency and material weakness means "at least reasonably possible." The following definitions apply: (1) Remote--The chance of the future events occurring is slight. (2) Reasonably possible--The chance of the future events or their occurrence is more than remote but less than likely. (3) Probable--The future events are likely to occur.
86. "More than inconsequential" indicates an amount that is less than material, yet has significance. A misstatement is "inconsequential" if a reasonable person would conclude that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the subject matter. If a reasonable person would not reach such a conclusion, that misstatement is "more than inconsequential."
87. Whether a particular act is, in fact, illegal may have to await final determination by a court of law or other adjudicative body. Disclosing matters that have led auditors to conclude that an illegal act is likely to have occurred is not a final determination of illegality.