7.01 This chapter establishes field work standards and provides guidance for performance audits conducted in accordance with generally accepted government auditing standards (GAGAS). The field work standards for performance audits relate to planning the audit; supervising staff; obtaining sufficient, appropriate evidence; and preparing audit documentation. The concepts of reasonable assurance, significance, and audit risk form a framework for applying these standards and are included throughout the discussion of performance audits.
7.03 Performance audits that comply with GAGAS provide reasonable assurance that evidence is sufficient and appropriate to support the auditors' findings and conclusions. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives, findings, and conclusions. Objectives for performance audits range from narrow to broad and involve varying types and quality of evidence. In some engagements, sufficient, appropriate evidence is available, but in others, information may have limitations. Professional judgment assists auditors in determining the audit scope and methodology needed to address the audit objectives, while providing the appropriate level of assurance that the obtained evidence is sufficient and appropriate to address the audit objectives. (See paragraphs 7.55 through 7.71 for a discussion about assessing the sufficiency and appropriateness of evidence.)
7.04 The concept of significance89 assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the impact of the matter to the audited program or activity. Professional judgment assists auditors when evaluating the significance of matters within the context of the audit objectives.
7.05 Audit risk is the possibility that the auditors' findings, conclusions, recommendations, or assurance may be improper or incomplete, as a result of factors such as evidence that is not sufficient and/or appropriate, an inadequate audit process, or intentional omissions or misleading information due to misrepresentation or fraud. The assessment of audit risk involves both qualitative and quantitative considerations. Factors such as the time frames, complexity, or sensitivity of the work; size of the program in terms of dollar amounts and number of citizens served; adequacy of the audited entity's systems and processes to detect inconsistencies, significant errors, or fraud; and auditors' access to records, also impact audit risk. Audit risk includes the risk that auditors will not detect a mistake, inconsistency, significant error, or fraud in the evidence supporting the audit. Audit risk can be reduced by taking actions such as increasing the scope of work; adding experts, additional reviewers, and other resources to the audit team; changing the methodology to obtain additional evidence, higher quality evidence, or alternative forms of corroborating evidence; or aligning the findings and conclusions to reflect the evidence obtained.
7.07 Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors' findings and conclusions. This determination is a matter of professional judgment. In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives.90 Planning is a continuous process throughout the audit. Therefore, auditors may need to adjust the audit objectives, scope, and methodology as work is being completed.
7.08 The objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included, and may also include the potential findings and reporting elements that the auditors expect to develop. Audit objectives can
be thought of as questions about the program91 that the auditors seek to answer based on evidence obtained and assessed against criteria.
7.09 Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.
7.10 The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors will carry out to address the audit objectives. Auditors should design the methodology to obtain sufficient, appropriate evidence to address the audit objectives, reduce audit risk to an acceptable level, and provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors' findings and conclusions. Methodology includes both the nature and extent of audit procedures used to address the audit objectives.
d. legal and regulatory requirements, contract provisions or grant agreements, potential fraud, or abuse that are significant within the context of the audit objectives (see paragraphs 7.28 through 7.35); and
7.13 Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include
7.14 One group of users of the auditors' report is government officials who may have authorized or requested the audit. Other important users of the auditors' report are the entity being audited, those responsible for acting on the auditors' recommendations, oversight organizations, and legislative bodies. Other potential users of the auditors' report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users' interests and influence can help auditors judge whether possible findings could be significant to relevant users.
7.15 Obtaining an understanding of the program under audit helps auditors to assess the relevant risks associated with the program and the impact on the audit objectives, scope, and methodology. The auditors' understanding may come from knowledge they already have about the program or knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following.
a. Laws, regulations, and provisions of contracts or grant agreements: Government programs are usually created by law and are subject to specific laws and regulations. Laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and related funding guidelines or restrictions. Government programs may also be subject to provisions of contracts and grant agreements. Thus, understanding the laws and legislative history establishing a program and the provisions of any contracts or grant agreements can be essential to understanding the program itself. Obtaining that understanding is also a necessary step in identifying the provisions of laws, regulations, contracts, or grant agreements that are significant within the context of the audit objectives.
b. Purpose and goals: Purpose is the result or effect that is intended or desired from a program's operation. Legislatures usually establish the program's purpose when they provide authority for the program. Entity officials may provide more detailed information on the program's purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria to use when assessing performance.
c. Internal control: Internal control, sometimes referred to as management control, in the broadest sense includes the plan, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; violations of laws, regulations, and provisions of contracts and grant agreements; or abuse. Paragraphs 7.16 through 7.22 contain guidance pertaining to internal control.
d. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars spent, employee-hours expended, and square feet of building space.
f. Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed.
g. Outcomes: Outcomes are accomplishments or results of a program. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work place after a specified period of time. An example of an outcome measure for an aviation safety inspection program could be the percentage reduction in safety problems found in subsequent inspections or the percentage of problems deemed corrected in follow-up inspections. Such outcome measures show the progress made in achieving the stated program purpose of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to isolate the effects of the program from these other influences. Outcomes also include unexpected and/or unintentional effects of a program, both positive and negative.
7.16 Auditors should obtain an understanding of internal control92 that is significant within the context of the audit objectives. For internal control that is significant within the context of the audit objectives, auditors should assess whether internal control has been properly designed and implemented. For those internal controls that are deemed significant within the context of the audit objectives, auditors should plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Information systems controls are often an integral part of an entity's internal control. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. (See paragraphs 7.23 through 7.27 for additional discussion on evaluating the effectiveness of information systems controls.)
7.17 Auditors may modify the nature, timing, or extent of the audit procedures based on the auditors' assessment of internal control and the results of internal control testing. For example, poorly controlled aspects of a program have a higher risk of failure, so auditors may choose to focus their efforts in these areas. Conversely, effective controls at the audited entity may enable the auditors to limit the extent and type of audit testing needed.
7.18 Auditors may obtain an understanding of internal control through inquiries, observations, inspection of documents and records, review of other auditors' reports, or direct tests. The procedures auditors perform to obtain an understanding of internal control may vary among audits based on audit objectives and audit risk. The extent of these procedures will vary based on the audit objectives, known or potential internal control risks or problems, and the auditors' knowledge about internal control gained in prior audits.
7.19 The following discussion of the principal types of internal control objectives is intended to help auditors better understand internal controls and determine whether or to what extent they are significant to the audit objectives.
a. Effectiveness and efficiency of program operations: Controls over program operations include policies and procedures that the audited entity has implemented to provide reasonable assurance that a program meets its objectives, while considering cost-effectiveness and efficiency. Understanding these controls can help auditors understand the program operations that convert inputs and efforts to outputs and outcomes.
b. Relevance and reliability of information: Controls over the relevance and reliability of information include policies, procedures, and practices that officials of the audited entity have implemented to provide themselves reasonable assurance that operational and financial information they use for decision making and reporting externally is relevant and reliable and fairly disclosed in reports. Understanding these controls can help auditors (1) assess the risk that the information gathered by the entity may not be relevant or reliable and (2) design appropriate tests of the information considering the audit objectives.
c. Compliance with applicable laws and regulations and provisions of contracts or grant agreements: Controls over compliance include policies and procedures that the audited entity has implemented to provide reasonable assurance that program implementation is in accordance with laws, regulations, and provisions of contracts or grant agreements. Understanding the relevant controls concerning compliance with those laws and regulations and provisions of contracts or grant agreements that the auditors have determined are significant within the context of the audit objectives can help them assess the risk of illegal acts, violations of provisions of contracts or grant agreements, or abuse.
7.20 A subset of these categories of internal control objectives is the safeguarding of assets and resources. Controls over the safeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources.
In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct (1) impairments of effectiveness or efficiency of operations,
7.22 Internal auditing93 is an important part of overall governance, accountability, and internal control. A key role of many internal audit organizations is to provide assurance that internal controls are in place to adequately mitigate risks and achieve program goals and objectives. When an assessment of internal control is needed, the auditor may use the work of the internal auditors in assessing whether internal controls are effectively designed and operating effectively, and to prevent duplication of effort. (See paragraphs 7.41 through 7.43 for standards and guidance for using the work of other auditors.)
7.23 Understanding information systems controls is important when information systems are used extensively throughout the program under audit and the fundamental business processes related to the audit objectives rely on information systems. Information systems controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. Information systems general controls are the policies and procedures that apply to all or a large segment of an entity's information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master data, application interfaces, and data management system interfaces.
7.24 An organization's use of information systems controls may be extensive; however, auditors are primarily interested in those information systems controls that are significant to the audit objectives. Information systems controls are significant to the audit objectives if auditors determine that it is necessary to evaluate the effectiveness of information systems controls in order to obtain sufficient, appropriate evidence. When information systems controls are determined to be significant to the audit objectives, auditors should then evaluate the design and operating effectiveness of such controls. This evaluation would include other information systems controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives.94
Audit procedures to evaluate the effectiveness of significant information systems controls include
7.26 The evaluation of information systems controls may be done in conjunction with the auditors' consideration of internal control within the context of the audit objectives (see paragraphs 7.16 through 7.22), or as a separate audit objective or audit procedure, depending on the objectives of the audit. Depending on the significance of information systems controls to the audit objectives, the extent of audit procedures to obtain such an understanding may be limited or extensive. In addition, the nature and extent of audit risk related to information systems controls are affected by the nature of the hardware and software used, the configuration of the entity's systems and networks, and the entity's information systems strategy.
7.27 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The following factors may assist auditors in making this determination:
b. The availability of evidence outside the information system to support the findings and conclusions: It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls. For example, if information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems.
c. The relationship of information systems controls to data reliability: To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data.
d. Evaluating the effectiveness of information systems controls as an audit objective: When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations.
7.28 Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant within the context of the audit objectives and assess the risk that violations of those laws, regulations, and provisions of contracts or grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives.
7.29 The auditors' assessment of audit risk may be affected by such factors as the complexity or newness of the laws, regulations, and provisions of contracts or grant agreements. The auditors' assessment of audit risk also may be affected by whether the entity has controls that are effective in preventing or detecting violations of laws, regulations, and provisions of contracts or grant agreements. If auditors obtain sufficient, appropriate evidence of the effectiveness of these controls, they can reduce the extent of their tests of compliance.
7.30 In planning the audit, auditors should assess risks of fraud95 occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions. For example, auditors may obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of the program to fraud, the status of internal controls the entity has established to detect and prevent fraud, or the risk that officials of the audited entity could override internal control. An attitude of professional skepticism in assessing these risks assists auditors in assessing which factors or risks could significantly affect the audit objectives.
7.31 When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. Assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit.
7.32 When information comes to the auditors' attention indicating that fraud that is significant within the context of the audit objectives may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. If the fraud that may have occurred is not significant within the context of the audit objectives, the auditors may conduct additional audit work as a separate engagement, or refer the matter to other parties with oversight responsibility or jurisdiction.
7.33 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.
7.34 If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.
7.35 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional audit procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit or a portion of the audit to avoid interfering with an investigation.
7.36 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.
7.37 Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter.
7.39 Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work.
7.40 If auditors believe that it is likely that sufficient, appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional evidence or other forms of evidence to address the current audit objectives. Auditors should also evaluate whether the lack of sufficient, appropriate evidence is due to internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. (See paragraphs 7.55 through 7.71 for standards concerning evidence.)
7.41 Auditors should determine whether other auditors have conducted, or are conducting, audits of the program that could be relevant to the current audit objectives. The results of other auditors' work may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further audit work or follow-up, their work may influence the auditors' selection of objectives, scope, and methodology.
7.42 If other auditors have completed audit work related to the objectives of the current audit, the current auditors may be able to use the work of the other auditors to support findings or conclusions for the current audit and, thereby, avoid duplication of efforts. If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance in the context of the current audit objectives. Procedures that auditors may perform in making this determination include reviewing the other auditors' report, audit plan, or audit documentation, and/or performing tests of the other auditors' work. The nature and extent of evidence needed will depend on the significance of the other auditors' work to the current audit objectives and the extent to which the auditors will use that work.
7.43 Some audits may necessitate the use of specialized techniques or methods that require the skills of a specialist. If auditors intend to use the work of specialists, they should obtain an understanding of the qualifications and independence of the specialists. (See paragraph 3.05 for independence considerations when using the work of others.) Evaluating the professional qualifications of the specialist involves the following:
7.44 Audit management should assign sufficient staff and specialists with adequate collective professional competence to perform the audit. (See paragraph 3.43 for a discussion of using specialists in a GAGAS audit.) Staffing an audit includes, among other things:
performance audit96 and planned reporting (including any potential restrictions on the report) to the following, as applicable:
b. those charged with governance;97
d. when auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee.
7.48 Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate the information. Auditors should document this communication.
7.49 If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.
7.50 Auditors must prepare a written audit plan for each audit. The form and content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors' basis for those decisions. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.
e. sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to perform the audit and to meet expected time frames for completing the work.
7.53 Audit supervision involves providing sufficient guidance and direction to staff assigned to the audit to address the audit objectives and follow applicable standards, while staying informed about significant problems encountered, reviewing the work performed, and providing effective on-the-job training.
7.54 The nature and extent of the supervision of staff and the review of audit work may vary depending on a number of factors, such as the size of the audit organization, the significance of the work, and the experience of the staff.
7.56 The concept of sufficient, appropriate evidence is integral to an audit. Appropriateness is the measure of the quality of evidence that encompasses its relevance, validity, and reliability in providing support for findings and conclusions related to the audit objectives. In assessing the overall appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. Sufficiency is a measure of the quantity of evidence used to support the findings and conclusions related to the audit objectives. In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to persuade a knowledgeable person that the findings are reasonable.
7.57 In assessing evidence, auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing the audit objectives and supporting findings and conclusions. Audit objectives may vary widely, as may the level of work necessary to assess the sufficiency and appropriateness of evidence to address the objectives. For example, in establishing the appropriateness of evidence, auditors may test its reliability by obtaining supporting evidence, using statistical testing, or obtaining corroborating evidence. The concepts of audit risk and significance assist auditors with evaluating the audit evidence.
7.58 Professional judgment assists auditors in determining the sufficiency and appropriateness of evidence taken as a whole. Interpreting, summarizing, or analyzing evidence is typically used in the process of determining the sufficiency and appropriateness of evidence and in reporting the results of the audit work. When appropriate, auditors may use statistical methods to analyze and interpret evidence to assess its sufficiency.
7.59 Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions. (See appendix I, paragraph A7.03 for additional guidance regarding assessing the appropriateness of evidence in relation to the audit objectives.)
7.60 There are different types and sources of evidence that auditors may use, depending on the audit objectives. Evidence may be obtained by observation, inquiry, or inspection. Each type of evidence has its own strengths and weaknesses. (See appendix I, paragraph A7.02 for additional guidance regarding the types of evidence.) The following contrasts are useful in judging the appropriateness of evidence. However, these contrasts are not adequate in themselves to determine appropriateness. The nature and types of evidence to support auditors' findings and conclusions are matters of the auditors' professional judgment based on the audit objectives and audit risk.
e. Testimonial evidence obtained from an individual who is not biased and has direct knowledge about the area is generally more reliable than testimonial evidence obtained from an individual who is biased or has indirect or partial knowledge about the area.
f. Evidence obtained from a knowledgeable, credible, and unbiased third party is generally more reliable than evidence from management of the audited entity or others who have a direct interest in the audited entity.
7.61 Testimonial evidence may be useful in interpreting or corroborating documentary or physical information. Auditors should evaluate the objectivity, credibility, and reliability of the testimonial evidence. Documentary evidence may be used to help verify, support, or challenge testimonial evidence.
7.62 Surveys generally provide self-reported information about existing conditions or programs. Evaluation of the survey design and administration assists auditors in evaluating the objectivity, credibility, and reliability of the self-reported information.
7.63 When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques. When a representative sample is not needed, a targeted selection may be effective if the auditors have isolated certain risk factors or other criteria to target the selection.
7.64 When auditors use information gathered by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. The auditor may find it necessary to perform testing of management's procedures to obtain assurance or perform direct testing of the information. The nature and extent of the auditors' procedures will depend on the significance of the information to the audit objectives and the nature of the information being used.
7.65 Auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it. The nature, timing, and extent of audit procedures to assess sufficiency and appropriateness is affected by the effectiveness of the entity's internal controls over the information, including information systems controls, and the significance of the information and the level of detail presented in the auditors' findings and conclusions in light of the audit objectives. (See paragraphs 7.23 through 7.27 for additional discussion on assessing the effectiveness of information systems controls.)
7.66 Sufficiency is a measure of the quantity of evidence used for addressing the audit objectives and supporting findings and conclusions. Sufficiency also depends on the appropriateness of the evidence. In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions.
7.67 The following presumptions are useful in judging the sufficiency of evidence. The sufficiency of evidence required to support the auditors' findings and conclusions is a matter of the auditors' professional judgment.
7.68 Auditors should determine the overall sufficiency and appropriateness of evidence to provide a reasonable basis for the findings and conclusions, within the context of the audit objectives. Professional judgments about the sufficiency and appropriateness of evidence are closely interrelated, as auditors interpret the results of audit testing and evaluate whether the nature and extent of the evidence obtained is sufficient and appropriate. Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments conducted to conclude on the validity and reliability of specific evidence.
7.69 Sufficiency and appropriateness of evidence are relative concepts, which may be thought of in terms of a continuum rather than as absolutes. Sufficiency and appropriateness are evaluated in the context of the related findings and conclusions. For example, even though the auditors may have some limitations or uncertainties about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence to support the findings and conclusions.
7.70 When assessing the sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions, available corroborating evidence, and the level of audit risk. The steps to assess evidence may depend on the nature of the evidence, how the evidence is used in the audit or report, and the audit objectives.
Evidence is not sufficient or not appropriate when
7.71 Evidence has limitations or uncertainties when the validity or reliability of the evidence has not been assessed or cannot be assessed, given the audit objectives and the intended use of the evidence. Limitations also include errors identified by the auditors in their testing. When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should apply additional procedures, as appropriate. Such procedures include
c. presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing in the report the limitations or uncertainties with the validity or reliability of the evidence, if such disclosure is necessary to avoid misleading the report users about the findings or conclusions (see paragraph 8.15 for additional reporting requirements when there are limitations or uncertainties with the validity or reliability of evidence); or
7.72 Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives. In addition, if auditors are able to sufficiently develop the elements of a finding, they should develop recommendations for corrective action if they are significant within the context of the audit objectives. The elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are addressed and the report clearly relates those objectives to the elements of a finding. For example, an audit objective may be limited to determining the current status or condition of program operations or progress in implementing legislative requirements, and not the related cause or effect. In this situation, developing the condition would address the audit objective and development of the other elements of a finding would not be necessary.
7.75 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference. When the audit objectives include explaining why a particular type of positive or negative program performance, output, or outcome identified in the audit occurred, they are referred to as "cause." Identifying the cause of problems may assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors or multiple causes, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they have identified as the cause or causes. Auditors may identify deficiencies in program design or structure as the cause of deficient performance. Auditors may also identify deficiencies in internal control that are significant to the subject matter of the performance audit as the cause of deficient performance. In developing these types of findings, the deficiencies in program design or internal control would be described as the "cause." Often the causes of deficient program performance are complex and involve multiple factors, including fundamental, systemic root causes. Alternatively, when the audit objectives include estimating the program's effect on changes in physical, social, or economic conditions, auditors seek evidence of the extent to which the program itself is the "cause" of those changes.
7.76 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, "effect" is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. When the audit objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, "effect" is a measure of the impact achieved by the program. In this case, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to the program.
7.77 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor,98 having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare audit documentation that contains support for findings, conclusions, and recommendations before they issue their report.
7.78 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment.
Audit documentation is an essential element of audit quality. The process of preparing and reviewing audit documentation contributes to the quality of an audit. Audit documentation serves to (1) provide the principal support for the auditors' report, (2) aid auditors in conducting and supervising the audit, and
b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;99 and
7.81 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements when alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)
7.82 Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether audit documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors' knowledge, or if the documentation is lost or damaged. For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation.
7.83 Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform audits in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others' work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors' work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals, as well as audit documentation.
7.84 Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.
Refer to the internal control guidance contained in
Internal Control--Integrated Framework
, published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). As discussed in the COSO framework, internal control consists of five interrelated components, which are (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and
93. Many government entities identify these internal auditing activities by other names, such as inspection, appraisal, investigation, organization and methods, or management analysis. These activities assist management by reviewing selected functions.
94. Refer to additional criteria and guidance in Federal Information Controls Audit Manual (FISCAM), GAO/AIMD-12.19.6 (Washington, D.C.: January 1999) and IS Standards, Guidelines and Procedures for Auditing and Control Professionals, published by the Information Systems Audit and Control Association (ISACA).
95. Fraud is a type of illegal act involving the obtaining of something of value through willful misrepresentation. Whether an act is, in fact, fraud is a determination to be made through the judicial or other adjudicative system and is beyond auditors' professional responsibility.
97. Those charged with governance are those responsible for overseeing the strategic direction of the entity and the entity's fulfillment of its obligations related to accountability. (See appendix I, paragraphs A1.05 through A1.07.)
98. An experienced auditor means an individual (whether internal or external to the audit organization) who possesses the competencies and skills that would have enabled him or her to perform the performance audit. These competencies and skills include an understanding of (1) the performance audit processes, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter associated with achieving the audit objectives, and (4) issues related to the audited entity's environment.
99. Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the audit documentation, nor are they required to list detailed information from those documents.