Additional GAGAS Requirements for Conducting Financial Audits
Compliance with Standards
Requirement: Compliance with Standards
GAGAS establishes requirements for financial audits in addition to the requirements in the AICPA SAS. Auditors should comply with these additional requirements, along with the AICPA requirements for financial audits, when citing GAGAS in financial audit reports.
Application Guidance: Compliance with Standards
Standards used in conjunction with GAGAS require the auditors to apply the concept of materiality appropriately in planning and performing the audit.44 Additional considerations may apply to GAGAS engagements that concern government entities or entities that receive government awards. For example, for engagements conducted in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels than those used in non-GAGAS audits because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.
Licensing and Certification
Requirements: Licensing and Certification
Auditors engaged to conduct financial audits in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs.
Auditors engaged to conduct financial audits of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 6.04, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States.
Requirements: Auditor Communication
If the law or regulation requiring an audit specifically identifies the entities to be audited, auditors should communicate pertinent information that in the auditors’ professional judgment needs to be communicated both to individuals contracting for or requesting the audit and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity.
If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications.
Application Guidance: Auditor Communication
One example of a law or regulation requiring an audit that does not specifically identify the entities to be audited is the Single Audit Act Amendments of 1996.
For some matters, early communication to management or those charged with governance may be important because of the relative significance and the urgency for corrective follow-up action.45 Further, early communication is important to allow management to take prompt corrective action to prevent further occurrences when a control deficiency results in identified or suspected noncompliance with provisions of laws, regulations, contracts, and grant agreements or identified or suspected instances of fraud. When a deficiency is communicated early, the reporting requirements and application guidance in paragraphs 6.40 through 6.50 still apply.
Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. The process for identifying those charged with governance includes evaluating the organizational structure for directing and controlling operations to achieve the audited entity’s objectives and how the audited entity delegates authority and establishes accountability for management.
Results of Previous Engagements
Requirement: Results of Previous Engagements
When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.
Investigations or Legal Proceedings
Requirement: Investigations or Legal Proceedings
Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit.
Application Guidance: Investigations or Legal Proceedings
Laws, regulations, or policies may require auditors to communicate indications of certain types of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements to law enforcement or investigatory authorities before performing additional audit procedures.
Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. In some cases, it may be appropriate for the auditors to work with investigators or legal authorities or to withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an ongoing investigation or legal proceeding.
Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
Requirement: Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements.46
Application Guidance: Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
Government programs are subject to provisions of many laws, regulations, contracts, and grant agreements. At the same time, these provisions’ significance within the context of the audit objectives varies widely, depending on the objectives of the audit. Auditors may consult with their legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with laws and regulations, and (3) evaluate the results of those tests. Auditors also may consult with their legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may consult with others, such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or applicable law enforcement authorities, to obtain information on compliance matters.
When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives.
Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings.
Application Guidance: Findings
Findings may involve deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud.
Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse. Because the determination of waste and abuse is subjective, auditors are not required to perform specific procedures to detect waste or abuse in financial audits. However, auditors may consider whether and how to communicate such matters if they become aware of them. Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.
Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.
The following are examples of waste, depending on the facts and circumstances:
Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive.
Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.
Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.
The following are examples of abuse, depending on the facts and circumstances:
Creating unneeded overtime.
Requesting staff to perform personal errands or work tasks for a supervisor or manager.
Misusing the official’s position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).
Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. In a financial audit, the applicable financial reporting framework, such as generally accepted accounting principles, represents one set of criteria.
Condition: Condition is a situation that exists. The condition is determined and documented during the audit.
Cause: The cause is the factor or factors responsible for the difference between the condition and the criteria, and may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor contributing to the difference between the condition and the criteria.
Effect or potential effect: The effect or potential effect is the outcome or consequence resulting from the difference between the condition and the criteria. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, effect is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.
Regardless of the type of finding identified, the cause of a finding may relate to one or more underlying internal control deficiencies. Depending on the magnitude of impact, likelihood of occurrence, and nature of the deficiency, the deficiency could be a significant deficiency or material weakness in a financial audit.47
Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework,48 can help auditors to determine whether underlying internal control deficiencies exist as the root cause of findings. Identifying these deficiencies can help provide the basis for developing meaningful recommendations for corrective actions.
Requirements: Audit Documentation
Auditors should document supervisory review, before the report release date, of the evidence that supports the findings and conclusions contained in the audit report.
Auditors should document any departures from the GAGAS requirements and the effect on the audit and on the auditors’ conclusions when the audit is not in compliance with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit.
Application Guidance: Audit Documentation
When documenting departures from the GAGAS requirements, the audit documentation requirements apply to departures from unconditional requirements and from presumptively mandatory requirements when alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the requirements.
Availability of Individuals and Documentation
Requirement: Availability of Individuals and Documentation
Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers.
Application Guidance: Availability of Individuals and Documentation
Underlying GAGAS audits is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to conduct financial audits in accordance with GAGAS cooperate in auditing programs of common interest so that auditors may use others’ work and avoid duplication of efforts. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS audits that provide for full and timely access to appropriate individuals and to audit documentation.
See AU-C section 320, Materiality in Planning and Performing an Audit (AICPA, Professional Standards).↩︎
See AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards).↩︎
See AU-C section 250, Consideration of Laws and Regulations in an Audit of Financial Statements (AICPA, Professional Standards).↩︎
See AU-C section 265, Communicating Internal Control Related Matters Identified in an Audit (AICPA, Professional Standards).↩︎
Para. .A16 of AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards) indicates that the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and Standards for Internal Control in the Federal Government (GAO-14-704G) provide suitable and available criteria against which management may evaluate and report on the effectiveness of the entity’s internal control over financial reporting. Standards for Internal Control in the Federal Government may be adopted by entities beyond those federal entities for which it is legally required, such as state, local, and quasi-governmental entities, as well as other federal entities and not-for-profit organizations, as a framework for an internal control system.↩︎