Additional GAGAS Requirements for Reporting on Financial Audits
Reporting the Auditors’ Compliance with GAGAS
Requirement: Reporting the Auditors’ Compliance with GAGAS
6.36
When auditors comply with all applicable GAGAS requirements, they should include a statement in the audit report that they conducted the audit in accordance with GAGAS.49
Application Guidance: Reporting the Auditors’ Compliance with GAGAS
6.37
Because GAGAS incorporates by reference the AICPA’s financial audit standards, GAGAS does not require auditors to cite compliance with the AICPA standards when citing compliance with GAGAS. GAGAS does not prohibit auditors from issuing a separate report conforming only to the requirements of the AICPA or other standards.50
6.38
When disclaiming an opinion on a financial audit, auditors may revise the statement that the auditor was engaged to audit the financial statements.51 For example, auditors may state that they were engaged to conduct the audit in accordance with GAGAS or that the auditors’ work was conducted in accordance with GAGAS, depending on whether the use of GAGAS is required or voluntary. Determining how to revise this statement is a matter of professional judgment.
6.39
Although there is no requirement in GAGAS to communicate key audit matters in the auditor’s report, auditors may be required to communicate in the auditor’s report key audit matters for audits of government entities and entities that receive government financial assistance if (1) engaged to do so by management or those charged with governance,52 or (2) required by law or regulation.53
Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud
Requirements: Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud
6.40
Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance.
6.41
When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed.
6.42
Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect
noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or
fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives.
6.43
Auditors should include either in the same or in separate report(s) a description of the scope of the auditors’ testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements.
6.44
If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity’s internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates.
6.45
Auditors should communicate in writing to audited entity officials when
identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements comes to the auditor’s attention during the course of an audit that has an effect on the financial statements or other financial data significant to the audit objectives that is less than material but warrants the attention of those charged with governance or
the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance.
Application Guidance: Reporting on Internal Control; Compliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements; and Instances of Fraud
6.46
The GAGAS requirement to report on internal control over financial reporting is based on the AICPA requirements to communicate in writing to those charged with governance significant deficiencies and material weaknesses in internal control over financial reporting identified during an audit. The objective of the GAGAS internal control reporting requirement for financial audits is to increase the availability of information on significant deficiencies and material weaknesses to users of financial statements other than those charged with governance.
6.47
Internal control plays an expanded role in the government sector. Given the government’s accountability for public resources, assessing internal control in a government environment may involve considering controls that would not be required in the private sector. In the government sector, evaluating controls that are relevant to the audit involves understanding significant controls that the audited entity designed, implemented, and operated as part of its responsibility for oversight of public resources.
6.48
The audit report on internal control and compliance with provisions of laws, regulations, contracts, and grant agreements relates only to the most recent reporting period included, when comparative financial statements are presented.
6.49
When identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements that does not warrant the attention of those charged with governance comes to the auditor’s attention during the course of the audit, the auditors’ determination of how to communicate such instances to audited entity officials is a matter of professional judgment. When identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements is clearly inconsequential, the auditors’ determination of whether and how to communicate such instances to audited entity officials is a matter of professional judgment.
6.50
When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.
Presenting Findings in the Audit Report
Requirements: Presenting Findings in the Audit Report
6.51
When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for corrective action.
6.52
Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately.
Application Guidance: Presenting Findings in the Audit Report
6.53
Along with assisting management or oversight officials of the audited entity in understanding the need for corrective action, clearly developed findings assist auditors in making recommendations for corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.
Reporting Findings Directly to Parties outside the Audited Entity
Requirements: Reporting Findings Directly to Parties outside the Audited Entity
6.54
Auditors should report identified or suspected noncompliance with provisions of laws, regulations, contracts, and grant agreements and instances of fraud directly to parties outside the audited entity in the following two circumstances.
When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the audited entity’s failure to take timely and appropriate steps directly to the funding agency.
6.55
Auditors should comply with the requirements in paragraph 6.54 even if they have resigned or been dismissed from the audit prior to its completion.
6.56
Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.54 and 6.55.
Application Guidance: Reporting Findings Directly to Parties outside the Audited Entity
6.57
The reporting in paragraph 6.54 is in addition to any legal requirements to report such information directly to parties outside the audited entity.
Obtaining and Reporting the Views of Responsible Officials
Requirements: Obtaining and Reporting the Views of Responsible Officials
6.58
Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions.
6.59
When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report.
6.60
When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence.
6.61
If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
Application Guidance: Obtaining and Reporting the Views of Responsible Officials
6.62
Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations but also the perspectives of the audited entity’s responsible officials and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received. Technical comments address points of fact or are editorial in nature and do not address substantive issues, such as methodology, findings, conclusions, or recommendations.
6.63
Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’s needs; auditors have worked closely with the responsible officials throughout the engagement, and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with findings, conclusions, or recommendations in the draft report or major controversies with regard to the issues discussed in the draft report.
Reporting Confidential or Sensitive Information
Requirements: Reporting Confidential or Sensitive Information
6.64
If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary.
6.65
When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented.
6.66
When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports.
Application Guidance: Reporting Confidential or Sensitive Information
6.67
If the report refers to the omitted information, the reference may be general and not specific. If the omitted information is not necessary to meet the audit objectives, the report need not refer to its omission.
6.68
Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
6.69
Additional circumstances associated with public safety, privacy, or security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information. Considering the broad public interest in the program or activity under audit assists auditors when deciding whether to exclude certain information from publicly available reports.
6.70
In cases described in paragraph 6.66, the auditors may communicate general information in a written report and communicate detailed information orally. The auditors may consult with legal counsel regarding applicable public records laws.
Distributing Reports
Requirement: Distributing Reports
6.71
Distribution of reports completed in accordance with GAGAS depends on the auditors’ relationship with the audited entity and the nature of the information contained in the reports. Auditors should document any limitation on report distribution.
An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports.
A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
See paras. 2.16 through 2.19 for information on the GAGAS compliance statement.↩︎
See AU-C section 700, Forming an Opinion and Reporting on Financial Statements (AICPA, Professional Standards).↩︎
See AU-C section 705, Modifications to the Opinion in the Independent Auditor’s Report (AICPA, Professional Standards).↩︎
See para. 1.04 for additional information on those charged with governance.↩︎
See AU-C section 701, Communicating Key Audit Matters in the Independent Auditor’s Report (AICPA, Professional Standards).↩︎