Conducting the Engagement
Nature and Profile of the Program and User Needs
Requirement: Nature and Profile of the Program and User Needs
Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include
- visibility, sensitivity, and relevant risks associated with the program under audit;
- age of the program or changes in its condition;
- the size of the program in terms of total dollars, number of citizens affected, or other measures;
- level and extent of review or other forms of independent oversight;
- the program’s strategic plan and objectives; and
- external factors or conditions that could directly affect the program.
Application Guidance: Nature and Profile of the Program and User Needs
One group of users of the audit report is government officials or other parties who authorize or request audits. Other important users of the audit report are the audited entity, those responsible for acting on the auditors’ recommendations, oversight organizations, and legislative bodies. Other potential users of the audit report include legislators or government officials (other than those who authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users’ interests and influence can help auditors judge whether possible findings could be significant to relevant users.
Obtaining an understanding of the program under audit helps auditors to assess the relevant risks associated with the program and the effect of the risks on the audit objectives, scope, and methodology. The auditors’ understanding may come from knowledge they already have about the program or knowledge they gain from inquiries, observations, and reviewing documents while planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following:
- Provisions of laws, regulations, contracts, and grant agreements: Government programs are usually created by law and are subject to specific laws and regulations. Laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and related funding guidelines or restrictions. Government programs may also be subject to contracts or grant agreements. Thus, understanding the laws and legislative history establishing a program and the provisions of contracts or grant agreements is essential to understanding the program itself. Obtaining that understanding is also a necessary step in identifying the provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives.
- Purpose and goals: Purpose is the result or effect that is intended or desired from a program’s operation. Legislatures usually establish a program’s purpose when they provide authority for the program. Audited entity officials may provide more detailed information on the program’s purpose to supplement the authorizing legislation. Audited entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria to use when assessing performance.
- Internal control: Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity.
- Inputs: Inputs are the amount of resources (in terms of, for example, money, material, or personnel) that is put into a program. These resources may come from within or outside the entity operating the program. Measures of inputs can have a number of dimensions, such as cost, timing, and quality. Examples of measures of inputs are dollars spent, employee hours expended, and square feet of building space used.
- Program operations: Program operations are the strategies, processes, and activities management uses to convert inputs into outputs. Program operations may be subject to internal control.
- Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed.
- Outcomes: Outcomes are accomplishments or results of a program. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the workplace after a specified period. An example of an outcome measure for an aviation safety inspection program could be the percentage reduction in safety problems found in subsequent inspections or the percentage of problems deemed corrected in follow-up inspections. Such outcome measures show the progress made in achieving the stated program purposes of helping unemployed citizens obtain and retain jobs and improving the safety of aviation operations, respectively. Outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to isolate the effects of the program from these other influences. Outcomes also include a program’s unexpected or unintentional effects, both positive and negative.
Determining Significance and Obtaining an Understanding of Internal Control
Requirements: Determining Significance and Obtaining an Understanding of Internal Control
Auditors should determine and document whether internal control is significant to the audit objectives.[72]
If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control.
Application Guidance: Determining Significance and Obtaining an Understanding of Internal Control
Consideration of internal control in a performance audit begins with determining the significance of internal control to the audit objectives and documenting that determination. Some factors that may be considered when determining the significance of internal control to the audit objectives include
- the subject matter under audit, such as the program or program component under audit, including the audited entity’s objectives for the program and associated inherent risks;
- the nature of findings and conclusions expected to be reported, based on the needs and interests of audit report users;
- the three categories of entity objectives (operations, reporting, and compliance);[73] and
- the five components of internal control (control environment, risk assessment, control activities, information and communication, and monitoring) and the integration of the components.
If internal control is significant to the audit objectives, auditors determine which of the five components of internal control are significant to the audit objectives, as all components of internal control are generally relevant, but not all components may be significant to the audit objectives. This determination can also identify the underlying principles, control objectives, or specific controls that are significant to the audit objectives. Determining which internal control components, principles, control objectives, and/or specific controls are significant to the audit objectives is a matter of professional judgment.
Determining the significance of internal control may be an iterative process. As discussed in paragraph 8.09, the audit objectives can evolve and become more refined throughout the audit. When this occurs, the significance of internal control is determined and documented for the new or revised objectives.
Determining the significance of internal control may be documented in formats such as narratives or tables. The documentation includes the conclusions on whether internal control is significant to the audit objectives, and if so, which components of internal control are significant to the audit objectives. The documentation may also include the factors considered and steps taken to perform the determination.
Determining the significance of internal control to the audit objectives affects the audit planning required in paragraphs 8.03 through 8.07. Specifically, it enables auditors to determine whether to assess internal control as part of the audit and, if they do, to identify criteria for the assessment and plan the appropriate scope, methodology, and extent of internal control assessments to perform.
The nature and extent of procedures auditors perform to obtain an understanding of internal control is a matter of professional judgment and may vary among audits based on audit objectives, audit risk, internal control deficiencies, and the auditors’ knowledge about internal control gained in prior audits. The understanding of internal control builds on the understanding of the program required in paragraph 8.36. The auditors’ understanding of internal control may be obtained through procedures such as inquiries, observations, inspection of documents and records, review of other audit reports, or direct tests.
Approaches for obtaining an understanding of internal control may vary and may include consideration of entity-level controls, transaction-level controls, or both. However, even when assessing only transaction-level controls, it may be beneficial to gain an understanding of entity-level controls that may affect transaction-level controls by obtaining a broad understanding of the five components of internal control at the entity level. This involves considering the relationships between the components, which work together in an integrated manner in an effective internal control system, and the principles of internal control that support each component. In addition to obtaining a broad understanding of internal control at the entity level, auditors may also obtain an understanding of internal control at the transaction level for the specific programs and processes under audit.
Obtaining an understanding of internal control assists auditors in identifying an audited entity’s key controls relevant to the audit objectives. Identifying key controls involves considering the entity’s objectives that are relevant to the audit and whether the entity has controls in place to achieve those objectives and address associated risks. Collectively, key controls are those controls necessary to achieve the entity’s control objectives and provide reasonable assurance of achieving the entity’s objectives. Key controls often have one or both of the following characteristics:
- Their failure may significantly affect the achievement of the entity’s objectives, yet not reasonably be detected in a timely manner by other controls.
- Their operation may prevent or detect other control failures before they have an opportunity to become significant to the achievement of the entity’s objectives.
Assessing Internal Control
Requirement: Assessing Internal Control
If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives.
Application Guidance: Assessing Internal Control
The auditors’ understanding of internal control provides a basis for determining the nature, timing, and extent of procedures for assessments of internal control, if such an assessment will be performed. Assessments of internal control in a performance audit are performed to the extent necessary to address the audit objectives. The levels of internal control assessment that may be performed based on the audit objectives are (1) assessing the design; (2) assessing the design and implementation; or (3) assessing the design, implementation, and operating effectiveness of controls that are significant to the audit objectives.
Assessments of internal control involve designing and performing procedures to obtain sufficient, appropriate evidence, as required in paragraphs 8.90 through 8.94, to support and document the auditors’ findings and conclusions on design, implementation, and/or operating effectiveness of controls that are significant to the audit objectives. The controls being assessed are generally the key controls identified during the planning phase of the engagement, which may include controls at both the entity and transaction levels. Changes may be made to the initial determination of key controls based on additional information gathered during the course of fieldwork.
The design of internal control is assessed by determining whether controls individually and in combination are capable of achieving an objective and addressing the related risk. The implementation of internal control is assessed by determining if the control exists and has been placed into operation. The operating effectiveness of internal control is assessed by determining whether controls were applied at relevant times during the period under evaluation, the consistency with which they were applied, and by whom or by what means they were applied. A control cannot be effectively implemented if it was not effectively designed. A control cannot be operating effectively if it was not effectively designed and implemented.
During the assessment of each control, deficiencies in internal control may be identified. A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel to achieve control objectives and address related risks.[74] A deficiency in design exists when a necessary control is missing or is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a control is properly designed but not implemented correctly in the internal control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed or the person performing the control does not have the necessary competence or authority to perform the control effectively.
Internal Control Deficiencies Considerations
Requirement: Internal Control Deficiencies Considerations
Auditors should evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives.
Application Guidance: Internal Control Deficiencies Considerations
Internal control deficiencies are evaluated for significance within the context of the audit objectives. Deficiencies are evaluated both on an individual basis and in the aggregate. Consideration is given to the correlation among deficiencies. This evaluation and the audit work performed form the basis of the auditors’ determination whether, individually or in combination, the deficiencies are significant within the context of the audit objectives.[75]
Determining whether deficiencies are significant within the context of the audit objectives involves evaluating the following factors:
- Magnitude of impact: Magnitude of impact refers to the likely effect that the deficiency could have on the entity achieving its objectives and is affected by factors such as the size, pace, and duration of the deficiency’s impact. A deficiency may be more significant to one objective than another.
- Likelihood of occurrence: Likelihood of occurrence refers to the possibility of a deficiency impacting an entity’s ability to achieve its objectives.
- Nature of the deficiency: The nature of the deficiency involves factors such as the degree of subjectivity involved with the deficiency and whether the deficiency arises from fraud or misconduct.
Internal control deficiencies are a type of finding, and the requirements related to developing the four elements of a finding in paragraph 8.116 apply. When determining the cause of internal control deficiencies, it may be helpful for auditors to perform an analysis to identify the root cause of the deficiencies. Identifying the root causes of internal control deficiencies may strengthen the quality of auditors’ recommendations for corrective actions.
The following are examples of control deficiencies:
- Ineffective oversight by those charged with governance of the entity’s financial reporting, performance reporting, or internal control, or an ineffective overall governance structure.
- An ineffective internal audit function or risk assessment function at an entity for which such functions are important to the monitoring or risk assessment component of internal control, such as for a large or complex entity.
- Failure by management or those charged with governance to assess the effect of a deficiency previously communicated to them and either to correct it or to conclude that it does not need to be corrected.
- Inadequate controls for the safeguarding of assets.
- Inadequate design of information systems general, application, and user controls that prevents an information system from providing complete and accurate information consistent with financial, compliance, or performance reporting objectives or other current needs.
- Failure of an application control caused by a deficiency in the design or operation of an information system’s general controls.
- Employees or management who lack the qualifications and training to fulfill their assigned functions.
Information Systems Controls Considerations
Requirements: Information Systems Controls Considerations
The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls.
When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives.
Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions.
When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective.
Application Guidance: Information Systems Controls Considerations
Understanding information systems controls is important when information systems are used extensively throughout the program under audit and the fundamental business processes related to the audit objectives rely on information systems. Information systems controls consist of those internal controls that depend on information systems processing and include general controls, application controls, and user controls.
Information systems general controls (entity-wide, system, and application levels) are the policies and procedures that apply to all or a large segment of an entity’s information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning.
Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master file, interface, and the data management system.
User controls are portions of controls that are performed by people interacting with information systems controls. A user control is an information systems control if its effectiveness depends on information systems processing or the reliability (accuracy, completeness, and validity) of information processed by information systems.
An entity’s use of information systems controls may be extensive; however, auditors are primarily interested in those information systems controls that are significant to the audit objectives. Information systems controls are significant to the audit objectives if auditors determine that it is necessary to evaluate the effectiveness of these controls in order to obtain sufficient, appropriate evidence. For example, an audit objective may involve evaluating the effectiveness of information systems controls related to certain systems, facilities, or entities.
Audit procedures to evaluate the effectiveness of significant information systems controls include (1) gaining an understanding of the system as it relates to the information and (2) identifying and evaluating the general, application, and user controls that are critical to providing assurance over the reliability of the information required for the audit.
The evaluation of information systems controls may be done in conjunction with the auditors’ consideration of internal control within the context of the audit objectives or as a separate audit objective or audit procedure, depending on the audit’s objectives. Depending on the significance of information systems controls to the audit objectives, the extent of audit procedures to obtain such an understanding may be limited or extensive. In addition, the nature and extent of audit risk related to information systems controls are affected by the hardware and software used, the configuration of the entity’s systems and networks, and the entity’s information systems strategy.
The following factors may assist auditors in determining the significance of information system controls to the audit objectives:
- The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems.
- The availability of evidence outside the information system to support the findings and conclusions. It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls. For example, if information supporting the findings and conclusions is generated by information systems or its reliability depends on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence available other than that produced by the information systems.
- The relationship of information systems controls to data reliability. To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditors conclude that information systems controls are effective, they may reduce the direct testing of data.
Provisions of Laws, Regulations, Contracts, and Grant Agreements
Requirement: Provisions of Laws, Regulations, Contracts, and Grant Agreements
Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives.
Application Guidance: Provisions of Laws, Regulations, Contracts, and Grant Agreements
Government programs are subject to many provisions of laws, regulations, contracts, and grant agreements. At the same time, these provisions’ significance within the context of the audit objectives varies widely, depending on the objectives of the audit. Auditors may consult with their legal counsel to (1) determine those laws and regulations that are significant to the audit objectives, (2) design tests of compliance with provisions of laws and regulations, and (3) evaluate the results of those tests. Auditors also may consult with their legal counsel when audit objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the audit, auditors may consult with others, such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or law enforcement authorities, to obtain information on compliance matters.
The auditors’ assessment of audit risk may be affected by such factors as the complexity or recent establishment of the laws, regulations, contracts, and grant agreements. The auditors’ assessment of audit risk also may be affected by whether the audited entity has controls that are effective in preventing or detecting noncompliance with provisions of laws, regulations, contracts, and grant agreements. If auditors obtain sufficient, appropriate evidence of the effectiveness of these controls, they can reduce their tests of compliance.
Fraud
Requirements: Fraud
Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions.
Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors’ attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings.
Application Guidance: Fraud
Fraud involves obtaining something of value through willful misrepresentation. Whether an act is, in fact, fraud is determined through the judicial or other adjudicative system and is beyond auditors’ professional responsibility.
Auditors may obtain information through discussion with officials of the audited entity or through other means to determine the susceptibility of a program to fraud, the extent to which the audited entity has implemented leading practices to manage fraud risks, the status of internal controls the audited entity has established to prevent and detect fraud, or the risk that officials of the audited entity could override internal control. An attitude of professional skepticism in assessing the risk of fraud assists auditors in assessing which factors or risks could significantly affect the audit objectives.
In some circumstances, conditions such as the following could indicate a heightened risk of fraud:
- economic, programmatic, or entity operating conditions that threaten the entity’s financial stability, viability, or budget;
- the nature of the entity’s operations provides opportunities to engage in fraud;
- management’s monitoring of compliance with laws, regulations, and policies is inadequate;
- the organizational structure is unstable or unnecessarily complex;
- management communication or support for ethical standards is lacking;
- management is willing to accept unusually high levels of risk in making significant decisions;
- the entity has a history of impropriety, such as previous issues with fraud, questionable practices, or past audits or investigations with findings of questionable or criminal activity;
- operating policies and procedures have not been developed or are outdated;
- key documentation is lacking or does not exist;
- asset accountability or safeguarding procedures are lacking;
- a history of improper payments;
- evidence of false or misleading information; and
- evidence of unusual patterns and trends in contracting, procurement, acquisition, and other activities of the entity or program.
If fraud that may have occurred is not significant within the context of the audit objectives, the auditors may perform additional audit work as a separate engagement or refer the matter to other parties with oversight responsibility or jurisdiction.
Identifying Sources of Evidence and the Amount and Type of Evidence Required
Requirements: Identifying Sources of Evidence and the Amount and Type of Evidence Required
Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work.
Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings.
Application Guidance: Identifying Sources of Evidence and the Amount and Type of Evidence Required
If auditors believe it is likely that sufficient, appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional evidence or other forms of evidence to address the current audit objectives.
Using the Work of Others
Requirements: Using the Work of Others
Auditors should determine whether other auditors have conducted, or are conducting, audits that could be relevant to the current audit objectives.
If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors’ qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives.[76]
If the engagement team intends to use the work of a specialist, it should assess the independence of the specialist.[77]
Application Guidance: Using the Work of Others
The results of other auditors’ work may be useful sources of information for planning and conducting the audit. If other auditors have identified areas that warrant further audit work or follow-up, their work may influence the auditors’ selection of objectives, scope, and methodology.
Internal auditing is an important part of overall governance, accountability, and internal control. A key role of many internal audit organizations is to provide assurance that internal controls are in place to adequately mitigate risks and achieve program goals and objectives. Auditors may determine that it is appropriate to use the work of the internal auditors in assessing the effectiveness of design or operation of internal controls that are significant within the context of the audit objectives.
If other auditors have completed audit work related to the objectives of the current audit, the current auditors may be able to use the work of the other auditors to support findings or conclusions for the current audit and thereby avoid duplication of effort. Procedures that auditors may perform in making this determination include reviewing the other audit report, audit plan, or audit documentation, or performing tests of the other auditors’ work. The nature and extent of evidence needed will depend on the significance of the other auditors’ work to the current audit objectives and the extent to which the auditors will use that work.
The engagement team’s assessment of the independence of specialists who perform audit work includes identifying threats and applying any necessary safeguards in the same manner as they would for auditors performing work on those audits.[78]
[72] The terminology used in this section is consistent with the definitions and concepts in the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework (COSO Framework) and Standards for Internal Control in the Federal Government (GAO-14-704G) (Green Book).