Planning
Requirements: General
8.03
Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan.
8.04
Auditors must plan the audit to reduce audit risk to an acceptably low level.
8.05
In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit.
8.06
Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level.
8.07
Auditors should identify and use suitable criteria based on the audit objectives.
Application Guidance: General
8.08
The audit objectives are what the audit is intended to accomplish. They identify the audit subject matter and performance aspects to be included. Audit objectives can be thought of as questions about the program that the auditors seek to answer based on evidence obtained and assessed against criteria. Audit objectives may also pertain to the current status or condition of a program. The term program as used in GAGAS includes processes, projects, studies, policies, operations, activities, entities, and functions.
8.09
Auditors may need to refine or adjust the audit objectives, scope, and methodology as work is performed. However, in situations where the audit objectives are established by statute or legislative oversight, auditors may not have latitude to define or adjust the audit objectives or scope.
8.10
Scope is the boundary of the audit and is directly tied to the audit objectives. The scope defines the subject matter that the auditors will assess and report on, such as a particular program or aspect of a program, the necessary documents or records, the period of time reviewed, and the locations that will be included.
8.11
The methodology describes the nature and extent of audit procedures for gathering and analyzing evidence to address the audit objectives. Audit procedures are the specific steps and tests auditors perform to address the audit objectives.
8.12
Obtaining sufficient, appropriate evidence provides auditors with a reasonable basis for findings and conclusions that are valid, accurate, appropriate, and complete with respect to the audit objectives.
8.13
The sufficiency and appropriateness of evidence needed and tests of evidence are determined by the auditors based on the audit objectives, findings, and conclusions. Objectives for performance audits range from narrow to broad and involve varying types and quality of evidence. In some engagements, sufficient, appropriate evidence is available, but in others, information may have limitations. Professional judgment assists auditors in determining the audit scope and methodology needed to address the audit objectives and in evaluating whether sufficient, appropriate evidence has been obtained to address the audit objectives.
8.14
In performance audits conducted in accordance with GAGAS, auditors are the party who measures or evaluates the subject matter of the engagement and who presents the resulting information as part of, or accompanying, the audit report. Therefore, GAGAS does not require auditors to obtain management assertions with respect to the subject matter when conducting a performance audit.
8.15
The concept of significance assists auditors throughout a performance audit, including when deciding the type and extent of audit work to perform, when evaluating results of audit work, and when developing the report and related findings and conclusions. Significance is defined as the relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors. Such factors include the magnitude of the matter in relation to the subject matter of the audit, the nature and effect of the matter, the relevance of the matter, the needs and interests of an objective third party with knowledge of the relevant information, and the matter’s effect on the audited program or activity. Professional judgment assists auditors when evaluating the significance of matters within the context of the audit objectives. In the performance audit requirements, the term significant is comparable to the term material as used in the context of financial statement engagements.
8.16
Audit risk is the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete as a result of factors such as evidence that is not sufficient or appropriate, an inadequate audit process, or intentional omissions or misleading information because of misrepresentation or fraud. The assessment of audit risk involves both qualitative and quantitative considerations. Factors affecting audit risk include the time frames, complexity, or sensitivity of the work; size of the program in terms of dollar amounts and number of citizens served; adequacy of the audited entity’s systems and processes for preventing and detecting inconsistencies, significant errors, or fraud; and auditors’ access to records. Audit risk includes the risk that auditors will not detect a mistake, inconsistency, significant error, or fraud in the evidence supporting the audit. Audit risk can be reduced by taking actions such as increasing the scope of work; adding specialists, additional reviewers, and other resources to conduct the audit; changing the methodology to obtain additional evidence, higher-quality evidence, or alternative forms of corroborating evidence; or aligning the findings and conclusions to reflect the evidence obtained.
8.17
Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. Suitable criteria are relevant, reliable, objective, and understandable and do not result in the omission of significant information, as applicable, within the context of the audit objectives. The relative importance of each of these characteristics to a particular engagement is a matter of professional judgment. In instances where laws, regulations, or policies prescribe the criteria to be used for the engagement, such criteria are presumed to be suitable in the absence of indications to the contrary.
8.18
Examples of criteria include
laws and regulations applicable to the operation of the audited entity;
goals, policies, and procedures established by officials of the audited entity;
technically developed standards or norms;
expert opinions;
prior periods’ performance;
defined business practices;
contracts or grant agreements; and
benchmarks against which performance is compared, including performance of other entities or sectors.
8.19
For audit objectives that pertain to the current status or condition of a program, sufficient, appropriate evidence is gathered to provide reasonable assurance that the description of the current status or condition of a program is accurate and reliable and does not omit significant information relevant to the audit objectives. Information addressing the audit objectives is to be provided in an objective, understandable manner. The relative importance of each of the characteristics of the information to a particular engagement is a matter of professional judgment.
Auditor Communication
Requirements: Auditor Communication
8.20
Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors’ ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable:
management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited;
those charged with governance;
the individuals contracting for or requesting audit services, such as contracting officials or grantees; or
the cognizant legislative committee, when auditors conduct the audit pursuant to a law or regulation or when they conduct the work for the legislative committee that has oversight of the audited entity.
8.21
In situations where the parties required to receive communications, as described in paragraph 8.20, are not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications.
8.22
Auditors should retain any written communication resulting from paragraph 8.20 as audit documentation.
Application Guidance: Auditor Communication
8.23
Determining the form, content, and frequency of the communication with management or those charged with governance is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate key information early in the engagement.
8.24
Examples of communications regarding the objectives, scope, methodology, and timing that could impair the auditors’ ability to obtain sufficient, appropriate evidence include situations in which the auditors plan to perform unannounced cash counts or perform procedures related to indications of fraud.
8.25
Communicating with those charged with governance or management may include communicating deficiencies in internal control; fraud; or noncompliance with provisions of laws, regulations, contracts, and grant agreements. Early communication of these matters may be important because of their relative significance and the urgency for corrective follow-up action. Further, early communication is important to allow management to take prompt corrective action to prevent further occurrences when a control deficiency results in noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud. When a deficiency is communicated early, the reporting requirements and application guidance in paragraphs 9.29 through 9.44 still apply.
8.26
Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. The process for identifying those charged with governance includes evaluating the organizational structure for directing and controlling operations to achieve the audited entity’s objectives and how the audited entity delegates authority and establishes accountability for management.
Investigations or Legal Proceedings
Requirement: Investigations or Legal Proceedings
8.27
Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit.
Application Guidance: Investigations or Legal Proceedings
8.28
Laws, regulations, or policies may require auditors to report indications of the following to law enforcement or investigatory authorities before performing additional audit procedures: certain types of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.
8.29
Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. In some cases, it may be appropriate for the auditors to work with investigators or legal authorities or to withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an ongoing investigation or legal proceeding.
Results of Previous Engagements
Requirement: Results of Previous Engagements
8.30
Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.
Assigning Auditors
Requirements: Assigning Auditors
8.31
Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things,
assigning auditors with the collective knowledge, skills, and abilities appropriate for the audit;
assigning a sufficient number of auditors to the audit;
providing for on-the-job training of auditors; and
engaging specialists when necessary.
8.32
If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including
the objectives and scope of the specialists’ work,
the intended use of the specialists’ work to support the audit objectives,
the specialists’ procedures and findings so they can be evaluated and related to other planned audit procedures, and
the assumptions and methods used by the specialists.
Preparing a Written Audit Plan
Requirement: Preparing a Written Audit Plan
8.33
Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.
Application Guidance: Preparing a Written Audit Plan
8.34
The form and content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors’ basis for those decisions.
8.35
A written audit plan provides an opportunity for audit organization management to supervise audit planning and to determine whether
the proposed audit objectives are likely to result in a useful report;
the audit plan adequately addresses relevant risks;
the proposed audit scope and methodology are adequate to address the audit objectives;
available evidence is likely to be sufficient and appropriate for purposes of the audit; and
sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to conduct the audit and to meet expected time frames for completing the work.