Types of GAGAS Engagements
This section describes the types of engagements that audit organizations may conduct in accordance with GAGAS. This description is not intended to limit or require the types of engagements that may be conducted in accordance with GAGAS.
All GAGAS engagements begin with objectives, and those objectives determine the type of engagement to be conducted and the applicable standards to be followed. This document classifies financial audits, attestation engagements, reviews of financial statements, and performance audits, as defined by their objectives, as the types of engagements that are covered by GAGAS.
In some GAGAS engagements, the standards applicable to the specific objective will be apparent. For example, if the objective is to express an opinion on financial statements, the standards for financial audits apply. However, some engagements may have objectives that could be met using more than one approach. For example, if the objective is to determine the reliability of performance measures, auditors can perform this work in accordance with either the standards for attestation engagements or performance audits.
GAGAS requirements and guidance apply to the types of engagements that auditors may conduct in accordance with GAGAS as follows:
Financial audits: the requirements and guidance in chapters 1 through 6 apply.
Attestation-level examination, review, and agreed-upon procedures engagements and reviews of financial statements: the requirements and guidance in chapters 1 through 5 and 7 apply.
Performance audits: the requirements and guidance in chapters 1 through 5, 8, and 9 apply.
Financial audits provide independent assessments of whether entities’ reported financial information (e.g., financial condition, results, and use of resources) is presented fairly, in all material respects, in accordance with recognized criteria. Financial audits conducted in accordance with GAGAS include financial statement audits and other related financial audits.
Financial statement audits: The primary purpose of a financial statement audit is to provide financial statement users with an opinion by an auditor on whether an entity’s financial statements are presented fairly, in all material respects, in accordance with an applicable financial reporting framework. Reporting on financial statement audits conducted in accordance with GAGAS also includes reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements that have a material effect on the financial statements.
Other types of financial audits: Other types of financial audits conducted in accordance with GAGAS entail various scopes of work, including
obtaining sufficient, appropriate evidence to form an opinion on a single financial statement or specified elements, accounts, or line items of a financial statement;1
issuing letters (commonly referred to as comfort letters) for underwriters and certain other requesting parties;2
auditing applicable compliance and internal control requirements relating to one or more government programs;3 and
conducting an audit of internal control over financial reporting that is integrated with an audit of financial statements (integrated audit).4
Attestation Engagements and Reviews of Financial Statements
Attestation engagements can cover a broad range of financial or nonfinancial objectives about the subject matter or assertion depending on the users’ needs. In an attestation engagement, the subject matter or an assertion by a party other than the auditors is measured or evaluated in accordance with suitable criteria. The work the auditors perform and the level of assurance associated with the report vary based on the type of attestation engagement. The three types of attestation engagements are as follows:
- Examination: An auditor obtains reasonable assurance by obtaining sufficient, appropriate evidence about the measurement or evaluation of subject matter against criteria in order to be able to draw reasonable conclusions on which to base the auditor’s opinion about whether the subject matter is in accordance with (or based on) the criteria or the assertion is fairly stated, in all material respects. The auditor obtains the same level of assurance in an examination as in a financial statement audit.
- Review: An auditor obtains limited assurance by obtaining sufficient, appropriate review evidence about the measurement or evaluation of subject matter against criteria in order to express a conclusion about whether any material modification should be made to the subject matter in order for it to be in accordance with (or based on) the criteria or to the assertion in order for it to be fairly stated. Review-level work does not include reporting on internal control or compliance with provisions of laws, regulations, contracts, and grant agreements. The auditor obtains the same level of assurance in a review engagement as in a review of financial statements.
- Agreed-upon procedures engagement: An auditor performs specific procedures on subject matter or an assertion and reports the findings without providing an opinion or a conclusion on it. The specified parties to the engagement agree upon and are responsible for the sufficiency of the procedures for their purposes. The specified parties are the intended users to whom use of the report is limited.
The subject matter of an attestation engagement may take many forms, including the following:
historical or prospective performance or condition, historical or prospective financial information, performance measurements, or backlog data;
physical characteristics, for example, narrative descriptions or square footage of facilities;
historical events, for example, the price of a market basket of goods on a certain date;
analyses, for example, break-even analyses;
systems and processes, for example, internal control; and
behavior, for example, corporate governance, compliance with laws and regulations, and human resource practices.
The objective of the auditor when performing a review of financial statements is to obtain limited assurance as a basis for reporting whether the auditor is aware of any material modifications that should be made to financial statements in order for the financial statements to be in accordance with the applicable financial reporting framework. A review of financial statements does not include obtaining an understanding of the entity’s internal control, assessing fraud risk, or certain other procedures ordinarily performed in an audit.
Performance audits provide objective analysis, findings, and conclusions to assist management and those charged with governance and oversight with, among other things, improving program performance and operations, reducing costs, facilitating decision making by parties responsible for overseeing or initiating corrective action, and contributing to public accountability.
Performance audit objectives vary widely and include assessments of program effectiveness, economy, and efficiency; internal control; compliance; and prospective analyses. Audit objectives may also pertain to the current status or condition of a program. These overall objectives are not mutually exclusive. For example, a performance audit with an objective of determining or evaluating program effectiveness may also involve an additional objective of evaluating the program’s internal controls. Key categories of performance audit objectives include the following:
- Program effectiveness and results audit objectives. These are frequently interrelated with economy and efficiency objectives. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results.
Internal control audit objectives. These relate to an assessment of one or more aspects of an entity’s system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliability of reporting for internal and external use, or compliance with provisions of applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control is a process effected by an entity’s oversight body, management, and other personnel that provides reasonable assurance that the objectives of an entity will be achieved. Internal control comprises the plans, methods, policies, and procedures used to fulfill the mission, strategic plan, goals, and objectives of the entity.
Compliance audit objectives. These relate to an assessment of compliance with criteria established by provisions of laws, regulations, contracts, and grant agreements, or other requirements that could affect the acquisition, protection, use, and disposition of the entity’s resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance requirements can be either financial or nonfinancial.
Prospective analysis audit objectives. These provide analysis or conclusions about information that is based on assumptions about events that may occur in the future, along with possible actions that the entity may take in response to the future events.
Examples of program effectiveness and results audit objectives include
assessing the extent to which legislative, regulatory, or organizational goals and objectives are being achieved;
assessing the relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness;
analyzing the relative cost-effectiveness of a program or activity, focusing on combining cost information or other inputs with
(1) information about outputs or the benefit provided or
(2) outcomes or the results achieved;
determining whether a program produced intended results or produced results that were not consistent with the program’s objectives;
determining the current status or condition of program operations or progress in implementing legislative requirements;
determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters;
assessing the extent to which programs duplicate, overlap, or conflict with other related programs;
evaluating whether the entity is following sound procurement practices;
assessing the reliability, validity, or relevance of performance measures concerning program effectiveness and results or economy and efficiency;
assessing the reliability, validity, or relevance of financial information related to the performance of a program;
determining whether government resources (inputs) are obtained at reasonable costs while meeting timeliness and quality considerations;
determining whether appropriate value was obtained based on the cost or amount paid or based on the amount of revenue received;
determining whether government services and benefits are accessible to those individuals who have a right to access those services and benefits;
determining whether fees assessed cover costs;
determining whether and how the program’s unit costs can be decreased or its productivity increased; and
assessing the reliability, validity, or relevance of budget proposals or budget requests to assist legislatures in the budget process.
Examples of internal control audit objectives include determining whether
organizational missions, goals, and objectives are achieved effectively and efficiently;
resources are used in compliance with laws, regulations, or other requirements;
resources, including sensitive information accessed or stored outside the organization’s physical perimeter, are safeguarded against unauthorized acquisition, use, or disposition;
management information, such as performance measures, and public reports are complete, accurate, and consistent to support performance and decision making;
the integrity of information from computerized systems is achieved; and
contingency planning for information systems provides essential backup to prevent unwarranted disruption of the activities and functions that the systems support.
Examples of compliance objectives include determining whether
the purpose of the program, the manner in which it is to be conducted, the services delivered, the outcomes, or the population it serves is in compliance with provisions of laws, regulations, contracts, or grant agreements or other requirements;
government services and benefits are distributed or delivered to citizens based on eligibility to obtain those services and benefits;
incurred or proposed costs are in compliance with applicable laws, regulations, contracts, or grant agreements; and
revenues received are in compliance with applicable laws, regulations, contracts, or grant agreements.
Examples of prospective analysis objectives include providing conclusions based on
current and projected trends and future potential impact on government programs and services and their implications for program or policy alternatives;
program or policy alternatives, including forecasting program outcomes under various assumptions;
policy or legislative proposals, including advantages, disadvantages, and analysis of stakeholder views;
prospective information prepared by management;
budgets and forecasts that are based on (1) assumptions about expected future events and (2) stakeholders’ and management’s expected reaction to those future events; and
management’s assumptions on which prospective information is based.
See AU-C section 805, Special Considerations - Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement (AICPA, Professional Standards).↩︎
See AU-C section 920, Letters for Underwriters and Certain Other Requesting Parties (AICPA, Professional Standards).↩︎
See AU-C section 935, Compliance Audits (AICPA, Professional Standards).↩︎
See AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements (AICPA, Professional Standards).↩︎