Examination Engagements
Compliance with Standards
Requirement: Compliance with Standards
7.05
GAGAS establishes requirements for examination engagements in addition to the requirements for examinations contained in the AICPA’s SSAEs. Auditors should comply with these additional requirements, along with the AICPA requirements for examination engagements, when citing GAGAS in their examination engagement reports.
Application Guidance: Compliance with Standards
7.06
The AICPA standards applicable to examinations require the auditors to apply the concept of materiality appropriately in planning and performing the examination. Additional considerations may apply to GAGAS engagements that concern government entities or entities that receive government awards. For example, for engagements conducted in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels than those used in non-GAGAS engagements because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.
Licensing and Certification
Requirements: Licensing and Certification
7.07
Auditors engaged to conduct examination engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs.
7.08
Auditors engaged to conduct examination engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.07, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States.
Auditor Communication
Requirements: Auditor Communication
7.09
If the law or regulation requiring an examination engagement specifically identifies the entities to be examined, auditors should communicate pertinent information that in the auditors’ professional judgment needs to be communicated both to individuals contracting for or requesting the examination and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity.
7.10
If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications.
Application Guidance: Auditor Communication
7.11
For some matters, early communication to those charged with governance or management may be important because of the relative significance and the urgency for corrective follow-up action. Further, early communication is important to allow management to take prompt corrective action to prevent further occurrences when a control deficiency results in identified or suspected noncompliance with provisions of laws, regulations, contracts, and grant agreements or identified or suspected fraud. When a deficiency is communicated early, the reporting requirements and application guidance in paragraphs 7.39 through 7.47 still apply.
7.12
Because the governance structures of government entities and organizations can vary widely, it may not always be clearly evident who is charged with key governance functions. The process for identifying those charged with governance includes evaluating the organizational structure for directing and controlling operations to achieve the audited entity’s objectives and how the audited entity delegates authority and establishes accountability for management.
Results of Previous Engagements
Requirement: Results of Previous Engagements
7.13
When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives.
Investigations or Legal Proceedings
Requirement: Investigations or Legal Proceedings
7.14
Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the engagement objectives have been initiated or are in process with respect to the period under examination, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current examination engagement.
Application Guidance: Investigations or Legal Proceedings
7.15
Laws, regulations, or policies may require auditors to report indications of certain types of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements to law enforcement or investigatory authorities before performing additional examination procedures.
7.16
Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. In some cases, it may be appropriate for the auditors to work with investigators or legal authorities or to withdraw from or defer further work on the attestation engagement or a portion of the engagement to avoid interfering with an ongoing investigation or legal proceeding.
Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
Requirement: Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
7.17
Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements.[52]
Application Guidance: Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements
7.18
Government programs are subject to provisions of many laws, regulations, contracts, and grant agreements. At the same time, these provisions’ significance within the context of the engagement objectives varies widely, depending on the objectives of the engagement. Auditors may consult with their legal counsel to (1) determine those laws and regulations that are significant to the examination objectives, (2) design tests of compliance with laws and regulations, and (3) evaluate the results of those tests. Auditors also may consult with their legal counsel when engagement objectives require testing compliance with provisions of contracts or grant agreements. Depending on the circumstances of the engagement, auditors may consult with others—such as investigative staff, other audit organizations or government entities that provided professional services to the audited entity, or applicable law enforcement authorities—to obtain information on compliance matters.
Findings
Requirements: Findings
7.19
When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the examination objectives.
7.20
Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings.
Application Guidance: Findings
7.21
Findings may involve deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud.
7.22
Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse. Because the determination of waste and abuse is subjective, auditors are not required to perform specific procedures to detect waste or abuse in examinations. However, auditors may consider whether and how to communicate such matters if they become aware of them. Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.
7.23
Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight.
7.24
The following are examples of waste, depending on the facts and circumstances:
Making travel choices that are contrary to existing travel policies or are unnecessarily extravagant or expensive.
Making procurement or vendor selections that are contrary to existing policies or are unnecessarily extravagant or expensive.
7.25
Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.
7.26
The following are examples of abuse, depending on the facts and circumstances:
Creating unneeded overtime.
Requesting staff to perform personal errands or work tasks for a supervisor or manager.
Misusing the official’s position for personal gain (including actions that could be perceived by an objective third party with knowledge of the relevant information as improperly benefiting an official’s personal financial interests or those of an immediate or close family member; a general partner; an organization for which the official serves as an officer, director, trustee, or employee; or an organization with which the official is negotiating concerning future employment).
7.27
Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report.
7.28
Condition: Condition is a situation that exists. The condition is determined and documented during the attestation engagement.
7.29
Cause: The cause is the factor or factors responsible for the difference between the condition and the criteria, and may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor contributing to the difference between the condition and the criteria.
7.30
Effect or potential effect: The effect or potential effect is the outcome or consequence resulting from the difference between the condition and the criteria. When the engagement objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the engagement, effect is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.
7.31
Regardless of the type of finding identified, the cause of a finding may relate to an underlying internal control deficiency. Depending on the magnitude of impact, likelihood of occurrence, and nature of the deficiency, this deficiency could be a significant deficiency or a material weakness.
7.32
Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework,[53] can help auditors to determine whether underlying internal control deficiencies exist as the root cause of findings. Identifying these deficiencies can help provide the basis for developing meaningful recommendations for corrective actions.
Examination Engagement Documentation
Requirements: Examination Engagement Documentation
7.33
Auditors should comply with the following documentation requirements.
Before the date of the examination report, document supervisory review of the evidence that supports the findings, conclusions, and recommendations contained in the examination report.
Document any departures from the GAGAS requirements and the effect on the examination engagement and on the auditors’ conclusions when the examination engagement does not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the examination engagement.
7.34
In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors’ significant judgments and conclusions.
Application Guidance: Examination Engagement Documentation
7.35
When documenting departures from the GAGAS requirements where alternative procedures performed were not sufficient to achieve the objectives of the requirements, the examination engagement documentation requirements apply to departures from unconditional requirements and presumptively mandatory requirements.
7.36
An experienced auditor is an individual who possesses the competencies and skills to be able to conduct the examination engagement. These competencies and skills include an understanding of (1) examination engagement processes and related examination standards, (2) GAGAS and applicable legal and regulatory requirements, (3) the subject matter on which the auditors are engaged to report, (4) the suitability and availability of criteria, and (5) issues related to the audited entity’s environment.
Availability of Individuals and Documentation
Requirement: Availability of Individuals and Documentation
7.37
Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers.
Application Guidance: Availability of Individuals and Documentation
7.38
Underlying GAGAS examination engagements is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to conduct examination engagements in accordance with GAGAS cooperate in evaluating programs of common interest so that auditors may use others’ work and avoid duplication of efforts. The use of auditors’ work by other auditors may be facilitated by contractual arrangements for GAGAS engagements that provide for full and timely access to appropriate individuals and to engagement documentation.
Reporting the Auditors’ Compliance with GAGAS
Requirements: Reporting the Auditors’ Compliance with GAGAS
7.39
When auditors comply with all applicable GAGAS requirements, they should include a statement in the report that they conducted the examination in accordance with GAGAS.[54]
7.40
If auditors report separately (including separate reports bound in the same document) on deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud, they should state in the examination report that they are issuing those additional reports. They should include a reference to the separate reports and also state that the reports are an integral part of a GAGAS examination engagement.
Application Guidance: Reporting the Auditors’ Compliance with GAGAS
7.41
Because GAGAS incorporates by reference the AICPA’s attestation standards, GAGAS does not require auditors to cite compliance with the AICPA standards when citing compliance with GAGAS. GAGAS does not prohibit auditors from issuing a separate report conforming only to the requirements of the AICPA or other standards.
Reporting Deficiencies in Internal Control
Requirement: Reporting Deficiencies in Internal Control
7.42
Auditors should include in the examination report all internal control deficiencies, even those communicated early, that are considered to be significant deficiencies or material weaknesses that the auditors identified based on the engagement work performed.[55]
Application Guidance: Reporting Deficiencies in Internal Control
7.43
Determining whether and how to communicate to officials of the audited entity internal control deficiencies that are not considered significant deficiencies or material weaknesses is a matter of professional judgment.
Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements or Instances of Fraud
Requirements: Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, and Grant Agreements or Instances of Fraud
7.44
Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect
noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the subject matter or an assertion about the subject matter or
fraud that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives.
7.45
When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud that have an effect on the subject matter or an assertion about the subject matter that are less than material but warrant the attention of those charged with governance, they should communicate in writing to audited entity officials.
Application Guidance: Reporting on Noncompliance with Provisions of Laws, Regulations, Contracts, or Grant Agreements or Instances of Fraud
7.46
When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud that do not warrant the attention of those charged with governance, the auditors’ determination of whether and how to communicate such instances to audited entity officials is a matter of professional judgment.
7.47
When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings and, for example, report only on information that is already a part of the public record.
Presenting Findings in the Report
Requirements: Presenting Findings in the Report
7.48
When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for taking corrective action.
7.49
Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately.
Application Guidance: Presenting Findings in the Report
7.50
Along with assisting management or oversight officials of the audited entity in understanding the need for taking corrective action, clearly developed findings assist auditors in making recommendations for corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.
Reporting Findings Directly to Parties outside the Audited Entity
Requirements: Reporting Findings Directly to Parties outside the Audited Entity
7.51
Auditors should report identified or suspected noncompliance with provisions of laws, regulations, contracts, and grant agreements and instances of fraud directly to parties outside the audited entity in the following two circumstances.
When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management’s failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors’ communication with those charged with governance, then the auditors should report the audited entity’s failure to take timely and appropriate steps directly to the funding agency.
7.52
Auditors should comply with the requirements in paragraph 7.51 even if they have resigned or been dismissed from the engagement prior to its completion.
7.53
Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52.
Application Guidance: Reporting Findings Directly to Parties outside the Audited Entity
7.54
The reporting in paragraph 7.51 is in addition to any legal requirements to report such information directly to parties outside the audited entity.
Obtaining and Reporting the Views of Responsible Officials
Requirements: Obtaining and Reporting the Views of Responsible Officials
7.55
Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions.
7.56
When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials’ written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report.
7.57
When the audited entity’s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity’s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence.
7.58
If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
Application Guidance: Obtaining and Reporting the Views of Responsible Officials
7.59
Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors’ findings, conclusions, and recommendations but also the perspectives of the audited entity’s responsible officials and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable. When the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received. Technical comments address points of fact or are editorial in nature and do not address substantive issues, such as methodology, findings, conclusions, or recommendations.
7.60
Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user’s needs; auditors have worked closely with the responsible officials throughout the engagement, and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with findings, conclusions, or recommendations in the draft report or major controversies with regard to the issues discussed in the draft report.
Reporting Confidential or Sensitive Information
Requirements: Reporting Confidential or Sensitive Information
7.61
If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary.
7.62
When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented.
7.63
When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports.
Application Guidance: Reporting Confidential or Sensitive Information
7.64
If the report refers to the omitted information, the reference may be general and not specific. If the omitted information is not necessary to meet the engagement objectives, the report need not refer to its omission.
7.65
Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.
7.66
Additional circumstances associated with public safety, privacy, or security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that misuse of this information could cause. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors’ recommendations. In some instances, it may be appropriate to issue both a publicly available report with the sensitive information excluded and a limited use report. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate omitting certain information.
7.67
Considering the broad public interest in the program or activity under examination assists auditors when deciding whether to exclude certain information from publicly available reports.
7.68
In cases described in paragraph 7.63, the auditors may communicate general information in a written report and communicate detailed information orally. The auditors may consult with legal counsel regarding applicable public records laws.
Distributing Reports
Requirement: Distributing Reports
7.69
Distribution of reports completed in accordance with GAGAS depends on the auditors’ relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution.
An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the examination engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations and to others authorized to receive such reports.
A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
[52] See paras. .32 and .33 of AT-C section 205 (AICPA, Professional Standards).
[53] The Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control—Integrated Framework and Standards for Internal Control in the Federal Government (GAO-14-704G) provide suitable and available criteria against which management may evaluate and report on the effectiveness of the entity’s internal control. Standards for Internal Control in the Federal Government may be adopted by entities beyond those federal entities for which it is legally required, such as state, local, and quasi-governmental entities, as well as other federal entities and not-for-profit organizations, as a framework for an internal control system.
[54] See paras. 2.16 through 2.19 for information on the GAGAS compliance statement.
[55] GAGAS’s use of internal control terminology is consistent with the definitions contained in AU-C section 265 (AICPA, Professional Standards).