Nature and Profile of the Program and User Needs

7.13 Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include

a. visibility, sensitivity, and relevant risks associated with the program under audit;

b. age of the program or changes in its conditions;

c. the size of the program in terms of total dollars, number of citizens affected, or other measures;

d. level and extent of review or other forms of independent oversight;

e. program's strategic plan and objectives; and

f. external factors or conditions that could directly affect the program.

7.14 One group of users of the auditors' report is government officials who may have authorized or requested the audit. Other important users of the auditors' report are the entity being audited, those responsible for acting on the auditors' recommendations, oversight organizations, and legislative bodies. Other potential users of the auditors' report include government legislators or officials (other than those who may have authorized or requested the audit), the media, interest groups, and individual citizens. In addition to an interest in the program, potential users may have an ability to influence the conduct of the program. An awareness of these potential users' interests and influence can help auditors judge whether possible findings could be significant to relevant users.

7.15 Obtaining an understanding of the program under audit helps auditors to assess the relevant risks associated with the program and the impact on the audit objectives, scope, and methodology. The auditors' understanding may come from knowledge they already have about the program or knowledge they gain from inquiries and observations they make in planning the audit. The extent and breadth of those inquiries and observations will vary among audits based on the audit objectives, as will the need to understand individual aspects of the program, such as the following.

a. Laws, regulations, and provisions of contracts or grant agreements: Government programs are usually created by law and are subject to specific laws and regulations. Laws and regulations usually set forth what is to be done, who is to do it, the purpose to be achieved, the population to be served, and related funding guidelines or restrictions. Government programs may also be subject to provisions of contracts and grant agreements. Thus, understanding the laws and legislative history establishing a program and the provisions of any contracts or grant agreements can be essential to understanding the program itself. Obtaining that understanding is also a necessary step in identifying the provisions of laws, regulations, contracts, or grant agreements that are significant within the context of the audit objectives.

b. Purpose and goals: Purpose is the result or effect that is intended or desired from a program's operation. Legislatures usually establish the program's purpose when they provide authority for the program. Entity officials may provide more detailed information on the program's purpose to supplement the authorizing legislation. Entity officials are sometimes asked to set goals for program performance and operations, including both output and outcome goals. Auditors may use the stated program purpose and goals as criteria for assessing program performance or may develop additional criteria to use when assessing performance.

c. Internal control: Internal control, sometimes referred to as management control, in the broadest sense includes the plan, policies, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal control includes the processes for planning, organizing, directing, and controlling program operations. It includes the systems for measuring, reporting, and monitoring program performance. Internal control serves as a defense in safeguarding assets and in preventing and detecting errors; fraud; violations of laws, regulations, and provisions of contracts and grant agreements; or abuse. Paragraphs 7.16 through 7.22 contain guidance pertaining to internal control.

d. Efforts: Efforts are the amount of resources (in terms of money, material, personnel, etc.) that are put into a program. These resources may come from within or outside the entity operating the program. Measures of efforts can have a number of dimensions, such as cost, timing, and quality. Examples of measures of efforts are dollars spent, employee-hours expended, and square feet of building space.

e. Program operations: Program operations are the strategies, processes, and activities management uses to convert efforts into outputs. Program operations may be subject to internal control.

f. Outputs: Outputs represent the quantity of goods or services produced by a program. For example, an output measure for a job training program could be the number of persons completing training, and an output measure for an aviation safety inspection program could be the number of safety inspections completed.

g. Outcomes: Outcomes are accomplishments or results of a program. For example, an outcome measure for a job training program could be the percentage of trained persons obtaining a job and still in the work place after a specified period of time. An example of an outcome measure for an aviation safety inspection program could be the percentage reduction in safety problems found in subsequent inspections or the percentage of problems deemed corrected in follow-up inspections. Such outcome measures show the progress made in achieving the stated program purpose of helping unemployable citizens obtain and retain jobs, and improving the safety of aviation operations. Outcomes may be influenced by cultural, economic, physical, or technological factors outside the program. Auditors may use approaches drawn from other disciplines, such as program evaluation, to isolate the effects of the program from these other influences. Outcomes also include unexpected and/or unintentional effects of a program, both positive and negative.

Internal Control

7.16 Auditors should obtain an understanding of internal control92 that is significant within the context of the audit objectives. For internal control that is significant within the context of the audit objectives, auditors should assess whether internal control has been properly designed and implemented. For those internal controls that are deemed significant within the context of the audit objectives, auditors should plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Information systems controls are often an integral part of an entity's internal control. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. (See paragraphs 7.23 through 7.27 for additional discussion on evaluating the effectiveness of information systems controls.)

7.17 Auditors may modify the nature, timing, or extent of the audit procedures based on the auditors' assessment of internal control and the results of internal control testing. For example, poorly controlled aspects of a program have a higher risk of failure, so auditors may choose to focus their efforts in these areas. Conversely, effective controls at the audited entity may enable the auditors to limit the extent and type of audit testing needed.

7.18 Auditors may obtain an understanding of internal control through inquiries, observations, inspection of documents and records, review of other auditors' reports, or direct tests. The procedures auditors perform to obtain an understanding of internal control may vary among audits based on audit objectives and audit risk. The extent of these procedures will vary based on the audit objectives, known or potential internal control risks or problems, and the auditors' knowledge about internal control gained in prior audits.

7.19 The following discussion of the principal types of internal control objectives is intended to help auditors better understand internal controls and determine whether or to what extent they are significant to the audit objectives.

a. Effectiveness and efficiency of program operations: Controls over program operations include policies and procedures that the audited entity has implemented to provide reasonable assurance that a program meets its objectives, while considering cost-effectiveness and efficiency. Understanding these controls can help auditors understand the program operations that convert inputs and efforts to outputs and outcomes.

b. Relevance and reliability of information: Controls over the relevance and reliability of information include policies, procedures, and practices that officials of the audited entity have implemented to provide themselves reasonable assurance that operational and financial information they use for decision making and reporting externally is relevant and reliable and fairly disclosed in reports. Understanding these controls can help auditors (1) assess the risk that the information gathered by the entity may not be relevant or reliable and (2) design appropriate tests of the information considering the audit objectives.

c. Compliance with applicable laws and regulations and provisions of contracts or grant agreements: Controls over compliance include policies and procedures that the audited entity has implemented to provide reasonable assurance that program implementation is in accordance with laws, regulations, and provisions of contracts or grant agreements. Understanding the relevant controls concerning compliance with those laws and regulations and provisions of contracts or grant agreements that the auditors have determined are significant within the context of the audit objectives can help them assess the risk of illegal acts, violations of provisions of contracts or grant agreements, or abuse.

7.20 A subset of these categories of internal control objectives is the safeguarding of assets and resources. Controls over the safeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources.

7.21 In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct (1) impairments of effectiveness or efficiency of operations,
(2) misstatements in financial or performance information, or (3) violations of laws and regulations, on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

7.22 Internal auditing93 is an important part of overall governance, accountability, and internal control. A key role of many internal audit organizations is to provide assurance that internal controls are in place to adequately mitigate risks and achieve program goals and objectives. When an assessment of internal control is needed, the auditor may use the work of the internal auditors in assessing whether internal controls are effectively designed and operating effectively, and to prevent duplication of effort. (See paragraphs 7.41 through 7.43 for standards and guidance for using the work of other auditors.)

Information Systems Controls

7.23 Understanding information systems controls is important when information systems are used extensively throughout the program under audit and the fundamental business processes related to the audit objectives rely on information systems. Information systems controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. Information systems general controls are the policies and procedures that apply to all or a large segment of an entity's information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master data, application interfaces, and data management system interfaces.

7.24 An organization's use of information systems controls may be extensive; however, auditors are primarily interested in those information systems controls that are significant to the audit objectives. Information systems controls are significant to the audit objectives if auditors determine that it is necessary to evaluate the effectiveness of information systems controls in order to obtain sufficient, appropriate evidence. When information systems controls are determined to be significant to the audit objectives, auditors should then evaluate the design and operating effectiveness of such controls. This evaluation would include other information systems controls that impact the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives.94

7.25 Audit procedures to evaluate the effectiveness of significant information systems controls include
(1) gaining an understanding of the system as it relates to the information and (2) identifying and evaluating the general controls and application controls that are critical to providing assurance over the reliability of the information required for the audit.

7.26 The evaluation of information systems controls may be done in conjunction with the auditors' consideration of internal control within the context of the audit objectives (see paragraphs 7.16 through 7.22), or as a separate audit objective or audit procedure, depending on the objectives of the audit. Depending on the significance of information systems controls to the audit objectives, the extent of audit procedures to obtain such an understanding may be limited or extensive. In addition, the nature and extent of audit risk related to information systems controls are affected by the nature of the hardware and software used, the configuration of the entity's systems and networks, and the entity's information systems strategy.

7.27 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The following factors may assist auditors in making this determination:

a. The extent to which internal controls that are significant to the audit depend on the reliability of information processed or generated by information systems.

b. The availability of evidence outside the information system to support the findings and conclusions: It may not be possible for auditors to obtain sufficient, appropriate evidence without evaluating the effectiveness of relevant information systems controls. For example, if information supporting the findings and conclusions is generated by information systems or its reliability is dependent on information systems controls, there may not be sufficient supporting or corroborating information or documentary evidence that is available other than that produced by the information systems.

c. The relationship of information systems controls to data reliability: To obtain evidence about the reliability of computer-generated information, auditors may decide to evaluate the effectiveness of information systems controls as part of obtaining evidence about the reliability of the data. If the auditor concludes that information systems controls are effective, the auditor may reduce the extent of direct testing of data.

d. Evaluating the effectiveness of information systems controls as an audit objective: When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations.

Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse

Previous Audits and Attestation Engagements

7.36 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives.

Identifying Audit Criteria

7.37 Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations included in the report. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter.

7.38 The following are some examples of criteria:

a. purpose or goals prescribed by law or regulation or set by officials of the audited entity,

b. policies and procedures established by officials of the audited entity,

c. technically developed standards or norms,

d. expert opinions,

e. prior periods' performance,

f. defined business practices,

g. contract or grant terms, and

h. performance of other entities or sectors used as defined benchmarks.

Identifying Sources of Evidence and the Amount and Type of Evidence Required

7.39 Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work.

7.40 If auditors believe that it is likely that sufficient, appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional evidence or other forms of evidence to address the current audit objectives. Auditors should also evaluate whether the lack of sufficient, appropriate evidence is due to internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. (See paragraphs 7.55 through 7.71 for standards concerning evidence.)

Using the Work of Others

7.41 Auditors should determine whether other auditors have conducted, or are conducting, audits of the program that could be relevant to the current audit objectives. The results of other auditors' work may be useful sources of information for planning and performing the audit. If other auditors have identified areas that warrant further audit work or follow-up, their work may influence the auditors' selection of objectives, scope, and methodology.

7.42 If other auditors have completed audit work related to the objectives of the current audit, the current auditors may be able to use the work of the other auditors to support findings or conclusions for the current audit and, thereby, avoid duplication of efforts. If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance in the context of the current audit objectives. Procedures that auditors may perform in making this determination include reviewing the other auditors' report, audit plan, or audit documentation, and/or performing tests of the other auditors' work. The nature and extent of evidence needed will depend on the significance of the other auditors' work to the current audit objectives and the extent to which the auditors will use that work.

7.43 Some audits may necessitate the use of specialized techniques or methods that require the skills of a specialist. If auditors intend to use the work of specialists, they should obtain an understanding of the qualifications and independence of the specialists. (See paragraph 3.05 for independence considerations when using the work of others.) Evaluating the professional qualifications of the specialist involves the following:

a. the professional certification, license, or other recognition of the competence of the specialist in his or her field, as appropriate;

b. the reputation and standing of the specialist in the views of peers and others familiar with the specialist's capability or performance;

c. the specialist's experience and previous work in the subject matter; and

d. the auditors' prior experience in using the specialist's work.

Assigning Staff and Other Resources

7.44 Audit management should assign sufficient staff and specialists with adequate collective professional competence to perform the audit. (See paragraph 3.43 for a discussion of using specialists in a GAGAS audit.) Staffing an audit includes, among other things:

a. assigning staff and specialists with the collective knowledge, skills, and experience appropriate for the job,

b. assigning a sufficient number of staff and supervisors to the audit,

c. providing for on-the-job training of staff, and

d. engaging specialists when necessary.

7.45 If planning to use the work of a specialist, auditors should document the nature and scope of the work to be performed by the specialist, including

a. the objectives and scope of the specialist's work,

b. the intended use of the specialist's work to support the audit objectives,

c. the specialist's procedures and findings so they can be evaluated and related to other planned audit procedures, and

d. the assumptions and methods used by the specialist.

Communicating with Management, Those Charged with Governance, and Others

7.46 Auditors should communicate an overview of the objectives, scope, and methodology, and timing of the

performance audit96 and planned reporting (including any potential restrictions on the report) to the following, as applicable:

a. management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited;

b. those charged with governance;97

c. the individuals contracting for or requesting audit services, such as contracting officials, grantees; and

d. when auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee.

7.47 In situations in which those charged with governance are not clearly evident, auditors should document the process followed and conclusions reached for identifying those charged with governance.

7.48 Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate the information. Auditors should document this communication.

7.49 If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated. Determining whether and how to communicate the reason for terminating the audit to those charged with governance, appropriate officials of the audited entity, the entity contracting for or requesting the audit, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.

Preparing the Audit Plan

7.50 Auditors must prepare a written audit plan for each audit. The form and content of the written audit plan may vary among audits and may include an audit strategy, audit program, project plan, audit planning paper, or other appropriate documentation of key decisions about the audit objectives, scope, and methodology and the auditors' basis for those decisions. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit.

7.51 A written audit plan provides an opportunity for the audit organization management to supervise audit planning and to determine whether

a. the proposed audit objectives are likely to result in a useful report,

b. the audit plan adequately addresses relevant risks,

c. the proposed audit scope and methodology are adequate to address the audit objectives,

d. available evidence is likely to be sufficient and appropriate for purposes of the audit, and

e. sufficient staff, supervisors, and specialists with adequate collective professional competence and other resources are available to perform the audit and to meet expected time frames for completing the work.

Appropriateness

7.59 Appropriateness is the measure of the quality of evidence that encompasses the relevance, validity, and reliability of evidence used for addressing the audit objectives and supporting findings and conclusions. (See appendix I, paragraph A7.03 for additional guidance regarding assessing the appropriateness of evidence in relation to the audit objectives.)

a. Relevance refers to the extent to which evidence has a logical relationship with, and importance to, the issue being addressed.

b. Validity refers to the extent to which evidence is based on sound reasoning or accurate information.

c. Reliability refers to the consistency of results when information is measured or tested and includes the concepts of being verifiable or supported.

7.60 There are different types and sources of evidence that auditors may use, depending on the audit objectives. Evidence may be obtained by observation, inquiry, or inspection. Each type of evidence has its own strengths and weaknesses. (See appendix I, paragraph A7.02 for additional guidance regarding the types of evidence.) The following contrasts are useful in judging the appropriateness of evidence. However, these contrasts are not adequate in themselves to determine appropriateness. The nature and types of evidence to support auditors' findings and conclusions are matters of the auditors' professional judgment based on the audit objectives and audit risk.

a. Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent.

b. Evidence obtained through the auditors' direct physical examination, observation, computation, and inspection is generally more reliable than evidence obtained indirectly.

c. Examination of original documents is generally more reliable than examination of copies.

d. Testimonial evidence obtained under conditions in which persons may speak freely is generally more reliable than evidence obtained under circumstances in which the persons may be intimidated.

e. Testimonial evidence obtained from an individual who is not biased and has direct knowledge about the area is generally more reliable than testimonial evidence obtained from an individual who is biased or has indirect or partial knowledge about the area.

f. Evidence obtained from a knowledgeable, credible, and unbiased third party is generally more reliable than evidence from management of the audited entity or others who have a direct interest in the audited entity.

7.61 Testimonial evidence may be useful in interpreting or corroborating documentary or physical information. Auditors should evaluate the objectivity, credibility, and reliability of the testimonial evidence. Documentary evidence may be used to help verify, support, or challenge testimonial evidence.

7.62 Surveys generally provide self-reported information about existing conditions or programs. Evaluation of the survey design and administration assists auditors in evaluating the objectivity, credibility, and reliability of the self-reported information.

7.63 When sampling is used, the method of selection that is appropriate will depend on the audit objectives. When a representative sample is needed, the use of statistical sampling approaches generally results in stronger evidence than that obtained from nonstatistical techniques. When a representative sample is not needed, a targeted selection may be effective if the auditors have isolated certain risk factors or other criteria to target the selection.

7.64 When auditors use information gathered by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. The auditor may find it necessary to perform testing of management's procedures to obtain assurance or perform direct testing of the information. The nature and extent of the auditors' procedures will depend on the significance of the information to the audit objectives and the nature of the information being used.

7.65 Auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it. The nature, timing, and extent of audit procedures to assess sufficiency and appropriateness is affected by the effectiveness of the entity's internal controls over the information, including information systems controls, and the significance of the information and the level of detail presented in the auditors' findings and conclusions in light of the audit objectives. (See paragraphs 7.23 through 7.27 for additional discussion on assessing the effectiveness of information systems controls.)

Sufficiency

7.66 Sufficiency is a measure of the quantity of evidence used for addressing the audit objectives and supporting findings and conclusions. Sufficiency also depends on the appropriateness of the evidence. In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions.

7.67 The following presumptions are useful in judging the sufficiency of evidence. The sufficiency of evidence required to support the auditors' findings and conclusions is a matter of the auditors' professional judgment.

a. The greater the audit risk, the greater the quantity and quality of evidence required.

b. Stronger evidence may allow less evidence to be used.

c. Having a large volume of audit evidence does not compensate for a lack of relevance, validity, or reliability.

Overall Assessment of Evidence

7.68 Auditors should determine the overall sufficiency and appropriateness of evidence to provide a reasonable basis for the findings and conclusions, within the context of the audit objectives. Professional judgments about the sufficiency and appropriateness of evidence are closely interrelated, as auditors interpret the results of audit testing and evaluate whether the nature and extent of the evidence obtained is sufficient and appropriate. Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments conducted to conclude on the validity and reliability of specific evidence.

7.69 Sufficiency and appropriateness of evidence are relative concepts, which may be thought of in terms of a continuum rather than as absolutes. Sufficiency and appropriateness are evaluated in the context of the related findings and conclusions. For example, even though the auditors may have some limitations or uncertainties about the sufficiency or appropriateness of some of the evidence, they may nonetheless determine that in total there is sufficient, appropriate evidence to support the findings and conclusions.

7.70 When assessing the sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions, available corroborating evidence, and the level of audit risk. The steps to assess evidence may depend on the nature of the evidence, how the evidence is used in the audit or report, and the audit objectives.

a. Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives.

b. Evidence is not sufficient or not appropriate when
(1) using the evidence carries an unacceptably high risk that it could lead to an incorrect or improper conclusion, (2) the evidence has significant limitations, given the audit objectives and intended use of the evidence, or (3) the evidence does not provide an adequate basis for addressing the audit objectives or supporting the findings and conclusions. Auditors should not use such evidence as support for findings and conclusions.

7.71 Evidence has limitations or uncertainties when the validity or reliability of the evidence has not been assessed or cannot be assessed, given the audit objectives and the intended use of the evidence. Limitations also include errors identified by the auditors in their testing. When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should apply additional procedures, as appropriate. Such procedures include

a. seeking independent, corroborating evidence from other sources;

b. redefining the audit objectives or limiting the audit scope to eliminate the need to use the evidence;

c. presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing in the report the limitations or uncertainties with the validity or reliability of the evidence, if such disclosure is necessary to avoid misleading the report users about the findings or conclusions (see paragraph 8.15 for additional reporting requirements when there are limitations or uncertainties with the validity or reliability of evidence); or

d. determining whether to report the limitations or uncertainties as a finding, including any related, significant internal control deficiencies.

Developing Elements of a Finding

7.72 Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives. In addition, if auditors are able to sufficiently develop the elements of a finding, they should develop recommendations for corrective action if they are significant within the context of the audit objectives. The elements needed for a finding depend entirely on the objectives of the audit. Thus, a finding or set of findings is complete to the extent that the audit objectives are addressed and the report clearly relates those objectives to the elements of a finding. For example, an audit objective may be limited to determining the current status or condition of program operations or progress in implementing legislative requirements, and not the related cause or effect. In this situation, developing the condition would address the audit objective and development of the other elements of a finding would not be necessary.

7.73 The element of criteria is discussed in paragraphs 7.37 and 7.38, and the other elements of a finding--condition, effect, and cause--are discussed in paragraphs 7.74 through 7.76.

7.74 Condition: Condition is a situation that exists. The condition is determined and documented during the audit.

7.75 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference. When the audit objectives include explaining why a particular type of positive or negative program performance, output, or outcome identified in the audit occurred, they are referred to as "cause." Identifying the cause of problems may assist auditors in making constructive recommendations for correction. Because problems can result from a number of plausible factors or multiple causes, the recommendation can be more persuasive if auditors can clearly demonstrate and explain with evidence and reasoning the link between the problems and the factor or factors they have identified as the cause or causes. Auditors may identify deficiencies in program design or structure as the cause of deficient performance. Auditors may also identify deficiencies in internal control that are significant to the subject matter of the performance audit as the cause of deficient performance. In developing these types of findings, the deficiencies in program design or internal control would be described as the "cause." Often the causes of deficient program performance are complex and involve multiple factors, including fundamental, systemic root causes. Alternatively, when the audit objectives include estimating the program's effect on changes in physical, social, or economic conditions, auditors seek evidence of the extent to which the program itself is the "cause" of those changes.

7.76 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, "effect" is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. When the audit objectives include estimating the extent to which a program has caused changes in physical, social, or economic conditions, "effect" is a measure of the impact achieved by the program. In this case, effect is the extent to which positive or negative changes in actual physical, social, or economic conditions can be identified and attributed to the program.