Government Auditing Standards--Chapter 1: Use and Application of GAGAS

Chapter 1: Use and Application of GAGAS

Introduction

1.01 Auditing is essential to government accountability to the public. Audits and attestation engagements provide an independent, objective, nonpartisan assessment of the stewardship, performance, or cost of government policies, programs, or operations, depending upon the type and scope of the audit.

1.02 The concept of accountability for use of public resources and government authority is key to our nation's governing processes. Government officials entrusted with public resources are responsible for carrying out public functions legally, effectively, efficiently, economically, ethically, and equitably.1 Government managers are responsible for providing reliable, useful, and timely information for accountability of government programs and their operations. (See appendix I paragraph A1.08 for additional information on management's responsibility.) Legislators, government officials, and the public need to know whether (1) government manages public resources and uses its authority properly and in compliance with laws and regulations; (2) government programs are achieving their objectives and desired outcomes; (3) government services are provided effectively, efficiently, economically, ethically, and equitably; and (4) government managers are held accountable for their use of public resources.

Purpose and Applicability of GAGAS

1.03 The professional standards and guidance contained in this document, commonly referred to as generally accepted government auditing standards (GAGAS), provide a framework for conducting high quality government audits and attestation engagements with competence, integrity, objectivity, and independence. These standards are for use by auditors2 of government entities and entities that receive government awards and audit organizations3 performing GAGAS audits and attestation engagements. GAGAS contain requirements and guidance dealing with ethics, independence, auditors' professional competence and judgment, quality control, the performance of field work, and reporting. Audits and attestation engagements performed under GAGAS provide information used for oversight, accountability, and improvements of government programs and operations. GAGAS contain requirements and guidance to assist auditors in objectively acquiring and evaluating sufficient, appropriate evidence and reporting the results. When auditors perform their work in this manner and comply with GAGAS in reporting the results, their work can lead to improved government management, better decision making and oversight, effective and efficient operations, and accountability for resources and results.

1.04 Laws, regulations, contracts, grant agreements, or policies frequently require audits in accordance with GAGAS. Many auditors and audit organizations also voluntarily choose to perform their work in accordance with GAGAS. The requirements and guidance in this document apply to audits and attestation engagements of government entities, programs, activities, and functions, and of government assistance administered by contractors, nonprofit entities, and other nongovernmental entities when the use of GAGAS is required or is voluntarily followed.

Use of Terminology to Define Professional Requirements in GAGAS

1.05 GAGAS contain professional requirements together with related guidance in the form of explanatory material.4 Auditors have a responsibility to consider the entire text of GAGAS in carrying out their work and in understanding and applying the professional requirements in GAGAS.

1.06 Not every paragraph of GAGAS carries a professional requirement that auditors and audit organizations are expected to fulfill. Rather, the professional requirements are identified through use of specific language.

1.07 GAGAS use two categories of professional requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations, as follows:

a. Unconditional requirements: Auditors and audit organizations are required to comply with an unconditional requirement in all cases in which the circumstances exist to which the unconditional requirement applies. GAGAS use the words must or is required to specify an unconditional requirement.

b. Presumptively mandatory requirements: Auditors and audit organizations are also required to comply with a presumptively mandatory requirement in all cases in which the circumstances exist to which the presumptively mandatory requirement applies; however, in rare circumstances, auditors and audit organizations may depart from a presumptively mandatory requirement provided they document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. GAGAS use the word should to specify a presumptively mandatory requirement.

1.08 Explanatory material is defined as the text within GAGAS (including appendix I) other than the requirements defined in paragraph 1.07. Explanatory material uses the words may, might , and could to describe explanatory information and is provided to

a. provide further explanation and guidance on the professional requirements or

b. identify and describe other procedures or actions relating to auditors' or audit organizations' activities.

1.09 Explanatory material is intended to be descriptive rather than required. This material is intended, for example, to explain the objective of a requirement where it would be useful to do so; explain why particular procedures may be considered or employed under certain circumstances; or provide additional information to consider in exercising professional judgment.

1.10 Explanatory material that identifies and describes other procedures or actions does not impose a professional requirement on the auditor or audit organization to perform the suggested procedures or actions. How and whether to carry out such procedures or actions depends on the exercise of professional judgment consistent with the objective of the standard.

Stating Compliance with GAGAS in the Auditors' Report

1.11 When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13.

1.12 Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate.5

a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have
(1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or
(2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means.

b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided.

1.13 When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement.6 The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives.

Relationship between GAGAS and Other Professional Standards

1.14 Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results.

1.15 The relationship between GAGAS and other professional standards for financial audits and attestation engagements is as follows:

a. The American Institute of Certified Public Accountants (AICPA) has established professional standards that apply to financial audits and attestation engagements for nonissuers7 performed by certified public accountants (CPA). For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS) 8 unless specifically excluded or modified by GAGAS. For attestation engagements, GAGAS incorporate the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE) unless specifically excluded or modified by GAGAS. GAGAS describe ethical principles, and establish independence and other general standards, and additional field work and reporting standards beyond those provided by the AICPA for performing financial audits and attestation engagements.

b. The Public Company Accounting Oversight Board (PCAOB) has established professional standards that apply to financial audits and attestation engagements for issuers. Auditors may use GAGAS in conjunction with the PCAOB standards.

c. The International Auditing and Assurance Standards Board (IAASB) has established professional standards that apply to financial audits and attestation engagements. Auditors may use GAGAS in conjunction with the IAASB standards and the related statements on International Statements on Auditing (ISA) .

1.16 For performance audits, auditors may use other professional standards in conjunction with GAGAS, such as the following:

a. International Standards for the Professional Practice of Internal Auditing , The Institute of Internal Auditors, Inc.;

b. Guiding Principles for Evaluators , American Evaluation Association;

c. The Program Evaluation Standards , Joint Committee on Standards for Education Evaluation; and

d. Standards for Educational and Psychological Testing , American Psychological Association.

Types of GAGAS Audits and Attestation Engagements

1.17 This section describes the types of audits and attestation engagements that audit organizations may perform under GAGAS. This description is not intended to limit or require the types of audits or attestation engagements that may be performed under GAGAS.

1.18 All audits and attestation engagements begin with objectives, and those objectives determine the type of audit to be performed and the applicable standards to be followed. The types of audits that are covered by GAGAS, as defined by their objectives, are classified in this document as financial audits, attestation engagements, and performance audits.

1.19 In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent. For example, if the audit objective is to express an opinion on financial statements, the standards for financial audits apply. However, some engagements may have multiple or overlapping objectives. For example, if the objectives are to determine the reliability of performance measures, this work can be done in accordance with either the standards for attestation engagements or for performance audits. In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow.

1.20 GAGAS requirements apply to the types of audit and attestation engagements that may be performed under GAGAS as follows:

a. Financial audits: chapters 1 through 5 apply.

b. Attestation engagements: chapters 1 through 3 and 6 apply.

c. Performance audits: chapters 1 through 3 and 7 and 8 apply.

1.21 Appendix I includes supplemental guidance for auditors and the audited entities to assist in the implementation of GAGAS. Appendix I does not establish auditor requirements but instead is intended to facilitate auditor implementation of the standards contained in chapters 1 through 8.

Financial Audits

1.22 Financial audits provide an independent assessment of and reasonable assurance about whether an entity's reported financial condition, results, and use of resources are presented fairly in accordance with recognized criteria. Reporting on financial audits performed in accordance with GAGAS also includes reports on internal control, compliance with laws and regulations, and provisions of contracts and grant agreements as they relate to financial transactions, systems, and processes. Financial audits performed under GAGAS include financial statement audits and other related financial audits:

a. Financial statement audits: The primary purpose of a financial statement audit is to provide reasonable assurance through an opinion (or disclaim an opinion) about whether an entity's financial statements are presented fairly in all material respects in conformity with generally accepted accounting principles (GAAP),9 or with a comprehensive basis of accounting other than GAAP.

b. Other types of financial audits: Other types of financial audits under GAGAS provide for different levels of assurance and entail various scopes of work, including: (1) providing special reports, such as for specified elements, accounts, or items of a financial statement;10(2) reviewing interim financial information; 11 (3) issuing letters for underwriters and certain other requesting parties; (4) reporting on the controls over processing of transactions by service organizations;12 and (5) auditing compliance with regulations relating to federal award expenditures and other governmental financial assistance in conjunction with or as a by-product of a financial statement audit.

Attestation Engagements

1.23 Attestation engagements can cover a broad range of financial or nonfinancial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users' needs. Attestation engagements result in an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter that is the responsibility of another party. The three types of attestation engagements are:

a. Examination: Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria.

b. Review: Consists of sufficient testing to express a conclusion about whether any information came to the auditors' attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. As stated in the AICPA SSAE, auditors should not perform review-level work for reporting on internal control or compliance with laws and regulations.

c. Agreed-Upon Procedures: Consists of specific procedures performed on a subject matter.

1.24 The subject matter of an attestation engagement may take many forms. Possible subjects of attestation engagements include reporting on

a. prospective financial or performance information;

b. management's discussion and analysis (MD&A) presentation;

c. an entity's internal control over financial reporting;

d. the effectiveness of an entity's internal control over compliance with specified requirements, such as those governing the bidding for, accounting for, and reporting on grants and contracts;

e. an entity's compliance with requirements of specified laws, regulations, policies, contracts, or grants;

f. the accuracy and reliability of reported performance measures;

g. incurred final contract costs are supported with required evidence and in compliance with the contract terms;

h. the allowability and reasonableness of proposed contract amounts that are based on detailed costs;

i. the quantity, condition, or valuation of inventory or assets; and

j. specific procedures performed on a subject matter (agreed-upon procedures).

Performance Audits

1.25 Performance audits are defined as engagements that provide assurance or conclusions based on an evaluation of sufficient, appropriate evidence against stated criteria, such as specific requirements, measures, or defined business practices. Performance audits provide objective analysis so that management and those charged with governance and oversight can use the information to improve program13 performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action, and contribute to public accountability. Reporting information without following GAGAS is not a performance audit but a nonaudit service provided by an audit organization.

1.26 Performance audits that comply with GAGAS provide reasonable assurance that the auditors have obtained sufficient, appropriate evidence to support the conclusions reached. Thus, the sufficiency and appropriateness of evidence needed and tests of evidence will vary based on the audit objectives and conclusions.

1.27 A performance audit is a dynamic process that includes consideration of the applicable standards throughout the course of the audit. An ongoing assessment of the objectives, audit risk, audit procedures, and evidence during the course of the audit facilitates the auditors' determination of what to report and the proper context for the audit conclusions, including discussion about the sufficiency and appropriateness of evidence being used as a basis for the audit conclusions. Performance audit conclusions logically flow from all of these elements and provide an assessment of the audit findings and their implications.

1.28 Performance audit objectives may vary widely and include assessments of program effectiveness, economy, and efficiency; internal control;14 compliance; and prospective analyses. These overall objectives are not mutually exclusive. Thus, a performance audit may have more than one overall objective. For example, a performance audit with an initial objective of program effectiveness may also involve an underlying objective of evaluating internal controls to determine the reasons for a program's lack of effectiveness or how effectiveness can be improved.

1.29 Program effectiveness and results audit objectives are frequently interrelated with economy and efficiency objectives. Audit objectives that focus on program effectiveness and results typically measure the extent to which a program is achieving its goals and objectives. Audit objectives that focus on economy and efficiency address the costs and resources used to achieve program results. Examples of audit objectives in these categories include

a. assessing the extent to which legislative, regulatory, or organizational goals and objectives are being achieved;

b. assessing the relative ability of alternative approaches to yield better program performance or eliminate factors that inhibit program effectiveness;

c. analyzing the relative cost-effectiveness of a program or activity;15

d. determining whether a program produced intended results or produced results that were not consistent with the program's objectives;

e. determining the current status or condition of program operations or progress in implementing legislative requirements;

f. determining whether a program provides equitable access to or distribution of public resources within the context of statutory parameters;

g. assessing the extent to which programs duplicate, overlap, or conflict with other related programs;

h. evaluating whether the audited entity is following sound procurement practices;

i. assessing the reliability, validity, or relevance of performance measures concerning program effectiveness and results, or economy and efficiency;

j. assessing the reliability, validity, or relevance of financial information related to the performance of a program;

k. determining whether government resources (inputs) are obtained at reasonable costs while meeting timeliness and quality considerations;

l. determining whether appropriate value was obtained based on the cost or amount paid or based on the amount of revenue received;

m. determining whether government services and benefits are accessible to those individuals who have a right to access those services and benefits;

n. determining whether fees assessed cover costs;

o. determining whether and how the program's unit costs can be decreased or its productivity increased; and

p. assessing the reliability, validity, or relevance of budget proposals or budget requests to assist legislatures in the budget process.

1.30 Internal control audit objectives relate to an assessment of the component of an organization's system of internal control that is designed to provide reasonable assurance of achieving effective and efficient operations, reliable financial and performance reporting, or compliance with applicable laws and regulations. Internal control objectives also may be relevant when determining the cause of unsatisfactory program performance. Internal control comprises the plans, policies, methods, and procedures used to meet the organization's mission, goals, and objectives. Internal control includes the processes and procedures for planning, organizing, directing, and controlling program operations, and management's system for measuring, reporting, and monitoring program performance. Examples of audit objectives related to internal control include an assessment of the extent to which internal control provides reasonable assurance about whether

a. organizational missions, goals, and objectives are achieved effectively and efficiently;

b. resources are used in compliance with laws, regulations, or other requirements;

c. resources, including sensitive information accessed or stored outside the organization's physical perimeter, are safeguarded against unauthorized acquisition, use, or disposition;

d. management information, such as performance measures, and public reports are complete, accurate, and consistent to support performance and decision making;

e. the integrity of information from computerized systems is achieved; and

f. contingency planning for information systems provides essential back-up to prevent unwarranted disruption of the activities and functions that the systems support.

1.31 Compliance audit objectives relate to compliance criteria established by laws, regulations, contract provisions, grant agreements, and other requirements16 that could affect the acquisition, protection, use, and disposition of the entity's resources and the quantity, quality, timeliness, and cost of services the entity produces and delivers. Compliance objectives include determining whether

a. the purpose of the program, the manner in which it is to be conducted, the services delivered, the outcomes, or the population it serves is in compliance with laws, regulations, contract provisions, grant agreements, and other requirements;

b. government services and benefits are distributed or delivered to citizens based on the individual's eligibility to obtain those services and benefits;

c. incurred or proposed costs are in compliance with applicable laws, regulations, and contracts or grant agreements; and

d. revenues received are in compliance with applicable laws, regulations, and contract or grant agreements.

1.32 Prospective analysis audit objectives provide analysis or conclusions, about information that is based on assumptions about events that may occur in the future along with possible actions that the audited entity may take in response to the future events. Examples of objectives pertaining to this work include providing conclusions based on

a. current and projected trends and future potential impact on government programs and services;

b. program or policy alternatives, including forecasting program outcomes under various assumptions;

c. policy or legislative proposals, including advantages, disadvantages, and analysis of stakeholder views;

d. prospective information prepared by management;

e. budgets and forecasts that are based on
(1) assumptions about expected future events and
(2) management's expected reaction to those future events; and

f. management's assumptions on which prospective information is based.

Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations

1.33 GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). (See paragraphs 3.25 through 3.30 for additional discussion of nonaudit services.) Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS.

1.34 Audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment either in fact or appearance with respect to the entities they audit. (See paragraph 3.02.)

1. The term "equity" in this context refers to the approaches used by a government, nonprofit, or other organizations that manage or carry out government programs to provide services to the public in a fair manner within the context of the statutory boundaries of the specific government programs.

2. The term "auditor" throughout this document includes individuals performing work under GAGAS (including audits and attestation engagements) and, therefore, individuals who may have the titles auditor, analyst, evaluator, inspector, or other similar titles.

3. The term "audit organization" is used throughout the standards to refer to government audit organizations as well as public accounting firms that perform audits using GAGAS.

4. The terminology used in GAGAS to designate professional requirements and explanatory material is intended to be consistent with the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standard No. 102, Defining Professional Requirements in Statements on Auditing Standards.

5. For financial audits and attestation engagements, AICPA reporting standards provide additional guidance when some or all of the standards are not followed.

6. See footnote 35 for applicability of peer review and quality assurance requirements in this assessment.

7. Under the Sarbanes-Oxley Act of 2002 (Public Law 107-204), audits of issuers (generally, publicly traded companies with a reporting obligation under the Securities Exchange Act of 1934) are subject to rules and standards established by the Public Company Accounting Oversight Board. The term "nonissuer" refers to any entity other than an issuer under the Sarbanes-Oxley Act of 2002, such as privately held companies, nonprofit entities, and government entities.

8. Because GAGAS incorporate the field work and reporting standards of the AICPA for financial audits performed in which U.S. auditing standards are to be followed, auditors are not required to cite compliance with the AICPA standards when citing compliance with GAGAS, although auditors may cite both sets of standards.

9. The three U.S.-based authoritative bodies for establishing accounting principles and financial reporting standards are the Federal Accounting Standards Advisory Board (federal government), the Governmental Accounting Standards Board (state and local governments), and the Financial Accounting Standards Board (nongovernmental entities).

10. Special reports are auditors' reports issued in connection with the following: (1) financial statements that are prepared in conformity with a comprehensive basis of accounting other than generally accepted accounting principles; (2) specified elements, accounts, or items of a financial statement; (3) compliance with aspects of contractual agreements or regulatory requirements related to audited financial statements; (4) financial presentations to comply with contractual agreements or regulatory requirements; or (5) financial information presented in prescribed forms or schedules that require a prescribed form of auditors' report. (See AU Section 623, Special Reports.)

11. See AU Section 722, Interim Financial Information.

12. A service organization is the entity or a segment of an entity that provides services to a user organization that are part of the user organization's information system. A user organization is an entity that has engaged a service organization. (See AU Section 324, Service Organizations.)

13. The term "program" is used in this document to include government entities, organizations, programs, activities, and functions.

14. In the context of performance audits, the term "internal control" in this document is synonymous with the term management control and covers all aspects of an entity's operations (programmatic, financial, and compliance).

15. These objectives focus on combining cost information with information about outputs or the benefit provided or with outcomes or the results achieved.

16. Compliance requirements can be either financial or nonfinancial.