This is the accessible text file for GAO report number GAO-08-585G 
entitled 'Financial Audit Manual, Volume 1' which was released on 
July 28, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-08-585G: 

Financial Audit Manual, Volume 1: 

July 2008: 

United States Government Accountability Office: 

President’s Council On Integrity & Efficiency: 

July 2008: 

To Audit Officials, Agency CFOs, And Others Interested In Federal 
Financial Auditing And Reporting: 

This letter transmits the revised Financial Audit Manual (FAM) Volume 1 
of the Government Accountability Office (GAO) and the President’s 
Council on Integrity and Efficiency (PCIE). GAO and the PCIE issued the 
joint FAM in July 2001. The FAM presents a methodology to perform 
financial statement audits of federal entities in accordance with 
professional standards. We have updated the FAM for significant changes 
that have occurred in auditing financial statements in the U.S. 
government since the last major revisions to the FAM were issued in 
July 2004. 

To help the FAM continue to meet the needs of the federal audit 
community and the public it serves, GAO and the PCIE created a joint 
FAM Working Group. The Group is comprised of auditors from GAO and 
several Offices of the Inspectors General experienced in conducting 
audits of federal entity financial statements. Through a collaborative 
effort, the FAM Working Group prepared a revised FAM Volume 1 that
contains the audit methodology. A revised FAM Volume 2 that contains 
audit tools is being issued separately. FAM Volume 3, which contains 
checklists for Federal Accounting (FAM 2010) and Federal Reporting and 
Disclosures (FAM 2020), was issued on August 28, 2007 (GAO-07-1173G). 

On October 5, 2007, we issued exposure drafts of FAM Volumes 1 and 2 
for an extended public comment period that ended on January 31, 2008. 
We received 15 letters of comment which have been considered in this 
issued version of FAM Volume 1, as well as FAM Volume 2. 

The revisions to the FAM are primarily due to changes in (1) 
professional auditing and attestation standards of the Auditing 
Standards Board of the American Institute of Certified Public 
Accountants (AICPA); (2) Government Auditing Standards issued by GAO; 
(3) audit and reporting guidance issued by the Office of Management and 
Budget (OMB); (4) accounting standards issued by the Federal Accounting 
Standards Advisory Board (FASAB); and (5) laws. 

Summary of Major Revisions and Improvements for FAM Volume 1: 

FAM Volume 1 incorporates changes based on (1) AICPA Statement of 
Auditing Standards (SAS) Nos. 100 through 114, which include the audit 
risk standards (SAS Nos. 104 through 111); (2) Government Auditing 
Standards (July 2007 Revision); (3) audit guidance in OMB Bulletin No. 
07-04, Audit Requirements for Federal Financial Statements (September 
4, 2007); and (4) financial reporting guidance in revised OMB Circular 
No. A-136, Financial Reporting Requirements (June 29, 2007). 

FAM Volume 1 also includes the effects on financial audits of FASAB 
accounting concepts and standards issued through May 31, 2007. This 
includes accounting, reporting, and disclosure requirements for social 
insurance, heritage assets and stewardship land, and earmarked funds. 
Finally, throughout the updated FAM Volume 1, revisions were made for 
new terminology, changes in the federal audit environment, and effects 
of applicable laws. A table of major changes to FAM Volume 1 is 
presented in attachment 1 to this letter. 

This FAM Volume 1 supersedes previously issued versions of FAM Volume 1
through July 2004 and can be used to audit federal entity financial 
statements for the fiscal year ended September 30, 2008. 

Should you need additional information, please contact us at 
fam@gao.gov or call GAO’s Financial Management and Assurance Assistant 
Directors Roger Stoltz, at (202) 512-9408; or Janet Krell, at (202) 512-4716;
Director Steve Sebastian at (202) 512-9521; or PCIE FAM Working 
Group Leaders Alex Biggs, at (202) 693-5258; or Joel Grover, at (202) 
927-5768. Other GAO FAM Project Team and PCIE FAM Working Group members 
are presented in attachment 2 of this letter. 

Sincerely yours, 

Signed by: 

McCoy Williams: 
Managing Director: 
Financial Management and Assurance: 
U.S. Government Accountability Office: 

The Honorable Jon T. Rymer:
Chair, Audit Committee: 
President’s Council on Integrity and Efficiency: 

Attachments and enclosures: 

Attachment 1: Table of Major Changes to FAM Volume 1: 

FAM section: 100-500; 
Major change: The audit risk standards (SAS Nos. 104-111), effective for
audits of financial statements for periods beginning on or after 
December 15, 2006, provide guidance concerning the auditor’s assessment 
of the risk of material misstatement (whether caused by error or fraud) 
in a financial statement audit and the design and performance of audit 
procedures whose nature, extent, and timing respond to assessed risks. 
These standards also provide guidance on planning and supervision, the 
nature of audit evidence, and evaluating whether the audit evidence
obtained affords a reasonable basis for an opinion on the financial 
statements. While the FAM has always used a risk-based methodology, 
many changes were made throughout FAM Volume 1 to comply with the 
terminology and guidance of the risk standards, particularly in FAM 200 
on audit planning. 

FAM section: 110.28; 
Major change: “Must” as used in the FAM now indicates a required 
procedure (mostly by professional standards) where the auditor’s failure
to perform means the auditor will not be able to express an unqualified 
opinion on the entity’s financial statements. Minor clarifications have 
been made to the definitions of the related terms “should,” “generally 
should,” and “may.” 

FAM section: 215, 215 A, 215 B; 
Major change: These are new sections of the FAM that address 
establishing an understanding with the client. They include guidance for
identifying the client and those charged with governance in the federal 
environment; issues of audit scope; matters to be communicated to 
management and those charged with governance (following SAS Nos. 112 
and 114, and GAGAS); and the use of engagement, intent, notification, 
and commitment letters. FAM 215 A provides two examples of an engagement
letter (SAS No. 108), and FAM 215 B provides an example of a letter to 
those charged with governance. Some of this information was previously 
in FAM 280.06-.09. 

FAM section: 230.05; 
Major change: The term “test materiality” was changed to “tolerable
misstatement”, consistent with SAS No. 107. 

FAM section: 235; 
Major change: The definitions of the assertions were revised to be 
consistent with SAS No. 106. This standard identifies 13 financial
statement assertions, which are grouped in the FAM into 5 assertions, 
as shown in FAM 235.08. The revised assertion definitions do not 
significantly affect the related potential misstatement definitions in 
the FAM used for audit planning and testing. 

FAM section: 260; 
Major change: The term “combined risk” was changed to “risk of material
misstatement” and is the auditor’s combined assessment of inherent risk 
and control risk (SAS No. 107). FAM 260.13-.17 now discuss 
identification and communication of the risk of material misstatement 
among the audit team, including “brainstorming” sessions (SAS No. 109). 
FAM 260.67-.70 have been added to discuss work conducted under the 
Federal Information Security Management Act of 2002 and its 
relationship to the auditor’s risk assessment. 

FAM section: 285; 
Major change: When planning locations to visit, the auditor now should 
rely only on controls tested for the current year and past 2 years, 
after determining that there were no changes (SAS No. 110), rather than 
the previous 5 years. 

FAM section: 290; 
Major change: Documentation requirements were expanded to include the
understanding established with the client (FAM 215); audit strategy 
(SAS No. 108.13-.14) as part of the General Risk Analysis; effect of 
the risk of material misstatement, including fraud risk on the audit 
strategy; changes to the assessment of risk of material misstatement, 
including fraud risk during the audit (SAS No. 109); audit 
plan/procedures expected to reduce audit risk to an acceptably low 
level (SAS No. 108); and communication of audit issues (FAM 290.11) to 
include those charged with governance (SAS No. 112 and 114). 

FAM section: 295 B; 
Major change: FAM 295 B.12 expands identifying and analyzing risks of
material misstatements (SAS No. 109) within the entity’s risk 
assessment process. FAM 295 B.17 includes consideration of OMB Circular 
No. A-123 reviews. 

FAM section: 310; 
Major change: The overview was expanded in FAM 310.01 on how the auditor
should use results of internal control work, and a new FAM 310.02 
explains that auditors may no longer default to maximum for the control 
risk assessment when designing further audit procedures (SAS No. 110). 
New FAM 310.11-.13 discuss use of SAS No. 70 reports in the financial 
audit. 

FAM section: 320; 
Major change: FAM 320.03 expanded the discussion of the auditor’s
understanding of the accounting system(s). 

FAM section: 350; 
Major change: A new FAM 350.21 expanded the discussion regarding the timing of 
control tests that was formerly in FAM 350.17. 

FAM section: 380; 
Major change: FAM 380.01 expanded the discussion of multiyear testing of
controls (SAS No. 110). 

FAM section: 390; 
Major change: A new FAM 390.03 was created to document audit procedures
and conclusions on multiyear testing. 

FAM section: 410; 
Major change: The overview was reorganized to better present the audit 
work to be done during the testing phase. 

FAM section: 420; 
Major change: New FAM 420.01-.02 were created to explain designing 
further audit procedures. 

FAM section: 450; 
Major change: A new FAM 450.01 was added on performing tests of controls. 

FAM section: 470; 
Major change: FAM 470.01-.03 were revised to discuss substantive procedures and 
detection risk. 

FAM section: 475; 
Major change: FAM 475.04 was added for designing substantive analytical
procedures as discussed in SAS No. 110. 

FAM section: 490; 
Major change: FAM 490.01-.04 were revised for documenting assessed risk of material 
misstatement at the relevant assertion level (SAS No. 110) and for 
classifying deficiencies as material weaknesses, other significant 
deficiencies, or other control deficiencies (SAS No. 112). 

FAM section: 540; 
Major change: FAM 540.07-.08 were revised for discussing misstatements 
with management and those charged with governance (SAS No. 114). 

FAM section: 550; 
Major change: FAM 550.13-.16 were added to discuss communication with
those charged with governance (SAS No. 114). 

FAM section: 580; 
Major change: FAM 580.01 was revised to indicate that non-GAO auditors 
may report FFMIA with compliance with laws and regulations. FAM 580.33-.34
were revised and FAM 580.35 was added on control deficiency, 
significant deficiency, and material weakness (SAS No. 112). FAM 580.82 
on other information in the annual financial statement was expanded 
through FAM 580.84. A new FAM 580.85 was added on dating the auditor’s 
report (SAS No. 103); new FAM 580.86-.87 were added on other reporting
matters concerning restatements and information contained in the 
Performance and Accountability Report. 

FAM section: 590; 
Major change: FAM 590.08-.10 have been added for documenting subsequent
discovery of facts, condensed financial statements, and exit 
conference. 

FAM section: 595 A; 
Major change: A new example 2 report was added for reporting internal
control deficiencies without expressing an opinion on control 
effectiveness. Both example reports reflect new terminology consistent 
with changes in professional standards. Both examples indicate that
non-GAO auditors may report FFMIA with compliance with laws and 
regulations. 

FAM section: 595 B; 
Major change: Example modifications to the auditor’s report were 
revised for terminology in new standards. 

FAM section: 595 C; 
Major change: New narrative in FAM 595 C.01-.15 was added for discussing
uncorrected misstatements and adjusting entries with management (SAS 
No. 107) and those charged with governance (SAS No. 114). Also, new 
examples are provided of the Schedule of Uncorrected Misstatements and 
the Summary of Uncorrected Misstatements. 

FAM section: 595 D; 
Major change: Example Summary of Unadjusted Misstatements has been
eliminated, and examples are now provided in FAM 595 C. 

[End of attachment] 

Attachment 2: 

GAO FAM Project Team: 

McCoy Williams, Managing Director:
Steven J. Sebastian, Director:
Robert F. Dacey, Chief Accountant:
Abraham D. Akresh, Senior Level Expert for Auditing Standards:
Roger R. Stoltz, Assistant Director:
Janet M. Krell, Assistant Director:
Corinne P. Robertson, Senior Auditor and Project Manager:
William E. Boutboul, Project Manager:
Charles R. Fox, Project Manager:
Suzanne Murphy, Project Manager:
Vera M. Seekins, Senior Auditor:
Sharon O. Bryd, Audit Sampling Specialist:
Francis L. Dymond, Assistant General Counsel:
Jacquelyn N. Hamilton, Deputy Assistant General Counsel: 

PCIE FAM Working Group Members: 

The Honorable John P. Higgins, Jr., Chairman, Audit Committee, PCIE: 
Alex Biggs, PCIE Working Group Leader, Office of Inspector General,
U.S. Department of Labor: 
Joel Grover, PCIE Working Group Leader, Office of Inspector General,
U.S. Department of Treasury: 
Debra Alford, Office of Inspector General, U.S. Department of Defense:
Morgan Aronson, Office of Inspector General, U.S. Department of 
Interior: 
Ade Bankole, Office of Inspector General, U.S. Department of Treasury: 
Susan Barron, Office of Inspector General, U.S. Department of Treasury: 
Paul Curtis, Office of Inspector General, Environmental Protection 
Agency: 
Mary Harmison, Office of Inspector General, Federal Trade Commission:
Mark L. Hayes, Office of Inspector General, U.S. Department of Justice:
David S. Laun, Office of Inspector General, U.S. Department of Justice:
Marie Maguire, Office of Inspector General, National Science Foundation:
Kelly A. McFadden, Office of Inspector General, U.S. Department of 
Justice: 
Joon Park, Office of Inspector General, U.S. Department of Labor:
Kieu Rubb, Office of Inspector General, U.S. Department of Treasury:
Gregory Spencer, Office of Inspector General, U.S. Department of 
Education: 

[End of attachment] 

Contents: 

100: Introduction: 

110: Overview of the FAM Methodology: 

200: Planning Phase: 

210: Overview of the Planning Phase: 

215: Establish an Understanding with the Client: 

220: Understand the Entity’s Operations: 

225: Perform Preliminary Analytical Procedures: 

230: Determine Planning and Design Materiality and Tolerable 
Misstatement: 

235: Identify Significant Line Items, Accounts, Assertions, and RSSI: 

240: Identify Significant Cycles, Accounting Applications, and 
Financial Management Systems: 

245: Identify Significant Provisions of Laws and Regulations: 

250: Identify Relevant Budget Restrictions: 

260: Identify Risk Factors: 

270: Determine Likelihood of Effective Information System Controls: 

275: Identify Relevant Operations Controls to Evaluate and Test: 

280: Plan Other Audit Procedures: 
* Inquiries of Legal Counsel; 
* Management Representations; 
* Related Party Transactions; 
* Sensitive Payments; 
* Other Planning Issues: 

285: Plan Locations to Visit: 

290: Documentation: 

Appendixes to FAM 200: 

215 A: Sample Audit Engagement Letter to a Federal Entity: 

215 B: Sample Letter to Those Charged With Governance: 

295 A: Potential Inherent Risk Conditions: 

295 B: Potential Control Environment, Risk Assessment, Communication, 
and Monitoring Weaknesses: 

295 C: An Approach for Multiple-Location Audits: 

295 D: Interim Substantive Testing of Balance Sheet Accounts: 

295 E: Effect of Risk of Material Misstatement on Extent of Audit
Procedures: 

295 F: Types of Information System Controls: 

295 G: Budget Controls: 

295 H: Laws Identified in OMB Audit Guidance and Other General Laws: 

295 I: Examples of Auditor Responses to Fraud Risks: 

295 J: Steps in Assessing Information System Controls: 

300: Internal Control Phase: 

310: Overview of the Internal Control Phase: 

320: Understand Information Systems: 

330: Identify Control Objectives: 

340: Identify and Understand Relevant Control Activities: 

350: Determine the Nature, Extent, and Timing of Control Tests and
Compliance with FFMIA: 

360: Perform Nonsampling Control Tests and Test Compliance with FFMIA: 

370: Assess Internal Control on a Preliminary Basis: 

380: Other Considerations: 

390: Documentation: 

Appendixes to FAM 300: 

395 A: Typical Relationships of Accounting Applications to Line 
Items/Accounts: 

395 B: Financial Statement Assertions, Potential Misstatements, and 
Control Objectives: 

395 C: Typical Control Activities: 

395 D: Selected Statutes Relevant to Budget Execution: 

395 E: Budget Execution Process: 

395 F: Budget Control Objectives: 

395 FS: Budget Control Objectives for Federal Credit Reform Act: 

395 G: Multiyear Testing of Controls: 

395 H: Specific Control Evaluation Worksheet: 

395 I: Account Risk Analysis Form: 

400: Testing Phase: 

410: Overview of the Testing Phase: 

420: Design the Nature, Extent, and Timing of Further Audit Procedures: 

430: Design Tests: 

440: Perform Tests and Evaluate Results: 

450: Sampling Control Tests: 

460: Compliance Tests: 

470: Substantive Procedures – Overview: 

475: Substantive Analytical Procedures: 

480: Substantive Detail Tests: 

490: Documentation: 

Appendixes to FAM 400: 

495 A: Substantive Analytical Procedure Determinations: 

495 B: Example Procedures for Tests of Budget Information: 

495 C: Guidance for Interim Testing: 

495 D: Example of Audit Matrix with Statistical Risk Factors: 

495 E: Sampling: 

495 F: Manually Selecting a Monetary Unit Sampling: 

500: Reporting Phase: 

510: Overview of the Reporting Phase: 

520: Perform Overall Analytical Procedures: 

530: Reassess Materiality and Risk: 

540: Evaluate Misstatements: 

550: Conclude Other Audit Procedures:
* Obtain Legal Representation;
* Identify Material Subsequent Events;
* Obtain Management Representations;
* Assess Related Party Transactions;
* Communicate With Those Charged With Governance: 

560: Determine Conformity with U.S. Generally Accepted Accounting
Principles: 

570: Determine Compliance with GAO/PCIE Financial Audit Manual: 

580: Draft Reports:
* Report Format;
* Financial Statements;
* Internal Control;
* Financial Management Systems;
* Compliance with Laws and Regulations;
* Other Information in the Annual Financial Report;
* Dating the Auditor’s Report;
* Restatement of Audited Financial Statements;
* Other Reporting Matters: 

590: Documentation: 

Appendixes to FAM 500: 

595 A: Example Unqualified Auditor’s Report: 

595 B: Example Modifications to the Auditor’s Report: 

595 C: Uncorrected Misstatements and Adjusting Entries: 

Appendixes: 

A: Consultations: 

B: Instances Where the Auditor "Must" Comply in the FAM: 

Glossary: 

Abbreviations: 

Index: 

[End of contents] 

Section 100: Introduction: 

Figure 100 – Overview of the FAM Methodology: 

Planning Phase: 

* Establish an Understanding with the Client: 
FAM: 215. 

* Understand the Entity’s Operations: 
FAM: 220. 

* Perform Preliminary Analytical Procedures: 
FAM: 225. 

* Determine Planning and Design Materiality and Tolerable Misstatement: 
FAM: 230. 

* Identify Significant Line Items, Accounts, Assertions, and RSSI: 
FAM: 235. 

* Identify Significant Cycles, Accounting Applications, and Systems: 
FAM: 240. 

* Identify Significant Provisions of Laws and Regulations: 
FAM: 245. 

* Identify Relevant Budget Restrictions:
FAM: 250. 

* Identify Risk Factors: 
FAM: 260. 

* Determine Likelihood of Effective Information System Controls: 
FAM: 270. 

* Identify Relevant Operations Controls to Evaluate and Test: 
FAM: 275. 

* Plan Other Audit Procedures: 
FAM: 280. 

* Plan Locations to Visit: 
FAM: 285. 

* Documentation: 
FAM: 290. 

Internal Control Phase: 

* Understand Information Systems: 
FAM: 320. 

* Identify Control Objectives: 
FAM: 330. 

* Identify and Understand Relevant Control Activities: 
FAM: 340. 

* Determine the Nature, Extent, and Timing of Control Tests and
Compliance with FFMIA: 
FAM: 350. 

* Perform Nonsampling Control Tests and Test Compliance with FFMIA: 
FAM: 360. 

* Assess Internal Control on a Preliminary Basis: 
FAM: 370. 

* Other Considerations: 
FAM: 380. 

* Documentation: 
FAM: 390. 

Testing Phase: 

* Design the Nature, Extent, and Timing of Further Audit Procedures: 
FAM: 420. 

* Design Tests: 
FAM: 430. 

* Perform Tests and Evaluate Results: 
FAM: 440. 

* Sampling Control Tests: 
FAM: 450. 

* Compliance Tests: 
FAM: 460. 

* Substantive Procedures -- Overview:
FAM: 470. 

* Substantive Analytical Procedures: 
FAM: 475. 

* Substantive Detail Tests: 
FAM: 480. 

* Documentation: 
FAM: 490. 

Reporting Phase: 

* Perform Overall Analytical Procedures: 
FAM: 520. 

* Reassess Materiality and Risk: 
FAM: 530. 

* Evaluate Misstatements: 
FAM: 540. 

* Conclude Other Audit Procedures: 
FAM: 550. 

* Determine Conformity with U.S. GAAP: 
FAM: 560. 

* Determine Compliance with GAO/PCIE Financial Audit Manual: 
FAM: 570. 

* Draft Reports: 
FAM: 580. 

* Documentation: 
FAM: 590. 

110 – Overview of the FAM Methodology: 

.01: This introduction provides an overview of the methodology of the
Government Accountability Office (GAO) and the President’s Council on
Integrity and Efficiency (PCIE) for performing financial statement 
audits of federal entities. It describes how the methodology in the 
Financial Audit Manual (FAM) relates to relevant professional auditing 
and attestation standards and Office of Management and Budget (OMB) 
guidance, and outlines key issues to be considered in using the 
methodology. 

.02: The purposes of performing financial statement audits of federal 
entities include providing decision makers (financial statement users) 
with assurance as to whether the financial statements are reliable 
[presented fairly in all material respects, in accordance with U.S. 
generally accepted accounting principles (U.S. GAAP)], reporting 
deficiencies in internal control, and, in certain circumstances, 
providing an opinion on the effectiveness of internal control, and 
reporting on noncompliance with laws and regulations tested. To achieve 
these purposes, the FAM approach to federal financial statement audits 
involves four phases -- Planning, Internal Control, Testing, and 
Reporting -- which are outlined in the rest of this section. In broad
terms, the auditor: 

* adequately plans the audit to obtain sufficient appropriate evidence; 

* understands the design of the entity’s internal control; determines
whether the design has been implemented; assesses the risks of
material misstatements; designs appropriate tests of controls and
substantive procedures; and, for Chief Financial Officers (CFO) Act
agencies and their components as designated by OMB, determines
whether financial management systems substantially comply with the
three requirements of the Federal Financial Management Improvement
Act of 1996 (FFMIA): (1) federal financial management systems
requirements, (2) applicable federal accounting standards,[Footnote 1] 
and (3) the U.S. Government Standard General Ledger (SGL) at the 
transaction level;[Footnote 2] 

* tests the significant assertions related to the financial statements,
internal control effectiveness, and compliance with laws and
regulations; and 

* reports the results of audit procedures performed, and performs other
audit procedures to complete the audit in accordance with generally
accepted government auditing standards (GAGAS). 

The FAM audit phases are illustrated in the FAM methodology overview in
figure 100 and are summarized in the following pages of this section. 
[Footnote 3] 

Planning Phase: 

.03: Although planning continues throughout the audit, the objectives 
of this initial phase are to gain an understanding of the entity to be 
audited; to understand its environment, including internal control; to 
identify significant areas for audit; and to design effective and 
efficient audit procedures. To accomplish this, the methodology 
includes guidance in: 

* establishing an understanding about the audit with the client, entity
management, and those charged with governance; 

* understanding the entity’s operations and its environment, including 
its organization, management style, internal control, and internal and
external factors influencing its operating environment; 

* performing analytical procedures to assist in planning the audit; 

* identifying significant accounts, accounting applications, and 
financial management systems; important budget restrictions; significant
provisions of laws and regulations; and relevant internal controls; 

* determining the likelihood of effective information system (IS) 
controls; 

* identifying assertions and using them in planning the audit; 

* determining materiality for the financial statements including 
tolerable misstatement (formerly test materiality) for accounts and 
related assertions; 

* performing a preliminary risk assessment to determine the risk of
material misstatement, whether by error or fraud; and 

* developing the audit strategy and audit plan, including entity field
locations to visit. 

Based on evidence obtained throughout the audit, the auditor should
monitor and revise, if needed, preliminary assessments made during the
planning phase for risk of material misstatement and the likelihood of
control effectiveness. 

Internal Control Phase: 

.04: This phase entails understanding, testing, and assessing internal 
control to reach conclusions about the achievement of the following 
internal control objectives: 

* Reliability of financial reporting—transactions are properly recorded,
processed, and summarized to permit the preparation of the financial
statements in accordance with U.S. GAAP, and assets are safeguarded
against loss from unauthorized acquisition, use, or disposition. 

* Compliance with applicable laws and regulations—transactions are 
executed in accordance with (a) laws governing the use of budget 
authority and other laws and regulations that could have a direct and
material effect on the financial statements and (b) any other laws,
regulations, and governmentwide policies identified by OMB in its audit
guidance. 

.05: OMB audit guidance indicates that the auditor should test controls 
that have been properly designed and implemented (placed into 
operation) to achieve these objectives in order to support a low 
assessed level of control risk. OMB audit guidance does not require the 
auditor to express an opinion on the effectiveness of internal control. 

As required by GAGAS 5.08, if the auditor does not express an opinion on
internal control, the auditor should state in the report whether tests
performed provided sufficient, appropriate evidence to express an 
opinion on the effectiveness of internal control over financial 
reporting. 

GAO auditors[Footnote 4] should design the audit to express an opinion 
on internal control over financial reporting and internal control over 
compliance with selected provisions of laws and regulations.[Footnote 5] 
For audits performed by GAO, the internal control testing described 
in the OMB audit guidance and in the FAM typically is sufficient to 
provide an opinion on internal control effectiveness. Sufficiency and 
appropriateness of audit evidence is a matter of auditor judgment. 

.06: The FAM also provides guidance on evaluating internal controls 
related to operating objectives that the auditor elects to evaluate. 
Such controls include those related to safeguarding assets from waste 
or preparing statistical reports. 

.07: To evaluate internal control, the auditor identifies and 
understands the relevant controls and tests their effectiveness. Where 
the auditor determines controls to be effective, the extent of 
substantive procedures can be reduced. 

.08: The FAM also includes guidance on: 

* assessing specific levels of control risk; 

* selecting controls to test; 

* determining the effectiveness of IS controls; and 

* testing controls, including coordinating control tests in the testing
phase for efficiency. 

.09: Also, during the internal control phase, for CFO Act agencies and 
their components identified in OMB’s audit guidance, the auditor should
understand the design of the entity’s significant financial management
systems and test their compliance with FFMIA. 

Testing Phase: 

.10: The objectives of this phase are to (1) obtain reasonable 
assurance about whether the financial statements are free of material 
misstatements, (2) determine whether the entity complied with 
significant provisions of applicable laws and regulations, and (3) 
assess the effectiveness of internal control through testing controls 
often in coordination with other tests. 

.11: To achieve these objectives, the FAM includes guidance on: 

* designing and performing substantive, compliance, and control tests; 

* designing and evaluating audit samples; 

* correlating risk of material misstatement, audit risk, and materiality
with the nature, timing, and extent of substantive procedures; and 

* designing multipurpose tests that use a common sample to test several
different controls, specific accounts or transactions, and audit 
assertions. 

Reporting Phase: 

.12: This phase completes the audit based on the results of audit 
procedures performed in the preceding phases. This involves developing 
the auditor's report on the entity’s (1) annual financial statements 
and supplementary information,[Footnote 6] (2) internal control, (3) 
financial management systems’ substantial compliance with FFMIA 
requirements (for CFO Act agencies), and (4) compliance with laws and 
regulations. To assist in this process, the FAM includes guidance on 
forming opinions on the basic financial statements and conclusions on 
internal control, as well as reporting findings. Also included in FAM 
595 A are two examples of auditor’s reports designed to be 
understandable to the reader. The first example is for when the auditor 
expresses an opinion on internal control, and the second is for when 
the auditor issues a report on internal control. 

Relationship to Applicable Standards: 

.13: The following section describes the relationship of the FAM to 
applicable auditing standards, OMB guidance, and other policy 
requirements. This section is organized into three areas: 

* relevant auditing standards and OMB guidance, 

* audit guidance beyond the “yellow book,” and 

* auditing standards and policies not addressed in this manual. 

Relevant Auditing Standards and OMB Guidance: 

.14: The FAM provides a framework for performing financial statement 
audits of federal entities in accordance with Government Auditing 
Standards (also known as GAGAS) issued by the Comptroller General of 
the United States, frequently referred to as the “yellow book,” and OMB 
audit guidance. GAGAS incorporates, by reference, certain U.S. generally
accepted auditing standards (U.S. GAAS) and attestation standards
established by the Auditing Standards Board (ASB) of the American
Institute of Certified Public Accountants (AICPA). GAGAS are available 
at [hyperlink, http://www.gao.gov]. 

.15: The FAM is an audit methodology that both integrates the 
requirements of the standards and provides implementation guidance 
based upon practical experience. The FAM is designed to achieve: 

* effective audits by considering compliance with GAGAS, significant
laws, and OMB guidance; 

* efficient audits by focusing audit procedures on areas of higher risk
and materiality and by providing an integrated approach designed to
gather audit evidence efficiently; 

* quality control through an agreed-upon framework that is documented 
and can be followed by all personnel; and 

* consistency of application through a documented methodology. 

.16: The FAM supplements GAGAS and OMB’s audit guidance and includes 
references to the AICPA Codification of Statements on Auditing 
Standards (AU) and to the related codification of Standards for 
Attestation Engagements (AT). The AICPA standards are updated and 
issued annually and are incorporated into GAGAS by reference. Certain
standards are available through [hyperlink, http://www.aicpa.org], and 
GAO staff may access them electronically through the audit reference 
library. 

Audit Guidance Beyond the “Yellow Book”: 

.17: In addition to meeting GAGAS, for audits of federal entities to 
which OMB’s audit guidance applies, the auditor should: 

* perform sufficient tests of internal controls that have been properly
designed and placed in operation, to support a low assessed level of
control risk; 

* evaluate and test controls related to budget execution and compliance
with selected provisions of laws and regulations; 

* understand the design of the entity’s process for complying with 31
U.S.C. 3512 (c), (d) (commonly known as the Federal Managers’ Financial 
Integrity Act (FMFIA)) and whether the design has been implemented; 

* perform tests at CFO Act agencies to report on the entity’s financial
management systems’ substantial compliance with FFMIA requirements; 

* test for compliance with laws, regulations, and governmentwide 
policies identified in OMB’s audit guidance; and 

* read the MD&A and other supplementary information for conformity with 
FASAB standards and OMB guidance. 

.18: Auditors may design procedures to consider and report whether 
misstatements and internal control weaknesses could affect the 
achievement of operations objectives or the accuracy of reports prepared
by the entity. 

.19: GAO auditors should design audits to express an opinion on the 
entity’s internal control over financial reporting. 

Auditing Standards and Policies Not Addressed in the Manual: 

.20: The FAM supplements financial audit standards and policies adopted 
by GAO and the inspectors general (IG). It is not intended to address 
all standards or policies. For example, report processing is not 
addressed. Further, IGs may use other methodologies that are equivalent 
to the FAM for conducting financial statement audits in accordance with 
GAGAS, including AICPA auditing standards, and OMB audit requirements. 

Key Implementation Considerations: 

.21: In applying the FAM to a federal entity, the auditor considers: 

* audit objectives, 

* exercise of professional judgment and professional skepticism, 

* references to positions, 

* knowledge of information systems and use of IS controls specialists, 

* compliance with policies in the FAM, 

* use of technical terms, and 

* reference to sections of the FAM. 

These items are discussed in more detail below. 

Audit Objectives: 

.22: For audits of certain federal entities not subject to OMB audit 
guidance, the auditor should evaluate whether to conduct those audits 
in accordance with OMB audit guidance to achieve the audits’ 
objectives. The FAM generally assumes that the objective of the audit 
is to express an opinion on the current year financial statements as 
part of a 2-year opinion on comparative financial statements, to issue 
a report (or opinion) on internal control, and to issue a report on 
compliance. When these are not the objectives, the auditor uses 
judgment in applying the FAM guidance. In some circumstances, the 
auditor may expect to issue a disclaimer on the current year financial 
statements due to scope limitations, including the auditability of 
information. In these circumstances, the auditor may develop a 
multiyear plan to be able to express a future opinion when the 
financial statements are expected to become auditable. 

Exercise of Professional Judgment and Professional Skepticism: 

.23: In performing a financial statement audit, the auditor uses 
professional judgment and exercises professional skepticism in 
evaluating the quantity and quality of audit evidence, and thus its 
sufficiency and appropriateness, in determining the audit opinion. 
Although the auditor may find it necessary to rely on audit evidence 
that is persuasive rather than conclusive to obtain reasonable 
assurance, the auditor must not be satisfied with audit evidence that 
is less than persuasive. The auditor should tailor the guidance in the 
FAM, if needed, to respond to specific situations encountered during an 
audit. However, the auditor must, at a minimum, meet professional 
standards. Proper application of professional judgment and skepticism 
may result in more extensive audit work than described in the FAM. The 
auditor should document these decisions. 

.24: When exercising judgment, particularly when tailoring FAM 
guidance, the auditor should consider the needs of, and consult in a 
timely manner with, other auditors who plan to use the work being 
performed. In turn, the auditor should coordinate with other auditors 
whose work the auditor plans to use so that the judgments exercised can 
satisfy the needs of both auditors. For example, auditors of a 
consolidated entity (such as the U.S. government or an entire 
department or agency) are likely to plan to use the work of auditors of 
subsidiary entities (such as individual departments and agencies or 
bureaus and components of a department). This coordination can result 
in more effective government audits and avoid duplication of effort. 

.25: Many aspects of a financial statement audit involve technical 
judgments. The auditor is responsible for making these judgments. The 
audit organization should have or contract for personnel with adequate 
technical expertise to provide technical assistance to the auditor, 
particularly in the following areas: 

* quantifying planning and design materiality and tolerable 
misstatement and using tolerable misstatement in determining the extent 
of testing (see FAM 230); 

* identifying risk factors to assess risks of material misstatement (see
FAM 260); 

* assessing the effectiveness of IS controls (see FAM 270); 

* specifying a minimum level of substantive assurance based on the 
assessed risk of material misstatement, substantive analytical 
procedures, and substantive detail tests (see FAM 470, 480, and 495 D); 

* determining whether selections are samples (intended to be 
representative and projected to populations) or nonsampling selections
that are not projectible (see FAM 480); 

* using sampling methods, such as monetary unit sampling, classical
variables estimation sampling, or classical probability proportional to
size (PPS) sampling, for substantive or multipurpose testing (including
nonstatistical sampling) (see FAM 480); 

* using sampling for control testing, other than attribute sampling 
using the tables in FAM 450, to determine sample size when not 
performing a multipurpose test; 

* using sampling for compliance testing of laws and regulations, other
than attribute sampling using the tables in FAM 460, to determine
sample size when not performing a multipurpose test; and 

* placing complete or partial reliance on analytical procedures, using
tolerable misstatements to calculate the limit. The limit is the amount 
of difference between the expected and recorded amounts that can be
accepted without further investigation (see FAM 475). 

References to Positions: 

.26: Various sections of the FAM refer to consultation with audit 
management and/or persons with technical expertise to obtain approval 
or additional guidance. The auditor should document key consultations. 
Each audit organization should have written evidence, in the audit 
documentation or in its audit policy manual, of the specific positions 
of persons who will perform these functions. 

The following are references to positions at GAO; however, descriptions 
of position responsibilities in relation to the audit are included for
identification of the position or role in other audit organizations. IGs
performing an audit or using a firm to perform an audit in accordance 
with the FAM should clarify and document the positions of the persons 
the auditor should consult in various circumstances. 

* The audit director (first partner) is responsible for the quality of 
the financial statement audit and the audit report, reporting to the 
assistant inspector general for audit or, at GAO, to the managing 
director. 

* The assistant director is responsible for the operational conduct of
the audit and generally for preparation of the audit report. In public
accounting firms, the audit manager may have these responsibilities. 

* The reviewer (engagement quality control reviewer or second partner)
is responsible for providing negative assurance about the quality of the
audit and reports to the assistant inspector general for audit (or 
higher position) or, at GAO, is the chief accountant or designee. The 
reviewer may consult with other personnel as needed. 

* The statistician is a person the auditor consults for technical 
expertise in areas such as audit sampling, audit sample evaluation, and 
selecting entity field locations to visit. 

* The data extraction specialist has technical expertise in extracting
data from entity records. 

* The IS controls specialist is a person with technical expertise in
information systems, general controls, application controls, and
information security. 

* The technical accounting and auditing expert reports to the assistant 
inspector general for audit or higher. At GAO, this is the chief 
accountant or other designated expert. This expert advises on 
accounting and auditing professional matters and related national
issues. This person also may be the reviewer or may review reports on
financial statements and reports that express opinions on financial
information for compliance with professional auditing standards. 

* The Office of General Counsel[Footnote 7] (OGC) advises the auditor 
in (1) identifying provisions of laws and regulations to test, (2) 
identifying
budget restrictions, and (3) identifying and resolving legal issues
encountered in the financial statement audit, such as evaluating
potential instances of noncompliance. 

* The Special Investigator Unit (SIU) investigates specific allegations
involving conflict-of-interest and ethics matters, contract and 
procurement irregularities, official misconduct and abuse, and fraud in
federal programs or activities. In the offices of the IGs, this is the
investigation unit; at GAO, it is the Forensic Audits and Special
Investigations Unit. The SIU provides assistance to the auditor by (1) 
informing the auditor of relevant pending or completed investigations 
of the entity and (2) investigating possible instances of federal 
fraud, waste, and abuse. 

Knowledge of IS Controls and Use of IS Controls Specialists: 

.27: The audit team should possess sufficient knowledge of IS controls 
to determine the effect of information systems on the audit, to 
understand IS controls, and to consult with an IS controls specialist 
to design and test IS controls. Specialized IS control audit skills 
generally are needed in situations where: 

* the entity’s systems, IS controls, or the manner in which they are 
used in conducting the entity’s business are complex; 

* significant changes have been made to existing systems or new systems
have been implemented; 

* data are extensively shared among systems; 

* the entity participates in electronic commerce; 

* the entity uses emerging technologies; or 

* significant audit evidence is available only in electronic form. 

Appendix V of GAO’s Federal Information System Controls Audit Manual
(FISCAM) contains examples of knowledge, skills, and abilities auditors
need. 

If needed, the auditor should seek the assistance of IS controls 
specialists or use outside contractors to provide these skills. 
However, per AU 311.22, the auditor should have sufficient knowledge to 
communicate the audit objectives of the specialist’s work; to evaluate 
whether the specified audit procedures will meet the auditor’s 
objectives; and to evaluate the results of the audit procedures applied 
as they relate to the nature, extent, and timing of further planned 
audit procedures. The auditor’s responsibilities for supervising 
specialists who are essentially functioning as part of the audit team 
are the same as for other audit team members as discussed in AU 311.22 
and AU 311.28-32. 

Compliance with Policies in the FAM: 

.28: The following terms are used throughout the FAM to describe the 
degree of compliance with the standard or policy: 

* Must: Compliance is mandatory when the circumstances exist to which 
the standard or policy applies. Most “musts” come directly from 
professional auditing standards where the auditor’s failure to perform
means the auditor will not be able to express an unqualified opinion on
the entity’s financial statements. 

* Should: Compliance is expected when the circumstances exist to which 
the standard or policy applies, unless there is a reasonable basis for 
the departure. The auditor must document any such departure and the 
basis for it. The documentation should describe how the alternative 
procedures performed in the circumstances were sufficient to achieve
the objectives of the standard or policy and should be approved by the
reviewer.[Footnote 8] 

* Generally should: Although optional, compliance with this policy is
strongly encouraged. The auditor may discuss any departure with the
assistant director, but need not document compliance. 

* May: Compliance with this policy or procedure is optional. The 
auditor need not document compliance. 

Situations can arise where the auditor is unable to or decides not to
perform a procedure. Frequently, this is caused by missing, incomplete, 
or erroneous information. If it is decided that this is a key decision, 
the auditor should document why the procedure was not performed. 

When auditors plan to deviate from a standard or policy expressed by a
“should,” they should determine the needs of, and consult in a timely
manner with, other auditors who plan to use their work. This is 
necessary to provide an opportunity for other auditors to review the 
documentation explaining these decisions. 

Use of Technical Terms: 

.29: The FAM uses many existing technical auditing terms and includes a
glossary of significant terms towards the end of FAM Volume I. 

Reference to the FAM: 

.30: When cited in audit documentation, correspondence, or other 
communication, the letters “FAM” may precede section or paragraph 
numbers. For example, this paragraph is referred to as FAM 110.30. 

[End of section] 

Section 200: Planning Phase: 

Planning Phase: 

* Establish an Understanding with the Client: 
FAM: 215. 

* Understand the Entity’s Operations: 
FAM: 220. 

* Perform Preliminary Analytical Procedures: 
FAM: 225. 

* Determine Planning and Design Materiality and Tolerable Misstatement: 
FAM: 230. 

* Identify Significant Line Items, Accounts, Assertions, and RSSI: 
FAM: 235. 

* Identify Significant Cycles, Accounting Applications, and Systems: 
FAM: 240. 

* Identify Significant Provisions of Laws and Regulations: 
FAM: 245. 

* Identify Relevant Budget Restrictions:
FAM: 250. 

* Identify Risk Factors: 
FAM: 260. 

* Determine Likelihood of Effective Information System Controls: 
FAM: 270. 

* Identify Relevant Operations Controls to Evaluate and Test: 
FAM: 275. 

* Plan Other Audit Procedures: 
FAM: 280. 

* Plan Locations to Visit: 
FAM: 285. 

* Documentation: 
FAM: 290. 

210 – Overview of the Planning Phase: 

.01: The auditor must adequately plan the audit work. The auditor should
develop effective and efficient ways to obtain the sufficient 
appropriate evidence necessary to report on the federal entity’s 
financial statements, internal controls, and compliance with laws and 
regulations. The nature, extent, and timing of planning varies with 
such factors as the entity’s size and complexity, the auditor's 
experience with the entity, and the auditor’s knowledge of entity 
operations. 

The FAM methodology overview in figure 200 shows the procedures 
performed in the planning phase of a financial audit to develop an 
overall strategy for the audit. 

.02: Senior, experienced members of the audit team should be involved in
planning. Although concentrated in the planning phase, planning is an
iterative process performed throughout the audit. For example, findings
from the internal control phase directly affect planning the substantive
audit procedures. Also, the results of control and substantive tests may
require changes in the planned audit approach. 

.03: Auditors should consider the needs of, and consult in a timely 
manner with, other auditors who plan to use the work being performed, 
especially when exercising significant professional judgment. 

215 – Establish an Understanding with the Client: 

.01: The auditor should establish an understanding with the client 
regarding an audit of the financial statements. The auditor should 
document the understanding through a written communication with the 
client. AU 311.08-.10 provides guidance to the auditor in establishing 
this understanding. The auditor may use an engagement letter, contract, 
or other written communication to describe the terms of the engagement.
The auditor should also communicate these and other matters with those
charged with governance,[Footnote 9] and with the individuals 
contracting for or requesting the audit. When auditors perform the 
audit pursuant to a law or regulation or they conduct the work for the 
legislative committee that has oversight of the entity, the auditor 
also should communicate with the legislative committee. 

If the auditor believes that an understanding with the client has not 
been established, the auditor should discuss the issue(s) with the 
audit director. 

.02: In the federal environment, the “client” may include the: 

* management of the federal entity to be audited, including senior
executive and financial managers;[Footnote 10] 

* Inspector General if the IG has contracted for the audit; 

* members of a board or commission responsible for the federal entity; 

* audit committee; and 

* congressional committees, subcommittees, or members requesting the
audit. 

The auditor should identify and document who is the client and those
charged with governance for each federal audit. The client and those
charged with governance may include multiple entities from this list. 
See FAM 215.12 for additional guidance on identifying those charged with
governance. 

.03: Audits may be conducted under various legal authorities. For 
example, the audit may be: 

* mandated by law, or 

* performed under an audit organization’s discretionary statutory legal
authority, or 

* performed under contract authority to procure audit services, or 

* requested by a congressional committee(s), subcommittee(s), or
member(s). 

.04: Before establishing an understanding with the client, the auditor 
may conduct a pre-engagement planning meeting with the audit team to be
sure they understand the various aspects of the engagement, particularly
for an engagement that the auditor has not previously performed. Topics
for this meeting may include (1) the engagement timeline, (2) staff 
specific responsibilities, (3) overall scope and any limitations of the 
engagement, (4) potential risks of the engagement, and (5) 
documentation of the engagement. Information for this meeting may be 
obtained from the federal entity to be audited, the IG, a statement of 
work in a request for proposal, or prior reports. This meeting may be 
combined with the fraud risk brainstorming session and the risk 
assessment brainstorming discussed in FAM 260. 

.05: The engagement letter or contract is designed to avoid 
misunderstandings between the federal entity to be audited, the IG if 
the audit is contracted out by the IG, and the auditor. The auditor and 
client should agree on the contract or engagement letter at the start 
of the audit. Where there is a contract, an engagement letter may be 
unnecessary since the contract (including any amendments) along with 
the statement of work and auditor’s proposal to perform the work should 
contain all of the engagement terms. If an engagement letter is not 
necessary, the auditor should communicate in an appropriate written 
form with those charged with governance and any others as needed. 

.06: The engagement letter or contract documents the objectives and
limitations of the audit and the roles and responsibilities of both 
federal entity management and the auditor. An example audit engagement 
letter to a federal entity is presented at FAM 215 A. The letter may 
also communicate additional matters, such as the involvement of others 
and fee and billing arrangements, although these may be addressed in 
separate contractual documents. If both documents are prepared, the 
information that appears in these documents should be consistent. See 
AU 311.09-.10 for further information that may be included. 

Establishing an Understanding on the Scope of the Engagement: 

.07: The auditor may use an engagement letter, contract, or other 
written communication to document the auditor’s and the federal entity’s
responsibilities as well as the limitations of the engagement. The 
letter generally states that the auditor will conduct the audit in 
accordance with GAGAS, and if applicable, OMB audit guidance. Those 
standards require that the auditor obtain reasonable, rather than 
absolute, assurance about whether financial statements are free of 
material misstatement, whether caused by error or fraud. While 
reasonable assurance is a high level of assurance, the nature of audit 
evidence and the characteristics of fraud make it such that the 
auditor cannot provide absolute assurance. Accordingly, a material 
misstatement may remain undetected. Also, an audit is not designed to 
detect error or fraud that is immaterial to the financial statements. 
If, for any reason, the auditor is unable to complete the audit or is 
unable to form or has not formed an opinion on the financial 
statements, the auditor may decline to express an opinion, or decline 
to issue a report. However, declining to issue a report may not be 
possible for audits mandated by law. 

.08: An audit includes obtaining an understanding of internal control 
sufficient to plan the audit and to determine the nature, timing, and 
extent of audit procedures to be performed. An auditor will either 
express an opinion on internal control or report on internal control as 
discussed in FAM 580.31. 

.09: Auditors should reach agreement with the client on their 
responsibilities in a financial statement audit, including their 
responsibilities for testing and reporting on internal control over 
financial reporting and compliance with laws and regulations. The 
communication should include the nature of any additional testing of 
internal control and compliance required by laws and regulations or 
otherwise requested, whether the auditor plans to express an opinion or 
report on internal control over financial reporting, and if applicable, 
the entity’s financial systems compliance with FFMIA (for CFO Act 
agencies). 

.10: The engagement letter, contract, or other written communication 
should provide that if the management of the federal entity to be 
audited does not agree with the terms of the audit reached between the 
party contracting for the audit and the auditor, as documented in the 
contract or engagement letter, the entity should promptly notify the 
auditor. The auditor should try to resolve any disagreements promptly. 

Communicating with Those Charged with Governance: 

.11: The auditor must communicate with those charged with governance
matters related to the financial statement audit that are, in the 
auditor’s professional judgment, significant and relevant to the 
responsibilities of those charged with governance in overseeing the 
financial reporting process. Clear communication of specific matters is 
an integral part of every audit. However, the auditor is not required 
to perform procedures specifically to identify other significant 
matters to communicate with those charged with governance. 

.12: Similar to the process described above for client communication, 
the auditor should determine the appropriate persons within the entity’s
governance structure with whom to communicate. The appropriate persons 
may vary depending on the matter to be communicated. In situations 
where there is not a single individual or group that both oversees the 
strategic direction of the entity and the fulfillment of its 
accountability obligations or in other situations where the identity of
those charged with governance is not clearly evident, the auditor should
document the process followed and conclusions reached for identifying 
appropriate individuals to receive the required auditor communications.
When the appropriate persons with whom to communicate are not clearly
identifiable, the auditor and the engaging party should agree on the
relevant persons within the entity’s governance structure with whom the
auditor will communicate. 

.13: The auditor should evaluate whether communication with a subgroup 
of those charged with governance, such as an audit committee or an
individual, adequately fulfills the auditor’s responsibility to 
communicate with those charged with governance. AU 380.18 and AU 380.54 
provide factors to consider when making this judgment. When all of 
those charged with governance are involved with managing the entity, 
the auditor should evaluate whether communication with person(s) with 
financial reporting responsibilities adequately informs all of those 
with whom the auditor would otherwise communicate in their governance 
capacity. 

.14: The auditor should communicate to those charged with governance
(1) the auditor’s responsibilities under GAGAS, (2) an overview of the
planned scope and timing of the audit, (3) the nature of planned work 
and level of assurance provided related to internal control over 
financial reporting and compliance with laws and regulations, (4) the 
form, general content, and timing of communications, and (5) any 
potential restriction on the auditors’ reports, in order to reduce the 
risk that the needs or expectations of the parties involved may be 
misrepresented. These matters may be communicated either orally or in 
writing. The auditor may use an engagement letter, contract, or other 
written communication as part of this communication. 

.15: The auditor’s clear communication of these matters helps establish 
the basis for effective two-way communication. Other discussion topics 
that may contribute to the effectiveness of two-way communication are
discussed in AU 380.49. The auditor should evaluate whether the two-way
communication between the auditor and those charged with governance
has been adequate for purposes of the audit. This evaluation may be 
based on observations resulting from performing other audit procedures.
AU 380.60-.61 provide guidance for making this evaluation. If in the
auditor’s judgment, the two-way communication between the auditor and 
those charged with governance is not adequate, there is a risk that the
auditor may not have obtained all the audit evidence required to form an
opinion on the financial statements. The auditor should evaluate the 
effect, if any, on the auditor’s assessment of the risks of material
misstatement and may take actions as discussed in AU 380.63. 

.16: Management’s communication of these matters to those charged with
governance does not relieve the auditor of the responsibility to also 
communicate with them. However, communication of these matters by 
management may affect the form or timing of the auditor’s 
communication. Factors that may affect whether the communication
would be most effective orally or in writing as well as the content of
communication are discussed in AU 380.53. 

.17: The auditor should communicate significant findings from the audit 
in writing to those charged with governance as discussed in FAM 550.13 
and FAM 580. When matters are communicated in writing, the auditor 
should indicate in the communication that it is intended solely for the 
information and use of those charged with governance, and if 
appropriate, management, and is not intended to be and should not be 
used by anyone other than these specified parties as discussed in AU 
380.55. Because these audits involve government entities, the auditor’s 
communication also should indicate that government reports and 
communication are generally a matter of public record; therefore, the 
distribution of the communication is not limited. 

.18: The auditor should communicate with those charged with governance 
on a sufficiently timely basis to enable those charged with governance 
to take appropriate action. AU 380.57-.58 discuss factors relevant for 
making judgments regarding the timing of communications. 

.19: The auditor should communicate with those charged with governance 
the auditor’s responsibilities under GAGAS, including that: 

* the auditor is responsible for forming and expressing an opinion about
whether the financial statements that have been prepared by management 
with the oversight of those charged with governance are presented 
fairly, in all material respects, in conformity with generally accepted 
accounting principles, and 

* the audit of the financial statements does not relieve management or
those charged with governance of their responsibilities. 

If the entity includes other information in documents containing audited
financial statements, such as in a performance and accountability 
report, the auditor should communicate with those charged with 
governance the auditor’s responsibility with respect to such other 
information, any procedures performed relating to the other 
information, and the results. 

.20: The auditor may also communicate to those charged with governance 
the items communicated with management discussed in FAM 215.07-.09.
Additionally, the auditor may communicate the auditor’s responsibility 
for communicating significant matters as well as the limitations on this
responsibility discussed in FAM 215.11. 

.21: The auditor should communicate with those charged with governance 
an overview of the planned scope and timing of the audit. However, it is
important for the auditor not to compromise the effectiveness of the 
audit, particularly where some of those charged with governance are 
involved with managing the entity. For example, communicating the 
nature and timing of detailed audit procedures may reduce the 
effectiveness of those procedures by making them too predictable. AU 
380.30-.31 provide guidance on communicating the planned scope and 
timing of the audit. 

.22: AU 380.32 provides additional matters that the auditor may discuss 
with those charged with governance that may be useful for planning the 
audit and assessing the risks of material misstatement. 

.23: The auditor should document all communications with those charged 
with governance. If the communication was written, the auditor should 
retain a copy of the communication with the audit documentation. 

Intent, Notification, and Commitment Letters: 

.24: The auditor should establish an understanding with involved 
parties, which may include congressional requesters, regarding the 
financial audit. When the engagement letter is addressed to the head of 
a federal entity to be audited, or the IG if the audit is contracted 
out, the auditor may also provide a copy to those charged with 
governance if the auditor determines this to be an effective form of 
communication. The auditor’s internal procedures may also provide for 
additional communication with others in the form of an intent, 
notification, or commitment letter as discussed below. 

.25: GAO and some IGs use an intent letter to acknowledge a 
congressional request for any type of work. This letter may include: 

* acknowledgement of a meeting with congressional staff to understand
the request; 

* indication of a survey of work or planning phase to understand the
federal entity, identify accounting or auditing issues, and determine 
the availability and access to books and records, particularly for an 
initial engagement; 

* an estimated completion date for the planning phase; 

* the auditor team performing the audit; and

* auditor contact names, phone numbers, and e-mail addresses. 

.26: A notification letter is used by some auditors to notify federal 
agencies of new engagements for any type of work. This letter may 
include: 

* source of work (mandate, request, or auditor’s statutory discretionary
authority); 

* objective(s) of the work; 

* agencies and locations to be contacted; 

* estimated start date; 

* estimated date of entrance conference; 

* auditor team performing the audit; 

* auditor contact names, phone numbers, and e-mail addresses; and

* engagement (job) code or other tracking number. 

.27: A commitment letter is used by some auditors, either after a 
survey of work or the planning phase has been completed as discussed in 
FAM 215.24, or to confirm a commitment for a congressional request, 
mandate, or auditor’s statutory discretionary authority for any type of 
work. This letter may include: 

* a confirmation of the auditor’s commitment to perform work and issue
a report; 

* overview of the engagement approach, objective(s), and key aspects of
the work to include a separate survey of work or planning phase, if
conducted; 

* the planned report issuance date; 

* auditor team performing the audit; and

* auditor contact names, phone numbers, and e-mail addresses. 

.28: The auditor should send intent, notification, or commitment 
letters as provided by the auditor’s protocols. The auditor may use the 
engagement letter to assist in documenting communication with those 
charged with governance. The auditor may use the example letter in FAM 
215 B or other communication methods to communicate with those charged 
with governance. 

.29: For agreed-upon procedure engagements as discussed in FAM 660.04, 
the auditor may issue an engagement letter unless covered by contract or
other written communication. An example letter for agreed-upon 
procedure engagements is presented in FAM 660 A. 

215 A – Sample Audit Engagement Letter to a Federal Entity: 

.01: As discussed in FAM 215.06, the engagement letter documents the
objectives and limitations of the audit and the roles and 
responsibilities of both federal entity management and the auditor. 
Example 1 presents a sample audit engagement letter when the auditor 
plans to provide an opinion on the effectiveness of an entity’s 
internal control. Example 2 presents a sample audit engagement letter 
when the auditor plans to report on the entity’s internal control and 
will not provide an opinion. These sample letters are prepared on 
auditor letterhead and modified for the specific circumstances of each 
individual audit, as needed. 

Example 1 -- Auditor Provides an Opinion on Effectiveness of Entity’s 
Internal Control: 

Auditor letterhead: 

Date: 

[Address to the chief executive of the federal entity whose financial
statements are to be audited or the Inspector General if the audit has 
been contracted out to a CPA firm or the client as determined by the 
auditor.] 

Dear : 

Pursuant to [cite legal or contract authority for audit], [name of 
auditor] will audit, for fiscal year 20xx, the financial statements of 
the [name of federal entity]. The job code for this audit is XXXXXX. 
[Footnote 11] The objectives of our audit are as follows: 

1. Express an opinion on whether the [entity’s] fiscal year 20xx 
financial statements are fairly presented, in all material respects, in 
conformity with U.S. generally accepted accounting principles. 

2. Express an opinion on whether the [entity’s] internal control over
financial reporting (including safeguarding assets) and compliance in
place as of [end of fiscal year] are suitably designed and operated
effectively to provide reasonable assurance that misstatements, losses,
or noncompliance material in relation to the financial statements would 
be prevented or detected on a timely basis. 

3. Report whether the [entity’s] financial management systems 
substantially comply with the requirements of the Federal Financial
Management Improvement Act (FFMIA) as of [end of fiscal year 20XX]. [If 
the entity is subject to the act]. 

4. Report on our tests of the [entity’s] compliance with selected
provisions of laws and regulations. 

[Entity] management is responsible for preparing the financial 
statements and appropriate disclosures in conformity with U.S. 
generally accepted accounting principles. This includes maintaining 
adequate accounting records, developing accounting systems that comply 
with the requirements of FFMIA [if applicable], selecting and applying 
appropriate accounting policies, and safeguarding U.S. government 
assets related to [entity] operations. Management is also responsible 
for designing and implementing programs and controls to prevent and 
detect fraud, establishing and maintaining effective internal control 
over financial reporting and compliance, and identifying and ensuring 
compliance with applicable laws and regulations. 

[Entity] management is responsible for establishing and maintaining
effective internal control to provide reasonable assurance that the
following objectives are met for financial reporting and compliance. 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the preparation of financial statements in
conformity with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use,
or disposition. 

* Compliance with laws and regulations: Transactions are executed in
accordance with laws governing the use of budget authority and with 
other laws and regulations that could have a direct and material effect
on the financial statements and any other laws, regulations, and 
governmentwide policies identified in OMB audit guidance. 

[Entity] management is responsible for making all financial records and
related information available to us to conduct the audit. [Entity] 
management is also responsible for adjusting the financial statements to
correct material misstatements and to represent to us that any 
uncorrected misstatements are immaterial, both individually and in the 
aggregate, to the financial statements taken as a whole. Further, 
[entity] management agrees to communicate to us the discovery of any 
material misstatement that would affect the fair presentation of its 
fiscal year 20xx or prior fiscal year’s financial statements. 

We are responsible for conducting our audit in accordance with U.S.
generally accepted government auditing standards. Those standards 
require that we obtain reasonable, rather than absolute, assurance 
about whether the financial statements are free of material 
misstatement, whether caused by error or fraud. Accordingly, a material 
misstatement may remain undetected. Also, an audit is not designed to 
detect error or fraud that is immaterial to the financial statements. 
We are responsible for obtaining reasonable assurance about whether 
management maintained effective internal control, the objectives of 
which are stated above. If, for any reason, we are unable to complete 
the audit or are unable to form an opinion on the financial statements 
or internal control, we may decline to express these opinions. 

We are also responsible for (1) testing whether [entity’s] financial
management systems substantially comply with the three FFMIA 
requirements [if applicable], (2) testing compliance with selected
provisions of laws and regulations that have a direct and material 
effect on the financial statements and laws for which OMB audit 
guidance requires testing, and (3) performing limited procedures with 
respect to certain other information in the Annual Financial Statement. 

In fulfilling our responsibilities and as part of our overall audit 
strategy, we will: obtain an understanding of the [entity] and its 
environment, including its internal control; assess the risks of 
material misstatement; design the nature, timing, and extent of further 
audit procedures; test relevant internal controls over financial 
reporting (including safeguarding of assets) and compliance; test 
whether the [entity’s] financial management systems substantially 
comply with the requirements of FFMIA as of [fiscal year end] [if 
applicable]; test compliance with selected provisions of laws and
regulations[Footnote 12]; and examine, on a test basis, evidence 
supporting the amounts and disclosures in the [entity’s] financial 
statements. 

Our internal control testing will be limited to controls over financial
reporting and compliance. This audit does not include evaluating all
internal controls relevant to operating objectives as broadly defined 
by the Federal Managers’ Financial Integrity Act, such as those 
controls relevant to preparing statistical reports and ensuring 
efficient operations. Because of inherent limitations in internal 
control, misstatements due to error or fraud, losses, or noncompliance 
may nevertheless occur and not be detected. 

We will not test compliance with all laws and regulations applicable to
[entity]. We will limit our tests of compliance to those laws and 
regulations required by OMB audit guidance that we deem applicable to 
the financial statements for the fiscal year ended [date]. We caution 
that noncompliance may occur and not be detected by these tests and 
that such testing may not be sufficient for other purposes. 

We are also responsible for communicating in writing to those charged 
with governance any significant deficiencies and material weaknesses in
internal control that come to our attention as a result of the audit. In
addition, we will communicate any suggestions for improving [entity]
operations and other control deficiencies identified during our audit 
in a separate letter to management [as applicable]. 

To assist us in the audit, we will use specialists in [information 
technology, statistical sampling, actuarial methods, or other areas as 
applicable]. At the conclusion of the audit, we will require certain 
written representations from [entity] management about the financial 
statements, internal control, and related matters. These 
representations include a representation that the effects of any 
uncorrected misstatements are not material, both individually and in 
the aggregate, to the financial statements taken as a whole. The 
representations on internal control include management’s assertion that 
internal control over financial reporting and compliance with laws and 
regulations is suitably designed and operating effectively, and the
internal control criteria used to make this assertion. 

To make efficient use of audit resources and expedite audit completion, 
we will request assistance from [entity] staff. This assistance may 
include preparing schedules or analyses; locating, copying, and 
providing selected documents; and participating in meetings. We will 
discuss this assistance with [entity] staff as the need arises. 
Throughout the audit, we will work with [entity] staff to obtain 
information needed for the completion of the audit and to arrive at 
mutually acceptable time frames for the delivery of requested data. 

We will conduct an entrance conference with [entity] staff on [or by] 
[date]. We will also provide periodic status reports on our work upon 
your request. We look forward to working with the [entity] and 
appreciate its cooperation in working with us to complete the audit in 
a timely manner. We are required by [cite legal or contract authority, 
as applicable] to issue our report by [date]. 

This assignment will be conducted under the management of [name and
title], who can be reached at [phone number] or by e-mail at [address], 
and [name and title of site auditor, as applicable], who can be reached 
at [phone number] or by e-mail at [address]. Should this letter not 
represent your understanding of the nature of this engagement, or 
should you have any questions or need further information, please 
contact me on [phone number] or by e-mail at [address]. 

We look forward to a successful engagement. 

Sincerely yours, 

[Auditor’s name and title] 

cc: CFO of federal entity: 
Others as applicable: 

[End of example] 

Example 2 -- Auditor Does Not Provide an Opinion on Entity’s Internal 
Control: 

Auditor letterhead: 

Date: 

[Address to the chief executive of the federal entity whose financial
statements are to be audited or the Inspector General if the audit has 
been contracted out to a CPA firm or the client as determined by the 
auditor.] 

Dear : 

Pursuant to [cite legal or contract authority for audit], [name of 
auditor] will audit, for fiscal year 20xx, the financial statements of 
the [name of federal entity]. The job code for this audit is XXXXXX. 
[Footnote 13] The objectives of our audit are as follows: 

1. Express an opinion on whether the [entity’s] fiscal year 20xx 
financial statements are fairly presented, in all material respects, in 
conformity with U.S. generally accepted accounting principles. 

2. Report any significant deficiencies and material weaknesses in 
internal control that come to our attention as a result of the audit. 

3. Report whether the [entity’s] financial management systems 
substantially comply with the requirements of the Federal Financial
Management Improvement Act (FFMIA) as of [end of fiscal year 20XX].
[If the entity is subject to the act]. 

4. Report on our tests of the [entity’s] compliance with selected 
provisions of laws and regulations. 

[Entity] management is responsible for preparing the financial 
statements and appropriate disclosures in conformity with U.S. 
generally accepted accounting principles. This includes maintaining 
adequate accounting records, developing accounting systems that comply 
with the requirements of FFMIA [if applicable], selecting and applying 
appropriate accounting policies, and safeguarding U.S. government 
assets related to [entity] operations. Management is also responsible 
for designing and implementing programs and controls to prevent and 
detect fraud, establishing and maintaining effective internal control 
over financial reporting and compliance, and identifying and ensuring 
compliance with applicable laws and regulations. 

[Entity] management is responsible for establishing and maintaining 
effective internal control to provide reasonable assurance that the
following objectives are met for financial reporting and compliance. 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the preparation of financial statements in
conformity with U.S. generally accepted accounting principles, and 
assets are safeguarded against loss from unauthorized acquisition, use,
or disposition. 

* Compliance with laws and regulations: Transactions are executed in
accordance with laws governing the use of budget authority and with 
other laws and regulations that could have a direct and material effect
on the financial statements and any other laws, regulations, and 
governmentwide policies identified in OMB audit guidance. 

[Entity] management is responsible for making all financial records and
related information available to us to conduct the audit. [Entity] 
management is also responsible for adjusting the financial statements to
correct material misstatements and to represent to us that any 
uncorrected misstatements are immaterial, both individually and in the 
aggregate, to the financial statements taken as a whole. Further, 
[entity] management agrees to communicate to us the discovery of any 
material misstatement that would affect the fair presentation of its 
fiscal year 20xx or prior fiscal year’s financial statements. 

We are responsible for conducting our audit in accordance with U.S.
generally accepted government auditing standards [and, if applicable, 
OMB audit guidance]. Those standards require that we obtain reasonable, 
rather than absolute, assurance about whether the financial statements 
are free of material misstatement, whether caused by error or fraud. 
Accordingly, a material misstatement may remain undetected. Also, an 
audit is not designed to detect error or fraud that is immaterial to 
the financial statements. If, for any reason, we are unable to complete 
the audit or are unable to form an opinion, we may decline to express 
an opinion. 

We are also responsible for (1) obtaining an understanding of internal
control sufficient to plan and perform the audit and to determine the
nature, extent, and timing of audit procedures to be performed and to
comply with OMB audit guidance, (2) testing whether [entity’s] financial
management systems substantially comply with the three FFMIA 
requirements [if applicable], (3) testing compliance with selected
provisions of laws and regulations that have a direct and material 
effect on the financial statements and laws for which OMB audit 
guidance requires testing, and (4) performing limited procedures with 
respect to certain other information in the Annual Financial Statement. 
The audit is not designed to express an opinion on the effectiveness of 
internal control or on management’s assertion on the effectiveness of 
internal control included in the [entity’s] annual financial statement 
[if applicable].[Footnote 14] 

In fulfilling our responsibilities and as part of our overall audit 
strategy, we will: obtain an understanding of the [entity] and its 
environment, including its internal control; assess the risks of 
material misstatement; design the nature, timing, and extent of further 
audit procedures; test relevant internal controls over financial 
reporting (including safeguarding of assets) and compliance [Footnote 
5]; test whether the [entity’s] financial management systems 
substantially comply with the requirements of FFMIA as of [fiscal year 
end] [if applicable]; test compliance with selected provisions of laws 
and regulations; and examine, on a test basis, evidence supporting the 
amounts and disclosures in the [entity’s] financial statements. 

Any internal control testing will be limited to controls over financial
reporting and compliance. This audit does not include evaluating all
internal controls relevant to operating objectives broadly defined by 
the Federal Managers’ Financial Integrity Act, such as those controls 
relevant to preparing statistical reports and ensuring efficient 
operations. Because of inherent limitations in internal control, 
misstatements due to error or fraud, losses, or noncompliance may 
nevertheless occur and not be detected. 

We will not test compliance with all laws and regulations applicable to
[entity]. We will limit our tests of compliance to those laws and 
regulations required by OMB audit guidance that we deem applicable to 
the financial statements for the fiscal year ended [date]. We caution 
that noncompliance may occur and not be detected by these tests and 
that such testing may not be sufficient for other purposes. 

We are also responsible for communicating in writing to those charged
with governance any significant deficiencies and material weaknesses in
internal control that come to our attention as a result of the audit. In
addition, we will communicate any suggestions for improving [entity]
operations and other control deficiencies identified during our audit 
in a separate letter to management [as applicable]. 

To assist us in the audit, we will use specialists in [information 
technology, statistical sampling, actuarial methods, or other areas as 
applicable]. At the conclusion of the audit, we will require certain 
written representations from [entity] management about the financial 
statements and related matters. These representations include a 
representation that the effects of any uncorrected misstatements are 
not material, both individually and in the aggregate, to the financial 
statements taken as a whole. 

To make efficient use of audit resources and expedite audit completion, 
we will request assistance from [entity] staff. This assistance may 
include preparing schedules or analyses; locating, copying, and 
providing selected documents; and participating in meetings. We will 
discuss this assistance with [entity] staff as the need arises. 
Throughout the audit, we will work with [entity] staff to obtain 
information needed for the completion of the audit and to arrive at 
mutually acceptable time frames for the delivery of requested data. 

We will conduct an entrance conference with [entity] staff on [or by] 
[date]. We will also provide periodic status reports on our work upon 
your request. We look forward to working with the [entity] and 
appreciate its cooperation in working with us to complete the audit in 
a timely manner. We are required by [cite legal or contract authority, 
as applicable] to issue our report by [date]. 

This assignment will be conducted under the management of [name and
title], who can be reached at [phone number] or by e-mail at [address], 
and [name and title of site auditor, as applicable], who can be reached 
at [phone number] or by e-mail at [address]. Should this letter not 
represent your understanding of the nature of this engagement, or 
should you have any questions or need further information, please 
contact me on [phone number] or by e-mail at [address]. 

We look forward to a successful engagement. 

Sincerely yours, 

[Auditor’s name and title] 

cc: CFO of federal entity: 
Others as applicable: 

[End of example] 

215 B – Sample Letter to Those Charged with Governance: 

Auditor letterhead: 

Date: 

[Address to board or commission responsible for the federal entity, an 
audit committee, secretary of a cabinet-level department, senior 
executives and financial managers, or congressional committees in their 
role as those charged with governance.] 

Dear : 

This letter is to inform you that we will soon begin (or have recently 
begun) our audit of the fiscal year 20xx financial statements of the 
[name of federal entity]. We [held or will hold] an entrance conference 
with officials of the [entity] on [date]. 

[If mandated:] We are responsible for conducting audits of the financial
statements of the [federal entity] in accordance with [cite legal or 
contract authority]. [If requested:] As requested in your letter of 
[date] [or as discussed with your staff] we will conduct an audit of 
financial statements of the [federal entity]. [If auditor’s statutory 
authority:] Under our audit authority [cite legal or contract 
authority], we will conduct an audit of financial statements of the
[federal entity]. We plan to issue our report by [date]. 

A copy of our [date] audit engagement letter to the [entity or IG] is 
attached.[Footnote 16] This letter explains the nature of the 
engagement, our responsibilities as auditors, and the responsibilities 
of [entity] management. 

We will provide periodic status reports on our work upon your request. 
We will also notify you when we will provide a draft report to the 
[entity] for comment and can provide a copy to you for informational 
purposes upon your request. Should this letter and the attached 
engagement letter not represent your understanding of the nature of 
this engagement, or should you have any questions, please contact me at 
[phone number] or by e-mail at [address], or [second auditor contact 
and title], at [phone number] or by e-mail at [address]. 

Sincerely yours, 

[Auditor name and title] 

Enclosure: 

[End of sample] 

220 – Understand the Entity’s Operations: 

.01: The auditor must obtain an understanding of the entity and its
environment, including internal control, to assess the risk of material
misstatement of the financial statements, whether due to error or fraud,
and to design the nature, extent, and timing of further audit 
procedures. In planning the audit, the auditor gathers information to 
obtain an overall understanding of the entity, including its origin and 
history, size and location, organization, mission, business, 
strategies, inherent risks, fraud risks, control environment, risk 
assessment from both internal and external sources, communications, and 
monitoring. 

Understanding the entity’s operations in the planning process enables 
the auditor to identify and respond to risks of material misstatement 
at the assertion level and to resolve accounting and auditing problems 
early in the audit. Based on an appropriate understanding of the entity 
and its environment, including its internal control, the auditor should 
assess the risks of material misstatement at the financial statement 
and relevant assertion levels as discussed in the planning and internal 
control phases of the FAM and then should respond to those identified 
risks when designing the nature, extent, and timing of tests to be 
performed in the internal control and testing phases of the audit. 

.02: The auditor’s understanding of the entity and its environment does 
not need to be comprehensive but includes: 

* entity management and organization, including the nature of the 
entity; 

* external factors affecting operations, including any industry or
regulatory factors; 

* internal factors affecting operations, including the entity’s 
objectives and strategies and the related business risks that may 
result in a material misstatement of the financial statements; 

* measurement and review of the entity’s performance; 

* accounting policies and issues; and

* the design of each of the components of internal control (control
environment, entity’s risk assessment, information and communication,
control activities, and monitoring) and whether the design has been
implemented. 

Additional guidance on obtaining an understanding of these areas is
included in AU 314, Appendices A and B. 

.03: The auditor should identify key members of management and obtain a
general understanding of the organizational structure. The auditor’s 
main objective is to understand how the entity is managed and how the
organization is structured for the particular management style. This
determines the environment that exists throughout the organization and
the extent to which a positive and supportive attitude exists toward 
internal control and conscientious management. Several other key factors
affecting the control environment include: 

* integrity and ethical values maintained by management;
* management commitment to competence;
* philosophy and operating style;
* delegation of authority and responsibility;
* human capital policies and procedures; and
* relationship with the Congress and oversight agencies. 

.04: The auditor should identify significant external and internal 
factors that affect the entity’s operations as part of understanding 
the entity and its environment for purposes of planning the audit. 
External factors include: 

* source(s) of funds; 

* seasonal fluctuations; 

* current political climate; and

* relevant legislation. 

Internal factors include: 

* size of the entity; 

* number of locations; 

* structure of the entity (centralized or decentralized); 

* complexity of operations; 

* information technology structure, including the extent to which
information systems processing is performed externally, such as
through cross-servicing agreements; 

* qualifications and competence of key personnel; and

* turnover of key personnel. 

.05: The auditor should obtain an understanding of: 

* the entity’s selection and application of accounting policies and
whether they are appropriate for its activities and consistent with U.S.
GAAP, including changes in U.S. GAAP that affect the entity, and

* whether entity management appears to follow aggressive or
conservative accounting policies. 

The auditor should also identify financial reporting standards that are 
new to the entity and understand when and how the entity will adopt such
standards. Where the entity has changed its selection of or method of
applying a significant accounting policy, the auditor should evaluate 
the reasons for the change and whether it is appropriate and consistent 
with U.S. GAAP. 

.06: The auditor also should determine whether the entity is required 
to report any unaudited supplementary information. This includes 
information on: 

* the condition of heritage assets and stewardship land; 

* deferred maintenance of federal property; 

* stewardship investments for nonfederal physical property, human 
capital, and research and development; and

* certain information for social insurance programs. 

.07: The auditor should develop and document a high-level understanding 
of the entity’s use of information systems and how these systems affect 
the generation of financial statement and supplementary information in 
the annual performance and accountability report (PAR) or annual 
report. An IS controls specialist may assist the auditor in 
understanding the entity’s use of information systems. The FISCAM may 
be used to document this understanding. 

.08: The auditor may gather planning information through different 
methods (observation, interviews, reading policy and procedure manuals, 
etc.) and from a variety of sources, including: 

* top-level entity management; 

* entity management responsible for significant programs; 

* the IG office and internal audit management (including any internal
control officer); 

* others in the audit organization concerning other completed, planned,
or in-progress assignments; 

* personnel in the Special Investigator Unit; and

* entity legal representatives. 

.09: The auditor may gather information from relevant reports and 
articles issued by or about the entity, including: 

* the entity’s prior PARs or annual reports; 

* other financial information; 

* FMFIA reports and supporting documentation; 

* reports by management or the auditor about systems’ substantial
compliance with FFMIA requirements; 

* the entity’s budget and related reports on budget execution; 

* GAO reports (including those for performance audits); 

* IG and internal audit reports (including those for performance audits
and other work); 

* congressional hearings and reports; 

* consultants’ reports; and

* material published about the entity in newspapers, magazines, Internet
sites, and other publications. 

.10: Audit documentation from prior year audits may contain useful
information for planning the current year audit. However, the auditor
should update any prior year information that is to be used as part of 
the current year audit documentation so that it reflects the current 
year operations, environment, risks, etc. 

If a different auditor performed the prior year audit, the current year
auditor should address the need for access to that audit documentation 
as part of the current year audit contract. As discussed in AU 315.11, 
the extent, if any, to which a predecessor auditor permits access to 
their audit documentation is a matter of professional judgment. 

225 – Perform Preliminary Analytical Procedures: 

.01: During planning, as part of the risk assessment procedures, the 
auditor should perform preliminary analytical procedures to: 

* understand the entity’s business, including current-year transactions
and events; 

* identify account balances, transactions, ratios, or trends that may 
signal risks of material misstatement, including any risks related to 
fraud (see FAM 260); and

* determine the nature, extent, and timing of further audit procedures 
to be performed. 

.02: The auditor performs preliminary analytical procedures when they 
are likely to provide useful planning information; this often relates 
to the reliability of comparative information. For example, in a 
first-year audit, comparative information might be unreliable; therefore, 
preliminary analytical procedures may be limited. Additionally, for 
some accounts, it may be difficult to perform preliminary analytical 
procedures on an interim basis because of the lack of reliable 
information until year-end. 

.03: The auditor generally should perform the following steps to 
achieve the objectives of preliminary analytical procedures: 

a. Develop expectations: The auditor should develop expectations for
account balances based on plausible relationships that are reasonably
expected to exist. For example, as loan activity increases, the auditor
would also expect loans receivable balances to increase. If the loans
receivable balance decreased, counter to the auditor’s expectations, the
auditor should make inquiries to understand why. A decrease could be
caused by higher loan payoffs, write-offs, or some other logical reason.
However, the decrease could also have occurred due to an error or
possible fraud. 

The financial data used in preliminary analytical procedures generally
are summarized at a high level, such as the level of financial 
statements. If financial statements are not available, the auditor may 
use trial balances, the budget, or financial summaries to determine 
expectations for the entity’s financial position and results of 
operations. When preliminary analytical procedures use data summarized 
at a high level, the results of these procedures provide only a broad 
initial indication about whether a material misstatement may exist. The 
auditor should consider the results of these procedures along with 
other information gathered when identifying risks of material 
misstatement. 

b. Compare current-year amounts to expectations: Use of unaudited
comparative data may not allow the auditor to identify significant
fluctuations, particularly if an item consistently has been treated
incorrectly, for example, if all accruals were not recorded. Also, the
auditor may identify fluctuations that are not really fluctuations due 
to errors or omissions in unaudited comparative data. 

A key to effective preliminary analytical procedures is to use
information that is comparable in terms of the time period presented
and the presentation (i.e., same level of detail and consistent grouping
of detailed accounts into summarized amounts used for comparison). 

The auditor may perform ratio analysis on current-year data and compare 
the current year’s ratios with expectations based on those derived from 
prior periods or budgets. The auditor does this to study the 
relationships among components of the financial statements and to 
increase knowledge of the entity’s activities. The auditor uses ratios
that are relevant indicators or measures for the entity. Also, the 
auditor should consider any trends in the performance indicators 
prepared by the entity. 

c. Identify significant fluctuations: The auditor should identify
fluctuations between recorded amounts and expectations. Fluctuations
are differences between the recorded amounts and the amounts expected 
by the auditor, based on comparative financial information and the 
auditor’s knowledge of the entity. Fluctuations refer to both 
unexpected differences between current-year amounts and comparative
financial information as well as the absence of expected differences.
The auditor generally should establish parameters for identifying 
significant fluctuations. When setting these parameters, the auditor may
consider the amount of the fluctuation in terms of absolute size, the
percentage difference, or both. The amount and percentage used are 
usually based on materiality. An example of a parameter is “All 
fluctuations in excess of $10 million and/or 15 percent of the 
expectation or other unusual fluctuations (such as debit amounts in
accounts having normally credit balances) will be considered
significant.” 

d. Inquire about significant fluctuations: Fluctuations may result from
errors or fraud, from changes in operations, or from changes in the
entity organization that the auditor did not consider when determining
expectations. The auditor should discuss identified fluctuations with
appropriate entity personnel. The focus of this discussion is to 
consider whether the fluctuation could result from error or fraud and 
whether the auditor adequately understands the entity’s operations. In 
doing this, the auditor should consider the types of errors or fraud 
that could have caused the fluctuations. 

For preliminary analytical procedures, the auditor does not need to
corroborate the explanations since they will be tested later. However,
the auditor should determine whether the explanations obtained appear
reasonable and consistent. If the entity personnel indicate that the
operations or organization has changed, the auditor may adjust the
expectations and then determine whether there is still a significant 
fluctuation. The inability of appropriate entity personnel to explain 
the cause of a fluctuation may indicate the existence of risk of 
material misstatement due to control, fraud, or inherent risk. 
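The parameter test in steps c and d above can be expressed as a short script. This is an added example, not part of the FAM; the sign convention (debit positive, credit negative), the reading of "and/or" as "either threshold", the names, and all sample amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

# Parameter quoted in FAM 225.03c: fluctuations in excess of $10 million
# and/or 15 percent of the expectation are considered significant.
ABS_THRESHOLD = 10_000_000
PCT_THRESHOLD = 0.15


@dataclass(frozen=True)
class LineItem:
    name: str
    normal_balance: str  # "debit" or "credit"
    expectation: int     # auditor's expected balance (debit +, credit -)
    recorded: int        # recorded balance, same sign convention


def assess(item, abs_threshold=ABS_THRESHOLD, pct_threshold=PCT_THRESHOLD):
    """Return the reasons an item is a significant fluctuation (empty if none)."""
    reasons = []
    # A fluctuation is recorded minus expected, so an expected change that
    # did not happen is caught the same way as an unexpected change.
    diff = item.recorded - item.expectation
    if abs(diff) > abs_threshold:
        reasons.append("amount")
    # The percentage test is undefined for a zero expectation; such items
    # rely on the amount test and the unusual-balance test.
    if item.expectation != 0 and abs(diff) / abs(item.expectation) > pct_threshold:
        reasons.append("percent")
    # "Other unusual fluctuations": a balance on the wrong side of the
    # account. The FAM names debits in credit accounts; the mirror case
    # is included here as an assumption.
    wrong_side = (
        (item.normal_balance == "credit" and item.recorded > 0)
        or (item.normal_balance == "debit" and item.recorded < 0)
    )
    if wrong_side:
        reasons.append("unusual balance")
    return reasons


def significant_fluctuations(items):
    """Map each flagged line item name to its list of reasons."""
    flagged = {}
    for item in items:
        reasons = assess(item)
        if reasons:
            flagged[item.name] = reasons
    return flagged


def reassess(item, adjusted_expectation):
    """Step d: re-test after the auditor adjusts the expectation."""
    return assess(replace(item, expectation=adjusted_expectation))


# Constructed sample data (not from any entity).
SAMPLE = [
    # Loan activity rose, so a higher balance was expected; the recorded
    # balance did not move from the prior year.
    LineItem("Loans receivable", "debit", 460_000_000, 400_000_000),
    LineItem("Accounts payable", "credit", -50_000_000, -41_000_000),
    LineItem("Accrued payroll", "credit", -8_000_000, 1_200_000),
    LineItem("Unearned revenue", "credit", 0, 500_000),
    LineItem("Property and equipment", "debit", 900_000_000, 905_000_000),
]

if __name__ == "__main__":
    for name, reasons in significant_fluctuations(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
    # After inquiry, management explains a large payoff program; the
    # auditor lowers the expectation and tests again.
    print("Loans receivable after adjustment:",
          reassess(SAMPLE[0], 405_000_000) or "not significant")
```

Flagged items are the ones to raise with entity personnel; an item that stays flagged after the expectation is adjusted, or that no one can explain, feeds the risk assessment in FAM 260.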

.04: The auditor should consider the results of preliminary analytical
procedures in assessing the risk of material misstatement due to error 
or fraud (see FAM 260). 

230 - Determine Planning and Design Materiality and Tolerable 
Misstatement: 

.01: Materiality is one of several tools the auditor uses to determine 
the nature, extent, and timing of procedures. As defined in FASB 
Statement of Financial Concepts No. 2, Qualitative Characteristics of 
Accounting Information, materiality represents the magnitude of an 
omission or misstatement of an item in a financial report that, in light 
of surrounding circumstances, makes it probable that the judgment of a 
reasonable person relying on the information would have been changed or 
influenced by the inclusion or correction of the item. 

.02: Materiality is based on the concept that items of little 
importance, which do not affect the judgment or conduct of a reasonable 
user, do not require auditor investigation. Materiality has both 
quantitative and qualitative aspects. Even though quantitatively 
immaterial, certain misstatements could have an important impact on or 
warrant disclosure in the financial statements for qualitative reasons. 

.03: For example, intentional misstatements or omissions (fraud) 
usually are more critical to the financial statement users than are 
unintentional errors of equal amounts. This is because users generally 
consider an intentional misstatement more serious than clerical errors 
of the same amount. 

.04: GAGAS and incorporated U.S. GAAS indicate that the auditor should 
use materiality in planning, designing procedures, and reporting. 
Materiality is a matter of professional judgment influenced by the 
auditor’s perception of the needs of financial statement users. 
Materiality judgments are made in light of surrounding circumstances 
and involve both quantitative and qualitative considerations, such as 
the public accountability of the entity under audit, various legal and 
regulatory requirements, and the visibility and sensitivity of 
government programs, activities, and functions as well as a variety of
other factors discussed in AU 312.60. 

.05: The term “materiality” has several meanings. The FAM uses the 
following terms that relate to materiality: 

* Planning materiality is a preliminary estimate of materiality in
relation to the financial statements taken as a whole, primarily based 
on quantitative measures. It is used to determine design materiality and
tolerable misstatement, which in turn are used to determine the nature,
extent, and timing of substantive audit procedures. It is also used to
identify significant laws and regulations for compliance testing. 

* Design materiality is the portion of planning materiality that the
auditor allocates to line items, accounts, or classes of transactions
(such as disbursements). The auditor usually sets this amount the same
for all line items or accounts as this amount is usually sufficient for
testing (except for certain intragovernmental or offsetting balances as
discussed in FAM 230.10). 

* Tolerable misstatement (formerly test materiality) is the materiality
the auditor uses to test a specific line item, account, or class of
transactions. Tolerable misstatement is defined in AU 312.34 as the
maximum error in a population (for example, a class of transactions or
account balance) that the auditor is willing to accept. Based on the
auditor’s judgment, the auditor may set tolerable misstatement equal to
or less than design materiality, as discussed in FAM 230.13, and may set
different amounts of tolerable misstatement for different line items or
accounts or assertions. 

.06: The FAM also uses the term “materiality” in the reporting phase. 

* Disclosure materiality is the threshold for determining whether to
report items separately in the financial statements or in the related
notes. This may differ from planning materiality. 

* FMFIA materiality is the threshold for determining whether a matter
meets OMB criteria for reporting matters under FMFIA as described in
FAM 580.36-.38. 

* Reporting materiality is the threshold for determining whether an
unqualified opinion can be issued. In the reporting phase, the auditor
assesses audit results to determine whether uncorrected misstatements
(known and likely) are either quantitatively or qualitatively material.
This decision is a matter of auditor judgment. There need not be a
direct relationship between reporting and planning materiality when
making these judgments. If uncorrected misstatements are determined
to be material, the auditor would be precluded from issuing an
unqualified opinion on the financial statements. See FAM 540. 

Unless otherwise specified, such as through using the terms above, the
term “materiality” in this manual refers to the overall financial 
statement materiality discussed in FAM 230.01. 

.07: The following guidelines provide the auditor with a framework for
determining planning materiality. However, this framework is not a
substitute for professional judgment. The auditor may determine planning
materiality outside of these guidelines. In such circumstances, the 
audit director should discuss the basis for the determination with the 
reviewer. The auditor should document planning materiality and the 
method of determining planning materiality. The audit director should 
review and approve the documentation. 

.08: The auditor should estimate planning materiality in relation to 
the element of the financial statements that the auditor judges is most 
significant to the primary users of the statements (the materiality 
base). The auditor generally uses preliminary information to estimate 
the materiality base. This may be prior years’ audited financial 
statements or current-year unaudited and unadjusted interim 
information. However, the auditor should adjust this preliminary 
information if there are indications of significant changes by 
year-end. To provide reasonable assurance that sufficient audit procedures 
are performed, the auditor may estimate the materiality base at the low 
end of the possible materiality base. 

.09: For capital-intensive entities, total assets may be an appropriate 
materiality base. For expenditure-intensive entities, total expenses 
may be an appropriate materiality base. Based on these concepts, the 
auditor generally should use as the materiality base the greater of 
total assets or expenses (net of adjustments for intragovernmental 
balances and offsetting balances). (See the discussion of these 
adjustments in the next paragraph.) The auditor may use other 
materiality bases, such as total liabilities, equity, revenues, 
appropriations, or, if significant, line items. Auditors may also use 
different materiality bases for different statements, such as total 
assets for the balance sheet and total expenses for the statement of 
net cost. 

The key is to use a materiality base or bases that the auditor believes 
are most critical to the users of the financial statements. This 
requires understanding the entity and the environment in which it 
operates. 

.10: In determining the materiality base, the auditor should decide how 
to handle significant intragovernmental balances (such as funds with 
the U.S. Treasury, U.S. Treasury securities, and inter-entity balances) 
and offsetting balances (such as future funding sources that offset 
certain liabilities and collections that are offset by transfers to 
other government entities) due to their nature as related party 
balances with different risks. Further, combining all of the accounts 
may distort the auditor’s judgment when designing the nature, extent, 
and timing of audit procedures. Because these amounts were removed from 
the materiality base as discussed in the previous paragraph, the 
auditor generally should establish a separate materiality base for 
significant intragovernmental or offsetting balances. 

For example, an entity that collects and remits funds on behalf of other
federal entities could have operating accounts that are small in 
comparison to the funds processed on behalf of other entities. In this 
example, the auditor would determine a separate planning materiality 
for auditing (1) the offsetting accounts, using the balance of the 
offsetting accounts as the materiality base, and (2) the rest of the 
financial statements using the materiality base guidance in FAM 230.09. 

.11: The auditor generally should set planning materiality at 3 percent 
of the materiality base. Although the auditor may use a mechanical 
means to compute planning materiality, the auditor should use judgment 
in evaluating whether the computed level is appropriate. The auditor 
also should consider adjusting the materiality base for the impact of 
such items as unrecorded liabilities, contingencies, and other items 
that are not incorporated in the entity’s financial statements (and not 
reflected in the materiality base) but that may be important to the 
financial statement user. Alternatively, the auditor may set a separate 
materiality amount for disclosures. 

.12: The auditor generally should set design materiality at one-third 
of planning materiality to allow for the precision of audit procedures. 
This guideline recognizes that misstatements may occur throughout the 
entity’s various accounts. The design materiality represents the 
materiality used as a starting point to design audit procedures for 
assertions in line items or accounts so that the auditor will detect an 
aggregate material misstatement in the financial statements as 
discussed in FAM 260.04. See FAM 540.11 for consideration of this 
precision allowance when evaluating the effects of misstatements on the 
financial statements for the purpose of reporting on the financial 
statements. 

.13: The auditor generally sets tolerable misstatement for a specific 
test the same as the design materiality. Using this amount for 
substantive procedures usually results in a sufficient extent of 
testing when few misstatements are expected or when the software allows 
the auditor to input expected misstatement. However, the auditor may 
set a tolerable misstatement lower than the design materiality for 
substantive testing of specific line items and assertions (which 
increases the extent of testing) particularly when: 

* the audit is being performed at some, but not all, entity locations
requiring increased audit assurance for those locations visited (see
FAM 285); 

* the area tested is sensitive to the financial statement users or may 
be qualitatively material; or

* the auditor expects to find a significant dollar amount of
misstatements.[Footnote 17] 

235 - Identify Significant Line Items, Accounts, Assertions, and RSSI: 

.01: The auditor should identify significant line items and accounts in 
the financial statements and significant related financial statement 
assertions. These line items and accounts include budget-related 
information such as that presented in the statement of budgetary 
resources, the reconciliation of the net cost of operations to budget 
note disclosure, and disclosure of the components of net position. The 
auditor should also identify any significant required supplementary 
stewardship information (RSSI).[Footnote 18] The auditor should perform 
appropriate control and substantive tests for each significant 
assertion for each significant line item and account. By identifying 
significant line items, accounts, and the related assertions early in 
the planning process, the auditor is more likely to design effective and
efficient audit procedures. Some insignificant line items, accounts, and
assertions may not warrant substantive audit tests if they are not
significant in the aggregate. However, some line items and accounts with
zero or unusual balances may warrant testing, particularly with regard 
to the completeness assertion. 

.02: Financial statement assertions, as presented in AU 326, are 
management representations that are embodied in financial statement 
components. Most of the auditor’s work in forming an opinion on 
financial statements consists of obtaining and evaluating sufficient 
appropriate evidence concerning the assertions in the financial 
statements. The assertions can be either explicit or implicit. The FAM 
classifies assertions into the following five broad categories: 

* Existence or occurrence: Recorded transactions and events occurred
during the given period, are properly classified, and pertain to the 
entity. An entity’s assets, liabilities, and net position exist at a 
given date. 

* Completeness: All transactions and events that should have been
recorded are recorded in the proper period. All assets, liabilities, and
net position that should have been recorded have been recorded in the
proper period and properly included in the financial statements. 

* Rights and obligations: The entity holds or controls the rights to
assets, and liabilities are the obligations of the entity at a given 
date. 

* Accuracy/valuation or allocation: Amounts and other data relating to
recorded transactions and events have been recorded appropriately.
Assets, liabilities, and net position are included in the financial
statements at appropriate amounts, and any resulting valuation or
allocation adjustments are properly recorded. Financial and other
information is disclosed fairly and at appropriate amounts. 

* Presentation and disclosure: The financial and other information in
the financial statements is appropriately presented and described and
disclosures are clearly expressed. All disclosures that should have been
included in the financial statements have been included. Disclosed
events and transactions have occurred and pertain to the entity. 

AU 326 contains 13 assertions within three categories. See FAM 235.08 
for a comparison of the above 5 assertions to the 13 assertions in AU 
326. 

.03: The auditor should determine whether a line item or an account in 
the financial statements or RSSI is significant. Significant items 
usually have one or more of the following characteristics: 

* Its balance or activity is material (equals or exceeds tolerable
misstatement). 

* A high risk of material misstatement (combined inherent and control
risk, as discussed in FAM 260.02) is associated with one or more
assertions relating to the line item or account. For example, a zero or
unusually small balance account may have a high risk of material
misstatement with respect to the completeness assertion. 

* Special audit concerns, such as regulatory requirements, warrant
added consideration. 

The auditor should determine whether any accounts considered 
individually insignificant are significant in the aggregate. 

.04: An assertion is significant (relevant) if misstatements in the 
assertion could exceed tolerable misstatement for the related line 
item, account, or disclosure. Additionally, in determining whether a 
particular assertion is relevant to a significant account balance or 
disclosure, the auditor should evaluate (1) the nature of the 
assertion, (2) the volume of transactions or data related to the 
assertion, and (3) the nature and complexity of the systems, including 
both manual and information systems, the entity uses to process and 
control information supporting the assertion (see FAM 270). 

.05: Certain assertions for a specific line item or account, such as 
completeness and disclosure, could be significant even though the 
recorded balance of the related line item or account is not material. 
For example, (1) the completeness assertion could be significant for an 
accrued payroll account with a high risk of material understatement 
even if its recorded balance is zero and (2) the disclosure assertion 
could be significant for a loss contingency even if no amount is 
required to be recorded. 

.06: Assertions are likely to vary in degree of significance, and some 
assertions may be insignificant or irrelevant for a given line item or 
account. For example: 

* The completeness assertion for liabilities may be of greater
significance than the existence assertion for liabilities. 

* All assertions related to an account that is not significant (as 
defined in FAM 235.03) are considered to be insignificant. 

.07: The auditor should document significant line items, accounts, and 
relevant assertions in the Account Risk Analysis (ARA) or other 
appropriate audit planning documentation (see FAM 395 I). The auditor 
should also document assertions related to budget-related balances and 
transactions included in the financial statements in the ARA or other 
audit documentation. FAM 395 F provides detailed control objectives for 
budget-related information. 

.08: For audits of financial statements for periods beginning on or 
after December 15, 2006 (calendar year 2007 and fiscal year 2008), AU 
326.15 identifies three categories of assertions: (I) classes of 
transactions and events for the period under audit, (II) account 
balances at the period end, and (III) presentation and disclosure. 
Within these three categories, AU 326 identified 13 assertions. The 
auditor may use these assertions or may express them differently, 
provided all the aspects of the assertions are addressed (AU 326.16). 
The table below compares the expanded assertions in AU 326 to the 
assertions in FAM 235.02. 

Comparison of AU 326 Assertions to FAM 235.02 Assertions: 

I. Assertions about classes of transactions and events for the period 
under audit: 

AU 326 Assertions:
1. Occurrence – Transactions and events that have been recorded have 
occurred and pertain to the entity. 

FAM 235.02 Assertions: 
1. Existence or occurrence - Recorded transactions and events have 
occurred during the given period, are properly classified, and pertain 
to the entity. An entity’s assets, liabilities, and net position exist
at a given date. 

AU 326 Assertions:
2. Completeness – All transactions and events that should have been 
recorded have been recorded. 

FAM 235.02 Assertions: 
2. Completeness - All transactions and events that should have been 
recorded are recorded in the proper period. All assets, liabilities, 
and net position that should have been recorded have been recorded in
the proper period and properly included in the financial statements. 

AU 326 Assertions:
3. Accuracy – Amounts and other data relating to recorded transactions 
and events have been recorded appropriately. 

FAM 235.02 Assertions: 
4. Accuracy/valuation or allocation - Amounts and other data relating 
to recorded transactions and events have been recorded appropriately. 
Assets, liabilities, and net position are included in the financial 
statements at appropriate amounts, and any resulting valuation or 
allocation adjustments are properly recorded. Financial and other 
information is disclosed fairly and at appropriate amounts. 

AU 326 Assertions:
4. Cutoff – Transactions and events have been recorded in the
correct accounting period. 

FAM 235.02 Assertions: 
1. Existence or occurrence - Recorded transactions and events have 
occurred during the given period, are properly classified, and pertain 
to the entity. An entity’s assets, liabilities, and net position exist
at a given date. 

2. Completeness - All transactions and events that should have been 
recorded are recorded in the proper period. All assets, liabilities, 
and net position that should have been recorded have been recorded in
the proper period and properly included in the financial statements. 

AU 326 Assertions: 
5. Classification – Transactions and events have been recorded in the 
proper accounts. 

FAM 235.02 Assertions: 
1. Existence or occurrence - Recorded transactions and events have 
occurred during the given period, are properly classified, and pertain 
to the entity. An entity’s assets, liabilities, and net position exist
at a given date. 

II. Assertions about account balances at the period end: 

AU 326 Assertions: 
6. Existence – Assets, liabilities, and equity interests exist. 

FAM 235.02 Assertions: 
1. Existence or occurrence - Recorded transactions and events have 
occurred during the given period, are properly classified, and pertain 
to the entity. An entity’s assets, liabilities, and net position exist 
at a given date. 

AU 326 Assertions: 
7. Rights and obligations – The entity holds or controls rights to 
assets, and liabilities are the obligations of the entity. 

FAM 235.02 Assertions: 
3. Rights and obligations – The entity holds or controls the rights to 
assets, and liabilities are the obligations of the entity at a given 
date. 

AU 326 Assertions: 
8. Completeness – All assets, liabilities, and equity interests that 
should have been recorded have been recorded. 

FAM 235.02 Assertions: 
2. Completeness - All transactions and events that should have been 
recorded are recorded in the proper period. All assets, liabilities, 
and net position that should have been recorded have been recorded
in the proper period and properly included in the financial statements. 

AU 326 Assertions: 
9. Valuation and allocation – Assets, liabilities, and equity interests 
are included in the financial statements at appropriate amounts and any
resulting valuation or allocation adjustments are appropriately 
recorded. 

FAM 235.02 Assertions: 
4. Accuracy/Valuation or allocation -- Amounts and other data relating 
to recorded transactions and events have been recorded appropriately. 
Assets, liabilities, and net position are included in the financial 
statements at appropriate amounts, and any resulting valuation or 
allocation adjustments are properly recorded. Financial and other 
information are disclosed fairly and at appropriate amounts. 

III. Assertions about presentation and disclosure: 

AU 326 Assertions: 
10. Occurrence and rights and obligations -- Disclosed events and 
transactions have occurred and pertain to the entity. 

FAM 235.02 Assertions: 
5. Presentation and disclosure - The financial and other information in 
the financial statements is appropriately presented and described and 
disclosures are clearly expressed. All disclosures that should have
been included in the financial statements have been included.
Disclosed events and transactions have occurred and pertain to the 
entity. 

AU 326 Assertions: 
11. Completeness - All disclosures that should have been included in 
the financial statements have been included. 

FAM 235.02 Assertions: 
5. Presentation and disclosure - The financial and other information in 
the financial statements is appropriately presented and described and
disclosures are clearly expressed. All disclosures that should have 
been included in the financial statements have been included. Disclosed 
events and transactions have occurred and pertain to the entity. 

AU 326 Assertions: 
12. Classification and understandability - Financial information is 
appropriately presented and described and disclosures are clearly 
expressed. 

FAM 235.02 Assertions: 
5. Presentation and disclosure - The financial and other information in 
the financial statements is appropriately presented and described and 
disclosures are clearly expressed. All disclosures that should have 
been included in the financial statements have been included. Disclosed 
events and transactions have occurred and pertain to the entity. 

AU 326 Assertions: 
13. Accuracy and valuation: Financial and other information is 
disclosed fairly and at appropriate amounts. 

FAM 235.02 Assertions: 
4. Accuracy/valuation or allocation -- Amounts and other data relating 
to recorded transactions and events have been recorded appropriately.
Assets, liabilities, and net position are included in the financial 
statements at appropriate amounts, and any resulting valuation or 
allocation adjustments are properly recorded. Financial and other
information are disclosed fairly and at appropriate amounts. 

[End of table] 

240 - Identify Significant Cycles, Accounting Applications, and 
Financial Management Systems: 

.01: In the planning and internal control phases, the auditor should 
identify controls for each significant cycle and accounting application 
and assess the risk of material misstatement for each assertion. For 
CFO Act agencies subject to FFMIA, the auditor also determines whether 
significant financial management systems substantially comply with (1) 
federal financial management systems requirements, (2) federal 
accounting standards, and (3) the SGL at the transaction level. See FAM 
701 for additional guidance on determining whether an agency’s systems 
substantially comply with FFMIA and FAM 701 A for related example audit 
procedures. 

A cycle or an accounting application is generally significant if it 
processes aggregate transactions in excess of design materiality or if 
it supports a significant account balance in the financial statements 
or RSSI. A financial management system generally consists of one or 
more accounting applications. If the auditor decides that one or more 
of the accounting applications making up a financial management system 
is significant, then that financial management system generally is 
significant for determining whether the system substantially complies 
with FFMIA. 

The auditor may also identify cycles, accounting applications, or 
financial management systems as significant based on qualitative 
considerations. For example, financial management systems covered by 
FFMIA include not only systems involved in processing financial 
transactions and preparing financial statements, but also systems 
supporting financial planning, management reporting, and budgeting 
activities; systems accumulating and reporting cost information; and 
the financial portion of mixed systems, such as benefit payment, 
logistics, personnel, and acquisition systems. 

.02: The entity’s accounting system may be viewed as consisting of 
logical groupings of related transactions and activities or accounting 
applications. Each significant line item or account is affected by 
input from one or more accounting applications (sources of debits or 
credits). The auditor may group related accounting applications into 
cycles; the entity may group related accounting applications into 
financial management systems. Accounting applications are classified as 
(1) transaction-related or (2) line item/account-related. 

.03: A transaction-related accounting application consists of the 
methods and records established to identify, assemble, analyze, 
classify, and record (in the general ledger) a particular type of 
transaction. Typical transaction-related accounting applications 
include billing, cash receipts, purchasing, cash disbursements, and 
payroll. A line item/account-related accounting application consists of 
the methods and records established to report an entity’s recorded 
transactions and to maintain accountability for related assets and 
liabilities. Typical line item/account-related accounting applications 
include cash balances, accounts receivable, inventory, property and 
equipment, and accounts payable. 

.04: Within a given entity, there may be several examples of each 
accounting application. For example, a different billing application 
may exist for each program that uses a billing process. Accounting 
applications that process a related group of transactions and accounts 
comprise cycles. For instance, the auditor may group billing, returns, 
cash receipts, and accounts receivable accounting applications to form 
the revenue cycle. Similarly, related accounting applications also 
comprise financial management systems. 

.05: For each significant line item and account, the auditor should use 
the ARA form at FAM 395 I or equivalent audit documentation to identify 
the significant transaction cycles (such as revenue, purchasing, and
production) and the specific significant accounting applications that 
affect these significant line items, accounts, and assertions. For 
example, the auditor might determine that billing, returns, cash 
receipts, and accounts receivable are significant accounting 
applications that affect accounts receivable (a significant line item). 
The ARA provides a convenient way to document the specific risks of 
material misstatement by assertion for significant line items for 
consideration in determining the nature, extent, and timing of audit 
procedures. If the auditor uses an equivalent type of audit 
documentation, rather than the ARA, the auditor should include the
information discussed in FAM 395 I. 

.06: Grouping related accounting applications into cycles can aid the 
auditor in preparing audit documentation and in designing audit 
procedures that are effective, efficient and relevant to the reporting 
objectives. The auditor may document insignificant accounts in each 
line item on the ARA or equivalent, indicating their insignificance and 
consequent lack of audit procedures applied to them. In such instances, 
a cycle matrix may not be necessary. Otherwise, the auditor should 
prepare a cycle matrix or equivalent document that links each of the 
entity’s accounts (in the chart of accounts) to a cycle, an accounting 
application, and a financial statement or RSSI line item. 

.07: Based on discussions with entity personnel, the auditor should 
determine the accounting application that is the source of the 
financial statement information. For example, applications that contain 
subsidiary records for receivables, property, and payables typically 
provide detailed information for testing and support for general ledger 
balances if appropriate reconciliations are performed. When a 
significant line item has more than one source of financial 
information, the auditor should consider the various sources and 
determine which is best for financial audit purposes. The auditor 
should evaluate the likelihood of misstatement and auditability in 
choosing the source to use. For audit purposes, the best source of 
financial information sometimes may be operational information prepared
outside the accounting system. 

.08: Once the auditor identifies significant accounting applications, 
the auditor should determine which information systems are involved in 
those applications. The auditor should then evaluate those particular 
information systems by assessing information-related controls using an 
appropriate methodology. 

.03: The auditor should obtain sufficient knowledge of the information 
systems relevant to financial reporting to understand the design of the 
procedures by which transactions are initiated, recorded, processed, 
and reported from their occurrence to their inclusion in the financial 
statements (see AU 319.49 and FAM 320). The auditor should also 
determine whether the design was implemented. OMB audit guidance notes 
that the components of internal control include general and application 
controls. OMB audit guidance requires that, for controls that have been 
properly designed and placed in operation (implemented), the auditor 
must perform sufficient tests to support a low assessed level of 
control risk.[Footnote 19] 

General controls are the policies and procedures that apply to all or a 
large segment of an entity’s information system. General controls help 
ensure the proper operation of information systems by creating the 
environment for proper operation of application controls. Application 
controls are those controls incorporated directly into computer 
applications to help ensure the validity, completeness, accuracy, and 
confidentiality of transactions and data during application processing. 

The auditor should use an appropriate methodology when assessing 
general and application controls and should document the basis for
believing that the methodology used is appropriate to satisfy these
requirements. If the auditor uses the same methodology for multiple 
audits, the audit organization may prepare this document once and 
maintain a central file for reference on individual audits. 

GAO auditors should use the FISCAM when assessing general and
application controls in a financial statement audit. The FISCAM is 
designed to meet these requirements, and GAO believes the FISCAM is an
appropriate methodology. 

See FAM 295 J for a flowchart of steps generally followed in assessing
information system controls in a financial statement audit. Information
system security controls are also addressed in OMB Circular No. A-130,
Management of Federal Information Resources, in the National Institute 
of Standards and Technology’s (NIST) An Introduction to Computer 
Security: The NIST Handbook, National Security Agency (NSA) guidance
on Microsoft and other computer vendor web sites, and in various 
publications. OMB’s guidance on reporting under the Federal Information
Security Management Act specifies NIST publications to be used by
agencies when evaluating information security. See FAM 260. 

245 - Identify Significant Provisions of Laws and Regulations: 

.01: To design relevant compliance-related audit procedures, the 
auditor should identify the significant provisions of laws and 
regulations.[Footnote 20] These provisions are those (1) for which 
compliance can be objectively determined and (2) that have a direct and 
material effect on the determination of financial statement amounts as 
defined in FAM 245.02b. To aid the auditor in this process, the FAM 
classifies provisions of laws and regulations into the following 
categories: 

* Transaction-based provisions are those for which compliance is 
determined on individual transactions. For example, the Prompt Payment 
Act requires that late payments be individually identified and
interest paid on such late payments. 

* Quantitative-based provisions are those that require the 
accumulation/summarization of quantitative information for measurement. 
These provisions may contain minimum, maximum, or targeted amounts 
(restrictions) for the accumulated/summarized information. For example, 
the Comprehensive Environmental Response, Compensation, and Liability 
Act of 1980 prohibits the Environmental Protection Agency from 
exceeding certain spending limits on specific projects. 

* Procedural-based provisions are those that require the entity to 
implement policies or procedures to achieve certain objectives. For 
example, the Single Audit Act, as amended, requires the awarding entity
to review certain financial information about recipients. 

.02: The auditor should identify the significant provisions of laws and
regulations. For each significant provision, the auditor should 
identify and evaluate related compliance controls and should test 
compliance with the provision. To identify such significant provisions, 
the auditor should do the following: 

a. Review the lists of laws and regulations that OMB and the entity have
determined might be significant. This list is included in an appendix of
OMB’s audit guidance and in FAM 295 H. The entity develops a list that
includes laws and regulations in OMB audit guidance, if they are
material to the entity. In addition, the auditor should identify (with 
OGC assistance) any laws or regulations (in addition to those identified by
OMB and the entity) that have a direct effect on determining amounts in
the financial statements. The meaning of direct effect is discussed in
FAM 245.03. 

b. Identify those provisions that are significant for each law or 
regulation. A provision is significant if (1) compliance with the 
provision can be measured objectively and (2) it meets one of the 
following criteria for determining that the provision has a material 
effect on determining financial statement amounts: 

* Transaction-based provisions: The aggregate amount of transactions 
processed by the entity that is subject to the provision equals or 
exceeds planning materiality. 

* Quantitative-based provisions: The quantitative information
required by the provision or by established restrictions equals or
exceeds planning materiality. 

* Procedural-based provisions: The provision broadly affects all or a 
segment of the entity’s operations that process transactions equal to 
or exceeding planning materiality in the aggregate. For example, a 
provision may require that the entity establish procedures to monitor 
the receipt of certain information from grantees. In determining 
whether to test compliance with this provision, the auditor should 
determine whether the total amount of money granted equals or exceeds 
planning materiality. 

.03: A direct effect means that the provision specifies: 

* the nature and/or dollar amount of transactions that may be incurred
(such as obligation, outlay, or borrowing restrictions); 

* the method used to record such transactions (such as revenue
recognition policies); or 

* the nature and extent of information to be reported or disclosed in 
the basic financial statements (such as the statement of budgetary
resources). 

For example, entity-enabling legislation may contain provisions that 
limit the nature and amount of obligations or outlays and therefore 
have a direct effect on determining amounts in the financial 
statements. If a provision’s effect on the financial statements is 
limited to contingent liabilities as a result of noncompliance 
(typically for fines, penalties, and interest), such a provision does 
not have a direct effect on determining financial statement amounts. 
Laws that have a direct effect might include (1) new laws and 
regulations (not yet reflected on OMB’s list) and (2) entity-specific 
laws and regulations. The concept of direct effect is also discussed in 
AU 801 and AU 317. 

.04: In contrast, indirect laws relate more to the entity’s operating 
aspects than to its financial and accounting aspects, and their 
financial statement effect is indirect. In other words, their effect 
may be limited to recording or disclosing liabilities arising from 
noncompliance. Examples of indirect laws and regulations include those 
related to environmental protection and occupational safety and health. 

.05: The auditor is not responsible for testing compliance controls 
over or compliance with any indirect laws and regulations not otherwise
identified by OMB or the entity (see FAM 245.02a). However, as 
discussed in AU 317, the auditor should inquire of management regarding 
policies and procedures for the prevention of noncompliance with 
indirect laws and regulations. Unless possible instances of 
noncompliance with indirect laws or regulations come to the auditor’s 
attention during the audit, no further procedures with respect to 
indirect laws and regulations are necessary. 

.06: The auditor may test compliance with indirect laws and 
regulations. For example, if the auditor becomes aware that the entity 
has operations similar to those of another entity that was recently in 
noncompliance with environmental laws and regulations, the auditor may 
test compliance with such laws and regulations. The auditor may also 
test provisions of direct laws and regulations that do not meet the 
materiality criteria in FAM 245.02b but that are deemed significant 
because they are qualitatively material, such as laws and regulations 
that have generated significant interest by the Congress, the media, or 
the public. 

.07: The significant provisions identified by the above procedures are 
intended to include provisions of all laws and regulations that have a 
direct and material effect on determining financial statement amounts 
and therefore comply with GAGAS, AU 801, and OMB audit guidance. 

.08: In considering regulations to test for compliance, the auditor 
should consider externally imposed requirements issued pursuant to the
Administrative Procedures Act, which has a defined due process. These
would include regulations in the Code of Federal Regulations as well as
OMB circulars and bulletins to the extent issued under direction of 
law. It would not include OMB circulars and bulletins to the extent 
issued as a matter of policy or guidance under the entity’s general 
authority. Internal policies, manuals, and directives may be the basis 
for internal controls, but are not regulations to consider for testing 
compliance. The auditor should consult its OGC if the direction of law 
determination is not clear. 

250 - Identify Relevant Budget Restrictions: 

.01: The auditor should identify relevant budget restrictions, evaluate 
budget controls (see FAM 295 G), and design compliance-related audit 
procedures relevant to budget restrictions. Some key documents that may 
be obtained from the entity or the auditor’s OGC are: 

* the Antideficiency Act (title 31 of the U.S. Code, sections 1341, 
1342, 1349-1351, and 1517); 

* the Purpose Statute (title 31 of the U.S. Code, section 1301); 

* the Time Statute (title 31 of the U.S. Code, section 1502); 

* OMB Circular No. A-11, Preparation, Submission and Execution of the
Budget, Part 4; 

* the Impoundment Control Act; and 

* the Federal Credit Reform Act of 1990 (if the entity has activity 
subject to this law). 

Title 7 of GAO’s Policy and Procedures Manual for Guidance of Federal
Agencies and GAO’s Principles of Federal Appropriations Law provide
guidance on compliance with budget restrictions. The SGL within the
Treasury Financial Manual provides guidance on budgetary accounting. 

.02: Information relating to the entity’s appropriation (or other budget
authority) for the period of audit includes: 

* authorizing legislation; 

* enabling legislation and amendments; 

* appropriation legislation and supplemental appropriation legislation; 

* apportionments and budget execution reports (including OMB forms 132 
and 133 and supporting documentation); 

* Impoundment Control Act reports regarding rescissions and deferrals,
if any; 

* the system of funds control document approved by OMB; and 

* any other information deemed by the auditor to be relevant to 
understanding the entity’s budget authority, such as legislative history
contained in committee reports or conference reports. 

Although legislative histories are not legally binding, they may help 
the auditor understand the political environment surrounding the entity 
(e.g., why the entity has undertaken certain activities and the 
objectives of these activities). SFFAS No. 27, Identifying and 
Reporting Earmarked Funds, may also help the auditor identify revenues 
or other financing sources of the federal entity. 

.03: Through discussions with the auditor’s OGC and the entity, and by 
using the above information and information prepared by management, the
auditor should identify all legally binding restrictions on the 
entity’s use of appropriated funds that are relevant to budget 
execution. This includes any restrictions on the amount, purpose, or 
timing of obligations and outlays (“relevant budget restrictions”). 
Additionally, the auditor should determine whether the entity has 
established any legally binding restrictions in its fund control 
regulations. An example of this would be the entity’s lowering the 
legally binding level for compliance with the Antideficiency Act to the 
allotment level. 

.04: The auditor should obtain advice from OGC on the implications if 
the entity were to violate these relevant budget restrictions. In the 
internal control phase, the auditor identifies the design of and tests 
the entity’s controls to prevent or detect noncompliance with these 
relevant restrictions. The auditor may evaluate controls over budget 
restrictions that are not legally binding but that may be considered 
sensitive or important. 

.05: During these discussions with OGC and the entity, the auditor 
should determine whether any of these relevant budget restrictions 
relate to significant provisions of laws and regulations for purposes 
of testing compliance. 

.06: For those entities that do not receive appropriated funds, the 
auditor should identify budget-related requirements that are legally 
binding on the entity. These requirements, if any, are usually found in 
the legislation that created the entity or its programs (such as the 
authorizing and enabling legislation) as well as any subsequent 
amendments. Although budget information on these entities may be 
included in the President’s budget submitted to the Congress, this 
information usually is not legally binding. In general, certain 
budget-related restrictions (such as the Antideficiency Act) apply to 
government corporations but not to government-sponsored enterprises. 

260 - Identify Risk Factors: 

.01: The auditor should perform risk assessments at the financial 
statement and relevant assertions levels based on an appropriate 
understanding of the entity and its environment, including its internal 
control. The auditor’s assessments of inherent risk, fraud risk, and 
the internal control components of the control environment, entity risk 
assessment, communication, and monitoring affect the auditor’s 
assessment of the risks of material misstatement. The risks of material 
misstatement affect the nature, extent, and timing of other audit 
procedures, including substantive procedures and control tests. This 
section describes (1) the relationship of identified risk factors to 
the risk of material misstatement and the impact on substantive 
procedures and control tests, (2) the process for identifying these 
risk factors, and (3) the auditor’s consideration of the entity’s 
process for reporting under FMFIA (both for internal control (section 2 
of FMFIA) and for financial management systems’ conformance with system
requirements (section 4 of FMFIA)) and for formulating the budget. 

Audit Risk Components: 

.02: AU 312 provides guidance on audit risk and defines “audit risk” as 
the risk that the auditor may unknowingly fail to appropriately modify 
an opinion on financial statements that are materially misstated. Audit 
risk is composed of the following risks: 

* Inherent risk is the susceptibility of a relevant assertion to a 
misstatement that could be material, either individually or when 
aggregated with other misstatements, assuming that there are no related 
controls. 

* Control risk is the risk that a misstatement that could occur in a 
relevant assertion and that could be material, either 
individually or when aggregated with other misstatements, will not be 
prevented or detected and corrected on a timely basis by the entity’s 
internal control. That risk is a function of the effectiveness of the 
design and operation of internal control in achieving the entity’s 
objectives relevant to preparation of the entity’s financial 
statements. Some control risk will always exist because of the inherent 
limitations of internal control. 

Internal control consists of five components: (1) the control 
environment, (2) risk assessment, (3) monitoring, (4) information and
communication, and (5) control activities (defined in FAM 260.08). This
section discusses the first three of the components and communication,
which is part of the fourth component. FAM 300 (Internal Control
Phase) discusses the information systems and control activities. 

* Risk of material misstatement is the auditor’s combined assessment of 
inherent risk and control risk. The auditor may separately assess 
inherent risk and control risk when determining the risk of material
misstatement. The auditor should assess the risk of material 
misstatement at the assertion level as a basis for further audit 
procedures. Although this assessment is a judgment rather than a 
precise measurement of risk, the auditor should have an appropriate
basis for the assessment. 

* Detection risk is the risk that the auditor will not detect a 
misstatement that exists in a relevant assertion that could be material,
either individually or when aggregated with other misstatements. 
Detection risk is a function of the effectiveness of an audit procedure
and of its application by the auditor. Detection risk relates to the
substantive procedures and is managed by the auditor’s response to the
risk of material misstatement. 

* Fraud risk is a part of audit risk, making up a portion of inherent 
and control risk. Fraud risk consists of the risk of fraudulent 
financial reporting and the risk of misappropriation of assets that 
cause a material misstatement of the financial statements. The auditor 
should specifically assess and document the risks of material 
misstatements of the financial statements due to fraud and should 
consider fraud risk in designing audit procedures. The auditor may 
determine the risks of material fraud concurrently with the 
consideration of inherent and control risk, but should form a separate 
conclusion on fraud risk. The auditor should evaluate the risk of fraud 
throughout the audit. FAM 290 includes documentation for fraud risk. 

Impact on Substantive Procedures: 

.03: Based on tolerable misstatement, the level of audit risk, and the 
risks of material misstatement, including the consideration of fraud 
risk, the auditor should determine the nature, extent, and timing of 
substantive procedures necessary to achieve the level of acceptable 
detection risk. For example, in response to a high risk of material 
misstatement, the auditor may perform: 

* additional substantive procedures that provide more appropriate
evidence (nature of procedures); 

* more extensive substantive procedures (extent of procedures), as
discussed in FAM 295 E; or 

* substantive procedures at or closer to the financial statement date
(timing of procedures). 

.04: Audit assurance is the complement of audit risk. Assurance equals 
100 percent minus the percent of allowable risk.[Footnote 21] AU 350.48 
uses 5 percent as the allowable audit risk in an example explaining the 
audit risk model, resulting in 95 percent audit assurance. The audit 
organization should determine the level of assurance to use, which may 
vary between audits based on risk. GAO auditors should use 95 percent. 
In other words, the GAO auditor, in order to provide an opinion, should 
design the audit to achieve at least 95 percent audit assurance that 
the financial statements are not materially misstated (5 percent audit 
risk). FAM 470 provides guidance on how to combine (1) the risk of 
material misstatement and (2) detection risk for substantive procedures 
to achieve the audit assurance required by the audit organization. 

.05: The auditor may consider it necessary to achieve increased audit 
assurance if the entity is politically sensitive or if the Congress has 
expressed concerns about the entity’s financial reporting. In this 
case, the level of audit assurance should be approved by the reviewer. 

Relationship to Control Assessment: 

.06: Internal control, as defined in AU 314.41, is a process effected 
by those charged with governance, management, and other personnel and is
designed to provide reasonable assurance regarding the achievement of
objectives in the following categories (OMB audit guidance expands the
category definitions as noted)[Footnote 22]: 

* Reliability of financial reporting: Transactions are properly 
recorded, processed, and summarized to permit the preparation of the 
financial statements in accordance with U.S. GAAP, and assets are 
safeguarded against loss from unauthorized acquisition, use, or 
disposition. (Note that certain safeguarding controls (see FAM 
310.05-.07) are part of financial reporting controls, although they are also 
operations controls.) 

* Compliance with applicable laws and regulations: Transactions are
executed in accordance with (1) laws governing the use of budget 
authority and other laws and regulations that could have a direct and
material effect on the financial statements and (2) any other laws,
regulations, and governmentwide policies identified by OMB in its audit
guidance. (Note that budget controls are part of financial reporting
controls as they relate to the statement of budgetary resources and the
reconciliation of the net cost of operations to budget note disclosure,
and that they are also part of compliance controls in that they are used
to manage and control the use of appropriated funds and other forms of
budget authority in accordance with applicable law. These controls are
described in more detail in FAM 295 G.) 

* Effectiveness and efficiency of operations: These controls include
policies and procedures to carry out organizational objectives, such as
planning, productivity, programmatic, quality, economy, efficiency, and
effectiveness objectives. Management uses these controls to provide
reasonable assurance that the entity (1) achieves its mission,
(2) maintains quality standards, and (3) does what management directs
it to do. 

.07: Some control policies and procedures belong in more than one 
category of control. For example, financial reporting controls include 
controls over the completeness and accuracy of inventory records. Such 
controls are also necessary to provide complete and accurate inventory 
records to allow management to analyze and monitor inventory levels to 
better control operations and make procurement decisions (operations 
controls). 

.08: The five components of internal control relate to objectives that 
an entity strives to achieve in each of the three categories: financial 
reporting (including safeguarding), compliance, and operations 
controls. The components in AU 314 are: 

* Control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. 

* Risk assessment is the entity’s identification and analysis of 
relevant risks to achievement of its objectives, forming a basis for 
determining how the risks should be managed. 

* Information and communication systems support the identification,
capture, and exchange of information in a form and time frame that
enable people to carry out their responsibilities. 

* Monitoring is a process that assesses the quality of internal control
performance over time. 

* Control activities are the policies and procedures that help ensure
that management directives are carried out. 

Process for Identifying Risk Factors: 

.09: In the planning phase, the auditor should (1) identify conditions 
that significantly increase inherent, fraud, and control risk (based on 
identified control environment, entity risk assessment, communication, 
or monitoring weaknesses) and (2) conclude whether any identified 
control risks preclude the effectiveness of specific control activities 
in significant applications. The auditor should identify specific 
inherent risks, fraud risks, and control environment, entity risk 
assessment, communication, and monitoring weaknesses based on 
information obtained in the planning phase, primarily from 
understanding the entity’s operations, including significant 
information systems processing performed outside the entity and 
preliminary analytical procedures. 

SAS No. 70 reports, which are discussed further in FAM 310 and AU 324,
may be prepared by auditors for service organizations (also referred to 
as service auditors) performing significant information systems 
processing for the entity. The auditor may find these reports useful 
for performing risk assessments and planning other audit procedures. 
The auditor should update the risk assessment throughout the audit. See 
FAM 260.47-57 for additional discussions of control environment, entity 
risk assessment, communication, monitoring and the auditor’s 
responsibility for understanding each of these components. See FAM 
290.05 for the documentation requirement related to understanding each 
component. 

.10: The auditor may consider factors such as those listed in FAM 
260.21-.71 in identifying such risks and weaknesses. These factors are 
general in nature and require the auditor’s judgment in determining (1) 
the extent of procedures (testing) to identify the risks and weaknesses 
and (2) the impact of such risks and weaknesses on the entity and its 
financial statements. Because this risk consideration requires the 
exercise of significant audit judgment, it should be performed by 
experienced audit team personnel. 

.11: The auditor may evaluate the implications of these risk factors on 
related operations controls. For example, inherent risk may be 
associated with a material liability for loan guarantees because it is 
subject to significant management judgment. In light of this inherent 
risk, the entity should have strong operations controls to monitor the 
entity’s exposure to losses from loan guarantees. Potential weaknesses 
in such operations controls could significantly affect the ultimate 
program cost. Therefore, the auditor may identify operations control 
weaknesses, including the need for operations controls in a particular 
area that may be further evaluated, as discussed in FAM 275. 

.12: Specific conditions that may indicate inherent or fraud risks or 
control environment, entity risk assessment, communication, or 
monitoring weaknesses are in FAM 295 A and FAM 295 B, respectively. 
These sections are designed to aid the auditor in identifying these 
risks and weaknesses but are not all inclusive. The auditor should 
evaluate any other factors and conditions deemed relevant. The auditor 
should determine which of the risks identified require special audit 
consideration. These risks are defined as “significant risks” by AU 
314. Significant risks often relate to significant nonroutine 
transactions and judgmental matters as discussed in AU 314.111-.115. 
For these risks, the auditor should evaluate the design of the entity’s 
related controls and determine whether they have been implemented. The 
results of these procedures assist the auditor in developing an 
effective audit approach as discussed in FAM 300 and 400. 

Brainstorming About the Risks of Material Misstatement: 

.13: As required by AU 314.14, the audit team, including the auditor 
with final responsibility for the audit (typically the audit director), 
should brainstorm (discuss) the susceptibility of the entity’s 
financial statements to material misstatements. The objective of this 
discussion is for the audit team members to gain a better understanding 
of the potential for material misstatements of the financial statements 
resulting from fraud or error in the specific areas assigned to them, 
and to understand how the results of the audit procedures that they 
perform may affect other aspects of the audit, including decisions 
about the nature, extent, and timing of further audit procedures. 

These discussions provide an opportunity for more experienced team
members to share insights based on their knowledge of the entity and for
the team members to exchange information about the business risks
related to the entity. Depending on the circumstances of the audit, 
multiple discussions may be held to facilitate the ongoing exchange of 
this information among team members. The purpose of these discussions 
is to share information obtained throughout the audit that may affect 
the risk assessments or related audit procedures. 

.14: During the discussion, the auditor should give particular emphasis 
to the susceptibility of the entity’s financial statements to material 
misstatement due to fraud as discussed beginning in FAM 260.23. The 
audit team should discuss critical issues, such as: 

* areas of significant risk of material misstatement; 

* areas susceptible to management override of controls; 

* unusual accounting procedures used by the entity; 

* important control systems; 

* materiality at the financial statement and account levels; 

* how materiality will be used to determine the extent of testing; 

* the application of U.S. GAAP to the entity’s facts and circumstances 
and in light of the entity’s accounting policies; and 

* the requirement that the auditor should plan and perform the audit 
with an attitude of professional skepticism. This should include 
emphasizing the need to exercise professional skepticism throughout the
engagement, being alert for information or other conditions that
indicate that a material misstatement due to fraud or error may have
occurred, and being rigorous in following up on such indications. 

.15: Key members of the audit team should be involved in this 
discussion; however, it is not necessary for all team members to have a 
comprehensive knowledge of all aspects of the audit. The auditor should 
use professional judgment to determine the meeting participants 
(including any specialists), the number of meetings, how and when the 
meetings should occur, and the extent of the discussion. The roles, 
experience, and information needs of the audit team are factors that 
influence the extent of the discussion. These discussions may be held 
concurrently with the audit team’s discussions of the susceptibility of 
the entity’s financial statements to fraud. See FAM 260.32-.34 for the 
fraud discussions and guidance for determining who should participate 
in these meetings as the participants would typically be the same. 

.16: The auditor should determine the matters to communicate to any 
audit team members not included in the discussion, for example, if 
separate discussions are held with the key staff at various locations 
for a multi-location audit. When the entire engagement is performed by 
a single auditor, the auditor should consider and document the 
susceptibility of the entity’s financial statements to material 
misstatements and consider any other factors that may be necessary in 
the engagement, such as personnel possessing specialized skills. 

.17: The auditor should identify and document any significant risks as
discussed in AU 314.110 after considering (1) knowledge obtained about
the entity (obtained in previous steps in the planning phase), (2) the 
risk factors discussed in FAM 260.16-.61, AU 314.111-114, FAM 295 A, 
and FAM 295 B, and (3) other relevant factors. 

The auditor should document these risks and weaknesses and their impact
on proposed audit procedures in the audit strategy, formerly the GRA 
(see FAM 290). The auditor also should summarize and document any 
inherent or fraud risks or control environment weaknesses that affect 
the specific account on the ARA or equivalent (see FAM 290 and FAM 395 
I). 

.18: For each risk factor identified, the auditor should document the 
nature and extent of the risk or weakness; the condition(s) that gave 
rise to that risk or weakness; and the specific cycles, accounts, line 
items, and related assertions affected (if not pervasive). For example, 
the auditor may identify a risk of material misstatement in the 
valuation of the net receivables line item due to (1) the materiality 
of the receivables and potential allowance, (2) the subjectivity of 
management’s judgment related to the loss allowance (inherent risk), 
and (3) management’s history of aggressively challenging any proposed 
adjustments to the valuation of the receivables (control environment 
weakness). The auditor should also document other considerations that 
may mitigate the effects of identified risks and weaknesses. For 
example, the use of a lockbox (a control activity) may mitigate 
inherent risks associated with the completeness of cash receipts. 

.19: The auditor also should document, in the audit strategy, any risks 
of material misstatement that relate pervasively to the financial 
statements taken as a whole that potentially affect many relevant 
assertions. These may relate to the overall effectiveness of the 
control environment, entity risk assessment, communication, and 
monitoring, including whether weaknesses preclude the effectiveness of 
specific control activities. The focus should be on management’s 
overall attitude, awareness, and actions, including the ability to 
override existing controls, rather than on specific conditions related 
to a control environment, entity risk assessment, communication, or 
monitoring factor. The auditor should use this assessment when 
determining the risk of material misstatement for specific accounts and 
assertions. 

When developing responses to these types of risks of material
misstatement at the overall financial statement level, the auditor 
should consider matters such as the knowledge, skill, and ability of 
personnel assigned significant engagement responsibilities; whether 
certain aspects of the engagement need the involvement of a specialist; 
and the appropriate level of supervision of audit staff. AU 818.04-.06 
discusses the auditor’s overall responses to address the assessed risks 
of material misstatement at the financial statement level. 

.20: If applicable to the entity[Footnote 23], the auditor should 
obtain an understanding of the entity’s process for compliance with 
FMFIA and OMB’s Circular No. A-123, Management’s Responsibility for 
Internal Control, (see FAM 260.58-.63) and whether the process has been 
implemented and should obtain an understanding of the budget 
formulation process (see FAM 260.71). 

Inherent Risk Factors: 

.21: Inherent risk factors incorporate characteristics of an entity, a 
transaction, an account, or an assertion that exist because of the: 

* nature of the entity’s programs, 

* prior history of audit adjustments, or 

* nature of material transactions and accounts. 

The auditor may limit the assessment of inherent risk to significant
programs, transactions, or accounts. Inherent risks may relate to the 
entity overall or to specific accounts and assertions. For each factor 
listed below, FAM 295 A lists conditions that may indicate inherent 
risk. 

a. Nature of the entity’s programs: The mission or business of an
entity includes the implementation of various programs or services. The
characteristics of these programs or services affect the entity’s
susceptibility to errors and fraud and sensitivity to changes in 
economic conditions. For example, student loan guarantee programs may 
be more susceptible to errors and fraud because of loans issued and 
serviced by third parties. 

b. Prior history of significant audit adjustments: Significant audit
adjustments identified in previous financial statement audits or other
audits often identify inherent or control risks that may allow financial
statement misstatements. For example, the prior year’s audit may have
identified the necessity for recording a liability as the result of 
certain economic conditions. The auditor could then focus on: 

* determining whether similar conditions continue to exist; 

* understanding management’s response to such conditions (including 
implementation of controls), if any; and 

* assessing the nature and extent of the related inherent and control
risk. 

c. Nature of material transactions and accounts: The nature of an
entity’s transactions and accounts has a direct relation to inherent 
risk. For example, accounts involving subjective management judgments,
such as loss allowances, are usually of higher inherent risk than those
involving more objective determinations. 

Information Systems Effect on Inherent Risk: 

.22: Information systems do not affect the audit objectives for an 
account or a cycle. However, information systems (or lack thereof) can 
introduce inherent risk factors not present in a manual accounting 
system. The auditor should (1) consider each of the following 
information system factors and (2) assess the overall impact of 
information systems processing on inherent risk. The impact of these 
factors typically will be pervasive in nature. An IS controls 
specialist may assist the auditor in considering these factors and 
making this assessment. More detail on assessing information system 
risks and controls in a financial statement audit is available in the
FISCAM, and a flowchart of steps is in FAM 295 J. 

a. Uniform processing of transactions: Because information systems
process groups of identical transactions consistently, any 
misstatements arising from erroneous computer programming will occur 
consistently in similar transactions. However, the possibility of
random processing errors is reduced substantially in computer-based
information systems. 

b. Automatic processing: The information system may automatically
initiate transactions or perform processing functions. Evidence of these
processing steps (and any related controls) may or may not be visible. 

c. Increased potential for undetected misstatements: Computers use and 
store information in electronic form and require less human involvement 
in processing. This increases the potential for individuals to gain 
unauthorized access to sensitive information and to alter data without 
visible evidence. Due to the electronic form, changes to computer 
programs and data may not be readily detectable. Also, users may be 
less likely to challenge the reliability of computer output than manual 
reports. 

d. Existence, completeness, and volume of the audit trail: The audit
trail is the evidence that demonstrates how a specific transaction was
initiated, processed, recorded, and summarized. For example, the audit
trail for a purchase could include a purchase order, a receiving report,
an invoice, invoice register (purchases summarized by day, month, 
account, or a combination of these), and general ledger postings from
the invoice register. Some computerized financial management systems
are designed so that the audit trail exists for only a short period 
(such as in online systems), only in an electronic format, or only in 
summary form. Also, the information generated may be too voluminous to 
allow effective manual review. For example, one posting to the general 
ledger may result from the computer summarization of information from
hundreds of locations and thousands of documents. 

e. Nature of information systems hardware and software: The nature of 
information systems hardware and software can affect inherent risk,
as illustrated below. 

* The type of computer processing (online, batch-oriented, or 
distributed) presents different levels of inherent risk. For example,
the inherent risk of unauthorized transactions and data entry errors
may be greater for online processing than for batch-oriented 
processing. 

* Peripheral access devices or system interfaces can increase inherent 
risk. For example, Internet and dial-up access to a system increases 
the system’s accessibility to additional persons and therefore 
increases the risk of unauthorized access to computer resources. 

* Distributed networks enable multiple computer processing units to
communicate with each other, increasing the risk of unauthorized
access to computer resources and possible data alteration. On the
other hand, distributed networks may decrease the risk of conflicting 
computerized data between multiple processing units. 

* Applications software developed in-house may have higher inherent
risk than vendor-supplied software that has been thoroughly tested
and is in general commercial use. 

f. Unusual or nonroutine transactions: As with manual systems, unusual 
or nonroutine information system transactions increase inherent risk. 
Programs developed to process such transactions may not be subject to 
the same procedures as programs developed to process routine 
transactions. For example, the entity may use a utility program to 
extract specified information in support of a nonroutine management 
decision. 

Fraud Risks: 

.23: The auditor must plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free of material
misstatement, whether caused by error or fraud. Accordingly, the auditor
should evaluate the risks of material misstatement due to fraud
(fraud risk). The primary factor that distinguishes fraud from error is 
that the action causing the misstatement in fraud is intentional. (See 
FAM 230 related to materiality, including quantitative and qualitative
considerations.) 

.24: Two types of misstatements are relevant to the auditor’s 
consideration of fraud in an audit of financial statements— 
misstatements arising from fraudulent financial reporting and 
misstatements arising from misappropriation of assets as follows: 

* Misstatements arising from fraudulent financial reporting are 
intentional misstatements or omissions of amounts or disclosures in
financial statements to deceive financial statement users. They could
involve intentional alteration of accounting records, misrepresentation
of transactions, intentional misapplication of accounting principles, or
other means. 

* Misstatements arising from misappropriation of assets involve thefts 
of an entity’s assets that result in misstatements in the financial 
statements. They could involve theft of property, embezzlement of 
receipts, fraudulent payments, or other means. (See FAM 310 for 
internal control over safeguarding assets. Safeguarding controls relate
to protecting assets against loss from unauthorized acquisition, use, or
disposition.) 

.25: In considering misstatements arising from misappropriation of 
assets, the auditor should consider fraud risks associated with 
improper payments. Some of the improper payments made by federal 
government entities could involve fraud. The Improper Payments 
Information Act of 2002 (Pub. L. No. 107-300) defines an improper 
payment as any payment that should not have been made or that was made 
in an incorrect amount (including overpayments and underpayments) under 
statutory, contractual, administrative, or other legally applicable 
requirements. 

The act requires agency heads to annually review all programs and 
activities that they administer, identify those that might be 
susceptible to significant improper payments, estimate annual improper 
payments for those identified programs, and submit those estimates to 
the Congress. For programs for which estimated improper payments exceed 
$10 million, the agency head also reports certain corrective actions, 
such as its plans to reduce and recover improper payments. Although the 
act has this reporting threshold for corrective actions, the auditor 
may consider improper payments amounting to $10 million or less 
quantitatively or qualitatively material. OMB guidance on 
implementation of this act is included in OMB Circular No. A-123, 
Appendix C. 

.26: The auditor is responsible for obtaining reasonable, but not 
absolute, assurance about whether the financial statements are free of 
material misstatement. Reasonable assurance is a high level of 
assurance. Absolute assurance cannot be attained because of the nature 
of audit evidence and the characteristics of fraud, and the auditor’s 
report does not provide absolute assurance. A properly planned and 
performed audit might not detect a material misstatement, and the 
subsequent discovery of a material misstatement does not, in and of 
itself, provide evidence that the auditor did not conform with auditing 
standards. 

.27: In addition, the auditor should evaluate situations or 
transactions that could be indicative of abuse as described below. 
Abuse is distinct from fraud and illegal acts. Abuse involves behavior 
that is deficient or improper (but not necessarily fraudulent or 
illegal) when compared with behavior that a prudent person would 
consider reasonable and necessary business practice given the facts and 
circumstances. Abuse also includes misuse of authority or position for 
personal financial interests or those of an immediate or close family 
member or business associate. Abuse does not necessarily involve fraud, 
violations of laws, regulations, or provisions of a contract or grant 
agreement. 

The auditor is not required to detect abuse as the determination of 
abuse is subjective. Accordingly, the auditor does not provide 
reasonable assurance of detecting abuse. However, if indications of 
abuse that could result in material misstatement of the financial 
statements or other financial data come to the auditor’s attention, the 
auditor should apply audit procedures specifically directed to 
determine whether abuse has occurred and the effect, if any, on the 
financial statements. The auditor should consider both quantitative and 
qualitative factors in making judgments about the materiality of 
possible abuse and about related audit procedures. After performing 
these additional procedures, the auditor may discover that the abuse 
represents potential fraud or illegal acts that should be addressed
following guidance in FAM 540. (See GAGAS, paragraphs 4.12-.13.) 

Characteristics of Fraud: 

.28: Three conditions generally are present when fraud occurs: 

* Incentive/pressure—Management, other employees, or external parties 
(for example, for some improper payments) have an incentive or are 
under pressure, which provides a motive to commit fraud. 

* Opportunity—Circumstances exist, such as the absence of controls,
ineffective controls, or the ability of management to override controls,
that provide an opportunity to commit fraud. 

* Attitude/rationalization—Individuals involved are able to rationalize
committing fraud. Some individuals possess an attitude, character, or
ethical values that allow them to knowingly and intentionally commit a
dishonest act. Generally, the greater the incentive or pressure, the 
more likely an individual will be able to rationalize the acceptability 
of committing fraud. 

.29: Management is in a position that could permit it to perpetrate 
fraud by directly or indirectly manipulating accounting records; 
overriding controls, sometimes in unpredictable ways; or committing 
other fraudulent or improper acts. 

Fraud Risk Factors: 

.30: Although fraud is usually concealed, the presence of fraud risk 
factors that indicate incentive/pressure, opportunity, or 
attitude/rationalization might alert the auditor to a significant risk 
of fraud. However, fraud risk factors do not necessarily indicate that 
fraud exists. Examples of fraud risk factors, classified by the two 
types of fraudulent misstatements and then by these three conditions, 
follow. 

a. Examples related to misstatements arising from fraudulent financial
reporting: 

* Incentive/pressure—Incentive exists for management to report reduced 
program costs or costs that are consistent with budgeted amounts, or 
excessive pressure exists to meet unrealistic deadlines, goals, or 
other requirements. 

* Opportunity—Key financial statement amounts are based on significant 
estimates that involve subjective judgments or uncertainties that are 
difficult to corroborate, or management is in a position to override 
controls for processing adjustments or unusual transactions. 

* Attitude/rationalization—Employees perceive that penalties exist for 
reporting honest results, or employees consider requirements such as 
performance targets unrealistic. 

b. Examples related to misstatements arising from misappropriation of
assets are: 

* Incentive/pressure—Employees who are disgruntled because of impending 
layoffs have an incentive to misappropriate assets, or pressure to meet 
programmatic objectives, such as for rapid benefit payments, increases 
the risk of fraudulent improper payments. 

* Opportunity—Employees have access to assets that are small in size 
and value or the authority to disburse funds, or a program has 
weaknesses in internal control related to fraudulent improper
payments. 

* Attitude/rationalization—Employees believe that management is 
unethical, or individuals believe they are entitled to the entity’s
assets. 

Fraud risk factors represent inherent or control risk factors. 
As discussed in FAM 260.02, the auditor should evaluate fraud risk 
factors in assessing inherent and control risk. FAM 295A and FAM 295B 
include additional examples of fraud risk factors. 

Professional Skepticism: 

.31: The auditor should exercise professional skepticism—an attitude 
that includes a questioning mind and a critical assessment of audit 
evidence—throughout the audit. Professional skepticism involves a 
mind-set that recognizes the possibility that a material misstatement due to 
fraud (or error) might be present, regardless of any past experience 
with the entity and regardless of the auditor’s belief about 
management’s honesty and integrity. 

Brainstorming Meeting(s) about Potential Fraud Risks: 

.32: Audit team members should exchange ideas in one or more 
brainstorming meeting(s) to identify potential fraud risks. As 
discussed in FAM 260.15, the audit team may combine this meeting with 
the brainstorming meeting on the risks of material misstatement. They 
should discuss how and where the financial statements could be 
susceptible to material fraudulent misstatement, how management could 
perpetrate and conceal fraudulent financial reporting, how assets could 
be misappropriated (including through fraudulent improper payments), 
how management could override controls, and how the auditor might 
respond to these risks. 

They also should consider known internal and external fraud risk factors
(including any related to fraudulent improper payments) and may 
categorize these factors by type of misstatement and by 
incentive/pressure, opportunity, and attitude/rationalization. The 
leader of the brainstorming discussion (typically the audit director) 
should emphasize the need to exercise professional skepticism in 
gathering and evaluating evidence throughout the audit. 

.33: The audit director, assistant director, and all other team members 
who have significant responsibilities in planning and performing the 
audit should participate in brainstorming, which may be performed in a 
single meeting or in multiple meetings. While different members may 
participate in different meetings, each brainstorming meeting should 
include at least one experienced team member, and all team members 
should be familiar with the collective results of the brainstorming 
meeting(s). Determining the brainstorming participants (for example, it 
might be useful to include stakeholders and specialists, such as IS 
controls specialists) and the number of brainstorming meeting(s) are 
matters of auditor judgment. 

.34: The auditor should consider fraud risks throughout the audit. Near 
the completion of the audit, the auditor should evaluate whether the 
audit test results indicate the need for a change in the assessment of 
the fraud risks or the need for additional or different audit 
procedures (see FAM 540.18-.19). Accordingly, communications with the 
audit team members about fraud should occur as needed throughout the 
audit, and the auditor may hold multiple, periodic brainstorming 
meetings. 

Information to Identify Fraud Risks: 

.35: The auditor might identify fraud risks as a result of replies to 
inquiries. To obtain information about fraud risks, the auditor should 
inquire of management about: 

* any knowledge of fraud or suspected fraud (including fraudulent 
improper payments) or related allegations; 

* management’s understanding of fraud risks, including any specific 
risks the entity has identified and any account balances, assertions, or
classes of transactions having likely fraud risks (including information
about any fraudulent improper payments that the agency identified in
making assessments related to the Improper Payments Information Act
of 2002); 

* any antifraud programs and controls the entity has established; 
[Footnote 24] 

* the nature and extent that locations or business segments, if any, are
monitored, and whether there are particular locations or segments for
which fraud risks might be more likely; 

* whether and how management communicates to employees its views
on business practices and ethical behavior; and 

* whether management has reported to those charged with governance, 
such as an audit committee (referred to as financial management 
advisory committee in some federal entities), or others with equivalent
authority and responsibility on how the entity’s internal control
prevents, deters, or detects fraud. 

.36: In addition to inquiring of management, inquiring of others may 
provide a different perspective or provide other important information. 
Accordingly, the auditor generally should perform the following 
inquiries and related procedures: 

a. Obtain information about instances of fraud (including any related to
fraudulent improper payments) reported by the IG, ordinarily by asking
the Special Investigator Unit to summarize how cases of reported fraud
were committed, and then ask management or the IG’s office whether
related controls have been strengthened. 

b. Understand how those charged with governance know about fraud risks, 
any fraud or suspected fraud, and how they exercise oversight. 

c. Inquire of internal audit personnel about fraud risks, any 
procedures to detect fraud during the reporting period, management’s 
response to any such findings, and any fraud or suspected fraud. 

d. Inquire of other personnel about fraud or suspected fraud. The 
auditor should use judgment to determine whom to ask and the extent of
inquiries. For example, the auditor may inquire of employees with
varying levels of authority, operating personnel not directly involved 
in the financial reporting process, employees familiar with complex or
unusual transactions or with improper payments, and in-house legal
counsel. 

If inconsistencies arise from the auditor’s inquiries of management and
others, obtain additional evidence to resolve the inconsistencies. 

.37: The auditor also should perform the following procedures: 

a. Obtain and review the entity’s (1) plan to identify improper 
payments, and (2) report on improper payments (or information about any
findings), if any, that resulted from the agency’s review under the
Improper Payments Information Act of 2002. 

b. Determine whether preliminary analytical procedures disclosed any
unusual or unexpected relationships that might indicate fraud risks.
Where revenue is (or is expected to be) material, analytical procedures
should include those related to revenue—for example, trend analysis—to 
identify unusual or unexpected relationships that might indicate 
fraudulent financial reporting of revenue (see FAM 225 related to 
preliminary analytical procedures). 

c. Determine whether any fraud risk factors exist (see FAM 260.30). 

d. Identify other information that might help identify fraud risks, 
such as information that resulted from previous audits, the 
brainstorming meeting(s), and inherent risks identified at the account, 
transaction, or assertion levels. 

Identification and Assessment of Fraud Risks: 

.38: To identify fraud risks (including any related to fraudulent 
improper payments), the auditor should perform the following 
procedures: 

a. Evaluate the information obtained in the procedures described in FAM
260.27-.32, in the context of the three conditions that generally are
present when fraud occurs—incentive/pressure, opportunity, and 
attitude/rationalization. While fraud risk might be greatest when all
three of these conditions are evident, observation of one or more of
these conditions might indicate a fraud risk. 

b. Where revenue is (or is expected to be) material, evaluate whether
there are fraud risks related to revenue recognition (for example,
through premature recognition or fictitious revenue). If the auditor
concludes that improper revenue recognition does not represent a
fraud risk, the auditor should document the reasons supporting that
conclusion (see FAM 290.04 h). 

c. Evaluate the possibility that management could override controls,
even if specific fraud risks have not been identified. 

.39: For each identified fraud risk, the auditor should determine 
whether it relates to (1) specific financial statement account balances 
or classes of transactions and related assertions or (2) more 
pervasively, to the financial statements as a whole. Generally, 
relating fraud risks to the individual accounts, classes of 
transactions, and assertions helps in designing audit procedures in 
response to these risks. 

.40: As part of understanding internal control sufficient to plan the 
audit, the auditor should (1) evaluate whether programs and controls 
that address identified fraud risks have been suitably designed and 
implemented and (2) determine whether these programs and controls 
mitigate these risks, or whether specific control deficiencies increase 
these risks. See FAM 350 regarding testing the operating effectiveness 
of controls that are determined to mitigate these risks. 

.41: The auditor should assess the identified fraud risks, taking into
consideration the results of the procedures described in the preceding
paragraph. In making this assessment, using professional judgment, the
auditor should evaluate significant aspects of each of these risks, 
including the type of misstatement, the significance and pervasiveness 
of the risk, and the likelihood that a material misstatement could 
result. 

Response to Assessed Fraud Risks: 

.42: The auditor must respond to the assessed risks of material 
misstatement due to fraud as discussed in FAM 260.42-.46 and AU 316. 
The nature and significance of these fraud risks, as well as programs 
and controls that address identified fraud risks, influence the 
auditor’s response. The auditor should use professional judgment in 
determining the appropriate response for the circumstances and exercise 
professional skepticism in gathering and evaluating audit evidence. The 
response should (1) affect the overall conduct of the audit (see FAM 
260.44), (2) address fraud risks that relate to management override of 
controls (see FAM 260.45), and (3) for any of these risks that relate 
to specific financial statement account balances or classes of 
transactions and related assertions, involve the nature, extent, and 
timing of audit procedures (see FAM 260.46). If it is not practicable, 
as part of a financial statement audit, to design audit procedures that
sufficiently respond to the fraud risks, the auditor may request 
assistance from the Special Investigator Unit and evaluate the effect 
of omitting these procedures on the scope of the audit and the audit 
report. 

.43: In some instances, the audit strategy and audit plan could, for 
reasons other than responding to fraud risk, include procedures and 
personnel and supervisory assignments that are sufficient to respond to 
a fraud risk. In those instances, the auditor may conclude that no 
further response is required. For example, with respect to timing, 
audit procedures could be planned as of the date that the reporting 
period ends, both as a response to a fraud risk and for other reasons. 

.44: The auditor should respond to the fraud risks in ways that have an 
overall effect on the conduct of the audit, as follows: 

a. Assignment of personnel and supervision—Assign audit team staffing 
and/or supervision so that the knowledge, skill, and ability of 
personnel assigned significant responsibilities are commensurate with
the auditor’s assessment of the fraud risks. For example, the auditor
may assign a fraud specialist or more experienced staff member or may
increase supervision in response to identified fraud risks (also see FAM
270 related to IS controls specialists). 

b. Review of accounting principles—Review management’s selection and 
collective application of significant accounting principles, 
particularly those related to subjective measurements and complex 
transactions. 

c. Unpredictability of audit procedures—Incorporate an element of 
unpredictability in the selection of audit procedures from reporting
period to reporting period. For example, perform substantive procedures 
on selected account balances and assertions not otherwise tested due to 
their materiality and risk, adjust the timing of audit tests, use a 
different method to select items for testing, or perform procedures at 
different locations or at locations on an unannounced basis (AU 
316.50). Statistical sampling selection usually provides an element of 
unpredictability as to the specific items tested (see FAM 480). 
Generally, the auditor should not inform entity personnel of specific 
audit procedures prior to performing them, as personnel may take 
actions to further conceal any fraudulent activity. However, the 
auditor will usually make arrangements to conduct audit work at 
specific sites in advance, and will instruct entity personnel to locate
certain documentation so the auditor may test it upon arrival. 

.45: The auditor should perform procedures to specifically address the 
risk that management can perpetrate fraud by overriding controls as 
follows: 

a. Examination of journal entries and other adjustments—Examine journal 
entries and other adjustments for evidence of possible material 
misstatement due to fraud. These include reclassifications, 
consolidating entries, and other routine and nonroutine journal entries
and adjustments. The auditor should: 

* obtain an understanding of the financial reporting process and the
controls over journal entries and other adjustments; 

* identify and select journal entries and other adjustments for 
testing; 

* determine the nature, extent, and timing of the testing (ordinarily
including tests of journal entries and other adjustments at the end of
the reporting period); and 

* inquire of individuals involved in the financial reporting process
about inappropriate or unusual activity related to the processing of
journal entries and other adjustments. 

b. Review of accounting estimates—Review accounting estimates for 
biases that could result in material misstatement due to fraud. In 
preparing financial statements, management is responsible for making
judgments or assumptions that affect significant accounting estimates
and for monitoring the reasonableness of these estimates on an ongoing 
basis. The auditor should evaluate whether differences between (1) 
estimates best supported by the evidence and (2) the estimates included 
in the financial statements, even if the estimates are individually 
reasonable, indicate possible bias by management, in which case the 
auditor should reconsider the estimates taken as a whole. 

The auditor also should perform a retrospective review of significant
accounting estimates used in the prior year’s financial statements,
focusing on sensitive or subjective aspects, to determine whether they
indicate possible bias by management, and the auditor should be alert
for aggressive or inconsistently applied estimates. Examples include
significant changes in allowances for uncollectible accounts that may
be tied to performance measures in an effort to improve collections. 

c. Evaluation of business rationale for significant unusual 
transactions—Evaluate the business rationale for any significant
unusual transactions, considering whether: 

* the form of these transactions is overly complex; 

* management has discussed the nature of and accounting for these
transactions with those charged with governance; 

* management is placing more emphasis on particular accounting 
treatments than on the underlying economics of the transactions; 

* transactions that involve related parties require review and
approval by those charged with governance; and 

* the transactions involve previously unidentified related parties (see
FAM 902) or related parties that do not have the substance or financial 
strength to support the transaction without assistance from the entity. 

.46: For fraud risks related to specific financial statement account 
balances or classes of transactions and related assertions, the 
specific response will depend on the types of risks and the specific 
balances or classes and assertions, but it generally should involve 
both substantive procedures and control tests. The response should 
involve one or more of the following: 

a. Nature of audit procedures—for example, obtaining related evidence
from independent external sources rather than internal sources. 

b. Extent of audit procedures—for example, increasing sample sizes. 

c. Timing of audit procedures—for example, performing substantive 
procedures at or near the end of the reporting period rather than at an
interim date. 

FAM 295 I provides additional examples of responses. 

Control Environment: 

.47: As discussed in AU 319, control environment risk factors 
incorporate management’s attitude, awareness, and actions concerning 
the entity’s control environment. These factors include: 

* integrity and ethical values; 

* commitment to competence; 

* management’s philosophy and operating style; 

* organizational structure; 

* assignment of authority and responsibility; 

* human resource policies and practices; 

* management’s control methods over budget formulation and execution; 

* management’s control methods over compliance with laws and 
regulations; and 

* the functioning of those charged with governance, including oversight
bodies (including congressional committees). 

.48: The auditor should obtain and document an understanding of the 
control environment sufficient to assess the risk of material 
misstatement and to plan the audit. The auditor should evaluate the 
design of the control environment and determine whether it has been 
implemented. In doing this, the auditor determines whether the control 
environment enhances or mitigates the effectiveness of specific control 
activities. In making this determination, the auditor should evaluate 
the following factors and their effect on internal control. For each 
factor listed below, FAM 295 B lists conditions that may indicate 
control environment weaknesses. 

a. Integrity and ethical values: Control effectiveness cannot rise above
the integrity and ethical values of those who create, administer, and 
monitor the controls. Management’s integrity and ethical values are 
essential elements of the control environment, affecting the design,
administration, and monitoring of the other components. Integrity and
ethical behavior result when the entity’s leaders have high ethical and
behavioral standards and properly communicate them and reinforce them 
in practice. The standards include management’s actions to remove or 
reduce incentives and temptations that might prompt personnel to engage 
in dishonest, illegal, or unethical acts. The communication of entity 
values and behavioral standards to personnel may take place through 
policy statements and codes of conduct and by example. 

b. Commitment to competence: Competence is the knowledge and skills 
necessary to accomplish tasks required by an individual’s job. 
Commitment to competence includes management’s consideration of the 
competence levels for various jobs and the requisite skills and 
knowledge. It is supplemented by effective human resource policies
and practices discussed below. 

c. Management’s philosophy and operating style: Management’s philosophy 
and operating style encompass a broad range of beliefs, concepts, and 
attitudes. Such characteristics may include management’s approach to 
taking and monitoring operational/program risks, attitudes and actions 
toward financial reporting, emphasis on toward information processing, 
accounting, personnel, and internal control. 

d. Organizational structure: An entity’s organizational structure 
provides the overall framework for planning, directing, and controlling
operations. The organizational structure assigns authority and 
responsibility within the entity. An organizational structure includes 
the form and nature of an entity’s organizational units, including the 
data processing organization, and related management functions and
reporting relationships. 

e. Assignment of authority and responsibility: An entity’s policies or
procedures for assigning authority for operating activities and for 
delegating responsibility affect the understanding of established 
reporting relationships and responsibilities. This factor includes 
policies relating to appropriate business practices, knowledge and 
experience of key personnel, and resource allocations. It also includes
policies and communications to enable personnel to understand the 
entity’s objectives, how they contribute to these objectives, and how
and for what they will be held accountable. 

f. Human resource policies and practices: Human resource policies and 
practices affect an entity’s ability to employ sufficient competent and 
trustworthy personnel to accomplish its goals and objectives. Such 
policies and practices include hiring, training, evaluating, promoting,
compensating, and assisting employees in the performance of their 
assigned responsibilities by giving them the necessary resources. 

g. Management’s control methods over budget formulation and execution: 
Management’s budget control methods affect the authorized use of 
appropriated funds. Budget formulation is discussed in more detail in 
FAM 260.71, and controls over budget execution (budget controls) are 
addressed in more detail in FAM 300. 

h. Management’s control methods over compliance with laws and 
regulations: Such methods have a direct impact on an entity’s 
compliance with applicable laws and regulations. (Compliance controls
are addressed in more detail in FAM 300). 

i. The functioning of those charged with governance such as oversight 
groups: An entity’s oversight groups typically are responsible for 
overseeing both business activities and financial reporting. The 
effectiveness of an oversight group is influenced by its authority and 
its role in overseeing the entity’s business activities. In the federal 
government, oversight groups are the Congress and the central agencies 
(OMB, Treasury, and GAO) as well as GSA and OPM. Within agencies, 
senior management councils may also have a role in overseeing 
operations and programs. Oversight groups often have a monitoring 
function. 

Entity Risk Assessment: 

.49: Risk assessment is an entity’s process for identifying, analyzing, 
and managing risks relevant to achieving the objectives of reliable 
financial reporting, safeguarding of assets, and compliance with budget 
and other laws and regulations. For example, the entity’s risk 
assessment may address how the entity analyzes significant estimates 
recorded in the financial statements or how it considers the 
possibility of unrecorded transactions. Risks may arise due to both 
internal and external circumstances, such as: 

* changes in the operating or statutory environment; 

* new personnel who may have a different focus on internal control; 

* ability of management to override established controls; 

* new or significantly changed information systems; 

* rapid growth of programs which can strain controls; 

* new technology which may change risks; 

* new programs or activities which may introduce new control risks; 

* restructurings or budget cutbacks which may include downsizing and
changes in supervision and segregation of duties; or 

* adoption of new accounting principles which may affect risks in
preparing financial statements. 

.50: The auditor should obtain and document an understanding of the 
entity’s risk assessment process sufficient to assess the risk of 
material misstatement and to plan the audit. The auditor should 
evaluate the design of the entity’s risk assessment process and 
determine whether it has been implemented. In doing this, the auditor 
should understand how management considers risks relevant to the 
objectives of financial reporting (including safeguarding), and 
compliance with budget and other laws and decides what actions to take. 
This understanding may include how management identifies risks, 
estimates their significance, assesses the likelihood of occurrence, 
and relates them to financial reporting. 

Communication Factors: 

.51: Communication includes providing an understanding of individual 
roles and responsibilities pertaining to internal control. It includes 
the extent to which personnel are told how their activities relate to 
the work of others and the means of reporting exceptions to an 
appropriate higher level within the entity. Open communication channels 
provide a means to report exceptions to the appropriate people. 
Communication takes such forms as Web sites, e-mails, policy manuals, 
accounting and financial reporting manuals, and memorandums. 
Communication also may be electronic, oral, and through the actions of 
management in demonstrating acceptable behavior. 

.52: The auditor should obtain and document an understanding of the 
entity’s communication process sufficient to assess the risk of material
misstatement and to plan the audit. The auditor should evaluate the 
design of the entity’s communication process and determine whether it 
has been implemented. In doing this, the auditor should obtain 
sufficient knowledge of the means the entity uses to communicate roles 
and responsibilities for, and significant matters relating to, financial 
reporting, including safeguarding of assets, and compliance with budget 
and other laws and regulations. 

Monitoring Factors: 

.53: Monitoring is the process by which management and those charged 
with governance assess the quality of internal control performance over 
time. This may include ongoing activities, such as regular management 
and supervision to determine that a control was performed correctly, or
communications from external parties, such as regulator comments that
may indicate areas in need of improvement. Monitoring does not include
procedures that are control activities, such as preparing 
reconciliations. Monitoring may include separate evaluations, such as 
FMFIA (OMB Circular No. A-123) work and IG or internal auditor work, or 
a combination of ongoing activities and separate evaluations. See FAM 
260.58-63 for discussion of the FMFIA process. 

.54: The auditor should obtain and document an understanding of the 
entity’s monitoring process sufficient to assess the risk of material 
misstatement and to plan the audit. The auditor should evaluate the 
design of the entity’s monitoring process and determine whether it has 
been implemented. In doing this, the auditor should gain sufficient 
knowledge of the major types of activities the entity uses to monitor 
internal control over financial reporting, including safeguarding, and 
compliance with budget and other laws and regulations and how 
monitoring is used to initiate corrective actions. 

.55: The IG’s office or internal audit function is often an important 
part of monitoring. The IG’s office (1) conducts audits and 
investigations relating to programs and operations, (2) provides 
leadership and coordination, including recommending policies for 
programs and operations, and (3) keeps the entity head and the Congress 
informed about problems and deficiencies, including the progress of 
corrective actions. If the IG’s office or internal audit function is 
part of the entity’s monitoring controls, the auditor should understand 
the design and implementation of the IG or internal audit office as a 
monitoring control. However, if the auditor is the IG, the office 
should not evaluate its own design and implementation as a control as 
the control relates to the financial accounting controls of the audited 
entity. Understanding an IG’s office or internal audit office includes
consideration of its authority and reporting relationships, the 
qualifications of its staff, and its resources. (In using the work of 
the IG or internal auditors, refer to FAM 650.) 

Information System Effect on the Control Environment, Risk Assessment, 
Communication, and Monitoring: 

.56: Information systems affect the effectiveness of control 
activities, the control environment, entity risk assessment, 
communication, and monitoring. For example, controls that normally 
would be performed by separate individuals in manual systems may be 
concentrated in one computer application and pose a potential 
segregation-of-duties issue. See AU 314.57-.63 for further discussion 
of the effect of information systems on internal control. 

.57: The auditor should obtain and document an understanding of the 
control environment related to the entity’s information system 
sufficient to assess the risk of material misstatement and to plan the 
audit. The auditor should evaluate the design of the control 
environment related to the entity’s information system and determine 
whether it has been implemented. In doing this, the auditor should 
evaluate the following IS factors in making an overall assessment of 
the control environment, entity risk assessment, communication, and 
monitoring. An IS controls specialist may assist the auditor in 
considering these factors. 

a. Management’s attitudes and awareness with respect to information 
systems: Management’s interest in and awareness of information system 
functions (including those performed for the entity by other 
organizations) is important in establishing an organizationwide 
consciousness of control issues. Management may demonstrate its 
interest and awareness by: 

* considering the risks and benefits of computer applications; 

* communicating policies regarding information system functions and
responsibilities; 

* overseeing policies and procedures for developing, modifying, 
maintaining, and using computers, and for controlling access to
programs and files; 

* considering the risks of material misstatement, including fraud risk,
related to information systems; 

* responding to previous recommendations or concerns; 

* quickly and effectively planning for, and responding to, computerized 
processing crises; and 

* using reliable computer-generated information for key operating 
decisions. 

b. Organization and structure of the information systems function: The 
organizational structure of the information systems function affects 
the control environment. Centralized structures often have a single 
computer processing organization and use a single set of system and 
applications software, enabling tighter management control over 
information systems. In decentralized structures, each computer center 
generally has its own computer processing organization, application 
programs, and system software, which may result in differences in 
policies and procedures and various levels of compliance at each 
location. 

c. Clearly defined assignment of responsibilities and authority: 
Appropriate assignment of responsibility according to typical 
information system functional areas can affect the control environment. 
Factors to consider include: 

* how the position of the Chief Information Officer (CIO) fits into the
organizational structure; 

* whether duties are appropriately segregated within the information 
systems function, such as operators and programmers, since lack of 
segregation typically affects all systems; 

* the extent to which management external to the information systems 
function is involved in major systems development decisions; and 

* the extent to which information system policies, standards, and 
procedures are documented, understood, followed, and enforced. 

d. Management’s ability to identify and to respond to potential risk: 
Computer processing, by its nature, introduces additional risk factors. 
The entity should be aware of these risks and should develop 
appropriate policies and procedures to respond to any information
system issues that might occur. The auditor may evaluate: 

* the methods for monitoring incompatible functions and for enforcing 
segregation of duties; and 

* management’s mechanism for identifying and responding to unusual or 
exceptional conditions. 

Federal Managers’ Financial Integrity Act of 1982[Footnote 25]: 

.58: If applicable to the entity, the auditor should obtain an 
understanding of the entity’s FMFIA process and whether the process has 
been implemented. Based on this understanding, the auditor should 
determine whether the auditor’s understanding of the FMFIA process affects the 
auditor’s risk assessment. 

.59: OMB’s Circular No. A-123, Management’s Responsibility for Internal
Control, provides guidance on improving the accountability and 
effectiveness of entity operations and programs by establishing, 
correcting, and reporting on internal control. The circular defines 
management’s responsibilities related to internal control and the 
process for assessing the effectiveness of internal control. Entities 
are required to report on the adequacy and effectiveness of internal 
controls as described in the circular. Management is to provide an 
assurance statement on the effectiveness of internal controls overall, 
and for CFO Act agencies, a separate assurance statement on the 
effectiveness of internal controls over financial reporting is to be 
included in the MD&A. Appendix A to the circular provides a methodology 
for agency use in assessing, documenting, and reporting on internal 
controls over financial reporting. 

.60: The effectiveness of the FMFIA process typically is a good 
indicator of management’s (1) philosophy and operating style, (2) 
assignment of authority and responsibility, and (3) control methods for 
monitoring and follow-up. The FMFIA process also may be the basis for 
management’s assertion about the effectiveness of internal control 
(section 2) and about the entity’s financial management systems’ 
substantial compliance with FFMIA requirements (section 4). 

.61: To obtain an understanding of the FMFIA process, the auditor 
generally should perform the following procedures. If the entity does 
not issue its own FMFIA report, the auditor generally should perform 
the following procedures with respect to information the entity 
contributes to the FMFIA report in which the entity is included. 

* Read: 
- FMFIA reports for the current and prior year and identify any 
changes; 
- important documentation prepared by the entity to support the current 
year FMFIA report and related management assertions in the MD&A; 
- any IG reports on the FMFIA process; 
- OMB’s most recent annual letter concerning FMFIA reporting; and 
- management’s description of the FMFIA process. 

* Discuss the FMFIA process with appropriate entity management 
(including management’s opinion of the quality of the process),
specifically: 
- how the FMFIA process is organized; 
- who is assigned to manage the process, including the staffing level,
experience and qualifications of assigned personnel, and reporting
responsibilities; and 
- how the process finds and evaluates weaknesses. 

* Identify the entity’s actions on previously reported weaknesses and
examine its documentation that demonstrates the results/effectiveness
of those actions. 

* Determine whether the audit finds different issues from those 
identified in the FMFIA process. (If so, see FAM 580 for reporting on 
FMFIA.) 

.62: The auditor should consider whether management procedures and 
supporting documentation are designed to (1) provide management with
reasonable assurance that FMFIA objectives have been achieved and (2) 
meet OMB requirements. The auditor’s consideration is based on the
understanding obtained through the procedures discussed in FAM 260.61 
rather than on the results of extensive tests. Factors the auditor may 
consider include: 

* evidence of efforts to rectify previously identified material 
weaknesses; 

* management’s commitment of resources to the FMFIA process, as 
reflected in the skills, objectivity, and number of personnel assigned 
to manage the process; 

* extent to which management’s methodology and assessment process, 
including testing and documentation, conform to the guidance in OMB
Circulars No. A-123 and A-127, revisions in Transmittal Memorandum
No. 2, and related OMB guidelines; 

* contractor or internal auditor involvement (if any); 

* the process used to identify and screen material weaknesses as FMFIA
reports are consolidated and moved up the entity’s hierarchy; 

* the sources that identify material weaknesses, since items identified 
by management personnel, rather than from IG, GAO, or other external
reports, demonstrate that the process can detect and report weaknesses; 

* OMB audit guidance on FMFIA and A-123; and 

* risk factors in FAM 295 B.17. 

.63: The auditor should document the understanding of the FMFIA process 
and its implementation. Based on this understanding, the auditor should
determine whether the auditor’s understanding of the FMFIA process 
affects the auditor’s risk assessment. The auditor should consider any
material weaknesses identified in the FMFIA report in determining the
risks of material misstatement. The auditor is not required to test the
effectiveness of the FMFIA process, unless the auditor determines in the
internal control phase that testing the effectiveness of the FMFIA 
process is an efficient and effective means of reducing the risks of 
material misstatement and the extent of substantive procedures. 

The auditor may determine that it is appropriate to test management’s
FMFIA work to reduce audit risk. The auditor’s determination, based on
testing, that FMFIA is an effective control may reduce but cannot 
completely eliminate the need for the auditor to perform substantive
procedures for related line items, accounts, and relevant assertions. 
FAM 360 discusses nonsampling control testing, and FAM 370 discusses the
assessments of control risk and the risks of material misstatement. 

Federal Financial Management Improvement Act of 1996: 

.64: As part of its FMFIA work, management determines whether its 
financial management systems comply with the requirements found in OMB 
Circular No. A-127, Financial Management Systems. Under FFMIA, the 
auditor of CFO Act agencies must report whether the financial 
management systems substantially comply with the three requirements of 
the Act. OMB issues guidance for agencies and auditors when addressing 
compliance with FFMIA. FAM 701 contains additional guidance for 
auditors. 

.65: During the planning phase, the auditor should understand the 
design of management’s process for determining that the entity’s 
systems were or were not in substantial compliance to report under 
FFMIA. The entity may have used the OMB FFMIA guidance, the GAO 
Financial Management Series of checklists for systems reviewed under 
FFMIA, or other tools. The auditor generally should read this 
documentation to determine whether to rely on the entity’s work. If 
reliance is planned, see FAM 650. See FAM 350 for additional planning 
of audit procedures related to FFMIA. 

.66: If the entity previously had an assessment made of its financial
management systems’ substantial compliance with these requirements that
resulted in finding lack of substantial compliance, the auditor should
understand the systems deficiencies identified and the potential risks 
of material misstatement to line items, accounts, and related 
assertions. The auditor also should read the remediation plan required 
by FFMIA and note whether the plan appears feasible and likely to 
remedy the deficiencies. 

Federal Information Security Management Act of 2002: 

.67: FISMA requires federal agencies to periodically test, evaluate, 
and report on the effectiveness of their information security policies, 
procedures, and practices as part of developing and implementing an 
entitywide information security program. FISMA requires entities to use 
NIST standards when performing certain functions. OMB reporting 
guidance for FISMA specifies the applicable NIST standards and other 
NIST publications to be used. 

.68: FISMA requires IGs to perform an independent evaluation and report 
on the effectiveness of these policies, procedures and practices through
testing a representative subset of the entity’s information systems. 
Except for national security systems, an independent auditor may 
perform this work at the discretion of the IG or if an entity does not 
have an IG, at the discretion of the agency head. The independent 
evaluation required by FISMA may be based in whole or in part on other 
relevant audits or evaluations of the entity. Entity management may 
rely on testing performed as part of the independent evaluation when 
making its own assessment. 

.69: The auditor should read the most recent FISMA report to assess the
implications of any reported significant deficiencies on the risks of
material misstatement for related line items, accounts, and relevant
assertions. The auditor may assess whether the procedures performed for 
FISMA reporting can be relied upon as part of the financial statement 
audit for purposes of planning and conducting other audit procedures. 
The auditor should use the factors in FAM 650 to help make this 
determination. Likewise, it may be possible for the auditor to use 
procedures performed as part of the financial statement audit to 
fulfill the FISMA requirements for certain systems, depending on the 
timing, nature, and extent of the work. 

.70: FISMA requires that significant deficiencies, as defined by the 
act, be reported by the entity as material weaknesses in its FMFIA 
report. Additionally, if a significant deficiency relates to a 
financial system, FISMA requires the entity to report it as an instance 
of lack of substantial compliance with FFMIA. See FAM 580.38-.39 for 
the definition and further discussion of FISMA significant deficiencies 
and considerations for financial audit reporting. 

Budget Formulation: 

.71: The auditor should obtain an overall understanding of the design 
of the budget formulation process. The auditor does this to understand 
better how misstatements and internal control weaknesses may affect the 
budget formulation process. Based on discussions with entity management
responsible for the budget formulation process and review of budget
documents, the auditor should understand the design of: 

* the entity’s process for developing and summarizing the budget, 

* the nature and sufficiency of instructions and training provided to
individuals responsible for developing the budget, 

* the extent that individuals involved in approving budget requests are
also involved in the budget formulation process, 

* the general extent to which the budget is based on historical
information, 

* the reliability of information on which the budget is based, 

* the extent to which the budget formulation system is integrated with
the budget execution system, and 

* the extent of correlation between information developed in the budget
formulation process and the allotments and suballotments in the budget
execution system. 

.72: The auditor is not required to test the effectiveness of the budget
formulation process, unless the auditor determines in the internal 
control phase that testing the effectiveness of the budget formulation 
process is an efficient and effective means of reducing the risk of 
material misstatement and the extent of substantive procedures. 

270 - Determine Likelihood of Effective IS Controls: 

.01: Information system (IS) controls consist of those internal 
controls that are dependent on information systems processing and 
include general controls (entitywide, system, and business process 
application levels), business process application controls (input, 
processing, output, master file, interface, and data management system 
controls), and user controls (controls performed by people interacting 
with information systems). General and business process application 
controls are always IS controls. A user control is an IS control if its 
effectiveness depends on information systems processing or the 
reliability (accuracy, completeness, and validity) of information 
processed by information systems. Conversely, a user control is not an 
IS control if its effectiveness does not depend on information systems 
processing or the reliability of information processed by information 
systems. 

In the planning phase, the auditor, with the assistance of an IS 
controls specialist, should use an appropriate methodology to 
understand the design of IS controls and whether they have been 
implemented and to determine whether IS controls are likely to be 
effective and should therefore be considered further in the audit. The 
auditor may coordinate work done to meet the provisions of FISMA (44 
U.S.C. 3541-3549) with work done as part of the financial statement 
audit. See FAM 295 J for a flowchart of steps in assessing IS controls 
in a financial statement audit. 

The procedures performed to determine the likelihood of effective IS
controls build on those procedures performed while understanding the
entity’s operations, including the design of its internal controls, and
assessing the effects of IS systems on inherent risk and the control
environment, risk assessment, communication, and monitoring. As
discussed in AU 314.40, the auditor should obtain an understanding of 
each of the five components of internal control—control environment, 
risk assessment, information and communication, monitoring, and control
activities—sufficient to assess the risks of material misstatement of 
the financial statements whether due to error or fraud, and to design 
the nature, extent, and timing of further audit procedures. This 
understanding should include relevant information system aspects. 

.02: Computerized financial management systems are used extensively in 
the federal government. Many of these systems share programs, data 
files, and hardware with one another, and are networked into major 
subsystems. In addition to producing financial and accounting 
information, these systems typically generate other information and 
reports used in management decision making. 

.03: As discussed in FAM 260.06, the auditor evaluates and tests the 
following types of controls in a financial statement audit: 

* financial reporting controls; 

* applicable compliance controls; and 

* certain operations controls (to the extent described in FAM 275). 

.04: For each of the specific controls to be evaluated and tested, as 
documented in the SCE form or equivalent document, the auditor should 
distinguish which are IS controls. FAM 295 F provides more detail on 
the three types of IS controls. The auditor and IS controls specialist 
should identify other IS controls (general or application, such as 
interface or data management system controls) upon which the 
effectiveness of the controls identified in the SCE depends. As 
discussed in 295 F, the effectiveness of user controls typically 
depends on the accuracy of the information produced by the information 
system. Testing of technical IS controls should be performed by an IS 
controls specialist as described in FAM 360. The audit team may work 
with the IS controls specialist by testing user controls and application
controls involving manual follow-up. 

.05: The auditor and the IS controls specialist should understand the 
design of each of the three types of IS controls (general, application, 
and user controls) to the extent necessary to tentatively conclude 
whether these controls are likely to be effective. If they are likely 
to be effective, the auditor should consider specific IS controls in 
determining whether control objectives are achieved in the internal 
control phase. As discussed in AU 314.54, evaluating the design of a 
control involves considering whether the control, individually or in 
combination with other controls, is capable of effectively preventing, 
detecting, and correcting material misstatements. 

.06: If IS controls are not likely to be effective, the auditor, with 
the assistance of the IS controls specialist, should obtain a 
sufficient understanding of control risks arising from information 
systems to: 

* identify types of potential misstatements; 

* consider factors that affect the risks of material misstatement; 

* design tests of controls and substantive procedures; and 

* develop appropriate findings. 

.07: Also, in the internal control phase, the auditor generally should 
understand the design of the effectiveness of manual controls in 
achieving control objectives, including manual controls that may 
mitigate weaknesses in IS controls. If IS controls are not likely to be 
effective due to poor general controls and if manual controls do not 
achieve the control objectives, the auditor should understand the 
design of any application-level IS controls that are intended to 
achieve the control objectives to develop recommendations for improving 
internal controls. 

.08: As discussed in AU 314.117-.120, in some circumstances, such as 
where a significant amount of information is electronically initiated, 
recorded, processed, and reported, it may not be practical or possible 
to reduce detection risk at the relevant assertion level to an 
acceptably low level with audit evidence obtained only from substantive 
procedures. In such circumstances, the auditor should test IS controls 
to obtain evidential matter about the effectiveness of both the design 
and operation of controls to reduce the assessed level of the risks of 
material misstatement. 

275 - Identify Relevant Operations Controls to Evaluate and Test: 

.01: In a financial statement audit, the auditor draws a conclusion 
about the effectiveness of financial reporting (including safeguarding 
and budget) and compliance (including budget) controls. For operations 
controls, the auditor: 

* may evaluate certain operations controls considered relevant (see FAM
275.02-.07); and 

* should evaluate and test operations controls that are relied on in
performing audit procedures (see FAM 275.08). 

Relevant Operations Controls: 

.02: Relevant operations controls are based upon the needs of the 
auditor. The auditor should determine whether the evaluation of 
relevant operations controls will (1) be included in the financial 
audit, (2) become a separate audit, or (3) not be performed but any 
weaknesses noted will be reported to entity management and the IG. In 
making this determination, the auditor may consider the following 
factors: 

* the significance of the operations control to the entity’s 
operations; 

* the time required to identify and test the operations control; 

* available resources; 

* the needs of those charged with governance; and 

* congressional interest. 

.03: The auditor should document the operations controls identified for 
testing, the procedures performed, and the results. 

.04: In the planning phase and throughout the audit, the auditor may 
identify significant areas where the entity would be expected to have 
operations controls. The auditor may become aware of these areas, as 
well as potential deficiencies in operations controls, through: 

* prior audit work; 

* documenting an understanding of entity operations; 

* assessing the risk of material misstatement and deficiencies in 
financial reporting and compliance controls; 

* other audit planning procedures, including any reviews of the FMFIA
documentation prepared by the entity; 

* understanding the cause of misstatements noted; or 

* observing activities during fieldwork. 

.05: In obtaining an understanding of the entity’s operations, the 
auditor typically would have identified areas that are critical to the 
operations. For each of these areas, the entity needs effective operations 
controls. Also, in planning the audit, the auditor may identify 
operations controls that could be evaluated in conjunction with planned 
audit and other procedures. For example, the auditor may evaluate 
whether management considered appropriate order quantities for each 
inventory purchase selected in a test of inventory purchases to avoid a 
buildup of excess inventory. 

.06: The auditor may identify specific risks of material misstatement 
and control deficiencies in planning and performing the audit and in
determining the causes of misstatements requiring audit adjustments. The
auditor should evaluate the implications of those risks and 
deficiencies on the entity’s operations controls if: 

* the effectiveness of a financial reporting or compliance control 
depends on the effectiveness of the operations control; and 

* the auditor plans to rely upon this control during the audit; or 

* the auditor is required to test the control following OMB’s audit
guidance. 

For example, misstatements in inventory records may indicate 
deficiencies in operations controls whose effectiveness depends on
accurate inventory records. This would include the operations controls 
for maintaining proper inventory levels, including detecting theft or 
loss. 

.07: The auditor may find opportunities to recommend improvements to
operations controls and may choose to test the effectiveness of other
operations controls. Such opportunities could come to light while 
visiting the entity's various locations and performing audit 
procedures. 

Operations Controls Relied on in the Audit: 

.08: If any contemplated audit procedure relies on operations controls, 
the auditor should identify and test such controls. For example, assume 
that an auditor is using substantive analytical procedures, based on 
entity-generated “per unit” statistics, to test the reasonableness of 
certain operating costs. The auditor plans to compare such “per unit” 
statistics with published costs incurred by similar operations. The 
auditor should identify and test the entity’s operations controls and 
other types of controls, as appropriate, over the production of these 
internal statistics. 

As discussed in FAM 495 A.21, if the reliability of 
internally-generated data used in substantive tests, such as substantive 
analytical procedures, is dependent on the effectiveness of IS 
controls, the auditor should perform additional procedures before 
relying on the data. The auditor should test, as appropriate, (1) the 
relevant general controls and the specific application level controls 
over the data and/or (2) the data in the report. 

280 - Plan Other Audit Procedures: 

.01: The auditor generally should plan for performing procedures in the
following areas during other phases of the audit. 

Inquiries of Legal Counsel: 

.02: As discussed in AU 337, FAM 550, and FAM 1002, the auditor should 
make inquiries of the entity’s legal counsel and perform other audit 
procedures regarding litigation, claims, and assessments. This is 
necessary to assess potential liabilities and contingencies. Entity 
management and legal counsel may need significant time to gather and 
report necessary information, including the potential need for 
inquiries of Department of Justice legal counsel on a case-specific 
basis. Additionally, for initial audits and changes in personnel, the 
auditor may discuss with management why a legal representation letter 
is needed as part of a financial statement audit. The auditor should 
plan the following procedures, which are described in more detail in AU 
337, for an appropriate time during the audit: 

* making inquiries of entity management regarding their policies and
procedures for identifying, evaluating, and accounting for litigation,
claims, and assessments; 

* obtaining a description and evaluation of all such matters existing 
as of the balance sheet date and through the date of management’s 
response, which should be near the completion of the audit; 

* obtaining evidence regarding internal and external legal counsel used
by the entity and matters handled; and 

* sending letters of audit inquiry to legal counsel. The auditor may 
limit the inquiry to matters that are considered individually or 
collectively material to the financial statements, provided the entity 
and the auditor have reached an understanding and agreement on the 
materiality level. 

Management Representations: 

.03: As discussed in FAM 550, the auditor must obtain a representation 
letter from entity management on specific matters at the completion of 
the audit. Particularly for first year audits, when standards change, 
and when management changes, the auditor should discuss representations 
with management early in the audit to identify and resolve any 
difficulties related to obtaining these representations at the end of 
the audit. Note that for federal government audits, these 
representations include (1) the effectiveness of internal control, (2) 
compliance with laws and regulations, and (3) for CFO Act agencies, 
financial management systems’ substantial compliance with FFMIA 
requirements. Additional guidance on management representations is 
provided in AU 333, AU 801, AT 101, AT 201, AT 501, AT 601, and FAM 
1001. 

Additionally, a summary of uncorrected misstatements (including prior
period misstatements that affect the current financial statements)
aggregated by the auditor should be attached to the letter. FAM 595 C
provides an example summary of uncorrected misstatements. The
representation letter should state management’s belief that the effects 
of the misstatements are immaterial to the financial statements taken 
as a whole, both individually and in the aggregate. 

Related Party Transactions: 

.04: AU 334, FAM 550, and FAM 902 provide guidance on audit procedures 
that the auditor may perform to identify related parties and related 
party transactions as well as examining these transactions for 
appropriate disclosure in the financial statements. During the planning 
phase, the auditor should perform procedures to identify and document 
related parties and the nature of related party transactions that may 
need disclosure in the financial statements and related notes. Such 
information should be distributed to all members of the audit team for 
use in testing related party transactions and identifying any 
additional related parties. 

Sensitive Payments: 

.05: In the planning phase, the auditor should determine whether to 
apply audit procedures to sensitive payments. Sensitive payments 
encompass a wide range of functions, including executive compensation, 
travel, official entertainment funds, unvouchered expenditures, 
consulting services, speaking honoraria and gifts, and executive 
perquisites. For further information, see GAO’s Guide for Evaluating 
and Testing Controls Over Sensitive Payments, GAO/AFMD-8.1.2, 
Washington, D.C.: May 1993. 

Other Planning Issues: 

.06: As stated in GAGAS 4.09, auditors should evaluate whether the 
audited entity has taken appropriate corrective action to address 
findings and recommendations from previous engagements that could have 
a material effect on the financial statements. When planning the audit, 
auditors should ask entity management to identify previous audits, 
attestation engagements, and other studies that directly relate to the 
objectives of the audit, including whether related recommendations have 
been implemented. Auditors should use this information in assessing 
risk of material misstatement and determining the nature, timing, and 
extent of further audit procedures, including determining the extent to 
which testing the implementation of the corrective actions is 
applicable to the current audit objectives. 

The auditor should determine whether any findings and recommendations
from the prior year financial audit need follow-up that would not 
otherwise be evaluated in the current year procedures, such as findings 
at locations that would not otherwise be visited. The auditor should 
determine whether to test the implementation of the recommendation or 
to repeat the finding. 

.07: During planning, the auditor also should apply the additional 
requirements in OMB financial reporting guidance for legal letters, 
management representation letters, and certain agreed-upon procedures. 
OMB audit guidance has specific dates by which interim and updated 
legal letters for specified agencies are to be requested and received, 
specific formats for summarizing the information in the letters, and a 
list of specific officials to whom copies of the letters and summaries 
are to be forwarded. In addition, the guidance indicates that certain 
agreed-upon procedures are to be applied to agency payroll offices and 
that reports are to be submitted to OPM by a specific date. 

285 - Plan Locations to Visit: 

.01: Most federal entities conduct operations, perform accounting 
functions, and retain records at multiple locations. During planning, 
the auditor should evaluate the effect of these multiple locations on 
the audit approach and should consult with a statistician when 
selecting locations. The auditor should develop an understanding of the 
respective locations, including significant accounts and accounting 
systems and cycles/applications. This understanding may be obtained 
centrally or in combination with visits to field locations, as 
appropriate. When planning locations to visit, the auditor should 
evaluate whether certain locations warrant more extensive testing
than others, based on the following factors: 

* Materiality or significance of locations to the overall entity: More 
material locations, particularly those individually generating 
transactions or account balances that exceed design materiality, those
with significant cycles/accounting applications, and/or those with
significant information systems centers may indicate the need for more
extensive testing. 

* The results of the preliminary analytical procedures applied during 
planning: The auditor should follow up on unusual results, possibly 
including on-site testing at specific locations with unusual results. 

* The results and the extent of audit procedures applied in prior years 
by the auditor or others, including the time since significant 
procedures were performed: Problems noted in prior audits, if not 
corrected, could indicate areas of concern for the current audit; the 
applicability of prior evidence ordinarily diminishes with the passage 
of time. 

* The auditor’s preliminary assessment of overall inherent risk at each 
location, including the nature of operations, sensitivity to economic 
conditions, and key management turnover: Locations at which inherent 
risk is high generally warrant more extensive testing than those where 
inherent risk is low. In addition, the inherent risk may be different 
for different accounts and assertions at each location. 

* The auditor’s preliminary assessment of control risk, including the 
control environment, risk assessment, communications, and monitoring: 
Locations at which control risk (particularly concerning the control 
environment, risk assessment, communication, and monitoring) is high 
warrant more extensive testing than those where control risk is low. 

* The auditor’s assessment of the risk of material misstatement due to 
fraud: Locations at which the auditor has assessed a greater risk of 
material misstatement due to fraud warrant more extensive testing than 
those where the auditor has assessed a lower risk of material 
misstatement due to fraud. 

* The auditor’s assessment of the risk of material misstatement: 
Locations at which risk of material misstatement is high warrant more
extensive testing than locations where risk of material misstatement is
low. 

* The extent to which accounting records are centralized: A high degree 
of centralization may enable the auditor to conduct the majority of 
work at the central location, with only limited work at other 
locations. 

* The extent of uniformity of control systems (including information 
systems controls) throughout the entity: The number of locations 
visited is a function of the uniformity of significant control systems. 
For example, if there are two major procurement control systems, the 
auditor generally should test each system to a sufficient extent. Where 
locations develop or modify systems, the auditor may visit more 
locations than for those entities using centrally developed systems 
that cannot be changed locally. 

* The extent of work performed by other auditors: The auditor may use 
work performed by other auditors to reduce or eliminate tests at 
selected locations or to assist in tests of locations not selected. (See
FAM 650.) 

* Special reporting or entity requirements: The auditor should visit 
sufficient locations to meet special needs, such as separate-location
reports. 

* Testing controls at least once every 3 years: The auditor should test 
controls that are properly designed and implemented at least once in 
every third year in an annual audit (AU 318.42). As time elapses from
the time a control is tested, audit evidence provided in the current 
audit period about the operating effectiveness of a control tested in a 
prior period becomes less relevant and reliable. The auditor generally 
should coordinate locations selected to visit with this control testing
requirement. 

* Development of a multiyear test plan: The auditor may develop a 
multiyear test plan to conduct site visits and testing over several 
years when multiple locations exist. 

.02: The auditor should plan the general nature of audit procedures to 
be performed at each location. The extent of testing may vary between
locations, depending on test materiality, control risk, risk of material
misstatement, and other factors. Using common audit programs, audit
documentation formats, and indexes for the various locations visited
makes it easier to plan, review the audit documentation, and combine the
results of all locations or funds to improve effectiveness and 
efficiency. 

.03: The auditor should obtain an understanding of the design of the 
procedures for combining the locations’ financial information to 
prepare the entity’s financial statements. The auditor should 
understand and test these procedures during the audit, including 
controls for adjustments, reclassifications, and eliminations. 

.04: One approach to stratifying locations, selecting locations to 
visit, and selecting individual samples for multiple-location audits is 
presented in FAM 295 C. This method assumes that increased testing is 
not required at any location because of the factors in FAM 285.01. 
Other methods of selecting locations for on-site testing may be used 
with the approval of the reviewer. For example, selecting fewer 
locations but more items to test at each of those locations may be 
appropriate in some instances. Although other methods generally involve 
more testing than the method described in FAM 295 C, the costs of 
performing additional work at fewer locations may be lower. 

.05: The auditor should document the planned locations to visit in the 
audit strategy, multiyear test plan, audit plans, or equivalent 
documents. 

290 - Documentation: 

.01: The auditor must prepare audit documentation in sufficient detail 
to provide a clear understanding of the work performed (including the 
nature, extent, timing, and results of audit procedures performed), 
the audit evidence obtained and its source, and the conclusions reached 
as discussed in AU 339.03. The auditor should prepare audit 
documentation that enables an experienced auditor, having no previous 
connection to the audit, to understand: 

* the nature, extent, and timing of auditing procedures performed to 
comply with GAGAS, including the SASs and applicable attestation 
standards, and applicable legal and regulatory requirements; 

* the results of the audit procedures performed and the audit evidence
obtained; 

* the conclusions reached on significant matters; and 

* whether the accounting records agree or reconcile with the audited
financial statements or other audited information. 

AU 339.12 describes factors that the auditor should consider in 
determining the form, content, and extent of audit documentation. 

.02: In the FAM, each phase of the audit contains a separate section 
that describes audit documentation requirements. The auditor should 
document relevant information as described in FAM 290.03-.09 and update 
these documents to respond to any changes in circumstances during the 
course of the audit. Information that is likely to be useful in future 
audits may be documented in a permanent file. 

.03: The auditor should document the understanding established with the
client. This documentation should include the understandings reached
with congressional requesters, officials of the entity, and those 
charged with governance about the work to be performed, as described in 
FAM 215, and may consist of copies of engagement letters, contracts, and 
other letters used to communicate the understanding. 

.04: In the entity profile or an equivalent document, the auditor should
document the information useful for understanding the entity and its
operations (FAM 220). The auditor should document key elements of the
understanding obtained regarding each of the aspects of the entity and 
its environment identified in FAM 220.02 to assess the risks of material
misstatement of the financial statements, including the sources of
information from which the understanding was obtained. However, the
auditor generally should document internal control separately as 
discussed below and in FAM 390. The auditor may include the information 
in the entity profile in the audit strategy. In this profile the 
auditor generally should briefly document such elements as the entity's 
origin and history, size and location, organization, mission, results 
of prior and current audits, and accounting and auditing 
considerations. The auditor generally should limit the information in 
the entity profile to that which is relevant to planning the audit. This
information may include documents prepared by the entity, such as
historical information or the mission of the entity. If these and other
documents were prepared in prior years, the auditor should update them
for any changes each year. 

.05: In establishing the overall audit strategy, as discussed in AU 
311.13-.14, the auditor should (1) determine the characteristics of the 
engagement that define its scope, such as the basis of reporting and 
locations of the entity, (2) ascertain the reporting objectives of the 
engagement to plan the timing of the audit and the nature of the 
communications required, such as deadlines for interim and final 
reporting and key dates for expected communications with management and 
those charged with governance, and (3) consider the important factors 
that will determine the focus of the audit team efforts, such as 
materiality levels, preliminary identification of material balances, 
locations, and areas where there may be higher risks of material 
misstatement, and other factors as discussed in more detail in AU
311.34 (Appendix A). The audit strategy (formerly referred to as the 
GRA) should include or refer to information on the following areas: 

a. Preliminary analytical procedures and the results of those 
procedures (FAM 225): The auditor should document the following
information: 

* data used and the sources of these data for current-year amounts
and for developing expected amounts, including: 
- the amounts of the financial items, 
- the dates or periods covered by the data, 
- whether the data are audited or unaudited, 
- the person from whom the data were obtained (if applicable), and 
- the source of the information, such as general ledger trial balances,
prior-year audit documentation, or prior-year financial statements; 

* parameters for identifying significant fluctuations from
expectations; 

* explanations for fluctuations from expectations identified and 
sources of those explanations, including the name and title of the
person(s) from whom the explanations were obtained; and 

* the auditor’s conclusion and consideration of the impact of the
results of preliminary analytical procedures on the audit strategy. 

b. Planning and design materiality and tolerable misstatement, 
including the basis for their determination (FAM 230). 

c. Methodology used to assess IS controls (FAM 240): The auditor also 
should document the basis for believing that the methodology is 
appropriate. As discussed in FAM 240.09, GAO auditors should use the
FISCAM as GAO believes it is an appropriate methodology. If the auditor 
uses the same methodology for multiple audits, the audit organization 
may prepare this document once and maintain a central file for 
reference on individual audits. 

d. Significant provisions of laws and regulations (FAM 245). 

e. Relevant budget restrictions (FAM 250). 

f. Level of audit assurance (FAM 260): The auditor should document the 
overall level of audit assurance and the justification for the level 
used. If the level of audit assurance chosen is 95 percent, the auditor
may reference the FAM. 

g. Results of brainstorming discussions about the susceptibility of the 
entity’s financial statements to material misstatement due to error or 
fraud (FAM 260): The auditor should document these discussions, 
including how and when the discussion occurred, the subject matter 
discussed, the audit team members who participated, and significant 
decisions reached concerning planned responses at the financial 
statement and relevant assertion levels. 

h. Assessment of overall inherent risk and the risk factors considered 
in the assessment, including any significant risks requiring special 
audit consideration (FAM 260). 

i. Understanding of the design of each component of internal control 
(control environment, entity’s risk assessment, information and 
communication, and monitoring) to assess the risks of material 
misstatement of the financial statements, including whether an 
ineffective control environment precludes the effectiveness of specific 
control activities (FAM 260): The auditor should document any inherent 
risks or control risks identified at the financial statement level and 
the auditor’s overall responses as discussed in FAM 260.19. The auditor 
should also document inherent and control risks assessed at the 
relevant assertion level arising from the auditor’s understanding of 
the design of control environment, entity’s risk assessment, 
communication and information, and monitoring components of internal 
control and should link them with significant financial statement line 
items and assertions. For each risk identified, the auditor should 
document the (1) nature and extent of the risk, (2) condition(s) that 
gave rise to that risk, and (3) specific cycles, accounts, line items, 
and related assertions affected (if not pervasive). The auditor should 
also document the understanding of the design of the control 
environment, entity’s risk assessment, communication and information, 
and monitoring to assess the risks of material misstatement. In 
addition, the auditor should document procedures performed and 
conclusions reached on whether the design was implemented. For CFO Act 
agencies, the auditor generally should document the entity’s basis for 
its determination of substantial compliance of its systems with FFMIA 
requirements. (FAM 390 discusses documentation of the auditor’s 
understanding of the design of control activities for assessing the 
risks of material misstatement. FAM 490 discusses documentation of 
substantive audit procedures to respond to the risks of material 
misstatement.) 

j. Fraud risks (FAM 260). The auditor should document (also see FAM
290.08): 

* specific fraud risks (categorized by type of misstatement and by
incentive/pressure, opportunity, and attitude/rationalization) that
were identified and the assessment of those risks; 

* if the auditor did not consider improper revenue recognition to
represent a fraud risk, the reasons supporting that conclusion; 

* consideration of the risk of management override of controls; and

* the auditor’s response to the assessed fraud risks. (See FAM 590.) 

k. Effects of information systems (IS) (FAM 270): The auditor should 
document, either separately or as part of the assessments above: 

* a basic understanding of the design of the information system aspects 
of the entity’s financial management, including the significance to the 
entity (FAM 220); 

* whether the design has been implemented; 

* the inherent risks arising from information systems (FAM 260.22); 

* the impact of information systems on the design of the control 
environment, entity’s risk assessment, communication and information, 
and monitoring (FAM 260.56-.57); and

* tentative conclusions on the likelihood that information controls and 
any compensating controls such as manual controls, reviews, or 
reconciliations are operating effectively (FAM 270). 

When the auditor prepares documentation of the above information, the
IS controls specialist generally should review and agree with the
content. The director and assistant director, as part of their reviews 
of the audit strategy, should concur with the tentative conclusions on 
the likelihood that IS controls are operating effectively. If the 
auditor determines that IS controls are not likely to be effective, the 
auditor should document supporting evidence and generally should report
these findings as discussed in FAM 580. Due to the sensitive nature of
security issues related to information systems, the auditor may include
the details of these issues in a nonpublic report. 

l. Operations controls to be tested, if any (FAM 275). 

m. Other planned audit procedures (FAM 280). 

n. Locations to be visited (FAM 285): This information includes: 

* the locations selected; 

* the basis for selections; 

* the nature and timing of procedures planned for each location; 

* the determination of the number of items for testing and the 
allocation of those items among the selected locations (this may be
initially discussed and estimated and later refined when the sample
is selected, particularly for a statistical sample); 

* the multiyear rotation plan, including how the plan was developed
and meets auditing standards for a rotation plan; and

* other procedures applied. 

o. Staffing requirements. 

p. Audit timing, including milestones and the estimated date of the
auditor’s report. 

q. Extent of assistance from entity personnel. 

.06: The cycle matrix or equivalent links each of the entity’s accounts 
in the trial balance to a cycle, an accounting application, and a 
financial statement line item or RSSI (FAM 240.06). The auditor may 
include this information in the ARA or equivalent in lieu of a separate 
document. 

.07: The ARA or equivalent contains the audit plan for each significant 
line item and account and identifies significant line items, 
assertions, and cycles/accounting applications (FAM 235 and FAM 240, 
respectively) and the related risks of material misstatement at the 
assertion level as discussed in AU 314.102 and AU 314.117. The auditor 
should also summarize and document the specific risks of material 
misstatement, other than pervasive risks, including the inherent, 
fraud, and control risk factors, for use in determining the nature, 
extent, and timing of audit procedures. The auditor may also include 
insignificant accounts in each line item ARA or equivalent, indicating 
their insignificance and the consequent lack of audit procedures 
applied to them. In these instances, the cycle matrix or equivalent 
need not be prepared. 

.08: Fraud risk assessments (FAM 260): This information includes: 

* the brainstorming meeting(s) about potential fraud risks, including 
how and when the discussion(s) occurred, the audit team members who
participated, and the general matters discussed; 

* the procedures performed to obtain information about, identify, and
assess fraud risks; 

* any other significant procedures performed or other significant 
matters related to the auditor’s consideration of fraud (and any 
significant abuse); 

* the effect of fraud risk on the audit strategy; and

* changes to fraud risk assessment during the audit. 

.09: As discussed in AU 311.19, the auditor must develop an audit plan 
in which the auditor documents the audit procedures to be used, that 
when performed, are expected to reduce audit risk to an acceptably low 
level. The following summarizes what the audit plan should include with 
the related FAM documentation in parentheses. 

* The nature, extent, and timing of planned risk assessment procedures
sufficient to assess the risks of material misstatement (included in
portions of the audit strategy, ARA, and Specific Control Evaluation
(SCE) worksheets or equivalent documents prepared following the FAM). 

* A description of the nature, extent, and timing of planned further 
audit procedures at the relevant assertion level for each material 
class of transactions, account balances, and disclosure. The plan for 
further audit procedures reflects the auditor’s decision of whether to 
test the operating effectiveness of controls, and the nature, extent, 
and timing of planned substantive procedures (included in the ARA and 
related specific audit plans for each specific area of the audit 
prepared following the FAM). 

* A description of other audit procedures to be carried out for the 
engagement to comply with U.S. GAGAS, including U.S. GAAS for these
audits. For example, including an overview in the audit strategy with
details in related audit plans for specific areas of the audit. 

The audit completion checklist (see FAM 1003) also summarizes 
documentation of auditor compliance with GAGAS and the FAM. 

.10: Other auditor considerations may arise where other auditors plan to
use the work being performed as discussed in FAM 650, especially in 
areas where the auditor makes decisions using significant auditor 
judgment. In these cases, the auditor should consider the needs of, and 
consult with, other auditors in a timely manner. If the auditors plan 
to deviate from a policy or procedure expressed by use of “should” in 
the FAM, they should provide an opportunity for the other auditors to 
review the documentation of the reasons explaining these deviation 
decisions and the alternative procedures performed to achieve the 
requirement. 

.11: As audit work is performed, the auditor may become aware of possible
control deficiencies, significant deficiencies, material weaknesses, 
noncompliance with laws and regulations, misstatements, or other matters
that should be communicated to the federal entity under audit, to the 
IG if the auditor is a contractor, and to those charged with 
governance. A structured method to document these issues aids in 
communicating them to the audit team, entity management, and others 
soon after their discovery. 

The auditor may document elements of potential findings, such as the
nature of the condition and, if appropriate, the applicable criteria, 
cause, potential effect, and any recommendations for improvement 
throughout the audit. These elements and related reporting are 
discussed in GAGAS paragraphs 4.14-4.18 and in FAM 580. The auditor may 
discuss these matters with entity management as the conditions are 
identified to timely inform them and to provide assurance that 
information is accurate and complete, rather than waiting until the 
exit conference. 

295 A - Potential Inherent Risk Conditions: 

.01: The specific conditions listed below may indicate the presence of 
inherent risks, some of which may also be fraud risks. Some of these 
may affect many accounts and assertions; others may affect only one 
account or assertion. This section assists the auditor in considering 
each of the inherent risk factors described in FAM 260.21 and the fraud 
risk factors described in FAM 260.30 relating to industry conditions, 
operating conditions, financial stability, and susceptibility of assets 
to misappropriation, although it is not all inclusive. The auditor 
should evaluate any other relevant factors and conditions. 

.02: Nature of the Entity’s Programs and Operations: 

* Programs are significantly affected by new/changing governmental
regulations, economic factors, and/or environmental factors. 

* Contentious or difficult accounting issues are associated with the
administration of a significant program(s). 

* Major uncertainties or contingencies, including long-term 
commitments, relate to a particular program(s). 

* New (in existence less than 2 years) or changing (undergoing 
substantial modification or reorganization) programs lack written
policies or procedures, lack adequate resources, have inexperienced
managers, and generally have considerable confusion associated with
them. 

* Programs that are being phased out (being eliminated within 1 or 2
years) lack adequate resources, personnel motivation, and/or interest. 

* Significant programs have a history of improper administration,
affecting operating activities. 

* Significant programs have a history of inadequate financial 
management causing management to resort to extensive, costly, 
time-consuming, ad hoc efforts to prepare financial statements by the
required deadline. 

* Management faces significant pressure to obtain additional funding
necessary to stay viable and maintain levels of service considering the
financial or budgetary position of a program, including the need for
funds to finance major research and development or capital
expenditures. 

* Management faces significant pressure to “use or lose” appropriated
funds in order to sustain future funding levels. 

* Partisan politics between competing political parties or factions or
constituent groups create conflict and a lack of stability within the
entity or programs. 

* Unusually rapid growth occurs in a program. 

* Economic conditions are deteriorating among the group served by the
entity. 

.03: History of Significant Audit Adjustments: 

* The underlying cause of significant audit adjustments continues to
exist. 

.04: Nature of Material Transactions and Accounts: 

* New types of transactions exist. 

* Significant related and/or third party transactions exist. 

* Classes of transactions or accounts are: 
- difficult to audit; 
- subject to significant management judgments (such as estimates); 
- susceptible to manipulation, loss, or misappropriation; 
- susceptible to inappropriate application of an accounting policy; and
- susceptible to problems with realization or valuation. 

* Accounts have complex underlying calculations or accounting
principles. 

* Accounts where underlying activities, transactions, or events are
operating under severe time constraints. 

* Significant interagency transactions or revenue sources create 
incentives to shift costs or otherwise manipulate accounting 
transactions. 

* Accounts where activities, transactions, or events involve the 
handling of unusually large cash receipts, cash payments, or wire 
transfers. 

* Inventory or equipment have characteristics such as small size, high
value, high demand, marketability, or lack of ownership identification
that make them easily converted to cash (for example, pharmaceutical
inventory or military equipment with high street values). 

* Assets such as food stamps, benefits vouchers, commodities, supplies,
or materials are easily converted to cash. 

* Assets such as cars, computers, and telephones are susceptible to
personal, nonprogram/nongovernment use. 

* Many payments are sent to post office boxes. 

* Large numbers of payments are sent to outside recipients, as in the
cases of grants, medical care reimbursements, or other federal financial
assistance. 

295 B - Potential Control Environment, Risk Assessment, Communication, 
and Monitoring Weaknesses: 

.01: The specific conditions listed below may indicate risks of material
misstatement because of control environment, entity’s risk assessment,
communication, and monitoring weaknesses, as well as potential fraud
risk. The auditor may use this section when separately evaluating the
design of the control environment, entity’s risk assessment, 
communication, and monitoring components described in FAM 
260.47-.55.[Footnote 26] The auditor also may evaluate any other relevant 
factors and conditions. Appendix B of AU 314 provides additional 
guidance for understanding these components of internal control. The 
auditor may also refer to GAO’s Internal Control Management and 
Evaluation Tool (GAO-01-1008G, August 2001) for additional and more 
detailed examples of internal control components. The auditor may 
evaluate these factors for the entire entity or by location. 

Control Environment: 

.02: Communication and Enforcement of Integrity and Ethical Values: 

* Management and those charged with governance[Footnote 27] have not 
established, exhibited, and communicated throughout the entity an 
appropriate “tone at the top,” including explicit guidance about what 
is right and wrong. 

* Management and those charged with governance have not established a
formal code of conduct or other policies regarding acceptable 
practices, conflicts of interest, or expected standards of ethical
behavior. 

* Employees do not understand what behavior is acceptable or 
unacceptable, or what to do if they encounter improper behavior. 

* Management covers up bad news rather than making full disclosure as
quickly as possible. 

* Management does not quickly address signs that problems exist. 

* Management and employees feel pressure to cut corners or not follow
established controls. 

* High decentralization leaves top management unaware of actions taken 
at lower organizational levels and thereby reduces the chances of 
detecting errors and fraud. 

* Everyday dealings with employees, auditors, the public, oversight 
groups, and others are not generally based on honesty and fairness (for
example, overpayments received or supplier underpayments are ignored, 
or efforts are made to find a way to reject legitimate claims). 

* Penalties for improper behavior are insignificant or unpublicized and
thus lose their value as deterrents. 

* Management has displayed a loose attitude toward internal control, for
example, by not providing guidance on when intervention is allowed or 
not investigating and documenting deviations from controls. 

* Management and employees feel pressure to meet performance targets or 
deadlines that are unrealistic. 

* Management is under undue pressure from the administration to attain 
an unqualified opinion on the financial statements, despite significant
internal control weaknesses. 

* Management displays lack of candor in dealing with those charged with
governance, oversight committee staff, recipients of the entity’s 
services, or auditors regarding decisions that could have an impact on
the entity. 

* Management does not respond to internal and external auditors’
recommendations to strengthen internal control. 

* Management has strained relationships with the IG and/or its current 
or predecessor external auditors. 

* Management does not encourage and consider employee suggestions. 

.03: Commitment to Competence: 

* Management has not analyzed jobs to determine the knowledge and
skills needed. 

* Employees do not seem to have the knowledge and skills they should
have to do their jobs, based on the level of judgment necessary. 

* Supervision of employees does not compensate for lack of knowledge
and skills in their specific jobs. 

* Inexperienced and/or incompetent accounting personnel are responsible 
for transaction processing. 

* The number of supervisors is inadequate or supervisors are 
inaccessible. 

* Key financial staff have excessive workloads. 

.04: Management’s Philosophy and Operating Style: 

* Management lacks concern about internal control and the environment
in which specific controls function. 

* Management demonstrates an aggressive approach to risk taking. 

* Management demonstrates an aggressive approach to accounting 
policies. For example, significant changes in allowances for 
uncollectible accounts that may be tied to performance measures in an
effort to improve collections. 

* Management has a history of completing significant or unusual 
transactions near year-end, including transactions with related 
parties. 

* Management makes numerous adjusting journal entries, especially at 
year end. 

* The process of preparing the financial statements is complex and 
includes many reclassifications and last-minute changes. 

* Management is reluctant to (1) consult auditors/consultants on 
accounting issues, (2) adjust the financial statements for 
misstatements, or (3) make appropriate disclosures. 

* Management displays a significant disregard for regulatory, legal, or
oversight requirements or for IG, GAO, congressional authorities, or
others charged with governance. 

* Top-level management lacks the financial experience/background
necessary for the positions held. 

* Management is slow to respond to crisis situations in either operating
or financial areas. 

* Management uses unreliable and inaccurate information to make
business decisions. 

* Unexpected reorganization or replacement of management staff or
consultants occurs frequently. 

* Management and personnel in key areas (such as accounting, 
information systems, IG, and internal auditing) have a high turnover. 

* Individual members of top management are unusually closely identified
with specific major projects. 

* Management has publicly disclosed overly optimistic information on
performance of programs and activities. 

* Financial estimates consistently prove to be significantly overstated 
or understated. 

* Obtaining adequate audit evidence is difficult due to a lack of 
documentation and evasive or unreasonable responses to inquiries. 

* Financial arrangements/transactions are unduly complex. 

* Lack of interaction of adequate frequency between senior management
and operating management, particularly with geographically dispersed
locations. 

* Management attitude toward information systems and accounting 
functions is that these are necessary “bean counting” functions rather
than a vehicle for exercising control over the entity’s activities or
making better decisions. 

* Management is motivated to engage in fraudulent financial reporting
because of substantial political pressure that creates undue concern
about reporting positive financial accomplishments. 

* Management is dominated, either entitywide or at a specific 
component, by a single person or small group without compensating
controls, such as effective oversight by the IG, GAO, congressional
committees, or others charged with governance. 

* One or more individuals with no apparent executive position(s) within
the entity appear(s) to exercise substantial influence over its affairs 
or over individual departments or programs (for example, a major 
political donor or fund-raiser). 

* Management has significant grantee, cooperative agreement, or 
contractor relationships for which there appears to be no clear
programmatic or governmental justification. 

* Management appears more concerned with an unqualified opinion on the 
financial statements than fixing significant deficiencies in its 
systems. 

* Management has difficulty meeting reporting deadlines. 

.05: Organizational Structure: 

* The organizational structure is inappropriate for the entity’s size 
and complexity. General types of organizational structures include: 
- federal centralized (managed and controlled on a day-to-day basis by
a centralized federal entity system), 
- federal decentralized (managed and controlled on a day-to-day basis
by federal entity field offices or staffs), 
- participant administered (managed and controlled on a day-to-day
basis by a nonfederal organization), and
- other (managed and controlled on a day-to-day basis by some
combination of the above or by other means). 

* The structure inhibits segregation of duties for initiating 
transactions, recording transactions, and maintaining custody over 
assets. 

* Management has difficulty in determining the organization or
individual(s) that control(s) the entity, parts of the entity, or 
particular programs. 

* Recent changes in the management structure disrupt the organization. 

* Operational responsibilities do not coincide with the divisional
structure. 

* Delegation of responsibility and authority is inappropriate. 

* A lack of definition and understanding of delegated authority and
responsibility exists at all levels of the organization. 

* Policies and procedures are established at inappropriate levels. 

* A high degree of manual activity or spreadsheet use is required in
capturing, processing, and summarizing data to prepare financial 
statements. 

* A single person or a small group dominates activities. 

* Entity officials could obtain financial or other benefits on the 
basis of decisions made or actions taken in an official capacity. 

.06: Assignment of Authority and Responsibility: 

* The entity’s policies are inadequate regarding the assignment of
responsibility and the delegation of authority for such matters as
organizational goals and objectives; operating functions; and regulatory
requirements, including responsibility for information systems and
authorizations for changes. 

* Appropriate control-related standards and procedures are lacking. 

* The number of people, particularly in information systems and 
accounting, with requisite skill levels relative to the size and 
complexity of the operations is inadequate. 

* Delegated authority is inappropriate in relation to the assigned
responsibilities. 

* Appropriate system of authorization and approval of transactions (for
example, in purchasing, grants, and federal financial assistance) is
lacking. 

* Policies are inadequate regarding physical safeguards over cash,
investments, inventory, and fixed assets. 

.07: Human Resource Policies and Practices: 

* Human resource policies for hiring and retaining capable people are
inadequate. 

* Policies and procedures for hiring, promoting, transferring, 
retiring, and terminating personnel are inadequate. 

* Training programs do not adequately offer employees the opportunity
to improve their performance or encourage their advancement. 

* Written job descriptions and reference manuals are inadequate or
inadequately maintained. 

* Communication of human resource policies and procedures at field
locations is inadequate. 

* Policies on employee supervision are inappropriate or obsolete. 

* Management does not take remedial actions in response to departures
from approved policies and procedures. 

* Employee promotion criteria and performance evaluations are 
inadequate in relation to the code of conduct. 

* Management does not adequately screen job applicants who will have
access to assets susceptible to misappropriation. 

* Training is inadequate regarding controls over payments to others, 
such as for benefits, grants, and federal financial assistance. 

* Employees performing key control functions do not take vacations. 

* Management does not reassign work of key employees on vacation. 

.08: Management’s Control Methods over Budget Formulation and 
Execution: 

* Management provides little or no guidance material and instructions to
those preparing the budget information. 

* Management and employees do not understand the budget review, 
approval, and revision process. 

* Management demonstrates little concern for reliable budget 
information. 

* Management participation in directing and reviewing the budget 
process is inadequate. 

* Management is not involved in determining when, how much, and for
what purpose obligations and outlays can be made. 

* Management has not developed adequate planning and reporting systems 
that set forth management’s plans and the results of actual 
performance. 

* Employees use inadequate methods to identify the status of actual
performance and exceptions from planned performance and communicate 
them to the appropriate levels of management. 

* The entity has reported noncompliance, including violations of the
Antideficiency Act, and purpose, time, or other budget-related 
restrictions. 

.09: Management’s Control Methods over Compliance with Laws and
Regulations: 

* Management is unaware of the applicable laws and regulations and
potential problems. 

* A mechanism to inform management of the existence of illegal acts
does not exist. 

* Management neglects to react to identified instances of noncompliance
with laws and regulations. 

* Management is reluctant to discuss its approach toward compliance
and the reasonableness of that approach. 

* Recurring public complaints have been received through “hotline”
allegations. 

* FMFIA reports; congressional reports; consultants’ reports; and prior
audits/evaluations by GAO, the IG, internal audit, or others disclose
repeated instances of noncompliance or compliance control deficiencies. 

* Management is reluctant to provide evidential matter necessary to
evaluate whether noncompliance with laws and regulations has occurred. 

* Management is not responsive to changes in legislative or regulatory
bodies’ requirements. 

* Policies and procedures for complying with laws and regulations are
weak. 

* Policies on such matters as acceptable business practices, conflicts 
of interest, and codes of conduct are weak. 

* Management does not have an effective legal counsel. 

.10: Participation of Those Charged with Governance (Including 
Oversight Groups, Such as Congressional Committees): 

* Those charged with governance, such as oversight groups or 
congressional committees, demonstrate little concern about controls
and how and when management addresses internal and external auditors’ 
recommendations. 

* Those charged with governance have little involvement in and scrutiny
of activities. 

* Little interaction occurs between those charged with governance and 
the IG and internal and external auditors. 

* Those charged with governance demonstrate little concern for 
compliance with applicable laws, regulations, and contractual 
requirements. 

Entity’s Risk Assessment Process: 

.11: Setting Objectives: 

* Management has not established or communicated its overall objectives 
to employees or those charged with governance, such as oversight 
committees. 

* Management does not have a strategic plan, or the strategic plan is 
not consistent with the entity’s objectives. 

* The strategic plan does not address high-level resource allocations 
and priorities. 

* The strategic plan, budgets, and/or objectives are inconsistent. 

* Management has not established activity-level objectives for all 
significant activities, or the objectives are inconsistent with each 
other or with the overall objectives. 

* Objectives do not include measurement criteria. 

.12: Identifying and Analyzing Risks: 

* Management does not have a formal risk assessment process. 

* For financial reporting purposes, management has not identified risks
relevant to the preparation of the financial statements in accordance
with U.S. GAAP. Risks relevant to reliable financial reporting also 
relate to specific events or transactions. See AU 314.126, Appendix B,
paragraph B6, for examples of circumstances that could cause risks
relevant to financial reporting to arise or change, such as (1) changes 
in the operating environment, (2) new personnel, (3) new or revamped
information systems, (4) rapid growth, (5) new technology, (6) new
programs, activities, business models or products, (7) restructuring or
reorganization, (8) expanded or new foreign operations, and (9) new
accounting pronouncements. 

* Management has not adequately identified risks to the entity’s 
ability to comply with laws and regulations, including maintaining 
effective controls over compliance with laws and regulations. 

* Management has not adequately identified risks to the entity’s 
ability to prevent and detect fraud. 

* Management has not adequately identified risks to achieving the 
entity’s objectives arising from external sources, including economic
conditions, the President, the Congress, OMB, and the media. 

* Management has not adequately identified risks arising from internal
sources, such as human resources (ability to retain key people) or 
information systems (adequacy of backup systems in the event of systems 
failure). 

* Once risks are identified, management has not adequately analyzed the
risks, including whether controls are adequate to manage the risks,
estimating the significance of risks, assessing the likelihood of their
occurring, and determining needed actions to manage these risks. 

.13: Managing Change: 

* The mechanisms for identifying and communicating events, activities,
and conditions that affect operations or financial reporting objectives
are insufficient. 

* Accounting systems and/or information systems are not modified in
response to changing conditions. 

* No consideration is given to designing new or alternative controls in
response to changing conditions. 

* Management is unresponsive to changing conditions. 
 
Information System, Including the Related Business Processes Relevant 
to Financial Reporting, and Communication: 

.14: Internal Communication: 

* The system for communicating policies and procedures is ineffective. 

* Formal or informal job descriptions do not adequately delineate 
specific duties, responsibilities, reporting relationships, and 
constraints. 

* Channels of communication for reporting suspected improprieties are
inappropriate. 

* Management fails to display and communicate an appropriate attitude
regarding internal control. 

* Management is not effective in communicating and supporting the 
entity’s accountability for public resources and ethics, especially
regarding matters such as acceptable business practices, conflicts of
interest, and codes of conduct. 

* Management is not receptive to employee suggestions of ways to 
enhance productivity and quality or control. 

* Communication across the organization (for example, between 
procurement and program activities) is inadequate to enable people to
discharge their responsibilities effectively. 

.15: External Communication: 

* Channels of communication with suppliers, contractors, recipients of
program services, customers, and other external parties are not open
and effective for communicating information on changing needs. 

* The entity’s web site is not used as an effective communication tool. 

* Outside parties have not been made aware of the entity’s ethical
standards. 

* Management does not appropriately follow up on information received 
in communications from program service recipients, vendors, regulators, 
or other external parties. 

Monitoring of Controls: 

.16: Ongoing Monitoring: 

* Management is not sufficiently involved in reviewing the entity’s
performance or its controls. 

* Management control methods are inadequate to investigate unusual or
exceptional situations and to take appropriate and timely corrective
action. 

* The entity does not have an effective hotline for reporting fraud,
violations of laws and regulations, and control deficiencies. 

* The entity does not have an effective internal audit function. 

* Management’s follow-up action is untimely or inappropriate in 
response to communications from external parties, including complaints,
notification of errors in transactions with parties, and notification of
inappropriate employee behavior. 

* Management does not review whether periodic comparisons of amounts 
recorded in the accounting system with physical assets are performed on 
a timely basis and any differences are resolved timely. 

* Management does not monitor whether reviews to prevent large numbers 
of duplicate payments and other improper payments are performed on a 
timely basis. 

* Management does not effectively monitor that policies for developing
and modifying accounting systems and control activities are reviewed
on a systematic basis. 

* Management does not monitor the legal (or other appropriate) 
department’s oversight of compliance with the entity’s code of conduct,
which may include employees’ periodic acknowledgment of compliance. 

* Management does not adequately monitor whether significant activities
that have been outsourced to contractors or information systems 
components maintained by contractors are reviewed on a timely basis. 

.17: Separate Evaluations under FMFIA, OMB Circular No. A-123, and
FFMIA: 

* Management displays a disregard for complying with the FMFIA and OMB 
Circular No. A-123 process, reports, results, and follow-up. 

* Management displays a disregard for complying with or a combative 
attitude toward the FFMIA process, reporting, results, and follow-up. 

* Employees without appropriate skills manage or perform FMFIA and OMB 
Circular No. A-123 reviews and FFMIA assessments. 

* Management did not establish an organizational structure to 
effectively implement, direct, and oversee the assessment process, 
including FFMIA assessments. OMB Circular No. A-123 suggests a senior
management council and a senior assessment team or equivalent 
structures. The oversight of the assessment process may also be 
incorporated into existing offices or functions within the organization
that currently monitor the effectiveness of the organization’s internal
control. 

* Management did not effectively evaluate controls at the entity level 
and consider the components of internal control as defined in OMB 
Circular No. A-123, GAO’s Standards for Internal Control in the Federal
Government, or the requirements of FFMIA. 

* Management did not use a reasonable approach to determine the scope
of the assessment. The scope of the assessment would include 
identifying significant financial reports and key processes, controls,
and/or transactions. 

* Management did not adequately evaluate and document the key processes 
and controls required by OMB Circular No. A-123, Appendix A, including 
documentation of decisions on determining the scope, materiality, 
testing methodology, and other significant decisions related to this 
assessment. 

* Management did not use a reasonable approach to determine what, when, 
where, and how to test the key controls, and the tests and results
were not properly documented. 

* Management did not use the results of its testing to support its 
conclusion on whether internal controls over financial reporting were
properly designed and operating effectively. 

* Management’s assurance statement did not appropriately describe any
scope limitation and was not consistent with the evidence gathered
during the testing process, including information gathered during the
financial statement audit. 

* Management does not have plans in place or a process to continue 
assessing controls in accordance with OMB Circular No. A-123, Appendix 
A. 

* Management does not have a process in place for prompt and proper 
implementation of corrective actions to resolve deficiencies in internal
controls, including material weaknesses. 

* Auditors note weaknesses that were not included in FMFIA and FFMIA
reports. 

.18: Reporting Deficiencies: 

* The entity does not have a mechanism for capturing and reporting 
identified internal control deficiencies from both internal and external
sources resulting from ongoing monitoring or separate evaluations. 

* The entity does not report deficiencies to the person with direct 
responsibility and to a person at least one level higher or to more 
senior management. 

* Management does not correct deficiencies timely. 

* Management does not investigate underlying causes of problems. 

* Management does not follow up to determine whether the necessary
corrective action has been taken. 

.19: The Effectiveness of Other Auditors[Footnote 28]: 

* Auditors are responsible for making operating decisions or for 
controlling other original accounting work subject to audit. 

* Audit management personnel are inexperienced for the tasks assigned. 

* Auditors have minimal training, including little or no participation 
in formal courses and seminars and inadequate on-the-job training. 

* Auditors have inadequate resources to effectively conduct audits and
investigations. 

* Audits are not focused on areas of highest exposure to the entity. 

* Standards against which the auditor’s work is measured are minimal or
nonexistent. 

* Performance reviews of audit staff are nonexistent or irregular. 

* The audit planning process is nonexistent or inadequate, including 
little or no concentration on significant matters and little or no 
consideration of the results of prior audits and current developments. 

* Supervision and review procedures are nonexistent or inadequate,
including little involvement in the planning process, in monitoring
progress, and in reviewing conclusions and reports. 

* Audit documentation, such as audit strategy, audit plans/procedures,
evidence of work performed, and support for audit findings, is 
incomplete. 

* An inadequate mechanism is used to keep the entity head, the Congress
and others charged with governance informed about problems, 
deficiencies, and the progress of corrective action. 

* Audit coverage over payments made by others, such as state or local
governments, for benefits, grants, and federal financial assistance is
inadequate. 

* The auditor does not adequately review computer general and 
application controls. 

* The auditor does not use appropriate tools, such as audit software and
sampling. 

* The audit organization does not have an adequate quality control
system, including monitoring. 

* The audit organization does not have a peer review every 3 years. 

295 C - An Approach for Multiple-Location Audits: 

.01: This section provides one approach for stratifying the locations 
and selecting the samples for multiple-location audits. This method 
assumes that the auditor has determined that it is not practical to 
make a centralized selection, that the auditor is not using a rotation 
plan, and that the auditor identifies locations to be tested each year 
because of specific risks of material misstatement (inherent or control 
risks). Other methods of selecting locations for on-site testing may be 
used with the approval of the reviewer. The auditor should consult with 
a statistician when selecting locations. 

Stratifying the Locations: 

.02: Unless the auditor uses a monetary-unit sampling (MUS) method that
automatically stratifies the population by the dollar amount of 
transactions, the auditor stratifies the locations by separating them 
into an appropriate number of relatively homogeneous groups or strata.
Stratification can improve the efficiency of the sample result through
reducing the uncertainty of the estimate by grouping items together that
are expected to behave similarly with respect to the audit measure 
(usually misstatements). Stratification can also be used to provide 
items of special interest additional coverage in the sample. The 
stratification may be based on relative size or qualitative factors, 
such as risk of material misstatement. Criteria for stratifying may 
include estimates of one or more of the following relative factors: 

* the dollar amount of assets; 

* the dollar amounts of revenue and expenses incurred or processed at
the location; 

* the number of personnel, where payroll costs are significant; 

* the dollar amount of appropriations; 

* a concentration of specific items (such as a stratum consisting of
significant inventory storage locations, of which those selected will
undergo only inventory procedures); 

* the nature and extent of inherent and control risk, including fraud 
risk and sensitive matters or the turnover of key management; and 

* special reporting requirements, such as separate reports, special
disclosures, or supplementary schedules. 

.03: For example, the auditor may stratify locations, based on the 
amount of total assets, into the following strata: (1) individually 
material locations (top stratum), (2) relatively significant locations 
(intermediate stratum), and (3) relatively insignificant locations 
(bottom stratum). If an entity has 100 locations and if the auditor 
determines that total assets is the relevant criterion for stratifying 
locations, the first three columns of table FAM 295 C.1 may represent 
an acceptable stratification. 

Selecting Locations: 

.04: The auditor may select locations for on-site testing using one of 
the following methods for each stratum: 

* MUS or classical variables sampling method using a multistage 
approach. 

* Another sampling method the auditor expects will be representative. 
The auditor should consult with a statistician if classical variables
sampling or another representative sampling method is used. 

* Nonrepresentative (nonsampling) selection method when the auditor
determines that it is effective to select locations on a 
nonrepresentative basis and to apply substantive analytical procedures 
and/or other substantive tests to locations that are not tested 
on-site. 

These methods are described in more detail in FAM 480. 

.05: Table FAM 295 C.1 illustrates a possible MUS sample for each 
stratum, using design materiality of $3 million, no expected 
misstatement, and 95 percent assurance. For an MUS sample, the sampling 
interval would be $1 million, and the preliminary estimate of the 
sample size would be 100 ($100 million divided by $1 million). FAM 400 
provides additional information on calculating the amounts in the table 
and the various selection methods. 

Table FAM 295 C.1: Example of MUS Sampling: 

Stratum: Top; 
Number of locations: 5; 
Assets: $70,000,000; 
Preliminary estimate of sample size[A]: 70; 
Actual number of locations tested[B]: 5. 

Stratum: Intermediate; 
Number of locations: 85; 
Assets: $29,000,000; 
Preliminary estimate of sample size[A]: 29; 
Actual number of locations tested[B]: 29. 

Stratum: Bottom; 
Number of locations: 10; 
Assets: $1,000,000; 
Preliminary estimate of sample size[A]: 1; 
Actual number of locations tested[B]: 1. 

Stratum: Total; 
Number of locations: 100; 
Assets: $100,000,000; 
Preliminary estimate of sample size[A]: 100; 
Actual number of locations tested[B]: 35. 

[A] The preliminary estimate of sample size is computed by dividing the 
total balance by the sampling interval of $1,000,000. Refer to FAM 400 
for additional information concerning sampling. 

[B] The actual number of items tested in the top stratum may be fewer 
than the preliminary estimate of sample size because a top stratum 
selection may include more than one sample item. For example, if the 
implicit sampling interval is $1,000,000, a $10 million selection would 
include 10 sample items. 

[End of table] 
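The arithmetic behind table FAM 295 C.1, as an added example in Python that is not part of the FAM: systematic monetary-unit selection applied to each stratum, showing why 70 sample items in the top stratum collapse into 5 locations tested. The per-location asset amounts are constructed to match the stratum totals, and the confidence factor of 3.0 (Poisson, 95 percent assurance, no expected misstatement) is an assumption, since this section states only the resulting $1 million interval.

```python
"""MUS selection of locations by stratum, reproducing table FAM 295 C.1."""
import math
import random
from bisect import bisect_left
from itertools import accumulate

# Constructed location asset balances (whole dollars); only the stratum
# counts and totals come from table FAM 295 C.1.
STRATA = {
    "Top": [30_000_000, 15_000_000, 12_000_000, 8_000_000, 5_000_000],
    "Intermediate": [300_000] * 60 + [440_000] * 25,
    "Bottom": [100_000] * 10,
}


def confidence_factor(assurance):
    """Poisson factor for zero expected misstatement (assumption of this example)."""
    return round(-math.log(1.0 - assurance), 1)


def sampling_interval(design_materiality, assurance):
    """Sampling interval in whole dollars: design materiality / confidence factor."""
    return round(design_materiality / confidence_factor(assurance))


def systematic_hits(amounts, interval, rng):
    """Pick every interval-th dollar after a random start and return, for each
    selected dollar, the index of the location that contains it."""
    cumulative = list(accumulate(amounts))
    start = rng.randint(1, interval)
    selected_dollars = range(start, cumulative[-1] + 1, interval)
    # Location i holds dollars (cumulative[i-1], cumulative[i]].
    return [bisect_left(cumulative, dollar) for dollar in selected_dollars]


def select_locations(strata, interval, seed=0):
    """Run the selection per stratum and summarise it like the table's columns."""
    rng = random.Random(seed)
    summary = {}
    for name, amounts in strata.items():
        hits = systematic_hits(amounts, interval, rng)
        summary[name] = {
            "locations": len(amounts),
            "assets": sum(amounts),
            "sample_items": len(hits),            # preliminary estimate [A]
            "locations_tested": len(set(hits)),   # actual locations [B]
        }
    return summary


if __name__ == "__main__":
    interval = sampling_interval(3_000_000, 0.95)
    print(f"sampling interval: ${interval:,}")
    for name, row in select_locations(STRATA, interval).items():
        print(f"{name:<13}{row['locations']:>4}{row['assets']:>13,}"
              f"{row['sample_items']:>5}{row['locations_tested']:>5}")
```

Because every top-stratum location is at least as large as the interval, each is certain to be selected, and several sample items fall in the same location; locations smaller than the interval can contain at most one sample item each.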

Testing the Items: 

.06: The auditor determines the number of items to be tested at each 
location, and then selects and tests those items. For each line 
item/account the auditor determines the total number of items to be 
tested, based on the applicable selection method and population, 
tolerable misstatement, and the level of assurance desired, as 
described in FAM 480 and FAM 495 E. 

.07: The auditor generally should perform analytical and other 
procedures, as applicable, for both the locations selected and those 
not selected. The auditor generally should perform supplemental 
analytical procedures, including comparisons of locations with each 
other, with other years’ information, and with non-financial measures 
for all locations, regardless of the selection method. 

When nonrepresentative selection is used, the auditor should apply
appropriate substantive analytical procedures and/or other substantive
procedures for locations not tested on-site, unless those locations are
immaterial in total. FAM 400 provides guidance on substantive and
supplemental analytical procedures. Specific matters noted during the
audit—for example, cutoff misstatements at one or more locations—may
warrant increased or different audit procedures at locations not 
previously selected for on-site testing. 

.08: In evaluating the result of a sample, the auditor should estimate 
the effects, both quantitative and qualitative, on the financial 
statements taken as a whole of any misstatements noted, as discussed in 
FAM 480 and FAM 540. In visiting selected locations, in addition to the 
issues concerning evaluation of samples in those sections, the auditor, 
using professional judgment, generally should apply the following 
additional procedures when the auditor finds misstatements or control 
deviations: 

a. Determine if apparent misstatements are, in fact, misstatements that
have not been corrected at some level in the entity. 

b. Ask management to identify the cause of the misstatements and 
whether similar misstatements are likely to have occurred at locations
not visited. 

c. Test and evaluate management’s identification of cause. 

d. Determine whether the misstatements indicate that there is a control
deficiency. If so, determine whether the control deficiency applies only
to the location visited or to all locations. Determine whether control
deficiencies indicate a need to change the control risk assessment, risk
of material misstatement, or substantive procedures, either for the
location or overall. 

e. Obtain evidence to test management’s evaluation as to whether the
same or similar types of misstatement exist at other locations, 
including locations not tested on-site. If the evidence is highly 
persuasive that the misstatement does not exist at other locations and 
the audit director concurs, the auditor may treat the effect on the 
entity the same as that on the location. See FAM 480.40 for a 
discussion of deciding whether evidence is highly persuasive. If the 
misstatement is not isolated to the location, ask management to 
investigate whether there is evidence that the misstatement exists in 
other than a similar proportion throughout the entity. If such evidence 
exists and is appropriate and sufficient, the auditor generally should 
obtain evidence of the incidence rate and determine the effect on the 
entity. If no such evidence exists, the auditor should project the 
misstatement to the financial statements in determining likely 
misstatement. The statistician should review these projections. 

.09: In a nonrepresentative selection, the auditor generally should 
evaluate the possible effects of misstatements on locations not visited 
and determine whether to perform additional audit procedures. Because 
the selection is not representative, the misstatements cannot be 
projected to the entity as a whole. 

.10: The auditor should evaluate the sufficiency of audit procedures 
applied. The auditor should use professional judgment and should 
identify all relevant factors to determine whether the audit objectives 
are met in the specific circumstances. 

295 D - Interim Substantive Testing of Balance Sheet Accounts: 

.01: The auditor may decide to perform significant substantive tests of
balance sheet line items/accounts as of a date before the balance sheet
date. If the auditor performs interim tests, the auditor should also 
apply further substantive procedures or substantive procedures combined 
with tests of controls that cover the period between the interim 
testing date and the year-end balance sheet date, often referred to as 
the “roll-forward period,” and provide a reasonable basis for extending 
audit conclusions from the interim date to period end.[Footnote 29] 

.02: Because evidence obtained as of the year-end about an asset or 
liability balance provides more assurance than evidence obtained as of 
a prior or subsequent date, risk of material misstatement generally 
increases as the length of the roll forward period increases. The 
auditor should evaluate the risk of material misstatement (inherent, 
control, and fraud risk) in determining whether substantive or control 
tests of the roll forward period can be designed to provide a 
reasonable basis for extending the audit conclusions from the interim 
testing date to year-end. 

Although it is not necessary to obtain audit evidence about the 
operating effectiveness of controls to have a reasonable basis for 
extending audit conclusions from an interim date to year-end, the 
auditor should evaluate whether performing only substantive procedures 
to cover the remaining period is sufficient. If the auditor concludes 
that substantive procedures alone would not be sufficient to cover the 
remaining period, tests of the operating effectiveness of relevant 
controls should be performed or the substantive tests should be 
performed as of year-end. 

.03: The additional audit procedures performed for the roll forward 
period ordinarily increase the overall audit costs. However, by 
performing interim tests before year-end, the auditor may be able to: 

* more quickly identify and address significant risks of material 
misstatements, including audit and accounting issues, such as problem
areas and complex or unusual transactions, enabling the entity to either
correct misstatements or the auditor to modify the audit strategy and
audit plan/procedures; 

* complete the audit and issue the audit report earlier; and 

* improve staff utilization and enable a smaller number of staff members
to perform the audit by allocating the total audit hours over a longer
period before the report issuance date. 

.04: Interim testing of a balance sheet line item/account or an 
assertion with a high risk of material misstatement typically involves 
greater detection risk than performing all substantive testing of 
balance sheet line items/accounts/assertions as of year-end. However, 
in some cases, the auditor may be able to perform interim tests 
depending on the auditor’s assessment of the factors in FAM 295 D.06. 

.05: If the auditor finds control deviations in the tests of controls 
during interim tests, the auditor uses professional judgment, 
considering the nature, cause, and estimated effects of the deviations, 
to determine whether to revise the preliminary risk assessments, audit 
strategy, and the audit plan/procedures, including decisions regarding 
the nature, extent and timing of substantive procedures. 

.06: In determining whether to apply interim testing, the auditor should
consider the following factors. 

* The assessment of risk of material misstatements: The auditor should 
evaluate the risk of material misstatement during the roll forward 
period including relevant factors, such as business conditions that may 
make management more susceptible to pressures, providing a rationale 
for them to misstate the financial statements. As the risk of material 
misstatement increases, the auditor generally increases the extent of 
the procedures applied to the roll forward period or year-end, possibly 
making interim testing much more costly than only testing the year-end 
balances. 

* The anticipated comparability of risk of material misstatement and 
the nature of the line item/account balances from the interim testing 
date to year end: The auditor may more easily extend the audit 
conclusions from the interim date to the year-end date if the risk of 
material misstatement does not increase from the interim date to the 
year-end date and if the line item/account balances consist of similar 
types of items at both dates. 

* The amount of the line item/account balance at the interim testing 
date in relation to the expected year-end balance: A significant 
increase in the amount of the line item/account balance between interim 
and year-end dates would diminish the auditor’s ability to extend the 
audit conclusions to the year end. In addition, applying substantive 
interim tests to a large line item/account balance may be inefficient 
if the year-end balance is much lower than the balance at the interim 
date. 

* The length of the roll forward period: The longer the roll forward
period, the more difficult it is to control the increased risk of 
material misstatement. The auditor generally should not use a roll 
forward period longer than 3 months for assertions in account balances 
with significant activity during the roll forward period. However, the 
auditor may use a longer roll forward period in certain situations 
depending on the auditor’s assessment of the anticipated activity 
during the roll forward period discussed below. 

* The anticipated level of transaction activity during the roll forward 
period: Interim testing generally decreases in effectiveness and 
efficiency as the level of transaction activity during the roll forward
period increases, particularly if there are large or unusual 
transactions during this period. 

* The ease with which audit procedures can be applied to test the 
transactions or controls during the roll forward period: As the 
difficulty of such procedures increases, the efficiency of interim 
testing generally decreases. 

* The availability of information to test roll forward period activity 
using substantive analytical procedures, detail tests, tests of 
controls, or a combination of procedures: If sufficient information is 
not available, interim testing is not appropriate. 

* The timing of the audit, staffing and scheduling requirements, and 
reporting deadlines: Tight deadlines or staff availability for 
performing audit procedures at the year’s end may necessitate interim
testing. 

.07: In determining the timing of audit tests, the auditor should 
consider the relationships between line items/accounts that are 
affected by the same transactions. For example, if the auditor applies 
interim testing to inventory, the auditor should evaluate the risk of 
material misstatement associated with inventory-related accounts 
payable, including cutoff matters. The auditor may apply substantive 
procedures to each of the related line items/accounts as of the same 
interim testing date or may apply other procedures to obtain sufficient 
appropriate audit evidence. 

.08: The auditor should document in the ARA, or equivalent, the line
items/accounts (and assertions, where applicable) to which interim
substantive testing is applied. The auditor should document the basis 
for concluding that the use of interim testing is appropriate in the 
audit strategy. 

295 E - Effect of Risk of Material Misstatement on Extent of Audit 
Procedures: 

.01: The concepts of materiality and risk interrelate and sometimes are
confused. The auditor determines materiality based on the users’ 
perceived concerns and needs. The auditor also assesses risk of material
misstatement based on (but not limited to) knowledge of the entity, its
business (purpose), applicable laws and regulations, and internal 
control. 

.02: The auditor uses both materiality and risk in (1) determining the 
nature, extent, and timing of audit procedures and (2) evaluating the 
results of audit procedures. The evaluation of risk usually does not 
affect materiality. However, risk affects the extent of testing needed. 
The higher the auditor's assessment of risk of material misstatement, 
the higher the required level of substantive assurance from the audit 
procedures. The discussion of consideration of risk in planning begins 
at FAM 260.02. Use of risk in determining sample size is discussed in 
FAM 470. 

.03: As an example, assume that the auditor is testing accounts 
receivable using MUS techniques described in FAM 480. Pertinent data 
for this test is: 

* accounts receivable total $2.5 million, 

* tolerable misstatement is $100,000, and 

* no misstatements are expected. 

If the auditor assesses risk of material misstatement as low, the 
sample size would be 25 items. If the auditor assesses the risk of 
material misstatement as high, the sample size would be 75 items. The 
increase in risk caused the sample size to triple with the same 
tolerable misstatement. 

295 F - Types of Information System Controls: 

.01: As discussed in FAM 270.04, the auditor should obtain an 
understanding of the design of information systems (IS) controls and 
whether they have been implemented. An IS controls specialist should 
test the IS controls identified by the auditor as described in FAM 300 
using an appropriate methodology. IS controls can be classified into 
three types: 

* general controls, 

* application controls, and 

* user controls. 

General Controls: 

.02: General controls are the policies and procedures that apply to all 
or a large segment of an entity’s information systems. General controls 
help ensure the proper operation of information systems by creating the 
environment for proper operation of application controls. Ineffective 
general controls may prevent application controls from operating 
properly and allow misstatements to occur and not be detected. Without 
effective general controls, application controls can generally be 
rendered ineffective by circumvention or modification. General controls 
include: 

* security management that provides a framework and continuing cycle of 
activity for managing risk, developing security policies, assigning 
responsibilities, and monitoring the adequacy of the entity’s 
computer-related controls; 

* logical and physical access controls that limit or detect access to 
computer resources (data, programs, equipment, and facilities), thereby 
protecting these resources against unauthorized modification, loss, and 
disclosure. Logical access controls require users to authenticate 
themselves (through the use of passwords or other identifiers) and 
limit the files and other resources that authenticated users can access 
and the actions that they can execute. Physical access controls involve 
restricting physical access to computer resources and protecting them 
from intentional or unintentional loss or impairment; 

* configuration management that prevents unauthorized changes to 
information system resources (for example, software programs and 
hardware configurations) and provides reasonable assurance that systems 
are configured and operating securely and as intended; 

* segregation of duties that includes having policies, procedures, and 
an organizational structure to manage who can control key aspects of 
computer-related operations and thereby conduct unauthorized actions or 
gain unauthorized access to assets or records; and 

* contingency planning so that when unexpected events occur, critical 
operations continue without interruption or are promptly resumed and 
critical and sensitive data are protected. 

FISCAM has detailed guidance on evaluating and testing general controls.
See FAM 240 and FAM 270 for additional discussion of general controls. 

.03: The entity may establish general controls at entitywide, system, 
and application levels. 

* In evaluating general controls at the entitywide or system level, the
auditor and the IS controls specialist may evaluate access control on 
an overall basis. For instance, the IS controls specialist may evaluate 
the entity’s use of security access software, including its proper 
implementation. 

* When evaluating general controls at the application level, the 
auditor and the IS controls specialist may evaluate access controls
that limit access to particular applications and related computer 
files, such as restricting access to payroll applications and related
files (such as the employee master file and payroll transaction files)
to authorized users. 

* Finally, the auditor and the IS controls specialist may evaluate the 
security built into the application itself to further restrict access.
This security is usually accomplished by means of menus and other 
restrictions programmed into the application software. Thus, a payroll 
clerk may have access to payroll applications but may be restricted 
from access to a specific function, such as reviewing or updating 
payroll data on payroll department employees. 

.04: The effectiveness of general controls is a significant factor in 
determining the effectiveness of application controls and certain user 
controls. Without effective general controls, application controls may 
be rendered ineffective by circumvention or modification. For example, 
the production and review of an exception report of unmatched items can 
be an effective application control. However, this control would be 
ineffective if the general controls permitted unauthorized program 
modifications such that certain items would be inappropriately excluded 
from the report. 
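The failure described in .04, as an added example in Python that is not part of the FAM: an exception report whose program has been altered to drop certain items still looks normal, while a reconciliation of control totals computed outside that program shows the gap. The record layout, vendor codes, and function names are hypothetical, and the sample data is constructed.

```python
"""Exception report of unmatched items, checked against independent control totals."""
from decimal import Decimal

# Constructed sample input: (payment_id, vendor, purchase_order, amount).
PAYMENTS = [
    ("P-001", "V100", "PO-501", Decimal("1200.00")),
    ("P-002", "V200", "PO-502", Decimal("845.50")),
    ("P-003", "V300", "PO-503", Decimal("15000.00")),
    ("P-004", "V300", "PO-504", Decimal("9800.00")),
    ("P-005", "V400", "PO-505", Decimal("310.25")),
]
# Constructed receiving records: purchase orders for which goods were received.
RECEIVED_POS = {"PO-501", "PO-502"}


def exception_report(payments, received_pos):
    """Application control: split payments into matched and unmatched items."""
    matched = [p for p in payments if p[2] in received_pos]
    unmatched = [p for p in payments if p[2] not in received_pos]
    return matched, unmatched


def altered_exception_report(payments, received_pos, excluded_vendor):
    """Models the failure case in .04: an unauthorized program change that
    drops one vendor's unmatched items before the report is produced."""
    matched, unmatched = exception_report(payments, received_pos)
    return matched, [p for p in unmatched if p[1] != excluded_vendor]


def reconcile(payments, matched, unmatched):
    """Completeness check run outside the report program: every input item
    must appear exactly once, as matched or unmatched, by id and dollar total."""
    reported = matched + unmatched
    input_ids = [p[0] for p in payments]
    output_ids = [p[0] for p in reported]
    input_total = sum((p[3] for p in payments), Decimal("0"))
    output_total = sum((p[3] for p in reported), Decimal("0"))
    missing = sorted(set(input_ids) - set(output_ids))
    duplicated = sorted({i for i in output_ids if output_ids.count(i) > 1})
    return {
        "balanced": not missing and not duplicated and input_total == output_total,
        "missing": missing,
        "duplicated": duplicated,
        "difference": input_total - output_total,
    }


if __name__ == "__main__":
    for label, (matched, unmatched) in {
        "approved program": exception_report(PAYMENTS, RECEIVED_POS),
        "altered program": altered_exception_report(PAYMENTS, RECEIVED_POS, "V300"),
    }.items():
        print(label, [p[0] for p in unmatched], reconcile(PAYMENTS, matched, unmatched))
```

The reconciliation is only as reliable as the controls over its own code and inputs, so it supplements effective general controls rather than replacing them.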

Application Controls: 

.05: Application controls are controls that are incorporated directly 
into computer applications to help ensure the validity, completeness, 
accuracy, and confidentiality of transactions and data during 
application processing. Application controls, sometimes referred to as 
business process controls, include controls over: 

* input, 

* processing, 

* output, 

* master data, 

* application interfaces, and 

* data management system interfaces. 

The effectiveness of application level controls depends on the 
effectiveness of entitywide and system level general controls. 
Weaknesses in entitywide and system level general controls can permit 
unauthorized changes to business process applications and data that can 
circumvent or impair the effectiveness of application level controls. 

.06: FISCAM uses control categories that complement the methodology 
used in the FAM. Most of the following categories relate to the 
financial statement assertions. 

* Validity controls. This category relates to the assertion of 
existence or occurrence. Validity controls provide reasonable assurance 
(1) that all recorded transactions actually occurred (are real), relate 
to the organization, and were properly approved in accordance with 
management’s authorization; and (2) that output contains only valid 
data. A transaction is valid when it has been authorized (for example, 
buying from a particular supplier) and when the master data relating to 
that transaction is reliable (for example, the name, bank account and 
other details on that supplier). Validity includes the concept of 
authenticity, including prevention or detection of duplicate 
transactions. Examples of validity controls are one-for-one checking 
and matching. 

* Completeness controls. This category relates to the assertion of 
completeness and deals with whether all valid transactions are 
recorded. Completeness controls provide reasonable assurance that all 
transactions that occurred are input into the system, accepted for 
processing, processed once and only once by the system, and properly 
included in output. Completeness controls include the following key 
elements: 

* transactions are completely input, 

* valid transactions are accepted by the system, 

* rejected transactions are identified, corrected and reprocessed; and 

* all transactions accepted by the system are processed completely. 

The most common completeness controls in applications are batch totals, 
sequence checking, matching, duplicate checking, reconciliations, 
control totals and exception reporting. Reconciliations not only help 
detect misstatements relating to transaction completeness, but also 
identify the cutoff and summarization misstatements associated with 
both the existence or occurrence and completeness assertions. 

* Accuracy controls. This category relates to the assertion of 
valuation or allocation, which deals with whether transactions are
recorded at correct amounts. This control category, however, is not
limited to valuation, and also includes controls designed to properly 
classify transactions. Accuracy controls should provide reasonable 
assurance that transactions are properly recorded, with the correct 
amount/data, and on a timely basis (in the proper period); key data 
elements input for transactions are accurate; data elements are 
processed accurately by applications that produce reliable results; and 
output is accurate. 

Accuracy control techniques include programmed edit checks (e.g., 
validations, reasonableness checks, dependency checks, existence 
checks, format checks, mathematical accuracy, range checks, etc.),
batch totals and check digit verification. 

* Confidentiality controls. These controls should provide reasonable 
assurance that application data and reports and other output are 
protected against unauthorized access. Examples of confidentiality 
controls include restricted physical and logical access to sensitive 
business process applications, data files, transactions, and output, 
and adequate segregation of duties. Confidentiality controls also 
include restricted access to data reporting/extraction tools as well as 
copies or extractions of data files. 
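
The completeness and accuracy techniques named above (batch totals, sequence checking, duplicate checking, range checks, check digit verification, exception reporting) can be seen working together on one input batch. The following is an added example, not part of the FAM or FISCAM; the record layout, the Luhn check digit scheme, the amount limit, and all sample values are assumptions constructed for illustration.

```python
"""Added illustration: completeness and accuracy controls applied to one input batch."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Control figures prepared independently of the detail records."""
    first_seq: int
    record_count: int
    control_total: Decimal


def luhn_valid(number: str) -> bool:
    """Check digit verification using the Luhn (mod 10) scheme (assumed scheme)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def check_batch(header, records, max_amount=Decimal("10000.00")):
    """Apply record-level edits and batch-level controls.

    Returns (accepted, exceptions); each exception is (seq or None, reason).
    Batch-level exceptions carry None in place of a sequence number.
    """
    accepted, exceptions, seen = [], [], set()
    for rec in records:
        problems = []
        if rec["seq"] in seen:  # duplicate checking
            problems.append("duplicate sequence number")
        seen.add(rec["seq"])
        if not luhn_valid(rec["account"]):  # check digit verification
            problems.append("account check digit failed")
        if not Decimal("0") < rec["amount"] <= max_amount:  # range check
            problems.append("amount outside permitted range")
        if problems:
            exceptions.append((rec["seq"], "; ".join(problems)))
        else:
            accepted.append(rec)

    # Sequence checking: every number the header promises must be present.
    expected = set(range(header.first_seq, header.first_seq + header.record_count))
    for seq in sorted(expected - seen):
        exceptions.append((seq, "sequence number missing from batch"))
    for seq in sorted(seen - expected):
        exceptions.append((seq, "sequence number outside batch range"))

    # Batch totals: record count and control total are compared to the header.
    if len(records) != header.record_count:
        exceptions.append(
            (None, f"record count {len(records)} != header {header.record_count}"))
    total = sum((r["amount"] for r in records), Decimal("0"))
    if total != header.control_total:
        exceptions.append(
            (None, f"control total {total} != header {header.control_total}"))
    return accepted, exceptions


# Constructed sample batch (not real data).
SAMPLE_HEADER = BatchHeader(first_seq=1001, record_count=5,
                            control_total=Decimal("2965.50"))
SAMPLE_RECORDS = [
    {"seq": 1001, "account": "12345674", "amount": Decimal("250.00")},
    {"seq": 1002, "account": "12346574", "amount": Decimal("100.00")},       # transposed digits
    {"seq": 1003, "account": "79927398713", "amount": Decimal("25000.00")},  # keying error
    {"seq": 1003, "account": "79927398713", "amount": Decimal("75.50")},     # repeated number
    {"seq": 1005, "account": "12345674", "amount": Decimal("40.00")},
]

if __name__ == "__main__":
    ok, report = check_batch(SAMPLE_HEADER, SAMPLE_RECORDS)
    print("accepted:", [r["seq"] for r in ok])
    for seq, reason in report:
        print("exception:", seq, reason)
```

In the sample, the record count agrees with the header, yet the control total and the sequence check still expose the batch as incomplete and misstated, which is why these controls are normally used in combination.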

User Controls: 

.07: User controls are controls that are performed by people 
interacting with IS controls. The effectiveness of user controls 
typically depends on the accuracy of the information produced by the 
information system, such as exception reports or other reports. If this 
IS dependency exists, the user controls are information system 
controls. If the auditor has an expectation of the effectiveness of a 
user control to reduce the risk of material misstatement, the auditor 
should understand the design of and test any related controls that 
affect the accuracy of the information in the reports used as part of 
the user control. 

For example, if the IS control (a user control) is the review of an 
exception report, the auditor should understand the design of and test 
the application controls directly related to the production of the 
exception report, as well as the general and other application controls 
upon which the reliability of the information in the exception report 
depends. This testing would include controls over the proper 
functioning of the business process application that generated the 
exception report and the reliability of the data used to generate the 
exception report. In addition, the auditor should test the 
effectiveness of the user control (i.e., management review and followup 
on the items in the exception report). 

.08: In certain circumstances, user controls may be manual controls 
used to monitor the effective functioning of information systems and IS 
controls. For example, a user control may be to manually check the 
accuracy and completeness of IS computed transactions against manually 
prepared records. Also, the effectiveness of the user control to 
monitor the information system and related controls is affected by the 
effectiveness of manual controls over the accuracy of the manually 
prepared data. 

295 G - Budget Controls: 

.01: Budget controls are management’s policies and procedures for 
managing and controlling the use of appropriated funds and other forms 
of budget authority. Budget controls are part of the internal controls 
covered in OMB’s audit guidance. During planning, the auditor should 
understand the design of budget controls and determine whether they 
have been implemented as part of assessing the risk of material 
misstatement as discussed in FAM 250 and 260. 

.02: Certain controls may achieve both financial reporting and other 
control objectives. Accordingly, for efficiency, the auditor may 
coordinate obtaining an understanding of budget controls with obtaining 
an understanding of financial reporting, compliance, and relevant 
operations controls. 

.03: Budget authority is authority provided by law to allow federal 
agencies to enter into financial obligations that will result in 
immediate or future outlays involving government funds (2 U.S.C. 
622(2)). The Congress provides an entity with budget authority and may 
place restrictions on the amount, purpose, and timing of the obligation 
or outlay of such authority. 

.04: There are four basic forms of budget authority: 

* Appropriation authority. The most common form of budget authority 
provides authorization by an act of Congress which permits federal 
entities to incur obligations and to make payments out of the Treasury 
for specified purposes. Appropriations do not represent cash actually 
set aside in the Treasury for purposes specified in the appropriation 
acts. Appropriations represent amounts that entities may obligate 
during the period specified in the appropriation acts. Periods can be 
single-year, multiyear, or no-year. 

* Borrowing authority. Provides statutory authority that permits federal
entities to borrow money and then to obligate against amounts borrowed.
The amount to be borrowed may be definite or indefinite in nature and 
the purposes for which the borrowed funds are to be used are stipulated 
by the authorizing statute. 

* Contract authority. Provides statutory authority that permits 
obligations to be incurred in advance of appropriations or in 
anticipation of receipts to be credited to a revolving fund or other 
account (offsetting collections). Contract authority is unfunded. 
Subsequent funding by an appropriation or by offsetting collections is 
needed to liquidate the obligations incurred under the contract 
authority. 

* Offsetting receipts and collections authority. Permits federal 
entities to obligate and expend the proceeds of offsetting receipts and 
collections. See 295 G.05 for further details. 

.05: Offsetting receipts and collections are of a business- or market-
oriented nature and may include intragovernmental transactions. If, 
pursuant to law, they are deposited to receipt accounts and are 
available for obligation, they are considered budget authority and 
referred to as offsetting receipts. Contract authority and immediate 
availability of offsetting receipts for use are the usual forms of 
budget authority for revolving funds. Offsetting collections may also
include reimbursements for materials or services provided to other
government entities. 

.06: Borrowing authority and contract authority are sometimes called 
“back door authority,” which refers to any type of budget authority 
that is provided by legislation outside the normal appropriations 
process. 

.07: For additional information and terminology on the federal budget 
process, consult GAO’s A Glossary of Terms Used in the Federal Budget 
Process (GAO-05-734SP, September 2005). 

295 H - Laws Identified in OMB Audit Guidance and Other General Laws: 

.01: When identifying significant provisions of laws and regulations 
(see FAM 245.02), the auditor should determine whether the following 
laws and regulations listed in OMB audit guidance could have a direct 
and material effect on the financial statements in addition to other 
laws identified for testing. Following each listed law is the section 
in the FAM that contains the compliance summary and audit procedures 
for that law. 

* Antideficiency Act (codified as amended in 31 U.S.C. 1341, 1342, 1351,
and 1517). Provisions: 31 U.S.C. 1341(a) (1) (A) and (B), and 31 U.S.C.
1517(a). See FAM 803. 

* Federal Credit Reform Act of 1990 (FCRA), Pub. L. No. 101-508, 104
Stat. 1388-610 (codified in various sections of 2 U.S.C.) Provisions: 2 
U.S.C. 661c (b) and (e). See FAM 808. 

* Provisions Governing Claims of the United States Government as
provided primarily in sections 3711-3720E of Title 31, United States 
Code (including provisions of the Debt Collection Improvement Act of 
1996, Pub. L. No. 104-134, 110 Stat. 1321-358, which also is codified 
in various sections of 5 U.S.C., 18 U.S.C., 26 U.S.C., 31 U.S.C., and 
42 U.S.C.) Provisions: 31 U.S.C. 3711, 31 U.S.C. 3717(a), (b), (c), 
(e), and (f), and 31 U.S.C. 3719. See FAM 809. 

* Prompt Payment Act (codified as amended in 31 U.S.C. 3901-3907). 
Provisions: 31 U.S.C. 3902(a), (b), and (f) and 31 U.S.C. 3904. See FAM 
810. 

* Pay and Allowance System for Civilian Employees as provided primarily 
in Chapters 51-59 of Title 5, United States Code. Provisions: 5 U.S.C. 
5332, 5343, 5376, and 5383. See FAM 812. 

OMB audit guidance lists the specific provisions for each of the laws 
above that the auditor is expected to test if the auditor identifies 
the law for testing. 

.02: The auditor should also determine whether any other general or 
entity-specific laws are significant laws for the audited entity, per 
FAM 245 and FAM 802. The following are some general laws for which we 
have included in FAM 800 a compliance summary for internal control 
testing and a compliance audit plan (program). See FAM 802 (Part II), 
General Compliance Checklist, and the referenced section for each law 
for internal control and compliance testing for: 

* Civil Service Retirement Act (CSRA), 5 U.S.C. Chapter 83, subchapter
III. See FAM 813. 

* Federal Employees Health Benefits Act, 5 U.S.C. Chapter 89. See FAM
814. 

* Federal Employees' Compensation Act (FECA), 5 U.S.C. Chapter 81,
subchapter I. See FAM 816. 

* Federal Employees Retirement System Act of 1986 (FERS), provided
primarily in 5 U.S.C. Chapter 84. See FAM 817. 

295 I - Examples of Auditor Responses to Fraud Risks: 

.01: As discussed in FAM 260, the auditor’s response to assessed fraud 
risks should (1) have an overall effect on the conduct of the audit, 
(2) address fraud risks that relate to management override of controls, 
and (3)—for any fraud risks that relate to specific financial statement 
account balances or classes of transactions and related 
assertions—involve the nature, extent, or timing of audit procedures. 
This section provides examples of auditor responses in this third 
category—changing the nature, extent, or timing of audit procedures. 

Examples of Auditor Responses (to Fraud Risks) Involving the Nature, 
Extent, or Timing of Audit Procedures: 

.02: Examples of auditor responses to fraud risks involving the nature, 
extent, or timing of audit procedures include: 

* Inquiring of management and other personnel involved in areas having 
fraud risks, such as risks related to any improper payments, to obtain 
their insights about those risks and whether and how controls mitigate
those risks. 

* Inquiring of those charged with governance to obtain their insights 
about those risks and whether and how controls mitigate those risks. 

* Inquiring of additional members of management, such as program 
directors or center directors, or other nonaccounting personnel to 
assist in identifying issues and corroborating other evidential matter. 

* Using data-mining or other computer-assisted audit techniques, such as
Interactive Data Extraction and Analysis (IDEA), to gather more 
extensive evidence about data contained in significant accounts. Such
techniques can be used to select audit sample items from electronic
files, locate items with specific characteristics (to perform 
substantive analytical procedures or make a nonrepresentative 
selection), or test an entire population. 

* Inspecting or observing physical counts of tangible assets, such as
property, plant, and equipment and certain inventories, for which other
procedures may otherwise have been sufficient. 

* Conducting surprise or unannounced procedures, such as inventory
observations or cash counts on unexpected dates or at unexpected 
locations. 

* Making inquiries of major suppliers or customers in addition to 
obtaining written confirmations, requesting confirmations of a specific
individual within an organization, or requesting confirmation of 
additional or different information. 

* Where a specialist’s (see FAM 650 and AU 336) work is particularly
significant, performing additional procedures related to some or all of
the specialist’s methods, assumptions, or findings to evaluate whether
the findings are unreasonable, or engaging another specialist to do that. 

* Performing additional or more focused tests of budget to actual
variances and their underlying causes. 

* Performing targeted tests of the timing of cost/expense recognition. 

* Requesting that physical inventory counts be made on or closer to 
year-end. 

* If fraud risks relate to an interim period, performing audit tests 
that are focused on transactions that occurred in that interim period 
(or throughout the reporting period). 

* Testing a larger sample of disbursement transactions for validity. 

* Performing substantive analytical procedures that are more detailed by
location, program, month, or other category (for example, analyzing 
specific credit lines in an allowance for loan losses, rather than the
portfolio as a whole), or that use more precise techniques (for example,
regression analysis). 

* Discussing with other auditors who are auditing the financial 
statements of one or more entity components the extent of work 
necessary to address fraud risks resulting from intragovernmental
transactions and activity among those components. 

Additional Examples of Auditor Responses to Fraud Risks Related to 
Misstatements Arising from Fraudulent Financial Reporting: 

.03: The following paragraphs provide additional examples of auditor
responses to fraud risks related to misstatements arising from 
fraudulent financial reporting in the areas of (1) management’s 
estimates, (2) revenue recognition, and (3) inventory quantities. These 
example responses involve the nature, extent, and timing of audit 
procedures. 

Management’s Estimates: 

.04: Fraud risks may relate to management’s development of accounting
estimates. These risks may affect various accounts and assertions, such 
as valuation and completeness of liabilities related to insurance and 
credit programs, pensions, postretirement benefits, and environmental 
cleanup. These risks may also relate to significant changes in 
assumptions for recurring estimates. Further, because estimates are 
based on both subjective and objective factors, bias may exist in the 
subjective factors. 

.05: Examples of procedures that the auditor may perform in response to 
fraud risks related to management estimates include: 

* Gathering additional information about the entity and its environment
to assist in evaluating more extensively the reasonableness of 
management’s estimates and underlying judgments and assumptions, 
focusing on more sensitive or subjective aspects. 

* Performing a more extensive retrospective review of management 
judgments and assumptions applied in estimates made for prior periods. 
This could encompass analyzing each significant judgment and assumption 
in light of the events that occurred subsequently. The auditor may then 
identify (with management’s assistance) reasons for any differences and 
whether these reasons apply to current period estimates. 

* Using the work of a specialist to evaluate management’s estimate, or
developing an independent estimate to compare to management’s estimate. 

Revenue Recognition: 

.06: Revenue recognition is affected by the particular facts and 
circumstances and sometimes—for example, for certain government 
corporations—by accounting principles that vary by type of operations. 
Hence, where revenue is (or is expected to be) material, the auditor 
should understand the criteria for revenue recognition the entity uses 
and should design audit procedures based on the entity’s operations and 
its environment, including the composition of revenue, specific 
attributes of the revenue transactions, and any other specific entity 
considerations. 

.07: Examples of procedures that the auditor may perform in response to 
fraud risks related to improper revenue recognition include: 

* Performing substantive analytical procedures related to revenue that
are based on more precisely developed expectations, such as comparing 
revenue between the current year and expectations by location, program, 
and month, or that establish the limit (see FAM 475.04-.05) at a lower 
percentage of tolerable misstatement. Audit techniques such as 
regression analysis may be helpful in performing these procedures. 

* Inquiring of entity personnel, including its general counsel, about 
any revenue-related transactions near the end of the reporting period 
and their knowledge of any unusual terms or conditions that may be 
related to those transactions. 

* Confirming with customers and other appropriate parties the relevant
contract terms and the absence of side agreements that may influence 
the appropriate accounting. 

* Physically observing goods being shipped or readied for shipment (or 
returns awaiting processing) at one or more locations at the end of the
reporting period and performing appropriate sales and inventory cutoff
procedures. 

* Expanding tests of general and application controls related to revenue
transactions that are electronically initiated, processed, and 
recorded. 

Inventory Quantities: 

.08: Examples of procedures that the auditor may perform in response to 
fraud risks related to inventory quantities include: 

* Reviewing the entity’s inventory records to identify locations, items, or
issues that warrant attention during or after the physical inventory
count. As a result, the auditor may decide to observe inventory counts
at some locations on an unannounced basis or to request that physical
inventory counts be made at all locations on the same date and on a
date that is on, or closer to, year-end. 

* Performing additional inventory observation procedures, such as more
rigorously examining the contents of boxed items, the manner in which
the inventory is stacked (to identify hollow squares or other issues) or
labeled, and—using the work of a specialist, if needed—the purity,
grade, and concentration of inventory substances, such as specialty
chemicals. 

* Performing additional tests of physical inventory count sheets or 
tags, and retaining copies of these documents to minimize the risk of
subsequent alteration or inappropriate extension and summarization of
the inventory. 

* Performing additional procedures focused on the quantities included in
the priced inventory to further test the count quantities—such as 
comparing quantities for the current period with those for prior periods
by inventory category, location, or other criteria, or comparing count
quantities with perpetual records. 

* Using computer-assisted audit techniques (such as IDEA) to test the
extension and summarization of the physical inventory counts—such as
sorting by tag number to test tag controls or by item number to test for
item omission or duplication—and to test for unusual quantities and
cost amounts. 

* Establishing the limit (see FAM 475.04-.05) at a lower percentage of
tolerable misstatement when performing substantive analytical 
procedures related to inventories. 

Additional Examples of Auditor Responses to Fraud Risks Related to 
Misstatements Arising from Misappropriation of Assets: 

.09: Additional examples of auditor responses to fraud risks related to
misstatements arising from misappropriation of assets involving the 
nature, extent, and timing of audit procedures include: 

* Using information on any improper payments, including information
resulting from entity review of programs and activities under the 
Improper Payments Information Act of 2002, to develop and perform audit 
procedures that are focused on specific vulnerable areas. 

* Expanding the extent of participant eligibility testing for benefit 
programs to encompass unannounced visits to intake centers or work 
sites to test the existence and identity of participants; to observe
benefit payment distribution to identify “ghost” or deceased 
participants; or to use confirmation requests to test the existence of
program participants. The auditor may also use data mining to search 
for duplicate payments, ineligible, ghost, or deceased participants, and
other issues. 

* Obtaining a more comprehensive understanding of internal controls for
assets that are highly susceptible to misappropriation, in order to 
identify relevant controls to prevent and detect a misappropriation;
expanding the tests of those controls; and physically inspecting those
assets at or near the end of the reporting period. 

* Assigning higher inherent risk to locations that have higher fraud 
risks (such as when large quantities of assets that are particularly 
susceptible to such risks are present), and modifying substantive 
procedures at those locations. 

* Establishing the limit (see FAM 475.04-.05) at a lower percentage of
tolerable misstatement when performing substantive analytical 
procedures related to assets that are particularly susceptible to 
misappropriation. 
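
The data mining described in the participant eligibility item above (searching for duplicate payments and for ineligible, ghost, or deceased participants) amounts to matching the payment file against the participant master file. The following is an added example, not part of the FAM; the field names, the matching rules, and all sample records are assumptions constructed for illustration, and each hit is a lead for follow-up rather than a finding.

```python
"""Added illustration: data mining a benefit payment file for fraud indicators."""
from collections import defaultdict
from datetime import date
from decimal import Decimal


def mine_payments(participants, payments):
    """Compare each payment with the participant master file.

    participants: {participant_id: {"eligible_from": date, "date_of_death": date or None}}
    payments:     list of dicts with payment_id, participant_id, period_start, amount
    Returns findings keyed by category (assumed categories, taken from the text).
    """
    findings = {"ghost": [], "ineligible": [], "deceased": [], "duplicate": []}
    groups = defaultdict(list)
    for pay in payments:
        pid = pay["participant_id"]
        # Same participant, same benefit period, same amount: possible duplicate.
        groups[(pid, pay["period_start"], pay["amount"])].append(pay["payment_id"])
        person = participants.get(pid)
        if person is None:  # no master record: possible ghost participant
            findings["ghost"].append(pay["payment_id"])
            continue
        if pay["period_start"] < person["eligible_from"]:
            findings["ineligible"].append(pay["payment_id"])
        died = person["date_of_death"]
        if died is not None and pay["period_start"] > died:
            findings["deceased"].append(pay["payment_id"])
    findings["duplicate"] = [tuple(ids) for ids in groups.values() if len(ids) > 1]
    return findings


def flagged_amount(findings, payments):
    """Total value of flagged payments; for duplicates, every payment after the first."""
    amounts = {p["payment_id"]: p["amount"] for p in payments}
    flagged = set(findings["ghost"]) | set(findings["ineligible"]) | set(findings["deceased"])
    for ids in findings["duplicate"]:
        flagged.update(ids[1:])
    return sum((amounts[i] for i in flagged), Decimal("0"))


# Constructed sample data (not real records).
SAMPLE_PARTICIPANTS = {
    "P-001": {"eligible_from": date(2007, 1, 1), "date_of_death": None},
    "P-002": {"eligible_from": date(2007, 1, 1), "date_of_death": date(2007, 3, 15)},
    "P-003": {"eligible_from": date(2007, 6, 1), "date_of_death": None},
}
SAMPLE_PAYMENTS = [
    {"payment_id": "PAY-1", "participant_id": "P-001",
     "period_start": date(2007, 1, 1), "amount": Decimal("500.00")},
    {"payment_id": "PAY-2", "participant_id": "P-001",
     "period_start": date(2007, 2, 1), "amount": Decimal("500.00")},
    {"payment_id": "PAY-3", "participant_id": "P-001",
     "period_start": date(2007, 2, 1), "amount": Decimal("500.00")},
    {"payment_id": "PAY-4", "participant_id": "P-002",
     "period_start": date(2007, 3, 1), "amount": Decimal("450.00")},
    {"payment_id": "PAY-5", "participant_id": "P-002",
     "period_start": date(2007, 4, 1), "amount": Decimal("450.00")},
    {"payment_id": "PAY-6", "participant_id": "P-003",
     "period_start": date(2007, 5, 1), "amount": Decimal("300.00")},
    {"payment_id": "PAY-7", "participant_id": "P-999",
     "period_start": date(2007, 5, 1), "amount": Decimal("500.00")},
]

if __name__ == "__main__":
    result = mine_payments(SAMPLE_PARTICIPANTS, SAMPLE_PAYMENTS)
    for category, hits in result.items():
        print(category, hits)
    print("flagged amount:", flagged_amount(result, SAMPLE_PAYMENTS))
```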

295 J - Steps in Assessing Information System (IS) Controls: 

.01: As discussed in FAM 270, the following flowcharts illustrate steps 
the auditor and the IS controls specialist generally follow in 
understanding and assessing IS controls in a financial statement audit. 
However, the audit team may decide to test the effectiveness of the 
general controls even if they are not likely to be effective (see fig. 
1) or review application controls even though general controls are not 
effective (see fig. 2), in order to make recommendations on how to fix 
weak controls. 

Figure 1: Steps in Assessing IS Controls in a Financial Statement 
Audit: 

[See PDF for image] 

This figure is a flow chart depicting the following information: 

* Identify significant applications and key processing locations[A]; 

* Obtain background information[B]; 
- Appendix I in FISCAM, "Information System Controls and Audit Planning 
Checklist" may be used[B]; 

* Obtain overview of each significant application and design of related 
business process application controls[A]; 
- Consider: Business process controls (input, processing, output, and 
master data); Interface controls; Data management systems controls[B]; 

* Perform preliminary assessment of design of relevant IS controls 
(based primarily on inquiry with limited observation and walk-through 
procedures)[B]; 
- Appendices II and III in FISCAM may be used to document design of 
general controls[B]; 
- Consider: Security management; Logical and physical access controls; 
Configuration management; Segregation of duties; Contingency 
planning[B]; 

* Are controls likely to be effective? If no: 
- Develop an approach that assesses control risk as high (maximum for 
all IS related controls); approach can not rely on any related IS 
controls[A]; 
- Indicate on SCA Form that all IS controls are ineffective[A]; 
- Perform revised substantive tests[B]; 
- Develop findings[B]; 
- Report results[B]; 
- Stop. 

* Are controls likely to be effective? If yes: 
* Perform detail tests of relevant General Controls (entitywide, 
system, and business process application levels)[B]; 
- Appendices II and III in FISCAM may be used to document design of 
general controls[B]; 
- Use of practice aids for technical areas[B]; 

* Are General Controls effective? If no: 
- Develop an approach that assesses control risk as high (maximum for 
all IS related controls); approach can not rely on any related IS 
controls[A]; 
- Indicate on SCA Form that all IS controls are ineffective[A]; 
- Perform revised substantive tests[B]; 
- Develop findings[B]; 
- Report results[B]; 
- Stop. 

* Are General Controls effective? If yes: 
* Perform audit. 

[A] Usually done by auditor in consultation with IS controls 
specialist; 

[B] Usually done by IS controls specialist in consultation with 
auditor. 

Source: GAO. 

[End of figure] 

Figure 2: Steps for Each Significant Application in Assessing IS 
Controls in a Financial Statement Audit: 

[See PDF for image] 

This figure is a flow chart depicting the following information: 

Audit: 

* Identify on SCE form the IS controls that are the basis of control 
risk assessment[A]; 

* Perform detail tests of those IS controls and related business 
process application controls on which their effectiveness depends[B]; 
- Appendices II and III in FISCAM may be used to document test of 
business process application controls[B]; 
- Consider: Business process controls (input, processing, output, 
master data); Interface controls; Data management system controls[B]; 

* Are these IS controls operating effectively? If no: 
- Change control risk assessment and related substantive testing[A]; 
- Perform revised substantive tests[A]; 
- Develop findings[A]; 
- Report results[A]; 
- Stop. 

* Are these IS controls operating effectively? If yes: 
- Do not change control risk assessment[A]; 
- Perform planned substantive testing[A]; 
- Develop findings[A]; 
- Report results[A]; 
- Stop. 

[A] Usually done by auditor in consultation with IS controls 
specialist; 

[B] Usually done by IS controls specialist in consultation with 
auditor. 

Source: GAO. 

[End of figure] 

[End of section] 

Section 300: Internal Control Phase: 

Internal Control Phase: 

* Understand Information Systems; 
FAM: 320. 

* Identify Control Objectives; 
FAM: 330. 

* Identify and Understand Relevant Control Activities; 
FAM: 340. 

* Determine the Nature, Extent, and Timing of Control Tests and
Compliance with FFMIA; 
FAM: 350. 

* Perform Nonsampling Control Tests and Test Compliance with FFMIA; 
FAM: 360. 

* Assess Internal Control on a Preliminary Basis; 
FAM: 370. 

* Other Considerations; 
FAM: 380. 

* Documentation; 
FAM: 390. 

310 - Overview of the Internal Control Phase: 

.01: In the internal control phase, the auditor continues the risk 
assessment procedures begun in the planning phase. The auditor expands 
the understanding of the entity’s internal control gained during the 
planning phase of the audit in FAM 200 for all types of controls, and 
for financial reporting controls, assesses control risk and risk of 
material misstatement separately for each significant financial 
statement assertion in each significant cycle or accounting 
application. See fig. 300. The auditor should: 

* understand and document the design of each of the five components of
internal control and whether the controls are implemented (placed in
operation) to prevent or detect and correct misstatements; 

* assess the control risk component of the risk of material misstatement
and assess the risk of material misstatement on a preliminary basis; 

* plan the nature, extent, and timing of control tests; and 

* perform any nonsampling control tests of control effectiveness for 
internal controls that have been properly designed and placed in 
operation to support a low assessed level of control risk. 

The auditor uses results of this internal control work to: 

* reassess the risk of material misstatement; 

* determine the nature, extent, and timing of further audit procedures
(sampling control, compliance, and substantive testing discussed in FAM 
400); 

* update the evaluation of internal control as further evidence is 
obtained throughout the audit; 

* determine any effects on the risk of material misstatement and the 
related sufficiency of other audit procedures (discussed in FAM 400 and
500); and 

* use the audit evidence obtained during the internal control and 
testing phases to form an opinion or report on internal control over 
financial reporting and compliance (discussed in FAM 500). 

.02: Before SAS No. 110, for audits not subject to OMB guidance there 
may have been some circumstances in which the auditor may have assessed
control risk at a high (maximum) level and forgone evaluation and 
testing of financial reporting controls if the auditor determined that 
evaluating their effectiveness would be inefficient. However, the 
auditor should no longer choose to default to the maximum level for the 
control risk assessment without determining the impact on detection 
risk. AU 319.04 provides that the auditor needs to be satisfied that 
performing only substantive procedures for the relevant assertion would 
be effective in reducing detection risk to an acceptably low level. 

OMB audit guidance requires the auditor to perform sufficient tests of
internal controls that have been properly designed and placed in 
operation to support a low assessed level of control risk. Thus, the 
auditor should not elect to forgo control tests solely because it is 
more efficient to extend substantive and compliance audit procedures. 

.03: Entity management is responsible for establishing and maintaining 
internal control to provide reasonable assurance that the entity’s 
objectives will be met. In a financial statement audit, the auditor 
evaluates those internal controls designed to provide reasonable 
assurance that the following objectives are met. 

* Reliability of financial reporting (“financial reporting controls”):
Transactions are properly recorded, processed, and summarized to permit 
the preparation of the financial statements in accordance with U.S. 
GAAP, and assets are safeguarded against loss from unauthorized
acquisition, use, or disposition. 

* Compliance with applicable laws and regulations (“compliance 
controls”): Transactions are executed in accordance with (1) laws 
governing the use of budget authority and other laws and regulations
that could have a direct and material effect on the basic financial
statements and (2) any other laws, regulations, and governmentwide
policies identified by OMB in its audit guidance that could have a 
direct and material effect on the basic financial statements or RSSI. 

.04: The auditor should determine whether such internal control provides
reasonable assurance that misstatements, losses, or noncompliance, 
material in relation to the financial statements, would be prevented or
detected during the period under audit. If the auditor intends to opine 
on internal control, the auditor should form a separate conclusion on 
internal control as of the end of the period. Additionally, the auditor 
may test certain operations controls as discussed in the planning phase 
(FAM 275). 

.05: Internal control over safeguarding assets constitutes a process,
implemented by management and other personnel, designed to provide
reasonable assurance regarding the prevention or timely detection of
unauthorized acquisition, use, or disposition of entity assets that 
could have a material effect on the financial statements. Safeguarding 
controls consist of (1) controls that prevent or detect unauthorized 
access (direct or indirect) to assets, and (2) segregation of duties. 

The auditor should understand the design of certain safeguarding 
controls as part of financial reporting controls. These controls relate 
to protecting assets from loss arising from misstatements in processing 
transactions and handling the related assets. FAM 395 C includes a list 
of typical control activities. The auditor need not evaluate 
safeguarding controls related to the loss of assets arising from 
management’s business decisions. Such a loss may occur from incurring 
expenditures for equipment or material that might prove to be 
unnecessary, which is part of operations controls. 

.06: Just as safeguarding controls are part financial reporting and part
operations controls, budget controls are part financial reporting and 
part compliance controls. Budget controls that provide reasonable 
assurance that budgetary transactions, such as obligations and outlays, 
are properly recorded, processed, and summarized to permit the 
preparation of the financial statements, primarily the statement of 
budgetary resources in accordance with U.S. GAAP, are financial 
reporting controls. Budget controls are generally also compliance 
controls in that they provide reasonable assurance that transactions 
are executed in accordance with laws governing the use of budget 
authority. Some budget controls may be compliance controls only; for 
example, controls over allotments to prevent Antideficiency Act 
violations. 

.07: If the auditor’s understanding is that controls have been suitably 
designed and placed in operation, the auditor should test the following 
types of controls: 

* Financial reporting controls (including certain safeguarding and 
budget controls) for each significant assertion in each significant
cycle/accounting application (identified in FAM 240). 

* Compliance controls for each significant provision of laws and 
regulations identified for testing (see FAM 245), including budget
controls for each relevant budget restriction (see FAM 250). 

* Operations controls (1) for data relied on in performing financial 
audit procedures or (2) selected for testing by the audit team. 

.08: The auditor is not required to test controls that have not been 
properly designed and placed in operation. Thus, internal controls that 
are not effective in design (or in operation, based on prior years’ 
testing, where no changes have occurred) do not need to be tested. If the 
auditor determined in a prior year that controls in a particular 
accounting application were ineffective and if management indicates 
that controls have not improved, the auditor need not test them in the 
current year. On the other hand, if controls have been determined to be 
effective in design and placed in operation, the auditor should perform 
sufficient tests of their effectiveness to support a low assessed level 
of control risk. In such cases, the auditor may use a multiyear 
approach over no more than three years to testing controls over the 
various accounting applications, as described in FAM 395 G. 

.09: If the auditor expects to disclaim an opinion because of scope 
limitations or ineffective controls, the auditor may limit internal 
control work to updating the understanding of the design of controls 
and whether they have been placed in operation. The auditor may do this 
by inquiring as to whether previously identified control weaknesses 
have been corrected. In the year the auditor expects to issue an 
opinion on the financial statements, the auditor should perform 
sufficient work on internal control to support the opinion. 

.10: In gaining an understanding of an entity’s internal control, 
including internal control related to information systems and other 
business processing performed outside the entity, the auditor should 
obtain evidence about the design of relevant controls and whether they 
have been implemented (placed in operation). In obtaining evidence 
about whether controls have been implemented, the auditor should 
determine whether the entity is using them, rather than merely having 
them written in a manual, for example. This differs from determining a 
control’s operating effectiveness, which is concerned with how the 
control was applied, the consistency with which it was applied, and by 
whom. Gaining an understanding of the design of internal control does 
not require that the auditor obtain evidence about operating 
effectiveness. 

.11: The auditor should obtain an understanding of the design of 
internal control for information systems and other business processing 
performed outside the entity under a service agreement or other contract
arrangements for assessing risk and planning other audit procedures. The
auditor may obtain this understanding by performing work directly at the
service organization or by using SAS No. 70 reports that include these
internal controls as discussed in AU 324.06-.21. Reports prepared by
auditors of service organizations are generally of two types: (1) 
reports on controls placed in operation or (2) reports on controls 
placed in operation and tests of operating effectiveness. The auditor 
should evaluate whether the scope of the SAS No. 70 work performed by 
the service organization auditor is sufficient for purposes of the 
audit. 

.12: OMB audit guidance requires service organizations to provide SAS 
No. 70 reports on whether (1) internal controls were designed properly 
to achieve specified objectives and placed into operation as of a 
specified date and (2) the controls that were tested were operating 
effectively to provide reasonable assurance that the related control 
objectives were met during the period specified. Auditors are required 
to use these reports when obtaining assurance on the internal control 
of a service organization. If these SAS No. 70 reports do not exist, or 
the auditor does not judge the scope of these reports to be sufficient, 
the auditor should request to perform the work directly or to have the 
service auditor perform such work. 

.13: The service organization auditor may perform substantive 
procedures for use by the entity auditor. If necessary substantive 
procedures are not performed by the service organization auditor, the 
entity auditor should request to perform this work directly. The entity 
auditor should determine whether sufficient audit evidence has been 
obtained to meet the audit objectives. 

.14: If the auditor is unable to obtain sufficient evidence to achieve 
the audit objectives, the auditor should qualify the opinion or 
disclaim an opinion on the entity’s financial statements and/or 
internal control, if applicable, due to a scope limitation as discussed 
in FAM 580.14-.18, and .40-.42. If the auditor is not providing an 
opinion on internal control, the auditor also should evaluate whether 
the audit evidence is sufficient for purposes of achieving the audit 
objectives related to internal control described in the OMB audit 
bulletin. The auditor also should evaluate whether the scope of the 
work is sufficient for purposes of meeting the audit objective related 
to compliance with laws and regulations. If the scope is not 
sufficient, the auditor should report a scope limitation as discussed 
in FAM 580.74-.76. 

.15: In the internal control phase, the auditor should perform and 
document the following procedures: 

* Understand the entity’s design of the information systems for 
financial reporting, compliance with laws and regulations, and relevant
operations (see FAM 320). 

* Identify control objectives by assertion (see FAM 330). 

* Identify and understand relevant control activities that effectively
achieve the control objectives by assertion (see FAM 340). 

* Determine whether controls have been placed in operation and the 
nature, extent, and timing of control testing (see FAM 350). 

* Perform control tests of control effectiveness that do not involve 
sampling (nonsampling control tests) (see FAM 360).[Footnote 30] 
Sampling control tests, if necessary, are performed in the testing 
phase (see FAM 450). 

* On a preliminary basis, based on the evidence obtained, assess (1) the
effectiveness of financial reporting, compliance, and relevant 
operations controls, (2) control risk, and (3) the risk of material
misstatement (see FAM 370). The risk of material misstatement (formerly 
referred to in the FAM as combined risk) includes inherent and control 
risk and is discussed in FAM 370.09. 

* Consider multiyear testing of controls, partial year controls, and
planned changes in controls (see FAM 380). 

* Document understanding and testing of controls (see FAM 390). 

320 - Understand Information Systems: 

.01: The auditor should obtain an understanding of the design of the 
entity’s information systems (whether automated or manual), including 
the processes relevant to financial reporting, for processing and 
reporting of: 

* accounting, budget, compliance, and operations data, and 

* maintaining accountability for the related assets, liabilities, 
equity, and budgetary resources.[Footnote 31] 

These systems include procedures established to initiate, authorize, 
record, process, and report entity transactions (as well as events and 
conditions) to maintain accountability and to monitor compliance. 
Information systems are part of the information and communication 
component of internal control. The communication portion of this 
component is in FAM 260. The auditor should obtain sufficient knowledge 
of each type of system to understand the information reflected in FAM 
320.03-.07 in a manner that is appropriate to the entity’s 
circumstances. This includes obtaining an understanding of how 
transactions originate within the entity’s business processes as 
discussed in AU 314.87. It also includes understanding procedures for 
preparing financial statements and related disclosures (including year-
end journal entries and reclassifications) and understanding how 
misstatements may occur. 

The auditor may use an IS controls specialist to assist in 
understanding and documenting the information technology aspects of 
these systems. The auditor should document the understanding of these 
systems in cycle memorandums, or other equivalent narratives, and 
generally should prepare or obtain related flow charts. FAM 340 and 350 
discuss identifying and documenting controls that are designed to 
mitigate inherent risk. 

.02: The auditor generally should perform sufficient system walk-
throughs to confirm the understanding of significant information about 
such systems. However, if the auditor already has a sufficient 
understanding of the systems as a result of procedures performed in the 
preceding year, the auditor generally should discuss any system changes 
with management. This discussion may be sufficient to substitute for 
the walk-throughs at this point in the audit. FAM 350.09 discusses walk-
throughs to confirm the auditor’s understanding of controls. In a walk-
through of an accounting system, the auditor traces one or more 
transactions from initiation through all processing to inclusion in the 
general ledger, observing the processing in operation, making inquiries 
of entity staff, and examining related documents. 

Walk-throughs are important for understanding the transaction process 
and for determining appropriate audit procedures. The auditor should 
perform walk-throughs for all significant accounting applications. 
Walk-throughs of budget, accounting, compliance, and operations systems
provide evidence about the functioning of such systems. The auditor 
should document these walk-throughs. The auditor should incorporate the
information technology aspects of each system into the audit 
documentation and may include additional flow charts, narratives, and
checklists. 

Accounting System(s): 

.03: For each significant cycle and accounting application identified 
for significant line items and assertions in FAM 240 the auditor should 
obtain an understanding of and should document the design of: 

* procedures by which transactions are initiated, authorized, recorded,
processed, summarized, and reported in the financial statements; 

* nature and type of related records, journals, ledgers, feeder systems,
and source documents, and the accounts involved; 

* processing involved from the initiation of transactions to their 
inclusion in the financial statements, including the nature of computer 
files and the manner in which they are accessed, updated, and deleted; 

* process for resolving the incorrect processing of transactions; for
example, such an understanding might include how the entity determines 
whether suspense items are cleared out of an automated suspense file on 
a timely basis, and how system overrides or bypasses to controls are 
processed and accounted for; 

* processes for reconciling transaction detail to the general ledger and
correcting reconciling items as needed; 

* processes by which the information systems capture events and 
conditions, other than classes of transactions, that are significant to 
the financial statements; and 

* processes used to prepare the entity’s financial statements and budget
information, including significant accounting estimates, disclosures,
and information system processing. These processes include: 
- procedures used to enter transaction totals into the general ledger; 
- procedures used to initiate, authorize, record, and process journal
entries in the general ledger; 
- procedures used to record recurring and nonrecurring adjustments
to the financial statements; 
- procedures used to combine and consolidate general ledger data;
and 
- closing process, including manual and automated procedures, for 
preparing the financial statements and related disclosures. 

.04: When the auditor is required to report on compliance with FFMIA, 
the auditor’s understanding of these processes can help the auditor 
determine whether the financial management systems substantially comply 
with federal financial management systems requirements, federal 
accounting standards, and the SGL at the transaction level. If the 
entity is likely to receive an unqualified opinion and to have no 
identified material weaknesses in internal control, the auditor should 
test significant information the entity provides to support its 
assertion about the substantial compliance of its systems. The auditor 
may perform this testing in conjunction with nonsampling control tests 
(see FAM 350). 

Budget Accounting System(s): 

.05: Through discussions with appropriate entity personnel, the auditor 
should understand and document the design of the entity’s processes 
for: 

* developing and requesting apportionments from OMB; 

* establishing and allocating allotments within the entity, including
reprogramming of allotments; 

* establishing and recording commitments, if applicable; 

* establishing, recording, and monitoring obligations (undelivered 
orders, which include contracts and purchase orders); 

* establishing and recording expended authority (delivered orders); 

* establishing and recording outlays; 

* monitoring supplemental appropriations; 

* deobligating excess amounts when orders are completed; 

* recording transactions in and adjustments to expired accounts; and 

* monitoring canceled (closed) accounts. 

Compliance System(s): 

.06: The compliance system includes the entity’s policies and 
procedures to monitor compliance with laws and regulations applicable 
to the entity. Through discussions with appropriate entity personnel, 
the auditor should understand and document the design of the entity’s 
process for: 

* identifying and documenting all laws and regulations applicable to the
entity; 

* monitoring changes in applicable laws and regulations and responding
on a timely basis; 

* establishing policies and procedures for complying with specific laws
and regulations and clearly documenting and communicating these 
policies and procedures to appropriate personnel; 

* ensuring that an appropriate number of competent individuals at 
appropriate levels within the entity monitor the entity’s compliance
with applicable laws and regulations; and 

* investigating, resolving, communicating, and reporting any 
noncompliance with laws and regulations. 

Operations System(s): 

.07: Through discussions with appropriate entity personnel, the auditor 
should understand and document the design of entity systems in which 
operations controls to be evaluated and tested operate. For example, if 
the auditor intends to evaluate and test an operations control that 
depends on certain statistical information, the auditor should 
understand how the statistical information is developed. 

330 - Identify Control Objectives: 

.01: In designing their systems, entities identify control objectives 
for each type of control that, if achieved, would provide the entity 
with reasonable assurance that individual and aggregate misstatements 
(whether caused by error or fraud), losses, or noncompliance material 
to the financial statements would be prevented or detected. For the 
Statement of Social Insurance and nonmonetary information in the 
financial statements, such as physical units of heritage assets, the 
objectives would relate to controls that would provide reasonable 
assurance that misstatements, losses, or noncompliance that would be 
considered material by users of the information would be prevented or 
detected. These control objectives involve: 

* Financial reporting controls to prevent or detect misstatements in
significant financial statement assertions. These include safeguarding
controls to safeguard assets against loss from unauthorized 
acquisition, use, or disposition, and segregation-of-duties controls to
prevent one person from controlling multiple aspects of a transaction,
which would allow that person to both cause and conceal misstatements,
whether errors or fraud. 

* Budget controls to execute transactions in accordance with budget
authority. 

* Compliance controls to comply with significant provisions of 
applicable laws and regulations. 

* Operations controls to achieve the performance desired by management 
for planning, productivity, quality, economy, efficiency, or 
effectiveness of the entity's operations. 

FAM 330.02-.11 describes the process for identifying control 
objectives. 

Financial Reporting Controls: 

.02: The auditor should evaluate and test financial reporting controls 
for each significant assertion in each significant financial statement 
line item or account, including related disclosures if the auditor has 
determined that controls have been suitably designed and implemented 
(placed in operation). (See FAM 235.02 for a discussion of financial 
statement assertions.) The first step in developing control objectives 
for financial reporting controls is to consider the types of 
misstatements that might occur in each significant assertion in each 
significant line item or account. One or more potential misstatements 
can occur in each financial statement assertion. For example, for the 
existence or occurrence assertion, potential misstatements can occur in 
four areas. 

* Occurrence/validity: Recorded transactions and events do not 
represent economic events that actually occurred that pertain to the
entity. 

* Cutoff: Transactions are recorded in the current period, but the 
related economic events occurred in a different period. 

* Summarization: Transactions are summarized improperly, resulting in
an overstated total. 

* Substantiation: Recorded assets and liabilities of the entity do not
exist at a given date. 

For each potential misstatement in each assertion, there are one or more
control objectives that, if achieved, would prevent or detect the 
potential misstatement. These potential misstatements and control 
objectives provide the auditor with the primary basis for assessing the 
effectiveness of an entity’s control activities. 

Identifying Potential Misstatements and Control Objectives: 

.03: As discussed in FAM 240, the auditor identifies the significant 
accounting applications that provide the source of significant entries 
to each significant line item or account. For example, as illustrated 
in FAM 395 A, (1) sources of significant entries to cash typically 
include the cash receipts, cash disbursements, payroll, and cash 
accounting applications, while (2) sources of significant entries to 
accounts receivable typically include the billing, cash receipts, and 
accounts receivable accounting applications. The auditor should 
identify the accounting applications in the cycle matrix and ARA, or 
equivalent documentation. 

.04: The auditor should understand how potential misstatements in 
significant accounting applications could affect the related line item 
or account at an assertion level. For example, an overstatement of cash 
receipts typically results in (1) an overstatement of the cash account 
(by overstating the debit to cash) and (2) an understatement of 
accounts receivable (by overstating the credit to accounts receivable). 

To illustrate this concept using the assertions, a misstatement in the
existence or occurrence assertion for cash receipts typically results in
misstatements in (1) the existence or occurrence assertion for the cash
account and (2) the completeness assertion for accounts receivable. 

.05: To understand the effect of potential misstatements as discussed 
in FAM 330.04, the auditor may consult the following table 330 regarding
transaction-related accounting application assertions as they affect 
line items/account assertions. 

Table 330: Transaction-Related Accounting Application Assertions and 
Line Items/Account Assertions Affected: 

Line item/account assertions affected: 

Transaction-related accounting application assertion: Existence or 
occurrence; 
Line item/account assertions affected: 
* Existence or occurrence, if the application increases the line
item/account balance; 
* Completeness, if the application decreases the line item/account
balance. 

Transaction-related accounting application assertion: Completeness; 
Line item/account assertions affected: 
* Completeness, if the application increases the line item/account
balance; 
* Existence or occurrence, if the application decreases the line 
item/account balance. 

Transaction-related accounting application assertion: 
Accuracy/valuation; 
Line item/account assertions affected: 
* Accuracy/valuation. 

[End of table] 

.06: For each potential misstatement in the accounting application, the 
auditor should identify related control objectives (and ultimately 
related controls) that could prevent or detect the potential 
misstatement. FAM 395 B includes a list of potential misstatements that 
could occur in each assertion in an accounting application and related 
control objectives. The auditor exercises judgment in determining which 
potential misstatements and control objectives to use. The auditor may 
tailor the list included in FAM 395 B to the accounting application and 
to the entity and may supplement the list with additional objectives or 
subobjectives. 

.07: If the auditor performs procedures that are documented by line 
item or account, a given application might be addressed two or more 
times. For example (see FAM 395 A), the purchasing accounting 
application typically would be addressed in evaluating controls 
relating to the inventory, property, liabilities, expense, and 
obligation accounts. To avoid duplication, the auditor may use a SCE 
worksheet or equivalent to document the procedures discussed in FAM 
330.03-.06. The SCE groups potential misstatements and control 
objectives by accounting application (within each cycle), providing a 
format to perform and document the evaluation and testing of internal 
controls efficiently. See FAM 395 H for an example of an SCE worksheet. 
Sample forms for preparing the ARA and SCE worksheets electronically 
are available at [hyperlink, http://www.gao.gov]. 

The Need for Testing Safeguarding and Segregation-of-Duties Controls: 

.08: Safeguarding controls and segregation-of-duties controls are often
critical to the effectiveness of controls over liquid (easily sold or 
traded) and readily marketable assets (such as cash, inventories, or 
property) that are highly susceptible to theft, loss, or 
misappropriation in material amounts. These controls are also important 
when there is an increased risk of fraud. Before selecting specific 
control activities to test, the auditor should determine whether 
safeguarding controls are relevant. 

If the auditor determines that (1) an asset is highly liquid or 
marketable and (2) material amounts are susceptible to theft, loss, or 
misappropriation, the auditor should include control objectives for 
safeguarding such assets and understand whether safeguarding controls 
have been suitably designed and implemented, and if so, should test 
safeguarding controls. On the other hand, if the asset is not liquid or 
marketable or amounts readily susceptible to theft, loss, or 
misappropriation are not material, the auditor might not need to 
understand and test safeguarding controls. Testing for segregation
of duties is discussed in FAM 360.12-.13. The auditor may evaluate other
safeguarding controls in connection with financial reporting controls. 

Budget Controls: 

.09: The objectives of budget controls are to provide reasonable 
assurance that the entity (1) properly records, processes, and 
summarizes transactions to permit the preparation of the statement of 
budgetary resources and reconciliation of net cost to budget note 
disclosure in accordance with U.S. GAAP and (2) executes transactions in 
accordance with budget authority. FAM 395 F presents a list of budget 
control objectives, organized by steps in the budget process. In 
addition, FAM 395 D presents a list of selected statutes relevant to 
the budget, and FAM 395 E describes budget steps of interest to the 
auditor in evaluating an entity’s budget controls. The auditor may 
document budget control objectives in a separate SCE worksheet for 
budget controls, in a memo, or incorporate them in an SCE with related 
financial reporting controls. 

Compliance Controls: 

.10: The objective of compliance controls is to provide reasonable 
assurance that the entity complies with significant provisions of 
applicable laws and regulations. The auditor should identify compliance 
control objectives for the related provision identified for testing and 
may document these objectives in a separate SCE worksheet for 
compliance controls, in a memo, or incorporate them in an SCE with 
related financial reporting controls. 

Operations Controls: 

.11: The objectives of operations controls are to provide reasonable
assurance that the entity effectively and efficiently meets its goals. 
The auditor should identify control objectives for any operations 
controls identified for testing and may document operations control 
objectives in a separate SCE worksheet for operations controls, in a 
memo, or incorporate them into an SCE with related financial reporting 
controls. The auditor should test operations controls relied on in 
performing financial audit procedures, and any others selected for 
testing by the audit team, if any. See FAM 275.08 and FAM 495 A.21-.22 
for examples of the auditor using entity-prepared reports for 
substantive tests, such as substantive analytical procedures, and 
discussions of tests of related controls over the report data, such as 
operations controls. 

340 - Identify and Understand Relevant Control Activities: 

.01: For each control objective, based on discussions with entity 
personnel and the results of other procedures performed, the auditor 
should identify the control activities designed by management to 
achieve the specific control objective.[Footnote 32] The auditor may 
indicate these controls in the auditor’s informal notes and/or 
interview write-ups for use in the following procedures, but the 
auditor need not formally document them on the SCE worksheet at this
time. The auditor should first screen the activities to identify those 
that are effective in design to test. An IS controls specialist may 
assist the auditor in identifying and understanding the design of 
information system controls. As discussed in FAM 350, the auditor 
should use walk-throughs, inquiry, and observation to determine whether 
the entity has implemented these controls identified for further audit 
procedures. 

Basic Understanding of Effectiveness of Control Activities: 

.02: The auditor should obtain a sufficient understanding of the design 
of the identified control activities to determine whether they are 
likely to achieve the control objectives, assuming an effective control 
environment, entity risk assessment, communication, monitoring, 
appropriate segregation of duties, and effective general controls. The 
purpose of this assumption is for the auditor to identify any 
deficiencies in the specific control activities of the entity that the 
auditor should report as discussed in FAM 580 and recommend that the 
entity correct. Often only multiple control activities, together with 
other elements of internal control, will be sufficient to address a 
risk. 

When other internal control components are poorly designed or not
implemented, there is inadequate segregation of duties, or poor general
controls preclude the effectiveness of specific control activities that 
would otherwise be effective, the auditor may limit the testing of 
these specific control activities to determining whether such controls 
are adequately designed and implemented. To accomplish this, the 
auditor generally should (1) discuss the cycle and specific controls 
with management and then (2) perform walk-throughs by observing the 
controls in place and examining documentary evidence of their 
existence. 

Factors to Consider: 

.03: When evaluating whether controls are likely to achieve the control
objectives, the factors that the auditor should consider include: 

* directness, 

* selectivity, 

* manner of application, and 

* follow-up. 

In determining whether control objectives are achieved, the auditor 
should consider both manual and information system controls, if likely 
to be effective (see FAM 270). 

.04: Directness refers to the extent that a control activity relates to 
a control objective. The more direct the relationship, the more 
effective that activity may be in achieving the objective. For example, 
management reviews of inventory reports that summarize the inventory by 
storage facility may be less effective in preventing or detecting and 
correcting misstatements in the existence assertion for inventory than 
a periodic physical inventory, which is more directly related to the 
existence assertion. 

.05: Selectivity refers to the magnitude of the amount, or the 
significance of other criteria or distinguishing characteristics, that 
a specific control will identify as an exception condition. Examples of 
selectivity thresholds are (1) a requirement for additional approvals 
of all payments to vendors in excess of $25,000 and (2) management 
reviews of all payments to vendors not on an entity’s approved vendor 
list. When determining whether a control is likely to be effective, the 
auditor should evaluate the likelihood that items that do not meet the 
selectivity threshold could, in the aggregate, result in material 
misstatements of financial statements, material noncompliance with 
budget authority, material noncompliance with significant provisions of 
laws and regulations, or significant ineffective or inefficient use of 
resources. 

The auditor also should evaluate the appropriateness of the specified
criteria used to identify items in a management or exception report. For
example, information system input controls (such as the matching of
vendor invoices with receiving reports and purchase orders) that require
exact matches of data from different sources before a transaction is
accepted for processing may be more effective than controls that accept
transactions that fall within a broader range of values. On the other 
hand, controls based on exception reports that are limited to selected
information or use more selective criteria may be more effective than
lengthy reports that contain excessive information. 
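
The selectivity evaluation in .05 can be worked through on data. The 
following is an added example, not part of the manual: it applies the 
two thresholds quoted above (additional approval over $25,000, review 
of vendors not on the approved list) and totals the payments that 
neither control flags. The payment records, vendor names, and 
materiality figure are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the manual):
# (payment id, vendor, amount in whole dollars)
PAYMENTS = [
    ("P-001", "Acme Supply", 48_000),
    ("P-002", "Acme Supply", 24_900),
    ("P-003", "Acme Supply", 24_500),
    ("P-004", "Birch Office", 3_200),
    ("P-005", "Cobalt Labs", 12_000),    # vendor not on the approved list
    ("P-006", "Delta Freight", 19_750),
    ("P-007", "Delta Freight", 26_000),
    ("P-008", "Birch Office", 900),
]
APPROVED_VENDORS = {"Acme Supply", "Birch Office", "Delta Freight"}
APPROVAL_THRESHOLD = 25_000   # threshold from the manual's example (1)
MATERIALITY = 60_000          # assumed planning figure, illustration only


def controls_applied(vendor, amount, threshold, approved):
    """Return the names of the selectivity-based controls that flag a payment."""
    hits = []
    if amount > threshold:               # "in excess of" is strictly greater
        hits.append("additional_approval")
    if vendor not in approved:
        hits.append("unapproved_vendor_review")
    return hits


def residual_exposure(payments, threshold, approved, materiality):
    """Total the payments no control flags and compare the sum to materiality."""
    uncovered_ids = []
    by_vendor = defaultdict(int)
    for payment_id, vendor, amount in payments:
        if not controls_applied(vendor, amount, threshold, approved):
            uncovered_ids.append(payment_id)
            by_vendor[vendor] += amount
    total = sum(by_vendor.values())
    return {
        "uncovered_ids": uncovered_ids,
        "uncovered_total": total,
        "uncovered_by_vendor": dict(by_vendor),
        "exceeds_materiality": total >= materiality,
    }


if __name__ == "__main__":
    result = residual_exposure(
        PAYMENTS, APPROVAL_THRESHOLD, APPROVED_VENDORS, MATERIALITY
    )
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this constructed data no single unflagged payment approaches the 
assumed materiality figure, but the unflagged payments together exceed 
it, which is the aggregate condition .05 asks the auditor to evaluate.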

.06: Manner of application refers to the way in which an entity places a
specific control into operation. The manner of application can influence
the effectiveness of a specific control. When determining the 
effectiveness of controls, the auditor should evaluate: 

* Frequency of application: This refers to the regularity with which
controls are applied. Generally, the more frequently a control is 
applied, the greater the likelihood that it will be effective. 

* Experience and skills of personnel: This refers to whether the person 
applying a control has the necessary knowledge and expertise to 
properly apply it. The lesser the person’s experience and skills, the 
less likely that the control will be effective. Also, the effective 
application of a control is generally adversely affected if the 
technique (1) is performed by an employee who has an excessive volume 
of work or (2) is not performed carefully. 

.07: Follow-up refers to the procedures performed when a control 
identifies an exception condition. A control’s effectiveness depends on 
the effectiveness of follow-up procedures. To be effective, an entity 
needs to (1) apply these procedures on a timely basis, (2) determine 
whether control exceptions represent misstatements, and (3) correct all 
misstatements noted. For example, as a control, an accounting system 
may identify and put exception transactions into a suspense file or 
account. Lack of timely follow-up procedures by the entity to (1) 
reconcile and review the suspense file or account and (2) correct items 
in the suspense file or account would render the control ineffective. 

.08: When evaluating whether controls are likely to be effective, the 
auditor should evaluate whether the controls also are applied 
effectively to adjustments/corrections made to the financial records. 
Such adjustments/corrections may occur at the transaction level, or 
during summarization of the transactions, or may be posted directly to 
the general ledger accounts. Further, the auditor should also evaluate 
the design and implementation of controls applied to the financial 
statement preparation process. 

.09: Based on the understanding of the design of control activities and 
the determination as to whether they are likely to achieve the control
objectives, the auditor should assess control risk to decide whether to 
test controls. If control risk is high for a relevant assertion because 
the control activities for the related accounting application are not 
effective in design or likely to be effective in implementation (based 
on prior years’ testing of the control activities, and the results of 
procedures performed in the current year to understand the controls, 
including management’s indication that the controls have not improved 
from the prior year), the auditor does not need to test the operating 
effectiveness of the controls in the current year. According to OMB 
audit guidance, if controls are likely to be effective, the auditor 
must test them, but may consider using a multiyear approach to testing 
controls over no more than 3 years, as discussed in FAM 395 G. Further, 
as discussed in FAM 350.06-.07, the auditor generally should only test 
the control activities that achieve the objective. 

350 - Determine the Nature, Extent, and Timing of Control Tests and 
Compliance with FFMIA: 

.01: For each control objective, the auditor should: 

* identify specific relevant control activities to potentially test (FAM
350.06-.08), 

* perform walk-throughs to determine whether those controls have been
placed in operation (FAM 350.09), 

* document these control activities in the SCE worksheet or equivalent
(FAM 350.10), 

* determine the nature of control tests (FAM 350.11-.18), 

* determine the extent of control tests (FAM 350.19-.20), and 

* determine the timing of control tests (FAM 350.21). 

Internal control includes information system controls, as discussed 
further in FAM 360.03-.10. 

.02: For CFO Act agencies, the auditor also should determine the nature,
extent, and timing of tests for compliance of the entity’s systems with
federal financial management systems requirements (these requirements
are established by OMB Circular No. A-127 and include the JFMIP/Office 
of Federal Financial Management’s (OFFM) series of system requirements
documents), federal accounting standards (U.S. GAAP -- see FAM 560), and
the SGL at the transaction level in order to report in accordance with
FFMIA. 

Substantial compliance includes the ability of the financial management
systems to routinely provide reliable and timely financial information 
for managing day-to-day operations as well as to produce reliable 
financial statements, maintain effective internal control, and comply 
with legal and regulatory requirements. 

OMB guidance states that all of the financial management system
requirements referenced in Section 7 of OMB Circular No. A-127, 
Financial Management Systems, are important, but not essential to 
substantially comply with the three FFMIA Section 803(a) requirements. 
FFMIA is intended to ensure that agencies use financial management 
systems that provide reliable, timely, and consistent information. 
Agencies that can: 1) prepare financial statements and other required 
financial budget reports using information generated by the financial 
management system(s); 2) provide reliable and timely financial 
information for managing current operations; 3) account for their 
assets reliably, so that they can be properly protected from loss, 
misappropriation, or destruction; and do all three in a way that is 
consistent with Federal GAAP and the USSGL are substantially compliant 
with FFMIA. See FAM 701 for further guidance and discussion. 

.03: If it is likely that the financial statement opinion will be 
unqualified and internal control will be determined to be effective, 
the auditor should plan to test the systems’ substantial compliance 
with the requirements. On recurring audits for which FFMIA 
noncompliance was previously reported, the auditor should determine 
through inquiries and other procedures whether the entity has improved 
its controls and financial statement reporting to the point that the 
auditor should plan to test system compliance with FFMIA. Many control 
tests may also serve as tests for compliance with the systems 
requirements and the SGL and generally should be performed concurrently 
as discussed in FAM 350.23. 

Determining compliance with federal accounting standards (U.S. GAAP) 
involves substantive testing. Accordingly, the auditor may find it 
effective and efficient to combine tests for systems compliance with 
control and substantive testing (multipurpose testing). In addition, 
for purposes of FFMIA, financial management systems include systems 
that produce the information management uses day-to-day, not just 
systems that produce annual financial statements. Thus, to report on 
system compliance with FFMIA, the auditor should understand the design 
of and test, as needed, the financial management systems (including the 
financial portion of any
mixed systems) used for managing financial operations, supporting 
financial planning, management reporting, budgeting activities, and
systems accumulating and reporting cost information. 

.04: For agencies with long-standing, well-documented financial 
management systems weaknesses that severely affect the systems’ ability 
to comply with FFMIA requirements, the auditor may not need to perform 
specific tests of the systems’ compliance with the FFMIA requirements. 
By gaining an understanding of the design of the systems and performing 
internal control and substantive testing, the auditor may have adequate 
information about the systems to describe the instances of lack of 
substantial compliance and make recommendations, as required by FFMIA. 

The auditor also should understand management’s process for determining
whether the entity’s systems comply with the FFMIA requirements and
report any deficiencies in management's process (for example, 
management has not compared its systems with JFMIP/OFFM system 
requirements). Entity assessments for FMFIA (A-123 work) may assist the
auditor in understanding systems compliance with FFMIA. 

.05: If it is likely that the opinion on the financial statements will 
not be unqualified, that the entity has material weaknesses or 
significant deficiencies in internal control, or that it has 
significant noncompliance with legal and regulatory requirements, then 
the auditor may limit the scope of testing performed to support the 
FFMIA assessment. However, if the auditor is concerned that it may be 
difficult to convince management of the systems’ noncompliance without 
specific tests, the auditor generally should perform the testing needed 
for this purpose, the extent of which is a matter of professional 
judgment. If the entity has improved its controls and, in contrast to 
prior years, the financial statement opinion may be unqualified, the 
auditor generally should test the systems for FFMIA compliance. 

Identify Relevant Control Activities to Potentially Test: 

.06: For each control objective identified in FAM 330, the auditor 
should identify the control activity, or combination of control 
activities, that is likely to (1) achieve the control objective and (2) 
improve the efficiency of control tests. In doing this, the auditor 
should consider (1) the extent of any inherent risk [Footnote 33] and 
control environment, entity risk assessment, communication, or 
monitoring weaknesses,[Footnote 34] including those related to 
information systems (as documented in the ARA and/or audit strategy
document, or equivalent (see FAM 260)), and (2) the tentative 
determination of the likelihood that information system controls will be
effective, as determined in the planning phase (see FAM 270). 

The auditor generally should test only the control activities necessary 
to achieve the objective. For example, the entity may have several 
controls that are equally effective in achieving an objective. In such 
a case, the auditor generally should test the control activity that is 
efficient to test, considering such factors as (1) the extent to which 
a control achieves several control objectives and thereby reduces the 
number of controls that would ordinarily need to be tested, and (2) the 
time that will be required to test the control. 

.07: For those control objectives for which the auditor preliminarily 
determines that effective control activities have been designed and 
implemented, the auditor should test the selected control activities, 
as discussed in FAM 360 and FAM 450. The auditor may test all or only 
certain control activities (because others are not likely to be 
effective), related to a control objective. The auditor may not elect 
to forgo control tests solely because it is more efficient to extend 
substantive or compliance audit procedures. 

If, in any phase of the audit, the auditor determines that control 
activities selected for testing are, in fact, ineffective in design or 
operation, the auditor may discontinue the specific control evaluation 
of the related control objectives and should report the identified 
deficiencies in internal control as discussed in FAM 580. If the entity’s 
management does not agree with the auditor’s conclusion that effective 
control activities do not exist or are unlikely to exist, the auditor 
may need to perform procedures sufficient to support that conclusion. 

.08: Before testing controls the auditor believes will be effective, 
the auditor may complete the ARA or equivalent tentatively, assuming 
that such controls are effective. 

Perform Walk-throughs to Determine Whether Controls Are in Operation: 

.09: Before performing control tests, the auditor should perform one or 
more walk-throughs of each control activity to determine whether the 
control activities are functioning in the manner understood by the 
auditor. These walk-throughs are designed to confirm the auditor’s 
understanding of the design and implementation of the control 
activities as part of the auditor’s risk assessment process and differ 
from those performed to confirm the auditor’s understanding of the 
information systems (see FAM 320.02). Through observations, inspection, 
and discussions with personnel responsible for applying or maintaining 
each control (including walk-throughs), the auditor should determine 
whether each control has, in fact, been placed in operation. If a 
control has not been placed in operation, the auditor should consider 
whether other controls are likely to achieve the related control 
objective(s) (compensating controls) and should consider testing such 
controls. 

Document Control Activities to Be Tested: 

.10: The auditor should document the control activities to be tested on 
the SCE worksheet or equivalent (see an illustration in FAM 395 H). The 
auditor generally should test other components of internal control by 
observation and inquiry in the planning phase (see FAM 260.09). The 
auditor may list (and evaluate) controls that satisfy more than one 
control objective only once and refer to these controls, when 
applicable, on subsequent occasions. For each control to be tested, the 
auditor should determine whether the control is an information system 
control as discussed in FAM 270. An IS controls specialist generally 
should review and concur with the auditor’s identification of 
information system controls. 

Determine the Nature of Control Tests: 

.11: To obtain additional sufficient, appropriate evidence of the 
effectiveness of specific controls, the auditor should determine the 
combination of control tests (observation, inquiry, inspection, or 
reperformance) to be performed. No one specific control test is always 
necessary, applicable, or equally effective in every circumstance. The 
auditor should use a combination of audit procedures to obtain 
sufficient, appropriate audit evidence regarding the operating 
effectiveness of controls and to provide the necessary level of 
assurance. In determining the types of tests to apply, the auditor 
should determine the tests that are effective and efficient, as 
discussed in FAM 350.15-.18. Specific types of control tests and 
methods to apply them are discussed in the following paragraphs. 

.12: Observation. The auditor conducts observation tests by observing 
entity personnel actually performing control activities in the normal 
course of their duties. Observation generally provides highly reliable 
evidence that a control activity is properly applied when the auditor 
is there to observe it. However, it provides no evidence that the 
control was in operation at any other time. Consequently, the auditor 
should supplement observation tests with corroborative evidence 
obtained from other tests (such as inquiry and inspection) about the 
operation of controls at other times. 

.13: Inquiry. The auditor conducts inquiry tests by making either oral 
or written inquiries of entity personnel involved in the application of 
specific control activities to determine what they do or how they 
perform a specific control activity. Such inquiries are typically open 
ended. Evidence obtained from inquiry alone is not sufficient; thus, 
the auditor should supplement inquiry with other types of control tests 
– observation or inspection (which may include reperformance). 
Combining inquiry with inspection or reperformance typically provides 
more assurance than inquiry combined only with observation. The 
reliability of evidence obtained from inquiry depends on various 
factors, including: 

* The competence, experience, knowledge, independence, and integrity of 
the person of whom the inquiry was made. The reliability of evidence is 
enhanced when the person possesses these attributes. 

* Whether the evidence was general or specific. Evidence that is 
specific is usually more reliable than evidence that is general. 

* The extent of corroborative evidence obtained. Evidence obtained from
several entity personnel is usually more reliable than evidence obtained
from only one. 

* Whether the evidence was provided orally or in writing. Generally, 
evidence provided in writing is more reliable than evidence provided
orally. 

.14: Inspection. The auditor conducts inspection tests by examining
documents and records for evidence (such as the existence of initials or
signatures) that a control activity was applied to those documents and
records. System documentation, such as operations manuals, flowcharts,
and job descriptions, may provide evidence of control design but do not
provide evidence that controls are actually operating and being applied
consistently. To use system documentation as part of the evidence of
effective control activities, the auditor should obtain additional 
evidence on how the controls were applied. 

Inspection is generally a reliable source of audit evidence and is 
frequently used in multipurpose testing. Because evidence of 
performance is documented, this type of test can be performed at any 
time. The evidence previously obtained from (1) the inspection of 
documents in walk-throughs (in which inspection is performed to a 
lesser extent than in sampling control tests) and (2) observation or 
inquiry tests may provide sufficient evidence of control effectiveness. 
However, the auditor should consider sampling items for inspection if 
additional audit evidence is needed. 

Since documentary evidence generally does not provide evidence
concerning how effectively the control was applied, the auditor 
generally should supplement inspection tests with observation and/or 
inquiry of persons applying the control. For example, the auditor 
generally should supplement inspection of initials on documents with 
observation and/or inquiry of the individual(s) who initialed the 
documents to understand the procedures they followed before initialing 
the documents. The auditor may also reperform the control being tested 
to determine if it was properly applied. 

.15: The auditor should select the type of control tests based on (1) 
the nature of the control to be tested, and (2) the timing of the test 
and period covered by the control. 

.16: The nature of the control influences the type of evidential matter 
that is available. For example, if the control provides documentary 
evidence, the auditor may inspect the documentation. For other 
controls, documentation may not be available or relevant. For example, 
segregation-of-duties controls generally do not provide documentary 
evidence. In these circumstances, the auditor may obtain evidential 
matter about the effectiveness of the control's operation through 
observation or inquiry. 

.17: The timing of the control test and the period covered by the 
control influence the control test. The auditor should obtain 
evidential matter relating to the audit period. Unless it is 
documentary evidence, the auditor generally should obtain the evidence 
during the audit period, when sufficient corroborative evidence is most 
likely to be available. When the evidence relates to only a specific 
point in time, such as evidence obtained from observation, the auditor 
should obtain additional evidence that the control was effective during 
the entire audit period. For example, the auditor may observe the 
control in operation during the audit period and use inquiry and 
inspection of procedures manuals to determine that the control was in 
operation during the entire audit period. FAM 380.02 provides guidance 
concerning situations when new controls are implemented during the 
year. If the auditor tests controls after the audit period, the auditor 
should determine if any changes occurred between the end of the audit 
period and the time of the test. See FAM 350.21 for further discussion 
of interim testing of controls. 

.18: When selecting a particular control test from among equally 
effective tests, the auditor should select the most efficient test. For 
example, the auditor may find that inquiry, observation, and walk-
throughs (tests of controls that do not involve sampling) provide 
sufficient evidence that the control was effective during the year and 
are the most efficient to test. When sampling is considered necessary, 
the auditor should consider performing multipurpose tests to enhance 
audit efficiency (see FAM 430 and FAM 450). 

Determine the Extent of Control Tests: 

.19: After selecting the nature of control tests to be performed, the 
auditor should determine the extent of control tests (including 
information system controls). This determination is based on the 
information gathered in developing an understanding of internal 
control, the nature of the control to be tested, the nature and 
availability of evidential matter, and the auditor's determination of 
the amount of additional evidence needed. As the planned level of 
assurance increases, the auditor should seek more reliable or more 
extensive audit evidence. 

For each control activity considered necessary to achieve the control
objectives, the auditor should test the control activity to determine
whether it achieves the control objectives. Relevant financial 
reporting, budget, compliance, and operations controls generally should 
be tested to the same level of assurance. The extent of this testing is 
discussed in FAM 360 for nonsampling control tests and in FAM 450 for 
sampling control tests. 

.20: Controls that do not leave documentary evidence of existence or
application generally cannot be tested with sampling procedures. When
control activities, such as segregation of duties, do not leave 
documentary evidence, the auditor should test their effectiveness by 
observation and/or inquiry. For example, the auditor may obtain 
evidential matter about the proper segregation of duties by (1) direct 
observation of the control activities being applied during the audit 
period, and (2) inquiry of the individual(s) involved about applying 
the activities at other times during the audit period. The appropriate 
extent of observation and inquiry is not readily quantifiable. To 
determine whether a control is effective, the auditor should consider 
whether sufficient evidence has been obtained to support the 
preliminary assessment of control effectiveness (see FAM 370). 

Determine the Timing of Control Tests: 

.21: The auditor should determine when to perform control tests. For
efficiency, the auditor may perform most control testing on an interim
basis that covers 9 or 10 months of the audit period and perform a roll
forward and limited testing for the remaining audit period. This is 
particularly applicable in control tests of payroll and nonpayroll 
expenditures. Another approach is for the auditor to determine the 
actual population of transactions for the audit period through an 
interim date and estimate the transactions for the remaining audit 
period. A statistical sample can then be drawn that covers the entire 
audit period with the bulk of testing completed during the interim 
period, and the remaining items tested immediately after year-end. The 
auditor generally should overestimate the remaining items in the 
population so every item will have a chance of selection. An 
underestimate by the auditor would leave some items outside the 
population sample and not subject to audit sampling, although they may 
be tested in other ways. 
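
The second approach in .21 can be sketched as follows. This is an 
added example, not part of the manual: it draws one sample over a 
frame built from the actual interim population plus an estimate of the 
remaining items, then shows what happens at year-end when the estimate 
was too high or too low. Sequential transaction numbers, the sample 
size, the counts, and the fixed seed are assumptions.

```python
import random


def plan_sample(interim_count, estimated_remaining, sample_size, seed):
    """Draw a random sample (without replacement) over the whole audit period.

    Transactions are assumed to be numbered 1..N in processing order, so
    numbers above interim_count refer to items that do not exist yet.
    """
    frame_size = interim_count + estimated_remaining
    rng = random.Random(seed)            # fixed seed so the draw is repeatable
    picks = sorted(rng.sample(range(1, frame_size + 1), sample_size))
    return {
        "frame_size": frame_size,
        "test_at_interim": [n for n in picks if n <= interim_count],
        "test_after_year_end": [n for n in picks if n > interim_count],
    }


def resolve_at_year_end(plan, actual_total):
    """Compare the planned frame with the actual year-end population."""
    frame_size = plan["frame_size"]
    later = plan["test_after_year_end"]
    outside = None
    if actual_total > frame_size:
        # Underestimate: these items were never in the frame, so they had
        # no chance of selection and are not covered by the sample.
        outside = (frame_size + 1, actual_total)
    return {
        # Selections that correspond to a real transaction.
        "testable": [n for n in later if n <= actual_total],
        # Overestimate: selections beyond the last real transaction.
        "unused": [n for n in later if n > actual_total],
        "outside_frame": outside,
    }


if __name__ == "__main__":
    # Constructed figures: 9,000 transactions through the interim date,
    # 3,500 estimated for the rest of the year, 60 items sampled.
    plan = plan_sample(9_000, 3_500, 60, seed=2008)
    print("interim selections:", len(plan["test_at_interim"]))
    print("year-end selections:", len(plan["test_after_year_end"]))
    print("overestimated:", resolve_at_year_end(plan, 12_100))
    print("underestimated:", resolve_at_year_end(plan, 12_900))
```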

Determine the Nature, Extent, and Timing for Compliance with FFMIA: 

.22: If the auditor believes it is likely that the opinion on the 
financial statements will be unqualified (or that qualifications will 
not relate to the entity’s ability to prepare reliable financial 
statements or provide reliable financial information when needed), that 
internal control will be determined to be effective, and that the 
auditor will find no instances of noncompliance with legal and 
regulatory requirements, then the auditor should test each of the 
elements of systems’ compliance with FFMIA. Also, the auditor may test 
for systems’ compliance with FFMIA in other circumstances, as discussed 
in FAM 350.05. 

.23: When the auditor tests systems’ compliance with FFMIA as discussed 
in FAM 350.03, the auditor generally should perform these tests 
concurrently with control tests as described in FAM 360. The issues 
relevant to determining the nature, extent, and timing of control tests 
discussed in the FAM also apply to tests of systems’ compliance with 
FFMIA. The auditor should read any management-developed documentation 
for its assertion about the systems’ conformance with systems 
requirements in its FMFIA section 4 report and any work it may have 
done for FFMIA as described in OMB Circular No. A-123. 

.24: Management’s documentation may be the basis for tests of the 
systems’ compliance. If, for example, management provides the auditor 
with a checklist detailing the functions the systems are able to 
perform, the auditor generally should select some significant functions 
from the checklist and determine whether the systems actually perform 
them. The auditor may do this based on knowledge the auditor has 
acquired from gaining an understanding of the systems, as well as by 
additional observation, inquiry, inspection, and walk-throughs for 
control tests. If management has not provided documentation, the 
auditor may perform direct testing of systems for compliance based on 
the requirements of FFMIA. If management is unable to provide any 
documentation, the auditor should inquire why there is no documentation 
and how management has determined whether it is in compliance. Lack of 
documentation often indicates that the systems do not substantially 
comply with FFMIA. 

360 - Perform Nonsampling Control Tests and Test Compliance with FFMIA: 

.01: The auditor should design and conduct tests of control activities 
that are effective in design and have been implemented to determine 
their effectiveness in operation. (See FAM 380.02 if control activities 
are not effective in design during the entire audit period.) The 
auditor generally should: 

* request assistance from an IS controls specialist to test information
system (IS) controls (FAM 360.03-.10); 

* perform nonsampling control tests (the auditor generally should 
perform sampling control tests in the testing phase, as discussed in
FAM 450) (FAM 360.11-.13); and 

* evaluate the results of nonsampling control tests (FAM 360.14-.15). 

.02: The auditor also should design and conduct tests of the financial
management systems’ compliance with the three requirements of FFMIA, if
the auditor determines that such tests are necessary (see FAM 350.02-.05
and 350.22-.24). Many nonsampling control tests can also serve as tests 
for compliance with FFMIA, especially the systems requirements and the 
SGL, although testing for accounting standards (U.S. GAAP) will include
substantive procedures, done as part of the testing phase. After 
testing, the auditor may make a preliminary conclusion as to whether 
the entity’s financial management systems comply with FFMIA (see FAM 
360.16). 

Test Information System Controls: 

.03: The auditor should identify controls listed in the SCE or 
equivalent document whose effectiveness depends on information system 
processing (IS controls). Due to the technical nature of many IS 
controls, the auditor generally should obtain assistance from an IS 
controls specialist in conducting tests of these controls and should 
document conclusions on the effectiveness of IS controls during the 
audit period. FAM 295 F discusses types of IS controls. 

IS controls consist of those internal controls that are dependent on 
information systems processing and include general controls (entitywide,
system, and business process application levels), business process
application controls (input, processing, output, master file, 
interface, and data management system controls), and user controls 
(controls performed by people interacting with information systems). 
General and business process application controls are always IS 
controls. A user control is an IS control if its effectiveness depends 
on information systems processing or the reliability (accuracy, 
completeness, and validity) of information processed by information 
systems. Conversely, a user control is not an IS control if its 
effectiveness does not depend on information systems processing or the 
reliability of information processed by information systems. 

The auditor, with the assistance of the IS controls specialist, should
identify and test the general controls and business process application
controls upon which the effectiveness of each IS control identified in 
the SCE form depends. For example, if the IS control is the review of an
exception report, the auditor should identify and test the business 
process application controls directly related to the production of the 
exception report, as well as the general and other business process 
application controls upon which the reliability of the information in 
the exception report depends. This testing would include controls over 
the proper functioning of the business process application that 
generated the exception report and the reliability of the data used to 
generate the exception report. In addition, the auditor should test the 
effectiveness of the user control (i.e., management review and follow-up 
on the items in the exception report). 

.04: If the auditor identifies IS controls for testing, the auditor, 
with IS controls specialist assistance, should evaluate the 
effectiveness of: 

* general controls at the entitywide and system levels; 

* general controls at the application level; and

* specific application (business process) controls, interface controls, 
data management system controls, and/or user controls, unless the IS
controls that achieve the control objectives are general controls. 

If controls are not effective, see FAM 360.07 and FAM 360.09. 

.05: The auditor, with IS controls specialist assistance, should 
determine whether entitywide and system-level general controls are 
effectively designed, placed in operation, and operating effectively 
by: 

* identifying applicable general controls; 

* determining how those controls function, and whether they have been
placed in operation; and

* evaluating and testing the effectiveness of the identified controls. 

The auditor and the IS controls specialist generally should use 
knowledge obtained in the planning phase. The auditor, with assistance 
from the IS controls specialist, should document the understanding of 
general controls and should conclude whether such controls are 
effectively designed, placed in operation, and, for those controls 
tested, operating as intended. 

Tests of General Controls at the Entitywide and System Levels: 

.06: The auditor may test general controls through a combination of 
procedures, including observation, inquiry, inspection (which includes a
review of documentation on systems and procedures), and reperformance
using appropriate test software. Although sampling is generally not 
used to test general controls, the auditor may use sampling to test 
certain controls, such as those involving approvals. 

.07: If general controls are not effectively designed and operating as 
intended, the auditor will generally be unable to obtain satisfaction 
that application controls are effective. In such instances, the auditor 
should (1) determine and document the nature and extent of risks 
resulting from ineffective general controls, (2) identify and test any 
manual controls that achieve the control objectives that the IS 
controls in the SCE or equivalent document were unable to achieve, and 
(3) see FAM 580 for classifying and reporting control deficiencies. 

If manual controls do not achieve the control objectives, the auditor, 
with IS controls specialist assistance, should determine whether any 
specific IS controls are designed to achieve the objectives. If not, 
the auditor should develop appropriate findings principally to provide 
recommendations to improve internal control. If specific IS controls 
are designed to achieve the objectives, but are in fact ineffective 
because of poor general controls, testing would typically not be 
necessary, except to support findings. 

Tests of General Controls at the Application Level: 

.08: If the auditor reaches a favorable conclusion on general controls 
at the entitywide and system levels, the IS controls specialist should 
evaluate and test the effectiveness of general controls for those 
applications within which application controls or user controls are to 
be tested. 

.09: If general controls are not operating effectively within the 
application, application controls and user controls generally will be 
ineffective. In such instances, the IS controls specialist should 
discuss the nature and extent of risks resulting from ineffective 
general controls with the audit team. The auditor should determine 
whether to proceed with the evaluation of application controls and user 
controls. 

Tests of Application Controls and User Controls: 

.10: The auditor, with IS controls specialist assistance, generally 
should perform tests of those application controls and user controls 
necessary to achieve the control objectives where the entitywide, 
system, and application-level general controls were determined to be 
effective. 

Perform Nonsampling Control Tests: 

.11: The auditor should (1) develop audit procedures that incorporate 
the nature, extent, and timing of planned nonsampling control tests, 
including tests for compliance with FFMIA for CFO Act agencies, and (2) 
perform nonsampling control tests according to the audit procedures. 
When testing controls, the auditor should determine whether adequate 
segregation of duties exists as indicated in FAM 360.12-.13.

Segregation of Duties: 

.12: Segregation-of-duties controls are designed to reduce the 
opportunities for any person to be in a position both to perpetrate and 
to conceal misstatements, especially fraud, in the normal course of 
duties. Typically, an entity achieves adequate segregation of duties by 
establishing controls (such as segregating asset custody from 
recordkeeping functions) to prevent any person from having uncontrolled 
access to both assets and related records. 

.13: The auditor should test segregation of duties in the situations 
described in FAM 330.08. The auditor may use the following procedures 
to test segregation-of-duties controls: 

a. Identify the assets to be controlled through the segregation of 
duties. 

b. Identify the individuals who have authorized access (direct or 
indirect) to the assets. Direct access exists when the individual is 
authorized to handle the assets directly (such as during the processing 
of cash receipts). Indirect access exists when the individual is 
authorized to prepare documents that cause the release or transfer of 
assets (such as preparing the necessary forms to request a cash 
disbursement or transfer of inventory). 

c. For each individual with authorized access to assets, determine
whether there are sufficient asset access controls. Asset access 
controls are those controls that are designed to provide assurance that 
actions taken by individuals with authorized access to assets are 
reviewed and approved by other individuals. For example, an approval of 
an invoice for payment generally provides asset access controls 
(relating to cash) over those individuals authorized to prepare 
supporting documentation for the transaction. If information systems 
provide access to assets, the auditor should design tests of IS 
controls to identify (1) individuals (including IS personnel) who may 
use the computer to obtain access, and (2) asset access controls over 
such individuals. 

d. For individuals with authorized access to assets over which asset
access controls are insufficient, determine whether such individuals
can affect any recording of transactions in the accounting records. If 
so, segregation of duties is insufficient, unless such access to 
accounting records is controlled. For example, the person who processes 
cash receipts may also be able to record entries in the accounting 
records. Such a person may be in a position to manipulate the accounting
records to conceal a shortage in the cash account, unless another
individual reviews all accounting entries made (and those that should
have been made) by that person. 

In an IS accounting system, access to assets frequently provides access 
to records. For example, generation of a check may automatically record 
a related accounting entry. In such circumstances, a lack of asset 
access controls would result in inadequate segregation of duties, and 
the auditor should determine whether other controls would mitigate the 
effects of this lack of asset access control. 
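
Added example, not part of the GAO manual: a sketch of steps a through d
of FAM 360.13 run over a constructed access listing, including the IS
case in which access to the asset also records the accounting entry.
The record layout, names, and finding codes are assumptions made for
illustration.

```python
"""Segregation-of-duties check following steps a-d of FAM 360.13 (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetAccess:
    person: str
    asset: str                           # step a: asset to be controlled
    kind: str                            # step b: "direct" or "indirect"
    approvers: frozenset = frozenset()   # who reviews and approves the action
    auto_posts: bool = False             # IS case: the action also records an entry


@dataclass(frozen=True)
class RecordAccess:
    person: str
    asset: str                           # asset whose accounting records can be posted
    reviewers: frozenset = frozenset()   # who reviews this person's entries


def independent(person, names):
    """Reviewers other than the person; a self-review is not a control."""
    return {n for n in names if n != person}


def evaluate_segregation(asset_access, record_access):
    """Return sorted (person, asset, finding_code) tuples.

    UNREVIEWED_RECORD_ACCESS: step d fails; the person has uncontrolled
        access to both the asset and its accounting records.
    ASSET_ACCESS_POSTS_RECORDS: uncontrolled asset access that itself
        records the entry; mitigating controls must be evaluated.
    """
    # Step d input: (person, asset) pairs whose postings nobody else reviews.
    unreviewed_posting = {
        (r.person, r.asset)
        for r in record_access
        if not independent(r.person, r.reviewers)
    }
    findings = set()
    for a in asset_access:
        if a.kind not in ("direct", "indirect"):
            raise ValueError(f"unknown access kind: {a.kind!r}")
        # Step c: asset access controls exist when another individual
        # reviews and approves the action.
        if independent(a.person, a.approvers):
            continue
        if a.auto_posts:
            findings.add((a.person, a.asset, "ASSET_ACCESS_POSTS_RECORDS"))
        elif (a.person, a.asset) in unreviewed_posting:
            findings.add((a.person, a.asset, "UNREVIEWED_RECORD_ACCESS"))
    return sorted(findings)


# Constructed sample data (hypothetical people and assets).
ASSET_ACCESS = [
    AssetAccess("clerk_a", "cash", "direct"),       # processes cash receipts
    AssetAccess("clerk_b", "cash", "direct"),
    AssetAccess("ap_tech", "cash", "indirect",      # prepares disbursement requests
                approvers=frozenset({"cert_officer"})),
    AssetAccess("sysadmin", "cash", "direct",       # can generate checks in the system
                approvers=frozenset({"sysadmin"}),  # self-approval only
                auto_posts=True),
    AssetAccess("custodian", "inventory", "direct"),  # no access to records
]
RECORD_ACCESS = [
    RecordAccess("clerk_a", "cash"),
    RecordAccess("clerk_b", "cash", reviewers=frozenset({"supervisor"})),
    RecordAccess("ap_tech", "cash"),
]

if __name__ == "__main__":
    for person, asset, code in evaluate_segregation(ASSET_ACCESS, RECORD_ACCESS):
        print(f"{person:10} {asset:10} {code}")
```
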

Evaluating the Results of Nonsampling Control Tests: 

.14: The auditor should investigate and understand the reasons for any
deviations from control activities noted during nonsampling control 
tests. The auditor may find, for example, that significant 
subpopulations were not subject to controls or that controls were not 
applied during a specific period during the year. In such instances, 
the auditor may determine whether controls are effective for at least 
some parts of the population. For example, an otherwise effective 
control may not have been applied effectively in one month due to 
personnel turnover. For all but that month, the auditor may assess 
controls as effective and reduce related substantive testing. For the 
one month that controls were not effective, the auditor may increase 
substantive testing, if these tests are sufficient to reduce detection
risk. The auditor also should determine whether other controls achieve 
the related control objective(s). 

.15: Additionally, the auditor should gather sufficient evidence to 
report the control deficiency as discussed in FAM 580.33-.61. 

Test Compliance with FFMIA: 

.16: The auditor may make preliminary conclusions as to whether the 
entity’s financial management systems substantially comply with federal 
financial management systems requirements, federal accounting standards 
(U.S. GAAP), and the SGL at the transaction level. However, the auditor 
should not form a final conclusion as to compliance, especially with 
accounting standards, until the auditor completes substantive 
procedures (see FAM 470). 

370 - Assess Internal Control on a Preliminary Basis: 

.01: Based on the evaluation of the design and implementation of 
internal control and the results of nonsampling control tests, the 
auditor should preliminarily assess the effectiveness of internal 
control during the period (for reporting on internal control in a 
nonopinion report and for determining the risk of material misstatement 
used to determine the nature, extent, and timing of further audit 
procedures) and as of the end of the period, if the auditor is 
expressing an opinion on internal control as of that point in time. 
Assessing the effectiveness of IS controls is discussed in FAM 370.03-
.05. Assessing the effectiveness of each type of control – financial 
reporting (including safeguarding), budget, compliance, and operations 
– is discussed in FAM 370.06-.14. 

.02: To assess the effectiveness of internal control, the auditor 
determines whether internal control provides reasonable assurance that 
control objectives are achieved. Internal control only provides 
reasonable assurance that misstatements, losses, or noncompliance, 
material in relation to the financial statements, would be prevented or 
detected during the period under audit. For each control objective that 
is not achieved, the auditor should obtain sufficient (1) information 
to determine whether the deficiency is a material weakness, other 
significant deficiency, or other control deficiency and to develop 
comments in the auditor’s report or separate management report (see FAM 
580.32-.61) and (2) evidence to support the preliminary assessment of 
the effectiveness of internal control and the risk of material 
misstatement. 

Information System Results: 

.03: Based on the procedures performed, the auditor and IS controls 
specialist should discuss conclusions on the effectiveness of IS 
controls and reach agreement. The auditor should (1) incorporate the 
conclusions into the audit documentation for each IS control tested and 
(2) perform tests of application controls (principally manual follow-up 
of exceptions) or user controls identified by the IS controls 
specialist for the audit team to test. 

.04: If the auditor and the IS controls specialist determine that IS 
controls are effective, the auditor may also ask the IS controls 
specialist to identify any IS controls within the applications tested 
that were not previously identified by the auditor using the above 
procedures. For example, such IS controls might achieve control 
objectives not otherwise achieved through manual controls or might be 
more efficient or effective to test than manual controls. 

The IS controls specialist may assist the auditor in determining the
efficiency and effectiveness of searching for and testing additional IS
controls. The auditor should document these decisions, including a
description of the expected nature, extent, and timing of work for the 
IS controls specialist. 

.05: The auditor and the IS controls specialist should work together to
document the procedures for evaluating and testing the effectiveness of 
IS controls and the results of this work. 

Financial Reporting Controls: 

.06: Based on audit procedures performed but before sampling control 
tests,[Footnote 35] if any, the auditor generally should form a 
preliminary conclusion about (1) the effectiveness of financial 
reporting controls as of the end of the period, and (2) the assessed 
level of control risk and the risk of material misstatement during the 
period for each significant assertion in each significant line item or 
account. The risk of material misstatement is the risk that, prior to 
the application of substantive audit procedures, a material 
misstatement exists in a financial statement assertion. 

The risk of material misstatement (formerly referred to in the FAM as
“combined risk”) consists of the risks that (1) a financial statement
assertion is susceptible to material misstatement (inherent risk), and
(2) such material misstatement, either individually or when aggregated
with other misstatements, is not prevented or detected on a timely 
basis by the entity’s internal control (control risk). The auditor uses 
professional judgment in assessing inherent risk, control risk, and the 
risk of material misstatement. 

.07: Preliminary assessment of control risk. For each significant 
assertion in each significant line item or account, the auditor should
assess control risk at one of three levels: 

* Low: The auditor believes that controls will prevent or detect any
aggregate misstatements that could occur in the assertion in excess of
design materiality. 

* Moderate: The auditor believes that controls will more likely than 
not prevent or detect any aggregate misstatements that could occur in
the assertion in excess of design materiality. 

* High: The auditor believes that controls will more unlikely than
likely prevent or detect any aggregate misstatements that could occur
in the assertion in excess of design materiality. 

.08: In assessing control risk in a line item/account assertion, the 
auditor generally should consider the aggregate magnitude of 
misstatements that might not be prevented or detected in significant 
accounting applications that affect the line item or account. For 
example, the cash receipts, cash disbursements, and payroll accounting 
applications typically affect the cash account. Accordingly, the 
auditor should evaluate the risk that aggregate misstatements could 
arise from a combination of those accounting applications and not be 
prevented or detected by controls. 

.09: Preliminary assessment of the risk of material misstatement. In
assessing the risk of material misstatement, the auditor should 
evaluate the likelihood that a material misstatement would occur 
(inherent risk) and not be prevented or detected on a timely basis by 
the entity’s internal control (control risk). The auditor should base 
this preliminary assessment of the risk of material misstatement on the 
auditor’s assessment of inherent risk and control risk. For each 
significant assertion in each significant account, the auditor should 
assess the risk of material misstatement at one of three levels: 

* Low: Based on the evaluation of inherent risk and control risk, but
prior to the application of substantive audit procedures, the auditor
believes that any aggregate misstatements in the assertion do not
exceed design materiality. 

* Moderate: Based on the evaluation of inherent risk and control risk,
but prior to the application of substantive audit procedures, the 
auditor believes that it is more likely than not that any aggregate
misstatements in the assertion do not exceed design materiality. 

* High: Based on the evaluation of inherent risk and control risk, but
prior to the application of substantive audit procedures, the auditor
believes that it is more unlikely than likely that any aggregate
misstatements in the assertion do not exceed design materiality. As a
result, the auditor should obtain most, if not all, audit evidence from
substantive procedures. 

.10: The minimum substantive assurance from substantive procedures 
varies directly with the risk of material misstatement. In other words, 
as the risk of material misstatement increases, so does the minimum 
substantive assurance level. FAM 470 discusses the assurance level in 
more detail. The auditor should document the preliminary assessment of 
control risk and the risk of material misstatement in the ARA or 
equivalent. 

Budget Controls: 

.11: When forming conclusions on the effectiveness of internal control 
related to budget execution, the auditor should evaluate the impact of 
any uncorrected misstatements noted in the proprietary accounts and 
should determine any impact on the budgetary amounts. If the budgetary 
amounts are also misstated, the auditor should determine whether these
misstatements are indications of deficiencies in internal control 
related to budget execution. If audit evidence indicates that internal 
control might not provide reasonable assurance that the entity executed 
transactions in accordance with budget authority, the auditor should 
discuss the legal implications with OGC and document the conclusions. 

Compliance Controls: 

.12: Based on the results of compliance control tests and other audit
procedures, the auditor should: 

* conclude whether the entity’s internal control provides reasonable
assurance that the entity complied with the significant provisions of
laws and regulations and executed transactions in accordance with
budget authority during the period (to assess control risk, to test
compliance as discussed in FAM 460, and/or to report (nonopinion
report) on internal control) and/or as of the end of the period (to
support the opinion on internal control), and

* report deficiencies in compliance controls that come to the auditor’s
attention (see FAM 580.32-.61). 

If compliance controls are effective in preventing or detecting 
noncompliance with relevant provisions of laws and regulations during 
the period, the extent of compliance testing can be less than if such 
controls were not effective, as discussed in FAM 460. 

Operations Controls: 

.13: If the results of control tests indicate that operations controls 
were not effective during the period, the auditor should not place 
reliance on the ineffective operations controls when designing other 
audit procedures. See FAM 580.32-.61 regarding reporting of significant 
deficiencies. 

Reevaluation of Control Risk and the Risk of Material Misstatement: 

.14: After completing the testing phase, discussed in FAM 400, the 
auditor should reevaluate the preliminary assessment of control risk 
and the risk of material misstatement for financial reporting controls 
and control effectiveness for budget, compliance, and operations 
controls. If the test results are contrary to the preliminary 
assessment, the auditor should reevaluate the adequacy of the audit 
procedures performed and perform additional procedures as considered 
necessary. 

380 - Other Considerations: 

Multiyear Testing of Controls: 

.01: When the entity’s control environment, risk assessment, 
communication, and monitoring are strong and inherent and fraud risk 
are low, the auditor may use a multiyear approach for testing IS 
controls. When appropriate, based primarily on favorable results from 
tests in prior years and limited work in the current year, the auditor 
may test IS controls of certain cycles or applications on a multiyear 
basis rather than every year. The auditor should test the operating 
effectiveness of some of these controls each year so that all relevant 
controls are tested at least once during a 3-year period. This is 
because as time elapses, audit evidence becomes less relevant and 
reliable. While the auditor may elect to perform procedures at locations
(see FAM 285) over a longer period for other purposes, only controls at
locations tested within the last 2 years (plus the current year audit) 
can be relied upon by the auditor as part of the current year audit if 
these controls have not changed subsequent to the previous audits. 

In recurring annual audits, if the auditor plans to use audit evidence 
about the operating effectiveness of controls for a particular cycle or 
application obtained in prior audits, the auditor should obtain 
evidence about whether changes in those specific controls have occurred 
subsequent to the prior audit. The auditor should obtain this evidence 
through a combination of observation, inquiry, and inspection to 
confirm the understanding of those specific controls. If the auditor 
plans to rely on controls that have changed since they were last 
tested, the auditor should test the operating effectiveness of such 
controls in the current audit. Based on the results of these 
procedures, the auditor should assess and document whether continued 
reliance on the effectiveness of these controls is appropriate or 
whether to modify other planned audit procedures. 

For example, to confirm that IS controls for a particular cycle or
application that were assessed as operating as intended in prior audits 
are continuing to operate effectively, the auditor may make inquiries of
management and inspect IS logs that would indicate whether the controls
have been changed. This would include whether management was still
periodically reviewing the IS logs and investigating any changes. Based 
on the results of these procedures, the auditor would then reassess 
whether continued reliance on these controls is appropriate or whether 
to modify other planned audit procedures. 

Multiyear testing is not applicable in first-time audits (although the 
auditor may use it in subsequent year audits), or for audits of 
entities that do not have strong control environments, risk assessment, 
communication, and monitoring, as the auditor cannot rely upon the 
controls. Additionally, for assertions for which the auditor has 
preliminarily assessed the risk of material misstatement as a 
significant risk (see FAM 260.12) and the auditor plans to rely on the 
effectiveness of controls to reduce the substantive procedures 
performed, the auditor should obtain audit evidence about the operating 
effectiveness of those controls in the current year. FAM 395 G provides 
additional requirements and guidelines for multiyear testing of 
controls. See AU 318.40-.45. 

Partial-Year Controls: 

.02: In certain situations, such as when new controls are implemented 
during the year, the auditor may elect to test controls only for the 
period that the new controls were operating. In such situations, the 
extent of control testing should remain similar, but be concentrated 
over the period the new controls are in place. 

For any portion of the audit period that financial reporting, budget, 
and compliance controls were not tested (other than as part of a 
multiyear plan as discussed in FAM 380.01), the auditor should design 
compliance and substantive procedures as if these controls were 
ineffective. However, the auditor should evaluate whether substantive 
procedures alone can mitigate the risk of material misstatement for 
this period as discussed in AU 318.08 and AU 314.117-.120. 

Planned Changes in Controls: 

.03: The auditor may become aware of an entity’s plans to implement new
accounting or control systems after the audit period ends. Even though 
new systems or controls are planned, the auditor should evaluate the 
design and implementation of and test controls that were adequately 
designed and implemented through the end of the audit period to: 

* assess the risk of material misstatement; 

* determine the nature, extent, and timing of further audit procedures; 

* provide support for the report or opinion on internal controls; and

* recommend any improvements to the current system that should be 
considered in designing the new systems or controls. 

During the current audit, the auditor may review controls designed into 
the new system and generally should bring any identified deficiencies 
to the attention of entity management. 

390 - Documentation: 

.01: In addition to preparing an audit plan with control testing audit 
procedures (formerly referred to as an audit program) and other 
documentation relevant to the internal control phase, the auditor 
should prepare the documents described in FAM 390.04-.07 or their 
equivalent. 

.02: In the audit plan, the auditor generally should state the 
objectives to achieve by performing the audit procedures for 
significant assertions. The auditor may prepare written guidance for 
the rest of the audit team, either within or accompanying the audit 
procedures, to explain possible exceptions, their nature, and why they 
might be important. This also may help the auditor focus on key 
matters, more readily determine which exceptions are important, and 
identify significant exceptions. 

.03: The auditor also should document: 

* the results of the audit procedures performed, and

* when multiyear testing of controls is used, the auditor’s conclusion 
as to whether reliance in the current year on evidence obtained in prior
year audits about the effectiveness of internal controls is appropriate.
(See FAM 380.01.) 

.04: As the audit work is performed, the auditor may become aware of 
possible significant deficiencies or other matters that should be 
communicated to the entity, including those charged with governance. 
The auditor should document and communicate these as described in FAM 
290.02 and FAM 580.52-61. 

Cycle Memorandums and Flowcharts: 

.05: The auditor should document the understanding gained of each of 
the five components of internal control (control environment, entity 
risk assessment, information and communication, control activities, and
monitoring), including information systems. The auditor should prepare
sufficient documentation to clearly describe the accounting system. The
auditor should include in this documentation evidence about 
implementation of the controls. For each significant cycle, the auditor
should prepare a cycle memorandum or equivalent. Also, the auditor
generally should prepare a flowchart of the cycle and component
accounting application(s). 

Flowcharts provide a good mechanism to document the process and the
flow of transactions through the system. However, the auditor generally
should avoid extreme detail, which makes the charts confusing and hard 
to follow. Complex systems, particularly those involving information
technology, may be difficult to understand without a flowchart. To the
extent required as described above, the auditor should use the following
documents or equivalents to document relevant accounting systems
information for financial reporting controls: 

* A cycle memorandum: 

(1) identifies the cycle transactions, each significant accounting
application, and each significant financial management system included 
in the cycle; 

(2) describes interfaces with other cycles; 

(3) identifies financial statement line items, relevant assertions, and
general ledger accounts included in the cycle; 

(4) describes the operating policies and procedures relating to the
processing of cycle transactions (see FAM 320.03);[Footnote 36] and

(5) identifies major internal controls (overview only). 

The auditor should describe the procedures performed and conclusions
reached on implementation of controls. 

For CFO Act agencies, the auditor may include in the cycle memorandum 
information on FFMIA requirements considered to this point, such as 
systems requirements and the SGL. 

* Flowcharts complement the related cycle memorandum and summarize the 
significant transaction flows in terms of: 

(1) input and report documents; 
(2) processing steps; 
(3) files used; 
(4) units involved; and
(5) interfaces with other cycles and accounting applications. 

Although the auditor may have gathered information on control 
activities when preparing flowcharts, the auditor should document
these control activities in the SCE worksheet or equivalent. Major
controls may be included in the flowchart. 

.06: The auditor should document the understanding of relevant 
compliance and operations control systems in a memorandum and 
generally should prepare a flowchart addressing each point discussed in 
FAM 320.05-.07. 

SCE Worksheet: 

.07: The auditor should document the evaluation of specific control 
activities in the SCE worksheet or equivalent. The auditor should 
document control tests in the control test audit plan (formerly 
referred to as the audit program) and in accompanying documents. The 
auditor should also document any information system control tests as 
discussed in FAM 370.05. FAM 395 H presents an example of a completed 
SCE worksheet. 

Updating the ARA Form: 

.08: The auditor should update the ARA form or equivalent by completing 
the internal control phase columns, as illustrated in FAM 395 I. The ARA
should also include the results of risk assessment procedures and
evaluation of the design and implementation of controls for risks for 
which the auditor has judged that detection risk at the relevant 
assertion level cannot be reduced to an acceptably low level using only 
audit evidence from substantive procedures as discussed in FAM 310.02 and 
AU 314.117. 

395 A - Typical Relationships of Accounting Applications to Line 
Items/Accounts: 

This section illustrates the typical relationships between accounting 
applications and line items or accounts. For example, sources of 
significant accounting entries to cash typically include the cash 
receipts, cash disbursements, payroll, and cash accounting 
applications. For each significant line item or account, the auditor 
should develop an understanding of how potential misstatements in 
significant accounting applications could affect the significant 
assertions of the related line item or account. In turn, the auditor 
should identify the control objectives and relevant control techniques 
to achieve those objectives. The relationship between accounting 
applications and line item assertions is discussed in FAM 330.04-
330.07. 

Line items/accounts: Cash or FBWT; 
Transaction-related accounting applications: Billing: [Empty]; 
Transaction-related accounting applications: Cash receipts: [Check]; 
Transaction-related accounting applications: Purchasing: [Empty]; 
Transaction-related accounting applications: Cash disbursements: 
[Check]; 
Transaction-related accounting applications: Payroll: [Check]; 
Line item/account-related accounting applications: Cash: [Check]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Accounts Receivable; 
Transaction-related accounting applications: Billing: [Check]; 
Transaction-related accounting applications: Cash receipts: [Check]; 
Transaction-related accounting applications: Purchasing: [Empty]; 
Transaction-related accounting applications: Cash disbursements: 
[Empty]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Check]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Inventory; 
Transaction-related accounting applications: Billing: [Check]; 
Transaction-related accounting applications: Cash receipts: [Empty]; 
Transaction-related accounting applications: Purchasing: [Check]; 
Transaction-related accounting applications: Cash disbursements: 
[Empty]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Check]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Property; 
Transaction-related accounting applications: Billing: [Empty]; 
Transaction-related accounting applications: Cash receipts: [Empty]; 
Transaction-related accounting applications: Purchasing: [Check]; 
Transaction-related accounting applications: Cash disbursements: 
[Check]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Check]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Liabilities; 
Transaction-related accounting applications: Billing: [Empty]; 
Transaction-related accounting applications: Cash receipts: [Empty]; 
Transaction-related accounting applications: Purchasing: [Check]; 
Transaction-related accounting applications: Cash disbursements: 
[Check]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Check]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Revenue; 
Transaction-related accounting applications: Billing: [Check]; 
Transaction-related accounting applications: Cash receipts: [Check]; 
Transaction-related accounting applications: Purchasing: [Empty]; 
Transaction-related accounting applications: Cash disbursements: 
[Empty]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Expenses; 
Transaction-related accounting applications: Billing: [Empty]; 
Transaction-related accounting applications: Cash receipts: [Empty]; 
Transaction-related accounting applications: Purchasing: [Check]; 
Transaction-related accounting applications: Cash disbursements: 
[Check]; 
Transaction-related accounting applications: Payroll: [Check]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Empty]. 

Line items/accounts: Obligations; 
Transaction-related accounting applications: Billing: [Empty]; 
Transaction-related accounting applications: Cash receipts: [Empty]; 
Transaction-related accounting applications: Purchasing: [Check]; 
Transaction-related accounting applications: Cash disbursements: 
[Check]; 
Transaction-related accounting applications: Payroll: [Empty]; 
Line item/account-related accounting applications: Cash: [Empty]; 
Line item/account-related accounting applications: Accounts receivable: 
[Empty]; 
Line item/account-related accounting applications: Inventory: [Empty]; 
Line item/account-related accounting applications: Property: [Empty]; 
Line item/account-related accounting applications: Accounts payable: 
[Empty]; 
Line item/account-related accounting applications: Obligation: [Check]. 

[End of table] 

395 B - Financial Statement Assertions, Potential Misstatements, and 
Control Objectives: 

This section lists potential misstatements that could occur in each 
financial statement assertion within an accounting application, 
together with related control objectives. The auditor may tailor this 
information to the accounting application and to the entity and may add 
other control objectives or subobjectives. The assertion, potential 
misstatement, and control objective illustrated in this section may be 
used in preparing the first, fourth, and fifth columns of the SCE 
worksheet, which is illustrated in FAM 395 H. However, this section is 
provided as a reference and does not require completion as a form. 

Transaction-related: 

Assertion: Existence or occurrence; 
Potential misstatement: Occurrence/validity: 
1. Recorded transactions and events do not represent economic events 
that actually occurred or do not pertain to the entity. 
Control objective: Occurrence/validity: 
1a. Recorded transactions, underlying events, and related processing 
procedures are authorized by federal laws, regulations, and management 
policy. 
1b. Appropriate individuals approve recorded transactions in accordance 
with management’s general or specific criteria. 
1c. Recorded transactions represent events that actually occurred, are 
properly classified, and pertain to the entity. 

Assertion: Existence or occurrence; 
Potential misstatement: Cutoff: 
2. Transactions are recorded in the current period, but the related 
economic events occurred in a different period. 
Control objective: Cutoff: 
2. Transactions recorded in the current period represent economic 
events that occurred during the current period. 

Assertion: Existence or occurrence; 
Potential misstatement: Summarization:
3. Transactions are summarized improperly, resulting in an overstated
total. 
Control objective: Summarization: 
3. The summarization of recorded transactions is not overstated. 

Line item/account-related: 

Assertion: Existence or occurrence; 
Potential misstatement: Substantiation:
4. Recorded assets and liabilities do not exist at a given date. 
Control objective: Substantiation: 
4a. Recorded assets and liabilities exist at a given date. 
4b. Recorded assets and liabilities of the entity, at a given date, are 
supported by appropriate detailed records that are accurately
summarized and reconciled to the account balance. 
4c. Access to assets, critical forms, records, and processing and 
storage areas is permitted only in accordance with laws, regulations, 
and management policy. 

Transaction-related: 

Assertion: Completeness: 
Potential misstatement: Transaction completeness:
5. Valid transactions are not recorded or are improperly classified. 
Control objective: Transaction completeness: 
5. All valid transactions are recorded and classified properly. 

Assertion: Completeness: 
Potential misstatement: Cutoff: 
6. Economic events occur in the current period, but the related 
transactions are recorded in a different period. 
Control objective: Cutoff: 
6. All economic events that occurred in the current period are recorded 
as transactions in the current period. 

Assertion: Completeness: 
Potential misstatement: Summarization:
7. Transactions are summarized improperly, resulting in an understated 
total. 
Control objective: Summarization: 
7. The summarization of recorded transactions is not understated. 

Line item/account-related: 

Assertion: Completeness: 
Potential misstatement: Account completeness: 
8. Assets and liabilities of the entity exist but are omitted from the 
financial statements. 
Control objective: Account completeness: 
8. All accounts, assets and liabilities that exist as of the reporting 
date that belong in the financial statements are included in the 
financial statements. There are no undisclosed assets or liabilities. 

Transaction-related: 

Assertion: Accuracy/Valuation; 
Potential misstatement: Accuracy: 
9. Transactions are recorded at incorrect amounts. 
Control objective: Accuracy: 
9. Transactions are recorded at correct amounts. 

Line item/account-related: 

Assertion: Accuracy/Valuation; 
Potential misstatement: Valuation: 
10. Assets and liabilities included in the financial statements are 
valued on an inappropriate basis. 
Control objective: Valuation: 
10. Assets and liabilities included in the financial statements are 
valued on an appropriate valuation basis. 

Assertion: Accuracy/Valuation; 
Potential misstatement: Measurement: 
11. Revenues and expenses included in the financial statements are 
measured improperly. 
Control objective: Measurement: 
11. Revenues and expenses included in the financial statements are 
measured properly. 

Line item/account-related: 

Assertion: Rights and obligations; 
Potential misstatement: Ownership: 
12. Recorded assets are owned by others because of sale, consignment, 
or other contractual arrangements. 
Control objective: Ownership: 
12. The entity owns (i.e., has valid title to) recorded assets. 

Assertion: Rights and obligations; 
Potential misstatement: Rights: 
13. The entity does not have certain rights to recorded assets because 
of liens, pledges, or other restrictions. 
Control objective: Ownership: 
13. The entity has the rights to recorded assets at a given date. 

Assertion: Rights and obligations; 
Potential misstatement: Obligations: 
14. The entity does not have an obligation for recorded liabilities at 
a given date. 
Control objective: Obligations: 
14. Liabilities are the entity's obligations at a given date. 

Line item/account-related: 

Assertion: Presentation and disclosure; 
Potential misstatement: Account classification: 
15. Accounts or the transactions they accumulate are not properly 
classified and described in the financial statements. 
Control objective: Account classification: 
15. Accounts and all the transactions they accumulate are properly 
classified and described in the financial statements. 

Assertion: Presentation and disclosure; 
Potential misstatement: Consistency: 
16. The current period financial statement components are based on
accounting principles different from those used in the prior periods
presented. 
Control objective: Consistency: 
16. The financial statement components are based on accounting 
principles that are applied consistently from period to period. 

Assertion: Presentation and disclosure; 
Potential misstatement: Disclosure: 
17. Information needed for fair presentation in accordance with U.S.
GAAP is not disclosed in the financial statements or in the related 
footnotes.[Footnote 37] 
Control objective: Disclosure: 
17. The financial statements and related footnotes contain all 
information needed for fair presentation in accordance with U.S. GAAP. 

Transaction-related: 

Assertion: Presentation and disclosure; 
Potential misstatement: Segregation of duties: [Footnote 38] 
18. The entity is exposed to loss of assets and various potential 
misstatements, including certain of those above, as the result of
inadequate segregation of duties. 
Control objective: Segregation of duties: 
18. Persons do not have uncontrolled access to both assets and records; 
they are not assigned duties to put them in a position that would allow 
them to both commit and conceal errors or fraud. 

[End of table] 

395 C - Typical Control Activities: 

Authorization: 

.01: Authorization controls are designed to provide reasonable 
assurance that (1) transactions, (2) events from which they arise, and 
(3) procedures under which they are processed are authorized in 
accordance with laws, regulations, and management policy. Typical 
authorization controls include: 

* documented policies establishing events or transactions that the 
entity is authorized to engage in by law, regulation, or management 
policy; 

* documented policies and procedures for processing transactions in 
accordance with laws, regulations, or management policy; and 

* master files include only authorized employees, customers, or 
suppliers. 

Approval: 

.02: Approval controls are designed to provide reasonable assurance that
appropriate individuals approve recorded transactions in accordance with
management’s general or specific criteria. Typical approval controls 
occur when: 

* Transactions are approved by persons having the authority to do so 
(such as the specific approval of purchases by the procurement officer
or other designated individual with procurement authority) in 
accordance with established policies and procedures. 

* Transactions are compared with predetermined expectations (invoice
terms are compared with agreed-upon prices, input is checked for valid
data type for a particular field, etc.), and exceptions are reviewed by
someone authorized to approve them. 

* Transactions are compared with approved master files (such as 
approved customer credit limits or approved vendors) before approval
or acceptance, and exceptions are reviewed by someone authorized to
approve them or correct the situation. 

* Key records are matched before a transaction is approved (such as the
matching of purchase order, receiving report, and vendor invoice 
records before an invoice is approved for payment). 

* Before acceptance, changes to data in existing files are independently
approved, evidenced by either documentary or online approval of input
before processing. 

Segregation of Duties: 

.03: Segregation-of-duties controls are designed to reduce the 
opportunities for someone to both cause and conceal errors or fraud. 
Typically, an entity achieves adequate segregation of duties by 
establishing controls (such as segregating asset custody from 
recordkeeping functions) to prevent any person from having uncontrolled 
access to both assets and records. See FAM 330.08 and 360.12-.13 for 
additional discussions of segregation-of-duties controls. 

Design and Use of Documents and Records: 

.04: Controls over the design and use of records help provide reasonable
assurance that transactions and events are recorded. Such controls
typically include: 

* Prenumbered forms are used to record all of an entity’s transactions,
and accountability is maintained for the sequence of all numbers used.
(For example, prenumbered billing documents, vouchers, purchase orders, 
etc., are accounted for in numerical sequence when they are used, and 
any numbers missing from the sequence are investigated). 

* Receiving reports, inspection documents, purchase orders, and other
information is matched with billing notices, such as vendor invoices, or
other documents used to record delivered orders and related liabilities
to provide assurance that all and only valid transactions are recorded. 

* Transaction documents (such as vendor invoices or shipping documents) 
are stamped with the date and tracked (through periodic supervisory 
reviews) to provide assurance that transactions are recorded. 

* Source documents are canceled after processing (for example, invoices
are stamped, perforated, or written on after they are paid) to provide 
assurance that the same documents will not be reused and will not 
result in the entity recording transactions more than once. Also, only
original documents are used to process transactions. 

Safeguards over Access to and Use of Assets and Records: 

.05: Access controls are designed to protect assets and records against 
physical harm, theft, loss, misuse, or unauthorized alteration. These 
controls restrict unauthorized access to assets and records. The 
auditor should determine whether to evaluate segregation of duties of 
persons who have authorized access to assets and records following FAM 
330.08. Typical access controls include: 

* Cash receipt totals are recorded before cash is deposited. 

* Secured facilities (locked rooms, fenced areas, vaults, etc.) are 
used. Access to critical forms and equipment (such as check signing
machines and signature stamps) is limited to authorized personnel. 

* Access to information system programs and data files is restricted to
authorized personnel. (For example, manual records, computer terminals, 
and backup files are kept in secured areas to which only authorized 
persons can gain access. Access is restricted by logical access 
controls.) 

* Assets and records are protected against physical harm. (For example,
intruder alarms, security guards, fire walls, a sprinkler system, etc., 
are used to prevent intentional or accidental destruction of assets and
records.) 

* Incoming and outgoing assets are counted, inspected, and received or
given up only on the basis of proper authorization (such as a purchase
order, contract, or shipping order) in accordance with established
procedures. 

* Procedures provide reasonable assurance that current files can be
recovered in the event of a computer failure. (For example, the entity
has implemented a backup and recovery plan, such as using on-premises
or off-premises file backup, off-site storage of duplicate programs and 
operating procedures, and standby arrangements to use a second 
processing facility if the entire data center is destroyed.) 

* Access to critical forms and records is restricted. (For example, 
secured conditions are established and maintained for manual records
and media used to access assets, such as blank checks or forms for the
release of inventory.) 

Independent Checks: 

.06: Controls are designed to provide independent checks on the 
validity, accuracy, and completeness of processed data. Procedures that 
are typical of this category of controls include: 

* Calculations, extensions, additions, and accounting classifications 
are independently reviewed. (For example, arithmetic on vouchers is
independently recomputed (either manually or by computerized systems), 
and transactions and accounting classifications are subsequently 
reviewed.) 

* Assets on hand are periodically inspected and counted, and the results
are compared with asset records. (For example, inventories are 
inspected and physically counted at the end of each year and compared
with inventory records.) 

* Subsidiary ledgers and records are reconciled to general ledgers. 

* The entity promptly follows up on complaints from vendors, customers,
employees, and others. 

* Management reviews performance reports. (For example, the warehouse 
manager reviews performance reports on the accuracy and timeliness of 
fulfilling shipping orders and recording them in the sales processing 
system.) 

* Data from different sources are compared for accuracy and 
completeness. (For example, the cash journal entry is compared with the 
authenticated bank deposit slip and with the detailed listing of cash 
receipts prepared independently when mail was opened, and units billed 
are compared with units shipped.) 

* Actual operating results (such as personnel cost or capital 
expenditures for a particular organizational component or an entity as 
a whole) are compared with approved budgets, and variances are 
explained. 

Valuation of Recorded Amounts: 

.07: Controls in this category are designed to provide assurance that 
assets are accurately valued at appropriate amounts. Typical valuation 
controls are: 

* Periodic evaluation of the condition and marketability of assets. (For
example, inventory is periodically reviewed for physical damage, 
deterioration, or obsolescence, or receivables are evaluated for
collectibility.) 

* Recorded data are compared with information from an independent third 
party. (For example, recorded cash is reconciled to bank statements, 
and suppliers’ accounts are reconciled to monthly statements from 
suppliers.) 

* Assessed values (such as independent appraisals of assets) are 
compared with the accounting records. 

Summarization of Accounting Data: 

.08: Controls in this category are designed to provide assurance that
transactions are accurately summarized and that any adjustments are 
valid. Typical controls in this category include: 

* The sources of summarized data (such as ledgers, journals, and/or 
other records) are compared with the underlying subsidiary records 
and/or documents before the data are accepted for inclusion in 
summarized records and reports. (For example, when FBWT in the general 
ledger is reconciled to the balance from Treasury, any necessary 
journal entries are compared to source documents, and the summaries of 
journal entries are compared to the individual journal entries before 
the summarized entries are posted to the general ledger.) 

* Procedures are followed to check the completeness and accuracy of
data summarization, and exceptions are reviewed and resolved by 
authorized persons. (For example, batch totals are compared with 
appropriate journals, hash totals are compared at the beginning and end
of processing, and totals passed from one system or application to
another are compared.) 

Rights and Obligations: 

.09: Controls in this category are designed to provide assurance that 
(1) the entity owns recorded assets, with the ownership supported by 
appropriate documentation; (2) the entity has the rights to its assets 
at a given date, and (3) recorded liabilities reflect the entity’s 
obligations at a given date. 

Procedures that are typical of this category of controls include: 

* Policies and procedures are documented (such as policy, procedures, 
and training manuals, together with organization charts) for initiating
transactions and for identifying and monitoring those transactions and
accounts warranting attention with respect to ownership. 

* Policies and procedures are documented for initiating and monitoring
transactions and accounts related to obligations. 

* Significant transactions require the approval of senior management. 

* Reported results and balances are compared with plans and 
authorizations. 

Presentation and Disclosure: 

.10: Controls in this category are designed to provide assurance that 
(1) accounts are properly classified and described in the financial 
statements, (2) the financial statements are prepared in conformance 
with U.S. GAAP, and (3) footnotes contain all information needed for 
fair presentation. Procedures that are typical of this category of 
controls include: 

* Policies and procedures are documented for accumulating and 
disclosing financial information in the financial statements by 
appropriate personnel. Responsibility is assigned to specific 
individuals. 

* Policies and procedures are documented for preparing financial
statements by authorized personnel having sufficient experience and
expertise to comply with U.S. GAAP. 

* Policies and procedures are documented (such as policy and procedures 
manuals, together with organization charts) for properly classifying 
and clearly describing financial information in the financial 
statements. 

* Reports are periodically compared with underlying documents and 
evaluated by supervisory personnel. Procedures are implemented to 
detect and correct misstatements and to evaluate recorded balances. 

* A written chart of accounts containing a description of each account 
is used, such as the SGL. Journal entries are prepared, reviewed,
compared with supporting details where necessary, and approved each
accounting period, including year-end closing. 

* Appropriate processing procedures are used, including control totals,
batch totals, edit checks, or other computerized controls. Written 
cutoff and closing schedules are also used. 

* The same chart of accounts is used for both budgeting and reporting, 
and variances between actual and planned results are analyzed. 

395 D - Selected Statutes Relevant to Budget Execution: 

.01: Antideficiency Act: This statute places limitations on the 
obligation and expenditure of government funds. Expenditures and 
obligations may not exceed the amounts available in the related 
appropriation or fund accounts. Unless allowed by law, amounts may not 
be obligated before they are appropriated. Additionally, the amount of 
obligations and expenditures may not exceed the amount of the 
apportionments received. (See 31 U.S.C. sections 1341-1342, 1351, and 
1517 for further information.) Also, see FAM 803. 

.02: Purpose statute: This statute states that appropriations may be 
obligated and expended only for the purposes stated in the 
appropriation. (See 31 U.S.C. 1301 for further information.) 

.03: Time statute: This statute states that appropriations may be 
obligated or expended only during the period of availability specified 
by law. (See 31 U.S.C. 1502 for further information.) 

One-year (annual) or multiple-year (multiyear) appropriations often are
referred to as fixed accounts. These accounts are available for 
obligation for a definite period of time. Multiple-year appropriations 
may also cover periods different than the fiscal year, such as July 1 
of one fiscal year through September 30 of the next fiscal year – a 
period of 15 months. This type of multiple-year authority is sometimes 
referred to as forward funding. 

No-year authority or accounts are budgetary resources that are available
for obligation for an indefinite period of time, usually until the 
purposes for which they were provided are carried out. A no-year 
appropriation is usually identified by words of futurity such as “to 
remain available until expended.” 

.04: Appropriation Acts: The entity’s appropriations may contain other
budgetary restrictions on the appropriations provided. 

395 E - Budget Execution Process: 

.01: The steps of a simplified budget process are illustrated in the 
following table. 

General phases: 
Events: 
Accounting recognition: 

General phases: Formulation; 
Events: Budget submission; 
Accounting recognition: None. 

General phases: Approval; 
Events: Granting budget authority; 
Accounting recognition: Appropriations. 

General phases: Execution; 
Events: Delegation of authority; 
Accounting recognition: Apportionment; Allotment. 

General phases: Execution; 
Events: Use of authority; 
Accounting recognition: Commitment; Obligation; Expended authority; 
Outlay; Expiration; Cancellation. 

[End of table] 

.02: The design of the budget execution process is of interest to the 
auditor when testing the statement of budgetary resources and 
reconciliation of net cost of operations to budget note disclosure and 
when evaluating an entity's internal control relating to budget 
execution:[Footnote 39] 

* Congress provides an entity with an appropriation (or other budget
authority), which is authority provided by law to enter into obligations
that result in immediate or future outlays (2 U.S.C. 622(2)). 

* The Secretary of the Treasury issues warrants, which establish the 
amount of moneys authorized to be withdrawn from the central accounts 
maintained by Treasury. 

* OMB makes an apportionment, which is a distribution of amounts 
available for obligation. Apportionments divide amounts available for
obligation by specific periods (usually quarters), activities, 
projects, or objects, or a combination thereof. The amounts apportioned 
limit the amount of obligations that may be incurred. 

* The entity head (or other authorized employee) makes an allotment, 
which is an authorization to subordinates to incur obligations within a
specified amount. The total amount allotted by an entity may not exceed 
the amount apportioned by OMB. The entity, through its fund control 
regulations, establishes allotments at a legally binding level for 
complying with the Antideficiency Act. Suballotments and allowances
are further administrative divisions of funds, usually at a more 
detailed level (i.e., suballotments are divisions of allotments 
established as needed). 

* The entity may make a commitment, which is an administrative 
reservation of an allotment or of other funds in anticipation of their
obligation. Commitments are not required by law or regulation nor are
they formal/official uses of budget authority. Rather, commitments are
used by entities for financial planning in the acquisition of goods and
services and control over obligations and the use of budget authority. 

* The entity incurs an obligation, which is the amount of purchase 
orders placed, contracts awarded, services received, and similar 
transactions during a given period that will require payments during the
same or future periods. The entity should comply with legal 
requirements before recording obligations against appropriation 
accounts (title 7 of the GAO Policies and Procedures Manual). These
legal requirements include determining whether the purpose, the amount, 
and the timing of when the obligation was incurred are in accordance 
with the appropriation. Additionally, there are legal requirements 
concerning the documentary evidence necessary for recording an 
obligation. The term obligation in this manual refers to orders for 
goods and services that have not been delivered (undelivered orders). 

The reconciliation of net cost of operations to budget note disclosure
reconciles the budgetary resources obligated for a federal entity’s
programs and operations shown on the statement of budgetary resources 
and determined using budgetary accounting with the net cost of 
operations shown on the statement of net cost, which is determined 
using U.S. GAAP (often referred to as proprietary accounting). 

* The entity records expended authority, which is the reduction of an
obligation by the receipt and acceptance of goods and services ordered.
Expended authority means that the budget authority has been used to
acquire goods or services.[Footnote 40] 

* The entity records an outlay, which, as used in the President’s 
budget, congressional budget documents, and the statement of budgetary
resources, refers to payments (cash disbursements) made to liquidate
obligations for goods and services. The statement of budgetary 
resources reconciles obligations incurred net of offsetting collections 
to net outlays. 

* The appropriation account expires when, according to the restrictions
contained in the appropriation, the appropriation is no longer available
for new obligations. For annual appropriations this occurs at midnight
on September 30.[Footnote 41] Adjustments may be made for valid 
obligations that were either (1) recorded at an estimated amount that 
differs from the actual amount[Footnote 42] or (2) incurred before the 
authority expired, but were not recorded. Adjustments may be recorded 
for 5 years after the appropriation expires. For both expired accounts 
and closed accounts, the entity’s obligations and expenditures may not 
exceed the related budget authority. See OMB Circular No. A-11, part 4, 
for additional guidance on these types of adjustments and transactions. 

Examples of valid adjustments to expired accounts within the 5-year 
period include adjustments for: 

(1) canceled orders or orders for which delivery is no longer likely; 

(2) refunds received in the current period that relate to recovery of
erroneous payments or accounting errors; 

(3) legal and valid obligations that were previously unrecorded; and 

(4) differences between the estimated and actual obligation amounts. 

* After the 5-year period, the budget authority for the expired 
accounts is canceled and the expired accounts are closed.[Footnote 43] 
No further adjustments or outlays may be made in those closed accounts. 
Payments for any outstanding unliquidated obligations in closed 
accounts may be made from unexpired appropriations that have the same 
general purpose (but are limited in aggregate to 1 percent of the 
current year appropriation). For both expired accounts and closed 
accounts, the entity’s obligations and expenditures may not exceed the 
related budget authority. See OMB Circular No. A-11, part 4, for 
additional guidance on these types of adjustments and transactions. 

395 F - Budget Control Objectives: 

.01: This section lists budget control objectives by steps in the 
budget process. The auditor may use these control objectives for either 
or both of the audit of the statement of budgetary resources and the 
reconciliation of net cost of operations to budget note disclosure, the 
evaluation of financial reporting controls, and/or as part of the 
evaluation of the design of compliance controls. The auditor may 
evaluate the design of many of these controls at the same time as 
evaluating the design of controls over expenses, disbursements, and 
liabilities. When testing control effectiveness, the auditor may test 
these controls at the same time, which is referred to as multipurpose 
testing. 

a. Appropriations (or other forms of budget authority): The recorded 
appropriation (or other form of budget authority) is the same as that 
made available in the appropriation or other appropriate legislation, 
including restrictions on amount, purpose, and timing. 

b. Apportionments: The recorded apportionments agree with the OMB 
apportionments (as indicated on the apportionment schedules), and the
total amount apportioned does not exceed the total amount appropriated. 
[Footnote 44] 

c. Allotments/suballotments: The total amount allotted does not exceed
the total amount apportioned. 

d. Commitments: The auditor may not be concerned with controls over 
budgetary commitments because commitments are not required by law or 
regulation nor are they formal/official uses of budget authority. 
Controls over budgetary commitments are a type of operations control. 

The auditor generally should evaluate the design of controls over 
commitments if the entity relies on controls over commitments to 
achieve the control objectives relating to obligations. If the auditor
evaluates the design of controls over commitments, the auditor 
generally should use the same control objectives as used for obligations
and expenditures, as discussed below. The auditor should test those
controls that are adequately designed and implemented. 

e. Obligation transactions: The control objectives relating to 
obligation transactions (undelivered orders) are: 

* Validity/occurrence: Obligations recorded are valid. An obligation
is valid only if it meets these criteria: 

1. The obligation has been incurred. This is usually evidenced by 
appropriate supporting documentation, such as a purchase order or 
binding contract. 

The auditor may look for instances of “block obligating” or “block 
dumping”, which occur when an entity records obligations to “reserve” 
funds even though the goods or services have not been ordered. This is 
most likely to occur near the expiration of the appropriation and 
usually occurs in large dollar services and equipment contracts. The 
auditor may look for such signs as large, even-amount obligations near 
the end of the fiscal year for annual appropriations or during the last 
year of a multiyear appropriation account. 

2. The purpose of the obligation is one for which the appropriation
was made. 

3. The obligation was incurred within the time that the appropriation 
was made available for new obligations. 

4. The obligation did not exceed the amount allotted or appropriated by 
statute, nor was it incurred before the appropriation became law, 
unless otherwise provided by law. 

5. The obligation complies with any other legally binding restrictions, 
such as obligation ceilings or earmarks, identified in the planning 
phase. 

6. The obligation has not subsequently been canceled nor have the goods 
or services been received. 

7. For adjustments to obligations in expired accounts, objectives are: 

i. If the adjustment represents a “contract change” as defined in OMB 
Circular No. A-11, refer to the entity’s reporting and approval 
requirements in that circular. 
ii. The adjustment does not cause the entity to exceed the amount 
allotted or appropriated by statute. 
iii. The adjustment is recorded during the period when the account is 
available for adjustments (5 years) and was made for a valid obligation 
incurred before the authority expired. 
iv. New obligations are not to be recorded in expired accounts. 

* Completeness: All obligation transactions are recorded. 

* Valuation/accuracy: Obligations are recorded at the best available
estimate of actual cost. 

* Cutoff: Obligations are recorded in the proper period. 

* Classification: Obligations are recorded in the proper appropriation 
or fund accounts (also by program and by object, if applicable), 
including the proper appropriation year if the account is multiyear. 
Examples of programmatic account classifications are “school lunch 
program” and “nutrition education and training.” Examples of object 
account classifications are “salaries,” “rent,” and “travel.” 

e. Expended authority transactions: Control objectives relating to 
expended authority transactions, as defined in FAM 395 E, are generally
the same as those for obligation transactions: 

* Validity/occurrence: For all expended authority transactions, 
recorded expended authority transactions have occurred. This occurrence 
is usually evidenced by appropriate supporting documentation. For 
expended authority transactions (or adjustments to expended authority 
transactions) in expired accounts, the entity objectives are that: 

1. the expended authority transaction does not cause the entity to
exceed the amount appropriated by statute; 

2. the expended authority transaction is recorded during the period
when the account is available for adjustments (5 years); and 

3. the expenditure is not made out of a closed account. 

* Completeness: All expended authority transactions and adjustments are 
recorded. 

* Valuation/accuracy: Expended authority transactions and adjustments 
are recorded at the correct amount. 

* Cutoff: Expended authority transactions and adjustments are recorded 
in the proper period. 

* Classification: Expended authority transactions and adjustments are 
recorded in the proper appropriation or fund accounts (also by program 
and by object, if applicable), including the proper appropriation year 
if the account is multiyear. 

f. Outlay transactions: Control objectives that relate to outlay 
transactions and may be tested while auditing cash disbursements are: 

* Validity/occurrence: Outlays are supported by evidence such as 
contractor invoices and receiving reports. The outlay is recorded 
against an obligation made during the period of availability of the 
appropriation (not made out of a closed account). The outlay is also 
for a purpose for which the appropriation was provided and in an amount 
not exceeding the obligation, as adjusted, authorizing the outlay. Use 
of “first-in, first-out” or other arbitrary means to liquidate 
obligations based on outlays is not generally acceptable estimating 
techniques reasonably represent the manner in which costs are incurred. 
Accrual of liabilities based on incurred but unbilled contractor costs 
alone is not sufficient evidence of validity (i.e., it may not meet the 
purpose, time, and amount provisions of an appropriation). Note: 
internal control over outlays and related liquidation of obligations 
may provide safeguards against improper payments, including erroneous, 
duplicative, or fraudulent contractor billings. 

* Completeness: All outlays and adjustments are recorded. 

* Valuation/accuracy: Outlays and adjustments are recorded at the 
correct amounts. 

* Classification: Outlays are recorded in the proper accounts (both by 
program and by object, if applicable), including the proper 
appropriation year if the account is multiyear. This is evidenced by
“matching” the outlay to the underlying obligation. 

* Cutoff: Outlays and adjustments are recorded in the proper period. 

g. Obligation and expended authority balances: Control objectives 
relating to obligation and expended authority balances as of a point in
time are: 

* Summarization: Recorded balances of obligation and expended authority 
accounts as of a given date are supported by appropriate detailed 
records that are accurately summarized and reconciled to the 
appropriation or fund account balance, by year, for each account. 

* Substantiation: Recorded account balances are supported by valid
obligations and expended authority transactions. 

* Limitation: Total undelivered orders plus total expended authority 
transactions do not exceed the amount of the appropriation or other 
statutory limitations (such as obligation ceilings or earmarks) that
may exist by appropriation period. These other statutory limitations
may limit the amount of obligations that can be incurred by program
or object classification. 

In addition, total payments of outstanding unliquidated obligations 
that relate to closed accounts do not exceed the limits described in
OMB Circular No. A-11 (for annual accounts, 1 percent of the account’s 
current year appropriation; for multiyear accounts, 1 percent of all 
appropriations that are available for obligation for the same purpose, 
which is a single, cumulative limit). 

h. Appropriation account balances: Control objectives relating to 
appropriation account balances as of a point in time are: 

* Fixed appropriation accounts are identified by fiscal year after the
end of the period in which they are available for obligation until they
are closed (31 U.S.C. 1553(a)). 

* Fixed appropriation accounts are closed on September 30 of the 5th 
fiscal year after the end of the period that they are available for 
obligation. Any remaining balance (whether obligated or unobligated) in 
the account is canceled and is no longer available for obligation or 
expenditure for any purpose (31 U.S.C. 1552(a)). For example, at the 
end of fiscal year 2008, the entity has accounts only for fixed 
appropriations that expired at the end of fiscal years 2004, 2005, 
2006, 2007, and 2008. All fixed appropriations that expired prior to 
these dates have been closed and canceled as of the end of fiscal year 
2008. 

* Appropriation accounts that are available for obligation for an 
indefinite period are closed if (1) the entity head or the President
determines that the purposes for which the appropriation was made have 
been carried out, and (2) no disbursement has been made against the 
appropriation for 2 consecutive fiscal years (31 U.S.C. 1555). 

i. Outlay account balances: Control objectives relating to outlay
account balances appearing in the statement of budgetary resources for
the fiscal year are: 

* Summarization: Recorded balances of outlay accounts for the fiscal 
year are supported by appropriate detailed records that are accurately 
summarized for each account. 

* Substantiation: Recorded account balances are supported by valid 
outlay transactions. 

j. Recording of cash receipts related to closed appropriation accounts: 
(To be evaluated only if these amounts are expected to exceed design 
materiality.) The control objective is: 

* Collections authorized or required to be credited to an appropriation
account but not received before the account is closed are deposited in 
the Treasury as miscellaneous receipts (31 U.S.C. 1552(b)). 

395 FS - Budget Control Objectives for Federal Credit Reform Act: 

.01: The Federal Credit Reform Act (FCRA) contains provisions regarding 
the recording and reporting of activity related to direct loans, loan 
guarantees, and modifications of these items for budget accounting 
purposes. Definitions of these and other FCRA terms are included in the 
notes to this supplement. For transactions and account balances related 
to these types of activities, the auditor generally should use the 
budget control objectives listed in FAM 395 F and supplement them with 
the following budget control objectives related to FCRA. Additional 
guidance on FCRA accounting for budget purposes is included in OMB 
Circular No. A-11. Also, see Federal Financial Accounting and Auditing 
Technical Releases No. 3, Auditing Estimates for Direct Loan and Loan 
Guarantee Subsidies Under the Federal Credit Reform Act (as amended), 
and No. 6, Preparing Estimates for Direct Loan and Loan Guarantee 
Subsidies Under the Federal Credit Reform Act, issued by FASAB’s 
Accounting and Auditing Policy Committee (AAPC). 

.02: Obligation transactions: Obligation transactions include direct 
loan obligations, loan guarantee commitments, and modifications that 
change the cost of an outstanding direct loan or loan guarantee (except
modifications within the terms of existing contracts or through other
existing authorities). Supplemental control objectives relating to 
obligation transactions under FCRA are: 

* Valuation: Obligations are recorded at the best available estimate of
actual cost. 

1. The cost of a direct loan is recorded at the net present value, at 
the time when the loan is disbursed, of cash flows for: 
i. loan disbursements; 
ii. estimated principal repayments;
iii. estimated interest payments; and 
iv. estimated amounts and timing of any other payments by or to the
government over the life of the loan. These amounts include
fees, penalties, and other recoveries. Administrative costs and
any incidental effects on governmental receipts and outlays are
excluded (2 U.S.C. 661a(5)(A) and (B)). 

These estimated cash flows include the effects of the timing and
amounts of expected defaults and prepayments. These cash flows are
discounted using the appropriate rate as described below. 

2. The cost of a loan guarantee is recorded at the net present value, at
the time when the related guaranteed loan is disbursed, of the cash
flows for: 
i. estimated amounts and timing of payments by the government for 
defaults, delinquencies, interest subsidies, or other payments, 
excluding administrative costs; and 
ii. estimated amounts and timing of payments to the government for 
origination and other fees, penalties, and recoveries (2 U.S.C. 
661a(5)(A) and (C)). 

Any incidental effects on governmental receipts and outlays are 
excluded. These cash flows are discounted using the appropriate rate as 
described below. 

3. The cost of a modification is recorded at the difference between the
current estimated net present value of the cash flows under the 
existing direct loan or guarantee contract and the estimated net 
present value of the cash flows under the modified contract. The cash 
flows for each of these calculations are discounted at the rate for 
modifications described below (2 U.S.C. 661a(5)(D)). 

4. The discount rate used to estimate the net present values described
above is the average interest rate, in effect when the obligation is 
incurred, for marketable Treasury securities of similar maturity to the 
related loan. For modifications, the discount rate used is the average 
rate, in effect at the time of modification, for marketable Treasury 
securities with a maturity similar to the remaining maturity of the 
modified loan (2 U.S.C. 661a(5)(E)). 

.03: Expended authority transactions: Expended authority transactions
include transactions that occur when loans are disbursed. Supplemental
control objectives relating to expended authority transactions under 
FCRA are: 

* Valuation: Expended authority transactions are recorded at the proper 
amount. The same specific criteria for the amounts of FCRA obligations
are also applicable to expended authority transactions. 

* Cutoff: Expended authority transactions are recorded in the proper 
period. Expended authority transactions for the cost of loans or 
guarantees are recorded in the fiscal year in which the direct or 
guaranteed loan is disbursed or its costs altered (2 U.S.C. 
661c(d)(2)). 

* Classification/presentation and disclosure: Amounts are recorded in 
the proper account and reported appropriately for: 

1. Differences in subsequent years between original estimated costs and 
reestimated costs are recorded in a separately identified subaccount in 
the credit program account and shown as a change in program costs and a 
change in net interest (2 U.S.C. 661c(f)). 

2. Funding for the administration of a direct loan or loan guarantee 
program is recorded in separately identified subaccounts within the 
same budget account as the program’s cost (2 U.S.C. 661c(g)). 

3. Cash disbursements for direct loan obligations or loan guarantee 
commitments made on or after October 1, 1991, are made out of the 
financing account (2 U.S.C. 661a(7)). 

.04: Obligation and expended authority balances: Supplemental control
objectives relating to obligation and expended authority balances under
FCRA as of a point in time are: 

* Limitation: Total obligations plus total expended authority 
transactions do not exceed the appropriation amount or other statutory
limitations that may exist by appropriation period. Specifically: 

1. Direct loan obligations made on or after October 1, 1991, do not
exceed the available appropriation or other budget authority. 
2. Modifications made to direct loan obligations or direct loans do not
exceed the available appropriation or other budget authority. Note: 
Prior to performing any control or compliance tests, the auditor should 
discuss with OGC the applicability of this budget restriction to direct 
loans and direct loan obligations that were outstanding prior to 
October 1, 1991. 

3. Obligations for new loan guarantee commitments made on or after
October 1, 1991, do not exceed the available appropriation or other
budget authority. 

4. Modifications made to loan guarantee commitments or outstanding loan 
guarantees do not exceed the available appropriation or other budget 
authority. Note: Prior to performing any control or compliance tests, 
the auditor should discuss with OGC the applicability of this budget 
restriction to loan guarantees, or loan guarantee commitments that 
existed prior to October 1, 1991. 

.05: Cash receipts: Control objectives for cash receipts under FCRA 
are: 

* Classification: Cash receipts are recorded in the proper account for: 

1. Cash receipts related to direct loans obligated or loan guarantees 
committed prior to October 1, 1991, are recorded in the liquidating 
accounts (2 U.S.C. 661f(b)). 

2. Cash receipts related to direct loans obligated or loan guarantees
committed on or after October 1, 1991, are recorded in the financing
account (2 U.S.C. 661a(7)). 

.06: Definitions used in FCRA are: 

* Direct loans are a disbursement of funds by the government to a 
nonfederal borrower under a contract that requires the repayment of 
such funds with or without interest. Direct loans also include the 
purchase of, or participation in, a loan made by another lender. Direct
loans do not include the acquisition of a federally guaranteed loan in
satisfaction of default claims or the price support loans of the
Commodity Credit Corporation (2 U.S.C. 661a(1)). 

* Direct loan obligations are binding agreements by a federal agency to
make a direct loan when specified conditions are fulfilled by the 
borrower (2 U.S.C. 661a(2)). 

* Loan guarantees are any guarantee, insurance, or other pledge with
respect to the payment of all or a part of the principal or interest on 
any debt obligation of a nonfederal borrower to a nonfederal lender, but
does not include the insurance of deposits, shares, or other 
withdrawable accounts in financial institutions (2 U.S.C. 661a(3)). 

* Loan guarantee commitments are binding agreements by a federal agency 
to make a loan guarantee when specified conditions are fulfilled by the 
borrower, the lender, or any other party to the guarantee agreement (2 
U.S.C. 661a(4)). 

* Costs are defined as the estimated long-term cost to the government of
a direct loan or loan guarantee, calculated on a net present value 
basis, or modification thereof, excluding administrative costs and any 
incidental effects on governmental receipts or outlays (2 U.S.C. 
661a(5)). These calculations are described in further detail under the
valuation control objective for obligations in FAM 395 F. 

* Credit program accounts are the budget account associated with each 
program account into which an appropriation to cover the cost of a 
direct loan or loan guarantee program is made and from which such cost 
is disbursed to the financing account (2 U.S.C. 661a(6)). 

* Liquidating accounts are the budget account that includes all cash 
flows to and from the government resulting from direct loan obligations
or loan guarantee commitments made prior to October 1, 1991. These 
accounts are shown on a cash basis (2 U.S.C. 661a(8)). 

* Financing accounts are the nonbudget account associated with each 
credit program account that holds balances, receives the cost payment 
from the credit program account, and also includes all other cash flows
to and from the government resulting from direct loan obligations or 
loan guarantee commitments made on or after October 1, 1991 (2 U.S.C.
661a(7)). 

* Modifications are government actions that alter the estimated cost of 
an outstanding direct loan or loan guarantee from the current estimate 
of cash flows (2 U.S.C. 661c(9)); for example, a policy change 
affecting the repayment period or interest rate for a group of existing 
loans. Changes within the terms of existing contracts or through other
existing authorities are not modifications under FCRA. In addition, 
“work outs” of individual loans, such as a change in the amount or 
timing of payments to be made, are not modifications. The effects of
these changes are included in the annual reestimates of the estimated
net present value of the obligations. 

* Reestimates are made annually to adjust the net present value of 
direct loans and loan guarantee obligations for changes in the estimated
amounts of items such as defaults and the timing of payments. Permanent 
indefinite authority has been provided for reestimates. 

395 G - Multiyear Testing of Controls: 

Overview: 

.01: In certain circumstances, the auditor may test controls on a 
multiyear basis as discussed in FAM 380.01. If the auditor uses 
multiyear testing, the auditor should test the operating effectiveness 
of some of the controls each year so that all controls that are 
adequately designed and implemented are tested at least once during a 
3-year period. As time elapses, the audit evidence becomes less relevant 
and reliable (AU 318.42). While the auditor may elect to visit 
locations (see FAM 285) over a longer cycle for other purposes, only 
controls or locations tested within the last 2 years (plus the current 
year audit) may be relied on by the auditor as part of the current year 
audit. 

For example, a multiyear plan for an entity with five significant
cycles/applications might include tests of controls in two or three
cycles/applications annually, covering all controls and 
cycles/applications that are adequately designed and implemented within 
a 2- or 3-year period, if there are no changes in controls. The auditor 
generally should limit multiyear testing to situations in which the 
entity has strong information system controls because computer programs 
ordinarily function consistently in the absence of programming changes, 
reducing the probability of random errors. 

.02: For controls in significant cycles/applications not selected for 
detailed testing in the current year, but on which the auditor plans to 
place reliance in the current year, the auditor should determine 
whether changes in those specific controls have occurred subsequent to 
the prior audit. The auditor should use a combination of observation, 
inquiry, and inspection to update the understanding of those specific 
controls. If the auditor plans to rely on controls that have changed 
since they were last tested, the auditor should test the operating 
effectiveness of such controls in the current audit. Based on the 
results of these procedures, the auditor should assess and document 
whether continued reliance on these controls is appropriate or whether 
to modify other planned audit procedures. 

.03: The auditor generally should decide to use multiyear testing on a 
cycle-by-cycle or application-by-application basis, so some 
cycles/applications might be tested annually and others in subsequent 
years. In multiyear testing, the auditor relies on cumulative audit 
evidence and knowledge, including that gathered in prior years, to 
support the assessment of and report on internal control. Accordingly, 
the auditor may use multiyear testing only when all the following 
conditions exist: 

* The auditor possesses a “foundation” of audit evidence on which to
develop current audit conclusions. 

* Control risk is low; the design of the control environment, risk 
assessment, communication, and monitoring are strong; inherent and 
fraud risk are low and, thus, the risk of material misstatement is low. 

* Controls that have been adequately designed and implemented over all
significant cycles/applications have been tested at least once within a 
3-year period. 

* Recurring audits of the entity enable a multiyear testing plan to be
effective. 

.04: The auditor should perform annual tests for: 

* any cycle/application that is disproportionately significant; and 

* any cycle/application that has undergone major change since controls
were most recently tested. 

.05: The auditor may obtain the foundation of audit evidence to support 
a multiyear test plan, which is updated and increased through limited 
tests and other relevant audit evidence, from one or a combination of: 

* evidence gathered in one or more prior audits; and 

* the current or prior work of another auditor, after the auditor 
applies FAM 650. 

Circumstances under Which Multiyear Testing May Be Used: 

.06: The auditor should determine whether to use multiyear testing after
evaluating factors, such as: 

* The results and extent of the auditor’s prior experiences with the 
entity and its cycles/applications, including the length of time since 
financial reporting controls were tested. This includes effectiveness 
of the control and its application by the entity, including the nature 
and extent of any control deviations identified during previous audits.
The effectiveness of prior evidence typically diminishes with the 
passage of time. 

* The importance of the cycles/applications to the entity and the nature
of the assertion or assertions involved. 

As the significance of cycles/applications and assertions increases, 
the auditor generally should increase the frequency of testing. 

* The auditor’s preliminary assessment of control risk, considering the
effectiveness of the design of other components of internal control, 
including the control environment, the entity’s monitoring of controls,
and the entity’s risk assessment process and the effectiveness of 
information system controls. 

The effectiveness of multiyear testing ordinarily diminishes rapidly
as control risk increases. A weak control environment, weak monitoring 
and risk assessment processes, and weak information system controls 
would typically decrease the period for retesting a control, or result 
in not relying on audit evidence obtained in prior periods. 

* The extent to which control is centralized or decentralized. 

The appropriateness of multiyear testing diminishes rapidly as
control becomes more decentralized. 

* The characteristics of the control, such as whether the control is
manual or automated as discussed in AU 314.57-.63, and the extent to
which there are personnel changes that affect the application of the
control. 

The appropriateness of multiyear testing diminishes if there are 
significant manual elements of the controls and if there are personnel
changes that significantly affect the application of the controls. 

* The number and relative sizes of the respective cycles/applications. 

The efficiency of multiyear testing typically increases as the number
and size of cycles/applications increase. 

* The nature and extent of audit evidence about internal controls that
may result from substantive procedures in the current audit. 

Information obtained concurrently with substantive procedures may 
provide some evidence about the functioning of controls over 
cycles/applications. 

* The extent of monitoring, including testing performed by others. 

The auditor may use the work performed by others, such as internal 
auditors, to reduce tests of controls. (See FAM 650.) 

* Any special reporting or entity requirements. 

The auditor should perform sufficient tests to meet any special 
requirements, such as a special report on the functioning of a specific
cycle/application. 

* Changing circumstances that indicate the need for changes in controls.
The effectiveness of multiyear testing decreases as changing 
circumstances, such as new types of programs, indicate the need for 
changes in controls. The lack of a change in a particular control may
pose a risk due to changing circumstances. 

* The effects of the risks of material misstatement and planned reliance
on controls. 

The appropriateness of multiyear testing typically diminishes as the 
risk of material misstatements increases. The greater the planned 
reliance on the controls, the more frequent the control testing should
be. 

.07: For any multiyear testing plan, the auditor should document: 

* the schedule for testing all significant cycles/applications; 

* the basis for using such a plan; 

* any limitations on the use of such a plan; 

* the locations to be tested; and 

* any other significant aspects, including descriptions of any 
modifications to multiyear test plans established in previous years. 

The auditor should reevaluate a multiyear plan during the audit, at the 
end of the audit, and while planning each annual audit. The reviewer 
(usually the director) should approve the documentation described 
above. 

395 H - Specific Control Evaluation Worksheet: 

.01: The auditor should use the SCE worksheet or equivalent to document 
the evaluation of the design of the control activities in the internal 
control phase and the results of testing in the testing phase. This 
section illustrates an SCE worksheet for the cash receipts application 
for a hypothetical federal government entity, “XYZ Agency” (XYZ). 

.02: The auditor should prepare an SCE worksheet or equivalent for each 
significant accounting application. The auditor generally should use the
SCE worksheet to document the evaluation of compliance (including 
budget) and operations controls. The worksheet may be completed for
financial reporting controls as follows: 

1. List each assertion that is relevant to the accounting application. 
While all five financial statement assertions described in FAM 235 
relate to line item/account-related accounting applications, the 
existence or occurrence, completeness, and accuracy/valuation 
assertions relate principally to transaction-related accounting 
applications, as illustrated in FAM 395 B. Therefore, assertions 
relevant to cash receipts would be existence or occurrence, 
completeness, and accuracy/valuation. 

2. From the ARA (see FAM 240), list the significant line items or 
accounts that the accounting application affects. For example, cash 
receipts typically affect cash and accounts receivable. 

3. Document the assertions (see FAM 330) for each line item or account
identified in step 2 that relate to each accounting application 
assertion. 

4. For each significant account assertion, identify the potential 
misstatements (inherent risks) that could occur in the accounting 
application and the related control objectives, based primarily on the
list of potential misstatements and control objectives included in FAM
395 B. The auditor may tailor this list to the accounting application 
and the entity and, if necessary, add additional objectives or 
subobjectives. [Footnote 45] 

5. List control activities selected for testing that achieve each 
control objective identified above and indicate whether each is or is 
not an information system (IS) control. FAM 395 C illustrates typical 
control activities to achieve financial reporting control objectives. 
A user control where the user would be able to detect misstatements in 
the computer-generated information independently is not an IS control. 

6. Document the effectiveness of control activities in achieving the 
control objectives in relation to each potential misstatement and 
cross-reference to the audit procedures in the testing program. The 
auditor should include the overall assessment of financial reporting 
controls in the ARA or equivalent document, as illustrated in FAM 395 
I. If the results of testing indicate that the preliminary assessment 
of control effectiveness based on the design of the control was not 
appropriate, the auditor should document the revised assessment in the 
SCE or other document such as the audit summary memo and the ARA or
equivalent document. 

395 H - Specific Control Evaluation Worksheet: 

Entity: XYZ Agency (XYZ): 
Date Of Fin. Stmts: 9/30/xx: 
Accounting Application: Cash Receipts: 
Specific Control Evaluation File: 
Preparer: 
Date: 
Page: of: 

Accounting Application: Cash Receipts: 

* Accounting Application Assertion: Existence or occurrence; 
* Relevant Assertions In Related Groups Of Accounts, Cash: 
Existence or occurrence; 
* Relevant Assertions In Related Groups Of Accounts, Accts. Rec.: 
Completeness; 
* Potential Misstatement In Accounting Application Assertions: 
Occurrence/validity: 
1. Receipt is recorded, but cash is not received. 
Cutoff:
2. Receipts are recorded in this period, but the cash is received in a 
different period. 
Summarization:
3. Receipt transactions are overstated due to improper summarization. 
* Control Objectives: 
1a. Recorded cash receipts and cash receipt processing procedures are
authorized by federal laws, regulations, and management's policy. 
1b. Appropriate individuals approve recorded receipts in accordance with
management's general or specific criteria. 
1c. Recorded receipts represent amounts actually received by the entity 
and are properly classified. 
2. Cash receipts recorded in the period are actually received in the
period. 
3. The summarization of receipt transactions is not overstated. 
* Internal Control Activities: 
1a. Receipts processing is governed by documented procedures for 
accepting, obtaining, reviewing, and approving receipts. 
1b. A supervisor reviews receipts processing to provide reasonable 
assurance that procedures are followed. 
1c. Recorded cash receipts are matched with the appropriate supporting
documentation. 
1d. Entries to the accounting records are reviewed and approved by 
supervisory personnel. 
2. Recorded receipts are reconciled to cash receipts listings and bank
deposit reports before posting. 
3a. Receipt data in the general ledger are reconciled to subsidiary cash
ledgers and records. 
* IS (Y/N): 
1a. N; 
1b. N; 
1c. N; 
1d. N; 
2. Y; 
3a. Y; 
3b. Y; 
* Effectiveness Of Control Activities: 
1a. Effective; 
1b. Effective; 
1c. Effective; 
1d. Effective; 
2. Effective; 
3a. Effective; 
3b. Effective; 
* Doc Ref. & Control Testing Step: 
[In this column, the auditor would indicate, by cross-referencing, the
audit procedures in the detailed control testing audit plan that were 
designed to test each effective control determined to be relevant. Such
tests will involve inquiry, observation, inspection, or a combination
thereof.] 

* Accounting Application Assertion: Completeness; 
* Relevant Assertions In Related Groups Of Accounts, Cash: 
Completeness; 
* Relevant Assertions In Related Groups Of Accounts, Accts. Rec.: 
Existence or occurrence; 
* Potential Misstatement In Accounting Application Assertions: 
Transaction completeness: 
4. Cash is received, but receipt is not recorded. 
Cutoff: 
5. Cash is received in this period, but receipt is recorded in a 
different period. 
Summarization: 
6. Receipt transactions are understated as a result of improper 
summarization. 
* Control Objectives: 
4. All receipts of cash are recorded and properly classified. 
5. Cash receipts actually received in the period are recorded in the
period. 
6. The summarization of cash receipt transactions is not understated. 
* Internal Control Activities: 
4a. Cash receipts are listed by the central mailroom staff and 
independently reconciled to deposits and accounting summaries, 
providing adequate segregation of duties. Collections and complaints are
handled by others. 
4b. Supervisory reviews of the processing of cash receipts. 
5. Same as procedure 2 above. 
6. Same as procedures 3a and 3b above. 
* IS (Y/N): 
4a. N; 
4b. N; 
5. Y; 
6. Y; 
* Effectiveness Of Control Activities: 
4a. Effective; 
4b. Effective; 
5. Effective; 
6. Effective; 
* Doc Ref. & Control Testing Step: 
[In this column, the auditor would indicate, by cross-referencing, the
audit procedures in the detailed control testing audit plan that were 
designed to test each effective control determined to be relevant. Such
tests will involve inquiry, observation, inspection, or a combination
thereof.] 

* Accounting Application Assertion: Accuracy/Valuation; 
* Relevant Assertions In Related Groups Of Accounts, Cash: 
Valuation; 
* Relevant Assertions In Related Groups Of Accounts, Accts. Rec.: 
Valuation; 
* Potential Misstatement In Accounting Application Assertions: 
Accuracy: 
7. Receipt transactions are recorded at incorrect amounts. 
* Control Objectives: 
7. Receipt transactions are recorded accurately. 
* Internal Control Activities: 
7a. Recorded receipts are compared with bank statements by persons who 
have no other receipts processing responsibilities. 
7b. Supervisor reviews and approves reconciliations of recorded 
receipts to bank statements. 
* IS (Y/N): 
7a. Y; 
7b. N; 
* Effectiveness Of Control Activities: 
7a. Effective; 
7b. Effective; 
* Doc Ref. & Control Testing Step: 
[In this column, the auditor would indicate, by cross-referencing, the
audit procedures in the detailed control testing audit plan that were 
designed to test each effective control determined to be relevant. Such
tests will involve inquiry, observation, inspection, or a combination
thereof.] 

* Accounting Application Assertion: Segregation of duties; 
* Relevant Assertions In Related Groups Of Accounts, Cash: 
Various; 
* Relevant Assertions In Related Groups Of Accounts, Accts. Rec.: 
Various; 
* Potential Misstatement In Accounting Application Assertions: 
Segregation of Duties:
8. The entity is exposed to loss of cash receipts and various 
misstatements as the result of inadequate segregation of duties. 
* Control Objectives: 
8. Persons are prevented from having uncontrolled access to both cash 
receipts and records. 
* Internal Control Activities: 
8a. No individual has uncontrolled access (direct or indirect) to both 
cash receipts and records. 
* IS (Y/N): 
8a. N; 
* Effectiveness Of Control Activities: 
8a. Effective; 
* Doc Ref. & Control Testing Step: 
[In this column, the auditor would indicate, by cross-referencing, the
audit procedures in the detailed control testing audit plan that were 
designed to test each effective control determined to be relevant. Such
tests will involve inquiry, observation, inspection, or a combination
thereof.] 

Preparation Notes: 
1. The third column is for use when the effects of the accounting 
application on the line items are different. For example, misstatements 
in the existence or occurrence assertion for cash receipts typically 
result in misstatements in the existence or occurrence assertion for 
cash and in the completeness assertion for accounts receivable (see FAM 
330.05). 
2. If there is inadequate segregation of duties, the auditor should 
identify the specific affected account assertions in columns 2 and 3. 

[End of form] 

395 I - Account Risk Analysis Form: 

.01: The auditor should use the ARA form or equivalent to summarize, 
for significant line items, specific risks of material misstatement to
determine the nature, extent, and timing of further audit procedures. 
The auditor should document any significant risks, usually in the audit
strategy, and evaluate them when designing audit procedures, but need
not document them on the ARA form. The auditor should prepare an
ARA form or equivalent for each significant line item and identify the
significant accounts and related assertions. 

.02: The auditor may complete the form as the related phases of the 
audit are performed as follows: 

Planning Phase: 

* In column 1 list each significant account name and in column 2, the 
account balance as discussed in FAM 235. The auditor generally groups 
accounts and applications together that share the same risks of 
material misstatement. As noted in FAM 290.06, insignificant accounts 
may be listed following the significant accounts. This would allow the 
auditor to add all account balances to the line item total and 
demonstrate that such balances are insignificant. In such cases, the 
cycle matrix is not necessary. 

* In column 3 list each financial statement assertion (see FAM 260). 

* In column 4 summarize any specific inherent, fraud, or control risk 
factors that relate to the account and assertion from the Overall Audit 
Strategy. 

* In column 5 list the significant cycles and accounting applications
that affect each assertion. 

Internal Control Phase: 

* In column 6 indicate the assessment of the effectiveness of the 
related control activities for the assertion for each cycle and 
accounting application as either effective or ineffective. This 
assessment is obtained from the related SCE worksheet. 

* In column 7 assess the control risk for each assertion as either low,
moderate, or high (see FAM 370.06) and document the assessment. 

* In column 8 assess the risk of material misstatement for each 
assertion as either low, moderate, or high (see FAM 370.06) and 
document the assessment. 

Testing Phase: 

* In column 9 identify the timing of audit procedures performed as
either interim (I) or final (F) (see FAM 420 and FAM 430). 

* In column 10 briefly describe the nature and extent of audit 
procedures performed (see FAM 420 and FAM 430). 

* In column 11 provide a documentation reference to the audit 
procedures performed. 

.03: If the results of testing indicate that the preliminary assessment 
of the risk of material misstatement was not appropriate, the auditor 
should document the revised assessment in the ARA and provide a summary 
of the factors contributing to the revised assessment in a memorandum, 
as appropriate. 

.04: The auditor may also document insignificant line items and 
accounts on the ARA form rather than in the cycle matrix. Regardless, 
the auditor should document that all accounts have been considered in 
the audit. 

395 I - Account Risk Analysis Form: 

Entity: XYZ Agency (XYZ): 
Date Of Financial Statements: 9/30/xx: 
Line Item: Accounts Receivable - Net: 
Account Risk Analysis Form File: 
Preparer: 
Date: 
Page: Of: 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Existence or 
occurrence; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Sales/Billing; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Confirm balances and test 
reconciliation of subsidiary ledger to the general ledger; 
Testing Phase: Doc. Ref. & Audit Step: III-5 to III-7. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Existence or 
occurrence; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Sales Returns;
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Confirm balances and test 
reconciliation of subsidiary ledger to the general ledger; 
Testing Phase: Doc. Ref. & Audit Step: III-5 to III-7. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Existence or 
occurrence; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Cash Receipts;
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Confirm balances and test 
reconciliation of subsidiary ledger to the general ledger; 
Testing Phase: Doc. Ref. & Audit Step: III-5 to III-7. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Existence or 
occurrence; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Accounts Receivable;
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Confirm balances and test 
reconciliation of subsidiary ledger to the general ledger; 
Testing Phase: Doc. Ref. & Audit Step: III-5 to III-7. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Completeness; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Sales/Billing; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Test 
cutoff; 
Testing Phase: Doc. Ref. & Audit Step: III-8 to III-12. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Completeness; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Sales Returns; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Test 
cutoff; 
Testing Phase: Doc. Ref. & Audit Step: III-8 to III-12. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Completeness; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Cash Receipts; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Test 
cutoff; 
Testing Phase: Doc. Ref. & Audit Step: III-8 to III-12. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Completeness; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant inherent, fraud, or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Accounts Receivable; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Test 
cutoff; 
Testing Phase: Doc. Ref. & Audit Step: III-8 to III-12. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Accuracy/valuation; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: The 
bankruptcy filing by a major debtor and the financial difficulties of 
several other debtors in the current economic environment give rise to 
an inherent risk. No significant fraud or control risk factors 
identified; 
Planning Phase: Cycle/Accounting Application: Sales/Billing; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Moderate; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Confirm
balances (see Existence), test the accuracy of the aging, analytically 
review bad debts and allowance, and examine evidence of collectibility 
of selected accounts receivable. Discuss with management collectibility 
from troubled debtors; 
Testing Phase: Doc. Ref. & Audit Step: III-13 to III-18. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Accuracy/valuation; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: The 
bankruptcy filing by a major debtor and the financial difficulties of 
several other debtors in the current economic environment give rise to 
an inherent risk. No significant fraud or control risk factors 
identified; 
Planning Phase: Cycle/Accounting Application: Sales Returns; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Moderate; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Confirm
balances (see Existence), test the accuracy of the aging, analytically 
review bad debts and allowance, and examine evidence of collectibility 
of selected accounts receivable. Discuss with management collectibility 
from troubled debtors; 
Testing Phase: Doc. Ref. & Audit Step: III-13 to III-18. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Accuracy/valuation; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: The 
bankruptcy filing by a major debtor and the financial difficulties of 
several other debtors in the current economic environment give rise to 
an inherent risk. No significant fraud or control risk factors 
identified; 
Planning Phase: Cycle/Accounting Application: Cash Receipts; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Moderate; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Confirm
balances (see Existence), test the accuracy of the aging, analytically 
review bad debts and allowance, and examine evidence of collectibility 
of selected accounts receivable. Discuss with management collectibility 
from troubled debtors; 
Testing Phase: Doc. Ref. & Audit Step: III-13 to III-18. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Accuracy/valuation; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: The 
bankruptcy filing by a major debtor and the financial difficulties of 
several other debtors in the current economic environment give rise to 
an inherent risk. No significant fraud or control risk factors 
identified; 
Planning Phase: Cycle/Accounting Application: Accounts Receivable; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Moderate; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Perform analytical procedures. Confirm
balances (see Existence), test the accuracy of the aging, analytically 
review bad debts and allowance, and examine evidence of collectibility 
of selected accounts receivable. Discuss with management collectibility 
from troubled debtors; 
Testing Phase: Doc. Ref. & Audit Step: III-13 to III-18. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Rights and obligations; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant fraud or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Accounts Receivable; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Identify accounts receivable from 
related parties or major debtors. Review confirmations for indication of
guarantees or encumbrances; 
Testing Phase: Doc. Ref. & Audit Step: III-19 to III-22. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Planning Phase: Financial Statement Assertions: Presentation and 
disclosure; 
Planning Phase: Inherent, Fraud, and Control Risk Factors: No 
significant fraud or control risk factors identified; 
Planning Phase: Cycle/Accounting Application: Accounts Receivable; 
Internal Control Phase: Effectiveness of Control Activities: Effective; 
Internal Control Phase: Control Risk: Low; 
Internal Control Phase: Risk of Material Misstatement: Low; 
Testing Phase: Timing I/F: F; 
Testing Phase: Nature & Extent: Determine appropriateness of footnote
disclosures using FAM 2010 and FAM 2020 checklists. Summarize and test 
credit risk disclosures. Review accounting principles used; 
Testing Phase: Doc. Ref. & Audit Step: III-25 to IV-16. 

Planning Phase: Account: Name: Accounts Receivable-Net; 
Planning Phase: Account: Balance: $876,000,000; 
Line Item Total: $876,000,000. 

[End of form] 

[End of section] 

Section 400: Testing Phase: 

Testing Phase: 
* Design the Nature, Extent, and Timing of Further Audit Procedures; 
FAM: 420. 

* Design Tests; 
FAM: 430. 

* Perform Tests and Evaluate Results; 
FAM: 440. 

* Sampling Control Tests; 
FAM: 450. 

* Compliance Tests; 
FAM: 460. 

* Substantive Procedures -- Overview; 
FAM: 470. 

* Substantive Analytical Procedures; 
FAM: 475. 

* Substantive Detail Tests; 
FAM: 480. 

* Documentation; 
FAM: 490. 

410 - Overview of the Testing Phase: 

.01: Audit evidence is all the information used by the auditor in 
arriving at the conclusions on which the auditor’s reports are based 
and includes the information contained in the accounting records 
underlying the financial statements and other information (see AU 326). 
During the testing phase of the audit, the auditor gathers sufficient 
appropriate evidence to report on the entity’s financial statements, 
internal control, whether entity systems are in substantial compliance 
with the three requirements of FFMIA (for CFO Act agencies), and the 
entity’s compliance with significant provisions of laws and 
regulations. (See fig. 400) 

.02: Audit sampling is often used in audit testing. The auditor uses 
professional judgment, as well as knowledge of statistical sampling 
methods, in applying audit sampling. FAM 400 provides a framework for 
applying audit sampling to financial audits, but is not a comprehensive 
discussion. Additional background and guidance on audit sampling is 
provided in the Audit Guide Audit Sampling (2008), published by the 
AICPA. 

The auditor should consult with the statistician for assistance in 
designing and evaluating audit samples and in evaluating the costs and 
benefits when deciding the appropriate type of audit sampling to use. 

.03: During this phase, the auditor performs activities for each type 
of test to: 

* determine the nature, extent, and timing of further audit procedures
(FAM 420); 

* design tests (FAM 430); and 

* perform tests and evaluate results (FAM 440). 

.04: The types of procedures performed in the testing phase are: 

* Sampling control tests may be performed by the auditor to obtain 
evidence about the achievement of specific control objectives. If the 
auditor obtains sufficient evidence regarding control objectives 
through nonsampling control tests (such as observation, inquiry, and 
walk-throughs, including inspection of documents), sampling control 
tests are not necessary, as discussed in FAM 350. Further guidance on
sampling control tests is in FAM 450. 

* Compliance tests are performed by the auditor to obtain evidence 
about compliance with significant provisions of laws and regulations.
Further guidance on compliance tests is in FAM 460. 

* Substantive procedures are performed by the auditor to obtain 
evidence that provides reasonable assurance about whether the financial 
statements and related assertions are free of material misstatement. 
Further guidance on substantive procedures is in FAM 470, FAM 475, and 
FAM 480. 

.05: Audit documentation of the nature, extent, and timing of procedures
performed during this test phase, as well as conclusions reached, is 
discussed in FAM 490. 

420 - Design the Nature, Extent, and Timing of Further Audit 
Procedures: 

Designing Further Audit Procedures: 

.01: As discussed in FAM 200 (Planning Phase) and FAM 300 (Internal 
Control Phase), the auditor performs risk assessment procedures to plan 
further audit procedures for obtaining audit evidence about control 
effectiveness and about assertions in account balances and classes of 
transactions. Audit evidence is all the information used by the auditor 
in arriving at the conclusions on which the auditor’s reports are 
based. Obtaining evidence is a cumulative process. 

.02: In designing substantive tests, the auditor should design audit 
procedures whose nature, extent, and timing are responsive to the 
assessed risk of material misstatement at the relevant assertion level 
and should consider the: 

* significance of risk; 

* likelihood that a material misstatement will occur; 

* characteristics of the class of transactions, account/line item 
balance, or disclosure involved; 

* nature of the specific controls used by the entity, in particular, 
whether they are manual or automated; and 

* whether the auditor expects to obtain audit evidence to determine if 
the entity’s controls are effective in preventing or detecting material
misstatements. 

The design of specific audit procedures is further discussed in FAM 430;
sampling control tests in FAM 450; compliance tests in FAM 460; FFMIA
tests in FAM 701 and 701A; and substantive procedures in FAM 470, FAM
475, and FAM 480. 

Determine the Nature of Tests: 

.03: Further audit procedures consist of tests of controls and 
substantive procedures. The auditor should determine the nature of 
sampling control tests, compliance tests, and substantive procedures 
that will achieve the audit objectives. 

.04: Substantive procedures are classified as either substantive 
analytical procedures or detail tests. Substantive analytical 
procedures involve the comparison of the recorded test amount with the 
auditor’s expectation of the recorded amount and the investigation of 
any significant differences between these amounts. Further information 
on substantive analytical procedures is in FAM 475. 

Detail tests are classified in two general categories – audit sampling 
and nonsampling. Audit sampling methods involve the selection of 
individual items from a population with the objective of reaching a 
conclusion on all the items in the population (including those not 
selected for testing). Nonsampling methods involve selections to reach 
a conclusion only on the items tested. When using nonsampling, the 
auditor must assess the risk of material misstatement in the items not 
tested. 

.05: The higher the auditor’s assessment of risk of material 
misstatement, the more reliable and relevant is the audit evidence 
needed from substantive procedures. The auditor should determine the 
nature of the population and the objectives of the test procedures. For 
tests that involve audit sampling, efficiencies can be achieved by 
using a common sample for each test. These potential efficiencies are 
discussed in FAM 430. 

Determine the Extent of Tests: 

.06: For each type of test, the auditor should determine the extent of 
tests to be performed. The extent of sampling control tests is a 
function of the auditor’s preliminary assessment of the risk of 
material misstatement, tolerable rate, and the rate of control 
deviations expected. The extent of compliance tests is a function of 
the effectiveness of compliance controls. The extent of substantive 
procedures is a function of the risk of material misstatement, expected 
misstatement, and tolerable misstatement. 

Determine the Timing of Tests: 

.07: As discussed in FAM 295 D, the auditor may conduct tests before the
balance sheet date (interim testing) or conduct all tests as of the 
balance sheet date. FAM 495 C provides guidance on interim testing, 
tests of the period between the interim date and the balance sheet date 
(the roll forward period), and related documentation. 

430 - Design Tests: 

.01: After considering the risk of material misstatement discussed in 
FAM 420, the auditor should design specific tests to be performed. The 
auditor generally should coordinate similar tests. For tests that 
involve audit sampling, efficiencies can be realized by performing 
several tests on a common sample (multipurpose testing).[Footnote 46] 
The auditor generally should minimize the number of separate sampling 
applications performed on the same population by attempting to 
effectively achieve as many objectives as possible using the items 
selected for testing. 

.02: As discussed in FAM 480, there are several methods of selecting 
items for testing. When determining the selection method to use during a
multipurpose test, the auditor generally should use the selection method
appropriate for substantive detail tests in the particular situation. 
Use of this selection method is usually the most efficient because 
sampling control and compliance tests generally may be based on any 
type of sample. 

.03: For example, the auditor may use a sample of property additions to
(1) substantively test the amount of additions and (2) test financial
reporting controls over property acquisition. If a substantive test 
would require 135 sample items selected using MUS and if the test of 
financial reporting controls would require 45 sample items, the auditor 
would select 135 items in the MUS but test controls relating only to 
45. The auditor may use IDEA[Footnote 47] or other software to select 
the random sample from the 135 items in the MUS. Alternatively, the 
auditor would systematically select every third item (using a random 
start) from the 135. The auditor would not use the first 45 sample 
items for control testing because IDEA selects MUS items using either 
systematic sampling or the cell method, meaning that the first 45 items 
are from the first part of the population, not from across the entire 
population. 
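
The sub-selection described in .03, as an added Python example (not 
part of the FAM and not IDEA's own algorithm). The ledger amounts, seed, 
population size, and function names are constructed assumptions; the 
135 and 45 sample sizes are those in the text. It draws 135 items by 
fixed-interval MUS, then compares three ways of choosing the 45 control 
test items. 

```python
import random
from bisect import bisect_left
from itertools import accumulate


def build_population(n_items, rng):
    """Constructed ledger of property additions: a list of dollar amounts."""
    return [rng.randint(100, 50_000) for _ in range(n_items)]


def mus_fixed_interval(amounts, sample_size, rng):
    """Fixed-interval monetary unit selection with a random start.

    Returns the population positions hit, in population order, which is
    the order in which a systematic MUS routine lists its sample.
    """
    cumulative = list(accumulate(amounts))
    interval = cumulative[-1] / sample_size
    start = rng.uniform(0, interval)
    hits = []
    for k in range(sample_size):
        dollar = start + k * interval
        # First item whose cumulative total reaches the selected dollar.
        hits.append(min(bisect_left(cumulative, dollar), len(amounts) - 1))
    return hits


def every_kth(sample, sub_size, rng):
    """Systematic sub-selection: every k-th sample item from a random start."""
    step = len(sample) // sub_size
    start = rng.randrange(step)
    return sample[start::step][:sub_size]


def span(positions, population_size):
    """Share of the population, by position, between first and last pick."""
    return (max(positions) - min(positions)) / (population_size - 1)


def compare_control_subsamples(seed=2008, population_size=3000):
    """Select 135 MUS items, then pick 45 of them for control testing
    three ways and measure how much of the population each pick spans."""
    rng = random.Random(seed)
    amounts = build_population(population_size, rng)
    mus = mus_fixed_interval(amounts, 135, rng)
    picks = {
        "first_45": mus[:45],                      # what .03 says not to do
        "every_third": every_kth(mus, 45, rng),    # systematic, random start
        "random_45": sorted(rng.sample(mus, 45)),  # random pick from the 135
    }
    spans = {name: span(p, population_size) for name, p in picks.items()}
    return mus, picks, spans


if __name__ == "__main__":
    _, _, spans = compare_control_subsamples()
    for name, value in spans.items():
        print(f"{name:12s} spans {value:.0%} of the population by position")
```

The first 45 MUS items span roughly the first third of the ledger, while 
the systematic and random picks reach across nearly all of it. 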

440 - Perform Tests and Evaluate Results: 

.01: The auditor should perform the planned tests as designed in FAM 
420 and FAM 430 and should evaluate the results of each type of test 
separately, without respect to whether the items were chosen as part of 
a multipurpose test. Guidance on performing and evaluating the results 
is presented for each type of test in: 

* FAM 450 - Sampling Control Tests. 

* FAM 460 - Compliance Tests. 

* FAM 470 - Substantive Procedures. 

.02: If the results of tests are different from what was expected when 
designing the tests, the auditor may want to expand the sample to test 
additional items; however, this is usually not appropriate. In a well-
designed sample, the expanded sample will usually produce the same 
results as the original sample. For MUS and attribute samples, unless 
the auditor plans for the expansion of the sample in advance,[Footnote 
48] expansion of the sample is generally not appropriate. See AICPA 
Audit Sampling Guide for further guidance. The auditor should consult 
with the statistician before expanding any samples (see FAM 450.17, FAM 
460.02, and FAM 480.28). 

.03: For CFO Act agencies and components listed in OMB audit guidance, 
the auditor is required to report on the substantial compliance of 
their financial management systems with the requirements of FFMIA. The 
auditor should conclude on compliance at the completion of all audit 
work as discussed in FAM 540. 

Evaluating the Risk of Material Misstatement: 

.04: Evaluating the risk of material misstatement due to errors or 
fraud is a cumulative ongoing process throughout the audit (as 
discussed in FAM 260). During testing, the auditor may become aware of 
additional fraud risk factors or other conditions that may affect the 
auditor’s evaluation of the risk of material misstatement, such as: 

* discrepancies in the accounting records; 

* conflicting or missing evidential matter; or 

* problematic or unusual relationships between management and the
entity being audited. 

In response to fraud risk factors or other conditions, the auditor 
should evaluate whether to perform additional or different audit 
procedures (see FAM 540.18-.24), including consultation with the 
Special Investigator Unit and OGC. 

450 - Sampling Control Tests: 

.01: The auditor should perform tests of control effectiveness at the 
relevant assertion level when the auditor’s preliminary assessment of 
the risk of material misstatement includes an expectation of the 
operating effectiveness of controls, or when substantive procedures 
alone do not provide sufficient appropriate audit evidence. For 
agencies subject to OMB audit guidance, for controls that have been 
properly designed and placed into operation, the auditor should perform 
sufficient tests to support a low level of assessed control risk. 

.02: The auditor may test controls that leave documentary evidence of 
their existence and application by inspecting this evidence. If the 
auditor cannot obtain sufficient evidence using walk-throughs in 
combination with other observation and inquiry tests, the auditor 
should obtain more evidence by inspecting individual items selected 
using audit sampling procedures. The auditor may use multipurpose 
testing by using the same sample to test controls and/or compliance 
and/or balances (test of details) for efficiency. Alternatively, the 
auditor may design a sample to test controls alone. In this case, the 
auditor should use attribute sampling (selected either randomly or
systematically where appropriate, as described beginning in FAM 
450.06). 

.03: When planning sampling control tests, the auditor should 
determine: 

* the objectives of the test (including what constitutes a deviation); 

* the population (including sampling unit and frame); 

* the method of selecting the sample; and 

* the sample design and resulting sample size. 

The auditor should include the sampling plan in audit documentation. See
FAM 495 E for sampling flowcharts and example documentation. 

Objectives of the Test: 

.04: The auditor should document the objectives of each control test. In
designing samples for control tests, the auditor should plan to evaluate
operating effectiveness in terms of the rate of deviations in units or 
dollars from prescribed controls. This involves defining (1) the 
specific control to be tested, and (2) the deviation conditions. The 
auditor should define control deviations in terms of control activities 
not followed. For example, the auditor may define a deviation in cash 
disbursements as “invoice not approved and initialed by an authorized 
individual.” 

Population: 

.05: In defining the population, the auditor should identify the whole 
set of items on which the auditor needs to reach a conclusion and from 
which the sample will be drawn. This includes: 

* describing the population; 

* determining the source document or the transaction documents to be
tested; and 

* defining the period covered by the test. 

When multiple locations are involved, the auditor should determine
whether to use one population of all or several locations, or whether 
to use separate populations. The auditor may be able to use one 
population if the controls at each location are components of one 
overall control system. In making this decision, the auditor should 
evaluate such factors as: 

* the extent of uniformity of the controls and their applications at 
each location; 

* whether significant changes can be made to the controls or their
application at the local level; 

* the amount and nature of centralized oversight or control over local
operations; and 

* whether there could be a need for separate conclusions for each
location. 

If the auditor concludes that the locations are separate populations, 
the auditor should select separate samples at each location and 
evaluate the results of each sample separately. 

Method of Selection: 

.06: The auditor should select a sample that the auditor expects to be
representative of the population. For tests of controls, attribute 
sampling achieves this objective. Attribute sampling requires random or 
systematic, if appropriate, selection of sample items without 
considering the transactions’ dollar amount or other special 
characteristics. The auditor may also use IDEA or other software to 
make random selections. 

Sample Size: 

.07: In designing attribute samples for which documentary evidence is 
the principal source of evidence of control effectiveness, the auditor 
should determine the objectives of the sample. For financial reporting 
control tests, the objective is to support the preliminary assessment 
of control risk as either moderate or low. For compliance and 
operations control tests, the objective is to support the preliminary 
assessment of the control as effective. In addition, for financial 
reporting and compliance control tests, there is an objective of 
obtaining evidence to support the auditor’s report on internal control. 

.08: To determine the sample size, the auditor uses professional 
judgment to determine three factors: 

* confidence level;[Footnote 49] 

* tolerable rate (maximum rate of deviations from the prescribed control
that the auditor is willing to accept without altering the preliminary
control risk); and 

* expected population deviation rate (expected error rate). 

Once the auditor determines these factors, the auditor may use computer
software (such as IDEA) to determine sample size and to select samples 
for testing. The auditor may also use FAM Tables I and II below in 
figure 450.1 to determine sample size and to evaluate test results. 

Figure 450.1: Sample Sizes and Acceptable Numbers of Deviations (90% 
Confidence level): 

Table I: (Tolerable rate of 5%); (Use for determining sample sizes in 
all cases): 

Sample size: 45; 
Acceptable number of deviations: 0. 

Sample size: 78; 
Acceptable number of deviations: 1. 

Sample size: 105; 
Acceptable number of deviations: 2. 

Sample size: 132; 
Acceptable number of deviations: 3. 

Sample size: 133; 
Acceptable number of deviations: 4. 

Table II: (Tolerable rate of 10%); (Use for evaluating sample results 
only if preliminary assessment of control risk is low and deviations
exceed Table I): 

Sample size: 45; 
Acceptable number of deviations: 1. 

Sample size: 78; 
Acceptable number of deviations: 4. 

Sample size: 105; 
Acceptable number of deviations: 6. 

Sample size: 132; 
Acceptable number of deviations: 8. 

Sample size: 133; 
Acceptable number of deviations: 10. 

[End of figure] 

The auditor may use FAM Table I to determine the sample sizes necessary 
to support the preliminary assessments of controls in all cases and to 
conclude on the effectiveness of the controls. The auditor may use FAM
Table II to evaluate sample results only when the preliminary assessment
of financial reporting control risk is low and the number of deviations
found exceeds the acceptable number of deviations from FAM Table I. 

The AICPA has other examples in its guidance, and FAM Table factors are
within the range of the AICPA examples and are statistically valid. If 
an auditor chooses to use factors other than FAM Tables I and II, the 
auditor should consult with the statistician. 

.09: FAM Tables I and II are based on a 90 percent confidence level. 
The auditor generally uses this confidence level for sampling control 
tests because the auditor generally obtains additional satisfaction on 
controls through other audit tests such as substantive procedures, 
inquiry, observation, and walkthroughs. 

.10: FAM Tables I and II are each based on different tolerable rates. 
FAM Table I is based on a tolerable rate of 5 percent, and FAM Table II 
is based on a tolerable rate of 10 percent. Each table shows various 
sample sizes and the maximum number of deviations that may be detected 
in each sample to rely on the controls at the determined control risk 
level. See FAM 450.13-.15 for a discussion of the evaluation of test 
results.[Footnote 50] 

.11: For financial reporting controls, if the preliminary assessment of 
control risk is low or moderate, the auditor may use FAM Table I to 
determine sample size. OMB audit guidance requires the auditor to 
perform sufficient control tests to justify a low assessed level of 
control risk, if controls have been properly designed and placed in 
operation. 

For compliance and operations controls, the auditor may determine sample
sizes using FAM Table I. 

.12: The auditor may use the sample size indicated for 0 acceptable 
deviations (45 items) if the auditor expects no deviations. If no 
deviations are expected, this sample size will be the most efficient 
for assessing control effectiveness. If no deviations are found, this 
sample will be sufficient to support the assessment of control risk. 
However, the auditor may use a larger sample size if control deviations 
are expected to occur but are not expected to exceed the acceptable 
number of deviations in FAM Table I. 

Evaluating Test Results: 

Financial Reporting Controls: 

.13: Deviations from controls may be caused by factors such as changes 
in key personnel, significant seasonal fluctuations in the volume of 
transactions, and human error. When deviations are detected during 
tests of controls, the auditor should make specific inquiries to 
understand these matters and their potential consequences, for example, 
by inquiring about the timing of personnel changes in key internal 
control functions. In addition, the auditor should determine whether 
any misstatements detected from the performance of substantive 
procedures alter the auditor’s judgment as to the effectiveness of 
related controls. The auditor should determine whether the tests of 
controls performed provide an appropriate basis for reliance on the 
controls, whether tests of other controls (such as compensating 
controls) are necessary, or whether the potential risks of material 
misstatement need to be addressed using substantive procedures. 

.14: To evaluate sample results, the auditor needs the sample size, the 
number of deviations, and the confidence level. The auditor may use 
software (such as IDEA), the FAM tables, or other tables to evaluate 
results.[Footnote 51] If the auditor used FAM Table I to determine 
sample size, and deviations exceed the acceptable number for the sample 
size, the auditor should follow the guidance below in deciding how to 
revise the preliminary assessment of control risk. 

* Low control risk: If the preliminary assessment of control risk is 
low and if deviations are noted that exceed the acceptable number for
FAM Table I, but not FAM Table II, the auditor may reassess control 
risk as moderate. For example, if the original sample was 45 items, the
auditor may reassess control risk as moderate if there is not more than
1 deviation. If the auditor finds more than one deviation with a sample
size of 45 items, the auditor should conclude that the controls being
tested are not operating effectively and should reassess control risk as
high. Based upon this revised assessment, the auditor would change the
risk of material misstatement and would reconsider the nature, extent,
and timing of substantive procedures. 

* Moderate control risk: If the preliminary assessment of control risk 
is moderate and if control deviations exceed the acceptable number for 
FAM Table I, the auditor should conclude that control risk is high. The 
preliminary assessment of control risk is based on the assumption that 
the controls operate as designed. If the preliminary assessment of 
control risk is moderate and if control tests indicate that the control 
is not operating as designed (because deviations exceed the acceptable 
number in FAM Table I), the auditor should conclude that the control is 
ineffective and revise the control risk assessment to high. Based on 
the revised assessment, the auditor would change the risk of material 
misstatement and would reconsider the nature, extent, and timing of 
substantive procedures. 

Compliance Controls: 

.15: If the auditor used FAM Table I to determine sample size and 
deviations exceed the acceptable number for the sample sizes shown in 
the table, the auditor should conclude that the compliance control is 
not effective. The auditor also should determine whether any deviations 
noted ultimately resulted in noncompliance with a budget-related or 
other law or regulation. 

Based on the revised assessment, the auditor would change the risk of
noncompliance and would reconsider the nature, extent, and timing of
tests of compliance. 

Operations Controls: 

.16: If the auditor used FAM Table I to determine sample size and 
deviations exceed the acceptable number for the sample sizes shown in 
the table, the auditor should conclude that the operations control is 
not effective. The auditor should not place reliance on ineffective 
operations controls when performing other auditing procedures. 

Other Considerations: 

.17: If, during the testing of sample items, the number of deviations 
exceeds the acceptable number of deviations in FAM Table I or II (as 
applicable), the auditor should conclude that controls are not 
operating effectively and decide whether to stop further testing. In 
making this decision, the auditor should determine whether there are 
reasons for continuing to test the remaining sample items. For example, 
audit team management should determine whether additional information 
(such as an estimate of the population rate of occurrence) is needed to 
report control deficiencies as described in FAM 580.32-.59. An interval 
estimate may help the auditor decide whether the deficiency is a 
material weakness, other significant deficiency or other control 
deficiency. 

The auditor should determine which elements of the finding (condition,
cause, criteria, possible effect, and recommendation or suggestion) 
need to be developed. The auditor may decide to include an interval 
estimate in the report. The auditor should consult with audit team 
management and the statistician in deciding whether to complete the 
testing of the sample. 

.18: If the auditor finds an unacceptable number of deviations in the 
original sample and the auditor believes the use of a larger sample 
size may result in an acceptable number of deviations, the auditor 
should consult with the statistician before selecting additional sample 
items. The auditor should not use a revised sample size and evaluate 
additional sample items based on FAM Tables I or II or on the formulas 
used by IDEA. 

.19: The auditor should consult with the statistician when projecting 
the rate of sample control deviations to a population for disclosure in 
a report. If the auditor has used attribute sampling, the auditor 
should project the deviation rate as a percentage of transactions. If 
the auditor has used MUS, the auditor should project the deviation rate 
as a percentage of dollars in the population (see FAM 480). 

460 - Compliance Tests: 

.01: The type of provision of a law or regulation and the assessment of 
the effectiveness of compliance controls affect the nature and extent of
compliance testing. Based on the three categories of provisions (as
discussed in FAM 245.01) the auditor should perform the compliance tests
discussed below. 

Transaction-Based Provisions: 

.02: To test transaction-based provisions, the auditor should use audit 
sampling to select specific transactions for testing compliance. The 
auditor may use the same sample to test financial reporting, 
compliance, or operations controls and/or substantive tests, as 
appropriate (multipurpose testing). If the selection is solely for 
compliance testing, the auditor generally should use a random attribute 
sample (see FAM 450.06). To determine sample size, the auditor should 
make judgments as to confidence level, tolerable rate, and expected 
population deviation rate. The auditor should determine confidence 
level based on compliance control risk. 

For example, if the auditor determines compliance controls are 
effective, the auditor may use an 80 percent confidence level or if 
ineffective, a 95 percent confidence level. Tolerable rate is the rate 
of transactions not in compliance that could exist in the population 
without causing the auditor to believe the noncompliance rate is too 
high. GAO auditors generally use a 5 percent tolerable rate. Since the 
auditor will assess the impact of all identified noncompliance, many 
auditors use zero as the expected population deviation rate. Using the 
above factors yields the sample sizes in Table 460.1. 

Table 460.1: Compliance Controls, Confidence Level, and Minimum Sample 
Size: 

Compliance Controls: Effective; 
Confidence Level: 80 percent; 
Minimum Sample Size[A]: 32. 

Compliance Controls: Not Effective; 
Confidence Level: 95 percent; 
Minimum Sample Size[A]: 58. 

[A] Tolerable rate of 5 percent, expected population deviation rate of 
zero and a population over 5,000 items. If the population is smaller, 
the auditor may ask the statistician to calculate a reduced sample size 
and to evaluate the results. 

[End of table] 

Since the auditor usually reports compliance on an entitywide basis, the
auditor may use these sample sizes on an entitywide basis. Evaluation of
test results is discussed in FAM 460.07. The auditor should test the 
entire sample, even if instances of noncompliance are detected. If the 
auditor assessed compliance controls on a preliminary basis as 
effective and the results of testing indicated that this assessment is 
not appropriate, the auditor should consult with the statistician to 
determine the appropriate sample size and selection procedures. The 
auditor should choose the other sample size, but may, for example, 
increase the sample size from 32 to 65 by using sequential sampling and 
randomly selecting 33 additional items. The statistician should 
evaluate results when the auditor expands a test. 

Quantitative-Based Provisions: 

.03: Effective compliance controls provide reasonable assurance that the
accumulation/summarization of transactional information is accurate, 
complete, and within authorized limits. If compliance controls do not 
provide such reasonable assurance, the auditor should test the 
accumulated information directly for existence, completeness, and 
summarization. Such tests may be either statistical samples or 
nonsampling selections. The auditor should design tests to detect 
misstatements that either exceed an auditor-determined percentage of the
total amount of the summarized information or the amount of the 
restriction stated in the provision, if any. GAO auditors generally use 
5 percent for this tolerable misstatement. The amount of the 
restriction is described in FAM 245.01. 

The auditor may discontinue such tests if significant misstatements in 
the accumulated information are noted that would preclude compliance. 
The test for compliance is the comparison of the accumulated or 
summarized information with any restrictions on the amounts stated in 
the identified provision. 

.04: If the auditor determines that provisions of budget-related laws 
and regulations are significant and if related budget and, consequently,
compliance controls are ineffective, the auditor should test the
accumulated or summarized information directly for the following
potential misstatements in budget execution information: 

* Occurrence/validity: Recorded amounts are not valid. (See FAM 395 F 
for occurrence/validity criteria for obligations, expended authority, 
and outlays.) 

* Completeness: Not all amounts that should have been recorded are 
recorded. 

* Cutoff: Obligations, expended authority, and outlays are not recorded 
in the proper period. 

* Accuracy: Obligations, expended authority, and outlays are not 
recorded at the proper amounts. 

* Classification: Obligations, expended authority, and outlays are not 
recorded in the proper account by program and by object, if applicable,
including the proper appropriation year if the account has multiple 
years. (Examples of program and object classifications are provided in
FAM 395 F.) 

* Summarization: Transactions are not properly summarized to the
respective account totals. 

.05: An example of audit procedures to test for these misstatements is 
included in FAM 495 B. 

Procedural-Based Provisions: 

.06: In testing compliance controls relating to a procedural-based 
provision, the auditor should obtain sufficient evidence to conclude 
whether the entity performed the procedure and therefore complied with 
the provision. For example, the auditor performs tests of compliance 
controls concerning receipt of information from grantees to obtain 
evidence of whether such information was received and therefore whether 
the entity complied. If compliance control tests do not provide 
sufficient evidence to determine compliance, the auditor should perform 
additional procedures, as necessary, to obtain such evidence. 

Evaluating Test Results: 

.07: For any possible instances of reportable noncompliance (see FAM 
580.70) noted in connection with the procedures described above or 
other audit procedures, the auditor should: 

* discuss such possible instances of reportable noncompliance with OGC
and, when appropriate, the Special Investigator Unit and conclude 
whether noncompliance has occurred and the implications of any 
noncompliance; 

* identify the deficiency in compliance controls that did not prevent or
detect and correct the noncompliance, if not previously identified 
during compliance control testing; 

* report any material weakness and other significant deficiencies in
compliance controls and determine the effect, if any, on the report (or
opinion) on internal control (see FAM 580.32-.56); 

* determine the implications of any instances of reportable
noncompliance on the financial statements; and 

* report instances of noncompliance, as appropriate (see FAM 
580.68-.76). 

470 - Substantive Procedures – Overview: 

.01: In the internal control phase, the auditor performed a preliminary
assessment of the risk of material misstatement for each significant
assertion within each significant line item or account (see FAM 370). 
In the testing phase, the auditor plans and performs further audit 
procedures to be responsive to the risk of material misstatement. 

Based on the assessed risk of material misstatement, the auditor should
design and perform substantive procedures for relevant assertions 
related to each material class of transactions (such as payroll or 
nonpayroll expenditures), line items (such as FBWT), and account 
balances (such as individual FBWT accounts). 

.02: The auditor’s objective during substantive procedures is to 
determine whether assertions are materially misstated and to form an 
opinion about whether the financial statements taken as a whole are 
presented fairly, in all material respects, in accordance with U.S. 
GAAP. To determine if assertions are misstated, the auditor should 
design substantive procedures to detect each of the likely 
misstatements in assertions that were developed in the internal control 
phase (see FAM 330). 

The auditor’s substantive procedures also should include the following
audit procedures related to the financial statement reporting 
processes: 

* agreeing the financial statements, including their accompanying 
notes, to the underlying accounting records; and 

* examining material journal entries and other adjustments made during 
the course of preparing the financial statements. 

In addition, the auditor should determine whether efficiencies can be
achieved by using the concepts of directional testing, as discussed in 
FAM 470.15-.18. 

.03: As discussed in FAM 260.04, detection risk is the risk that the 
auditor will not detect a material misstatement that exists in an 
assertion. Based on the assessed risk of material misstatement, the 
auditor should determine the nature, extent, and timing of substantive 
audit procedures to reduce the level of detection risk to an acceptably 
low level. The auditor determines the level of audit assurance to use 
for all substantive procedures to detect misstatements that in total 
exceed materiality established in FAM 230. Audit assurance relates to 
the entire audit. The auditor should determine the audit assurance 
needed based on the risk of material misstatement. The higher the risk 
of material misstatement, the more audit assurance the auditor needs. 
For example, based on the audit risk model in AU 350 and a desired 
overall audit assurance of 95 percent, GAO auditors generally use the 
audit assurance for each risk of material misstatement as indicated in 
Table 470.1. 

Table 470.1: Risk of Material Misstatement and Minimum Levels of Audit 
Assurance: 

Risk of material misstatement: Low; 
Minimum level of audit assurance: 63%. 

Risk of material misstatement: Moderate; 
Minimum level of audit assurance: 86%. 

Risk of material misstatement: High; 
Minimum level of audit assurance: 95%. 

[End of table] 

Types of Substantive Procedures: 

.04: There are two types of substantive procedures: (1) substantive 
analytical procedures, and (2) tests of details. To achieve the audit 
assurance as discussed above, the auditor may use either of these tests 
or a combination of the two. The type of test to use and the amount of 
reliance to place on each type of procedure is a matter of the 
auditor’s professional judgment to include considerations of audit 
effectiveness and efficiency. To determine an appropriate mix of 
substantive procedures the auditor may use the audit matrix in FAM 
470.11. 

Substantive Analytical Procedures: 

.05: Substantive analytical procedures involve the auditor’s comparison 
of a recorded amount with an expectation of that amount and subsequent
investigation of any significant differences to reach a conclusion on 
the recorded amount. Analytical procedures involve a study of plausible
relationships among both financial and nonfinancial data. A basic 
premise is that plausible relationships among data may reasonably exist 
and continue in the absence of errors, fraud, or changes in 
circumstances. (See AU 329.) 

.06: The auditor may perform substantive analytical procedures at one 
of three levels for an assertion, as follows: 

* Complete: The auditor relies solely on substantive analytical 
procedures for all of the assurance required from substantive 
procedures. The procedure is so persuasive that the auditor believes 
that it is highly likely to detect any aggregate misstatements that 
exceed tolerable misstatement. Complete assurance from substantive 
analytical procedures requires procedures that are extremely effective 
and persuasive to serve as the sole source of audit evidence for 
achieving the audit objective. This level of effectiveness or 
persuasiveness is very difficult to achieve when risk of material 
misstatement is high. Therefore, complete reliance on substantive 
analytical procedures for audit assurance in these situations is rare, 
particularly for balance sheet accounts. 

* Partial: The auditor relies on a combination of substantive analytical
procedures and tests of details to obtain an appropriate level of audit
assurance. For partial assurance, the auditor believes that the 
analytical procedures more likely than not will detect any aggregate
misstatements that exceed tolerable misstatement. 

* None: The auditor does not rely on substantive analytical procedures
for audit assurance and the auditor will obtain assurance from tests of
details. In this situation, the auditor may perform supplemental
analytical procedures to increase an understanding of account balances
and transactions, but not to provide any additional audit assurance.
These procedures are similar in scope to those performed on an overall
basis at the financial statement level (see FAM 520). 

.07: To determine whether to perform complete or partial substantive 
analytical procedures, the auditor should evaluate the effectiveness, or
persuasiveness and efficiency, of such procedures. In so doing, the 
auditor may use the factors discussed in FAM 495 A. 

Test of Details: 

.08: Tests of details are procedures applied to individual items 
selected by the auditor for testing and include: 

* Confirmation of a balance or transaction or the related terms (such as
the terms of payment), by obtaining and evaluating direct communication 
from a third party, such as for accounts receivable or accounts 
payable. 

* Physical observation by inspecting, counting, and applying related 
audit procedures for tangible assets, such as inventory or property,
plant, and equipment. 

* Examination of supporting documents to determine whether a balance is 
properly stated, such as examining invoices for expenses and the 
purchase of inventory and property. 

* Recalculation by checking the mathematical accuracy of entity records 
by footing, cross-footing, or recomputing amounts and tracing journal 
postings, subsidiary ledger balances, and other details to 
corresponding general ledger accounts. For example, the auditor may
recalculate unit cost extensions in an inventory list, foot the list
(whether prepared manually or by computer), and trace the total to the
general ledger amount. 

.09: Detail tests are often used in combination to provide sufficient 
substantive audit assurance about an assertion. For example, to test the
valuation/accuracy of accounts receivable, the auditor might confirm
balances, recalculate the aging schedule, examine documents supporting
the aging and specific delinquent accounts, and discuss collectibility 
with management. On the other hand, a single detail test procedure might
provide audit assurance about more than one of the five financial 
statement assertions. For example, a physical observation of inventory 
may provide evidence about existence, valuation/accuracy, and 
presentation and disclosure. 

.10: The minimum extent of detail testing to be performed is based on 
the risk of material misstatement and the assurance obtained from 
substantive analytical procedures, as illustrated in the audit matrix 
in Table 470.2. 

Determining Mix of Substantive Procedures: 

.11: In determining an appropriate mix of substantive analytical 
procedures and detail tests, the auditor generally should use the audit 
matrix in Table 470.2, which illustrates the integration of such tests 
for each level of risk of material misstatement, when the auditor is 
using a desired overall audit assurance of 95 percent. The audit 
standards use the term detection risk, which is 1 minus the audit 
assurance from detail tests. 

Table 470.2: Audit Matrix: 

Assessed risk of material misstatement: Low; 
Substantive audit assurance (Table 470.01): 63%; 
Audit assurance from substantive analytical procedures[A]: Complete; 
Minimum audit assurance from detail tests: 0%. 

Assessed risk of material misstatement: Low; 
Substantive audit assurance (Table 470.01): 63%; 
Audit assurance from substantive analytical procedures[A]: Partial; 
Minimum audit assurance from detail tests: 50%. 

Assessed risk of material misstatement: Low; 
Substantive audit assurance (Table 470.01): 63%; 
Audit assurance from substantive analytical procedures[A]: None; 
Minimum audit assurance from detail tests: 63%. 

Assessed risk of material misstatement: Moderate; 
Substantive audit assurance (Table 470.01): 86%; 
Audit assurance from substantive analytical procedures[A]: Complete; 
Minimum audit assurance from detail tests: 0%. 

Assessed risk of material misstatement: Moderate; 
Substantive audit assurance (Table 470.01): 86%; 
Audit assurance from substantive analytical procedures[A]: Partial; 
Minimum audit assurance from detail tests: 77%. 

Assessed risk of material misstatement: Moderate; 
Substantive audit assurance (Table 470.01): 86%; 
Audit assurance from substantive analytical procedures[A]: None; 
Minimum audit assurance from detail tests: 86%. 

Assessed risk of material misstatement: High; 
Substantive audit assurance (Table 470.01): 95%; 
Audit assurance from substantive analytical procedures[A]: Complete; 
Minimum audit assurance from detail tests: 0%. 

Assessed risk of material misstatement: High; 
Substantive audit assurance (Table 470.01): 95%; 
Audit assurance from substantive analytical procedures[A]: Partial; 
Minimum audit assurance from detail tests: 92%. 

Assessed risk of material misstatement: High; 
Substantive audit assurance (Table 470.01): 95%; 
Audit assurance from substantive analytical procedures[A]: None; 
Minimum audit assurance from detail tests: 95%. 

[A] Complete assurance from substantive analytical procedures is 
difficult to achieve, as discussed in FAM 470.06. 

[End of table] 

.12: Additional factors to consider in determining an appropriate mix of
substantive analytical procedures and detail tests include the 
following: 

* The nature and significance of the assertion being tested: Analytical 
procedures are generally more likely to be effective for assertions 
related to accounts that reflect the audit period’s activity, such as 
accounts included in the statement of net cost, than for accounts 
related to balance sheet accounts or other cumulative balances. 
Significant assertions generally require more or higher-quality audit 
evidence that may not be available from analytical procedures. 

* The nature of the risk of material misstatement: The auditor should 
design substantive procedures that address the specific type and level 
of risk of material misstatement for each assertion. For example, for 
certain loss claim liabilities, the auditor may design detail tests to
search subsequent claim payments for potential liabilities in testing 
the completeness assertion, while the auditor may use analytical 
procedures to test the related valuation assertion by evaluating the
average amounts per claim. 

* The availability of different types of evidence: Using evidence that
can be readily obtained may be more efficient. For example, in federal
government audits, the auditor may use budgets and other information
in performing analytical procedures. 

* The quality of the types of evidence available: The higher the 
quality of a type of evidence, the greater the level of assurance the
auditor may derive from that type (see FAM 470.14). 

* The anticipated effectiveness of substantive analytical procedures: 
The auditor should use detail tests if substantive analytical 
procedures are not expected to be effective. 

.13: When determining the types of substantive procedures to use, the 
auditor should choose the mix of effective procedures that are 
efficient in combination with sampling control tests and compliance 
tests. 

.14: When considering a procedure’s relative effectiveness, the auditor 
should evaluate the expected quality of the evidence. The quality of 
evidence obtained in substantive procedures depends highly on the 
circumstances under which it is obtained. Some generalizations about 
evidence are: 

* Evidence obtained from independent third parties provides a higher 
level of assurance than evidence obtained from sources in the entity. 

* Evidence obtained directly by the auditor through confirmation, 
physical examination, vouching, or recalculation provides a higher level
of assurance than evidence obtained indirectly, such as through 
inquiry. 

* Documentary evidence provides a higher level of assurance than oral
representations. 

* Evidence obtained at or near the balance sheet date concerning an 
asset or liability balance provides a higher level of assurance than 
evidence obtained before or after the balance sheet date, because the
audit risk generally increases with the length of the intervening 
period. 

* The lower the control risk associated with an entity’s internal 
control, the higher the assurance concerning the information subject to 
that internal control. 

Directional Testing: 

.15: In planning tests, the auditor may use the relationships between 
recorded amounts to help achieve efficiencies. For example, in 
double-entry accounting, a misstatement in one account affects at least one 
other related account. This relationship gives rise to the opportunity 
to test more than one account with a single test. Additionally, the 
relationship between budgetary and proprietary[Footnote 52] accounts 
may provide an opportunity for efficiencies in testing, such as 
undelivered orders and delivered orders – unpaid for budgetary accounts 
and expenses and accounts payable for proprietary accounts. 

.16: As stated, in double-entry accounting, a misstatement in one 
account affects at least one other related account. For example, a 
misstatement of accrued payroll typically results in a misstatement of 
payroll expense. In this example, substantive procedures performed on 
accrued payroll usually will detect misstatements in both accrued 
payroll and payroll expense. In designing substantive procedures after 
considering risk of material misstatement and developing an 
understanding of each related account, the auditor should determine the 
effect of tests on related accounts. For example, a test of revenue for 
completeness may provide substantive evidence about the completeness of 
accounts receivable. 

Where the entity uses double-entry accounting, the auditor may (1) 
design an overall audit strategy that tests certain accounts 
substantively for either existence or completeness (the two assertions 
most affected by testing related accounts), and (2) rely on such tests 
to detect misstatements in the related accounts. For example, the 
auditor may test (1) assets and expenses directly for existence, and 
(2) liabilities, equity, and revenue for completeness, thereby 
indirectly testing the related accounts for existence or completeness, 
as applicable. This logic is called a directional testing approach. 

.17: In some instances, the auditor may supplement a directional testing
approach to address a specific risk of material misstatement. For 
example, if cutoff is a significant risk, the auditor may test both 
existence and completeness assertions in a test of cutoff as of the 
balance sheet date. During initial financial statement audits, the 
auditor generally should test both existence and completeness directly, 
when those assertions are significant, because the cumulative knowledge 
about the interaction of accounts may be limited. 

.18: The audit assurance that can be obtained from directional testing 
is diminished in balance-sheet-only audits if related accounts are not 
also tested and in audits of entities having single-entry accounting 
systems (since double-entry account interrelationships do not exist). 
In these instances, the auditor should test both existence and 
completeness directly when those assertions are significant. 

.19: The auditor generally should combine the testing of budgetary and
proprietary accounts where the combination is appropriate. For example,
the auditor may combine tests of outlays on the statement of budgetary
resources with tests of cash disbursements used to test net costs. 

.20: If an entity has budget accounting records but does not maintain 
separate proprietary accounting records, or the proprietary records are 
incomplete, the auditor should directly test expended authority 
produced by the budget system and the items necessary to reconcile the 
budget to the proprietary accounts. 

.21: Also, if (1) relevant budget restrictions relate to significant 
quantitative-based provisions of laws and regulations, and (2) budget 
controls are not effective, the auditor should test the accumulated or 
summarized information directly (see FAM 460.03-.05). 

475 - Substantive Analytical Procedures: 

.01: FAM 475 provides guidance on the application of substantive 
analytical procedures. These procedures consist of evaluations of 
financial information made by a study of plausible relationships among 
both financial and nonfinancial data. Analytical procedures also 
encompass the investigation of identified fluctuations and 
relationships that are inconsistent with other relevant information or 
deviate significantly from predicted amounts. 

The auditor develops an expectation or estimate of the recorded amount
based on an analysis and understanding of relationships between the
recorded amounts and other data. This expectation is then used to form a
conclusion on the recorded amount. A basic premise underlying analytical
procedures is that plausible relationships among data may reasonably be
expected to continue unless conditions have changed or the data are
misstated. (For further information, refer to AU 329 or the AICPA Audit
Guide, Analytical Procedures.) 

.02: Scanning account detail and recomputation are two other audit 
procedures related to substantive analytical procedures. Scanning 
consists of searching for unusual items in the detail of account 
balances. Scanning is an appropriate tool for investigating the cause 
of a significant fluctuation, but it is not a substantive analytical 
procedure on its own. The auditor should investigate unusual items 
identified through scanning to obtain substantive audit assurance about 
the cause of the fluctuation. For example, the auditor identifies an 
unusual fluctuation in the property balance when performing other 
substantive procedures. In scanning a detail listing of vehicles, the 
auditor may find an auto valued at $600,000.00 which appears unusually 
high. Further investigation finds the decimal point was misplaced when 
the data was entered and the vehicle should be recorded at $6,000.00. 

The auditor may also independently compute an estimate of an account
balance, which is sometimes referred to as recomputation or an overall 
test of reasonableness. These recomputations are considered substantive
analytical procedures. When making recomputations, the auditor should
assess the reliability of the data used and should follow the steps 
used for performing substantive analytical procedures. An example is 
recomputing the amount of depreciation expense on equipment using the 
accounting method, useful life, and date the asset was placed into 
service. 

.03: The risk of forming the incorrect conclusion on the account 
balance tested may be higher for substantive analytical procedures than 
for detail tests due to the extensive use of the auditor’s professional 
judgment. Accordingly, quality control is of critical importance. To 
help maintain quality in these procedures, experienced audit team 
personnel should perform, or closely supervise and review, the 
assessment of the reliance to place on procedures, design of 
procedures, and formulation of conclusions as a result of procedures. 

.04: In designing substantive analytical procedures, as discussed in AU 
318, the auditor should determine: 

* the suitability of using substantive analytical procedures, given the
assertions; 

* the reliability of the data, whether internal or external, from which 
the expectation of recorded amounts or ratios are developed; 

* whether the expectation is sufficiently precise to identify the 
possibility of a material misstatement at the desired level of 
assurance; 

* the amount of any difference in recorded amounts from expected values 
that is acceptable; and 

* the risk of management override of controls. 

The auditor should determine whether to test the controls, if any, over 
the entity’s preparation of information to be used by the auditor in 
applying analytical procedures. When such controls are effective, the 
auditor has greater confidence in the reliability of the information 
and therefore in the results of analytical procedures. 

Performing Substantive Analytical Procedures: 

.05: If substantive analytical procedures are used, the auditor 
generally should: 

a. Determine the amount of the limit. The limit is the amount of 
difference between the auditor’s expectation and the recorded amount 
that the auditor will accept without investigation. The determination 
of the limit is a matter of the auditor’s judgment, although some 
guidelines are provided in FAM 475.06. These guidelines incorporate the 
amount of substantive audit assurance desired from analytical 
procedures. 

b. Identify a plausible, predictable relationship and develop a model to
calculate an expectation of the recorded amount. Determine the type of 
misstatements that are likely to occur and how those misstatements 
would be detected by the model. 

c. Gather data for developing the expectation, and perform appropriate
procedures to establish the reliability of the data. The reliability of 
data is discussed further in FAM 495.15 A. 

d. Develop the expectation of the recorded amount using the information
obtained during the previous steps. The preciseness of the expectation
is subject to the auditor’s judgment and is discussed further in FAM
495.23-.25 A. 

e. Compare the expectation with the recorded amount, and note the
difference. 

f. Obtain explanations from appropriate entity personnel for differences
that exceed the limit, since such differences are significant. 

g. Corroborate the entity’s explanations for significant differences by
examining evidence. 

h. Determine whether the explanations and corroborating evidence 
provide sufficient evidence for the desired level of substantive audit
assurance. If unable to obtain a sufficient level of substantive audit
assurance from substantive analytical procedures, the auditor should
perform additional procedures as discussed in FAM 475.13-.18 and
evaluate whether the difference represents a misstatement. 

i. Evaluate whether the assessment of risk of material misstatement 
remains appropriate, particularly in light of any misstatements 
identified. Revise the assessment of risk of material misstatement, if
necessary, and consider the effects on the extent of detail tests. 

j. Document on the Schedule of Uncorrected Misstatements (as discussed
in 540.04) the amount of any misstatements detected by substantive 
analytical procedures and their estimated effects. The limit (the amount
of the difference between the recorded amount and the expectation that 
does not require explanation) is not a known or likely misstatement and 
is not posted to the Schedule of Uncorrected Misstatements. The amount 
of any known or likely misstatements does not include the amount of the 
limit. 

k. Conclude on the fair presentation of the recorded amount. 

l. Include documentation of work performed, results, and conclusions.
See FAM 490. 

Guidelines for Establishing the Limit: 

.06: As discussed above, the limit is the amount of the difference 
between the expected and recorded amounts that can be accepted without 
further investigation. The auditor generally should use the following 
guidelines in establishing the limit for each level of reliance on 
analytical procedures for substantive audit assurance: 

* Complete reliance: The limit is 20 percent or less of tolerable
misstatement. 

* Partial reliance: The limit is 30 percent or less of tolerable
misstatement. 

* No reliance: Substantive analytical procedures are not needed. 

Auditors using different limits should document the basis for the limit
used. 

Investigating Significant Differences: 

Causes of Significant Differences: 

.07: Differences between the expectation and the recorded amount relate 
to either factors not included in the model (such as specific unusual
transactions or changes in accounting policies), a lack of preciseness 
of the model, or misstatements (either errors or fraud). The auditor’s 
objective in investigating significant differences is to determine 
whether they represent misstatements or one of the other factors. 

Amount of Difference to Be Explained: 

.08: When obtaining explanations, the auditor should discuss with entity
personnel the model and assumptions used to develop the expectation.
Entity personnel will then be in a better position to provide the 
auditor with a relevant explanation. If the amount of the difference 
exceeds the limit, the auditor generally should ask entity personnel to 
provide an explanation for the entire difference between the recorded 
amount and the expectation. However, the auditor may decide to stop if 
the explanation covers the portion of the difference that exceeds the 
limit (see fig. 475.1). If the difference does not exceed the limit, an 
explanation is not required. The auditor should identify and 
corroborate all significant factors that cause the expectation to 
differ from the actual amount, regardless of whether the factors 
increase or decrease the difference. 

Figure 475.1: Explanations When Recorded Amount Exceeds Limit: 

[See PDF for image] 

This figure is an illustration of explanations when recorded amount 
exceeds limit, as follows: 

Expectation to Limit: May not need an explanation; 
Limit to recorded amount: Minimum to explain. 

[End of figure] 

Corroboration of Explanations: 

.09: The relevance and reliability of corroborating evidence may vary
significantly. Therefore, the extent of corroboration of explanations 
is left to the auditor’s professional judgment. Corroboration may 
consist of examining supporting documentation or corroborating 
explanations from personnel in the accounting department and personnel 
in the appropriate operating department knowledgeable about the 
entity’s operations. The auditor should quantify and address the 
direction and magnitude of the event causing the fluctuation and 
corroborate explanations received. The auditor should determine 
whether sufficient corroborating evidence has been obtained based on 
the guidelines for complete and partial assurance discussed in FAM 
470.06. In evaluating explanations, the auditor should also determine 
whether the difference is caused by error or fraud. 

Example of an Adequate Explanation for a Significant Fluctuation: 

.10: Assume that the auditor assessed tolerable misstatement to be $25 
million. Additionally, assume that the auditor has determined, after 
evaluating the risk of material misstatement, to perform a substantive 
analytical procedure with a limit of $5 million. The auditor estimated 
interest expense at $80 million by multiplying the average loan balance 
of $1 billion by an average interest rate of 8 percent. Both of these 
averages were computed through a simple average of beginning-of-year 
and end-of-year amounts. The recorded amount of interest expense, $95 
million, is higher than the estimated amount by $15 million and exceeds 
the limit by $10 million. 

.11: An explanation from entity personnel that “we borrowed more money 
this year and interest rates are higher than last year” would not be 
adequate since it explains why interest is likely to be higher but not 
how much higher (it corroborates direction, not amount). The auditor 
should ask management to quantify the explanation by indicating when 
interest rates changed and when amounts borrowed changed. The auditor 
should then corroborate the information provided. 

.12: An example of an adequate explanation follows. 

Management determined that interest rates increased during the year and
then fell and were computed to average 9 percent based on the attached
monthly weighted average. Additionally, $100 million was borrowed and
repaid during the year, and the additional borrowings were outstanding 
for 6 months. Therefore, the average loan balance was actually $50 
million higher and the average interest rate was 1 percent higher than 
the figures used in the original estimate. 

Therefore, 97 percent of the interest expense in excess of the 
expectation can be explained as follows (in thousands): 

$1,000,000 X 1% = $10,000; 
+ 50,000 X 9% = 4,500; 
Amount of difference explained: $14,500. 

The auditor examined correspondence from lenders and loan statements to
corroborate these explanations. The auditor was satisfied that these
covered the significant factors and that it was not necessary to obtain 
an explanation for the remaining $.5 million or 3 percent difference. 
The auditor concluded that interest expense is not misstated and no 
amounts are posted to the Schedule of Uncorrected Misstatements. 
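
Added example (not part of the FAM): the comparison, limit, and explanation steps of FAM 475.05-.08 applied to the interest expense figures in FAM 475.10-.12, in thousands of dollars. The function names, the Factor structure, and the "may stop" rule (corroborated factors leave a residual no larger than the limit) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Guideline ceilings from FAM 475.06, as a percentage of tolerable misstatement.
LIMIT_PCT = {"complete": 20, "partial": 30}


def max_limit(tolerable, reliance):
    """Largest limit the FAM 475.06 guideline allows (same units as tolerable)."""
    if reliance == "none":
        raise ValueError("no reliance: substantive analytical procedures are not needed")
    return tolerable * LIMIT_PCT[reliance] // 100


def interest(balance, rate_bps):
    """Interest model used in FAM 475.10: balance times rate (rate in basis points)."""
    return balance * rate_bps // 10_000


@dataclass
class Factor:
    """One explanation from entity personnel (hypothetical structure)."""
    description: str
    effect: Optional[int]   # signed, quantified effect; None if direction only
    corroborated: bool      # True once the auditor has examined evidence


def evaluate(expectation, recorded, limit, factors=()):
    """Steps e through h of FAM 475.05 for one recorded amount."""
    difference = recorded - expectation
    # Only quantified AND corroborated factors count toward the explanation;
    # factors may increase or decrease the difference (FAM 475.08).
    explained = sum(f.effect for f in factors
                    if f.corroborated and f.effect is not None)
    residual = difference - explained
    return {
        "difference": difference,
        "significant": abs(difference) > limit,
        "minimum_to_explain": max(abs(difference) - limit, 0),
        "explained": explained,
        "residual": residual,
        "pct_explained": round(100 * explained / difference) if difference else None,
        # Assumed stopping rule: what remains unexplained is within the limit.
        "may_stop": abs(residual) <= limit,
        "follow_up": [f.description for f in factors
                      if f.effect is None or not f.corroborated],
    }


def fam_example():
    """Figures from FAM 475.10-.12, in thousands of dollars."""
    limit = 5_000                                  # $5 million limit
    expectation = interest(1_000_000, 800)         # $1 billion at 8 percent
    recorded = 95_000                              # recorded interest expense

    # FAM 475.11: direction without amount explains nothing.
    vague = evaluate(expectation, recorded, limit, [
        Factor("borrowed more, rates higher", None, False),
    ])
    # FAM 475.12: quantified and corroborated to lender correspondence.
    adequate = evaluate(expectation, recorded, limit, [
        Factor("average rate 9% instead of 8%", interest(1_000_000, 100), True),
        Factor("$100 million outstanding 6 months", interest(50_000, 900), True),
    ])
    return vague, adequate


if __name__ == "__main__":
    for label, result in zip(("vague", "adequate"), fam_example()):
        print(label, result)
```

The $5 million limit in FAM 475.10 equals the 20 percent guideline ceiling for complete reliance on a $25 million tolerable misstatement, which is what max_limit(25_000, "complete") returns.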

Course of Action in the Event of Inadequate Explanations or 
Corroborating Evidence: 

.13: If an explanation and/or corroborating evidence does not explain
the fluctuation sufficiently to provide either complete or partial
assurance, the auditor should perform additional substantive procedures.
These procedures may consist of: 

* increasing the effectiveness of the substantive analytical procedures 
by making the expectation more precise to obtain the desired assurance; 

* performing tests of details and placing no reliance on the substantive
analytical procedures that were ineffective; or 

* treating the difference as a misstatement. 

.14: The auditor should determine the effectiveness and efficiency of 
the above options. Deciding whether to perform additional substantive 
procedures is a matter of the auditor’s professional judgment. The 
auditor should perform additional procedures to provide adequate 
assurance that aggregate misstatements that exceed tolerable 
misstatement have been identified. 

.15: To increase the persuasiveness or effectiveness of an analytical 
procedure, the auditor may make the expectation more precise by: 

* building a more sophisticated model by identifying more key factors
and relationships; 

* disaggregating the data (such as using monthly instead of annual 
data[Footnote 53]); or 

* using more reliable data or obtaining greater confidence in the data’s
reliability by corroborating the data to a greater extent. 

Measuring the precision of the expectation and the impact of changing
each of these factors on the procedure’s effectiveness is difficult. The
auditor may consult with an expert in this field. 

Supplemental Analytical Procedures: 

.16: If detail tests are used to test the account balance because 
adequate explanations cannot be obtained or corroborated, the auditor 
still should obtain an overall understanding of the current-year 
financial statements when applying overall analytical procedures at the 
financial statement level. See FAM 520. 

.17: Additionally, if analytical procedures originally performed as a 
substantive test do not provide the necessary assurance, the auditor 
may use those procedures to supplement an understanding of the account 
balances or transactions after performing detail tests. 

.18: When the auditor places no reliance on substantive analytical 
procedures, all assurance is provided by detail tests. In this 
situation, the auditor may use supplemental analytical procedures to 
increase the auditor’s understanding of the account balances and 
transactions after performing the detail tests. When using supplemental 
analytical procedures, the auditor uses professional judgment to 
determine which fluctuations to obtain explanations for and which 
explanations to corroborate. 

480 - Substantive Detail Tests: 

Population to Be Tested: 

.01: In designing detail tests, the assertion tested affects the choice 
of the population (an account balance or a portion of an account 
balance) from which items are selected. For example, the existence 
assertion deals with whether recorded assets or liabilities exist as of 
a given date and whether recorded transactions have occurred during a 
given period. To detail test the existence assertion, the auditor 
should test the recorded account balance by: 

* selecting items from those that compose the account balance; and 

* testing those items to evaluate whether inclusion in the account
balance is proper. 

For example, to test an expense account for existence, the auditor may
select from a detail general ledger individual expense amounts included 
in the balance and then examine invoices that support the expense 
amount. It would be inappropriate to select invoices directly and then 
trace invoice amounts to inclusion in the general ledger balance. 

.02: For the existence assertion, the auditor should determine if the 
population agrees with or is reconciled to the recorded amount of the 
account balance being tested. The auditor should test reconciling 
items, if any, in an appropriate manner. If this is not done, the 
auditor can conclude only on the population tested and not on the 
recorded population. 

.03: Conversely, the completeness assertion deals with whether all 
transactions and accounts that are expected to be in the financial 
statements are included. To detail test the completeness assertion, the 
auditor should select from an independent population of items that are 
expected to be recorded in the account. The auditor should (1) select 
items from a source that is likely to contain all the items that are 
expected to be recorded, and (2) determine whether they are included in 
the recorded balance. 

For example, to test completeness of recorded revenue, the auditor may
select shipments from a shipping log (which is believed to be reasonably
complete), trace them to recorded revenue amounts, and then test the
summarization of those amounts to inclusion in the general ledger 
revenue balance. 

To test completeness of recorded accounts payable, the auditor may 
select payments made subsequent to year-end plus invoices on hand but 
not yet paid. The auditor may then trace transactions in which the 
receipt of goods or services occurred before year-end for inclusion in 
year-end accounts payable. For those transactions where the receipt 
occurred after year-end the auditor should test for exclusion from 
accounts payable. 

Selection Methods for Detail Tests: 

.04: The auditor may apply detail tests to any of the following: 

* all items composing the population; 

* a nonrepresentative selection (nonsampling selection) of items; and 

* a representative selection (sample) of items composing the 
population. 

Flowchart 1 in FAM 495 E illustrates the process of deciding the 
selection method. 

.05: Detail testing of all items composing the population is generally 
most appropriate for populations consisting of a small number of large 
items. For example, several large accounts receivable or investments 
might compose an entire balance. 

.06: Detail testing of a nonrepresentative selection (nonsampling
selection) is appropriate where the auditor knows enough about the
population to identify a relatively small number of items of interest, 
usually because they are likely to be misstated or otherwise have a 
high risk of material misstatement. The auditor also uses 
nonrepresentative selections to test controls through inquiry, 
observation, and walk-through procedures and to obtain planning 
information, for example, by performing a walkthrough to understand the 
items in the population. 

While the dollar amount is frequently the characteristic that indicates 
that an item is of interest, other relevant characteristics might 
include an unusual nature (such as an item identified on an exception 
report), an association with certain entities (such as balances due 
from high-risk, financially troubled entities), or a relationship to a 
particular period or event (such as transactions immediately before and 
after the year-end). 

The auditor should evaluate the effects of any misstatements found in 
the nonrepresentative selection. However, unlike sampling, the results 
of procedures applied to items selected under nonsampling selection 
apply only to the selected items. It is incorrect for the auditor to 
project the results to the portion of the population that was not 
tested. Accordingly, the auditor should apply appropriate substantive 
analytical and/or other substantive procedures to the remaining items, 
unless those items are immaterial in total or the auditor has already 
obtained enough assurance that there is a low risk of material 
misstatement in the untested population. 

.07: Detail testing of a representative selection (sample) of items 
composing the population is necessary where the auditor cannot 
efficiently obtain sufficient assurance (based on the assessed risk of
material misstatement and other substantive procedures including 
analytical procedures) about the population from nonrepresentative
selections. AU 350.45 indicates that samples may be either statistical 
or nonstatistical. 

The auditor should select sample items in such a way that the sample and
its results are expected to be representative of the population. The 
auditor should select the sample in a way that each item in the 
population has an opportunity to be selected. The auditor should 
project the results of the procedures performed to the entire 
population. In random selection, each item has an equal chance of 
selection (see glossary for definition). For MUS, each monetary unit 
(dollar) has an equal chance of selection. For classical variables 
estimation sampling, each item in a stratum has an equal chance of 
selection. 

.08: The auditor may use a nonrepresentative selection for part of the
population and a sample for the remainder of the population. For 
example, the auditor may select all inventory items with a book amount 
greater than $10,000,000 and all items that have not had any activity 
in the previous 6 months for nonrepresentative selection, and perform a 
statistical sample of the balance of the population. The auditor is 
able to project any misstatements found in the statistical sample to 
the population of items less than $10,000,000 with activity in the last 
6 months. The auditor is also able to compute a combined evaluation for 
the three selections by adding the results of the two 100 percent 
selections to the results of the statistical sample selection. 

.09: The auditor should document (usually in audit procedures) whether a
selection is intended to be a representative selection (a sample 
projectable to the population) or a nonrepresentative selection (not 
projectable to the population). If it is a nonrepresentative selection, 
the auditor also should document the basis for concluding that enough 
work has been done to obtain sufficient assurance that the items not 
tested are free from aggregate material misstatement. 

Representative Selections (Sampling): 

.10: The following paragraphs through FAM 480.20 provide an overview of
sampling, primarily with respect to the existence and valuation 
assertions. Similar concepts and methods apply to the completeness 
assertion, except that the population to be tested differs as discussed 
in FAM 480.01-.03. 

.11: In statistical sampling, the auditor uses probability theory to 
determine sample size, select the sample, and evaluate the results for 
the purpose of reaching a conclusion about the population. Statistical 
sampling permits the auditor to objectively determine sample size 
(based on subjective decisions about risk and materiality), objectively 
select the sample items, and objectively evaluate the results. Thus, by 
using statistical sampling the auditor determines objectively whether 
enough work has been performed. Because of these advantages, when a 
sample is necessary, the auditor generally should use statistical 
sampling. Software such as IDEA allows the auditor to quickly perform 
the calculations necessary for statistical sampling. 

.12: In nonstatistical sampling, the auditor considers statistical 
concepts, but does not explicitly use them to determine sample size, 
select the sample,[Footnote 54] or evaluate results. Because the 
auditor using statistical sampling objectively evaluates the same 
factors that the auditor using nonstatistical sampling subjectively 
evaluates, the auditor should not use a nonstatistical sample that is 
less than the size of a properly calculated statistical sample. 

.13: The auditor who uses nonstatistical sampling first calculates a 
statistical sample size using MUS, then subjectively adds a factor 
because (1) a nonstatistical sample is not as objective as a 
statistical sample, and (2) the MUS would have been selected 
proportionate to size while the auditor might not select the 
nonstatistical sample proportionate to size. There is no good guidance 
on how much to add. It depends primarily on how homogeneous or 
heterogeneous the population is and on whether the auditor first 
stratified the population. For heterogeneous unstratified populations, 
the auditor may double the statistical sample size. For relatively 
homogeneous populations that have been stratified, the auditor may use 
1.25 to 1.5 times the statistical sample size and allocate the sample
size proportionate to the strata size. The auditor who uses 
nonstatistical sampling for a particular test should obtain the 
approval of the reviewer (usually the director), in consultation with 
the statistician, before performing the test. Approval is not needed to 
use nonrepresentative selections (nonsampling) since they do not 
involve projections. 

.14: In sampling, the auditor should select the sample from all the 
items that compose the population so that each item has an opportunity 
for selection. In statistical sampling, the auditor can determine the 
probability of selection. For example, the auditor may select sample 
items from a list of all accounts receivable balances that is 
reconciled to the related general ledger account balance. Selecting 
sample items from file drawers is not a valid selection method for any 
type of sampling unless the auditor has determined that all items 
composing the population are included in the drawers. 

.15: For statistical samples, the auditor should select sample items 
using either random or monetary-unit selection methods. The auditor may 
use either computer software or manual selection. Manual selection uses 
random number tables, a computer-based random number generator, or 
systematic selection (every nth item with a random start between 1 and 
n). For example, the auditor might begin with a random start and then 
choose every nth item, where n is the sampling interval. The sampling 
interval is determined by dividing the number of items in the 
population by the desired number of selections. 

.16: The sample size is a function of the size of the population, the 
desired confidence level (based on the amount of substantive audit 
assurance the auditor requires from detail tests, as shown on the audit 
matrix in FAM 495 D), tolerable misstatement (based on design 
materiality, expected misstatements, and other factors discussed in FAM 
230.13), and the sample selection method. 

.17: Once the auditor decides that a sample is necessary, the choice of 
the sampling method to be used is a matter of the auditor’s professional
judgment concerning the most efficient method to achieve the audit
objectives. Sampling methods available for substantive procedures are: 

* MUS – see FAM 480.21; 

* classical variables estimation sampling – see FAM 480.32; and 

* classical probability proportional to size (PPS) sampling (evaluating 
a PPS sample using a classical variables sampling approach) – see FAM
480.34. 

The auditor may use attribute sampling for tests of controls and for 
tests of compliance with laws and regulations. For example, the auditor 
may select an MUS of expenditure transactions for testing and include 
testing the sample for approvals, for entry into the general ledger, 
and for compliance with the Prompt Pay Act. 

For classical variables estimation sampling, stratification and/or use 
of ratio estimates and regression estimates often lead to smaller 
sample sizes. Multistage samples may reduce time and travel costs. The 
auditor should consult with the statistician before using any sampling 
method. 

.18: Each of these sampling methods yields a projected (likely) 
misstatement and an upper limit at the desired confidence level. In 
addition, classical PPS and classical variables sampling yield a two-sided 
confidence interval (MUS yields an upper limit). The auditor 
should choose the appropriate method based on the test objectives and 
efficiency. 

.19: When deciding the sampling method, the auditor should determine 
whether the monetary amounts of the individual items composing the 
population are available (such as on a detail listing or a computer 
file), the expected amount of misstatements, and the relative 
efficiency of each appropriate sampling method. Flowchart 2 in FAM 495 
E summarizes the process of choosing the sampling method once the 
auditor has decided a sample is necessary. The subsequent pages of the 
flowchart indicate the steps that the auditor generally should perform 
for each sampling method. Example audit documentation for attribute, 
monetary-unit, and classical variables sampling is in FAM 495 E. 

.20: If the dollar amounts of the individual items composing the 
population are known, the auditor should use MUS, classical PPS, or 
classical variables estimation sampling. If dollar amounts of 
individual items are not known, see FAM 480.36. 

Sample Selection: 

MUS: 

.21: MUS is a type of statistical sampling that the auditor generally 
should use when: 

a. the monetary amounts of individual items in the population are 
known; 

b. the primary objective is to test for overstatement of the population 
(see below for testing a population related to the line item); 

c. the auditor expects that the total monetary amount of misstatement in
the population is not large;[Footnote 55] and 

d. the amount of misstatement in an individual item cannot exceed the
selected amount.[Footnote 56] 

MUS is also known as probability proportional to size (PPS) and as 
dollar unit sampling (DUS). MUS works best in populations where the 
total misstatement is not large and where the objective is to test for
overstatement of a population. When the objective is to test for
understatement of a line item, the auditor often is able to define a 
related population to test for overstatement. For example, to test for
understatement of accounts payable, the auditor may select an MUS of
subsequent disbursements. See also FAM 480.36. 

.22: In a manually applied MUS, a sampling interval (n) is used to 
select every nth dollar from the dollars in the individual items that 
compose the population. These items may be recorded amounts for 
individual receivable balances, inventory items, invoices, or payroll 
expenses. The item that contains the nth dollar is selected for 
testing. MUS is representative of all monetary units (dollars) in the 
population. However, larger items have a higher probability of 
selection (for example, a $2,000 item has an approximately 20 times 
greater probability of selection than a $100 item). 

.23: When the total misstatement in the population is not large, MUS 
will yield the smallest sample size for a given population, tolerable 
misstatement, and desired confidence level when all statistical 
sampling methods are considered. If the auditor expects that the 
population contains a large amount of misstatement, the auditor should 
use classical variables sampling (see FAM 480.33). 

Manual Computation of Monetary Unit Sample Size: 

.24: The auditor may compute monetary unit sample size either manually 
or by using computer software (FAM 480.27). To calculate a monetary-unit
sample size manually, the auditor uses the monetary amount of the
population (usually dollars), tolerable misstatement (see FAM 230), and
confidence level. When calculating sample size manually, the auditor may
use the statistical risk factor from Table 480.1 to determine sample 
sizes for the appropriate confidence level. 

Table 480.1: Statistical Risk Factors: 

Confidence Level    Statistical Risk Factor[A]
50%                 0.7
64%                 1.0
77%                 1.5
86%                 2.0
92%                 2.5
95%                 3.0

[A] These are based on the Poisson distribution, which approximates the 
binomial distribution. Therefore, the sample size computed using this 
table may differ slightly from the sample size computed using IDEA or 
other software that uses the binomial distribution. 

[End of table] 

FAM 495 D contains the audit matrix with the appropriate statistical 
risk factor based on the auditor’s assessed risk of material 
misstatement and reliance on other substantive procedures, including 
analytical procedures. 

.25: The statistical risk factors are used in the following formulas to 
determine the sampling interval and sampling size for MUS: 

1. sampling interval = tolerable misstatement ÷ statistical risk 
factor. 

2. sample size = recorded amount ÷ sampling interval. 

Sample sizes are stated in whole numbers. Uneven amounts are rounded up 
to the next whole number. For example, a sample size of 40.2 items is
rounded up to 41 items. 

.26: For example, to test a recorded amount of $30 million with a 
tolerable misstatement of $900,000 and a 95 percent confidence level, 
the statistical risk factor is 3.0. The sampling interval is $300,000 
(tolerable misstatement of $900,000 divided by the statistical risk 
factor of 3.0). Essentially, from a random start, every 300,000th 
dollar is selected. Therefore, the preliminary estimate of sample size 
of 100 items is calculated by dividing the recorded amount of $30 
million by the sampling interval of $300,000. Because the amount of 
some items might equal or exceed the sampling interval, a selection 
might include more than 1 sample item (for example, a $600,000 
selection includes 2 of the 100 estimated sample items – 
$600,000/$300,000 = 2), thereby making the actual number of items tested 
fewer than 100. This situation is not a problem, and the auditor does 
not need to select additional items. 

Software Computation of Monetary Unit Sample Size: 

.27: When the auditor uses IDEA to calculate monetary unit sample size, 
the inputs are materiality, expected total (dollar) amount of 
misstatements in the population, confidence level, and the (dollar) 
amount of the population. Whether the auditor should input design 
materiality or tolerable misstatement depends on why the auditor 
reduced design materiality to get tolerable misstatement (see FAM 
230.13). If the auditor reduced design materiality to tolerable 
misstatement because not all entity locations are being tested or 
because the area is sensitive to financial statement users, the auditor 
should input tolerable misstatement. If the auditor reduced design 
materiality to tolerable misstatement solely because misstatements
were expected, the auditor should input design materiality rather than
tolerable misstatement. The reason for this is that the auditor inputs 
the expected dollar amount of misstatements in the population, and the
software considers it in adjusting materiality (if the auditor inputs 
tolerable misstatement, the adjustment will have been made twice). 

Additional Sample Items for MUS Testing: 

.28: It is difficult to select additional items for MUS after the 
original sample is selected. If the auditor believes that extension of 
the sample might be necessary, the auditor generally should plan for 
that possibility and consult with the statistician. For example, the 
auditor might use a 95 percent confidence level (statistical risk 
factor of 3.0) to select the sample but test only the number of items 
necessary to achieve the planned confidence level. The items tested are 
spread evenly throughout all of the items selected. For example, in a 
manual selection, if a statistical risk factor of 1.5 is appropriate 
based on the planned confidence level, the auditor makes selections 
using a statistical risk factor of 3.0 (twice as many selections as the 
factor of 1.5) and initially tests every other selection (beginning 
with a random start). 

.29: If the preliminary assessment of risk of material misstatement or 
reliance on substantive analytical procedures is not supported by the 
results of testing, the substantive audit assurance needed from detail 
tests increases, and the auditor then may test the additional items 
selected in the initial sample. However, expanding the test may not be 
appropriate where the sample indicates that the account balance is 
materially misstated. Extending the sample when the initial sample 
result was indicative of the true misstatement in the population will 
likely result in further misstatements being identified. If there is 
evidence that the misstatement was intentional or could be an indicator 
of a fraud, then the auditor should discuss the appropriate next steps 
with the director and the statistician. 

.30: If additional sample items are not selected during the initial 
sample and it is necessary to select additional items, the auditor 
should consult with the statistician to determine how to select the 
additional sample items. Selection of these additional items may be 
more complex and less efficient than if they were chosen during the 
initial sample. 

.31: FAM 495 F describes how to manually select items using MUS. The 
auditor generally should use software, such as IDEA, to select a sample. 
[Footnote 57] 

Classical Variables Estimation Sampling: 

.32: Classical Variables Estimation Sampling is a type of statistical 
sampling that may be used when the auditor expects that one or more 
conditions exist in the population, such as: 

* the dollar amount of misstatement in the population is large (see
footnote 3); 

* individual misstatements may exceed the selected amount of sampling
units; 

* significant understatements cannot be identified using other tests; 

* there are no book amounts for each sampling unit; or 

* the auditor cannot add the dollar amounts in the population (see
flowchart 2 in FAM 495 E). 

.33: Classical Variables Estimation Sampling is useful because it 
frequently results in smaller sample sizes in higher misstatement 
situations than those that would be obtained using MUS. Because 
applying this method is somewhat complex, the auditor should consult 
with the statistician before using it. Both this method and Classical 
PPS Sampling discussed in FAM 480.34 require knowledge of the 
population to determine sample size. In many audits, the auditor learns 
about the population over several audits and may use this knowledge to 
refine the sampling methodologies to improve efficiency. 

Classical PPS Sampling: 

.34: Classical PPS Sampling is a type of statistical sampling that the 
auditor generally should use when testing for overstatement of the 
defined population and expects a large misstatement rate. Since there 
is no exact way to determine sample size, the auditor uses MUS to 
calculate sample size (proportional to size). However, since Classical 
PPS Sampling is used when there are large misstatement rates, the 
auditor should use a conservative (high) estimate of the expected 
misstatement to avoid needing to subsequently expand the sample size to 
obtain a sufficient sample size. 

.35: Classical PPS Sampling yields a valid measure of likely 
misstatement and precision and is easier to design and evaluate than 
Classical Variables Estimation Sampling. Thus, in higher misstatement 
situations, the auditor may choose to use Classical PPS Sampling if 
there are no reasons other than the expected high misstatement rate for 
using Classical Variables Estimation Sampling. 

Sampling When Dollar Amounts Are Not Known: 

.36: The auditor cannot use MUS if the dollar amounts of individual 
items in the population are not known. The auditor may use Classical 
Variables Estimation Sampling, but this method has some difficulties. 
There is no way to accurately calculate the sample size without the 
individual dollar amounts, and the method is inefficient unless the 
auditor finds a large misstatement rate. The lack of individual dollar 
amounts usually occurs when testing the completeness assertion where 
the selection is made from a population independent of the population 
being tested such as a shipment from a shipping log (see FAM 
480.01-.03). One approach may be for the auditor to select a random or 
systematic sample of the individual items. For example, the auditor may 
randomly select items from a shipping log to test the 
completeness/cutoff assertion for revenue and accounts receivable that 
shipments have been billed in the proper period. 

.37: For this type of test, the sample size may be approximated from 
the total (dollar) amount of either the population that the auditor is 
sampling from (the total dollars of the shipping log if the log has 
amounts), or the amount of the population that the auditor is testing 
(the total recorded revenue). Because this method is less efficient 
than MUS, the auditor generally should use a preliminary estimate of 
sample size that exceeds the sample size that would result from using 
MUS, for example, at least a 25 percent increase in sample size. 
[Footnote 58] 

.38: The auditor should consult with the statistician to determine 
whether to use Classical Variables Estimation Sampling and to perform 
the evaluation. In using attribute sampling for substantive tests, the 
auditor generally should use the upper limit of the misstatement rate 
to make a conservative estimate of the dollar amount of misstatement in 
the population. If the upper limit is less than materiality, the 
auditor has evidence that the population is free of material 
misstatement. 

Evaluation of Sample Results: 

.39: Evaluation of sampling results involves: 

a. Projecting the results of the sample to the population (for 
nonstatistical samples, making a judgment about likely misstatement in 
the population). 

b. Calculating either the upper limit of misstatement in the population 
or an interval estimate of misstatement or of the population audited 
value at the desired confidence level (for nonstatistical samples, 
considering the risk of further misstatement). 

c. Determining any qualitative aspects of misstatements. 

d. Bringing known and likely misstatements to management’s attention. 

e. Asking management to correct known misstatements and determine the
cause of likely misstatement. 

f. Concluding as to whether the population is fairly stated, after
management’s adjustments, if any. 

g. Evaluating the effect of misstatements on the financial statements
taken as a whole. 

The auditor usually does steps a and b with software such as IDEA. The
auditor should perform the evaluation in consultation with the 
statistician. 

.40: The effects of any misstatements detected in a sample are 
projected to the population. In doing so, the auditor asks entity 
management to determine the cause of any misstatement found. The 
auditor should project all misstatements unless highly persuasive 
evidence is obtained that the misstatement is not representative of the 
entire population. If the evidence is highly persuasive that a 
misstatement is not representative of the population, the auditor 
should: 

* perform procedures to test that the same type of misstatement does not
exist elsewhere in the population; 

* evaluate the misstatement that is not representative; 

* evaluate the sample, excluding the misstatement that is not
representative; and 

* obtain the approval of the audit director that the evidence is highly
persuasive. 

The projected misstatement amount is included as a likely misstatement 
in the Example Schedule of Uncorrected Misstatements in FAM 595 C
(example 1), the evaluation of which is discussed in FAM 540. 

.41: At the conclusion of the test, the auditor also should determine 
whether the assessment of risk of material misstatement remains 
appropriate, particularly in light of any misstatements identified. If 
the preliminary risk of material misstatement assessment was not 
appropriate, the auditor should consult with the reviewer to determine 
whether the extent of substantive procedures is adequate. 

.42: When understated amounts are detected in any sample designed 
primarily to test the existence assertion (i.e., designed to test 
primarily for overstatement), the auditor should consult with the 
statistician in evaluating the sample results. 

Calculating the Projected Misstatement for MUS: 

.43: If the auditor does not use software to evaluate sample results, 
the auditor should calculate projected misstatement as follows. For a 
misstatement detected in which the item equals or exceeds the amount of 
the sampling interval (each of which is selected for testing), the 
projected misstatement is the amount of the misstatement detected. For 
any other misstatement detected, the projected misstatement is computed 
by: 

* dividing the amount of misstatement by the recorded amount of the
sample item; and 

* multiplying the result by the amount of the sampling interval. 

The sum of all projected misstatements represents the aggregate 
projected misstatement for the sample. For example, assume the 
following two misstatements are detected in a sample for which the 
sampling interval is $300,000: (1) a $50,000 misstatement detected in a 
$500,000 item (which exceeds the amount of the sampling interval) 
results in a projected misstatement of $50,000 and (2) a $100 
misstatement in a $1,000 sample item represents a 10 percent 
misstatement, which results in a projected misstatement of $30,000 (10 
percent of the $300,000 sampling interval). In this example, the 
aggregate projected misstatement is $80,000. 
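The manual MUS steps in FAM 480.22-.26 and the projection in FAM 480.43 can be carried through in code. The following Python is an added example, not part of the FAM or of IDEA; the ledger, item IDs, fixed random start, and function names are constructed for illustration, and it assumes positive recorded amounts.

```python
"""Manual MUS: size the sample, select every nth dollar, project results."""
import math
from decimal import Decimal

# Table 480.1: confidence level (percent) -> statistical risk factor.
RISK_FACTORS = {
    50: Decimal("0.7"), 64: Decimal("1.0"), 77: Decimal("1.5"),
    86: Decimal("2.0"), 92: Decimal("2.5"), 95: Decimal("3.0"),
}


def sampling_interval(tolerable_misstatement, confidence_level):
    """Formula 1: tolerable misstatement / statistical risk factor."""
    return Decimal(tolerable_misstatement) / RISK_FACTORS[confidence_level]


def sample_size(recorded_amount, interval):
    """Formula 2: recorded amount / sampling interval, rounded up."""
    return math.ceil(Decimal(recorded_amount) / interval)


def select_monetary_units(items, interval, random_start):
    """Select the item that contains every nth dollar after a random start.

    items is a list of (item_id, recorded_amount) in ledger order.
    Returns (item_id, hits) pairs. hits > 1 means one item absorbed
    several planned selections, so fewer items are tested than planned.
    """
    if not 0 < random_start <= interval:
        raise ValueError("random start must fall within the first interval")
    selected = []
    cumulative = Decimal(0)
    next_hit = Decimal(random_start)
    for item_id, amount in items:
        if amount <= 0:
            # Assumption of this example: positive recorded amounts only.
            raise ValueError(f"{item_id}: recorded amount must be positive")
        cumulative += amount
        hits = 0
        while next_hit <= cumulative:  # this item contains the nth dollar
            hits += 1
            next_hit += interval
        if hits:
            selected.append((item_id, hits))
    return selected


def projected_misstatement(recorded_amount, misstatement, interval):
    """Project one misstated sample item to the population."""
    recorded = Decimal(recorded_amount)
    misstated = Decimal(misstatement)
    if recorded <= 0:
        raise ValueError("recorded amount must be positive")
    if recorded >= interval:
        # Items at or above the interval are always selected, so the
        # projected misstatement is the misstatement actually found.
        return misstated
    # Otherwise apply the item's misstatement percentage to the interval.
    return misstated / recorded * interval


def aggregate_projection(findings, interval):
    """Sum projected misstatements; findings = [(recorded, misstatement)]."""
    return sum(
        (projected_misstatement(r, m, interval) for r, m in findings),
        Decimal(0),
    )


# Constructed ledger (item IDs and amounts are illustrative only).
SAMPLE_LEDGER = [
    ("A-001", 600_000),  # twice the interval: absorbs two selections
    ("A-002", 1_000),
    ("A-003", 500_000),
    ("A-004", 99_000),
]
# Constructed findings mirroring the two misstatements in the text above.
SAMPLE_FINDINGS = [(500_000, 50_000), (1_000, 100)]

if __name__ == "__main__":
    interval = sampling_interval(900_000, 95)
    print(f"sampling interval: ${interval:,.0f}")
    print(f"planned sample size for $30 million: "
          f"{sample_size(30_000_000, interval)}")
    # Fixed start so the demonstration is reproducible; in practice the
    # start is chosen at random between 1 and the interval.
    for item_id, hits in select_monetary_units(SAMPLE_LEDGER, interval, 500):
        print(f"selected {item_id} ({hits} selection(s))")
    total = aggregate_projection(SAMPLE_FINDINGS, interval)
    print(f"aggregate projected misstatement: ${total:,.0f}")
```

On the constructed ledger, four planned selections fall on three items because the $600,000 item contains two of the selected dollars.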

Evaluating a Monetary Unit Sample as a Classical PPS Sample: 

.44: If an MUS results in a large number of misstatements, it is likely 
that the evaluation calculated using the method illustrated above would 
indicate that the upper limit of misstatement in the population exceeds 
materiality (IDEA indicates the number of misstatements that would 
yield acceptable results). However, if there are a large number of 
misstatements,[Footnote 59] the auditor, in consultation with the 
statistician, generally should evaluate the sample using Classical PPS 
Sampling. This evaluation is complex and cannot be done directly using 
IDEA. 

Evaluating the Results of a Classical Variables Estimation Sample: 

.45: The auditor should consult with the statistician in evaluating the 
results of a Classical Variables Estimation Sample. 

Evaluating the Results of Other Samples: 

.46: When the auditor detects misstatements in a sample for which 
guidance on evaluation is not described above, the auditor should 
consult with the statistician. 

Effects of Misstatements on the Financial Statements: 

.47: The auditor should evaluate the quantitative and qualitative 
effects of all misstatements detected in the audit – both known and 
likely – in relation to the financial statements taken as a whole. FAM 
540 provides guidance on this evaluation. 

490 - Documentation: 

.01: The auditor should document the nature, extent, and timing of 
procedures performed during this testing phase of the audit, as well as 
the results and conclusions reached. The auditor should document how 
these procedures are responsive to the assessed risk of material 
misstatement at the relevant assertion level (as discussed in AU 318). 
The auditor should also specifically identify the procedures used to 
obtain substantive audit assurance for an account balance, for example, 
when the auditor relies on detail tests for complete substantive audit 
assurance and performs supplemental analytical procedures to increase 
the auditor’s understanding of the account balances and transactions. 

.02: In order to focus on key matters and identify significant 
exceptions, the auditor generally should document and explain in the 
audit plan the audit objectives, procedures to be performed, possible 
exceptions, and why they may be important. 

.03: The auditor also should document, usually in the applicable audit 
plan with the audit procedures, whether a selection is intended to be a 
representative selection (a sample projectable to the population) or a 
nonrepresentative selection (not projectable to the population). If it 
is a nonrepresentative selection, the auditor should document the 
assessment of the risk of material misstatement for the items not 
tested as part of the selection and the basis for concluding that 
enough work has been done to obtain sufficient assurance that the items 
not tested are free from aggregate material misstatement. 

.04: As audit work is performed, the auditor may become aware of 
possible material weaknesses, other significant deficiencies, other 
control deficiencies, or other matters to communicate to entity 
management and those charged with governance. The auditor should 
document and communicate these issues as described in FAM 580.31-.62. 

.05: The auditor should document the items below. Also, see FAM 495 E 
for example audit documentation. 

a. For tests involving sampling: 

* the sampling method used; 

* the sample size and the method of determining it; 

* how the sample was selected; 

* a list of items tested; 

* the audit procedures performed; and 

* the results of tests, including evaluations of sample results, and
conclusions. 

b. For substantive analytical procedures: 

* the model used to develop the expectation and the basis for the
model; 

* the data used and the data sources; 

* the auditor’s assessment of the reliability of the data used and
procedures performed to establish or increase the amount of 
reliability, if applicable; 

* the amount of the limit and the criteria for establishing the limit; 

* management’s explanations for significant fluctuations, sources of
these explanations, and corroborating evidence obtained; 

* the additional procedures performed and related conclusions if 
misstatements are detected or if the initial procedures are not
considered adequate; and 

* conclusions regarding findings, including treatment of any 
misstatements detected and assessment of any other effects of these
misstatements. 

c. Interim testing procedures (see FAM 495 C for documentation
guidance). 

d. Individual and total misstatements on the Schedule of Uncorrected 
Misstatements. See FAM 595 C. 

495 A – Substantive Analytical Procedure Determinations: 

.01: When determining whether performing substantive analytical 
procedures will be effective and efficient as a substantive test, the 
auditor generally should evaluate the: 

* nature of the account balance, the audit objective (including the
assertions being tested), and the assessed risk of material misstatement
(FAM 495.02-.04 A); 

* expected availability and reliability of explanations for 
fluctuations and related corroborating evidence (FAM 495.05 A); 

* plausibility and predictability of the relationship (FAM 495.06-.13 
A); 

* availability and reliability of data (FAM 495.14-.22 A); and 

* preciseness of the expectation (FAM 495.23-.25 A). 

This FAM section provides additional guidance to the auditor in these
areas. 

Nature of the Account Balance, the Audit Objective, and the Assessed 
Risk of Material Misstatement: 

.02: Analytical procedures are usually more effective for testing 
accounts that accumulate transactions for the period, such as statement 
of net cost accounts, than for testing balance sheet accounts. This is 
because balance sheet amounts are stated as of a specific point in time 
and are therefore more difficult to predict. Additionally, net cost statement 
amounts generally have relationships with other data, such as cost of 
sales as a percentage of sales, interest expense as a function of the 
debt balance and interest rates, or sales revenue as a function of the 
number of units shipped and the average sales price. Analytical 
procedures are usually less effective for testing amounts that are 
subject to management discretion or are unpredictable, such as repairs 
or miscellaneous expenses. 

.03: The auditor should use the audit objective, including relevant 
assertions, and the assessed risk of material misstatement to determine 
whether substantive analytical procedures will be effective. The 
auditor can obtain three levels of substantive assurance from 
analytical procedures—complete, partial, or none. The effectiveness and 
the amount of assurance provided by an individual procedure are matters 
of the auditor’s professional judgment and are difficult to measure. 

.04: When the risk of material misstatement is high, the auditor will 
rarely be able to place complete reliance on analytical procedures for 
substantive assurance, particularly for balance sheet accounts. 
Therefore, in these cases, the auditor should design analytical 
procedures that are extremely effective and persuasive, if they are to 
serve as the sole source of audit evidence for achieving the audit 
objective. 

Explanations for Fluctuations and Corroborating Evidence: 

.05: Explanations for fluctuations and related, reliable corroborating 
evidence may not be readily available. This evidence is essential when 
the auditor uses analytical procedures as a substantive test. The 
auditor generally should evaluate the relative ease of obtaining 
explanations for significant differences and relevant, reliable 
corroborating evidence when determining whether analytical procedures 
will be effective. 

Plausibility and Predictability of the Relationship: 

.06: Relationships between the amount being tested (the recorded 
amount) and other data are an essential component of substantive 
analytical procedures. The auditor generally should identify 
relationships that are good indicators of the account balance. A good 
indicator of the recorded balance means that the relationship between 
the recorded amount and the other data is plausible and predictable. 

Plausibility: 

.07: If one set of data provides a reasonable basis for predicting 
another set of data, the relationship between the two sets of data is 
plausible. As the plausibility of the relationship increases, so does 
the effectiveness of analytical procedures as a substantive test. 

.08: For example, there is a plausible relationship between payroll 
expense, the average number of employees, and the average pay rate. 
This relationship generally is effective for the auditor to use in 
developing an expectation for payroll expense of salaried employees. 
Alternatively, there is not usually a plausible relationship between 
revenue and interest expense. Therefore, this relationship would not be 
used for developing an expectation. 

Predictability: 

.09: The more predictable the relationship is, the more effective the 
substantive analytical procedure will be. Relationships are more 
predictable in a stable environment. As relationships become more 
complex as a result of increases in the number and type of contributing 
factors, related amounts become more difficult to effectively and 
efficiently predict. 

.10: For example, payroll expense generally is very predictable if 
there is little employee turnover during the period, if all employees 
receive the same percentage raise at the same time, and if all 
employees are salaried. Payroll expense becomes more difficult to 
predict if any of these factors changes, such as high turnover 
resulting in a different mix of employee pay, a wide range of raises 
awarded at different times, or a mix of hourly and salaried employees. 
Therefore, to effectively estimate payroll expense, the auditor may 
need to use a more complex relationship that considers these factors. 

.11: The relationships may be between the recorded amount and either 
prior-year or current-year data, using financial or nonfinancial data, 
including underlying business factors. For example, the auditor may 
determine an expectation for (1) current-year interest expense using 
current-year audited, long-term debt amounts and interest rate 
information, or for (2) cost of sales based on the auditor's estimate 
of the expected gross margin percentage applied to the audited sales 
amounts. When using current-year relationships, the auditor should test 
the data used to develop the expectation by a method other than a 
substantive analytical procedure that uses a relationship with the 
recorded amount. 

.12: The auditor generally should develop a rationale for using 
prior-year amounts as the only basis for the expectation. The auditor 
should document why, in the auditor’s professional judgment, the 
prior-year amount, and any adjustments to that amount, have a plausible 
and predictable relationship with the current-year recorded amount. The 
auditor generally should test any adjustments to the prior amount, such 
as for the effects of inflation. Additionally, the auditor should 
determine whether the prior-year amount is reliable. Reliability is 
easiest to establish if the prior-year amount is audited. 

.13: For an example of prior-year relationship, assume that the payroll 
raises for the current year were authorized at 5 percent and that the 
number and salary mix of employees have remained relatively stable. In 
this example, the auditor may reasonably expect current-year payroll 
expense to be 5 percent higher than the prior-year’s payroll expense. 
However, the auditor would need to test the reliability of the 
percentage pay increase and the assumptions regarding the number and 
mix of employees. 

Availability and Reliability of Data: 

Availability of Data: 

.14: Data needed to perform analytical procedures as a substantive test 
may not be readily available. The auditor generally should determine 
when data will be available and the relative ease of obtaining 
relevant, reliable data when determining whether analytical procedures 
will be efficient and effective. 

Reliability of Data: 

.15: The more reliable data are, the more effective analytical 
procedures will be as a substantive test. In assessing the reliability 
of data, which is a matter of the auditor’s professional judgment, the 
auditor should evaluate: 

* the source of the data, including whether the data are audited or
unaudited; 

* conditions under which the data were developed and gathered, 
including related internal controls; and 

* other knowledge the auditor may have about the data. 

Sources of Data: 

.16: Data obtained from an independent source outside the entity are 
generally more reliable than data obtained from inside the entity. 
However, the auditor should determine if the outside information is 
comparable to the item being tested. This issue of comparability is 
important if the auditor is using industry statistics. 

.17: Data obtained from entity sources are more reliable if the sources 
are independent of the accounting function and if the data are not 
subject to manipulation by personnel in the accounting function. If 
multiple data sources are used, the auditor generally should determine 
the reliability of all sources used. 

Audited Versus Unaudited Data: 

.18: The auditor should determine whether the data are audited or 
unaudited because audited data are more reliable than unaudited data. 
(See FAM 650 on using the work of others.) 

.19: Unaudited data are not reliable unless the auditor performs 
procedures to establish their reliability. These procedures could 
consist of either evaluation and tests of controls over data production 
or tests of the data. The extent of such procedures is a matter of 
professional judgment. For example, interest rates from an entity’s 
loan register may be used to estimate interest income. The reliability 
of this information may be established by including the interest rate 
on loan confirmations that are sent to the borrowers or by reviewing 
original loan documents. 

Conditions Under Which the Data Were Gathered: 

.20: Another consideration for internal data is whether the data were 
developed under a reliable system with adequate financial reporting or 
operations controls. The auditor may test operations controls to assess 
the reliability of the data used for substantive analytical procedures. 
The extent of this testing is a matter of the auditor’s professional 
judgment. 

.21: If the system used to develop internal data is computerized rather 
than manual, the auditor should perform additional procedures before 
relying on the data. The auditor should test either (1) the general 
controls and the specific application controls over the information 
system that generated the report, or (2) the data in the report. 

.22: An auditor may test operations controls when using entity-prepared
statistics for a substantive analytical procedure. For example, the 
auditor may use Air Force statistics to test the reasonableness of its 
Airlift Services aircraft operating costs. The auditor may compare the 
per hour fuel and maintenance costs for Airlift Services cargo and 
passenger aircraft with the “block hour” costs incurred by major 
airlines for similar aircraft as published by Aviation Week and Space 
Technology. The auditor would first determine if the industry 
statistics are comparable, for example, if the statistics are for the 
same or similar types of aircraft and if the types of items included in 
maintenance costs are similar. The auditor may then identify and test 
the internal controls over the production of these operating 
statistics. 

Preciseness of the Expectation: 

.23: The auditor should develop an expectation of the account balance 
that is precise enough to provide the desired substantive assurance. 
When determining how precise the expectation should be, the auditor 
should determine the proper balance between effectiveness and 
efficiency. Any work to make the expectation more precise than the 
desired level of assurance is unnecessary. 

.24: If the audit objective cannot be achieved with the original 
expectation, the auditor may be able to perform additional procedures 
to make the expectation more precise. The preciseness of the 
expectation and changes in this preciseness are difficult to measure in 
quantifiable terms, unless the auditor uses regression analysis for the 
analytical procedures. The auditor should consult with the statistician 
before using regression analysis. 

.25: Factors that influence the expectation’s preciseness are: 

* The identification and use of key factors when building the model 
based on the relationships identified by the auditor: The expectation 
generally becomes more precise as additional key factors are 
identified. 

* The reliability of the data used to develop the expectation: The 
expectation becomes more precise as the reliability of the data 
increases. 

* The degree of disaggregation of the data: The expectation becomes
more precise as the disaggregation of the data increases. 
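
The effect of disaggregation can be seen in a small worked case. The following is an added example, not part of the FAM: it applies the 5 percent raise from FAM 495 A.13 to constructed payroll figures, and the 2 percent investigation threshold is an assumption made for illustration.

```python
"""Added illustration (not FAM text): aggregate vs. disaggregated expectation."""
from dataclasses import dataclass

RAISE_PCT = 5        # authorized raise, from the FAM 495 A.13 example
THRESHOLD_PCT = 2    # assumed investigation threshold; not a FAM value


@dataclass(frozen=True)
class Result:
    label: str
    expected: int
    recorded: int
    difference: int
    investigate: bool


# Constructed data in whole dollars:
# (unit, audited prior-year payroll, recorded current-year payroll).
PAYROLL = [
    ("Headquarters",   4_000_000, 4_200_000),
    ("Field Office A", 2_000_000, 2_310_000),
    ("Field Office B", 3_000_000, 2_940_000),
    ("Field Office C", 1_000_000, 1_050_000),
]


def compare(label, prior_year, recorded):
    """Build the expectation from the prior-year amount and flag a
    difference larger than the threshold percentage of the expectation."""
    expected = prior_year * (100 + RAISE_PCT) // 100
    difference = recorded - expected
    investigate = abs(difference) * 100 > THRESHOLD_PCT * expected
    return Result(label, expected, recorded, difference, investigate)


def analyze(payroll):
    """Return the entity-level comparison and the per-unit comparisons."""
    total_prior = sum(prior for _, prior, _ in payroll)
    total_recorded = sum(recorded for _, _, recorded in payroll)
    aggregate = compare("Entity total", total_prior, total_recorded)
    by_unit = [compare(name, prior, rec) for name, prior, rec in payroll]
    return aggregate, by_unit


if __name__ == "__main__":
    aggregate, by_unit = analyze(PAYROLL)
    for r in [aggregate, *by_unit]:
        flag = "INVESTIGATE" if r.investigate else "ok"
        print(f"{r.label:<15} expected {r.expected:>10,} "
              f"recorded {r.recorded:>10,} "
              f"difference {r.difference:>+9,} {flag}")
```

At the entity level the recorded amount equals the expectation, while the per-unit comparison shows two offsetting differences that the aggregate test cannot see.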

495 B - Example Procedures for Tests of Budget Information: 

.01: This section includes examples of procedures that auditors may 
perform in testing budget information for the statement of budgetary 
resources and reconciliation of net cost of operations to budget. 

.02: In addition, if budget controls are ineffective and quantitative 
provisions of budget-related laws and regulations are significant, the 
auditor generally should perform audit procedures sufficient to detect 
material misstatements in the types of budget information listed in FAM 
460.04. Tolerable misstatement for use in determining sample sizes is 
discussed in FAM 460. 

Testing Obligations and Expended Authority Transactions: 

.03: The following are examples of procedures that the auditor may use 
to test obligation and expended authority transactions for these 
misstatements. 

Validity, accuracy/valuation, and classification assertions: 

* Select obligations recorded as of the end of the audit period and 
expended authority transactions recorded during the audit period. 

* Determine if each selected item is a valid obligation or expended
authority transaction based on the criteria set forth in FAM 395 F. 

* Determine if each selected item is recorded at the accurate amount
(value). 

* Determine if each selected item is properly classified in the 
appropriation or fund account (also by program and by object, if 
applicable), including the proper appropriation year. 

Completeness and cutoff assertions: 

* Select obligations and expended authority transactions recorded during
the period between the balance sheet date and a date near the audit
completion date. 

* Examine open purchase orders, unpaid invoices, and contracts as of a
date near the audit completion date. 

* Select items representing payments by Treasury or cash disbursements
by the entity during the audit period. Substantive detail test 
selections of expenses and additions to inventory, property, and 
prepaid accounts may be used for this purpose if the populations from 
which they are selected are complete. 

* For each selection, determine whether the obligation or expended 
authority transaction is recorded in the proper period. If transactions
are not recorded, or are recorded in the incorrect period, determine the
effects of this misstatement on budget amounts, the evaluation of 
budget controls, and the risk of material misstatement. 

* If the selected obligation or expended authority transaction relates 
to the audit period and is recorded in that period, determine if it is
recorded at the proper amount and properly classified in the 
appropriation or fund account (also by program and by object, if
applicable), including the proper appropriation year. 

Summarization assertion: 

* Test the footing of the detail of the obligation account balance 
recorded as of the end of the audit period and expended authority 
accounts recorded during the audit period. 

* Reconcile the total of these details to the recorded totals for 
obligation and expended authority accounts as of the end of the audit 
period. Audit software is often an effective tool for footing the 
transactions recorded in the accounts and for selecting items for 
testing. 

.04: The auditor generally should coordinate the audit procedures 
discussed above for testing expended authority transactions with the 
audit of other financial statement amounts. For example, if 
appropriate, the auditor may coordinate tests of accounts payable for 
completeness with the selection of subsequent obligations and expended 
authority transactions described above. 

Testing Outlay Transactions: 

.05: The following are examples of procedures that the auditor may use 
to test outlay transactions. The auditor generally should coordinate 
these audit procedures with the audit of the other financial statement 
amounts, chiefly cash disbursements. 

Validity and classification assertions: 

* Select outlays recorded during the audit period. Determine if an 
invoice and a receiving report support each selected outlay. Determine 
the obligation that was liquidated by the outlay. 

* Examine the support for the obligation and determine if the invoice
billed for goods or services is related to or properly “matches” the
obligation and, in turn, the appropriation. 

* Obtain the accounting data of the matched obligation to include
appropriation and year. Match these data to the type of services paid 
for by the selected outlay. Determine if the related appropriation 
authorizes payment for the services billed and paid. 

.06: The auditor also generally should test upward and downward 
adjustments of prior year obligations. If any of these adjustments 
relate to closed accounts, the auditor generally should determine 
whether the adjustments are in compliance with the requirements of the 
National Defense Authorization Act for fiscal year 1991, section 
1405(a), Closing Appropriation Accounts, 31 U.S.C. 1551-1558. 

495 C - Guidance for Interim Testing: 

Misstatements in Interim Balances: 

.01: The auditor should use professional judgment to determine whether 
any known and likely misstatements detected in interim tests warrant a
revision of (1) the risk of material misstatement and (2) the nature, 
extent, and timing of planned audit procedures. (See FAM 295 D for a 
discussion of factors in deciding whether to use interim substantive 
testing of balance sheet accounts). The auditor should determine the 
effects of misstatements by evaluating relevant factors, including: 

* the nature and cause of the misstatement; 

* the estimated known and likely effects on the overall line 
item/account balance; 

* whether the entity has subsequently corrected the misstatement; and 

* the impact of the misstatement on other parts of the audit. 

.02: The auditor should discuss financial statement misstatements with 
entity management. Based on the nature and cause of the misstatements 
detected, the auditor should determine, and obtain supporting evidence 
on, whether the misstatements are likely to occur in the remainder of 
the line item/account balance at the interim testing date and at the 
year’s end. (See FAM 480.40 for a discussion of the need to project all 
misstatements unless evidence is highly persuasive that a misstatement 
is isolated[Footnote 60] and the audit director approves.) 

The auditor should request that entity management correct such 
misstatements in the population. Based on the following guidance, the 
auditor should use professional judgment to determine the extent that 
interim testing can be relied upon, in conjunction with substantive 
procedures in the roll-forward period, to provide sufficient appropriate 
evidence on the year-end line item/account balance: 

* If the misstatements are not material when projected to the entire 
population (likely misstatements plus an allowance for further 
misstatements is less than tolerable misstatement) and are expected to 
be representative of the misstatements of the year-end balance, the 
auditor may rely upon the results of the interim testing. 

* If the auditor has obtained highly persuasive evidence that the 
misstatements are isolated (generally by nature, cause, or extent), the 
auditor may be able to rely upon unaffected parts of the interim testing 
and apply procedures at year-end to test only those financial statement 
assertions associated with the misstatements. 

For example, in interim testing of inventory, the auditor might 
determine that the misstatements concern only the valuation of 
inventory. Accordingly, the auditor may rely upon other parts of the 
interim testing, such as those for the accuracy of the physical count 
and cutoff, and perform detail valuation testing and related procedures 
at year-end. 

* If the misstatements are material or pervasive, the auditor should 
determine (1) whether to place any reliance on the interim testing, (2) 
the effect on the risk of material misstatement, and (3) the nature and 
extent of substantive procedures to be performed on the line 
item/account balance as of the balance sheet date. 

.03: For any misstatements found during interim testing, the auditor 
uses professional judgment to evaluate, in a manner appropriate for the
circumstances, the effects on the year-end balance. 

Testing the Roll-forward Period: 

.04: Because the auditor reports on the financial statements as of 
year-end, not the interim test date, the auditor should perform further 
substantive procedures or substantive procedures combined with tests of 
controls (if the auditor concludes that substantive procedures alone 
would not be sufficient to cover the remaining period). The auditor 
should perform procedures to provide the auditor with a reasonable 
basis for extending the audit conclusions from the interim date to year 
end. The auditor should perform substantive procedures of the 
roll-forward period activity to the year-end balance. 

For example, after interim testing of the loans receivable balance as of 
June 30, the auditor may examine supporting documents for selected 
debits and credits to the balance during the roll-forward period of 
July 1 through September 30. The auditor may also apply analytical 
procedures to compare the amount of roll-forward activity, on a 
month-by-month basis, with expectations based on results for preceding 
months or similar periods of preceding years. 

.05: The auditor should determine the nature and extent of substantive
procedures based on the assessment of risk of material misstatement and
tolerable misstatement. In some instances, the auditor may determine 
that specific risk of material misstatement warrants additional or 
different substantive procedures at year-end, such as cutoff tests. If 
risk of material misstatement is moderate or low, the auditor generally 
should determine whether the internal controls as of the interim 
testing date were in place and were operating effectively during the 
roll-forward period. The auditor may refer to the results of tests of 
financial reporting controls, which cover the entire year under audit 
for significant systems. 

Documentation: 

.06: The auditor should document: 

* line items/accounts and assertions to which interim testing is 
applied; 

* basis for using interim testing; 

* audit procedures used to test interim balances and the roll-forward
period (including tests of controls, findings, and conclusions); 

* effects of any misstatements found during interim testing and during
roll-forward testing; and 

* conclusions on the line items as of and for the year. 

495 D - Example of Audit Matrix with Statistical Risk Factors: 

.01: Table 495 D-1 illustrates the correlation between risk of material 
misstatement and the substantive audit assurance obtained from 
substantive analytical procedures and detail tests as discussed in FAM 
470.11 and Figure 470.2. This example is based on 95 percent audit 
assurance.[Footnote 61] The table also provides the statistical risk 
factors the auditor generally should use to manually compute sample 
size using MUS as discussed in FAM 480.24 and Table 480.1. 

Table 495 D-1: Example Audit Matrix: 

Column key: 
(1) Risk of material misstatement; 
(2) Substantive audit assurance (1 minus detection risk for account 
balance); 
(3) Audit assurance from substantive analytical procedures and other 
related substantive tests[A]; 
(4) Minimum audit assurance from detail tests (1 minus detection risk 
for detail tests); 
(5) Statistical risk factor[B]. 

(1)        (2)    (3)        (4)    (5)
Low        63%    Complete   0%     N/A[C]
Low        63%    Partial    50%    0.7
Low        63%    None       63%    1.0
Moderate   86%    Complete   0%     N/A
Moderate   86%    Partial    77%    1.5
Moderate   86%    None       86%    2.0
High       95%    Complete   0%     N/A
High       95%    Partial    92%    2.5
High       95%    None       95%    3.0

[A] Complete assurance from analytical procedures means that procedures 
are extremely effective and persuasive to serve as the sole source of 
audit evidence for achieving the audit objective. This level of 
effectiveness or persuasiveness is very difficult to achieve when risk 
of material misstatement is high. Therefore, complete reliance on 
analytical procedures for substantive assurance in these situations is 
rare, particularly for balance sheet accounts. 

[B] Based on the Poisson distribution; used if sample size is computed 
manually. 

[C] Not applicable. 

[End of table] 
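
The statistical risk factors in Table 495 D-1 follow from footnote [B]: each equals the Poisson mean at which the chance of finding no misstatement is 1 minus the detail-test assurance. The following added example (not part of the FAM) reproduces them, foots a detail listing to its recorded total, and draws an MUS sample; the sample-size formula, the fixed-interval selection, the population, the control total and the tolerable misstatement are assumptions constructed for illustration and are not quoted from FAM 480.

```python
"""Added illustration (not FAM text): Poisson risk factors and MUS selection."""
import math
import random

# Minimum detail-test assurance -> risk factor, as printed in Table 495 D-1.
TABLE_495_D1 = {0.50: 0.7, 0.63: 1.0, 0.77: 1.5, 0.86: 2.0, 0.92: 2.5, 0.95: 3.0}

# Constructed population of recorded obligations: (id, whole dollars).
POPULATION = [
    ("OB-001", 45_000), ("OB-002", 3_200), ("OB-003", 12_500),
    ("OB-004", 800), ("OB-005", 27_000), ("OB-006", 9_500),
    ("OB-007", 15_000), ("OB-008", 6_000), ("OB-009", 31_000),
    ("OB-010", 4_000), ("OB-011", 18_000), ("OB-012", 28_000),
]
RECORDED_TOTAL = 200_000          # constructed control total
TOLERABLE_MISSTATEMENT = 60_000   # constructed


def poisson_risk_factor(assurance):
    """Poisson mean m for which P(no misstatement) = exp(-m) = 1 - assurance."""
    if not 0.0 <= assurance < 1.0:
        raise ValueError("assurance must be in [0, 1)")
    return -math.log(1.0 - assurance)


def foot_and_reconcile(items, recorded_total):
    """Foot the detail; return its difference from the recorded total."""
    return sum(amount for _, amount in items) - recorded_total


def mus_sample_size(recorded_amount, tolerable_misstatement, risk_factor):
    """Assumed formula with no expected misstatement:
    recorded amount x risk factor / tolerable misstatement, rounded up."""
    if tolerable_misstatement <= 0 or risk_factor <= 0:
        raise ValueError("tolerable misstatement and risk factor must be positive")
    return math.ceil(recorded_amount * risk_factor / tolerable_misstatement)


def mus_select(items, interval, start):
    """Fixed-interval selection of dollar units; returns {item id: hit count}.
    Any item at least as large as the interval is always selected."""
    if not 0 < start <= interval:
        raise ValueError("start must lie in (0, interval]")
    hits, cumulative, next_point = {}, 0, start
    for item_id, amount in items:
        if amount <= 0:
            raise ValueError("segregate zero and negative balances before MUS")
        cumulative += amount
        while next_point <= cumulative:
            hits[item_id] = hits.get(item_id, 0) + 1
            next_point += interval
    return hits


def draw_sample(items, recorded_total, tolerable_misstatement, risk_factor, seed):
    """Reconcile, size the sample, then select with a seeded random start."""
    if foot_and_reconcile(items, recorded_total) != 0:
        raise ValueError("detail does not foot to the recorded total")
    n = mus_sample_size(recorded_total, tolerable_misstatement, risk_factor)
    interval = recorded_total / n
    start = interval * (1.0 - random.Random(seed).random())  # in (0, interval]
    return n, interval, mus_select(items, interval, start)


if __name__ == "__main__":
    for assurance, printed in TABLE_495_D1.items():
        print(f"{assurance:.0%}: computed {poisson_risk_factor(assurance):.3f}, "
              f"table {printed}")
    n, interval, hits = draw_sample(POPULATION, RECORDED_TOTAL,
                                    TOLERABLE_MISSTATEMENT, 3.0, seed=2008)
    print(f"sample size {n}, interval {interval:,.0f}, selections {hits}")
```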

495 E - Sampling: 

Sampling Flowcharts and Example Audit Documentation: 

.01: This section contains sampling flowcharts (FAM 495 E-2 through 
E-6) and example audit documentation for sampling (FAM 495 E-7 through 
E-19). 

.02: Flowchart 1 (FAM 495 E-2) is to assist the auditor in determining 
the selection method for substantive, internal control, and compliance 
tests. Selection methods are either nonrepresentative (nonsampling 
selections) or representative selections (samples – either statistical 
or nonstatistical). 

.03: Flowchart 2 (FAM 495 E-3) is to help the auditor determine the 
type of sampling. The choices are (1) Attribute Sampling, (2) Monetary 
Unit Sampling (MUS), and (3) Classical Variables Estimation Sampling. 

When testing for overstatement in the defined population and a large
misstatement rate is expected, the auditor may use Classical PPS 
Sampling. See FAM 480.34-.35 and FAM 480.44 for further information and 
consult the statistician. 

.04: The remaining flowcharts are to assist the auditor in performing: 

* Attribute Sampling at FAM 495 E-4 (flowchart 3); 

* MUS at FAM 495 E-5 (flowchart 4); and 

* Classical Variables Estimation Sampling at FAM 495 E-6 (flowchart 5). 

.05: Example audit documentation for sampling is provided for: 

* Attribute Sampling at FAM 495 E-7 through E-10; 

* MUS at FAM 495 E-11 through E-15; and 

* Classical Variables Estimation Sampling at FAM 495 E-16 through E-19. 

Flowchart 1: Determining the Selection Method For Substantive, Internal
Control, and Compliance Tests: 

[See PDF for image] 

Selection: 
* Nonrepresentative selections (Nonsampling selections); 
- Results not intended to be projected; 
* Examples: 
- 100% test; 
- Large item test; 
- Test of unusual items; 
- Inquiries; 
- Observations; 
- Walkthroughs; 
- Analytical procedures; 
- Items likely misstated; 
- Case studies; 
- Other nonrepresentative selections; 
- Combinations of above; 
* Used when auditor knows enough about the population to identify which 
items are of interest and that the items not of interest in total have 
a low risk of material misstatement. 

Selection: 
* Representative selections (samples); 
- Expected to be representative; 
* Statistical: 
- Auditor uses probability theory to determine sample size, select the 
sample, and evaluate the results; 
- Projections are defensible; 
* Examples: 
- Monetary unit sampling; 
- Classical variables estimation sampling; 
- Classical PPS sampling; 
- Attributes sampling; 
* Used when, for example: 
- Line item is material; 
- Risk of material misstatement is high; 
- Sampling will provide significant evidence; 
- Federal entity or report reader likely to question nonstatistical 
sampling results; 
- Results likely to be included in report. 

Selection: 
* Representative selections (samples); 
- Expected to be representative; 
* Nonstatistical: 
- Auditor considers statistical concepts, but does not explicitly use 
them to determine sample size, select the sample, or evaluate the 
results; 
- Requires approval of Reviewer in consultation with statistician; 
- Sample size generally should be at least 25% to 50% greater than 
statistical sample size; 
* Used, for example, when: 
- Line item is material; 
- Risk of material misstatement is low; 
- Analytical procedures effective; 
- Sample size is small; 
- Sampling does not provide an important part of audit evidence; 
- Results will not be reported separately. 
- Nonsampling may be more efficient in these cases. 

[End of figure] 

Flowchart 2: Determining Which Type of Sampling to Use: 

[See PDF for image] 

* Determine the objectives of the test: 
* Does objective include a substantive test? 
- If No: Use attributes sampling; 
- Plate 1. 
- If yes: Define population; 
- Obtain information about population; 
* Purpose of test to audit recorded amount? 
- If no, help client estimate an amount; 
- Use classical variables estimation sampling; 
- Plate 3. 
* Purpose of test to audit recorded amount? 
- If yes: 
* Can we add the dollar amounts in the population (manually or with
software)? 
- If no, help client estimate an amount; 
- Use classical variables estimation sampling; 
- Plate 3. 
- If yes: 
* Can we segregate zero & negative balances? 
- If no, help client estimate an amount; 
- Use classical variables estimation sampling; 
- Plate 3. 
- If yes: 
* Primary risk is overstatement of recorded population or related
population (see paragraph 480.21); 
- If no, help client estimate an amount; 
- Use classical variables estimation sampling; 
- Plate 3. 
- If yes: 
* Expect that total dollar amount of misstatement in population is 
large? (For GAO, large means greater than 30% of sampling units are 
expected to be misstated and misstatements are expected to be mostly 
partial misstatement); 
- If no, help client estimate an amount; 
- Use classical variables estimation sampling; 
- Plate 3. 
- If yes: 
* Use monetary-unit sampling to determine sample size
- Plate 2. 

Plate #1: For Attribute Sampling, see flowchart 3 at FAM 495 E-4. 

Plate #2: For MUS, see flowchart 4 at FAM 495 E-5. 

Plate #3: For Classical Variables Estimation Sampling, see flowchart 5 
at FAM 495 E-6. 

[End of figure] 

Flowchart 3: Testing Using Attribute Sampling: 

[See PDF for image] 

Plate 1: 
* Define the population; 
* Determine the sample size; 
* Select random sample; 
* Perform the test; 
* Evaluate the results; 
* Are the results acceptable? 
* If yes: 
- Use the planned risk of material misstatement assessment; 
- Perform substantive procedures; 
- End; 
* If no: 
- Reassess control risk of material management; 
- Reconsider nature, extent, and timing of substantive procedures; 
- End. 

[End of figure] 

Flowchart 4: Testing Using Monetary Unit Sampling: 

[See PDF for image] 

Plate 2: 
* Define item to be tested; 
* Define misstatements; 
* Determine confidence level; 
* Define materiality; 
* Determine estimated misstatements; 
* Determine sample size; 
* Select sample (Extending monetary unit sampling is usually not 
efficient); 
(If error rate is high enough, and sample size is 75 or more, use 
classical PPS to evaluate); 
* Perform the test; 
* Reassess the risk of misstatement and consider need to change 
confidence level; 
* Evaluate the test; 
* Is additional work necessary to issue unqualified opinion? 
* If no: 
- Post known misstatement and likely misstatement; 
- End; 
* If yes: 
- Should we do additional work? 
* If no: 
- Issue qualified opinion, disclaimer of opinion, or adverse opinion; 
- End; 
* If yes: 
- Perform the additional work; 
* Return to step and continue process until reaching end: Reassess the 
risk of misstatement and consider need to change confidence level. 

[End of figure] 

Flowchart 5: Testing Using Classical Variables Sampling: 

[See PDF for image] 

Plate 3: 
* Determine tolerable misstatement; 
* Determine confidence level; 
* Determine stratification plan; 
* Select pilot sample; 
* Perform the test; 
* Reassess risk of material misstatement and consider need to change 
confidence level; 
* Evaluate the results; 
* Is additional work necessary to issue unqualified opinion? 
* If no: 
- Post known misstatement and likely misstatements; 
- End. 
* If yes: 
- Should we do additional work? 
* If no: 
- Issue qualified opinion, disclaimer of opinion, or adverse opinion; 
- End; 
* If yes: 
- Should we extend the sample? 
* If no: 
- Perform the additional work; 
* Return to step and continue process until reaching end: Reassess risk 
of material misstatement and consider need to change confidence level; 
* If yes: 
- Select additional items; 
* Return to step and continue process until reaching end: Perform the 
test. 

[End of figure] 

Example Audit Documentation for Attribute Sampling: 

Entity: 

Period ended: 

During planning, Prepared by: 
Initials: 
Date: 

During planning, Reviewed by: 
Initials: 
Date: 

At end of test, Prepared by: 
Initials: 
Date: 

At end of test, Reviewed by: 
Initials: 
Date: 

Section I - Definition of Control Techniques and Sampling Method for 
Attribute Sampling: 

Cycle: 

Application: 

Control techniques (from SCE forms): 

Sampling method: 
Random using IDEA; 
Documentation reference to IDEA output: 

Other—explain: 

Section II - Definition of Population and Attributes to Test for 
Attribute Sampling: 

Population is: 

Population size (units): 

Attribute(s) to test: 

Document(s) to examine: 

When this period is less than the entire period under audit or where 
the population being tested is less than the population in the 
financial statements, describe briefly (and cross-reference to) 
procedures for obtaining satisfaction about the remainder of the 
population: 

List steps needed to achieve satisfaction that the selection is from a 
population equivalent to the defined population: 

Section III - Determination of Sample Size and Evaluation of Sample 
Results for Attribute Sampling: 

Control activity number: 
Deviation definitions (each will constitute a deviation)[A]: 
A: Preliminary assessment of control risk (see SCEs): 
B: Sample size (per table I in FAM 450.09, IDEA, or other source): 
C: Acceptable number of deviations: 
D: Number of deviations found: 
E: Is result acceptable or not acceptable?[B] 

[A] Insert deviation definitions and data for columns A through C for 
each control technique before selection of sample. 

[B] Results are acceptable if column D is less than column C. When 
results are unacceptable, complete section IV. 

Method of testing when more than one control technique: 

Use largest sample size for all key controls (generally because same 
documents are tested): 

Use different sample sizes for different controls (using random numbers 
in order selected): 

Section IV - Explain Unacceptable Results and Other Control Deviations 
for Attribute Sampling: 

Deviation: 
Possible cause: 
Cycles, assertions, and accounts that could be affected: 
Further action taken: 
Conclusion/revised risk of material misstatement[A]: 

[A]: Where the preliminary assessment of the risk of material 
misstatement was low, the risk may be assessed as moderate if the 
number of deviations found does not exceed the acceptable number of 
deviations in table II (FAM 450.09) for the same sample size. 

Section V - Overall Conclusions about Risk of Material Misstatement: 

[End of form] 

Example Audit Documentation for MUS: 

Entity: 

Period ended: 

During planning, Prepared by: 
Initials: 
Date: 

During planning, Reviewed by: 
Initials: 
Date: 

At end of test, Prepared by: 
Initials: 
Date: 

At end of test, Reviewed by: 
Initials: 
Date: 

Section I - Define Objectives and Method of Testing for MUS: 

Line item: 

Assertion: 

Test: 

Section II - Define Population for MUS: 

Population is: 

Population size [monetary unit (dollars)]: 

Logical unit (balance or transaction that includes the selected 
dollar): 

Direction of test: 

Starting from (source): 

Testing to (documents to be examined): 

When this period is less than the entire period under audit or where 
the population being tested is less than the population in the 
financial statements, describe briefly (and cross-reference to) 
procedures to obtain satisfaction about the remainder of the 
population: 

List steps needed to achieve satisfaction that the selection is from a 
population equivalent to the defined population: 

Population analyzed by: 
- Review of printout of population: 
- Review of manual listing of population: 
- IDEA stratification: 
- Other computer-assisted method—describe: 

Section III - Determine Sample Size and Interval for MUS: 

a. Total population (from section II): 

b. Risk of material misstatement from the ARA: 

c. Amount of substantive audit assurance required (from audit matrix): 

d. Substantive assurance from analytical procedures that relate to the 
assertion tested: 

e. Other substantive tests of detail that relate to the assertion: 

f. Minimum substantive audit assurance from detail tests: 

g. For MUS calculated manually: 
1. Risk factor (from audit matrix): 
2. Tolerable misstatement: 

h. For MUS using IDEA:
1. Confidence level %: 
2. Materiality (generally design—see FAM 480.27) $: 
3. Expected misstatement amount $: 

i. Interval based on these factors is: 
Random start or seed is: 

j. Sample size based on these factors is: 
Audit documentation reference to: 
Software output (IDEA): 
Manual computation: 

Section IV - Evaluation of Substantive Tests for MUS: 

(If many errors are found and the sample size is 75 or greater, the 
auditor generally should consult with the statistician to evaluate and
document as classical PPS.) 

Known Substantive Misstatements: 

Items greater than sampling interval: 

Misstatement number: 
(A) Book amount: 
(B) Audited amount: 
(C) Misstatement amount* (A-B): 
Nature of misstatement: 
Possible cause: 

1. 
2. 
3. 
Total*: 

Items less than sampling interval: 

(D) Misstatement as a percentage of book amount* (C/A): 

Should misstatement be projected? If not explain: 

1. 
2. 
3. 
Total*: 

* Calculated amounts may be omitted if calculation done using IDEA. 

Note 1: When sampling from a different population for understatement of 
a primary population (such as when sampling subsequent disbursements to
test completeness of recorded accounts payable), in computing 
“misstatement as a percentage of book amount” the “book amount” is the 
subsequent disbursement (not the recorded payable). The audited amount 
is the amount that was either correctly accrued or not correctly 
accrued. For example, assume the auditor finds a $10,000 subsequent 
disbursement that was omitted improperly from accounts payable as of 
the balance sheet date. The “book amount” is $10,000 and the “audited 
amount” is zero, thus the “misstatement as a percentage of book amount” 
is 100 percent. The “book amount” is based on the source of selection, 
not necessarily what is recorded in the financial statements. 

Note 2: If IDEA selects an item twice and it is misstated, include the 
item twice in this listing. 

Section IV - Evaluation of Substantive Tests for MUS: 

Compute projected misstatements: 
(Omit steps E through H if computed by IDEA) 

(E) Number of equivalent complete misstatements in sample from column D 
on previous page (excluding misstatements found in 100% examined 
items - see Note 1 on previous page): 

(F) Sampling interval: 

(G) Projected misstatements (E x F): 

(H) Misstatements found in 100% examined items: 

(I) Total projected misstatement (G + H) (or from IDEA output): 

(If from IDEA, document reference to IDEA output): 

Conclusion: Are we satisfied that book amount is fairly stated? 
Yes: 
No: 
Not enough evidence: 

If no or not enough evidence, what will we do? Explain below: 

[End of form] 

Example Audit Documentation for Classical Variables Estimation 
Sampling: 

Entity: 

Period ended: 

During planning, Prepared by: 
Initials: 
Date: 

During planning, Reviewed by: 
Initials: 
Date: 

At end of test, Prepared by: 
Initials: 
Date: 

At end of test, Reviewed by: 
Initials: 
Date: 

Section I - Define Objectives and Method of Testing for Classical 
Variables Estimation Sampling: 

Line item: 

Assertion: 

Test: 

Description of 100 percent examined items: 

Section II - Define Population for Classical Variables Estimation 
Sampling: 

Population is: 

Population size: Dollars: 
Number of items: 

Direction of Test: Starting from (source): 

Testing to (documents to be examined): 

When this period is less than entire period under audit or where the 
population being tested is less than the population in the financial 
statements, describe briefly (and cross-reference to) procedures to 
obtain satisfaction about the remainder of the population: 

Steps to be satisfied that the selection is from a population 
equivalent to the defined population: 

Population analyzed by: 
Review of printout of population; 
Review of manual listing of population; 
IDEA stratification; 
Other computer-assisted method—describe: 

Section III - Determine sample size for Classical Variables Estimation 
Sampling: 

a. Confidence level %: 
b. Tolerable misstatement $: 
c. Precision for total population $: 
d. Strata definitions: 

Stratum: 
From: 
To: 
Number of items: 
Dollars: 

Stratum: 
From: 
To: 
Number of items: 
Dollars: 

Stratum: 
From: 
To: 
Number of items: 
Dollars: 

Stratum: 
From: 
To: 
Number of items: 
Dollars: 

e. Sample size based on these factors is: 

Audit documentation reference to: 
IDEA; 
Other calculation; 
Pilot sample estimate. 

Section IV - Evaluation of Substantive Tests for Classical Variables 
Estimation Sampling: 

a. Evaluation method -- W/P reference to: 
IDEA; 
Other calculation; 
Spreadsheet. 

b. Estimating technique: 
Direct projection; 
Difference estimation; 
Separate ratio; 
Combined ratio; 
Combined regression; 
Other. 

c. Point estimate $: 

Confidence interval: 
From $: 
To $: 
At % Confidence level: 

Conclusion: Are we satisfied that book amount is fairly stated? 
Yes; 
No; 
Not enough evidence. 

If no or not enough evidence, what will we do? Explain below: 

[End of form] 

495 F - Manually Selecting a Monetary Unit Sample: 

.01: Even though auditors usually use software (such as IDEA) to select 
an MUS, it is helpful to understand the process for manually selecting 
an MUS. To select an MUS sample manually, the auditor should: 

a. Determine the sampling interval using the following formula: 
sampling interval = tolerable misstatement ÷ statistical risk factor. 

b. Clear the calculator. 

c. Select and document a random start and enter as a negative number in
the calculator. For the random start use a random number between 1
and the sampling interval calculated in step a. 

d. Enter the positive amounts in the test population (items) until the
calculator’s running subtotal becomes positive. The item that caused 
the subtotal to become positive is the item selected for testing. [See 
FAM 495 F-3. Note that the calculator subtotals were positive for
invoices #3, 10, 17, 19, and 24.] Do not enter into the calculator any 
items in the population with zero or credit balances. Accumulate these 
items separately and test them in conjunction with tests of 
completeness of the account balance or class of transactions if they 
are significant. 

e. After each selection, subtract the sampling interval until the 
subtotal is negative. Even if the last item in the population is 
selected, subtract the sampling interval until the subtotal is negative.
[See FAM 495 F-3. For invoice #19, the auditor had to subtract the
sampling interval twice to get a negative subtotal.] 

f. Repeat steps d and e above until all items in the test population 
have been entered into the calculator and the ending subtotal is 
negative. 

g. To test the footing of the population, reconcile the sample to the
recorded amount of the test population as follows: Add: 
(a) random start; 
(b) sampling interval multiplied by the number of times the sampling
interval was subtracted during selection of the sample; and; 
(c) remaining subtotal on the calculator. 

Determine whether the total equals the test population amount. If the
total on the reconciliation is not equal to the population amount, there
is either an error in the total population amount or there was an error 
in entering the population items into the calculator. 

Determine whether investigation of the difference is necessary and, if
so, the steps needed to investigate. Immaterial amounts may not need
investigation. 

[See FAM 495 F-4 for a sample reconciliation to test the footing.] 

Example of Systematic Selection for MUS: 

Random starting point: $6,000. 

Sampling interval: $50,000. 

Start $0: 
Adding Machine Tape Entries: -6,000; 
Adding Machine Tape Subtotals: (6,000); 
Selection: [Empty]. 

Invoice Register Number: 1; 
Invoice Register Amount: $2,500; 
Adding Machine Tape Entries: +2,500; 
Adding Machine Tape Subtotals: (3,500); 
Selection: [Empty]. 

Invoice Register Number: 2; 
Invoice Register Amount: $2,500; 
Adding Machine Tape Entries: +2,500; 
Adding Machine Tape Subtotals: (1,000); 
Selection: [Empty]. 

Invoice Register Number: 3; 
Invoice Register Amount: $4,500; 
Adding Machine Tape Entries: +4,500; 
Adding Machine Tape Subtotals: 3,500; 
Selection: [Check]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: (46,500); 
Selection: [Empty]. 

Invoice Register Number: 4; 
Invoice Register Amount: $12,000; 
Adding Machine Tape Entries: +12,000; 
Adding Machine Tape Subtotals: (34,500); 
Selection: [Empty]. 

Invoice Register Number: 5; 
Invoice Register Amount: $25; 
Adding Machine Tape Entries: +25; 
Adding Machine Tape Subtotals: (34,475); 
Selection: [Empty]. 

Invoice Register Number: 6; 
Invoice Register Amount: $3,500; 
Adding Machine Tape Entries: +3,500; 
Adding Machine Tape Subtotals: (30,975); 
Selection: [Empty]. 

Invoice Register Number: 7; 
Invoice Register Amount: $10,000; 
Adding Machine Tape Entries: +10,000; 
Adding Machine Tape Subtotals: (20,975); 
Selection: [Empty]. 

Invoice Register Number: 8; 
Invoice Register Amount: $8,000; 
Adding Machine Tape Entries: +8,000; 
Adding Machine Tape Subtotals: (12,975); 
Selection: [Empty]. 

Invoice Register Number: 9; 
Invoice Register Amount: $5,000; 
Adding Machine Tape Entries: +5,000; 
Adding Machine Tape Subtotals: (7,975); 
Selection: [Empty]. 

Invoice Register Number: 10; 
Invoice Register Amount: $25,000; 
Adding Machine Tape Entries: +25,000; 
Adding Machine Tape Subtotals: 17,025; 
Selection: [Check]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: (32,975); 
Selection: [Empty]. 

Invoice Register Number: 11; 
Invoice Register Amount: $1,000; 
Adding Machine Tape Entries: +1,000; 
Adding Machine Tape Subtotals: (31,975); 
Selection: [Empty]. 

Invoice Register Number: 12; 
Invoice Register Amount: $500; 
Adding Machine Tape Entries: +500; 
Adding Machine Tape Subtotals: (31,475); 
Selection: [Empty]. 

Invoice Register Number: 13; 
Invoice Register Amount: $7,000; 
Adding Machine Tape Entries: +7,000; 
Adding Machine Tape Subtotals: (24,475); 
Selection: [Empty]. 

Invoice Register Number: 14; 
Invoice Register Amount: $10,500; 
Adding Machine Tape Entries: +10,500; 
Adding Machine Tape Subtotals: (13,975); 
Selection: [Empty]. 

Invoice Register Number: 15; 
Invoice Register Amount: $12,000; 
Adding Machine Tape Entries: +12,000; 
Adding Machine Tape Subtotals: (1,975); 
Selection: [Empty]. 

Invoice Register Number: 16; 
Invoice Register Amount: $1,275; 
Adding Machine Tape Entries: +1,275; 
Adding Machine Tape Subtotals: (700); 
Selection: [Empty]. 

Invoice Register Number: 17; 
Invoice Register Amount: $9,500; 
Adding Machine Tape Entries: +9,500; 
Adding Machine Tape Subtotals: 8,800; 
Selection: [Check]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: (41,200); 
Selection: [Empty]. 

Invoice Register Number: 18; 
Invoice Register Amount: $10,000; 
Adding Machine Tape Entries: +10,000; 
Adding Machine Tape Subtotals: (31,200); 
Selection: [Empty]. 

Invoice Register Number: 19; 
Invoice Register Amount: $100,000; 
Adding Machine Tape Entries: +100,000; 
Adding Machine Tape Subtotals: 68,800; 
Selection: [Check]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: 18,800; 
Selection: [Empty]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: (31,200); 
Selection: [Empty]. 

Invoice Register Number: 20; 
Invoice Register Amount: $20,200; 
Adding Machine Tape Entries: +20,200; 
Adding Machine Tape Subtotals: (11,000); 
Selection: [Empty]. 

Invoice Register Number: 21; 
Invoice Register Amount: $1,800; 
Adding Machine Tape Entries: +1,800; 
Adding Machine Tape Subtotals: (9,200); 
Selection: [Empty]. 

Invoice Register Number: 22; 
Invoice Register Amount: $4,000; 
Adding Machine Tape Entries: +4,000; 
Adding Machine Tape Subtotals: (5,200); 
Selection: [Empty]. 

Invoice Register Number: 23; 
Invoice Register Amount: $250; 
Adding Machine Tape Entries: +250; 
Adding Machine Tape Subtotals: (4,950); 
Selection: [Empty]. 

Invoice Register Number: 24; 
Invoice Register Amount: $20,550; 
Adding Machine Tape Entries: +20,550; 
Adding Machine Tape Subtotals: 15,600; 
Selection: [Check]. 

Adding Machine Tape Entries: -50,000; 
Adding Machine Tape Subtotals: (24,400); 
Selection: [Empty]. 

Invoice Register Number: 25; 
Invoice Register Amount: $20,000; 
Adding Machine Tape Entries: +20,000; 
Adding Machine Tape Subtotals: (14,400); 
Selection: [Empty]. 

Invoice Register Amount: $291,600. 

Reconciliation of book amounts footed to test population: 

Random start $6,000; 
+ Sampling interval x number of times subtracted ($50,000 x 6) 300,000; 
+ Remaining subtotal (14,400); 
Population total $291,600. 

[End of table] 
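
The manual selection in steps c through g of FAM 495 F, and the footing 
reconciliation that follows it, can be expressed as a short program. 
This is an added example, not part of the FAM and not how IDEA works 
internally; the names select_mus, MusResult and footing_difference are 
assumptions made for illustration, and the invoice data is taken from 
the table above. 

```python
"""Manual monetary-unit sample (MUS) selection per FAM 495 F, steps c-g."""
from dataclasses import dataclass, field

# Invoice register from the "Example of Systematic Selection for MUS" table:
# (invoice number, amount in whole dollars).
INVOICES = [
    (1, 2_500), (2, 2_500), (3, 4_500), (4, 12_000), (5, 25),
    (6, 3_500), (7, 10_000), (8, 8_000), (9, 5_000), (10, 25_000),
    (11, 1_000), (12, 500), (13, 7_000), (14, 10_500), (15, 12_000),
    (16, 1_275), (17, 9_500), (18, 10_000), (19, 100_000), (20, 20_200),
    (21, 1_800), (22, 4_000), (23, 250), (24, 20_550), (25, 20_000),
]


@dataclass
class MusResult:
    interval: int
    random_start: int
    selected: list = field(default_factory=list)   # items picked for testing
    hits: dict = field(default_factory=dict)       # item -> interval subtractions
    set_aside: list = field(default_factory=list)  # zero/credit items (step d)
    times_subtracted: int = 0
    remaining_subtotal: int = 0

    def footed_total(self):
        # Step g: (a) random start + (b) interval x times subtracted
        # + (c) remaining subtotal on the calculator.
        return (self.random_start
                + self.interval * self.times_subtracted
                + self.remaining_subtotal)


def select_mus(items, interval, random_start):
    """Replay the calculator procedure over (item_id, amount) pairs."""
    if interval <= 0:
        raise ValueError("sampling interval must be positive")
    if not 1 <= random_start <= interval:
        raise ValueError("random start must be between 1 and the interval")

    result = MusResult(interval=interval, random_start=random_start)
    subtotal = -random_start                 # step c: enter start as negative
    for item_id, amount in items:
        if amount <= 0:
            # Step d: zero and credit balances are never keyed in; they are
            # accumulated separately for the completeness tests.
            result.set_aside.append((item_id, amount))
            continue
        subtotal += amount                   # step d: enter the item
        if subtotal > 0:                     # subtotal became positive
            result.selected.append(item_id)
            # Step e: subtract the interval until the subtotal is negative.
            # An item larger than the interval needs several subtractions.
            while subtotal >= 0:
                subtotal -= interval
                result.times_subtracted += 1
                result.hits[item_id] = result.hits.get(item_id, 0) + 1
    result.remaining_subtotal = subtotal     # step f: ends negative
    return result


def footing_difference(result, recorded_total):
    """Recorded population amount minus the footed total (0 means it foots)."""
    return recorded_total - result.footed_total()


if __name__ == "__main__":
    res = select_mus(INVOICES, interval=50_000, random_start=6_000)
    print("Selected invoices:", res.selected)
    print("Interval subtracted", res.times_subtracted, "times")
    print("Remaining subtotal:", res.remaining_subtotal)
    print("Footed total:", res.footed_total())
    print("Difference from recorded $291,600:",
          footing_difference(res, 291_600))
```

A nonzero difference means either the recorded population amount is 
wrong or an item was keyed incorrectly, which is the condition the 
reconciliation in step g is designed to surface. 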

[End of section] 

Section 500: Reporting Phase: 

Reporting Phase: 

* Perform Overall Analytical Procedures; 
FAM: 520. 

* Reassess Materiality and Risk; 
FAM: 530. 

* Evaluate Misstatements; 
FAM: 540. 

* Conclude Other Audit Procedures; 
FAM: 550. 

* Determine Conformity with U.S. GAAP; 
FAM: 560. 

* Determine Compliance with GAO/PCIE Financial Audit Manual; 
FAM: 570. 

* Draft Reports; 
FAM: 580. 

* Documentation; 
FAM: 590. 

510 – Overview of the Reporting Phase: 

.01: Based on the work in the preceding phases, the auditor must decide 
how to report on: 

(1) the financial statements taken as a whole; 

(2) management’s discussion and analysis, required supplementary and
stewardship information, and other information presented with the
financial statements; 

(3) the entity’s internal control for financial reporting and 
compliance with laws and regulations; 

(4) the financial management systems’ substantial compliance with the
three FFMIA requirements (for CFO Act agencies); and; 

(5) the entity’s compliance with laws and regulations. 

The following sections provide guidance in making these determinations
and in formulating the report type and form. Guidance is also provided 
on other activities that the auditor should perform during the 
reporting phase (See fig. 500). 

520 - Perform Overall Analytical Procedures: 

Purposes of Overall Analytical Procedures: 

.01: As the audit nears completion, the auditor should perform overall
analytical procedures as discussed in AU 329. The purposes of these
procedures are: 

* to determine if an adequate understanding of all fluctuations from
expectations and relationships in the financial statements has been
obtained; or; 

* if not, to identify and resolve significant or unusual fluctuations 
from expectations that have not been identified and resolved in other 
audit procedures; and; 

* to determine if other audit evidence is consistent with explanations 
for fluctuations from expectations documented during overall analytical
procedures; and; 

* to assist the auditor in forming an opinion on the financial 
statements that is based upon all the audit evidence obtained. 

.02: If overall analytical procedures indicate that an adequate 
understanding of relationships and fluctuations has not been obtained 
or if there are inconsistencies in audit evidence gathered from other 
audit procedures, the auditor should make further inquiries and perform 
sufficient testing to obtain an adequate understanding or to resolve 
the inconsistencies. 

.03: The auditor may perform overall analytical procedures in more 
detail than the financial statement level (supplemental analytical 
procedures) and then use the results of these procedures to “roll up” 
into and support the overall analytical procedures at the financial 
statement level. For example, the auditor may perform overall 
analytical procedures at the account level and roll them up to the 
financial statement line item to which they belong. 

.04: The auditor may use analytical procedures to obtain complete or 
partial substantive assurance for certain accounts or to perform 
supplemental analytical procedures when detail tests are used 
exclusively to obtain substantive assurance. The auditor may use 
information obtained during these procedures as the basis for 
explanations of fluctuations for overall analytical procedures. 

.05: The auditor who conducted the detail tests on an account generally 
should also conduct supplemental analytical procedures. This usually 
improves audit efficiency and effectiveness by building on the 
knowledge obtained during detail testing. 

.06: The auditor generally should coordinate overall analytical 
procedures with the evaluation of the MD&A. For example, the auditor 
generally should use the MD&A, if available, to assist in performing 
overall analytical procedures. The auditor generally should also use 
the results of the analytical procedures to assist in forming 
conclusions about the information in the MD&A. 

Performance of Overall Analytical Procedures: 

.07: The auditor should achieve the purposes of overall analytical 
procedures described above by: 

* Assessing expectations: The auditor should determine if expectations 
previously developed during preliminary analytical procedures in FAM 
225.03 (a) are still appropriate or should be revised. 

* Comparing current-year amounts with expectations: This information 
may be on a summarized level, such as the level of financial 
statements, or a more detailed level, as discussed in FAM 520.03. 

* Identifying significant or unusual fluctuations from expectations 
that have not already been identified and resolved: The auditor should 
determine whether previously established parameters for determining if 
a fluctuation is significant are still appropriate. Parameters are 
usually based on tolerable misstatement. Unusual fluctuations include 
inappropriate accounting balances (such as debit balances in liability 
accounts), balances with either no current year or no prior year 
comparison, and decreases in property accounts that would normally 
occur only by disposition (instead of by misstatements). Fluctuations 
identified are a matter of the auditor’s professional judgment. The 
auditor should also evaluate the absence of expected fluctuations when 
identifying significant fluctuations (such as lower foreclosure rates 
on home loans despite higher default rates). 

* Understanding identified fluctuations from expectations: The auditor 
should understand all significant fluctuations identified, obtain audit 
evidence corroborating the cause, and document the causes for the 
fluctuations. The documentation may be a brief description with a 
reference to corroborating audit evidence. If the auditor does not
understand the cause of the fluctuation or if the understanding is not
consistent with the audit evidence, the auditor should perform 
procedures to obtain an understanding or to resolve any 
inconsistencies. 

* Evaluating the results of overall analytical procedures: The auditor 
should evaluate these results to determine if the auditor obtained an 
adequate understanding of significant fluctuations from expectations 
and if audit evidence is consistent and adequate to support the report 
on the financial statements. 

530 – Reassess Materiality and Risk: 

.01: In the planning phase, the auditor should have determined planning 
materiality based on preliminary information. Based on this planning 
materiality, the auditor should have determined design materiality and
tolerable misstatement, which affected the extent of audit testing. 
Also in planning, the auditor assessed the risk of material 
misstatement by assertion. During the audit, the auditor may have 
revised these determinations and assessments if better information 
became available. 

.02: Before the end of the audit, the auditor should determine whether, 
in light of the final financial statements, the planning materiality 
used is still appropriate. The auditor should also reassess, based upon 
the audit evidence obtained, the risk of material misstatement and the 
overall audit assurance needed. If material weaknesses or other 
significant deficiencies are identified, the auditor should consider 
their implications on this risk assessment. 

.03: Based upon these reassessments, the auditor should determine 
whether the nature, extent, and timing of substantive audit procedures 
were sufficient, such as the appropriateness of sample sizes for detail 
tests and the limit for investigation of differences during substantive 
analytical procedures. When the auditor has questions regarding the 
adequacy of work performed, the auditor should consult with the 
reviewer to determine the need for additional procedures. 

.04: When the auditor determines whether an opinion can be expressed on 
the financial statements, the auditor should evaluate limitations on 
the nature, extent, or timing of work performed. Additional guidance on 
scope limitations and their impact is provided in FAM 580.14-.18. 

540 – Evaluate Misstatements: 

Overview: 

.01: The auditor may detect misstatements during substantive tests or 
other procedures. The auditor should evaluate misstatements 
individually and in the aggregate in both quantitative and qualitative 
terms. Based on the evaluation of all misstatements, the auditor should 
determine the type of report to issue on the financial statements. 

.02: As discussed in AU 318, the auditor should not assume that an 
instance of fraud or error is an isolated occurrence, and therefore, 
should evaluate how the detection of the misstatement affects the 
assessed risks of material misstatement, including, (1) the related 
nature, extent, and timing of substantive audit procedures, and (2) the 
audit evidence of the operating effectiveness of relevant controls, 
including the entity’s risk assessment process. Accordingly, the 
auditor should evaluate the effect of misstatements on: 

* The auditor’s evaluation of internal control and risks of material
misstatement (see FAM 580.31-.62). 

The auditor should determine whether the misstatements indicate control 
deficiencies that had not been previously identified, whether the 
assessment of the controls and the risk of material misstatement at the 
relevant assertion level remain appropriate, whether audit procedures 
are appropriate in light of any revisions to the risks of material 
misstatement, and whether the categorization of control deficiencies 
for reporting purposes is appropriate (whether they are material 
weaknesses or other significant deficiencies). 

* The consideration of the risk of material misstatement due to fraud 
(see FAM 540.18-.24). 

The auditor should determine whether to change the risk of material
misstatement due to fraud determined during planning, based on the
accumulated results of audit procedures. 

* The auditor’s evaluation of the financial management systems' 
substantial compliance with the 3 FFMIA requirements (see FAM 580.64-
.68). 

The auditor should determine whether to change, based upon the 
misstatements and identified control deficiencies, the auditor’s
conclusions with respect to the financial management systems’ 
substantial compliance with the 3 FFMIA requirements. 

* The entity’s compliance with laws and regulations (see FAM 580.69-
.77). 

The auditor should determine whether to change, based upon the 
misstatements, the auditor’s conclusions with respect to the entity’s
compliance with laws and regulations. 

* Budget formulation and execution. 

The auditor should determine whether the misstatements have a 
significant impact on budget related matters for purposes of reporting 
budget control deficiencies, reporting on the statement of budgetary 
resources and reconciliation of net cost to budget note disclosure, and 
reporting on compliance with budget-related provisions of laws and 
regulations. 

* Other reports. 

The auditor should determine whether the misstatements and any 
underlying internal control deficiencies affect other reports prepared
by the entity that are (1) used for management decision-making, or
(2) distributed outside the entity. 

.03: FAM 475 (substantive analytical procedures) and FAM 480 
(substantive detail tests) discuss the evaluation of individual 
misstatements from a quantitative standpoint. Following that guidance, 
the auditor should quantify the effects of the misstatements and 
classify them as either: 

* known misstatement: the amount of misstatement actually found, or; 

* likely misstatement: the auditor’s best estimate of the amount of the
misstatement in the population (likely misstatement includes the known 
misstatement). For sampling applications, this amount is the projected 
misstatement. (Also see FAM 540.11.) 

Accumulation of Misstatements: 

.04: To evaluate the aggregate effects of misstatements on the financial
statements, the auditor should accumulate known and likely 
misstatements; this should be done on a Schedule of Uncorrected 
Misstatements, an example of which is illustrated at FAM 595 C, example 
1. The auditor should include any misstatements (known or likely) that 
the entity brings to the auditor’s attention that have not been 
corrected in the financial statements. The summary allows the auditor 
to have a record of the impact of the audit, bring all misstatements to 
the attention of management and those charged with governance, and 
evaluate the risk of further misstatement as a part of the 
consideration of uncorrected misstatements as discussed in FAM 540.11-
.12. The reviewer should review the Schedule of Uncorrected 
Misstatements. 

Per AU 312.42, the auditor may designate an amount below which 
misstatements are not accumulated. The auditor should set this trivial 
or de minimis amount so that any such misstatements, either 
individually or when aggregated with all other misstatements, would not 
be material to the financial statements, after the possibility of 
further undetected misstatements is considered. 

.05: The financial statements usually include various estimates made by
management, such as the recoverability of assets (through allowances for
doubtful accounts receivable or loans) and liabilities for loan 
guarantees. If the recorded amount falls outside a range of amounts 
that the auditor determines is reasonable, the auditor should include 
at least the difference between the recorded amount and the closest end 
of the auditor’s range as a likely misstatement in the Schedule of 
Uncorrected Misstatements. There might be situations when including the 
difference between management’s estimate and the midpoint of the range 
is a better measure of likely misstatements; the auditor generally 
should discuss these with the reviewer and the statistician. 

.06: Additionally, the auditor should evaluate whether management’s 
estimates, while individually reasonable, consistently overstate or 
understate components of the financial statements, such as total assets 
or total expenditures, and indicate possible management bias. If so, 
the auditor should evaluate the effects on the financial statements in 
addition to any uncorrected misstatements when determining the 
appropriate type of opinion. Further guidance on evaluating estimates 
is provided in AU 312.56-.58 and AU 342. 

Review of Misstatements with Management and Those Charged with 
Governance: 

.07: After accumulating and summarizing the adjustments on a Schedule of
Uncorrected Misstatements (an example of which is at FAM 595 C), the
auditor: 

* Must bring all misstatements found (except those below the auditor-
designated amount at which misstatements need not be accumulated as
discussed at FAM 540.04) to the attention of appropriate entity 
management. This includes communicating both known and likely 
misstatements. 

* Should request entity management to adjust the entity’s financial
statements and underlying records to correct all known misstatements. 

* Should request entity management, for likely misstatements that are
material either individually or when aggregated with other 
misstatements, to examine the class of transactions, account balance or 
disclosure to identify and quantify their own amount of the related 
misstatements. This may also help determine the cause of the likely 
misstatements. The auditor should then test management’s procedures
and the amount of their proposed adjustment to determine the 
reasonableness of their amount. The auditor may perform additional
audit procedures if needed. For likely misstatements involving 
differences in estimates, the auditor may share the assumptions and
methods used to develop the estimate with management for the purpose of 
management revising its estimate. 

Entity management may establish valuation allowances for likely 
misstatements, net of known misstatements (since the likely misstatement
represents the best estimate of the correction needed).[Footnote 62] If 
management does not correct the financial statements, the auditor 
should ascertain management’s reasons for not making the corrections 
and should evaluate these reasons when concluding on the qualitative 
aspects of the entity’s accounting practices and determining the 
implications for the auditor’s report. Also, the auditor should 
communicate uncorrected known and likely misstatements to those charged 
with governance as discussed in AU 380.40-.41. 

.08: In presenting the misstatements to management, the auditor 
generally should remind management that AU 333 requires the entity to 
indicate in the management representation letter that the uncorrected 
misstatements aggregated by the auditor, both individually and in the 
aggregate, are not material to the financial statements taken as a 
whole. AU 333 also requires that a summary of the uncorrected 
misstatements be attached to the representation letter. Attaching this 
summary is further discussed in FAM 1001 and presented in 
representation No. 5 in the example representation letter at FAM 1001 
A. Thus, management may consider some of the same factors presented in 
FAM 540.09-.16. 

Consideration of Uncorrected Misstatements: 

.09: If entity management declines to record adjustments for any 
misstatements, the auditor must determine the potential effects of these
misstatements on the audit opinion in both quantitative and qualitative
terms. Overall guidance on evaluating misstatements is provided in
AU 312.50-.67. If total likely uncorrected misstatements (which includes
known misstatements) is material, the auditor should modify the opinion
on the financial statements (see FAM 580.22). 

Misstatements, either individually or in the aggregate, are material 
if, in light of surrounding circumstances, it is probable that the 
judgment of a reasonable person relying on the information would have 
been changed or influenced by the correction of the items. The concept 
of materiality includes both quantitative and qualitative 
considerations as further discussed in FAM 540.10-.14. Deciding whether 
and how to modify the opinion based on the materiality of total likely 
uncorrected misstatements involves significant auditor’s judgment. The 
decision and the basis for it should be documented. The audit director 
should be involved in the decision and review the documentation related 
to it. Also, the reviewer should review and approve the documentation 
of the decision. 

Quantitative Considerations: 

.10: Although there is some point where total likely uncorrected 
misstatements would generally be considered material, there is no 
single amount that can be used for the auditor’s decision to modify the 
opinion. Instead, the auditor should follow a process that considers 
various quantitative factors in reaching this decision as well as 
qualitative factors discussed in FAM 540.14. 

.11: In addition to the total likely uncorrected misstatements, the 
auditor should evaluate the risk of further misstatement, which is due 
to the imprecision of audit procedures as discussed in FAM 230.12. This 
risk includes the allowance for sampling risk (the combined precision 
of all sampling applications), an allowance for imprecision of 
analytical and other substantive audit procedures, and an allowance for 
unaudited immaterial account balances. The statistician should compute 
the combined precision for all sampling applications. 

.12: The auditor should determine the total of likely uncorrected 
misstatement plus an overall allowance for further misstatement. The 
auditor should evaluate this amount in relation to reporting 
materiality (see FAM 230.06) and the relative importance of the 
misstated items to readers of the financial statements. This is done to 
determine whether the financial statements as a whole may be materially 
misstated. For example, if the aggregate likely uncorrected 
misstatement is $10 million and the allowance for imprecision of audit 
procedures is probably no more than $5 million, the auditor should 
determine whether the total of $15 million materially misstates the 
financial statements taken as a whole. The reviewer should be consulted 
in considering these issues. 

.13: The auditor’s report addresses the fair presentation of the 
financial statements taken as a whole. When determining the effects of 
any uncorrected misstatements on the financial statements, the auditor
considers individual line items in the financial statements in relation 
to the financial statements taken as a whole. If the auditor provides 
assurance on any combining statements and supplemental schedules in 
relation to the financial statements taken as a whole, the auditor 
should determine whether these statements and schedules are materially 
misstated due to likely misstatements. 

Qualitative Considerations: 

.14: The auditor should evaluate appropriate qualitative factors when
determining the effect of uncorrected misstatements on the auditor’s
report. Examples of these qualitative factors are in AU 312.60. The 
auditor may choose to modify or qualify the report on the financial 
statements, even if the amounts of any uncorrected misstatements are not
quantitatively material. The decision of whether to modify or qualify 
the auditor’s report is a matter of auditor judgment considering the 
nature of the misstatement. Examples of misstatements for which the 
auditor might issue a modified or qualified report include: 

* misstatements of account balances or transactions that are considered
sensitive to financial statement users; 

* misstatements that offset one another in the aggregate but are 
individually significant; and 

* misstatements that have a significant effect on the MD&A presented by
management (most likely a modified report – see FAM 580.81). 

Treatment of Uncorrected Misstatements Detected in Prior Periods: 

.15: The auditor should evaluate the effects on the current-period 
financial statements of any misstatements detected in prior periods as 
discussed in AU 312.52-.53. Also, see FAM 580.87-.89 regarding 
financial statement restatements. 

Treatment of Misstatements that Arose in Prior Periods But were 
Detected in the Current Period: 

.16: If, during the audit of the current period, the auditor detects a
misstatement that arose in a prior period but was not previously 
detected, the auditor should include the misstatement in the Schedule of
Uncorrected Misstatements and bring it to management’s attention. The
auditor should determine if the misstatement, together with other
misstatements, is material to the prior- or current-period financial
statements. The auditor should gather sufficient information to evaluate
the cumulative effects, as well as the current year change, related to 
the misstatement on beginning and ending balances such as those for 
balance sheet accounts as well as the related impact on the current 
year’s activity such as that shown on the statement of net cost. 

Guidance for evaluating the effects of these potential prior period
adjustments is in the AICPA Audit Guide, Assessing and Responding to
Audit Risk in a Financial Statement Audit and Staff Accounting Bulletin
No. 108 published by the Securities and Exchange Commission (SEC) that
expresses the SEC staff's views regarding the process of quantifying
financial statement misstatements. If the misstatement is material, the
auditor should consult with the reviewer to determine the effect on the
current-period statements and the auditor's report. Also, see FAM 
580.87-.89 regarding financial statement restatements. 

Management Disagreement with Likely Misstatements: 

.17: If management disagrees with the auditor’s likely misstatements, 
and if the disagreement involves amounts that are material, the auditor 
should again request that entity management perform procedures, such as 
reviewing all or substantially all of the items in the relevant 
population, to determine their own estimated amount of the misstatement 
and provide more assurance as to the auditor’s estimate, if the entity 
has not yet done so. If the entity determines their own estimate of the 
misstatement, the auditor should test management’s procedures and 
conclusions and determine whether additional audit procedures are 
necessary. 

If management refuses to perform the necessary investigation, the audit
director may decide not to expend additional time and audit resources to
resolve the disagreement, for example, because additional testing is
unlikely to provide different conclusions. If the auditor believes the
estimate is sufficiently accurate, the auditor should express a 
qualified or adverse opinion, depending on the materiality of the item 
to the financial statements taken as a whole. If the auditor believes 
the estimate is not sufficiently accurate, the auditor should express a 
qualified opinion or disclaimer of opinion for a scope limitation, 
depending on the materiality of the item to the financial statements 
taken as a whole. The auditor should document an overall evaluation, 
including decisions reached, of any management disagreement with likely 
misstatements. 

Reconsideration of Fraud Risk: 

.18: The auditor should update the fraud risk evaluation throughout the 
audit, because evidence gathered later in the audit could change or 
support an earlier judgment about fraud risks. For example, the auditor 
may identify discrepancies in the accounting records or conflicting or 
missing evidence. 

.19: Near the completion of the audit, the auditor should evaluate 
whether the audit test results indicate the need for a change in the 
assessment of the fraud risks made earlier, or the need for additional 
or different audit procedures. The auditor should: 

(1) perform overall analytical procedures related to revenue, if 
revenue is (or is expected to be) material; 

(2) evaluate whether substantive or overall analytical procedures 
indicate a previously unrecognized fraud risk; 

(3) evaluate whether responses to inquiries during the audit have been
vague, implausible, or inconsistent with other evidence; and 

(4) evaluate other evidence gathered during the audit. 

Further, the audit director should determine whether appropriate
communications have occurred among the audit team members regarding
fraud risks. 

.20: The auditor should evaluate whether misstatements identified might 
be indicative of fraud. If, preliminarily, the auditor believes that a
misstatement is or might be the result of fraud, the auditor should 
consult with the audit director and the reviewer, who should determine 
whether to seek assistance from the Special Investigator Unit or OGC. 
If performing the audit under contract, the auditor should consult with 
the Assistant Inspector General for Audit, or the GAO managing 
director, having responsibility for the audit. If on the basis of 
evidence obtained, the auditor believes that an instance of fraud (or 
significant abuse) has occurred or is likely to have occurred, the 
auditor should: 

(1) consult with the Special Investigator Unit and OGC; 

(2) include relevant information in the audit report unless the 
instance is clearly inconsequential; and 

(3) determine that those charged with governance are adequately 
informed. 

In some circumstances, the auditor may be required by law or regulation 
to report directly to outside parties about fraud (or significant 
abuse). However, the auditor should limit public reporting to matters 
that would not compromise any related investigative or legal 
proceedings (see GAGAS, paragraphs 5.12 and 5.17-.25). 

.21: If a misstatement is or might be the result of fraud and the 
effect is not material to the financial statements, the auditor should 
evaluate the implications, especially those regarding the 
organizational position and responsibilities of the individual 
involved. If the matter involves a relatively low-level employee who is 
not responsible for significant activities (for example, a 
misappropriation from a small petty cash fund by a nonmanagement 
employee), the auditor may conclude that the matter has little 
significance to the audit. However, if the matter involves higher-level
management, even though the amount of misstatement is not material to
the financial statements, the auditor should evaluate whether (1) it is
qualitatively material, and (2) it might indicate a more pervasive 
problem. 

Accordingly, the auditor should reevaluate the assessment of fraud 
risk, as well as the risk of material misstatement, and the resulting 
effects on the nature, extent, and timing of substantive procedures. 
Regardless of the level of the employee, the auditor should report the 
potential fraud to at least the next level of management. In addition, 
the auditor should reach an understanding with those charged with 
governance regarding the nature and extent of communications with them 
about fraud perpetrated by lower-level employees. 

.22: If a misstatement is or might be the result of fraud and either 
the effect could be material or the auditor is unable to determine 
whether the effect is material, the auditor should: 

(1) attempt to obtain additional evidential matter to determine whether
material fraud has occurred or is likely to have occurred and its effect
on the financial statements and the related audit report; 

(2) evaluate the implications for other aspects of the audit, including
reevaluating the assessment of risks and the resulting effects on 
testing as described in the preceding paragraph; 

(3) discuss the matter and the approach for further investigation with 
at least the next higher level of entity management and with senior
management and those charged with governance; and 

(4) determine whether to advise entity management to consult with its
general counsel. 

.23: The auditor should discuss in the audit report fraud that causes a 
material misstatement of the financial statements (see FAM 540.20). 
Depending on circumstances, fraud could affect the reports on the 
financial statements, internal controls, compliance with laws and 
regulations, and the quality of management representations. The auditor 
should consult with the audit director and the reviewer and should 
report the matter to those charged with governance. 

.24: If the auditor has identified fraud risk factors that have control
implications, the auditor should determine whether these risk factors
represent material weaknesses or significant deficiencies to include in 
the audit report in the internal control section. Further, the auditor 
should evaluate whether the absence of, or deficiencies in, antifraud 
programs and controls also represent material weaknesses or significant 
deficiencies. 

Financial Management Systems: 

.25: For audits of the CFO Act agencies and other components OMB 
identified in its audit guidance, the auditor should determine whether 
the entity’s financial management systems substantially comply with the 
three requirements of FFMIA. FAM 350 and FAM 360 discuss federal 
financial management systems requirements and the SGL at the 
transaction level during the internal control phase of the audit. 
Additionally, FAM 701 provides guidance to the auditor to assess FFMIA 
compliance and example audit procedures are provided at FAM 701 A. 

During the reporting phase of the audit, the auditor should conclude on 
the systems' compliance with federal accounting standards based on the 
results of control, compliance, and substantive testing and evaluation 
of misstatements found. If the auditor concludes that the systems do not
substantially comply with the requirements, the auditor should report 
the noncompliance. In addition, if the auditor performed only limited 
testing, the auditor should report that the audit would not necessarily 
disclose all non-compliance with FFMIA requirements (see FAM 580 for 
further reporting guidance). 

550 - Conclude Other Audit Procedures: 

.01: The auditor should perform procedures to: 

* obtain legal representations (see FAM 550.02-.03); 

* identify material subsequent events (see FAM 550.04-.06); 

* obtain management representations (see FAM 550.07-.11); 

* assess related party transactions (see FAM 550.12); and 

* communicate with those charged with governance (see FAM 550.13). 

Obtain Legal Representations: 

.02: In considering any liabilities, contingencies, or uncertainties 
that may affect the federal entity or its financial statements, the 
auditor should obtain representations from the entity’s legal counsel 
regarding litigation, claims, and assessments. This would include 
existing internal legal counsel and external legal counsel who have 
devoted substantive attention to a matter. Further guidance on these 
inquiries, as well as on interpreting and using responses received from 
legal counsel, is provided in AU 337, AU 9337, OMB audit guidance, and 
FAM 280.02 and FAM 1002. 

.03: The inquiries and responses should cover the entire period under 
audit and the subsequent period through audit completion (the date of 
the auditor’s report). The auditor should obtain a legal representation 
letter from legal counsel at the completion of the audit. If a long 
period elapses from audit completion to report issuance, the auditor 
should obtain an update, either written or oral (and include in audit 
documentation), to identify whether there have been any significant 
changes in legal representation matters occurring up to the audit 
completion date. 

Identify Material Subsequent Events: 

.04: Events or transactions may occur after the balance sheet date but 
before the audit report is issued. Such events or transactions that 
have a material effect on the financial statements and therefore 
require adjustment to or disclosure in the financial statements are 
referred to as subsequent events. AU 560 and FAM 1005 provide further 
guidance on determining whether a particular subsequent event requires 
adjustment to or disclosure in the financial statements. 

.05: The auditor should perform procedures near the completion of the 
audit. If a long period elapses from audit completion to report 
issuance, the auditor should update the procedures through the issuance 
of the auditor’s report. The auditor should follow the guidance in AU 
530 on dating the auditor’s report if any subsequent events are 
identified that affect the report. 

.06: The auditor has no obligation to perform procedures to identify 
subsequent events after the report is issued. However, if the auditor 
becomes aware of facts that might have affected the report if the 
auditor had known about them before issuance, the auditor should follow 
the guidance in AU 561. 

Obtain Management Representations: 

.07: The auditor must obtain written representations from entity 
management as part of the audit. These representations supplement the 
other audit procedures performed by the auditor but are not a 
substitute for them. Written representations help avoid any 
misunderstandings that could arise if only oral representations were 
received from management. In some circumstances, corroborating evidence 
for representations may not be readily available, such as for those 
involving management’s intent concerning a future transaction or 
business decision. Additionally, the auditor may request 
representations on other matters unique to the entity under audit. 
Examples of the written representations usually obtained from 
management are provided in AU 333.06, AT 501.52, and AU 801.07.
Additional guidance for these representations is provided in FAM 280.03
and FAM 1001, with an example representation letter provided at FAM
1001 A. The auditor may use these examples as guidance and tailor them
based on entity circumstances. 

.08: Auditors should obtain further representations from federal entity
management in addition to those required by U.S. GAAS. These management 
representations concern management assertions about the effectiveness 
of internal control and assumptions regarding the statement of social 
insurance, as applicable. For CFO Act agencies, auditors also should 
obtain management representation about substantial compliance of the 
entity’s financial management systems with the 3 requirements of FFMIA. 
Additionally, OMB audit guidance includes representations regarding the 
consistency of budget data in the statement of budgetary resources and 
specific budget data submitted for preparing the annual budget of the 
U.S. government. 

.09: If management refuses to provide the requested written 
representations, this is a limitation on the audit scope, and the auditor 
must modify the report (see FAM 580.14-.18). In these situations, the 
auditor should consider the reliability of other representations 
received from management during the audit. The auditor generally should 
discuss representations with management early in the audit to identify 
and resolve any difficulties related to obtaining these representations 
at the completion of the audit. This is particularly true for first 
year audits, when standards change, and when management changes (see 
FAM 280.03). 

.10: The auditor should request members of management who, in the 
auditor’s view, are responsible for and knowledgeable, directly or 
through others, about the matters in the representation letter, to sign 
the letter (see AU 333.09). As discussed in OMB audit guidance, the 
signers should be officials at the highest levels of the audited entity 
and generally should be the head of the entity, the CFO, and any others 
deemed responsible for matters presented in this letter. 

.11: Entity management should date the representation letter as of the 
date of audit completion contained in the auditor’s report. The auditor 
should encourage senior management to review the final financial 
statements and disclosures to take responsibility for them, before 
signing the representation letter. If there is a significant delay 
between audit completion and the issuance of the report, the auditor 
should obtain updated management representations. 

Assess Related Party Transactions: 

.12: The auditor should identify and evaluate relationships with 
related parties and material related party transactions that could 
affect the financial statements. AU 334 and FAM 902 provide further 
guidance on identifying related parties, examining related party 
transactions, and evaluating financial statement disclosures. 

Communicate With Those Charged With Governance: 

.13: The auditor must communicate with those charged with governance
significant audit matters relevant to the responsibilities of those 
charged with governance in overseeing the financial reporting process 
(AU 380). Those charged with governance are those responsible for 
overseeing the strategic direction of the entity and obligations 
related to the accountability of the entity, including overseeing the 
entity’s financial reporting process. At the start of the audit, as 
part of gaining an understanding of the entity, the auditor should have 
identified those charged with governance for the entity (see FAM 215). 
The auditor should communicate significant findings from the audit to 
those charged with governance, such as: 

* The auditor’s views regarding the qualitative aspects of significant
accounting practices, including accounting policies, accounting 
estimates, and financial statement disclosures. If the auditor 
determines a significant accounting practice is not appropriate, the 
auditor should explain the reasons for this conclusion and, when 
considered necessary, the auditor should request changes. If the 
requested changes are not made, the auditor should inform those charged 
with governance that the auditor will evaluate the effect of this on 
both the financial statements and the auditor’s report. 

* Significant difficulties related to performing the audit, if any, 
that the auditor encountered with management. See AU 380.39 for 
examples of difficulties that include significant delays in receiving 
required information, extensive unexpected effort necessary to obtain 
sufficient appropriate audit evidence, and an unnecessarily brief time 
within which to complete the audit. 

* Uncorrected misstatements, other than those the auditor believes are
trivial, if any, including the effect they may have on the auditor’s
opinion on the financial statements (see FAM 595 C, example 2). The
auditor should request correction of these misstatements and should 
communicate the effect of material uncorrected misstatements 
individually. The auditor should discuss the implications of failing to
correct known and likely misstatements, if any, and qualitative as well
as quantitative considerations, including the possible implications in 
relation to future financial statements. The auditor should also 
communicate the effect of uncorrected misstatements related to prior
periods on the relevant classes of transactions, account balances or
disclosures, and the financial statements taken as a whole. 

* Any disagreements with management, whether or not satisfactorily 
resolved, about matters that individually or in the aggregate could be
significant to the entity’s financial statements or the auditor’s 
report. 

* Other findings or issues, if any, arising from the audit that are, in 
the auditor’s professional judgment, significant and relevant to those
charged with governance regarding their oversight of the financial
reporting process. 

* Material corrected misstatements identified by the auditor (see FAM
595 C, example 3). 

* Management representations requested by the auditor. The auditor may
provide those charged with governance a copy of management’s written
representations. 

* Management’s consultation with other accountants, if any, regarding
accounting and auditing matters of which the auditor is aware. The
auditor should discuss with those charged with governance the auditor’s 
views about significant matters that were the subject of consultation. 
AU 625.09 describes circumstances when the accountant should 
communicate with the auditor. 

* Any significant issues arising from the audit that were discussed with
management or that were the subject of correspondence with management. 
AU 380.44 includes examples of significant matters that the auditor may 
communicate. 

AU 380 provides further guidance on the communication of each of these
matters. 

.14: The auditor should determine the form, expected content, and 
timing of communications, which may be oral or written, and should 
document all required communications. The auditor should communicate 
significant findings in writing if oral communication would not be 
adequate. Effective communication may involve formal presentations and 
written reports as well as less formal communications, including 
discussions. 

Written communications may include an engagement letter which may be 
provided to those charged with governance (see FAM 215). AU 380 
provides guidance on deciding whether to communicate matters in writing 
or orally and the formality of the communication. The auditor should 
communicate on a sufficiently timely basis to enable those charged with 
governance to take appropriate action. 

.15: The auditor should evaluate the adequacy of the two-way 
communication between the auditor and those charged with governance for 
purposes of the audit. Adequate communication is necessary to obtain 
all the audit evidence required for the auditor to form an opinion on 
the financial statements. Inadequate two-way communication may indicate 
an unsatisfactory control environment, which could influence the 
auditor’s assessment of the risk of material misstatement. The auditor 
does not need to design specific procedures to evaluate the adequacy of 
this communication. Instead, the auditor may base the evaluation on
observations resulting from other audit procedures. Such observations 
may include: 

* The appropriateness and timeliness of actions taken by those charged
with governance in response to matters communicated by the auditor. 

* The apparent openness of those charged with governance in their
communications with the auditor. 

* The willingness and capacity of those charged with governance to meet
with the auditor without management present. 

* The apparent ability of those charged with governance to fully 
comprehend matters communicated by the auditor, such as the extent to 
which those charged with governance probe issues and question 
recommendations made. 

* Difficulty in establishing with those charged with governance a mutual
understanding of the form, timing, and expected general content of
communications. 

* Where all or some of those charged with governance are involved in
managing the entity, their apparent awareness of how matters discussed
with the auditor affect their broader governance responsibilities, as
well as their management responsibilities. 

.16: If, in the auditor’s judgment, the two-way communication between 
the auditor and those charged with governance is not adequate, the 
auditor should determine the effect, if any, on the auditor’s 
assessment of the risk of material misstatement. AU 380 provides 
additional considerations for addressing situations in which the two-
way communication is not adequate, which include possible modification 
of the auditor’s report for a limitation on the scope of the audit. 

560 - Determine Conformity with U.S. Generally Accepted Accounting 
Principles: 

.01: U.S. GAAP for federal government entities are promulgated by the 
Federal Accounting Standards Advisory Board (FASAB). The board was 
created in 1990 by a memorandum of understanding signed by the 
Comptroller General of the United States, the Secretary of the 
Treasury, and the Director of OMB (the three sponsors). FASAB was 
recognized by the AICPA as the standard-setting body to establish U.S. 
GAAP for federal governmental entities under Rule 203, “Accounting 
Principles,” of the AICPA’s Code of Professional Conduct. Pursuant to 
resolutions adopted by the AICPA Council since October 19, 1999, 
Statements of Federal Financial Accounting Standards (SFFAS) issued by 
FASAB are recognized as U.S. GAAP for the applicable federal 
governmental entities. 

FASAB promulgates federal accounting concepts or standards through a
due process that includes public hearings and exposure drafts to obtain
public comments. After FASAB submits proposed standards to the three
sponsors and the Director of the Congressional Budget Office (CBO), they
become final 90 calendar days after submittal, unless the Comptroller
General or the Director of OMB objects. Accounting standards and 
principles involving human and other capital do not become final until 
the passage of a period of 45 continuous session days of the Congress 
after they are submitted to the Congress. 

.02: The hierarchy of accounting principles for federal entities is 
presented below from most authoritative to least authoritative. The 
AICPA recognizes this hierarchy as U.S. GAAP for applicable federal 
entities, according to AU 411. 

a. FASAB Statements and Interpretations plus AICPA and FASB 
pronouncements made applicable to federal governmental entities by a
FASAB Statement or Interpretation. 

b. FASAB Technical Bulletins and the following pronouncements if 
specifically made applicable to federal governmental entities by the
AICPA and cleared by FASAB: AICPA Industry Audit and Accounting
Guides, and AICPA Statements of Position. 

c. AICPA AcSEC Practice Bulletins if specifically made applicable to
federal governmental entities and cleared by FASAB and Technical 
Releases of its Accounting and Auditing Policy Committee. 

d. Implementation guides published by FASAB staff and practices that are
widely recognized and prevalent in the U.S. government. 

.03: In the absence of a pronouncement in the above hierarchy, the 
auditor may evaluate other accounting literature, including: 

* FASAB Concepts Statements; 

* pronouncements in categories a through d in FAM 560.02 when not
specifically made applicable to federal governmental entities; 

* FASB and Governmental Accounting Standards Board (GASB)[Footnote 63] 
Concepts Statements; 

* GASB Statements, Interpretations, and Technical Bulletins; 

* AICPA Issues Papers; 

* International Accounting Standards of the International Accounting
Standards Committee; 

* pronouncements of other professional associations or regulatory
agencies; 

* AICPA Technical Practice Aids; and 

* accounting textbooks, handbooks, and articles. 

.04: Entities summarize their significant accounting policies, usually 
in note 1 to the financial statements. 

.05: The auditor should evaluate the financial statements for 
conformity with U.S. GAAP and should identify any instances of 
nonconformity, which may include incomplete disclosure or use of an 
accounting principle that is contrary to U.S. GAAP. To assist the 
entity in preparing federal entity financial statements with 
appropriate and adequate disclosure in accordance with U.S. GAAP and to 
assist the auditor in evaluating those statements, a Checklist for 
Federal Accounting (FAM 2010), and a Checklist for Federal Reporting 
and Disclosures (FAM 2020), are presented in FAM Volume 3. 

.06: The auditor should evaluate the impact of nonconformity with U.S. 
GAAP on the financial statements and should determine the effects, if 
any, on the auditor’s report (see FAM 580.22). 

570 - Determine Compliance with GAO/PCIE Financial Audit Manual: 

.01: The auditor must determine whether the audit was conducted in 
accordance with GAGAS and OMB audit guidance. If the auditor is using
the GAO/PCIE FAM, the auditor should determine if this methodology was
followed. The auditor should use the audit completion checklist in FAM
1003 for determining and documenting compliance. If the auditor is 
using a different methodology, and if required by contract, the auditor 
should use the audit completion checklist to provide a crosswalk 
between the audit methodology used and the FAM. 

580 - Draft Reports: 

.01: At the conclusion of the audit, the auditor must draft reports, 
which include the auditor’s conclusions on: 

* the financial statements (see FAM 580.10-.31); 

* internal control (see FAM 580.32-.63); 

* for CFO Act agencies, whether the financial management systems 
substantially comply with the requirements of FFMIA: federal financial
management systems requirements, federal accounting standards (U.S.
GAAP), and the SGL at the transaction level (see FAM 580.64-.68); 
[Footnote 64] 

* compliance with laws and regulations (see FAM 580.69-.77); and 

* other unaudited information including the MD&A required by SFFAS No. 
15; required supplementary information (RSI), including any required 
supplementary stewardship information (RSSI); and other accompanying 
information (see FAM 580.78-.85). 

.02: The auditor’s report should clearly identify the entity audited, 
the annual financial statement(s) on which the auditor is reporting, 
and the period covered by the annual financial statement(s), usually 
the current year with comparative prior year. 

.03: The auditor should date the report as of the completion of the 
audit. If the auditor identifies a material subsequent event for 
disclosure in the report, the auditor should follow guidance in AU 530 
with respect to report dating. 

Report Format: 

.04: An example of an unqualified auditor's report is presented in FAM 
595 A. The auditor may use another reporting format, such as issuing 
separate reports on the financial statements (see AU 508), and on 
internal control and compliance (see AICPA Audit and Accounting Guide: 
Audits of State and Local Governmental Units) and should document the 
reasons for deviations from the language required by the professional 
standards. GAO auditors also should document the reasons for deviations 
from the example reporting format or language in FAM 595 A and/or B. 
The example report in FAM 595 A includes: 

* Auditor’s report on: 
- financial statements; 
- internal control; 
- financial management systems’ substantial compliance with FFMIA
requirements (for CFO Act agencies); 
- compliance with laws and regulations; and 
- consistency of other information; 

* objective, scope, and methodology; and 

* agency comments and auditor evaluation. 

.05: The auditor may prepare a highlights page or executive summary to
provide a high level presentation of the audit report and significant 
matters of interest to the users of federal financial reports. The 
auditor generally should present matters in nontechnical language so 
that report users can readily grasp their significance. A transmittal 
letter may also include significant matters. 

.06: The auditor should disclose in auditor’s reports situations where 
there are: 

* significant limitations on the scope of the audit (FAM 580.14-.18, 
.41-.43, and .75-.77); 

* uncertainties for which the auditor has disclaimed an opinion (FAM
580.19); 

* inconsistencies of comparability between the financial statements for
all periods presented, including changes in accounting principles (FAM
580.20-.21); 

* material departures from U.S. GAAP (FAM 580.22); 

* important explanations or departures from an unqualified opinion (FAM 
580.23-.25) such as an explanatory paragraph (FAM 580.26-.27), qualified 
opinion (FAM 580.28-.29), adverse opinion (FAM 580.30), or disclaimer 
of opinion (FAM 580.31); 

* material weaknesses and significant deficiencies in a report or 
opinion on internal control or other control deficiencies that the 
auditor has decided to describe in the audit report (FAM 580.32-.62); 

* material inconsistencies between the Summary of Management’s Report 
on Internal Controls prepared under FMFIA and the results of the 
auditor’s evaluation of internal control (FAM 580.63); 

* instances of lack of entity systems’ compliance with the three 
requirements of FFMIA for CFO Act agencies (FAM 580.64-.68); 

* instances of noncompliance with laws and regulations that are 
reportable under GAGAS (which incorporates U.S. GAAS) or OMB audit 
guidance, which are not clearly inconsequential (FAM 580.69-.74); 

* material inconsistencies between other information (MD&A, required
supplementary information (RSI), including any required supplementary 
stewardship information (RSSI), and other accompanying information) and 
the financial statements, or material nonconformity of the other 
information with U.S. GAAP or OMB guidance for such information (FAM 
580.78-.82); or 

* any other significant matters coming to the auditor's attention that 
in the auditor’s judgment should be communicated to the entity head,
OMB, the Congress, and those charged with governance. 

.07: The objectives, scope, and methodology includes a discussion of
management’s and the auditor’s responsibilities, what the auditor did to
fulfill the responsibilities, the scope of the auditor’s work on 
internal control, and a statement that the audit was performed in 
accordance with GAGAS and OMB audit guidance. 

.08: The agency comments and (auditor) evaluation discusses the extent 
to which the entity agrees with the facts and conclusions presented by the 
auditor and the reasons for any disagreements. The auditor should 
evaluate any disagreements expressed by the entity and present the 
auditor’s view. The entity may also present efforts it is taking to 
correct or mitigate matters in the report. The auditor should disclaim 
an opinion on this information. (FAM 580.83-.85). 

.09: FAM 580 provides guidance to the auditor in forming conclusions on 
the financial statements, internal control, financial management 
systems’ substantial compliance with the three requirements of FFMIA 
for CFO Act agencies, compliance with laws and regulations, and other 
information. Additionally: 

* FAM 595 A provides example wording for an unqualified auditor’s
report. 

* FAM 595 B provides guidance and example wording for modifying the 
unqualified report in FAM 595 A based on the auditor’s conclusions. 
When findings are extensive, the auditor may modify the report format. 

Financial Statements: 

.10: Under U.S. GAAS, the fourth standard of reporting on financial 
statements is “The auditor must either express an opinion regarding the 
financial statements, taken as a whole, or state that an opinion cannot 
be expressed in the auditor’s report. When the auditor cannot express an
overall opinion, the auditor should state the reasons therefor in the
auditor’s report. In all cases where an auditor’s name is associated 
with financial statements, the auditor should clearly indicate the 
character of the auditor’s work, if any, and the degree of 
responsibility the auditor is taking, in the auditor’s report.” 

.11: When reporting on financial statements, the auditor should evaluate
(1) audit scope, (2) uncertainties, (3) consistency, and (4) departures 
from U.S. GAAP. Each of these areas and their effects on the report are
discussed below. 

.12: The auditor should evaluate the four areas in FAM 580.11 and the 
results of all audit procedures performed to determine if an opinion 
can be expressed on the financial statements and, if so, the type of 
opinion. If an opinion cannot be expressed, the auditor should issue a 
disclaimer of opinion report. If the auditor can express an opinion, 
the auditor may issue one of the following opinion types: (1) 
unqualified, (2) unqualified with an explanatory paragraph, (3) 
qualified, or (4) adverse. 

.13: The auditor should formulate the type of report on the financial 
statements following the guidance provided below and in FAM 595 A and 
FAM 595 B. 

Audit Scope: 

.14: To express an opinion, first the auditor must determine if the 
audit has been conducted in accordance with GAGAS and OMB audit 
guidance. If the auditor is not able to perform all procedures 
considered necessary, the scope of the audit is restricted, and the 
auditor should modify the GAGAS compliance statement in the report as 
discussed in GAGAS paragraph 1.12b. 

.15: Restrictions on the scope of the auditor’s work may be imposed by 
the entity or may be caused by circumstances beyond the entity’s 
control. Scope limitations may result from the timing of the audit 
work; the inability to obtain sufficient, appropriate audit evidence; 
or inadequate accounting records. If the audit scope has been limited, 
the auditor should determine whether to qualify or disclaim an opinion 
(see AU 508.22-.28). 

.16: The auditor should conclude whether sufficient, appropriate audit 
evidence has been obtained to reduce the risk of material misstatement 
to an appropriately low level in the financial statements. When making 
this determination, the auditor should evaluate all relevant audit 
evidence regardless of whether it appears to corroborate or to 
contradict the relevant assertions in the financial statements. AU 
318.75 presents factors that may influence this conclusion on the 
sufficiency and appropriateness of audit evidence. The auditor should 
determine the impact of any misstatements on the audit scope from a 
qualitative standpoint. The auditor should also determine whether the 
audit scope is adequate in light of any misstatements or other findings 
that indicate noncompliance with laws and regulations. If the auditor 
has not obtained sufficient appropriate audit evidence as to a material 
financial statement assertion, the auditor should attempt to obtain 
further audit evidence. If the auditor is unable to obtain sufficient 
appropriate audit evidence, the auditor should express a qualified 
opinion or disclaimer of opinion. 

.17: Whether to qualify or disclaim an opinion because of a scope 
limitation is a matter of the auditor’s professional judgment. The 
auditor should assess how important the omitted procedures were to the 
auditor’s ability to form an opinion on the financial statements. This 
assessment is influenced by the nature, significance, and magnitude of 
the items to which the omitted procedures relate. For example, the 
potential effect of a scope limitation on a material account is likely 
to be greater than on an immaterial account. 

.18: If the audit scope is adequate for expressing an opinion, the 
auditor must determine the appropriate type of opinion. Three areas 
that the auditor should evaluate when forming an opinion are 
uncertainties, consistency, and departures from U.S. GAAP. 

Uncertainties: 

.19: Uncertainties are matters affecting the financial statements whose
outcome is expected to be resolved at a future date when conclusive
evidence becomes available. Uncertainties may be related to the 
resolution of litigation or the valuation of assets, such as real 
estate owned, and include the contingencies discussed in SFFAS No. 5, 
as amended by SFFAS No. 12, as well as other matters. Guidance on 
evaluating uncertainties and their effects on the auditor’s report is 
provided in AU 508.29-.32. Depending on the nature of the uncertainty, 
the auditor may need to add an explanatory paragraph or disclaim an 
opinion, as discussed in AU 508. Because of the nature of 
uncertainties, conclusive evidence cannot be expected to exist at the 
time of the audit. Management is responsible for estimating the effect 
of future events on the financial statements or determining that a 
reasonable estimate cannot be made and making required disclosures. 

The auditor should give an unqualified opinion if, in the judgment of 
the auditor, evidence is sufficient to support management’s analysis of 
the nature of the uncertainty and its presentation or disclosure in the 
financial statements. The auditor may also add a matter of emphasis 
paragraph (see AU 508.19). Additionally, if the uncertainty involves a 
scope limitation due to unavailable or insufficient evidence to support 
recorded amounts or disclosure relating to the uncertainty, a 
qualification or disclaimer may be appropriate as discussed in FAM 
580.28-.29 and .31 (see AU 508.29-.32). If the uncertainty involves a 
departure from accounting principles such as inadequate disclosure, 
inappropriate accounting principles, or unreasonable accounting 
estimates, the auditor should express either a qualified opinion as 
discussed in FAM 580.28-.29, or an adverse opinion as discussed in FAM 
580.30 (see AU 508.45-.49). 

Consistency: 

.20: The auditor is concerned with comparability between the financial
statements for all periods presented or with the prior period if only 1 
year is presented. A lack of comparability may be caused by an 
inconsistency in the accounting principles used; the method of applying 
these principles; changes in the classification of accounts; or changes 
in the nature of transactions. Guidance on the auditor’s evaluation of 
accounting and other changes that may affect the consistency of the 
financial statements is contained in AU 420.06-.21. If the auditor 
finds inconsistencies that are not changes in accounting principles, 
the auditor may describe them in an explanatory paragraph (see FAM 
580.26). If the auditor finds departures from U.S. GAAP, the auditor 
should issue a qualified or adverse opinion. Guidance on reporting a 
lack of consistency is provided in AU 508.16-.18. 

For first-year audits, the auditor should determine if accounting 
principles are consistent with the prior period, following the guidance 
in AU 420.22-.25. If the entity has a change in accounting principles, 
the auditor should include a paragraph on consistency in the auditor’s 
report, regardless of whether or not the financial statements of the 
previous period are presented. For example, the paragraph may state 
that the entity adopted SFFAS No. X, as discussed in note XX. The FASAB 
standards generally specify the accounting treatment and what 
disclosures are required upon adoption. 

Departure from U.S. GAAP: 

.21: The auditor must consider whether the financial statements are 
materially affected by a departure from U.S. GAAP. If such a departure 
exists, the auditor should determine the effects of the departure on 
the financial statements, considering both quantitative and qualitative 
factors, as discussed in AU 508.35-.36. Additionally, the auditor 
should determine whether the departure involves risks and uncertainty, 
including estimates as discussed in AU 508.45-.49. The auditor also 
should determine whether adequate disclosures have been made in the 
financial statements and related notes (see AU 431 and AU 508.41-.44) 
and should evaluate whether any changes in accounting principles used 
by the entity are appropriate (see AU 508.50-.57). 

Depending on the extent of the departure, the auditor should express
either a qualified or adverse opinion. Guidance on reporting these 
departures is included in AU 508.37-.40 for qualified opinions and AU
508.58-.60 for adverse opinions (see FAM 595 B for modifications to be
made to the auditor's report). In rare cases when the auditor can 
demonstrate that compliance with U.S. GAAP would result in misleading
financial statements, the auditor may issue an unqualified opinion (see 
AU 508.14-.15) that includes a description of the nature of the 
departure, the effects, if practicable, and why compliance with U.S. GAAP 
would result in misleading financial statements. The reviewer should 
approve the auditor’s conclusion in these circumstances. 

Types of reports: 

.22: The auditor may express various types of opinions or may disclaim 
an opinion. Guidance on reporting is included in AU 411, 420, 431, 504, 
508, and 558. Additionally, FAM 595 A includes an example of an 
unqualified report. FAM 595 B includes example wording for changes to 
the unqualified report under various circumstances. Each type of report 
is discussed in FAM 580.24-.31. 

Unqualified Opinion: 

.23: In an unqualified opinion on the financial statements, the auditor 
concludes that the financial statements and accompanying notes[Footnote 
65] present fairly, in all material respects, the assets, liabilities, 
and net position of the entity at the end of the period, and the net 
costs, changes in net position, budgetary resources,[Footnote 66] 
custodial activity (if applicable) for the period then ended, and the 
financial condition of the entity’s social insurance programs (if 
applicable), as of the specified date in conformity with U.S. GAAP. 

.24: If the auditor does not reach the conclusion in FAM 580.23 (for 
reasons discussed in FAM 580.14-.22), the auditor should modify the 
report on the financial statements. This report modification may take 
the form of an explanatory paragraph and the opinion expressed in the 
report may be qualified or adverse. Additionally, if the auditor 
expresses an opinion only on the balance sheet, the auditor should 
follow AU 508.33-.34. 

Explanatory Paragraphs: 

.25: An auditor may express an unqualified opinion and also include
explanatory paragraphs in the report. As discussed in AU 508.11, the 
auditor should add an explanatory paragraph or other explanatory 
language when conditions exist as follows: 

* The auditor’s opinion refers to another auditor’s report. 

* The predecessor auditor’s report is not presented for comparative
financial statements and the successor auditor is not reporting on the
prior year’s financial statements (see AU 508.74). 

* The accounting principles or their method of application changes 
between periods and the effect on the financial statements is material.
For a discussion of consistency see FAM 580.20. 

* Certain circumstances exist relating to reports on comparative 
financial statements (see AU 508.68-.69 and .72-.74). 

* Supplementary information required by FASAB or OMB has been omitted; 
the presentation of such information departs materially from FASAB or 
OMB guidance or is materially inconsistent with information in the 
financial statements; the auditor is unable to complete prescribed 
procedures concerning such information; or the auditor is unable to
remove substantial doubts about whether the supplementary information 
conforms to FASAB or OMB guidance. For guidance on required 
supplementary information, see AU 558. 

* The auditor has substantial doubt about the entity’s ability to 
continue to carry out its mission without substantial additional 
resources or changes in operations (see AU 341). 

* Other information in a document containing audited financial
statements is materially inconsistent with information appearing in the
financial statements (see AU 550). 

* There is the unusual circumstance of a departure from U.S. GAAP that
has a material effect on the financial statements for which the auditor
can demonstrate that the financial statements would be misleading 
without this departure (see Rule 203 of the Code of Professional 
Conduct of the AICPA and AU 508.14 and .15). 

.26: Additionally, the auditor may add an explanatory paragraph to 
emphasize a matter, such as significant transactions with related 
parties, as discussed in AU 508.19. Further, the auditor may add an 
explanatory paragraph when the financial statements are affected by 
uncertainties concerning future events whose outcome cannot be 
reasonably estimated as of the report date. For a discussion of 
uncertainties see FAM 580.19. 

Qualified Opinion: 

.27: A qualified opinion states that except for the effects of the 
matter to which the qualification relates, the financial statements 
present fairly, in all material respects, the assets, liabilities, net 
position, net costs, changes in net position, budgetary resources, 
reconciliation of net costs with budgetary obligations,[Footnote 67] 
custodial activities (if applicable), and the financial condition of 
the entity’s social insurance programs (if applicable), in conformity 
with U.S. GAAP. Guidance on qualified opinions is provided in various 
paragraphs of AU 508. 

.28: The auditor should issue a qualified opinion as discussed in AU 
508.20 when conditions exist as follows: 

* the audit scope is limited or there is insufficient, appropriate audit
evidence but the auditor has decided it is not appropriate to issue a
disclaimer (see FAM 580.14-.18); or 

* based on the audit results, the auditor believes that a departure from
U.S. GAAP had a material effect on the financial statements but has
decided not to express an adverse opinion (see FAM 580.22). 

AU 508.21 provides guidance on qualified opinions. FAM 595 B provides
examples of report modifications for a qualified opinion. 

Adverse Opinion: 

.29: An adverse opinion states that the financial statements do not 
present fairly the assets, liabilities, net position, net costs, 
changes in net position, budgetary resources, reconciliation of net 
costs with budgetary obligations,[Footnote 68] custodial activities 
(if applicable), or the financial condition of the entity’s social 
insurance programs (if applicable), in conformity with U.S. GAAP. This 
type of opinion is expressed on the financial statements taken as a 
whole when there are material departures from U.S. GAAP as discussed in 
FAM 580.22. The auditor should add an explanatory paragraph that 
includes all the substantive reasons for the adverse opinion and, if 
practicable, the principal effects on the financial statements of the 
matter giving rise to the adverse opinion. If the effects are not 
reasonably determinable, the auditor should state this in the report. 
Guidance on adverse opinions is provided in AU 508.58-.60. FAM 595 B 
provides example report modifications for an adverse opinion. 

Disclaimer of Opinion: 

.30: In a disclaimer of opinion, the auditor does not express an 
opinion on the financial statements. A disclaimer of opinion is 
appropriate when the audit scope is not sufficient to enable the 
auditor to express such an opinion, as discussed in FAM 580.14-.18, or 
when there are material uncertainties involving a scope limitation, as 
discussed in FAM 580.19. AU 508.61-.63 provides guidance on issuing a 
disclaimer of opinion. The auditor should describe the reasons that 
caused the auditor to disclaim an opinion following the guidance in AU 
508.25. Example wording for a disclaimer of opinion is included in FAM 
595 B. 

Internal Control: 

.31: Federal financial auditors may take one of two different 
approaches to reporting on internal control: (1) management provides an 
assertion about the effectiveness of its internal control and the 
auditor expresses an opinion on internal control or on management’s 
assertion following the guidance in AT 501 (see FAM 580.40-.50), 
[Footnote 69] or (2) the auditor reports material weaknesses and 
significant deficiencies found but does not give an opinion on internal 
control (see FAM 580.51-.52). OMB reporting guidance requires 
management to include representations about internal control in the 
management representation letter, and requires CFO Act agencies to 
include these representations in the MD&A in the annual financial 
statement. OMB audit guidance does not require auditors to express an 
opinion on control; however, GAO auditors generally should express an 
opinion on internal control. In either case, the auditor should 
evaluate whether the design and implementation of internal control is
sufficient to meet the control objectives insofar as those objectives 
pertain to preventing or detecting misstatements, losses, or 
noncompliance that would be material in relation to the financial 
statements. These control objectives are: 

* Reliability of financial reporting—transactions are properly 
recorded, processed, and summarized to permit the preparation of the
financial statements in accordance with U.S. GAAP, and assets are
safeguarded against loss from unauthorized acquisition, use, or
disposition. 

* Compliance with applicable laws and regulations—transactions are 
executed in accordance with laws governing the use of budget authority 
and other laws and regulations that could have a direct and material 
effect on the financial statements and any other laws, regulations, and 
governmentwide policies identified by OMB in its audit guidance that 
could have a direct and material effect on the basic financial 
statements. 

If the auditor finds that management’s representations about internal
control in the MD&A are inappropriate, the auditor should ask 
management to correct the MD&A. If management does not do so, the
auditor should describe the issue in the consistency of other 
information section of the auditor’s report. 

Classifying Control Weaknesses: 

.32: A control deficiency exists when the design or operation of a 
control does not allow management or employees in the normal course of
performing their assigned functions to prevent or detect misstatements 
on a timely basis. The auditor should classify internal control 
deficiencies following AU 325 as: 

* A significant deficiency is a control deficiency, or combination of
control deficiencies, that adversely affects the entity’s ability to 
initiate, authorize, record, process, or report financial data reliably 
in accordance with U.S. GAAP such that there is more than a remote
likelihood that a misstatement of the entity’s financial statements 
that is more than inconsequential[Footnote 70] will not be prevented or 
detected. 

* A material weakness is a significant deficiency, or combination of
significant deficiencies, that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.[Footnote 71] 

To avoid confusion, the auditor generally should include the 
definitions of these terms in the auditor’s report as these definitions 
differ from those in other auditing standards, such as standards issued 
by the Public Company Accounting Oversight Board (PCAOB). 

.33: A misstatement is inconsequential if a reasonable person would 
conclude, after considering the possibility of further undetected 
misstatements, that the misstatement, either individually or when 
aggregated with other misstatements, would clearly be immaterial to the 
financial statements. If a reasonable person would not reach such a 
conclusion regarding a particular misstatement, that misstatement is 
more than inconsequential. In determining whether a potential 
misstatement would be more than inconsequential, the auditor should 
consider qualitative and quantitative factors.[Footnote 72] The auditor 
must determine whether each control deficiency or combination of 
control deficiencies is a significant deficiency or material weakness. 
The significance of a control deficiency depends on the potential for a 
misstatement, not on whether a misstatement has actually occurred. When 
making this determination, the auditor should evaluate: 

* The likelihood and magnitude of potential misstatement that would not 
be prevented or detected because of the control deficiencies. 
AU 325.11-.12 provide examples of factors for evaluating the likelihood and 
magnitude of misstatement. 

* Whether individual control deficiencies that affect the same account 
balance, disclosure, relevant assertion, or component of internal 
control collectively result in an internal control deficiency. 

* Possible mitigating effects of effective compensating controls 
[Footnote 73] that have been tested and evaluated as part of the 
financial statement audit. 

The auditor also should conclude whether prudent officials, having
knowledge of the same facts and circumstances, would agree with the
auditor’s classification of the deficiency. 

.34: Additional guidance on classification of internal control 
weaknesses is provided in AU 325.18-.19. AU 325.18 includes a list of 
areas in which control deficiencies are typically at least significant 
deficiencies, such as deficiencies in controls over non-routine and 
nonsystemic transactions or controls over the year-end financial 
reporting process. AU 325.19 includes indicators of control 
deficiencies that the auditor should regard as at least a significant 
deficiency and a strong indicator of a material weakness such as the 
auditor’s identification of a material misstatement of the financial
statements under audit that was not initially identified by the entity’s
internal control. Additionally, circumstances that may be considered
control deficiencies, significant deficiencies, or material weaknesses 
are described in the appendix to AU 325. Guidance on concluding on the
effectiveness of internal control and reporting findings is provided in 
FAM 580.44-.50 and FAM 580.53-.60. 

.35: OMB Circular No. A-123 provides guidance on materiality for 
management to report control weaknesses under FMFIA. The term “material 
weakness” as used by OMB (FMFIA material weakness) is different from 
the above definition and includes matters of an operational nature. 
Management and the auditor should evaluate the material weaknesses 
reported under FMFIA to determine whether they meet the auditor’s 
definitions of material weakness and significant deficiency for 
reporting as part of management’s assertion about the effectiveness of 
internal control (see FAM 580.31). 

.36: For management reporting under FMFIA following OMB Circular No.
A-123, the term “reportable condition” is to be used by management when
classifying financial reporting control weaknesses. This term has the 
same definition as “significant deficiency” used by financial statement 
auditors. The term “material weakness” in OMB Circular No. A-123 is 
defined essentially the same as that used by financial statement 
auditors; however, it encompasses other significant financial reports 
in addition to the financial statements. For controls other than 
financial reporting controls, a weakness is an FMFIA material weakness 
if it is significant enough to be reported outside the agency, as 
determined by the agency head. That is, it was included in the annual 
FMFIA report to the President and the Congress. Agency reporting of 
system noncompliance identified under OMB Circular No. A-127 is 
governed by the criteria for FMFIA reporting in OMB Circular No. A-123. 

.37: FISMA requires agency management to report any “significant 
deficiency” in policy, procedure, or practice as a material weakness 
when reporting under FMFIA and also as an instance of a lack of 
substantial compliance under FFMIA if related to financial management 
systems. The auditor should determine how these FISMA significant 
deficiencies relate to the control deficiencies identified during the 
financial statement audit. 

.38: As discussed in OMB FISMA reporting guidance, a significant 
deficiency for FISMA reporting is a weakness in an agency’s overall 
information systems security program or management control structure, 
or within one or more information systems that significantly restricts 
the capability of the agency to carry out its mission or compromises 
the security of its information, information systems, personnel, or 
other resources, operations, or assets. In this context, the risk is 
great enough that the agency head and outside agencies must be notified 
and immediate or near immediate corrective action must be taken. 

Opinion on Internal Control: 

.39: Although not required by OMB audit guidance, if the auditor plans 
to express an opinion on internal control, the auditor’s evaluation of 
the entity’s internal control and the results of other audit procedures 
form the basis for this opinion. The opinion may be (1) unqualified, 
(2) unqualified with reference to significant deficiencies, (3) 
qualified, or (4) adverse. Additionally, there may be restrictions on 
the scope of the procedures that result in a qualified opinion or a 
disclaimer of opinion (see FAM 580.40-.43). The auditor should 
communicate any identified internal control deficiencies (including 
weaknesses in operations controls), as discussed in FAM 580.53-.60, and 
consider the effects of these deficiencies on other reports prepared by 
the entity (see FAM 580.61). 

Scope of Procedures: 

.40: To express an unqualified opinion on internal control, the auditor 
must have a written assertion from management about the effectiveness of
internal control and must perform all necessary procedures, as described
in FAM 300 and FAM 450. The auditor should evaluate whether management 
has a reasonable basis for its assertion. For example, the assertion 
may be based on management’s monitoring procedures. The audit results 
alone cannot be the basis for management’s assertion. 

.41: If there is a restriction on the scope of the audit, such that not 
all of these procedures can be performed, the auditor may need to 
qualify or disclaim the opinion on internal control and modify the 
GAGAS compliance statement in the report as discussed in GAGAS 
paragraph 1.12b. Scope restrictions may be imposed by the entity or may 
be due to other circumstances. The decision of whether to qualify or 
disclaim an opinion is a matter of the auditor’s professional judgment 
regarding the importance of the omitted procedures to forming an 
opinion on internal control. However, if a significant scope 
restriction is imposed by the entity, the auditor should disclaim an 
opinion. When determining the severity of a scope limitation on 
internal control, the auditor should use the control objectives listed 
in the report for financial reporting, including safeguarding assets, 
and compliance with laws and regulations. If the scope of work on 
internal control relevant to one of these objectives is limited, the 
auditor may need to qualify or disclaim the opinion on internal control 
regarding that objective. Also, the auditor should determine whether 
that limitation affects the ability to express an opinion regarding the 
other objectives. If a scope limitation is encountered for a control 
objective, the auditor uses professional judgment in determining if it 
is appropriate to give an unqualified opinion on internal control over 
either objective. 

.42: In the case of a scope limitation, the auditor should consult with 
the reviewer to determine the appropriate type of opinion (see AT 
501.59-.62). FAM 595 B contains example language for situations in 
which (1) the auditor is satisfied that the scope limitation affects 
only one control objective and that the auditor has determined that it 
is appropriate to give an opinion on internal control over the other 
objective, and (2) the auditor believes a disclaimer report on internal 
control, as a whole, is appropriate due to a scope limitation. 

.43: If the auditor determines that an opinion can be expressed on one 
or both of the control objectives, the type of opinion to be given 
depends on whether any internal control deficiencies are identified and 
the significance of such deficiencies. In identifying and evaluating 
deficiencies, the auditor should consider deficiencies in each of the 
five components of internal control (control environment, entity risk 
assessment, information and communications, control activities, and 
monitoring). In concluding as to the effectiveness of internal control, 
the auditor should categorize control deficiencies in order of 
decreasing significance, as (1) material weaknesses, (2) significant 
deficiencies that are not considered to be material weaknesses (other 
significant deficiencies), and (3) other deficiencies that are less 
significant than significant deficiencies (other deficiencies). Each of 
these types of weaknesses and its effects on the auditor's conclusion 
on internal control is discussed below. If no material weaknesses are 
identified, the auditor generally should conclude that internal control 
is effective in meeting the control objectives. 

Effects of Control Deficiencies on the Auditor's Conclusion as to the
Effectiveness of Internal Control: 

.44: Based on the types of deficiencies noted, the auditor should 
conclude as to the effectiveness of internal control as of the end of 
the audit period, as discussed in FAM 580.45-.49. Management also should 
conclude as to the effectiveness of internal control in deciding what 
assertion to make. 

Material Weaknesses: 

.45: If one or more material weaknesses exist at the end of the audit 
period, the auditor should conclude that the entity’s internal control 
is ineffective for the control objective(s) that the weakness affects. 
The existence of a material weakness precludes a conclusion that 
internal control is effective for that objective. If a material 
weakness relates only to one control objective, the auditor should 
determine whether internal control is effective in achieving the other 
control objective. The auditor should exercise professional judgment 
when concluding that the effects of a material weakness are limited to 
one control objective. 

.46: The auditor generally should not conclude that “except for” a 
material weakness, internal control is effective for the objective. 
Management should exercise judgment in deciding what assertion to make 
about the effectiveness of internal control. If, after careful 
consideration, the auditor, the director, and the reviewer determine 
that although a material weakness, the deficiency does not indicate 
that internal control for that objective is ineffective, the auditor 
may conclude that internal control for that objective is effective 
“except for” the material weakness. However, if in the auditor’s 
professional judgment, the material weakness(es) is(are) significant 
enough that the auditor cannot judge internal control to be effective 
for that objective, even “except for” the material weakness(es), the 
auditor should conclude that internal control is ineffective for that 
objective. Factors the auditor should evaluate in deciding whether an 
“except for” conclusion is appropriate include whether: 

* there is a single material weakness related to the objective or 
several; 

* the material weakness relates to ancillary areas that are less 
significant or to one of the more significant aspects of the entity; 
and 

* the material weakness is limited to one or a few assertions that are 
not generally considered the most significant ones related to the line 
item or the assertions are quite significant. 

.47: If a material weakness is presented in a report that also includes 
an unqualified opinion on the financial statements, the auditor should 
add a statement to the unqualified opinion to indicate that as a result 
of a material weakness, material misstatements may nevertheless occur in
other financial information reported by the entity. Example report 
modifications for material weaknesses are provided in FAM 595 B. 

Significant Deficiencies Other than Material Weaknesses: 

.48: If significant deficiencies existed at the end of the audit 
period, other than those determined to be either individually or in 
combination material weaknesses, the auditor generally should conclude 
that the controls are effective in achieving the control objectives. 
However, to conform with GAGAS, the auditor should indicate in the 
report (see FAM 595 B) that the work performed identified significant 
deficiencies and should describe the deficiencies. 

Control Deficiencies that Do Not Meet the Criteria for Significant
Deficiencies: 

.49: Control deficiencies that do not meet the criteria for significant
deficiencies in FAM 580.32 do not affect the auditor’s conclusion as to 
the effectiveness of internal control. The auditor may communicate these
matters in a separate management letter or orally. The auditor should
document any oral communication of these deficiencies. 

Type of Opinion: 

.50: As described in FAM 580.39-.43, if the auditor is unable to apply 
all the audit procedures considered necessary in the circumstances, a 
scope limitation exists and the auditor should issue a qualified 
opinion or a disclaimer of opinion on internal control. If all the 
procedures considered necessary were performed, the auditor should 
issue one of the opinions as follows: 

* If the auditor and management agree as to the effectiveness of 
internal control and there are no material weaknesses, the auditor 
should issue an unqualified opinion on internal control or on the 
assertion (see FAM 595 A). 

* If the auditor and management agree as to the effectiveness of 
internal control and there are no material weaknesses in internal 
control, but there are other significant deficiencies, the auditor 
should issue an unqualified opinion and then modify the report on 
internal control to state that internal control is effective, but could 
be improved, and make reference to the other significant deficiencies 
(see FAM 595 B). 

* If the auditor and management agree as to the effectiveness of 
internal control and there are material weaknesses in internal control, 
the auditor should modify the opinion on internal control by (1) 
referring to the material weakness(es) noted in management’s assertion 
(which states that internal control with respect to one or both of the 
internal control objectives for financial reporting, including 
safeguarding, or compliance, is either effective “except for” the 
material weakness (qualified opinion), or ineffective (adverse 
opinion)), and (2) describing the material weakness(es) (see FAM 595 B). 
Although OMB Circular No. A-123 allows management to provide a 
qualified assertion on internal control effectiveness even if material 
weaknesses exist, the auditor should consult with the reviewer on the 
opinion on internal control if the auditor concludes that a material 
weakness is isolated to one control objective. 

* If the auditor and management disagree as to the effectiveness of
internal control, either because (1) management does not agree that
material weakness(es) exist, or (2) management does not appropriately
modify its assertion about the effectiveness of internal control in 
light of the material weakness(es), the auditor should issue an adverse
opinion. The existence of a material weakness precludes management
from asserting that its internal control is effective for that 
objective. Thus, an adverse opinion is appropriate if management states 
that internal control is effective “except for” the material weakness 
when, in the auditor’s professional judgment, the material weakness 
indicates that internal control is ineffective (see FAM 580.46 and FAM 
595 B). 

Nonopinion Report: 

.51: If the purpose of the audit is not to express an opinion on 
internal control, the auditor should report material weaknesses and 
other significant deficiencies in internal control, or state that no 
material weaknesses were found (see FAM 595 A and/or B). The auditor 
should not issue a written communication stating that no significant 
deficiencies were identified during the audit because of the potential 
for misinterpretation of the limited amount of assurance provided by 
such communication. If, in the auditor’s professional judgment, 
material weaknesses were so significant that the auditor concludes 
internal control was ineffective for one or more objectives, the 
auditor may state that conclusion in the report (see FAM 595 B). 
Further, the auditor should conclude whether the scope of the work and 
the related audit evidence are sufficient to meet the audit objectives 
described in the OMB audit guidance. If the work is not sufficient, the 
auditor should report a scope limitation. 

.52: Under AU 532.07, a report on internal control in which no opinion 
is issued is considered a by-product report. When no opinion is issued, 
the report provides only a limited degree of assurance about internal 
control as internal control is not the primary objective of the 
engagement. The auditor should indicate the intended use of the 
internal control report because of the potential for misunderstanding 
related to a by-product report’s limited degree of assurance. Because 
the distribution of government audit reports is not restricted, the 
reports should explain their limitations. See FAM 595 A, example 2, for 
a report for when the auditor does not provide an opinion on internal 
control and cautions the reader that the internal control testing 
performed may not be sufficient for other purposes. 

Where and When to Report Control Deficiencies: 

.53: The means of communicating deficiencies in internal control 
depends on the type of weakness, as discussed in FAM 580.32. The 
auditor must communicate in writing material weaknesses and other 
significant deficiencies to entity management and those charged with 
governance. Under GAGAS, this communication is part of the auditor’s 
report on financial statements. For other deficiencies, the auditor 
should communicate no later than 60 days following the report release 
date. For most federal audits, OMB requires the auditor’s reports on 
the financial statements and internal control to be combined. However, 
the auditor may issue other written communication containing further 
details on the deficiencies. The auditor must include any material 
weaknesses or other significant deficiencies that were communicated in 
previous financial statement audits that have not yet been corrected. 
The auditor may do this by referring to the previously issued written 
communication and the date of the communication. Communicating each 
type of weakness is discussed in FAM 580.54-.57. 

Significant Deficiencies (Including Material Weaknesses): 

.54: The auditor should report material weaknesses and other significant
deficiencies in the internal control section of the auditor’s report. 
The auditor may report these deficiencies in a separate report that is 
referred to in the auditor’s report on the financial statements. If 
management’s assertion about the effectiveness of internal control is 
printed with the audit report, the auditor’s report should refer to the 
discussion of the material weakness (or other significant deficiency) 
in management’s assertion. 

.55: The auditor generally should limit the internal control section of 
the auditor’s report to summarized information. As such, the auditor 
may limit the discussion of control deficiencies included in this 
section to providing the reader with an understanding of the nature and 
extent of the deficiency. The auditor may combine related control 
deficiencies. To the extent that any such control deficiencies 
contribute to a significant deficiency, the auditor generally should 
describe them in conjunction with the related significant deficiency. 

.56: If more complete information concerning control deficiencies is 
provided in other reports issued prior to or at the same time as the 
auditor’s report, the auditor generally should include a reference to 
such other reports (such as date and title or report number). The 
auditor may also subsequently report significant deficiencies in more 
detail in a separate management report or other written communication 
that includes other elements of the findings as discussed in FAM 
580.59. 

Other Control Deficiencies: 

.57: The auditor may orally communicate other control deficiencies that 
are not significant deficiencies to an appropriate level of entity 
management or determine that no further consideration is necessary. The 
auditor should document any oral communication or the basis for the 
decision not to communicate the deficiency. 

What to Report About Control Deficiencies: 

.58: Control deficiencies identified by the auditor are findings. GAGAS
paragraphs 4.15-4.18 describe the four elements of a finding: 

* Criteria (what should be). 

* Condition (what is). 

* Cause (why the condition occurred). 

* Effect (the nature of the possible past or future impact). 

.59: The auditor should decide whether to fully develop each of the four
elements of a finding. The auditor uses professional judgment in
determining whether to apply resources to investigate a control 
deficiency, based on the elements that the auditor decides to report. 
For each significant deficiency, the minimum extent to which the 
auditor should develop the elements of a finding depends on how it is 
communicated as follows: 

* Significant deficiencies (including material weaknesses) reported in 
the auditor’s report: The auditor generally should identify at least 
the criteria, condition, cause, and possible asserted effect (as to 
nature, not necessarily amount) to permit entity management to 
determine the effect and to take prompt and proper corrective action. 
The auditor generally should provide recommendations to improve 
internal control and obtain management’s response as part of agency 
comments on the auditor’s report. 

* Significant deficiencies described briefly in the auditor’s report 
and detailed in a separate management report: The auditor should 
identify at least the condition and the criteria and generally should
identify the possible asserted effect to bring them to management’s
attention, particularly if there are sensitive or information technology
issues. The auditor may also evaluate the benefits of identifying the
cause. The auditor generally should provide recommendations or 
suggestions to improve reported findings and obtain management’s
response as part of agency comments on the auditor’s report. 

In discussing each material weakness that meets FMFIA reporting 
criteria, the auditor should determine whether the material weakness 
was identified in the entity's FMFIA report or in the FMFIA report of 
the organization of which the entity is a part (see FAM 580.63). 

.60: For control deficiencies that do not meet the criteria for 
significant deficiencies, the auditor need not develop all of the 
elements of a finding if the auditor decides to report these control 
deficiencies. 

Other Considerations: 

.61: To communicate findings promptly, the auditor may issue reports 
during the audit. For example, GAO issued a report to a federal entity 
where some installations on an interim basis were reporting in millions 
of dollars and others in billions of dollars causing materially 
inaccurate consolidations of amounts. GAO did this so the agency could 
improve the consistency and accuracy of amounts in time for year-end 
reporting. In such instances, the auditor may describe the control 
deficiency and refer to the reports as discussed in FAM 580.56. 

.62: The auditor should determine whether internal control deficiencies,
particularly material weaknesses, could affect information in other 
reports generated by the entity for external distribution or internal 
decision making. The auditor generally should make inquiries and 
evaluate other knowledge obtained during the audit concerning use of 
reports affected by these deficiencies. The auditor uses professional 
judgment to determine whether such reports might contain inaccuracies 
as a result of control deficiencies that would likely influence the 
judgment of report users. If so, the auditor generally should describe, 
in the auditor’s report, the nature of such reports and the effect of 
control deficiencies on them. In determining if such reports are 
significant, the auditor should evaluate whether user judgments or 
management decisions based on such reports could affect the entity in 
amounts that would be material in relation to the financial statements. 

Reporting on Management’s FMFIA Reports: 

.63: In the internal control section of the auditor’s report, the 
auditor should disclose whether material weaknesses or financial 
management systems’ nonconformance identified during the audit were 
identified in management’s FMFIA report. 

If the auditor found material weaknesses or systems’ nonconformance that
should have been reported under FMFIA (see FAM 580.35-.39), the auditor
should refer to them as indicated at FAM 580.59, and determine whether
management’s FMFIA process has deficiencies that the auditor should
report. Such deficiencies might result from a problem where entity
management: 

* Did not initially recognize internal control deficiencies or systems’
nonconformance, perhaps due to a lack of training, understanding, or
limitations in the scope of the FMFIA process. For example, certain
areas were not reviewed annually or certain types of controls or
systems were not reviewed. 

* Did not recognize that identified deficiencies were FMFIA material
weaknesses or systems’ nonconformance. 

* Relied upon controls that the auditor concluded were ineffective. 

* Failed to report identified deficiencies due to inappropriate report
preparation. This was perhaps due to errors in aggregating the internal
control deficiencies or systems’ nonconformance of individual
components or locations. 

The auditor may refer to the assessment of management’s FMFIA process
performed during planning, as discussed at FAM 260.58-FAM 260.63, when
concluding as to how to report these matters. 

Financial Management Systems: 

.64: FFMIA requires the auditor to report whether the financial 
management systems of CFO Act agencies or the components designated by 
OMB comply substantially with three federal financial management systems
requirements. These requirements, also required by OMB Circular No.
A-127, are: 

* Federal financial management systems requirements, including those
found in the JFMIP/OFFM functional requirements documents. 

* Applicable federal accounting standards, which are now recognized as
U.S. GAAP (see FAM 560). 

* The SGL at the transaction level. 

As discussed in FAM 540.25, the auditor should conclude on whether the
agency’s systems complied with FFMIA, following the guidance provided in
FAM 701 and by OMB. 

Reporting on Systems’ Substantial Compliance with FFMIA Requirements: 

.65: Specific guidance for FFMIA reporting when the auditor determines 
that the financial management systems are in substantial compliance 
with the three FFMIA requirements is provided in FAM 595 A for GAO 
auditors and others expressing an opinion on systems’ compliance. OMB 
audit guidance provides information for reporting on FFMIA compliance 
without expressing an opinion. 

.66: If the auditor finds the entity’s financial management systems lack
substantial compliance with any of the three requirements, the auditor
should summarize the lack of substantial compliance in the auditor’s
report. Additionally, as discussed in FAM 580.38, the auditor should 
report significant deficiencies identified for FISMA purposes as an 
instance of a lack of substantial compliance with FFMIA if the 
deficiency relates to financial reporting systems. For further 
reporting guidance see FAM 595 B. Frequently, the system’s lack of 
substantial compliance is related to significant deficiencies in 
internal control. If so, the auditor may combine the discussion. 

.67: If the auditor finds that the entity’s systems did not 
substantially comply with the requirements, the auditor is required by 
FFMIA to identify the entity or organization responsible for the 
systems found not to comply. The auditor should include pertinent facts 
such as the nature and extent of noncompliance; areas in which there is 
substantial but not full compliance; primary reason or cause; and any 
relevant comments from management or responsible employees. The auditor 
may make recommendations for corrective actions and obtain management’s 
response as part of agency comments on the auditor’s report. 

Scope of Procedures: 

.68: If the auditor is unable to perform all the procedures considered 
necessary, as discussed in FAM 350, the scope of the audit is 
restricted. Generally, if the scope of the audit is restricted, such as 
due to unavailability of needed information from the system, the 
auditor should report that the financial management systems are not in 
substantial compliance with FFMIA requirements. Also, if the auditor 
concluded the systems were not in substantial compliance with FFMIA 
based on limited testing, the auditor should report that the work on 
FFMIA would not necessarily disclose all instances of noncompliance 
with FFMIA requirements (see FAM 595 B). 

Compliance with Laws and Regulations: 

.69: The auditor should report on the results of compliance testing and 
on compliance matters (including fraud as discussed in FAM 540) that 
come to the auditor’s attention during procedures other than compliance 
tests. The manner in which noncompliance is reported depends on the 
significance of the noncompliance that has occurred or is likely to 
have occurred and whether such noncompliance is material to the 
financial statements, as described below. The auditor should consult 
with OGC regarding conclusions on the entity’s compliance with laws and 
regulations. 

.70: The auditor generally should classify noncompliance using the 
following guidelines: 

* Reportable noncompliance includes all matters coming to the auditor’s 
attention except those that in the auditor’s professional judgment are 
clearly inconsequential. 

* Material noncompliance is reportable noncompliance in which a failure 
to comply with laws or regulations results in misstatements that are 
material to the financial statements. 

.71: The auditor should present material and reportable noncompliance 
in the auditor’s report to communicate to the entity head, those 
charged with governance, OMB, and the Congress. The auditor may combine 
related instances of noncompliance. The auditor may also report 
noncompliance in detail in another report and refer to that report in 
the auditor’s report. To the extent that any such noncompliance 
contributes to a significant deficiency, the auditor should generally 
describe it in conjunction with the related significant deficiency. 

.72: The auditor may communicate orally or in writing any noncompliance 
that does not meet the criteria for reportable noncompliance to an 
appropriate level of entity management, or the auditor may determine 
that no further communication is necessary. The auditor should document 
any oral communication or the reason not to communicate in the audit
documentation. 

Reporting on Compliance Tests: 

.73: The auditor should state directly whether any reportable 
noncompliance was detected during compliance tests. This type of direct 
statement is illustrated in FAM 595 A for a situation in which the 
compliance tests disclosed no reportable noncompliance. If the auditor 
identifies any reportable noncompliance, the auditor should modify the 
statement as shown in FAM 595 B, and the auditor should discuss the 
reportable noncompliance in the auditor's report according to the 
guidance in FAM 580.69-.71. 

.74: Under AU 532, a report on compliance with laws and regulations in 
which no opinion is issued is a by-product of a financial statement 
audit that provides a limited degree of assurance about compliance. 
When no opinion is issued, the report on compliance is not the primary 
objective of the engagement. The auditor should indicate the intended 
use of the compliance report because of the potential for 
misunderstanding related to a by-product report’s limited degree of 
assurance. Because the distribution of government audit reports is not 
restricted, the auditor’s report should explain this limitation as 
follows: “However, the objective of our audit was not to provide an 
opinion on overall compliance with laws and regulations. Accordingly, 
we do not express such an opinion.” 

Scope of Procedures: 

.75: The auditor should perform all of the procedures that the auditor
determines necessary for obtaining sufficient appropriate evidence to
report on compliance with laws and regulations. If the auditor is 
unable to perform all of the procedures for each of the significant 
provisions of laws and regulations, the auditor may be able to report 
on the laws and regulations tested. However, the auditor should modify 
the report to alert the reader that not all of the laws that the 
auditor believed were necessary were tested. See FAM 595 B for report 
modifications. 

.76: If the scope limitation is so significant that the auditor 
believes that any statement could be misleading, the auditor should 
omit it. The auditor should describe significant scope limitations in 
the auditor’s report, and the auditor should modify the auditor’s report as 
described in FAM 595 B. The auditor also should determine the effect of 
such a scope limitation on the opinion on the financial statements. 

.77: If deficiencies in compliance controls are identified but no 
instances of noncompliance are found during compliance testing, the 
auditor should determine whether controls or other mitigating factors 
prevented or detected instances of noncompliance. If sufficient 
additional controls or other mitigating factors are not identified, the 
auditor should consult with the reviewer and OGC concerning the 
appropriate reporting of such deficiencies and compliance tests. 

Other Information in the Annual Financial Statement: 

.78: As discussed in OMB financial reporting guidance, certain other 
information is to be included in the annual financial statement. This
information consists of an MD&A, required supplementary information 
(RSI) including any stewardship information (RSSI), and other 
accompanying information. 

.79: U.S. GAAP requires the entity to report certain RSSI, primarily 
stewardship investments (including nonfederal physical property, such 
as highways; human capital, such as expenditures for training and 
education; and research and development) and risk-assumed information 
(such as pension and deposit insurance projections). The entity should 
mark RSSI “unaudited.” 

.80: As RSSI is required by U.S. GAAP, the auditor should apply 
procedures consistent with AU 558. The auditor should compare the 
consistency of RSSI with the financial statements and should discuss 
the methods of measurement and presentation with entity officials. 

.81: If there are no material inconsistencies or nonconformance with 
U.S. GAAP or OMB guidance that come to the auditor’s attention during 
these or other audit procedures, the auditor should state this as shown 
in FAM 595 A. Although AU 558.08 requires reporting on the other 
information only if material inconsistencies or nonconformance with 
U.S. GAAP or OMB guidance are found, OMB audit guidance requires the 
auditor to report based on AU 551.15. If material inconsistencies or 
instances of nonconformance are noted and are not remedied by the 
entity, the auditor should describe these situations in the auditor’s 
report and refer to the discussion in this section as illustrated in 
FAM 595 B. 

.82: The auditor should also determine whether circumstances that 
resulted in modification of the auditor’s report, such as a scope 
limitation or departure from U.S. GAAP, also affect this other 
information. If so, the auditor should discuss these effects in the 
auditor’s report as described in FAM 595 B. 

Agency Comments: 

.83: The auditor should obtain and report the views of responsible 
entity officials concerning the findings, conclusions, recommendations, 
and planned corrective actions, if included. The auditor should allow 
the audited entity to review a draft of the report prior to issuance 
and provide either written or oral comments. This is to identify any 
errors in fact, avoid surprises in the message, and strive for 
fairness, balance, objectivity, accuracy, and completeness. Written 
comments are generally preferred, especially when the report is 
sensitive or controversial, when significant disagreements exist, or 
when the report makes wide-ranging recommendations. When the entity 
provides written comments, the auditor should include a copy of these 
comments or summarize the comments in the auditor’s report. 

Oral comments may be appropriate when (1) there is a reporting date
critical to meeting a user’s needs, (2) the auditor has worked closely 
with the entity so that it is familiar with the findings and issues 
addressed in the draft report, or (3) the auditor does not expect major 
disagreements with the findings, conclusions, or recommendations in the 
draft report or major controversies with regard to the issues discussed 
in the draft report. If the entity provides only oral comments, the 
auditor should prepare a summary of these comments and provide a copy 
of the summary to the responsible officials to verify that the comments 
are accurately stated and may report the entity’s views. If the report 
is unqualified and does not include any material weaknesses or material 
noncompliance, the entity may decide not to comment. 

.84: The auditor generally should include an agency comments and 
(auditor’s) evaluation section in the auditor’s report. The auditor 
generally should briefly characterize the overall response to the draft 
regarding facts and conclusions such as: the entity generally agrees, 
partially agrees, or disagrees with the report. The auditor generally 
should summarize the major points made in the comments, whether written 
or oral, usually in the last section of the auditor’s report and should 
include an evaluation of the comments, as appropriate. If agency 
officials concurred with all the findings, conclusions, and 
recommendations, the auditor should state that they concurred, mention 
any actions the agency has agreed to take, and provide the auditor’s 
response to those actions. If agency officials disagree with or have 
concerns regarding portions of the report, the auditor should discuss 
these concerns in the auditor’s report and provide the auditor’s
evaluation of them. 

.85: The auditor generally should include the agency’s written comments 
as an appendix to the report. These comments may include matters such 
as a description of corrective actions taken by the entity, the 
entity’s plans to implement new controls, or a statement indicating 
that management believes the cost of correcting a significant 
deficiency or material weakness would exceed the benefits to be derived 
from doing so. If these types of comments are included in the document 
containing the auditor’s written communication regarding material 
weaknesses or other significant deficiencies, the auditor should 
disclaim an opinion on such information as described in FAM 595 A. 

Dating the Auditor’s Report: 

.86: The auditor should date the report not earlier than the date on 
which the auditor has obtained sufficient appropriate audit evidence to 
support the opinion as discussed in AU 339.27. Among other things, 
sufficient appropriate audit evidence includes evidence that 
supervisors, first partners, and the reviewer have completed their 
reviews, that the entity’s financial statements, including disclosures, 
have been prepared, that management has asserted that it has taken 
responsibility for them by signing the representation letter, and that 
any significant issues have been resolved. The engagement quality 
control reviewer (second partner) may complete the review between the 
audit completion date and the report release date. 

However, if additional evidence is needed, the auditor should determine
whether to change the date of the auditor’s report. This will ordinarily
result in a report date that is close to the date the auditor grants 
the entity permission to use the auditor's report in connection with 
the financial statements (report release date). If there are delays in 
releasing the report, the auditor should perform additional procedures 
to comply with AU 530 and AU 560. There are three important dates to 
consider as follows: 

* Auditor’s report date. This is the date on which the auditor has 
obtained sufficient appropriate audit evidence to support the opinion. 

* Report release date. This is the date that the auditor grants the 
entity permission to use the auditor’s report in connection with the 
financial statements. Often, the report release date will be the date 
that the auditor delivers the audit report to the entity. The auditor’s 
report date will ordinarily be a date that is close to the report 
release date. The report release date is important because it starts 
the period when the auditor must complete the audit documentation. 

* Documentation completion date. This is the date that the auditor 
determines that the audit documentation is assembled, final, and 
complete. The auditor should complete final audit documentation within 
60 days following the report release date. 

Further guidance can be obtained from the AICPA’s Practice Alert 2007-1,
Dating of the Auditor’s Report and Related Practical Guidance. 

Restatement of Audited Financial Statements: 

.87: If the auditor becomes aware of information that relates to 
financial statements on which the auditor previously reported that 
could have affected that report, the auditor should follow AU 561 and 
GAGAS paragraphs 5.26-5.31. These standards address the subsequent 
discovery of facts existing at the date of the auditor’s report. SFFAS 
No. 21, Reporting Corrections of Errors and Changes in Accounting 
Principles, addresses restatement of prior year federal entity 
financial statements. AU 420 on consistency of application of U.S. GAAP 
and AU 508 on auditor’s reports provide guidance on when to reissue 
auditors’ reports on restated financial statements. Additionally, OMB 
financial reporting guidance requires entity management to notify their 
auditor when material errors are found in published financial 
statements and provides guidance regarding footnote disclosure of 
restatements. 

.88: Under AU 561, if auditors become aware of new information that 
might have affected their opinion on previously-issued financial 
statement(s), then the auditors should advise entity management to 
determine the potential effect(s) of the new information on the 
previously-issued financial statement(s) as soon as reasonably 
possible. Such new information may lead management to conclude that 
previously-issued financial statements were materially misstated and to 
restate and reissue the misstated financial statements. In such 
circumstances, auditors should advise management to make appropriate 
disclosure of the newly discovered facts and their impact on the 
financial statements to those who are likely to rely on the financial
statements.[Footnote 74] 

.89: Under GAGAS, auditors should advise management to make appropriate
disclosures when the auditors believe that (1) it is likely that 
previously-issued financial statements are misstated, and (2) the 
misstatement is or reasonably could be material. Under GAGAS, auditors 
also should perform the following procedures related to restated 
financial statements: 

a. Evaluate the timeliness and appropriateness of management’s 
disclosure and actions to determine and correct misstatements in
previously-issued financial statements (see GAGAS paragraph 5.28 for
specific procedures to perform). 

b. Report on restated financial statements (see GAGAS paragraphs 5.29-5.30). 

c. Report directly to appropriate officials if the audited entity does 
not take the necessary corrective steps (see GAGAS paragraph 5.31). 

Other Reporting Matters: 

.90: OMB has encouraged federal entities to prepare a Performance and 
Accountability Report (PAR) highlights document based upon its PAR for
the same year. Entity management may determine the content following 
OMB financial reporting guidance. Management may choose to include 
condensed financial statements and may ask the auditor to report on the
condensed financial statements. Auditors should follow AU 552 for 
reporting on condensed financial statements or selected financial data.
Additional guidance is provided in OMB reporting guidance. 

590 – Documentation: 

.01: The auditor should document the nature and extent of work 
performed in the reporting phase and the related conclusions including: 

* audit summary memorandum (FAM 590.02-.03); 

* overall analytical procedures (FAM 590.04); 

* deficiencies in internal control (FAM 590.05); 

* evaluation and communication of misstatements (FAM 540); 

* letters from legal counsel (FAM 1002); 

* subsequent events (FAM 1005); 

* management representations (FAM 1001); 

* related party transactions (FAM 902); 

* procedures performed to determine consistency of the other 
information in the annual financial statement with the financial 
statements and on conformity with U.S. GAAP or OMB financial reporting 
guidance, currently OMB Circular No. A-136 (FAM 580.77-.81); and 

* exit conference(s) (FAM 590.10). 

Specific Documentation Considerations: 

Audit Summary Memorandum: 

.02: At the completion of the audit, the auditor should prepare an audit
summary memorandum that summarizes the audit results and demonstrates 
the adequacy of the audit procedures, appropriateness and sufficiency 
of the audit evidence, and the reasonableness of the conclusions on: 

* the financial statements; 

* internal control; 

* the financial management systems’ substantial compliance with FFMIA
requirements (for CFO Act agencies); 

* the entity’s compliance with laws and regulations; 

* MD&A; 

* required supplementary information (RSI), including any stewardship
information (RSSI); and 

* other accompanying information. 

.03: In the audit summary memorandum, the auditor may refer to other 
documentation where this information is described in more detail. The
auditor generally should summarize and refer in the documentation to: 

* any significant changes from the auditor’s original assessment of the
risk of material misstatement; 

* any additional fraud risks or other conditions beyond those considered
in planning (FAM 260), including analytical relationships identified
during the audit that caused the auditor to believe additional audit
procedures or any other response was required, as well as any further
response the auditor concluded was appropriate; 

* the results of the procedures performed to specifically address the 
risk of management override of controls; 

* the auditor’s evaluation of misstatements that the auditor believes 
are or might be the result of fraud; 

* the nature of any communications about fraud or possible fraud (and
any significant abuse) made to management, those charged with 
governance, the Special Investigator Unit, the Office of Inspector
General, or others; 

* the auditor’s summary conclusions related to the consideration of
fraud; 

* significant accounting, auditing, or reporting issues; 

* any limitations on the audit scope and the auditor’s assessment of
whether the audit procedures were adequate to support conclusions on
the financial statements, internal control, the systems’ substantial
compliance with FFMIA requirements (for CFO Act agencies), compliance 
with laws and regulations, MD&A, RSI, RSSI, and other accompanying 
information; 

* the auditor’s conclusions on whether the audit evidence obtained is
sufficient, appropriate, and supports the conclusions on the financial
statements, internal control, the systems’ substantial compliance with
FFMIA requirements, compliance with laws and regulations, MD&A,
RSI and RSSI, and other accompanying information; 

* the auditor’s conclusions on whether sufficient appropriate audit
evidence was obtained to reduce audit risk to an appropriately low
level; 

* the auditor’s conclusion on whether the audit was performed in 
compliance with GAGAS, OMB audit guidance, and, if used, the GAO/PCIE 
Financial Audit Manual, and whether the report is appropriate; 

* the auditor’s conclusion on whether the entity’s financial statements 
are in accordance with U.S. GAAP; 

* significant subsequent events, if any; 

* the Summary of Uncorrected Misstatements (FAM 595 C) and 
communication of known and likely misstatements to management and
those charged with governance; 

* a summary of internal control weaknesses classified as material 
weaknesses, other significant deficiencies, and other control 
deficiencies, and a comparison of material weaknesses the auditor
found to the weaknesses reported in management's assertion about the
effectiveness of internal control; 

* a summary of instances of the systems’ lack of substantial compliance
with FFMIA requirements, including areas in which there is substantial
but not full compliance (for CFO Act agencies); 

* a summary of instances of noncompliance with laws and regulations; 

* documentation of overall analytical procedures; 

* documentation of oral or written communication with those charged 
with governance of matters required to be communicated in FAM 550.13-.14. 
If the communication was in writing, the auditor should include a 
copy of the communication in the audit documentation; and 

* the auditor’s conclusion on the adequacy of two-way communication
with those charged with governance (see FAM 550.15-.16). 

Overall Analytical Procedures: 

.04: The auditor should document: 

* Expectations: These are developed by the auditor for account/line
item balances based upon plausible relationships that are reasonably
expected to exist. 

* Data used and sources of data: Documentation on the specific 
financial data used for the current-year amounts and expectations 
including the amounts of the financial items; the dates or periods
covered by the data; whether the data were audited or unaudited; the 
persons from whom the data were obtained, if applicable; and the source 
of the information, such as the general ledger trial balance, 
prior-year audit documentation, or prior-year financial statements. 

* Parameters for identifying significant fluctuations: These parameters 
are left to the auditor’s professional judgment based on tolerable 
misstatement. 

* Explanations for significant fluctuations from expectations and 
sources of these explanations: The auditor should determine if 
explanations obtained are consistent with corroborating evidence in the
documentation and should refer to this work. 

* Auditor’s conclusions on the results of the procedures: The auditor 
should document conclusions reached on the results of overall 
analytical procedures. 

Deficiencies in Internal Control: 

.05: The auditor should document: 

* the basis for considering internal control deficiencies as material
weaknesses, other significant deficiencies, or other control 
deficiencies; 

* any oral communications of control deficiencies that are not included
in a written report; and 

* procedures performed to determine the effects of deficiencies in
internal control on other reports used by the entity. 

Lack of Systems’ Substantial Compliance with FFMIA Requirements: 

.06: The auditor should document the basis for deciding whether systems’
noncompliances with FFMIA requirements (for CFO Act agencies) represent 
lack of substantial compliance (FAM 580.63-.67 and FAM 701). 

Instances of Noncompliance: 

.07: The auditor should document the basis for classification of 
instances of noncompliance as material noncompliance, other reportable
noncompliance, or not reportable. The auditor should also document any
oral communications of noncompliance that are not included in a written
report (FAM 580.68-.76 and FAM 800). 

Other Reporting Matters: 

.08: The auditor should document procedures performed with respect to 
any subsequent discovery of facts that could have affected a previously 
issued audit report on the financial statements (FAM 580.86). 

.09: The auditor should document procedures performed with respect to 
the issuance of condensed financial statements or selected financial 
data (FAM 580.87). 

Exit Conference(s): 

.10: The auditor should document exit conference(s) with appropriate 
entity officials. The auditor should also document any exit conference 
held with those charged with governance, as appropriate. 

595 A - Example Unqualified Auditor’s Reports: 

OMB audit guidance requires the auditor to report on internal control, 
but does not require the auditor to express an opinion on the 
effectiveness of internal control. Example 1 presents a report in which 
the auditor expresses an opinion on internal control effectiveness. 
Example 2 presents a report in which the auditor has not identified any 
material weaknesses in internal control and does not express an opinion 
on internal control effectiveness. In both examples, the auditor’s 
opinion on the financial statements is unqualified. See FAM 595 B for 
modifications to the auditor’s report for a variety of situations. 

Example 1 - Unqualified Financial Statement, Internal Control Opinion, 
and Opinion on Substantial Compliance of Entity’s Systems with FFMIA: 

[Addressee] 

In accordance with [cite audit authority] we are responsible for 
conducting audits of [full name of entity]. In our audits of the 
[entity] for fiscal year(s) [cite], we found: 

* the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles, 

* [entity] had effective internal control over financial reporting 
(including safeguarding assets) and compliance with laws and 
regulations, 

* [entity’s] financial management systems substantially complied with 
the requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA),[Footnote 75] [for CFO Act agencies, omit for non-CFO Act 
agencies] and[Footnote 76], 

* no reportable noncompliance with laws and regulations we tested. 

The following sections discuss in more detail (1) these conclusions,
(2) our conclusions on Management’s Discussion and Analysis and other
supplementary information, (3) our audit objectives, scope, and
methodology, and (4) agency comments and our evaluation. 

Opinion on Financial Statements: 

The financial statements including the accompanying notes present 
fairly, in all material respects, in conformity with U.S. generally 
accepted accounting principles, [entity’s] assets, liabilities, and net 
position as of September 30, 20XX [and 20X1]; the financial condition 
of [entity’s] social insurance programs (if applicable) as of [the 
specified date]; and net costs; changes in net position; budgetary 
resources; and custodial activity (if applicable)[Footnote 77] for the 
year[s] then ended. 

Opinion on Internal Control: 

[Entity] maintained, in all material respects, effective internal 
control over financial reporting (including safeguarding assets) and 
compliance as of [end of fiscal year] that provided reasonable 
assurance that misstatements, losses, or noncompliance material in 
relation to the financial statements would be prevented or detected on 
a timely basis. Our opinion is based on criteria established under 31 
U.S.C. 3512 (c), (d), the Federal Managers’ Financial Integrity Act, 
and the Office of Management and Budget (OMB) Circular No. A-123, 
Management’s Responsibility for Internal Control, [or other criteria]. 

Systems’ Compliance with FFMIA Requirements [Omit this section
for non-CFO Act entities]: 

[Entity’s] financial management systems, as of [end of fiscal year],
substantially complied with the following requirements of FFMIA: (1) 
federal financial management systems requirements, (2) federal 
accounting standards, and (3) the U.S. Government Standard General
Ledger (SGL) at the transaction level. Our opinion is based on criteria
established under FFMIA, OMB Circular No. A-127, Financial Management 
Systems (which includes the Joint Financial Management Improvement 
Program/Office of Federal Financial Management series of system 
requirements documents), U.S. generally accepted accounting principles, 
and the SGL.[Footnote 78] 

Compliance With Laws and Regulations: 

Our tests of the [entity’s] compliance with selected provisions of laws 
and regulations for fiscal year 20XX disclosed no instances of 
noncompliance that would be reportable under U.S. generally accepted 
government auditing standards or OMB audit guidance. However, the 
objective of our audit was not to provide an opinion on overall 
compliance with laws and regulations. Accordingly, we do not express 
such an opinion. 

Consistency of Other Information: 

The [entity’s] Management’s Discussion and Analysis, required
supplementary information (including stewardship information), and other
accompanying information contain a wide range of information, some of
which is not directly related to the financial statements.[Footnote 79] 
We do not express an opinion on this information. However, we compared 
this information for consistency with the financial statements and 
discussed the methods of measurement and presentation with [name of 
entity] officials. On the basis of this limited work, we found no 
material inconsistencies with the financial statements, U.S. generally 
accepted accounting principles, or OMB guidance. 

Objectives, Scope, and Methodology: 

[Entity] management is responsible for (1) preparing the financial
statements in conformity with U.S. generally accepted accounting 
principles, (2) establishing, maintaining, and assessing internal 
control to provide reasonable assurance that the broad control 
objectives of the Federal Managers’ Financial Integrity Act are met, 
(3) ensuring that the [entity’s] financial management systems 
substantially comply with FFMIA requirements (for CFO Act agencies), 
and (4) complying with applicable laws and regulations. 

We are responsible for obtaining reasonable assurance about whether
(1) the [entity’s] financial statements are presented fairly, in all 
material respects, in conformity with U.S. generally accepted 
accounting principles and (2) [entity] management maintained effective 
internal control, the objectives of which are as follows: 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the preparation of financial statements in
conformity with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use,
or disposition. 

* Compliance with laws and regulations: Transactions are executed in
accordance with (1) laws governing the use of budget authority, (2)
other laws and regulations that could have a direct and material effect
on the financial statements, and (3) any other laws, regulations, and
governmentwide policies identified by OMB audit guidance. 

We are also responsible for (1) testing whether [entity’s] financial
management systems substantially comply with the three FFMIA
requirements [omit for non-CFO Act agencies], (2) testing compliance 
with selected provisions of laws and regulations that have a direct and 
material effect on the financial statements and laws for which OMB 
audit guidance requires testing, and (3) performing limited procedures 
with respect to certain other information appearing in the Annual 
Financial Statement. 

In order to fulfill these responsibilities, we: 

* examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates made
by management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of the entity and its operations, including 
its internal control related to financial reporting (including 
safeguarding assets), and compliance with laws and regulations 
(including execution of transactions in accordance with budget 
authority); 

* tested relevant internal controls over financial reporting and
compliance, and evaluated the design and operating effectiveness of
internal control; 

* considered the design of the process for evaluating and reporting on
internal control and financial management systems under the Federal
Managers’ Financial Integrity Act; 

* tested whether [entity’s] financial management systems substantially
complied with the three FFMIA requirements [omit for non-CFO Act
agencies]; and 

* tested compliance with selected provisions of the following laws and
regulations: [list laws and regulations] 

We did not evaluate all internal controls relevant to operating 
objectives as broadly defined by the Federal Managers’ Financial 
Integrity Act, such as those controls relevant to preparing statistical 
reports and ensuring efficient operations. We limited our internal 
control testing to controls over financial reporting and compliance. 
Because of inherent limitations in internal control, misstatements due 
to error or fraud, losses, or noncompliance may nevertheless occur and 
not be detected. We also caution that projecting our evaluation to 
future periods is subject to the risk that controls may become 
inadequate because of changes in conditions or that the degree of 
compliance with controls may deteriorate. 

We did not test compliance with all laws and regulations applicable to
[entity]. We limited our tests of compliance to selected provisions of 
laws and regulations that have a direct and material effect on the 
financial statements and those required by OMB audit guidance that we 
deemed applicable to the [entity’s] financial statements for the fiscal 
year ended [date]. We caution that noncompliance may occur and not be 
detected by these tests and that such testing may not be sufficient for 
other purposes. 

We performed our audit in accordance with U.S. generally accepted
government auditing standards and OMB audit guidance. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report (see appendix x), [entity]
concurred [or partially concurred, or did not concur] with the facts and
conclusions in our report. Discuss agency comments with auditor
evaluation if agency partially concurred or did not concur.[Footnote 80] 

[Auditor’s signature] 

[Date of audit completion] 

[End of example] 

Example 2 - Unqualified Financial Statement Opinion, No Internal
Control Opinion and No Identified Material Weaknesses, and Opinion on 
Substantial Compliance of Entity’s Systems with FFMIA: 

[Addressee] 

In accordance with [cite audit authority] we are responsible for 
conducting audits of [full name of entity]. In our audits of the 
[entity] for fiscal year(s) [cite], we found: 

* the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles, 

* no material weaknesses in internal control over financial reporting
(including safeguarding assets) and compliance with laws and
regulations, 

* [entity’s] financial management systems substantially complied with 
the requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA),[Footnote 81] [for CFO Act agencies, omit for non-CFO Act 
agencies] and, [Footnote 82] 

* no reportable noncompliance with laws and regulations we tested. 

The following sections discuss in more detail (1) these conclusions,
(2) our conclusions on Management’s Discussion and Analysis and other
supplementary information, (3) our audit objectives, scope, and
methodology, and (4) agency comments and our evaluation. 

Opinion on Financial Statements: 

The financial statements including the accompanying notes present 
fairly, in all material respects, in conformity with U.S. generally 
accepted accounting principles, [entity’s] assets, liabilities, and net 
position as of September 30, 20XX [and 20X1]; the financial condition 
of [entity’s] social insurance programs (if applicable) as of [the 
specified date]; and net costs; changes in net position; budgetary 
resources; and custodial activity (if applicable)[Footnote 83] for the 
year[s] then ended. 

Consideration of Internal Control: 

In planning and performing our audit, we considered [entity’s] internal
control over financial reporting and compliance. [Here the auditor may
include a footnote stating the objectives of internal control, which are
reasonable assurance that the two bullets in the objectives, scope, and
methodology section are achieved.] We did this to determine our
procedures for auditing the financial statements and to comply with OMB 
audit guidance, not to express an opinion on internal control. 
Accordingly, we do not express an opinion on internal control over 
financial reporting and compliance or on management’s assertion on 
internal control included in Management’s Discussion and Analysis. 
However, for the controls we tested, we found no material weaknesses in 
internal control over financial reporting (including safeguarding 
assets) and compliance. A material weakness is a control deficiency 
that results in more than a remote likelihood that the design or 
operation of one or more internal controls will not allow management or 
employees, in the normal course of performing their duties, to promptly 
detect or prevent errors, fraud, or noncompliance in amounts that would 
be material to the financial statements. Our internal control work 
would not necessarily disclose all deficiencies in internal control 
that might be material weaknesses or other significant deficiencies. 

Systems’ Compliance with FFMIA Requirements [Omit this section
for non-CFO Act entities]: 

[Entity’s] financial management systems, as of [end of fiscal year],
substantially complied with the following requirements of FFMIA:
(1) federal financial management systems requirements, (2) federal
accounting standards, and (3) the U.S. Government Standard General
Ledger (SGL) at the transaction level. Our opinion is based on criteria
established under FFMIA, OMB Circular No. A-127, Financial Management 
Systems (which includes the Joint Financial Management Improvement 
Program/Office of Federal Financial Management series of system 
requirements documents), U.S. generally accepted accounting principles, 
and the SGL.[Footnote 84] 

Compliance With Laws and Regulations: 

Our tests of the [entity’s] compliance with selected provisions of laws 
and regulations for fiscal year 20XX disclosed no instances of 
noncompliance that would be reportable under U.S. generally accepted 
government auditing standards or OMB audit guidance. However, the 
objective of our audit was not to provide an opinion on overall 
compliance with laws and regulations. Accordingly, we do not express 
such an opinion. 

Consistency of Other Information: 

The [entity’s] Management’s Discussion and Analysis, required 
supplementary information (including stewardship information), and other
accompanying information contain a wide range of information, some of
which is not directly related to the financial statements.[Footnote 85] 
We do not express an opinion on this information. However, we compared 
this information for consistency with the financial statements and 
discussed the methods of measurement and presentation with [name of 
entity] officials. Based on this limited work, we found no material 
inconsistencies with the financial statements, U.S. generally accepted 
accounting principles, or OMB guidance. 

Objectives, Scope, and Methodology: 

[Entity] management is responsible for (1) preparing the financial
statements in conformity with U.S. generally accepted accounting
principles, (2) establishing, maintaining, and assessing internal 
control to provide reasonable assurance that the broad control 
objectives of the Federal Managers’ Financial Integrity Act are met, 
(3) ensuring that [entity’s] financial management systems substantially 
comply with FFMIA requirements (for CFO Act agencies), and (4) 
complying with applicable laws and regulations. 

We are responsible for obtaining reasonable assurance about whether the
financial statements are presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles. We are 
also responsible for (1) obtaining a sufficient understanding of 
internal control over financial reporting and compliance to plan the 
audit, (2) testing whether [entity’s] financial management systems 
substantially comply with the three FFMIA requirements [omit for 
non-CFO Act agencies], (3) testing compliance with selected provisions of 
laws and regulations that have a direct and material effect on the 
financial statements and laws for which OMB audit guidance requires 
testing, and (4) performing limited procedures with respect to certain 
other information appearing in the Annual Financial Statement. 

In order to fulfill these responsibilities, we: 

* examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates made
by management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of the entity and its operations, including 
its internal control related to financial reporting (including 
safeguarding assets), and compliance with laws and regulations 
(including execution of transactions in accordance with budget 
authority); 

* tested relevant internal controls over financial reporting, and 
compliance, and evaluated the design and operating effectiveness of 
internal control; 

* considered the design of the process for evaluating and reporting on
internal control and financial management systems under the Federal
Managers’ Financial Integrity Act; 

* tested whether [entity’s] financial management systems substantially
complied with the three FFMIA requirements [omit for non-CFO Act 
agencies]; and 

* tested compliance with selected provisions of the following laws and
regulations: [list laws and regulations] 

We did not evaluate all internal controls relevant to operating 
objectives as broadly defined by the Federal Managers’ Financial 
Integrity Act, such as those controls relevant to preparing statistical 
reports and ensuring efficient operations. We limited our internal 
control testing to controls over financial reporting and compliance. 
Because of inherent limitations in internal control, misstatements due 
to error or fraud, losses, or noncompliance may nevertheless occur and 
not be detected. We also caution that projecting our evaluation to 
future periods is subject to the risk that controls may become 
inadequate because of changes in conditions or that the degree of 
compliance with controls may deteriorate. In addition, we caution that 
our internal control testing may not be sufficient for other purposes. 

We did not test compliance with all laws and regulations applicable to
[entity]. We limited our tests of compliance to selected provisions of 
laws and regulations that have a direct and material effect on the 
financial statements and those required by OMB audit guidance that we 
deemed applicable to the [entity’s] financial statements for the fiscal 
year ended [date]. We caution that noncompliance may occur and not be 
detected by these tests and that such testing may not be sufficient for 
other purposes. 

We performed our audit in accordance with U.S. generally accepted
government auditing standards and OMB audit guidance. 

Agency Comments and Our Evaluation: 

In commenting on a draft of this report (see appendix x), [entity]
concurred [or partially concurred, or did not concur] with the facts and
conclusions in our report. Discuss agency comments with auditor
evaluation if agency partially concurred or did not concur. [Footnote 
86] 

[Auditor’s signature] 

[Date of audit completion] 

[End of example] 

595 B – Example Modifications to the Auditor’s Report: 

This section provides examples to modify the unqualified auditor’s 
reports in FAM 595 A for each of the situations listed below. The
auditor may tailor these examples as appropriate. 

Situations relating to the financial statements: 

1. Scope limitation resulting in a qualified opinion on the financial 
statements. 

2. Scope limitation resulting in a disclaimer of an opinion on the 
financial statements. 

3. Uncertainty resulting in the addition of an explanatory paragraph. 

4. Lack of consistency in the application of accounting principles 
resulting in the addition of an explanatory paragraph. 

5. Departure from U.S. GAAP resulting in a qualified opinion on the 
financial statements. 

6. Departure from U.S. GAAP resulting in an adverse opinion on the 
financial statements. 

Situations relating to internal control: 

7. Scope limitation resulting in a disclaimer of opinion on internal 
control. 

8. Scope limitation resulting in a qualified opinion on internal 
control. 

9. Material weakness in internal control. 

10. Significant deficiency (other than material weakness) in internal 
control. 

11. The purpose was not to give an opinion on internal control and 
other significant deficiencies were found. 

12. The purpose was not to give an opinion on internal control and one 
or a few material weaknesses were found. 

13. The purpose was not to give an opinion on internal control and many 
material weaknesses were found. 

Situations relating to financial management systems’ substantial 
compliance with FFMIA requirements (for CFO Act agencies): 

14. Lack of financial management systems’ substantial compliance with 
FFMIA requirements. 

Situations relating to compliance with laws and regulations: 

15. Scope limitation—some laws and regulations could not be tested. 

16. Scope limitation—all laws and regulations could not be 
tested—disclaimer. 

17. Material noncompliance with laws and regulations. 

18. Reportable noncompliance (other than material noncompliance) with 
laws and regulations. 

Situations relating to the consistency of other information in the 
Annual Financial Statement [management’s discussion and analysis, 
required supplementary information (including stewardship information), 
and other accompanying information]: 

19. Material inconsistency between other information and the financial 
statements. 

20. Nonconformance of other information with U.S. GAAP or OMB audit 
guidance. 

21. Any situation that caused the auditor to modify the report on the 
financial statements, internal control, or compliance with laws and 
regulations that also affects other information. 

Notes to Modifications of Auditor’s Report: 

Notes 1 through 8. 

Financial Statements: 

Situation: 1. Scope limitation—qualified opinion (see FAM 580.14). 
Introduction: First bullet: “Sufficient appropriate evidence about 
[identify account(s) affected by the scope limitation] in the financial 
statements was not available because of limitations on the scope of our 
work. Otherwise, we found the financial statements are presented fairly 
in conformity with U.S. generally accepted accounting principles.” 
Significant Matters (see note 1): Describe significant limitations on 
the scope of the work. 
Opinion or Conclusion: Qualified opinion on financial statements: 
“Because of the limitations on the scope of our work described above, 
we cannot determine if the financial statements’ presentation of 
[identify account(s) affected by the scope limitation] is free of 
material misstatement. Otherwise, the financial statements including the
accompanying notes present fairly ...” 
Objectives, Scope, and Methodology: Delete the last sentence on GAGAS 
compliance. Insert: “Except for the limitations on the scope of our 
work, we performed our audit in accordance with U.S. generally accepted 
government auditing standards and OMB guidance. We considered the 
limitations on the scope of our work in forming our conclusions.” 

Situation: 2. Scope limitation—disclaimer (see FAM 580.14). 
Introduction: First bullet: “We are unable to give an opinion on the 
fiscal year [year] financial statements of [name of entity] because of 
limitations on the scope of our work. Thus, the financial statements may
be materially misstated.” 
Significant Matters (see note 1): Describe scope limitations that caused
the disclaimer of the opinion and conclude with the following statement:
“Because of this limitation on the scope of our work, we are unable to 
give an opinion on the financial statements.” 
Opinion or Conclusion: Disclaimer of opinion on financial statements: 
“As described above, we are unable to give an opinion on the financial 
statements.” 
Objectives, Scope, and Methodology: Delete all references to the 
auditor’s responsibility for auditing the financial statements and how 
that responsibility was fulfilled. Insert wording from note 2. 

Situation: 3. Uncertainty - explanatory paragraph (see FAM 580.19). 
Introduction: No changes; 
Significant Matters (see note 1): No changes (see note 7); 
Opinion or Conclusion: Opinion on financial statements (see note 7): 
After the opinion, include an explanatory paragraph describing the 
uncertainty; 
Objectives, Scope, and Methodology: No changes. 

Situation: 4. Lack of consistency in the application of accounting 
principles— explanatory paragraph (see FAM 580.20); 
Introduction: No changes; 
Significant Matters (see note 1): No changes (see note 7); 
Opinion or Conclusion: Opinion on financial statements (see note 7):
After the opinion, include an explanatory paragraph explaining the 
accounting change. For example: “As discussed in Note X to the 
financial statements, the entity changed its method of computing 
depreciation in fiscal year [year].” 
Objectives, Scope, and Methodology: No changes. 

Situation: 5. Departure from U.S. GAAP— qualified opinion (see FAM 
580.22). 
Introduction: First bullet: “Entity departed from U.S. generally 
accepted accounting principles in [identify account(s) affected by the 
departure from U.S. GAAP]. Otherwise the financial statements are 
presented fairly in conformity with U.S. generally accepted accounting 
principles.” 
Significant Matters (see note 1): Describe material departures from U.S.
GAAP. 
Opinion or Conclusion: Qualified Opinion on Financial Statements: 
“Except for the departure from U.S. generally accepted accounting 
principles described above, the financial statements, including the 
accompanying notes, present fairly ...” 
Objectives, Scope, and Methodology: No changes. 

Situation: 6. Departure from U.S. GAAP— adverse opinion (see FAM 
580.22); 
Introduction: First bullet: “The financial statements are not presented 
fairly in conformity with U.S. generally accepted accounting 
principles.” 
Significant Matters (see note 1): Describe material departures from U.S.
GAAP; 
Opinion or Conclusion: Adverse opinion on financial statements: 
“Because of the departure from U.S. generally accepted accounting 
principles described above, the financial statements, including the 
accompanying notes, do not present fairly ...” 
Objectives, Scope, and Methodology: No changes. 

Internal Control: 

Situation: 7. Scope limitation--disclaimer (see FAM 580.40); 
Bullets: Second bullet: “We are unable to give an opinion on the 
effectiveness of internal control because of limitations on the scope
of our work.” 
Significant Matters (see note 1): Describe limitations on the scope of 
the work that caused the disclaimer of opinion and conclude with the
following statement: “Because of this limitation on the scope of our 
work, we are unable to give an opinion on internal control.”
Opinion or Conclusion: Disclaimer of opinion on internal control: “As 
described above, we are unable to give an opinion on internal control.”
Objectives, Scope, and Methodology: Delete all references to the 
auditor’s responsibility for giving such an opinion and how that 
responsibility was fulfilled. Insert specific wording from note 3. 

Situation: 8. Scope limitation on one objective— qualified opinion
(see FAM 580.40); 
Bullets: Second bullet: “We are unable to give an opinion on internal 
control over [state objective affected, for example, financial
reporting] because of limitations on the scope of our work. We found 
that management had effective internal control over [state objective 
not affected, for example, compliance with laws and regulations.]”
Significant Matters (see note 1): Describe significant limitations on 
the scope of the work. Follow the discussion of a scope restriction on 
the audit of the financial statements, if any, and conclude with the
following statement: “Because of this limitation on the scope of our 
work, we are unable to give an opinion on internal control over [state 
the affected control objective, such as financial reporting].”
Opinion or Conclusion: Qualified opinion on internal control: “As 
described above, we are unable to give an opinion on internal control 
over [state control objective affected]. However, we did evaluate 
internal control over [list control objective not affected by scope 
limitation].” State the opinion on the other objective: “[Entity] 
maintained in all material respects effective internal control over 
[list unaffected areas, for example, financial reporting or compliance] 
as of [end of fiscal year] that provided reasonable assurance that [list
unaffected areas, for example, misstatements and losses or 
noncompliance] material in relation to the financial statements would 
be prevented or detected on a timely basis. Our opinion is based on...
[continue with second sentence]” 
Objectives, Scope, and Methodology: Delete the last sentence on GAGAS
compliance. Insert: “Except for the limitations on the scope of our 
work, we performed our audit in accordance with U.S. generally accepted
government auditing standards and OMB guidance. We considered the 
limitations on the scope of our work in forming our conclusions.” 

Situation: 9. Material weakness in internal control relevant to one or 
more control objective(s) (see FAM 580.44); 
Bullets: Second bullet: “[Entity] did not have effective internal
control over [state objective(s) affected, for example, financial 
reporting], but had effective internal control over [state objective 
not affected, for example, compliance with laws and regulations].”
Significant Matters (see note 1): Describe material weakness in internal
control and include the term “material weakness” in the description. 
Indicate whether each weakness was reported by management in FMFIA 
reports. Add the following to address the possible effects of material 
weaknesses on other reports: “These deficiencies in internal control may
adversely affect any decision by management that is based, in whole or 
in part, on information that is inaccurate because of the deficiencies. 
Unaudited financial information reported by [name of entity], including 
budget information, also may contain misstatements not prevented because
of these deficiencies.” 
Opinion or Conclusion: Adverse opinion on internal control: “Because of 
the material weakness in internal control described above, [entity] did 
not maintain effective internal control over [state objective(s) 
affected, for example, financial reporting or compliance] as of [end of 
fiscal year], which thus did not provide reasonable assurance that 
[state control objective(s) affected, such as misstatements and losses 
or noncompliance] material in relation to the financial statements 
would be prevented or detected on a timely basis.” If controls were 
effective over one objective, add the following: “However, [entity] 
maintained in all material respects effective internal control over 
[state objective not affected, such as compliance or financial 
reporting] as of [date of fiscal year-end] that provided reasonable 
assurance that [state appropriate effect(s) such as, noncompliance or
misstatements and losses] material in relation to the financial 
statements would be prevented or detected on a timely basis.”
Continue with sentence about the basis of the opinion. Opinion on 
financial statements: If the opinion on financial statements is 
unqualified, include the following at the end of the opinion on the 
financial statements: “However, misstatements may nevertheless occur in 
other financial information reported by [name of entity] and may not be 
prevented or detected because of the internal control deficiencies 
described above.” If the report also includes significant deficiencies 
other than the material weakness, insert wording from note 6; 
Objectives, Scope, and Methodology: No changes unless both control 
objectives are affected by material weakness. In that situation, delete 
the sentences of caution on projection of the evaluation of controls to 
future periods that begins: “Because of inherent limitations [delete
rest of paragraph]...” Add: “We considered the material weaknesses 
identified above in determining the nature, timing, and extent of our 
audit procedures on the 20XX financial statements.” 

Situation: 10. Significant deficiency (other than material weakness)
(see FAM 580.47); 
Bullets: Second bullet: “Although internal controls could be improved, 
[entity] had effective internal control over ...”
Significant Matters (see note 1): For a significant deficiency to be 
communicated to the entity head, those charged with governance, OMB, and
the Congress (as defined in FAM 580.53): Describe the deficiency and 
indicate (1) that the deficiency is not a material weakness and (2) 
whether the deficiency was reported by management in the summary of 
FMFIA reports. For a significant deficiency that is not considered to 
be a significant matter individually (as defined in FAM 580.54): List 
the weakness. Combine related weaknesses; 
Opinion or Conclusion: Opinion on internal control: No change to the 
two sentences on the opinion on internal control. Following that, 
continue: “However, our work identified the need to improve certain 
internal control, as described above and in [identify other reports or 
management letters that discuss the internal control deficiency in more 
detail by reference to date and GAO or IG/other auditor document 
number]. This deficiency in internal control, although not considered 
to be a material weakness, represents a significant deficiency in the
design or operations of internal control, which adversely affects the 
entity’s ability to meet the internal control objective(s) listed above 
or meet OMB criteria for reporting matters under FMFIA.” If a 
significant deficiency is included as a significant matter and the 
opinion on the financial statements is unqualified, include the 
following: “In addition, misstatements may occur in other financial 
information reported by [name of entity] and not be prevented or 
detected because of the internal control deficiency described above.”
If the report also includes a material weakness, see note 6. 
Objectives, Scope, and Methodology: No changes. 

Situation: 11. The purpose was not to give an opinion on internal 
control and significant deficiencies other than material weaknesses were
found (see FAM 580.50). 
Bullets: Second bullet: “No material weaknesses in internal control over
financial reporting (including safeguarding assets) and compliance and
its operation, although internal control could be improved.” 
Significant Matters (see note 1): For a significant deficiency to be 
communicated to the entity head, those charged with governance, OMB, and
the Congress (as defined in FAM 580.53) were found: Describe the 
weaknesses and indicate (1) that the weaknesses are not material 
weaknesses and (2) whether the weaknesses were reported by management 
in the summary of FMFIA reports. If significant deficiencies are not
considered to be significant matters individually (as defined in FAM 
580.53): List the weaknesses. Combine related weaknesses; 
Opinion or Conclusion: Consideration of internal control: “We 
considered internal control over financial reporting and compliance.”
“We do not express an opinion on internal control over financial 
reporting and compliance because the purpose of our work was to 
determine our procedures for auditing the financial statements and to
comply with OMB audit guidance, not to express an opinion on internal 
control. However, our work identified the need to improve certain 
internal controls, as described above. These deficiencies in internal 
control, although not considered material weaknesses, represent 
significant deficiencies in the design or operation of internal 
control, which adversely affect the entity’s ability to meet the 
internal control objectives listed in the objectives, scope, and
methodology or meet OMB criteria for reporting matters under FMFIA. A 
material weakness is a control deficiency that results in more than a 
remote likelihood that the design or operation of one or more internal 
controls will not allow management or employees, in the normal course 
of performing their duties, to promptly detect or prevent errors, 
fraud, or noncompliance in amounts that would be material to the 
financial statements. Our internal control work would not necessarily 
disclose all deficiencies in internal control that might be material
weaknesses or other significant deficiencies.” 
Objectives, Scope, and Methodology: See note 8. 

Situation: 12. The purpose was not to give an opinion on internal 
control and one or a few material weaknesses were found (see FAM 
580.50). 
Bullets: Second bullet: “Material weakness(es) over [briefly describe 
area affected by material weakness(es), for example, reporting
expenditures].” 
Significant Matters (see note 1): Describe material weakness(es) found
and include the term “material weakness” in the description. Indicate
whether each weakness was reported by management in FMFIA reports. Add 
the following to address the possible effects of material weakness(es)
on other reports: “These deficiencies in internal control may adversely 
affect any decision by management that is based, in whole or in part, 
on information that is inaccurate because of these deficiencies. 
Unaudited financial information reported by [name of entity], including 
budget information, also may contain misstatements not prevented or 
detected because of these deficiencies.” 
Opinion or Conclusion: Consideration of internal control: “We 
considered internal control over financial reporting and compliance.” 
“We do not express an opinion on internal control over financial 
reporting and compliance because the purpose of our work was to 
determine our procedures for auditing the financial statements and to 
comply with OMB audit guidance, not to express an opinion on internal
control. However, we found the material weakness(es) described above. A 
material weakness is a control deficiency that results in more than a 
remote likelihood that the design or operation of one or more internal 
controls will not allow management or employees, in the normal course 
of performing their duties, to promptly detect or prevent errors, 
fraud, or noncompliance in amounts that would be material to the 
financial statements. Our internal control work would not necessarily 
disclose all deficiencies in internal control that might be material
weaknesses or other significant deficiencies.” 
Objectives, Scope, and Methodology: See note 8. 

Situation: 13. The purpose was not to give an opinion on internal 
control and many material weaknesses were found (see FAM 580.50). 
Bullets: Second bullet: “Material weaknesses in internal control that
resulted in ineffective controls over [state objectives(s) affected,
for example, financial reporting].” 
Significant Matters (see note 1): Describe material weaknesses found and
include the term “material weakness” in the description. Indicate 
whether each weakness was reported by management in FMFIA reports. Add 
the following to address the possible effects of material weaknesses on 
other reports: “These deficiencies in internal control may adversely 
affect any decision by management that is based, in whole or in part, 
on information that is inaccurate because of the deficiencies. 
Unaudited financial information reported by [name of entity], including 
budget information, also may contain misstatements resulting from these
deficiencies.” 
Opinion or Conclusion: Consideration of internal control: “We 
considered internal control over financial reporting and compliance.” 
“We do not express an opinion on internal control over financial 
reporting and compliance because the purpose of our work was to 
determine our procedures for auditing the financial statements and to 
comply with OMB audit guidance, not to express an opinion on internal 
control. However, we found the material weaknesses described above, 
which resulted in ineffective controls over [state objective(s) 
affected, for example, financial reporting]. A material weakness is a 
control deficiency that results in more than a remote likelihood that 
the design or operation of one or more internal controls will not allow 
management or employees, in the normal course of performing their 
duties, to promptly detect or prevent errors, fraud, or noncompliance 
in amounts that would be material to the financial statements. Our 
internal control work would not necessarily disclose all deficiencies 
in internal control that might be material weaknesses or other 
significant deficiencies.” 
Objectives, Scope, and Methodology: See note 8. 

Financial Management Systems’ Substantial Compliance with FFMIA 
Requirements: 

Situation: 14. Lack of financial management systems’ compliance with 
FFMIA requirements (see FAM 580.64). 
Bullets: Third bullet: “[entity’s] financial management systems did not 
substantially comply with the requirements of FFMIA.” 
Significant Matters (see note 1): Describe instances of lack of 
substantial compliance of financial management systems with federal 
financial management systems requirements, federal accounting 
standards, or the SGL at the transaction level. Indicate whether each
instance was reported by management in FMFIA reports. In addition, as
required by FFMIA, identify the entity or organization responsible for 
the systems found not to comply; include the nature and extent of the
noncompliance, areas in which there was substantial but not full 
compliance, primary reason or cause, and relevant management comments; 
and make recommendations (in the recommendation section) and report 
time frames to implement recommendations; 
Opinion or Conclusion: Systems’ compliance with FFMIA requirements: 
“Our work disclosed instances, described above, in which [entity’s] 
financial management systems did not substantially comply with [specify 
the requirements where a lack of substantial compliance was found, such
as federal financial management systems requirements or the U.S. 
Government Standard General Ledger at the transaction level].” Note: 
OMB audit guidance provides information for reporting on FFMIA 
compliance without expressing an opinion. 
Objectives, Scope, and Methodology: Add: “Our work on FFMIA would not
necessarily disclose all instances of lack of compliance with FFMIA
requirements.” 

Compliance with Laws and Regulations: 

Situation: 15. Scope limitation —some laws could not be tested (see FAM
580.74). 
Bullets: Fourth bullet: “No reportable noncompliance with laws and 
regulations we tested; however, we could not test compliance with 
certain laws we considered necessary because of limitations on the 
scope of our work.”
Significant Matters (see note 1): Describe significant scope 
limitations, including a list of the laws not tested. 
Opinion or Conclusion: Compliance with laws and regulations: “Our tests 
for compliance with selected provisions of laws and regulations 
disclosed no instances of noncompliance that would be reportable under 
U.S. generally accepted government auditing standards or OMB audit
guidance; however, as discussed above, we could not test for compliance
with all the laws we considered necessary.” 
Objectives, Scope, and Methodology: Exclude laws not tested from list of
laws. Change the GAGAS statement as follows: “Except for the limitation 
in the scope of our work, we performed our audit in accordance with
U.S. generally accepted government auditing standards and OMB audit
guidance. We considered the limitations on the scope of our work in 
forming our conclusions.” 

Situation: 16. Scope limitation —all laws could not be tested— 
disclaimer (see FAM 580.74). 
Bullet: Fourth bullet: “We were unable to test [entity’s] compliance 
with laws and regulations because of limitations on the scope of our
work.” 
Significant Matters (see note 1): Describe scope limitation and 
conclude with: “Because of this limitation on the scope of our work, we 
were unable to test [entity’s] compliance with laws and regulations.” 
Opinion or Conclusion: Compliance with laws and regulations: Omit 
statement regarding compliance with laws and regulations and replace 
with: “We were unable to test for compliance with the laws we 
considered necessary; accordingly, we are unable to report on the 
entity’s compliance with laws and regulations.” Omit the last two 
sentences. 
Objectives, Scope, and Methodology: Delete all references to the 
auditor’s responsibility for testing compliance with laws and 
regulations and how that responsibility was fulfilled. Insert specific 
wording from note 4. 

Situation: 17. Material noncompliance with laws and regulations (see 
FAM 580.69). 
Bullets: Fourth bullet: “Reportable noncompliance with laws and 
regulations we tested.” 
Significant Matters (see note 1): Describe the material noncompliance 
and place the findings in proper perspective to give readers a basis 
for judging the prevalence and consequences of the conditions. 
Opinion or Conclusion: Compliance with laws and regulations: “Except as 
noted above, our tests for compliance with the provisions of selected 
laws and regulations disclosed no other instances of noncompliance that 
would be reportable under U.S. generally accepted government auditing 
standards or OMB audit guidance.” [Continue paragraph with last two
sentences.] 
Objectives, Scope, and Methodology: No changes. 

Situation: 18. Reportable noncompliance (other than material 
noncompliance) (see FAM 580.70).
Bullets: Fourth bullet: “Reportable noncompliance with laws and 
regulations we tested.” 
Significant Matters (see note 1): For noncompliance that is considered 
to be reportable and to be communicated to the entity head, those 
charged with governance, OMB, and the Congress: Describe the 
noncompliance. Indicate that the noncompliance is not material to the
financial statements. For reportable noncompliance that is not 
considered to be significant: List the noncompliance. Combine related
instances of noncompliance. 
Opinion or Conclusion: Compliance with laws and regulations: “Except as 
noted above, our tests for compliance with selected provisions of laws
and regulations disclosed no other instances of noncompliance that would
be reportable under U.S. generally accepted government auditing 
standards or OMB audit guidance.” [Continue paragraph with last two
sentences.] 
Objectives, Scope, and Methodology: No changes. 

Consistency of Other Information (MD&A, Required Supplementary 
Information, and Other Accompanying Information): 

Situation: 19. Material inconsistency between other information and the
financial statements (see FAM 580.80). 
Introduction: No changes.
Significant Matters (see note 1): Describe the material inconsistency.
Opinion or Conclusions: Consistency of other information: Omit 
statement that we found no material inconsistencies and add: “As 
discussed above, the [list type(s) of other information in the Annual 
Financial Statement)—MD&A, required supplementary information 
(including required supplementary stewardship information), other 
accompanying information—that is not consistent with the financial 
statements] is inconsistent with the financial statements.” If certain 
type(s) of information are consistent, add: “Otherwise, we found no 
other material inconsistencies with the affected] or nonconformance
with generally accepted accounting principles or OMB guidance.”
Objectives, Scope, and Methodology: No changes. 

Situation: 20. Nonconformance of other information with U.S. generally
accepted accounting principles or OMB audit guidance (see FAM 580.80). 
Introduction: No changes.
Significant Matters (see note 1): Describe the nonconformance with U.S. 
GAAP or OMB audit guidance.
Opinion or Conclusions: Consistency of other information: Omit 
statement that we found no nonconformance with U.S. GAAP or OMB 
guidance and add: “As discussed above, the [list the type(s) of other 
information in the Annual Financial Statement)—MD&A, required 
supplementary information, or other accompanying information— that is 
not in conformity] does not conform with U.S. generally accepted 
accounting principles or OMB audit guidance.” If certain type(s) of 
other information conforms to U.S. GAAP or OMB guidance, add: 
“Otherwise, we found no other material inconsistencies with the 
financial statements or nonconformance of the [state type(s) of 
information not affected] with U.S. generally accepted accounting 
principles or OMB audit guidance.” 
Objectives, Scope, and Methodology: No changes. 

Situation: 21. Any situation that caused the auditor to modify the 
report on the financial statements, internal control, or compliance with
laws and regulations that also affects other information (see FAM 
580.81). 
Introduction: No changes.
Significant Matters (see note 1): In the discussion of the situation, 
include the effects on the other information in the Annual Financial
Statement.
Opinion or Conclusions: Consistency of other information: Omit 
statement that we found no inconsistency or nonconformance (or modify 
to refer only to unaffected type(s) of other information in the Annual 
Financial Statement —MD&A, required supplementary information, or other 
accompanying information) if considered to be misleading in light of 
the particular situation. Omit statement that we found no 
inconsistencies or nonconformance if there is a scope limitation that 
resulted in a disclaimer of a report on the financial statements. 
Objectives, Scope, and Methodology: If a scope limitation on the work 
on the financial statements, internal control, or compliance with laws 
and regulations results in the omission of the statement that we found 
no inconsistency of other information, delete all references to the 
auditor's responsibility for this other information and how we 
fulfilled that responsibility. Insert specific wording from note 5. 

Notes to Modifications of Auditor’s Report: 

Note 1: Significant matters: 

The auditor may include significant matters of interest in a 
transmittal letter as discussed in FAM 580.05 and may begin the section
with the following statement: 

"Described below are significant matters we considered in performing 
our audit and forming our conclusions." 

Note 2: Disclaimer due to a scope limitation on financial statements: 

In the “Objectives, Scope and Methodology” section delete the following 
words in quotation marks. 

We are responsible for obtaining reasonable assurance about whether 
"(1) the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles, and (2)” [continue with rest of paragraph]. 

Delete the following: 

" (1) examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements, 

(2) assessed the accounting principles used and significant estimates 
made by management, 

(3) evaluated the overall presentation of the financial statements," 

Add the following words in quotation marks: 

Because of the significance of the limitations on the scope of our 
work, we were unable to and did not perform our audit in accordance 
with U.S. generally accepted government auditing standards and OMB 
audit guidance. “We considered the limitations on the scope of our work 
in forming our conclusions.” 

Note 3: Disclaimer of opinion on internal control due to a scope 
limitation: 

In the “Objectives, Scope, and Methodology” section, delete the 
following words in quotation marks: 

We are responsible for obtaining reasonable assurance about whether 
“(1)” the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles “and (2) management maintained effective internal control, 
the objectives of which are the following: 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the preparation of financial statements in 
conformity with U.S. generally accepted accounting principles, and 
assets are safeguarded against loss from unauthorized acquisition, use, 
or disposition. 

* Compliance with laws and regulations: Transactions are executed in 
accordance with laws governing the use of budget authority and with 
other laws and regulations that could have a direct and material effect 
on the financial statements and any other laws, regulations, and 
governmentwide policies identified by OMB audit guidance.” [continue 
with rest of paragraph] 

Delete the following: 

“(4) obtained an understanding of internal control related to financial 
reporting (including safeguarding assets), compliance with laws and 
regulations (including execution of transactions in accordance with 
budget authority); 

(5) tested relevant internal controls over financial reporting 
(including safeguarding assets), compliance, and evaluated the design 
and operating effectiveness of internal control; 

(6) considered the process for evaluating and reporting on internal 
control and financial management systems under the Federal Managers’ 
Financial Integrity Act of 1982,” ...[continue with rest of paragraph] 

“We did not evaluate all internal controls relevant to operating 
objectives as broadly defined by FMFIA, such as those controls relevant 
to preparing statistical reports and ensuring efficient operations. We 
limited our internal control testing to those controls over financial 
reporting and compliance. Because of inherent limitations in internal 
control, misstatements due to error or fraud, losses, or noncompliance 
may nevertheless occur and not be detected. We also caution that 
projecting our evaluation to future periods is subject to the risk that 
controls may become inadequate because of changes in conditions or
that the degree of compliance with controls may deteriorate." 

Add the following: 

Because of the significance of the limitations on the scope of our 
work, we were unable to and did not perform our audit of internal 
control in accordance with U.S. generally accepted government auditing 
standards and OMB audit guidance. We considered the limitations on the 
scope of our work in forming our conclusions and in testing the 
financial statements. 

Note 4: Disclaimer of a report on compliance with laws and regulations 
due to a scope limitation: 

In the objectives, scope and methodology section, delete the following 
words in quotation marks: 

We are also responsible for “(1)” testing whether [entity’s] financial 
management systems substantially comply with the three FFMIA 
requirements, “(2) testing compliance with selected provisions of laws 
and regulations that have a direct and material effect on the financial 
statements and laws for which OMB audit guidance requires testing,” and 
“(3)” performing limited procedures with respect to certain other 
information appearing in the Annual Financial Statement. 

Delete the following: 

“(8) tested compliance with selected provisions of the following laws 
and regulations [do not list any laws and regulations]." 

Add the following: 

Because of the significance of the limitations on the scope of our 
work, we were unable to and did not perform our audit of internal 
control in accordance with U.S. generally accepted government auditing 
standards and OMB audit guidance. We considered the limitations on the 
scope of our work in forming our conclusions and in testing the 
financial statements. 

Note 5: Disclaimer of a report on the financial statements, internal 
control, or compliance with laws and regulations: 

If scope limitations on our work on the financial statements, internal 
control, or compliance with laws and regulations result in the omission 
of the statement that we found no inconsistency of other information, 
delete the following words in quotation marks from the objectives, 
scope, and methodology section: 

We are also responsible for ... “and (3) performing limited procedures 
with respect to certain other information appearing in the Annual 
Financial Statement.” 

Add the following: 

Because of the significance of the limitations on the scope of our 
work, we were unable to and did not perform our audit of internal 
control in accordance with U.S. generally accepted government auditing 
standards and OMB audit guidance. We considered the limitations on the 
scope of our work in forming our conclusions and in testing the 
financial statements. 

Note 6: Reporting both material weaknesses and other significant 
deficiencies in the significant matters section: 

If both material weaknesses and other significant deficiencies are 
included in the significant matters section, the auditor should include 
the changes for material weaknesses first, and then continue with an 
additional paragraph for significant deficiencies that begins "Our work 
also identified the need to improve certain internal controls...." 

Note 7: Explanatory paragraphs: 

Explanatory paragraphs may be included in either the significant 
matters section or the opinion section of the report as discussed in 
FAM 580.26. 

Note 8: No management assertion about the effectiveness of internal 
control: 

In the objectives, scope, and methodology section, delete the following 
words in quotation marks: 

We are responsible for obtaining reasonable assurance about whether 
“(1)” the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles “and (2) management maintained effective internal control, 
the objectives of which are the following: 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the preparation of financial statements in 
conformity with U.S. generally accepted accounting principles, and 
assets are safeguarded against loss from unauthorized acquisition, use, 
or disposition. 

* Compliance with laws and regulations: Transactions are executed in 
accordance with laws governing the use of budget authority and with 
other laws and regulations that could have a direct and material effect 
on the financial statements and any other laws, regulations, and 
governmentwide policies identified by OMB audit guidance.” ... 
[continue with rest of paragraph] 

Insert the following words in quotation marks into the sentence 
following the objectives: 

We are also responsible for “obtaining a sufficient understanding of 
internal control over financial reporting and compliance to plan the 
audit and for” testing compliance with ... Add the following sentence 
at the end of the paragraph that begins, “We did not evaluate all 
internal controls...” 

“In addition, we caution that our internal control testing may not be 
sufficient for other purposes.” 

[End of example] 

595 C - Uncorrected Misstatements and Adjusting Entries: 

.01: As discussed in FAM 540.04, the auditor should accumulate known 
and likely misstatements identified by the auditor during the audit but 
not yet corrected by the entity. The auditor may do this on a Schedule 
of Uncorrected Misstatements that includes related adjusting entries. 
Because the entity is responsible for its financial statements, as 
discussed in FAM 540.07-.08, management has to decide which 
misstatements to correct in the financial statements and which amounts 
will remain uncorrected misstatements. The auditor should communicate 
misstatements to those charged with governance. 

Schedule of Uncorrected Misstatements: 

.02: The auditor generally should include the effect of uncorrected 
misstatements on the entity’s financial statements, and provide the 
related adjusting entries to entity management. Because this 
information follows the entity’s financial statements, the specific 
line items may differ for each entity. See example 1 in this section 
for a Schedule of Uncorrected Misstatements. 

.03: The auditor should list all uncorrected misstatements other than 
those below a trivial[Footnote 87] or de minimis amount (see FAM 
540.04). The auditor may include those that will be corrected by the 
entity. The auditor should also include any misstatements identified by 
the entity and brought to the auditor’s attention (after the auditor is 
satisfied they are misstatements) that have not been corrected in the 
financial statements. 

.04: The auditor should also include the effect of uncorrected 
misstatements from the prior year on the current year’s financial 
statements (the carryover effect) or note that there were none. 

.05: The auditor generally should include in the related adjusting 
entries information as follows: 

(1) Reference to an adjustment number or documentation reference. 

(2) Whether or not management has agreed to record the adjustment in its
financial statements (after discussion with management as discussed in
FAM 595 C.06). 

(3) Whether the misstatement is either known or likely. 

(4) Whether the misstatement is the carryover effect from a prior year 
(PY) or a misstatement identified in the current year (CY). 

(5) Description of the adjustment. 

(6) Indication of whether each account affected is a federal 
intragovernmental (F) or a nonfederal public account (N). 

(7) Standard general ledger account number and account description. 

(8) Amount of the debit and credit. 

(9) Line items affected in the entity’s financial statements. For 
entities required to submit misstatements for use in the preparation 
and audit of the U.S. government’s Consolidated Financial Statements 
(CFS), the auditor generally should indicate the CFS line item 
affected. 

See example 1 in this FAM section. 

Discuss Uncorrected Misstatements with Management: 

.06: The auditor must communicate known and likely misstatements 
identified during the audit to the appropriate level of management as 
required by AU 312. The auditor should request management to correct all 
known misstatements. The auditor should also request management to 
investigate likely misstatements as discussed in FAM 540.07-.08. If 
management investigates and challenges assumptions or methods used in 
developing an estimate for likely misstatements, the auditor should 
reevaluate the misstatement and determine whether to perform additional 
audit procedures. The auditor should document discussions with 
management on misstatements and any additional audit procedures 
performed on likely misstatements. 

In example 1 of this section, adjustment #6 is a material misstatement 
of $10 million on a base of $400 million of earned revenue or 2.5 
percent that management should record in the financial statements to 
obtain an unqualified opinion. 

.07: If management declines to correct all misstatements to the 
financial statements, the auditor generally should use the Schedule of 
Uncorrected Misstatements to create a new Summary of Uncorrected 
Misstatements for any uncorrected misstatements as indicated in Example 
2 of this FAM section. The example summary includes a last column of 
final account balances to assist the auditor in calculating, 
evaluating, and concluding the effect of uncorrected misstatements on 
the final financial statements. In example 2, management has declined 
to correct misstatements #1-5 in the financial statements as 
immaterial. 

.08: If management corrects the misstatement, the auditor generally 
should transfer the misstatement to a Summary of Misstatements 
Corrected as indicated in example 3 of this FAM section. In example 3, 
management has agreed to correct misstatement #6 in the financial 
statements as material. 

.09: The auditor should attach the Summary of Uncorrected Misstatements 
without the auditor’s calculations, evaluation, and conclusion (or a 
listing of uncorrected misstatements if the number and amount of the 
misstatements are insignificant) to the management representation 
letter as discussed in FAM 1001. 

Communication with Those Charged with Governance: 

.10: The auditor should communicate with those charged with governance
uncorrected misstatements and material misstatements corrected as a 
result of audit procedures (AU 380). The auditor may communicate 
uncorrected misstatements to those charged with governance by using the 
Summary of Uncorrected Misstatements (without the auditor’s 
calculations, evaluation, or conclusion) in example 2 and the Summary 
of Misstatements Corrected in example 3. The auditor may also encourage 
those charged with governance to ask management why the misstatements 
were not corrected. 

.06: The auditor also may communicate other corrected immaterial 
misstatements, such as frequently recurring immaterial misstatements 
that may indicate a particular bias in the preparation of the financial 
statements. An example would be recurring cutoff errors for liabilities 
at year end. 

.07: If there are a large number of small uncorrected misstatements, 
the auditor may communicate the number and overall monetary effect of 
the misstatements, rather than the details of each individual 
misstatement. The auditor should also communicate with those charged 
with governance the effect of uncorrected misstatements related to 
prior periods on the relevant classes of transactions, account balances 
or disclosures, and the financial statements as a whole. 

.08: The auditor should discuss with those charged with governance the
implications of management’s failure to correct known and likely
misstatements, considering qualitative as well as quantitative 
considerations, including possible implications in relation to future 
financial statements. 

Final Evaluation: 

.09: The auditor should evaluate the effect of the uncorrected 
misstatements in relation to final materiality (FAM 530), and determine 
whether the financial statements taken as a whole are materially 
misstated from a quantitative or qualitative viewpoint. 

.10: The auditor should also conclude (in consultation with the 
reviewer as discussed in FAM 540.04) as to the adequacy of the scope of 
procedures performed in light of the total uncorrected misstatements 
identified above. 

Example 1- Schedule of Uncorrected Misstatements (before discussion 
with management) 

[See PDF for image] 

Example 1 – Adjusting Entries to Correct Misstatements (before 
discussion with management) 

[See PDF for image] 

Example 2 – Summary of Uncorrected Misstatements (after discussion with 
management) 

[See PDF for image] 

Example 2 – Adjusting Entries to Correct Misstatements (after 
discussion with management) 

[See PDF for image] 

Example 3 – Summary of Corrected Misstatements (after discussion with 
management) 

[See PDF for image] 

[End of section] 

Appendixes: 

Appendix A - Consultations: 

Reviewer: 

.01: The FAM paragraphs below refer to situations in which the auditor 
should consult with the reviewer. 

110.28: If departing from a policy or standard designated as “should” 
in the FAM, the auditor must document the departure and the basis for 
the departure. The documentation should include how the alternative
procedures were sufficient to achieve the objectives of the standard or 
policy and the auditor should obtain the reviewer’s approval of the 
departure. 

230.07: Using an amount for planning materiality that does not follow 
the guidelines in the manual should be approved by the reviewer. 

260.05: Using an increased overall audit assurance should be approved 
by the reviewer. 

285.04, 295 C.01: Using a plan other than that described in FAM 295 C 
for selecting locations to visit should be approved by the reviewer. 

395 G.07: Planned multiyear control testing should be approved by
the reviewer. 

480.13: Using nonstatistical sampling should be approved by the 
reviewer. 

480.41: The auditor should consult with the reviewer when determining 
the adequacy of substantive procedures in light of any reassessment of 
combined risk. 

530.03: The auditor should consult with the reviewer when determining 
the need to perform additional procedures when there are questions 
about the adequacy of work performed. 

540.04, 595 C.15: The reviewer should review the Schedule of Uncorrected
Misstatements. 

540.09: The auditor should consult with the reviewer when reviewing 
documentation of a decision to modify the opinion based on the 
materiality of total likely misstatements, which includes known 
misstatements and the reviewer should approve. 

540.12: The auditor should consult with the reviewer when evaluating 
the materiality of total likely uncorrected misstatements plus an 
allowance for further misstatement and their effects on the financial 
statements. 

540.16: The auditor should consult with the reviewer when determining 
the effects on the auditor's report and current-period statements, if 
any, of material misstatements detected in the current year that arose
during prior periods but were not detected during prior audits. 

540.17: The auditor should consult with the reviewer before performing 
additional procedures to increase assurance in projected misstatements. 

540.20: The auditor should consult with the reviewer when determining 
whether misstatements may be the result of fraud. 

540.23: The auditor should consult with the reviewer before 
including fraud in the audit report that involves senior management or 
that causes a material misstatement of the financial statements. 

580.21: The auditor should consult with the reviewer when concluding on 
whether the financial statements are materially affected by a departure 
from U.S. GAAP and the reviewer should approve. 

580.41: The auditor should consult with the reviewer when determining 
the appropriate type of opinion on internal control when there is a 
scope limitation. 

580.49: The auditor should consult with the reviewer when determining 
the opinion on internal control. 

580.76: The auditor should consult with the reviewer when determining 
the effects on the auditor's report if weaknesses are found in 
compliance controls but no instances of noncompliance are detected. 

Statistician: 

.02: The following FAM paragraphs refer to situations in which the 
auditor should consult with the statistician. 

285.01, 295C.01: The auditor should consult with the statistician when
selecting locations. 

295 C.04, 480.33: The auditor should consult with the statistician when
using classical variables sampling or another representative sampling 
method to select locations. 

410.02: The auditor should consult with the statistician for assistance 
in designing and evaluating samples and in determining the costs and 
benefits when deciding the appropriate type of sampling to use. 

440.02, 450.17, 460.02, 480.28, 480.30: The auditor should consult with 
the statistician when expanding the sample size to test additional 
items. 

450.08: The auditor should consult with the statistician when 
determining sample sizes for tests of controls when not using Tables I 
and/or II. 

450.09 (footnote), 460.02 (footnote): The auditor should consult with 
the statistician when computing reduced sample sizes and evaluating 
results for small populations. 

450.16: The auditor should consult with the statistician when 
continuing to test a sample when deviations exceed the acceptable 
number. 

450.18: The auditor should consult with the statistician when 
projecting the rate of sample control deviations to a population for a 
report. 

460.02: The auditor should consult with the statistician when 
evaluating the results of an expanded test. 

480.13: The auditor should consult with the statistician before 
performing nonstatistical sampling tests. 

480.17: The auditor should consult with the statistician before using 
any sampling method. 

480.21 (footnote): The auditor should consult with the statistician when
deciding when to use MUS versus classical variables estimation 
sampling. 

480.38: The auditor should consult with the statistician before 
performing Classical Variables Estimation Sampling. 

480.39: The auditor should consult with the statistician when 
evaluating sample results for substantive tests. 

480.42: The auditor should consult with the statistician when 
evaluating samples designed to test existence when understatements are 
found. 

480.44: The auditor should consult with the statistician when 
evaluating monetary-unit samples when a significant number of 
misstatements is found. 

480.45: The auditor should consult with the statistician when 
evaluating classical variables estimation sampling. 

480.46: The auditor should consult with the statistician when 
evaluating the results of other samples. 

495 A.24: The auditor should consult with the statistician when using 
regression analysis for analytical procedures. 

495E.03: The auditor should consult with the statistician when 
determining the type of sampling when testing for overstatement and a 
large misstatement rate is expected. 

495E, IV: The auditor should consult with the statistician when 
evaluating and documenting the results of classical PPS sampling when 
many errors are found and the sample size is 75 or greater. 

540.11: The auditor should consult with the statistician when computing 
the combined precision for all sampling applications. 

Office Of General Counsel (OGC): 

.03: The FAM paragraphs listed below refer to situations in which the 
auditor should consult with its OGC. 

245.02: The auditor should consult with OGC when identifying laws and 
regulations that have a direct effect on determining amounts in the 
financial statements. 

250.03, 250.05: The auditor should consult with OGC when identifying
relevant budget restrictions. 

370.11: The auditor should consult with OGC when determining the legal 
implications of indications that internal control might not provide 
reasonable assurance that the entity executed transactions in 
accordance with budget authority. 

395 F.01 (footnote): The auditor should consult with OGC when 
identifying any impoundments (rescissions or deferrals) as a result of
evaluating budgetary controls. 

395 FS.04: The auditor should consult with OGC when determining, prior 
to performing control or compliance tests, the applicability of budget 
restrictions to modifications made to direct loans, direct loan 
obligations, loan guarantees, or loan guarantee commitments that were 
outstanding prior to October 1, 1991. 

460.07: The auditor should consult with OGC when evaluating possible 
instances of noncompliance noted in connection with compliance testing. 

540.20: The auditor should consult with OGC when considering whether 
misstatements may be the result of fraud. 

580.68: The auditor should consult with OGC when concluding on the 
entity’s compliance with laws and regulations. 

580.76: The auditor should consult with OGC when determining the 
effects on the auditor's report if weaknesses are found in compliance 
controls but no instances of noncompliance are detected. 

[End of Appendix A] 

Appendix B -- Instances Where the Auditor “Must” Comply in the FAM: 

.01: In the FAM paragraphs listed below the word “must” is mostly used 
to indicate a situation in which the auditor is required to comply with
professional standards and policies. 

110.04 (footnote): When an auditor opines on internal control, the 
opinion must be on internal control and not management’s assertion if
material weaknesses are present. 

110.28: Defines “must” as mandatory compliance when circumstances exist 
to which the standard or policy applies. 

210.01: The auditor must adequately plan the audit work. 

215.11, 550.13: The auditor must communicate with those charged with
governance matters related to the financial statement audit that are, 
in the auditor’s professional judgment, significant and relevant to the 
responsibilities of those charged with governance in overseeing the 
financial reporting process. 

220.01: The auditor must obtain an understanding of the entity and its 
environment, including internal control, to assess the risk of material 
misstatement, whether due to error or fraud, and to design the nature, 
extent, and timing of further audit procedures. 

240.09: For entities subject to OMB audit guidance, for controls that 
are properly designed and implemented, the auditor must perform 
sufficient tests to support a low assessed level of control risk. 

260.23: The auditor must plan and perform the audit to obtain 
reasonable assurance about whether the financial statements are free of 
material misstatement, whether caused by error or fraud. 

260.42: The auditor must respond to the assessed risks of material 
misstatement due to fraud. 

260.64: The auditor must report whether the financial management 
systems substantially comply with FFMIA requirements (for CFO Act 
agencies). 

280.03: The auditor must obtain a representation letter from entity 
management on specific matters at the completion of the audit. 

290.01: The auditor must prepare audit documentation in sufficient 
detail to provide a clear understanding of the work performed 
(including the nature, extent, timing, and results of audit procedures 
performed), the audit evidence obtained and its source, and the 
conclusions reached. 

290.09: The auditor must develop an audit plan in which the auditor
documents the audit procedures to be used, that, when performed, are 
expected to reduce audit risk to an acceptably low level. 

340.09: For entities subject to OMB audit guidance, the auditor must 
test controls that are likely to be effective, but may consider using a 
multi-year approach to testing controls over no more than 3 years. 

510.01, 580.01: The auditor must draft reports which include: the 
auditor’s conclusions on the financial statements taken as a whole; 
internal control; substantial compliance with FFMIA requirements (for 
CFO Act agencies); compliance with laws and regulations tested; and 
other unaudited information. 

540.07, 595C.06: The auditor must bring all misstatements found (known 
and likely) to management’s attention (except those below the auditor-
designated amount at which misstatements need not be accumulated). 

540.09: If entity management declines to record adjustments for any
misstatements, the auditor must determine the potential effects of 
these misstatements on the audit opinion in both quantitative and 
qualitative terms. 

550.07: The auditor must obtain written representations from entity
management as part of the audit. 

550.09: If management refuses to provide written representations, this 
is a limitation on the audit scope and the auditor must modify the report. 

570.01, 580.14: The auditor must determine whether the audit was
conducted in accordance with GAGAS and OMB audit guidance. 

580.10: The auditor must express an opinion regarding the financial 
statements, taken as a whole, or state that an opinion cannot be 
expressed in the auditor’s report. 

580.18: If the audit scope is adequate for expressing an opinion, the 
auditor must determine the appropriate type of opinion. 

580.21: The auditor must consider whether the financial statements are 
materially affected by a departure from U.S. GAAP. 

580.33: The auditor must determine whether each control deficiency or 
combination of control deficiencies is a significant deficiency or a 
material weakness. 

580.40: In order to express an unqualified opinion on internal control, 
the auditor must have a written management assertion about the 
effectiveness of internal control and must perform all the procedures 
the auditor considers necessary as discussed in FAM 300 and FAM 450. 

580.53: The auditor must communicate in writing material weaknesses and 
other significant deficiencies to entity management and those charged 
with governance. The auditor must include any material weaknesses or 
other significant deficiencies that were communicated in previous 
financial statement audits that have not yet been corrected. 

[End of Appendix B] 

Glossary: 

Accounting applications: 
The methods and records used to (1) identify, assemble, analyze, 
classify, and record a particular type of transaction or (2) report 
recorded transactions and maintain accountability for related assets and
liabilities. Common accounting applications are (1) billings, (2) 
accounts receivable, (3) cash receipts, (4) purchasing and receiving, 
(5) accounts payable, (6) cash disbursements, (7) payroll, (8) inventory
control, and (9) property, plant, and equipment (PP&E). 

Accounting system: 
The methods, records, and processes used to identify, assemble, 
analyze, classify, record, and report an entity’s transactions and to 
maintain accountability for the related assets and liabilities. 

Activity: 
The actual work task or step performed in producing and delivering 
products and services. An aggregation of actions performed within an 
organization that is useful for purposes of activity-based costing. 

Analytical procedures: 
The comparison of recorded account balances with expectations developed 
by the auditor, based on an analysis and understanding of the 
relationships between the recorded amounts and other data, to form a 
conclusion on the recorded amount. A basic premise underlying the 
application of analytical procedures is that plausible relationships 
among data may reasonably be expected to continue unless there are 
known conditions that would change the relationships or the data are 
misstated. 

Annual financial statement: 
As defined by OMB, the annual financial statement comprises: 

* unaudited Management’s Discussion and Analysis (MD&A), 

* audited basic financial statements, including note disclosures, 

* unaudited required supplementary stewardship information (RSSI), if 
applicable, 

* unaudited required supplementary information (RSI), if applicable, 
and, 

* unaudited other accompanying information, if applicable. 

This report is also referred to as the Performance and Accountability 
Report (PAR). 

Application controls: 
Controls that are incorporated directly into computer applications to 
help ensure the validity, completeness, accuracy, and confidentiality 
of transactions and data during application processing. Application 
controls include controls over input, processing, output, master data, 
application interfaces, and data management system interfaces. These 
controls are sometimes referred to as business process controls. FISCAM 
uses control categories that complement the FAM methodology: (1) 
authorization control, (2) completeness control, (3) accuracy control, 
and (4) control over integrity of processing and data files. 

Appropriation: 
Budget authority to incur obligations and to make payments from the 
Treasury for specified purposes. An appropriation act is the most 
common means of providing appropriations; however, authorizing and 
other legislation itself may provide appropriations. Appropriations do 
not represent cash actually set aside in the Treasury for purposes 
specified in the appropriation acts. They represent amounts that 
agencies may obligate during the period of time specified in the 
respective appropriation acts. 

Assertions: 
Management representations that are embodied in financial statement 
components. The FAM classifies assertions in the following five broad 
categories (as described in FAM 235.02): 

* Existence or occurrence; 
* Completeness; 
* Rights and obligations; 
* Accuracy/valuation or allocation; 
* Presentation and disclosure. 

Assessing control risk: 
The process of evaluating the effectiveness of an entity’s internal 
control in preventing or detecting misstatements that could be 
material, either individually or when aggregated with other 
misstatements, in financial statement assertions on a timely basis. 

Assurance, level of: 
The complement of audit risk, which is an auditor judgment. This is not 
the same as confidence level, which relates to an individual sample. 

Attributes sampling: 
Statistical sampling that reaches a conclusion about a population in 
terms of a rate of occurrence. 

Audit risk: 
A combination of (1) the risk (consisting of inherent and control risk) 
that the balance or class and related assertions contain misstatements 
that could be material to the financial statements when aggregated with 
misstatements in other balances or classes, and (2) the risk (detection 
risk) that the auditor will not detect such misstatement. 

Back door authority/Backdoor spending: 
A colloquial phrase for budget authority provided in laws other than 
appropriations acts, including contract authority and borrowing 
authority, as well as entitlement authority and the outlays that result 
from that budget authority. (See also appropriation and contract 
authority.) 

Borrowing authority: 
Budget authority enacted to permit an agency to borrow money and then 
to obligate against amounts borrowed. It may be definite or indefinite 
in nature. Usually the funds are borrowed from the Treasury, but in a 
few cases agencies borrow directly from the public. 

Budget authority: 
Authority provided by federal law to enter into financial obligations 
that will result in immediate or future outlays involving federal 
government funds. The basic forms of budget authority include (1)
appropriations, (2) borrowing authority, (3) contract authority, and 
(4) authority to obligate and expend offsetting receipts and 
collections. Budget authority includes the credit subsidy cost for 
direct loan and loan guarantee programs, but does not include the
underlying authority to insure or guarantee the repayment of 
indebtedness incurred by another person or government. 

Budget controls: 
Management’s policies and procedures for managing and controlling the 
use of appropriated funds and other forms of budget authority. 

Cause and effect basis: 
In cost accounting, a way to group costs into cost pools in which an 
intermediate activity may be a link between the cause and the effect. 

Classical probability proportional to size sampling: 
A type of statistical sampling where the sample is selected with 
probability proportional to the size (usually dollar amount) of an item 
and the evaluation is performed using variables methods (not monetary 
unit sampling). 

Classical variables estimation sampling: 
A sampling approach that measures sampling risk using the variation of 
the underlying characteristic of interest. This approach includes 
methods such as mean-per-unit, difference estimation, and ratio 
estimation. 

Closed (canceled) account: 
An appropriation account whose balance has been canceled. Once balances 
are canceled, the amounts are not available for obligation or 
expenditure for any purpose. 

Combined precision: 
The achieved precision for all statistical sampling applications. 

Common data source: 
All of the financial and programmatic information available for the 
budgetary, cost, and financial accounting processes. It includes all 
financial and much non-financial data, such as environmental data, that 
are necessary for budgeting and financial reporting as well as 
evaluation and decision information developed as a result of prior 
reporting and feedback. 

Compliance control: 
A process, by management and others, designed to provide reasonable 
assurance regarding the achievement of objectives for compliance with 
applicable laws and regulations. 

Compliance tests: 
Tests to obtain evidence on the entity’s compliance controls for each 
significant provision of laws and regulations identified for testing, 
including budget controls for each relevant budget restriction. 

Confidence interval: 
A statistical sample-based estimate expressed as an interval or range 
of values. The sample is designed such that there is a specified 
confidence level for which the population value being estimated is
expected to be located within the interval. More specifically, it is 
the projected misstatement or point estimate plus or minus precision at 
the desired confidence level and is also known as a precision or
precision interval. 

Confidence level: 
The complement of the applicable sampling risk. The measure of 
probability associated with a sampling interval. This is not the same 
as level of assurance. 

Contingency: 
An existing condition, situation, or set of circumstances involving 
uncertainty as to possible gain or loss to an entity. The uncertainty 
will ultimately be resolved when one or more future events occur or 
fail to occur. 

Contract authority: 
Budget authority that permits an entity to incur obligations in advance 
of appropriations, including collections sufficient to liquidate the 
obligation or receipts. Contract authority is unfunded, and a 
subsequent appropriation or offsetting collection is needed to 
liquidate the obligations. 

Control activities: 
One of the five components of internal control, in addition to control 
environment, risk assessment, information and communications, and 
monitoring. Control activities are the policies and procedures that 
help ensure that management directives are carried out. They help 
ensure that necessary actions are taken to address risks to achievement 
of the entity’s objectives. Control activities, whether automated or
manual, help achieve control objectives and are applied at various 
organizational and functional levels. 

Control environment: 
One of the five components of internal control, in addition to risk 
assessment, control activities, information and communications, and 
monitoring. The control environment sets the tone of an organization, 
influencing the control consciousness of its people. It is the 
foundation for all other components of internal control, providing 
discipline and structure. The control environment represents the 
collective effect of various factors on establishing, enhancing, or 
mitigating the effectiveness of specific control activities. Such 
factors include (1) integrity and ethical values, (2) commitment to 
competence, (3) management’s philosophy and operating style, (4) 
organizational structure, (5) assignment of authority and 
responsibility, (6) human resource policies and practices, (7) control 
methods over budget formulation and execution, (8) control methods over
compliance with laws and regulations, and (9) oversight groups. 

Control risk: 
The auditor’s assessment of the risk that a material misstatement that 
could occur in an assertion will not be prevented or detected on a 
timely basis by the entity’s controls. 

Control tests: 
Tests of a specific control activity to assess its effectiveness in 
achieving control objectives. 

Cost: 
The monetary value of resources used or sacrificed or liabilities 
incurred to achieve an objective, such as to acquire or produce a good 
or to perform an activity or service. 

Department (per FASAB Interpretation No. 6): 
Any department, agency, administration, or other financial reporting 
entity (see SFFAC No. 2) that is not part of a larger financial 
reporting entity other than the government as a whole. Used in 
distinguishing inter- and intradepartmental activity and balances. 

Design materiality: 
The portion of planning materiality that the auditor allocates to line 
items, accounts, or classes of transactions. 

Detection risk: 
The auditor’s assessment of the risk that the auditor will not detect a 
material misstatement that exists in an assertion. 

Entity risk assessment: 
One of the five components of internal control, in addition to control 
environment, control activities, information and communications, and 
monitoring. Risk assessment is the entity’s identification and analysis 
of relevant risks to achievement of its objectives, forming a basis for 
determining how the risks should be managed. An entity’s risk assessment
for financial reporting purposes is its identification, analysis, and 
management of risks relevant to the preparation of financial statements 
that are fairly presented in conformity with U.S. GAAP. 

Errors: 
Unintentional misstatements of amounts or disclosures in financial 
statements. 

Expectation: 
The auditor’s estimate of a recorded amount (based on an analysis and 
understanding of relationships between the recorded amounts and other 
data) in an analytical procedure. 

Expected misstatement: 
The dollar amount of misstatements the auditor expects in a population. 

Expired account: 
An account within Treasury to hold expired budget authority. The 
expired budget authority retains its fiscal year (or multiyear) 
identity for an additional 5 fiscal years. After the 5-year period has 
elapsed, all obligated and unobligated balances are canceled, the 
expired account is closed, and all remaining funds are returned to the 
general fund of the Treasury and are thereafter no longer available for 
any purpose. 

Federal financial management systems requirements: 
One of the three requirements of FFMIA. They include the requirements 
of OMB Circular No. A-127 and the JFMIP/OFFM series of systems 
requirement documents. 

Financial reporting control: 
A process, created by management and other personnel, designed to 
provide reasonable assurance regarding the achievement of financial 
reporting objectives. 

Financial statements (also called the basic or principal statements): 
A component of a federal entity’s annual financial statement (also 
referred to as the Accountability Report), which consist of:
* Balance Sheet; 
* Statement of Net Cost; 
* Statement of Changes in Net Position; 
* Statement of Budgetary Resources; 
* Statement of Custodial Activity (if applicable); 
* Statement of Social Insurance (if applicable); 
* Related note disclosures. 

Fraud: 
Fraud is an intentional act by one or more individuals among 
management, those charged with governance, employees, or third parties, 
involving the use of deception to obtain an unjust or illegal 
advantage. Two types of misstatements resulting from fraud are relevant 
to the auditor’s consideration in a financial statement audit: 
misstatements arising from fraudulent financial reporting and 
misstatements arising from misappropriation of assets. 

Fraudulent financial reporting: 
Intentional misstatements or omissions of amounts or disclosures in 
financial statements to deceive financial statement users. Fraudulent 
financial reporting could involve intentional alteration of accounting 
records, misrepresentation of transactions, intentional misapplication 
of accounting principles, or other means. 

Full cost: 
The total amount of resources used to produce the output. More 
specifically, the full cost of an output produced by a responsibility 
segment is the sum of (1) the costs of resources consumed by the 
responsibility segment that directly or indirectly contribute to the 
output and (2) the costs of identifiable supporting services provided 
by other responsibility segments within the reporting entity and by 
other reporting entities. 

Functional classification: 
A system of classifying budget authority, outlays, receipts, and tax 
expenditures according to the national needs being addressed. Each 
concurrent resolution on the budget allocates budget authority and 
outlays among the various functions. Each budget account appears in the 
single budget function (for example, national defense or health) that 
best reflects its major purpose, an important national need. A function 
may be divided into two or more subfunctions, depending upon the 
complexity of the national need addressed. 

Fund Balance with Treasury account (FBWT): 
An asset account representing the unexpended spending authority in 
entity appropriations. Also serves as a mechanism to prevent entity
disbursements from exceeding appropriated amounts. 

General controls: 
Management’s policies and procedures that apply to all or a large 
segment of an entity’s information systems. General controls help 
ensure the proper operation of information systems by creating the
environment for proper operation of application controls. General 
controls include (1) security management, (2) logical and physical 
access, (3) configuration management, (4) segregation of duties, and 
(5) contingency planning. 

Haphazard sample: 
A sample consisting of sampling units selected without any conscious 
bias, that is, without any special reason for including or omitting 
items from the sample. It does not consist of sampling units selected 
in a careless manner and is selected in a manner that can be expected 
to be representative of the population. 

Information and communication: 
One of the five components of internal control, in addition to control 
environment, entity risk assessment, control activities, and 
monitoring. The information and communication systems support the
identification, capture, and exchange of information in a form and time 
frame that enable people to carry out their internal control and other 
responsibilities. 

Information Security (IS) controls specialist: 
A person with technical expertise in information technology systems, 
general controls, applications, and information security. 

IS controls: 
Internal controls that are dependent on information systems processing 
and include general controls and application controls (described in FAM 
295 F). 

Inherent risk: 
The auditor’s assessment of the susceptibility of an assertion to a 
material misstatement, assuming there are no related controls. 

Interdepartmental: 
Activity and balances between two different departments. (See 
department.) The intradepartmental and interdepartmental amounts are 
subsets of intragovernmental activity and balances. 

Inter-entity: 
Activities or balances between two or more entities, departments, or 
bureaus. (See interdepartmental and intradepartmental.) 

Internal control: 
An integral component of an organization’s management systems that 
provides reasonable assurance that the following objectives are being
achieved: 
* effectiveness and efficiency of operations, 
* reliability of financial reporting, and, 
* compliance with applicable laws and regulations. 

Intradepartmental amounts: 
Activity and balances within the same department (see department). The 
intradepartmental and interdepartmental amounts are subsets of 
intragovernmental activity and balances. 

Intragovernmental amounts: 
Activity and balances occurring within or between federal entities. 

Intragovernmental Payment and Collection (IPAC) system: 
The primary method used by most federal entities to electronically bill 
and/or pay for services and supplies within the U.S. government. IPAC 
is used to communicate between the Treasury and the trading partner 
entities that the online billing and/or payment for services and 
supplies has occurred. 

Joint Financial Management Improvement Program (JFMIP): 
The original source of governmentwide requirements for financial 
management systems software functionality that describes the basic 
elements of an integrated financial management system (including the
core financial system). These requirements are now issued by OMB. This 
former joint undertaking consisted of the U.S. Department of the 
Treasury, the U.S. Government Accountability Office (GAO), the Office 
of Management and Budget (OMB), and the Office of Personnel Management 
(OPM). 

Judgment fund: 
A permanent and indefinite appropriation administered by the Department 
of the Treasury that is available to pay judgments, settlement 
agreements, and certain types of administrative awards against the 
United States when such payment is not otherwise provided for in entity 
appropriations. 

Known misstatement: 
The specific misstatement identified during the audit arising from the 
incorrect selection or misapplication of accounting principles or 
misstatements of facts identified, including, for example, those 
arising from mistakes in gathering or processing data and the 
overlooking or misinterpretation of facts. 

Likely misstatement: 
A misstatement that: 
* arises from differences between management’s and the auditor’s 
judgments concerning accounting estimates that the auditor considers 
unreasonable or inappropriate (for example, because an estimate 
included in the financial statements by management is outside of the 
range of reasonable outcomes the auditor has determined). 
* the auditor considers likely to exist based on an extrapolation from 
audit evidence obtained (for example, the amount obtained by projecting
known misstatements identified in an audit sample to the entire 
population from which the sample was drawn). 

Limit: 
Used in performing substantive analytical procedures, the limit is the 
amount of difference between the expectation and the recorded amount 
that the auditor will accept without investigation. Therefore, the 
auditor should investigate amounts that exceed the limit during 
analytical procedures. 

Limitation: 
A restriction on the amount, purpose, or period of availability of 
budget authority. While limitations are most often established through 
appropriations acts, they may also be established through authorization
legislation. Limitations may be placed on the availability of funds for 
program levels, administrative expenses, direct loan obligations, loan 
guarantee commitments, or other purposes. 

Logical unit: 
The balance or transaction that includes the selected dollar in a 
probability-proportional-to-size sample. 

Materiality: 
The magnitude of an item’s omission or misstatement in a financial 
statement that, in the light of surrounding circumstances, makes it 
probable that the judgment of a reasonable person relying on the
information would have been changed or influenced by the inclusion or 
correction of the item (FASB Statement of Financial Concepts No. 2). 
See planning materiality, design materiality, and tolerable 
misstatement. 

Mean-per-unit approach: 
A classical variables sampling technique that projects the sample 
average to the total population by multiplying the sample average by 
the total number of items in the population. 

Misappropriation of assets: 
Theft of an entity’s assets causing misstatements in the financial 
statements. 

Monetary unit sampling: 
A variables sampling evaluation method that utilizes a probability-
proportional-to-size (PPS) sample selection technique. Since the 
auditor randomly selects the sample from a population of dollars, 
large-value transactions have more chance of selection and are more likely to 
be sampled than small-value transactions. 

Monitoring: 
One of the five components of internal control, in addition to control 
environment, risk assessment, control activities, and information and
communications. Monitoring is a process that assesses the quality of 
internal control performance over time. Internal control monitoring 
should assess the quality of performance over time and ensure that the 
findings of audits and other reviews are promptly resolved. 

Multipurpose testing: 
Performing several tests, such as control tests, compliance tests, and 
substantive tests, on a common selection, usually a sample. 

Nonrepresentative selection: 
A selection of items to reach a conclusion only on the items selected. 
The auditor using a nonrepresentative selection (formerly referred to 
as a nonsampling selection) may not project the results to the portion 
of the population that was not tested. Accordingly, the auditor applies 
appropriate analytical and/or other substantive procedures to the 
remaining items, unless those items are immaterial in total or the 
auditor has already obtained enough assurance that there is a low risk 
of material misstatement in the total population. The auditor also uses 
nonrepresentative selections to test controls through inquiry, 
observation, and walkthrough procedures and to obtain planning 
information. 

Nonstatistical sampling: 
A sampling technique for which the auditor considers sampling risk in 
evaluating an audit sample without using statistical theory to measure 
the risk. 

Offsetting receipts and collections: 
A form of budget authority that permits agencies to obligate and expend 
the proceeds of offsetting receipts and collections. The Congressional 
Budget Act of 1974, as amended by the Budget Enforcement Act of 1990, 
defines offsetting receipts and collections as negative budget 
authority and the reductions to it as positive budget authority. In the 
President’s budget, OMB reports offsetting receipts as appropriations. 

Operations controls: 
A process by management and others, designed to provide reasonable 
assurance regarding the achievement of objectives for the effectiveness 
and efficiency of operations. 

Overall analytical procedures: 
Analytical procedures performed as an overall financial statement 
review during the reporting phase. 

Performance and Accountability Report (PAR): 
See annual financial statement. 

Planning materiality: 
The auditor’s preliminary estimate of materiality in relation to the 
financial statements taken as a whole. It is used to determine design 
and tolerable misstatement, which are used to determine the nature,
extent, and timing of substantive audit procedures. It is also used to 
identify significant laws and regulations for compliance testing. 

Point estimate (estimated value): 
Most likely amount of the population characteristic based on the 
sample. 

Population: 
The items comprising the account balance or class of transactions of 
interest. The population excludes individually significant items that 
the auditor has decided to examine 100 percent or other items that will 
be tested separately. 

Precision (allowance for sampling risk): 
A measure of the difference between a sample estimate and the 
corresponding population characteristic at a specified sampling risk. 

Preliminary analytical procedures: 
Analytical procedures performed during the audit planning phase. 

Principal statements: 
See financial statements. 

Probable: 
In evaluating a contingency for pending or threatened litigation and 
unasserted claims, a future confirming event(s) occurring is likely to 
occur (SFFAS #12.10). For other contingencies, the future event or 
events are more likely than not to occur (SFFAS #5.33). 

Projected misstatement: 
An estimate of the misstatement in a population, based on the 
misstatements found in the examined sample items; represents 
misstatements that are probable. The projected misstatement includes 
the known misstatement. 

Providing entity: 
The entity providing services, products, goods, transfer funds, 
investments, debt, and/or incurring the reimbursable costs. This 
includes bureaus, departments, and/or programs within entities. The
providing agency is the seller. The providing entity transfers out 
funds to another entity (transfers out) when appropriations are 
transferred without the exchange of goods or services. 

Random sample: 
A sample selected so that every combination of the same number of items 
has an equal probability of selection. 

Ratio estimation: 
A classical variables sampling technique that uses the ratio of audited 
amounts to recorded amounts in the sample to estimate the total dollar 
amount of the population and an allowance for sampling risk. 

Reasonably possible: 
The chance of the future confirming event or events occurring is more 
than remote but less than probable. 

Receiving entity: 
The entity receiving services, products, goods, transfer funds, 
purchasing investments, and/or borrowing from Treasury (or other 
entities). This includes bureaus, departments, and/or programs within 
entities. The receiving entity is the purchaser. The receiving entity
receives transfers of funds (transfers in) when appropriations are 
transferred without the exchange of goods or services. 

Reciprocal accounts: 
Corresponding SGL accounts that should be used by a providing/seller 
and receiving/buyer entity to record like intragovernmental 
transactions. For example, the providing entity’s accounts receivable 
would normally be reconciled to the reciprocal account, accounts 
payable, on the receiving entity’s records. 

Recorded amount: 
The financial statement amount being tested by the auditor in the 
specific application of substantive tests. 

Regression estimate: 
An estimate of a population parameter for one variable that is obtained 
by substituting the known total for another variable into a regression 
equation calculated on the basis of sample values of the two variables. 
Ratio estimates are special kinds of regression estimates. 

Reimbursable activity: 
In intragovernmental activity, similar to goods or services, except the 
amounts billed to the receiving entity by the providing entity are 
based on some agreed-upon price, which may or may not represent market 
value. 

Related parties: 
Affiliates; trusts for the benefits of employees, such as pensions, 
that are managed by or under trusteeship of management; management of 
the entity; their immediate families; and other parties the entity deals
with if one party controls or can significantly influence the 
management or operating policies of the other to an extent that one of 
the parties might be prevented from fully pursuing its own separate 
interests. 

Remote: 
The chance of potential liability to the entity is slight. 

Responsibility segment: 
In cost accounting, a significant organizational, operational, 
functional, or process component that has the following 
characteristics: (a) its manager reports to the entity’s top 
management, (b) it is responsible for carrying out a mission, 
performing a line of activities or services, or producing one or a 
group of products, and (c) for financial reporting and cost management 
purposes, its resources and results of operations can be clearly 
distinguished, physically and operationally, from those of other entity 
segments. 

Risk: 
See audit risk, inherent risk, control risk, risk of material 
misstatement, and detection risk. 

Risk of material misstatement: 
The auditor’s combined assessment of inherent risk and the control 
risk. (The risk of material misstatement was formerly referred to as 
combined risk.) 

Safeguarding controls: 
Internal controls that protect assets from loss from unauthorized 
acquisition, use, or disposition. They may include controls relating to 
financial reporting and operations objectives. 

Sample: 
Items selected from a population to reach a conclusion about the 
population as a whole. (Compare with nonrepresentative selection.) 

Sampling: 
The application of audit procedures to fewer than all items composing a 
population to reach a conclusion about the entire population. The 
auditor selects sample items in such a way that the sample and its 
results are expected to be representative of the population. Each item 
has an opportunity to be selected, and the results of the procedures 
performed are projected to the entire population. 

Sampling interval: 
An amount between two consecutive sample items in a systematic sample. 
The sampling interval is determined by dividing the number of items in 
the population by the desired number of selections. When used in the 
context of a systematic sample used to select items for monetary-unit 
sampling (MUS), it is the tolerable misstatement divided by the 
statistical risk factor. 

Sampling risk: 
The risk that the auditor’s conclusion based on a sample might differ 
from the conclusion that would be reached by applying the test in the 
same way to the entire population. For tests of controls, sampling risk
is the risk of assessing control risk either too low or too high. For 
substantive testing, sampling risk is the risk of incorrect acceptance 
or the risk of incorrect rejection. 

Sampling strata: 
Two or more mutually exclusive subdivisions of a population defined in 
such a way that each element in the population can belong to only one 
subdivision or stratum. 

Sampling unit: 
Any of the individual elements, as defined by the auditor, that 
constitute the population. 

Sequential sampling: 
A sampling plan for which the sample is selected in several steps, with 
each step conditional on the results of the previous steps. 

Specific control evaluation (SCE): 
Evaluating the effectiveness of specific control activities in 
achieving the control objectives. This process is documented on the SCE 
worksheet. 

Standard General Ledger (SGL): 
A uniform chart of accounts and guidance for standardizing U.S. federal 
accounting. Composed of five major sections: (1) chart of accounts, (2) 
accounts and descriptions, (3) account transactions, (4) SGL 
attributes, and (5) SGL crosswalks to standard external reports. 
Prescribed by the Department of the Treasury in its Treasury Financial 
Manual. 

Standard General Ledger (SGL) at the transaction level: 
One of the three requirements of FFMIA. Implementing the SGL at the 
transaction level means that transactions are recorded in full 
compliance with the SGL Chart of Accounts’ descriptions and posting 
models/attributes that demonstrate how the SGL is to be used for 
recording transactions of the federal government accounting process; 
reports produced by the systems provide financial information, whether
used internally or externally, that can be traced directly to the SGL 
accounts; and transactions from feeder systems, which may be summarized 
and interfaced into the core financial system’s general ledger, are 
posted following SGL requirements. 

Statistical sampling: 
Audit sampling that uses the laws of probability for selecting and 
evaluating a sample from a population for the purpose of reaching a 
conclusion about the population. 

Stewardship information: 
Required supplementary stewardship information includes stewardship 
investments that are substantial investments made by the federal 
government for the benefit of the nation but are not physical assets 
owned by the federal government. When incurred, they are treated as 
expenses in determining the net cost of operations. Such investments 
should be measured in terms of expenses incurred for: (1) federally-
financed but not federally-owned physical property (non-federal 
physical property), (2) certain education and training programs (human 
capital), and (3) federally-financed research and development (research 
and development). Non-federal physical property investments are 
expenses incurred by the reporting entity for the purchase, 
construction, or major renovation of physical property owned by state 
and local governments. Human capital investments are expenses incurred 
to increase or maintain national economic productivity capacity and to 
produce outputs and outcomes that provide evidence of maintaining or 
increasing national productive capacity. (The definition excludes 
education and training expenses for federal civilian and military 
personnel.) Research and development investments are expenses incurred 
to support the search for new or refined knowledge and ideas and for 
the application or use of such knowledge and ideas for developing new 
or improved products and processes, with the expectation of maintaining 
or increasing national economic productive capacity or yielding other 
future benefits. 

Stratified random sample: 
A sample designed by first classifying the population into several strata 
and then taking a random sample from each stratum. 

Substantive analytical procedures: 
Analytical procedures used as substantive tests. 

Substantive audit assurance: 
The auditor’s judgment about the probability that all substantive tests 
of an assertion will detect aggregate misstatements that exceed 
materiality. Not the same as confidence level. 

Substantive procedures or tests: 
Specific procedures, including substantive analytical procedures and 
substantive detail tests, performed to determine whether assertions are 
materially misstated and to form an opinion about whether the financial
statements are presented fairly in accordance with U.S. GAAP. 

Suitable criteria: 
In agreed-upon procedures engagements or other attestation 
engagements, standards for acceptability which have the attributes of 
objectivity, measurability, completeness, and relevance. 

Supplemental analytical procedures: 
Analytical procedures to increase the auditor’s understanding of 
account balances and transactions when detail tests are used as the 
sole source of substantive assurance. 

Systematic sampling: 
A method of selecting a sample in which every nth item is selected from 
a random start. 

Test materiality: 
Former term, now see tolerable misstatement. 

Tolerable misstatement: 
The materiality the auditor uses to test a specific line item, account 
balance or class of transactions. Tolerable misstatement is defined in 
AU 312 as the maximum error in a population that the auditor is willing 
to accept. 

Tolerable rate: 
The maximum population rate of deviations from a prescribed control 
that the auditor will tolerate without modifying the planned assigned 
level of control risk. For tests of compliance with laws and 
regulations, the tolerable rate is the maximum rate of noncompliance 
that could exist in the population without causing the auditor to 
believe the noncompliance rate is too high. (In statistical terms,
margin or bound of error.) 

Trading partner code: 
Assigned by the U.S. Department of the Treasury, trading partner codes 
are used to facilitate the preparation of the Financial Report of the 
United States Government. 

Trading partners: 
Federal entities that request or provide transactions and transfers 
between federal entities. 

Transfers: 
Shifting of all or part of the budget authority in one appropriation or 
fund account to another. Entities may transfer budget authority only as 
specifically authorized by law. For accounting purposes, the nature of 
the transfer determines whether the transaction is treated as an 
expenditure or a nonexpenditure transfer. 

Treasury Financial Manual (TFM): 
The Treasury Financial Manual (TFM) is Treasury’s official publication 
for financial accounting and reporting of all receipts and 
disbursements of the federal government. It provides policies, 
procedures, and instructions for federal departments, agencies, Federal 
Reserve Banks, and other concerned parties to follow in carrying out 
their fiscal responsibilities. 

U.S. generally accepted accounting principles (U.S. GAAP): 
The U.S. accounting principles that are promulgated by a standard 
setter approved by the AICPA. AU 411 contains the hierarchy of 
accounting standards for financial statements of federal government 
entities. The standards issued by FASAB are the first level of the 
hierarchy. For government corporations and certain other entities, the 
standards issued by FASB are the first level of the hierarchy. 

Universe: 
See population. 

User controls: 
Controls that are performed by people interacting with IS controls. The 
effectiveness of user controls typically depends on the accuracy of the 
information produced by the IS controls. 

Walk-throughs: 
Audit procedures to help the auditor understand the design of controls 
and whether they have been implemented. They may also provide some 
evidence of control effectiveness. Walk-throughs of financial reporting 
controls include tracing one or more transactions from initiation, 
through all processing, to inclusion in the general ledger; observing 
the processing and applicable controls in operation; making inquiries 
of personnel applying the controls; and examining related documents. 

[End of Glossary] 

Other Glossaries: 

Note 1: 
The Federal Information System Controls Audit Manual (FISCAM) contains 
a glossary of information systems terms (see GAO/AIMD-12.19.6, January 
1999) and is currently under revision. 

Note 2: 
A Glossary of Terms Used in the Federal Budget Process contains 
additional terms and definitions (see GAO-05-734SP, September 2005). 

Note 3: 
The AICPA Audit Sampling Guide contains a glossary of terms. 

[End of other glossaries] 

Abbreviations: 

AAPC: Accounting and Auditing Policy Committee: 

ABA: American Bar Association: 

AcSEC: Accounting Standards Executive Committee of the AICPA: 

AICPA: American Institute of Certified Public Accountants: 

ARA: Account Risk Analysis: 

ASB: Auditing Standards Board: 

AT: reference to Statements on Standards for Attestation Engagements 
in the AICPA Codification of Statements on Auditing Standards: 

AU: reference to Statements on Auditing Standards in the sections of the
AICPA Codification of Statements on Auditing Standards: 

AUP: Agreed-upon procedures: 

CFO: Chief Financial Officer: 

CIO: Chief Information Officer: 

COSO: Committee of Sponsoring Organizations of the Treadway Commission: 

CSRS: Civil Service Retirement System: 

DCIA: Debt Collection Improvement Act: 

FAM: GAO/PCIE Financial Audit Manual: 

FASAB: Federal Accounting Standards Advisory Board: 

FASB: Financial Accounting Standards Board: 

FBWT: Fund Balance With Treasury: 

FCRA: Federal Credit Reform Act: 

FECA: Federal Employees’ Compensation Act: 

FERS: Federal Employees' Retirement System: 

FISCAM: Federal Information System Controls Audit Manual: 

FISMA: Federal Information Security Management Act: 

FFMIA: Federal Financial Management Improvement Act of 1996: 

FMFIA: Federal Managers' Financial Integrity Act of 1982: 

GAAP: generally accepted accounting principles (U.S.): 

GAAS: generally accepted auditing standards (U.S.): 

GAGAS: generally accepted government auditing standards: 

GAO: Government Accountability Office: 

GRA: General Risk Analysis: 

IDEA: Interactive Data Extraction and Analysis: 

IG: Inspector General: 

IT: information technology: 

JFMIP: Joint Financial Management Improvement Program: 

MD&A: Management’s Discussion and Analysis: 

MUS: Monetary unit sampling [also known as dollar unit sampling (DUS)]: 

NIST: National Institute of Standards and Technology: 

NSA: National Security Agency: 

OAI: other accompanying information: 

OFFM: Office of Federal Financial Management: 

OGC: Office of General Counsel: 

OMB: Office of Management and Budget: 

PAR: Performance and Accountability Report: 

PCIE: President’s Council on Integrity and Efficiency: 

PP&E: property, plant, and equipment: 

PPS: classical probability proportional to size: 

RSI: required supplementary information: 

RSSI: required supplementary stewardship information: 

SAS: Statement on Auditing Standard: 

SCE: Specific Control Evaluation: 

SFFAC: Statement of Federal Financial Accounting Concepts: 

SFFAS: Statement of Federal Financial Accounting Standards: 

SGL: Standard General Ledger of the U.S. government: 

SIU: Special Investigator Unit: 

SSAE: Statement on Standards for Attestation Engagements: 

U.S.C.: United States Code: 

[End of abbreviations] 

Index: 

Abuse, Indications of: 260.27. 

Account Risk Analysis (ARA): 
Control risk and risk of material misstatement, Preliminary assessment 
of: 370.10. 
Documentation of internal control phase: 390.08. 
Documentation of planning phase: 235.07, 290. 
Sample completed form: 395 I. 

Accounting application: 
Audit requirements for internal controls: 310.07. 
Description: 240.02. 
Documentation: 240.05, 290.07, 390.08. 
Potential misstatements: 330.06. 
Relation to line items/accounts: 330.05, 395 A. 
Walkthrough procedures: 320.02. 

Analytical procedures: 
Overall: 520. 
Preliminary: 225. 
Substantive: 470.05-.07, 475. 
Supplemental: 475.16-.18, 520.03. 

Application controls: 
See IS controls. 

Assertions: 
Audit requirements for internal controls: 310.07. 
Risk of material misstatement, Preliminary assessment of: 370.09. 
Control risk, Preliminary assessment of: 370.07. 
Control activities, Effectiveness of: 340.02. 
Definition: 235.02. 
Management, about internal control: 
See Internal control. 
Relation to potential misstatements and control objectives: 330.02. 
Significant: 235.04. 

Audit assurance: 
GAO guidelines: 260.04. 

Audit matrix: 470.10-.11. 
With statistical risk factors: 495 D. 

Auditor’s reports: 580.04. 
See Report on Performance and Accountability Report (annual financial 
statement) and Report on financial statements. 

Audit risk: 
Definition: 260.02. 
GAO guidelines: 260.04. 

Audit sampling: 
See Sampling. 

Audit scope: 530.04, 580.14-.18, 580.40-.42, 580.68, 580.74-.76. 

Audit summary memorandum: 590.02-03. 

Auditing standards and related OMB guidance: 
Audit requirements beyond “yellow book” (GAGAS): 110.13. 
Determine accordance with: 570.01. 
Relevant standards: 110.01, 110.14. 
Standards and policies not addressed: 110.13, 110.20. 

Budget: 
Audit requirements: 310.07. 
Controls: 260.06, 295 G, 310.06. 
Budget accounting system: 320.05. 
Control objectives: 330.09, 395 F. 
Execution statutes: 395 D. 
Execution process: 395 E. 
Formulation, understanding: 260.71. 
Definition: 260.06, 260.48g. 
Documentation: 390. 
Evaluate the impact on budgetary amounts: 370.11. 
Reporting: 580.32. 
Restrictions, identify: 250. 
Tests of budget information, example: 495 B. 

Compliance with laws and regulations: 
Checklist, General compliance: 802. 
Identify the significant provisions of laws and regulations: 245.01. 
Laws identified in OMB audit guidance and other general laws: 295 H. 
Material noncompliance, definition: 580.69. 
Reportable noncompliance, definition: 580.69. 
Reporting on: 580.72-.73. 
Scope of procedures: 580.74-.76. 
Supplements, Compliance: 803 - 816. 
See Compliance controls. 
See Compliance tests. 

Compliance controls: 
Audit programs: 803 - 816. 
Audit requirements: 310.07. 
Compliance system: 320.06. 
Control objective: 330.10. 
Definition: 260.06. 
Documentation: 390. 
Effect on compliance tests: 370.12, 460.02, 460.06. 
Conclude on the effectiveness: 370.12. 
Reporting: 370.11, 580.32. 

Compliance tests: 
Definition: 410.04. 
Evaluation of results: 460.07. 
Procedural-based provisions: 460.06. 
Quantitative-based provisions: 460.03. 
Tests of budget information for use in: 495 B. 
Transaction-based provisions: 460.02. 

Control activities: 
Definition: 260.08. 
Documentation: 390.07. 
Effectiveness of: 340.02. 
Efficiency of testing: 350.06. 
Factors to consider: 340.03-.09. 
Identify and understand: 340. 
IS control, Determine if: 350.10. 
Segregation of duties: 330.08. 
Specific control evaluation (SCE worksheet): 340.01, 390.06. 
Typical, List of: 395 C. 
Understanding: 340.02. 

Control environment: 
Definition: 260.08. 
Documentation: 260.19, 290.05. 
Factors: 260.47-.48. 
Identify risk factors: 260.09-.20. 
IS effects on: 260.56-.57. 
Potential weaknesses: 295 B.01-.10. 
Weaknesses: 260.09. 

Control objectives: 
Identifying: 330.01. 
Potential misstatements, Relationship to: 330.02. 
See Budget controls. 
See Compliance controls. 
See Financial reporting controls. 
See Operations controls. 
See Safeguarding controls. 

Control risk: 
Assessment of: 370.06-.07, 370.14. 
Risk of material misstatement, Component of: 370.09. 
Definition: 260.02. 
Documentation of assessment: 370.10, 395 I. 

Control tests: 
Attribute sampling: 450.02. 
Control assessment, Relation to: 370.01. 
Documentation: 370.05, 390.01, 390.07, 395 H, 450.03-.04, 490. 
Efficiency considerations: 350.18. 
Evaluation of results, nonsampling tests: 360.14-.15. 
Evaluation of results, sampling tests: 450.13-.15. 
Evidence, Documentary: 350.16. 
Inquiry: 350.13. 
IS controls, Performing tests of: 360.03-.05. 
IS controls, Evaluating results of: 370.03. 
Inspection: 350.14. 
Method of selection: 350.06. 
Multiple locations, Impact on sampling control tests of: 450.0.05. 
Multipurpose testing: 450.02. 
Multiyear testing of controls: 380.01, 395 G. 
Nature: 350.11-.18. 
Nonsampling tests: 350.19, 360. 
Observation: 350.12. 
Partial-year controls: 380.02. 
Planned changes in controls: 380.03. 
Population, sampling control tests: 450.05. 
Sample size: 450.07-.12. 
Samples, Design of: 430.03, 450.07. 
Sampling control tests: 410.04, 450. 
Segregation of duties: 330.08, 360.12-.13, 395 C.03. 
Timing: 350.21. 
Tolerable rate of deviations, sampling control tests: 450.08, 450.10. 

Cycle: 
Audit requirements for internal controls: 310.07. 
Documentation: 390.05. 
Identification: 240.01. 
Cycle matrix: 240.06, 290.06. 

Detail tests: 470.08-.09, 480. 

Detection risk: 260.02. 

Differences in estimates: 540.05-.06. 

Discussion and analysis: 
See Management’s discussion and analysis. 

Dual-purpose tests: 
See Multipurpose testing. 

Entity profile: 290.04. 

Errors: 
See Misstatements. 

FFMIA: 
Conclusion: 590.02. 
Determine nature, extent, and timing of control tests: 350. 
Documentation: 590.02, 590.06. 
Planning: 260.65. 
Reporting: 580.63. 
Requirements: 110.17, 320.04. 
Testing: 360.02, 360.16. 
Understanding accounting systems: 320.04. 

Financial reporting controls: 
Accounting system: 320.03. 
Audit requirements: 310.06. 
Control objectives: 330.01. 
Definition: 260.06. 
Documentation: 390. 
Preliminary assessment of control risk: 370.06. 
Reporting requirements: 580.32. 
Sampling control tests: 450. 

Flowcharts, Use of: 390.05. 

FMFIA: 
Assessing: 260.58-.63. 
Material weakness: 580.36. 
Reliance on management's process: 260.63, 320.01. 
Reporting on management's reports: 580.36, 580.61. 

Fraud risk: 
Audit requirements: 260.23, 260.26. 
Auditor responses: 260.42-.46, 295 I. 
Brainstorming meeting(s): 260.32-.34. 
Characteristics: 260.28-.29. 
Consideration: 260.24-.25. 
Continuing assessment: 440.04. 
Documentation: 290.05, 590.03. 
Factors: 260.30. 
Identify and assess: 260.35-.41. 
Professional skepticism: 260.31. 
Reconsideration: 540.18-.24. 

GAO/PCIE Financial Audit Manual, Compliance with: 570.01. 

General Controls: 
See IS controls. 

General Risk Analysis (GRA): 290.05. 

Information and communication: 260.08, 320.01. 

Information systems: 
Understanding: 320. 

Information systems controls: 
See IS controls. 

Inherent risk: 
Definition: 260.02. 
Documentation: 260.17, 290.05. 
Identifying: 260.09. 
IS effects on: 260.22. 
Risk factors: 260.21, 295 A. 

Inquiries of attorneys: 280.02, 550.02-.03. 

Interim testing: 295 D, 495 C. 

Internal control: 
Audit requirements: 310.07. 
Classifying control weaknesses: 580.33-.38. 
Components: 260.08. 
Control deficiency: 580.33. 
Effects of control deficiencies on assessment: 580.42-.48. 
Management assertion about: 550.08, 580.32. 
Material weakness: 580.33. 
Nonopinion report: 580.50. 
Opinion report: 580.39-.49. 
Reporting on: 580.32. 
Reporting on management’s FMFIA reports: 580.36, 580.61. 
Reporting deficiencies: 580.52-.59. 
Scope of procedures: 580.40-.42. 
Significant deficiency: 580.33. 
See Budget controls.
See Compliance controls.
See Control activities.
See Control environment.
See Financial reporting controls.
See Information and communication.
See Monitoring.
See Operations controls.
See Risk assessment. 

Information system controls: 
Application controls: 295 F.05-.06. 
Assessing: 295 J. 
Control activities, Identification for testing: 350.10. 
Determining likelihood of effective: 270. 
Develop high-level understanding: 220.04, 220.07. 
Documentation: 290.05, 370.03, 370.05. 
Effects on inherent risk: 260.22. 
Effects on the control environment, risk assessment, communication, and
monitoring: 260.56-.57. 
General controls: 295 F.02-.04. 
Information system: 320.01-.02. 
IS control specialist: 110.26-.27, 220.07, 260.22, 260.33, 260.44, 
260.57, 270.01, 270.04-.07, 320.01, 340.01, 350.10, 360.01, 360.03-.05, 
360.07-.10. 
Testing: 360.03. 
Types of: 295 F.01. 
User controls: 295 F.07-.08. 

Laws and regulations: 
See Compliance with laws and regulations. 

Management’s discussion and analysis (MD&A): 110.05, 220.07, 520.06, 
580.01, 580.06, 580.32, 580.78, 590.02-.03. 
Coordination with overall analytical procedures: 520.06. 
Reporting on: 580.32. 
Management report: 580.48. 

Management representations: 280.03, 550.07-.11, 1001. 

Materiality: 
Base, Definition and use of: 230.08. 
Definition of: 230.01. 
Design: 230.05, 230.12. 
Disclosure: 230.06. 
FMFIA: 230.06. 
Guidelines: 230.07. 
Planning: 230.05, 230.08, 230.11. 
Reassess: 530. 
Reporting: 230.06. 
Tolerable misstatement: 230.05, 230.13. 

Misstatements: 
Budgetary amounts: 370.11. 
Communicate to those charged with governance: 540.07. 
MUS sample: 480.43. 
Effects on audit opinion: 540.09. 
Effects on financial statements: 480.47, 540.04. 
Evaluation of misstatements: 540.01. 
Known and likely: 540.03. 
Results of other samples: 480.46. 
Present to management: 540.07-.08. 
Substantive analytical procedures: 475.13. 
Schedule of Uncorrected Misstatements: 540.04, 595 C. 
Summary of Uncorrected Misstatements: 540.09, 595 C. 

Monitoring: 260.08, 260.53. 
Documentation: 290.04. 
Factors for consideration: 260.53-.55. 
IS effects on: 260.56-.57. 
Potential weaknesses: 295 B. 
Weaknesses: 260.09. 

Multipurpose testing, Definition of: 430.01. 

Multiple-location audits: 
Locations to visit: 285.01, 295 C. 

Multiyear testing of controls: 380, 390.03, 395 G. 

Operations, Understanding the entity's: 
See Understanding the entity's operations. 

Operations controls: 
Audit requirements: 310.07. 
Control objectives: 330.11. 
Definition: 260.06. 
Documentation: 390.01-.08. 
Identify for evaluation and testing: 275. 
Operations system: 320.07. 
Results of control tests: 370.13. 
Reporting requirements: 580.32. 

Other accompanying information: 110.12, 580.77, 590.02. 

Other auditors, Using the work of: 110.24, 285.01, 290.10, 295 B, 
580.26, 650. 

Overall analytical procedures: 
Documentation: 590.04. 
Performance: 520. 

Positions, References to: 100.26. 

Potential misstatements: 
Accounting applications, Relation to: 330.04. 
Assertions, Relation to: 330.02. 
Control objectives, Relation to: 395 B. 
Line item/account, Relation to: 330.04. 
Typical, List of: 395 B. 

Preliminary analytical procedures: 225. 

Professional judgment: 110.23-.25, 260.15, 260.41, 260.42. 

Professional skepticism: 110.23, 260.14, 260.31-.34, 260.42. 

Related party transactions: 280.04, 550.12, 1006. 

Report on Performance and Accountability Report (annual financial 
statement): 
Compliance with laws and regulations: 580.70. 
Dating: 580.03. 
Example, unqualified: 595 A. 
Example, various modifications: 595 B. 
Financial statements: 580.10. 
Internal control: 580.32-.62. 
Other information (MD&A, RSSI, RSI, and other accompanying 
information): 580.77-.84. 
Report format: 580.04. 
Significant matters section: 580.05. 

Report on financial statements: 
Adverse opinion: 580.30. 
Consistency: 580.20. 
Departure from U.S. GAAP: 580.22. 
Disclaimer of opinion: 580.31. 
Explanatory paragraphs: 580.26-.27. 
Qualified opinion: 580.28-.29. 
Scope limitations: 580.15, 580.17. 
Uncertainties: 580.19. 
Unqualified opinion: 580.24. 

Representation letter from management: 
See Management representations. 

Representation letter, Legal: 
See Inquiries of attorneys. 

Representative sampling: 
See Sampling. 

Required supplementary stewardship information (RSSI): 110.12, 220.06, 
580.77, 590.02. 

Risk: 
See Audit risk.
See Risk of material misstatement.
See Control risk.
See Detection risk.
See Fraud risk.
See Inherent risk. 

Risk assessment (as part of an entity's internal control): 260.01-.02, 
260.08, 260.09-.20, 260.49-.50, 260.56-.58, 260.71. 
Documentation: 290.05, 290.08-.09. 
Process for identifying risk factors: 260.09-.20. 
IS effects on: 260.22. 
Potential weaknesses: 295 B. 

Risk of material misstatement: 
Assurance level for substantive tests, Relationship to: 370.10, 470.01. 
Definition: 370.09. 
Effect on audit procedures: 295 E.02. 
Reevaluation of assessment: 370.14. 

Rotation testing of controls: 
See Multiyear testing of controls. 

Safeguarding controls: 260.06, 310.04. 
See Financial reporting controls. 

Sampling: 
Attribute sampling: 450.02, 450.06, 450.19. 
Classical variables estimation sampling: 480.32-.33, 480.38, 480.45. 
Classical PPS Sampling: 480.34-.35. 
Control tests: 410.04, 450. 
Monetary-unit sampling (MUS): 480.21-.31, 480.43, 495 F. 
Evaluation of sample results: 450.13, 480.39-.46. 
Sampling flowcharts and example documentation: 495 E. 
Population: 450.05, 480.01-.03. 
Representative selections (sampling): 480.10-.20. 
Sample selection: 480.21-.38. 
Sampling when dollar amounts are not known: 480.36-.38. 
Selection methods for detail tests: 480.04-.09. 

Sensitive payments: 280.05. 

Significant cycles/accounting applications: 
Audit requirements for internal controls: 310.06. 
Documentation: 290.06, 290.07, 390.05. 
Identifying: 240.01. 
Relationship to line items/accounts: 240.03, 240.05, 330.04. 

Significant line items, accounts, assertions, and RSSI: 
Documentation: 290.07. 
Identifying: 235. 

Specific control evaluation (SCE): 
Control objectives, Documentation of: 330.07. 
Control activities, Documentation of: 340.01, 390.07. 
Sample completed worksheet: 395 H. 

Statistical risk factors: 480.24, 495 D. 

Stewardship information: 
Reporting: 580.77. 
See Required supplementary stewardship information (RSSI). 

Subsequent events: 550.04-.06, 1005. 

Substantive analytical procedures: 475. 
Substantive analytical procedure determinations: 495 A. 
Documentation: 490.05 b. 
Establishment of limit, guidelines: 475.05 a., 475.06. 
Increasing effectiveness of: 475.15. 
Investigation of significant differences: 475.07. 
Levels of assurance: 470.06. 
Performing substantive analytical procedures: 475.05. 

Substantive procedures: 
Definition: 410.04. 
Determining mix: 470.11. 
Directional testing: 470.15-.21. 
Levels of assurance: 470.03. 
Types of substantive procedures: 470.04-.10. 
See Detail tests.
See Substantive analytical procedures. 

Schedule of Uncorrected Misstatements: 540.04, 595 C. 

Summary of Uncorrected Misstatements: 540.09, 595 C. 

Supplemental analytical procedures: 470.06, 475.16-.18, 520.03. 

Understand the entity’s operations: 220. 
Accounting policies and issues: 220.05. 
Documentation: 290.04. 
IS systems: 220.07. 
Sources of information: 220.08, 220.09. 

User controls: 
See IS system controls. 

U.S. generally accepted accounting principles: 
Determining conformity with: 560. 

Walkthrough procedures: 
Control activities, Operation of: 350.09. 
Information systems, Understanding of: 320.02. 
Use as limited control test: 340.02. 

Yellow book: 
See Auditing standards and related OMB guidance. 

[End of index] 

Footnotes: 

[1] The American Institute of Certified Public Accountants (AICPA) has 
recognized the Federal Accounting Standards Advisory Board (FASAB) as 
the accounting standards-setting body for federal government entities 
under Rule 203 of the AICPA's Code of Professional Conduct. Thus, FASAB 
standards are recognized as U.S. GAAP for federal entities. However, 
some federal entities, including government corporations and certain 
others, are required by law, regulation, or policy to publish financial 
statements using U.S. GAAP issued by the Financial Accounting Standards 
Board (FASB). For such entities, FASAB provides general principles. See 
FASAB’s Statement of Federal Financial Accounting Standards No. 8, 
paragraph .40. 

[2] Testing for compliance with FFMIA is efficiently accomplished, for 
the most part, as part of the work done in understanding agency systems 
in the internal control phase of the audit. 

[3] The methodology presented is for a financial statement audit. If 
the auditor is to use the work of another auditor, see FAM 650. 

[4] The FAM refers specifically to objectives for GAO auditors in 
various sections. Such objectives are optional for other audit 
organizations. 

[5] If the auditor plans to report on internal control effectiveness, 
AICPA attestation standards (AT 501) allow the auditor to give an 
opinion directly on internal control or on management’s assertion about 
the effectiveness of internal control. However, if material weaknesses 
are present, the opinion must be directly on the effectiveness of 
internal control, rather than management’s assertion, so as not to be 
misleading. The example 1 auditor’s report in FAM 595 A illustrates 
expressing an opinion on internal control directly. Although the FAM 
distinguishes between internal control objectives related to financial 
reporting and to compliance with laws and regulations, compliance 
controls tested as part of federal financial statement audits are 
limited to controls over compliance with selected significant 
provisions of laws and regulations that have a direct and material 
effect on the determination of financial statement amounts. 
Consequently, compliance controls in federal financial statement audits 
are considered to be the equivalent of financial reporting controls for 
purposes of reporting on control effectiveness under AT 501. 

[6] As defined in OMB reporting guidance, the annual Performance and 
Accountability Report (PAR) consists of (1) unaudited MD&A, part of 
required supplementary information (RSI); (2) audited basic financial
statements, including note disclosures; (3) unaudited required 
supplementary stewardship information (RSSI), if applicable; (4) 
unaudited RSI, if applicable; and (5) unaudited other accompanying 
information, if applicable. The audited basic financial statements at 
an entity level include the (1) balance sheet; (2) statement of net 
cost; (3) statement of changes in net position; (4) statement of 
budgetary resources; (5) statement of custodial activity, if 
applicable; and (6) statement of social insurance, if applicable. The
statements include related audited note disclosures. 

[7] Audit organizations obtain legal counsel in a variety of ways and 
each audit organization’s “OGC” size and configuration can vary. In 
that regard, the designation of “OGC” in the FAM could include legal 
counsel in IG offices that employ or hire their own legal counsel as 
well as their agency’s legal counsel. 

[8] Similar to the AICPA auditing standards, if the FAM states that a 
procedure or action is one that the auditor “should consider,” 
determining whether to perform the procedure or action is required; 
however, performing the procedure or action is not. Because this is a 
“should,” the auditor should document any reasons for not performing 
this procedure and the alternative procedures performed to meet the 
objective. When the FAM lists factors that the auditor should evaluate 
when making a judgment, the auditor is expected to use these factors to 
make an informed judgment. However, the auditor may also consider other 
factors. 

[9] Those charged with governance refers to those who have the 
responsibility for overseeing the strategic direction of the entity and 
obligations related to the accountability of the entity, including 
overseeing the entity’s financial reporting and disclosure process. For 
a federal entity, this may be members of a board or commission, an 
audit committee, the Secretary of a cabinet-level department, or senior 
executives and financial managers responsible for the entity. 
Additionally, this may include congressional committees with oversight 
of the audited entity. 

[10] Management means the persons responsible for achieving the 
objectives of the entity and who have the authority to establish 
policies and make decisions by which those objectives are to be pursued.
Management is responsible for the financial statements, including 
designing, implementing, and maintaining effective internal control 
over financial reporting. 

[11] Optional: However, some numerical code is normally used by 
organizations for tracking purposes. 

[12] If applicable, add “and contracts and grant agreements” as 
discussed in GAGAS. 

[13] Optional: However, some numerical code is normally used by 
organizations for tracking purposes. 

[14] If the audit is not designed to comply with OMB audit guidance 
related to internal control testing, omit this phrase and revise audit 
scope description related to internal control following AU 310.06. 

[15] If applicable, add “and contracts and grant agreements” as 
discussed in GAGAS. 

[16] Sample engagement letter to a federal entity or IG from FAM 215 A. 

[17] If computer software is used to calculate sample size, the auditor 
should understand how the software handles expected misstatements. For 
example, assume that an auditor is using Interactive Data Extraction 
and Analysis (IDEA) to calculate sample size when tolerable 
misstatement is lower than design materiality because the auditor 
expects misstatements. The auditor should use the design materiality in 
IDEA because the expected misstatement amount is separately input and 
used by IDEA to determine the sample size. See FAM 480.27. 

[18] The auditor is not required to opine on RSSI. FASAB has been 
phasing out RSSI with stewardship investments remaining as the last 
significant RSSI item. 

[19] Control risk is defined in AU 312.21 as “the risk that a 
misstatement could occur in a relevant assertion and that could be 
material, either individually or when aggregated with other 
misstatements, will not be prevented or detected on a timely basis by 
the entity’s internal control.” Control risk assessment is discussed in 
FAM 370. 

[20] These also include significant provisions of contracts and grant 
agreements, if applicable. 

[21] Assurance is not the same as statistical confidence. Assurance is 
a combination of quantitative measurement and auditor judgment. 

[22] See Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1] 
(November 1999). 

[23] Applies to entities that do not issue their own FMFIA report, but 
have an FMFIA process for contributing information to another entity’s 
FMFIA report, such as bureau-level information included in a 
department-level FMFIA report. 

[24] Guidance to establish these programs and controls can be found in 
Management Antifraud Programs and Controls, commissioned by the Fraud 
Task Force of the Auditing Standards Board of the AICPA, and is 
available at the AICPA’s Web site at [hyperlink, http://www.aicpa.org]. 

[25] FMFIA was repealed and codified at 31 U.S.C. 3512(c), (d). Because 
of the common usage of the act’s name, the FAM will continue to refer 
to FMFIA. However, auditors should correctly cite the applicable 
provisions in their reports. See FAM 595 A. 

[26] These four components are also contained in GAO’s Standards for 
Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, 
November 1999), with the fifth component, control activities, discussed 
in FAM 260.08 and FAM 340. 

[27] Those charged with governance refers to those who have the 
responsibility for overseeing the strategic direction of the entity and 
obligations related to the accountability of the entity, including 
overseeing the entity’s financial reporting and disclosure process. For 
a federal entity, this may be the secretary of a cabinet-level 
department, members of a board or commission, an audit committee, or 
senior executive and financial managers responsible for the entity. 

[28] The term “other auditors” refers to auditors other than the audit 
organization performing the entity’s financial statement audit as 
principal auditor. These “other” auditors may be part of the entity’s 
monitoring controls. See FAM 650 for further discussion of principal 
auditor and using the work of other auditors in certain circumstances. 

[29] The auditor may also perform audit procedures on September 30 
interim amounts to be included in the consolidated financial statements 
of the U.S. government for federal entities with different year-ends. 

[30] The auditor should coordinate sampling control tests with 
substantive audit procedures and/or tests of compliance with laws and 
regulations (multipurpose tests), to maximize efficiency. See FAM 450 
for further discussion. 

[31] As indicated in FAM 260.58-.63, the FMFIA report and its 
supporting documentation may be used as a starting point for 
understanding and evaluating internal control. The auditor may use 
management's documentation of systems and internal control, including 
A-123 work, where appropriate. The auditor may use management’s tests of 
controls as part of the auditor’s tests of controls, if such tests were 
executed by competent individuals independent of the controls. (See AU 
322 and FAM 650 for further information.) 

[32] FAM 395 C presents a list of typical control activities that an 
entity may establish to help prevent or detect and correct 
misstatements in financial statement assertions. 

[33] Assertions that have high inherent risk normally require stronger 
or more extensive controls to prevent or detect and correct 
misstatements than assertions without such risk. 

[34] Control environment, risk assessment, communication, and 
monitoring weaknesses may result in ineffective control activities. If 
so, the auditor should still understand the design of specific control
activities and determine whether they have been implemented, but may 
limit the extent of testing as discussed in FAM 340.02. 

[35] The auditor may assess the risk of material misstatement on a 
preliminary basis at an earlier point in the audit, if preferred. This 
may be particularly appropriate for a recurring audit where the auditor 
has an understanding of the design of the control environment, entity 
risk assessment, information and communication, and monitoring 
components of internal control. 

[36] Specific relevant control activities for significant assertions 
are documented later in the SCE worksheet or equivalent, after related 
control objectives have been identified (see FAM 330.02-.11). 

[37] Based on inherent risk, the auditor may choose to add an 
additional potential misstatement and control objective regarding the 
overstatement of disclosure information. The potential misstatement may 
be worded as “All information disclosed in the financial statements 
actually occurred and pertains to the rights and obligations of the 
entity.” 

[38] Segregation-of-duties controls are a type of safeguarding control 
and are often crucial to the effectiveness of controls, particularly 
over liquid, readily marketable assets that are highly susceptible to 
theft, loss, or misappropriation. Such controls are designed to reduce 
the opportunities for any person to be in a position to both commit and 
conceal fraud. The lack of segregation-of-duties controls may be 
pervasive and affect several misstatements. FAM 330.08 discusses when 
the auditor should test segregation-of-duties controls. 

[39] For additional information on budget execution, see OMB Circular 
No. A-11, Preparation, Submission, and Execution of the Budget, part 4. 
Another useful document is GAO’s A Glossary of Terms Used in the 
Federal Budget Process (GAO-05-734SP, September 2005). The SGL and 
related accounting in the TFM can be found at [hyperlink, 
http://www.fms.treas.gov]. 

[40] In the normal flow of business, when obligations are incurred, a 
credit to “undelivered orders” or “unexpended obligations - unpaid” is 
recorded (SGL account 4801) with a debit to commitments (SGL account 
4700 or 4720). When the goods or services are received, the obligation 
is debited (SGL account 4801) with a credit to “delivered 
orders-unpaid” or “expended authority - unpaid” (SGL account 4901). At this 
time, a proprietary accounting entry is also made to debit expenditures 
(usually an SGL account 6100) with a credit to accounts payable (SGL 
account 2110). When the obligation is paid and the outlay is made, the 
transaction is credited to “delivered orders-paid” or “expended 
authority - paid” (SGL account 4902). At this time, a proprietary 
accounting entry is also made to debit accounts payable (SGL account 
2110) with a credit to FBWT (SGL account 1010). For additional 
transaction details, see TFM’s “U.S. Standard General Ledger Accounting 
Transactions Supplement”. 

[41] Unobligated amounts are debited and moved to “allotments – expired 
authority” with a credit to SGL account 4650. 

[42] Amounts of commitments, obligations, and expended authority may 
differ for a particular item acquired. Commitments are made at 
“initial” estimates, obligations at “later” estimates, and expended 
authority at “actual” amounts. 

[43] Expired authority (SGL account 4650) is debited and moved to 
canceled authority by a credit to SGL account 4350. At this time, a 
proprietary entry is made to debit and reduce unexpended appropriations
(SGL account 3106) and to credit and reduce FBWT (SGL account 1010). 

[44] OMB apportionments may, as a result of impoundments (rescissions 
or deferrals), be less than the amount of the apportionments requested 
by the entity. The auditor generally should notify OGC of any 
impoundments that come to his or her attention. OMB may also approve 
amounts available different from those requested by time period, 
activity, project, or object class. 

[45] On the SCE worksheet, the auditor may either commingle the 
documentation of compliance (including budget) and operations controls 
with that of financial reporting controls to the extent relevant or 
present each of these types of controls in a separate SCE. To complete 
the SCE worksheet for these controls, the auditor begins by inserting 
relevant control objectives and performs steps 5 and 6. 

[46] Many factors influence efficiency in addition to number of 
sampling applications, such as sample size, number of locations it is 
necessary to visit to achieve audit objectives, nature of the audit 
procedures, extent of review required, and whether rework can be 
avoided by designing easy-to-follow procedures. 

[47] Software such as IDEA allows the auditor to quickly perform the 
calculations necessary for statistical sampling. IDEA is the primary 
software GAO uses. It is distributed by Audimation Services, Inc., 
Houston, Texas. 

[48] Usually, this is covered by selecting a larger sample than needed. 
For example, if 135 items are the sample size, the auditor may draw an 
IDEA random sample of 160 items and test the first 135 as they are 
randomly selected from across the population. The auditor may use the 
additional 25 items as replacements (such as for a voided item) or to 
expand the sample, if appropriate. 

[49] The probability associated with the precision, that is, the 
probability that the true misstatement is within the confidence 
interval. This is not the same as assurance. 

[50] Tables I and II assume a population over 2,000 items. If the 
population is smaller, the auditor may ask the statistician to 
calculate a reduced sample size and to evaluate the results. The effect 
is generally small unless the sample size per the table is more than 10 
percent of the population. 

[51] Using the AICPA guidance, the auditor computes the deviation rate 
and the upper limit at the desired confidence level (usually the same 
confidence level used to determine sample size). If the upper limit of
deviations is less than the tolerable rate, the results support the 
control risk assessment. If not, the auditor should increase the 
assessed control risk when designing substantive procedures. 

[52] The proprietary accounting system supports the accrual basis of 
accounting. 

[53] If data are disaggregated, the limit is still applied on an annual 
basis. 

[54] Usually the auditor applying nonstatistical sampling will select a 
“haphazard sample.” A haphazard sample is a sample consisting of 
sampling units selected without conscious bias, that is, without any
special reason for including or excluding items from the sample. It 
does not consist of sampling units selected in an arbitrary manner; 
rather it is selected in a way the auditor expects to be representative 
of the population. Since a haphazard sample is not the same as a 
statistical sample, the auditor using a haphazard sample cannot 
calculate precision at a given confidence level. However, AICPA 
guidance indicates that the auditor may use the haphazard sample to 
make a judgment of what a statistical sample might have shown. For
example, the auditor may use the haphazard sample to make a judgment as 
to the likely misstatement in areas that are not very significant. Even 
though the judgment will not be a statistical projection, it may assist 
the auditor in determining whether the possible misstatement could be 
material. Professional standards and the FAM do not use the term 
“judgment sample.” All selections (including statistical selections) 
require judgment. The term “judgment sample” is often used to refer to
nonrepresentative selections, although it sometimes refers to 
nonstatistical samples. 

[55] This expectation affects the efficiency of the sample, not its 
effectiveness. GAO auditors who use IDEA to calculate sample size 
(based on the binomial distribution) use classical variables estimation 
sampling when they expect that more than 30 percent of the sampling 
units contain misstatements (no matter what the size of the 
misstatement). When GAO auditors expect that 10 percent or fewer of the 
sampling units contain misstatements, GAO auditors use MUS. When GAO 
auditors expect that between 10 and 30 percent of the sampling units contain 
misstatements, GAO auditors consult with the statistician. The auditor, 
in consultation with the statistician, generally should determine 
whether to use classical PPS to evaluate the sample to obtain a smaller 
precision, if a large misstatement rate is found. Other auditors, in 
consultation with their statisticians, may use different rules of thumb 
in deciding when to use MUS versus classical variables estimation 
sampling. 

[56] This means, for example, that an item that has a selected amount 
of $1,000 cannot be misstated by more than $1,000. This is not an issue 
in testing existence (overstatement) or valuation (overstatement). 
However, it might be an issue in testing completeness (understatement) 
or valuation (understatement). Thus, if understatements larger than the 
selected amount are expected, the auditor generally should use 
classical variables estimation sampling. 

[57] IDEA offers two methods of selecting a sample. The auditor 
generally should use the cell method rather than the fixed interval 
method. In the cell method, the program divides the population into 
cells such that each cell is equal in size to an interval. Then the 
program selects a random dollar in each cell. The random dollar 
selected identifies the transaction, account, or line item to be tested 
(sometimes called the logical unit). 

[58] The 25 percent is a rough estimate that is used because there is 
no way to calculate the correct sample size. 

[59] As a general rule, this means 10 misstatements if the sample size 
is from 75 to 100, 10 percent if the sample size is from 100 to 300, 
and 30 if the sample size is over 300. Minimum sample size for 
Classical PPS Sampling is 75. 

[60] The auditor should not assume that an instance of fraud or error 
is an isolated occurrence, and therefore should consider how the 
detection of such misstatement affects the assessed risks of material
misstatement (AU 318.73). 

[61] Audit assurance is not the same as statistical confidence level. 
It is the complement of audit risk. For example, a 5 percent audit risk 
yields a 95 percent audit assurance level. Assurance is a combination of
quantitative measurement and the auditor’s professional judgment. 

[62] Generally, entities resist booking likely misstatements based upon 
projections citing no supporting transactions. However, the amount can 
be booked through a general journal entry and reversed the following 
year. 

[63] GASB establishes U.S. GAAP for units of state and local 
government. 

[64] Non-GAO auditors may combine bullets 3 and 4. 

[65] These are usually comparative statements for the current and prior 
years unless it is the entity’s initial audit. 

[66] If the statement of financing is presented as a basic statement 
rather than as a note disclosure, insert “reconciliation of net costs 
to budgetary obligations.” 

[67] See note 66. 

[68] See note 66. 

[69] If the auditor finds no material weaknesses in internal control, 
the auditor may express an opinion on management’s assertion or 
directly on internal control. 

[70] The phrase “more than inconsequential” as used in the definition 
of significant deficiency describes the magnitude of potential 
misstatement that could occur as a result of a significant deficiency 
and serves as a threshold for evaluating whether a control deficiency 
or combination of control deficiencies is a significant deficiency. 

[71] This definition is used to determine whether a material weakness 
exists. The auditor may use abbreviated language in the report (see FAM 
595 A). 

[72] Inconsequential in this context is not the same concept as the 
threshold amount the auditor establishes in an audit of financial 
statements below which known and likely misstatements need not be 
accumulated. 

[73] A compensating control is a control that limits the severity of a 
control deficiency and prevents it from rising to the level of a 
significant deficiency or, in some cases, a material weakness. 
Compensating controls operate at a level of precision, considering the 
possibility of further undetected misstatements, that would result in 
the prevention or detection of a misstatement that is more than 
inconsequential or material to the financial statements. Although 
compensating controls mitigate the effects of a control deficiency, 
they do not eliminate the control deficiency. 

[74] In GAGAS audits, those likely to rely on the financial statements 
include those charged with governance, appropriate oversight bodies, 
and funding agencies. 

[75] OMB audit guidance provides guidance for reporting on FFMIA 
compliance without expressing an opinion. 

[76] Non-GAO auditors may combine bullets 3 and 4. 

[77] This list assumes the entity follows U.S. GAAP issued by FASAB. If 
the entity follows U.S. GAAP issued by FASB (government corporations 
and others such as the U.S. Postal Service), modify the list 
accordingly. 

[78] Non-GAO auditors may combine this information with compliance with 
laws and regulations. 

[79] The Annual Financial Statement that includes the MD&A, any RSSI, 
RSI, and OAI, may be included in a larger document such as a 
Performance and Accountability Report (PAR). Depending on the 
presentation of these items in the PAR, the auditor may find it useful 
to refer to the specific page numbers on which this information 
appears. Additionally, there may be additional information presented in 
the PAR on which the auditor may need to provide an additional 
disclaimer. This disclaimer may be worded as “The other accompanying 
information included on pages XX, XX, and XX of this PAR is presented 
for purposes of additional analysis and is not a required part of the 
financial statements. This information has not been subjected to the 
auditing procedures applied in the audit of the financial statements 
and, accordingly, we express no opinion on it.” 

[80] If the entity’s comments include discussions of corrective action 
plans or other matters as discussed in FAM 580.84, example wording is: 
“We did not perform audit procedures on [entity’s] written response to
the significant deficiencies [and material weaknesses, if applicable] 
and, accordingly, we express no opinion on it.” 

[81] OMB audit guidance provides guidance for reporting on FFMIA 
compliance without expressing an opinion. 

[82] Non-GAO auditors may combine bullets 3 and 4. 

[83] This list assumes the entity follows U.S. GAAP issued by FASAB. If 
the entity follows U.S. GAAP issued by FASB (government corporations 
and others such as the U.S. Postal Service), modify the list 
accordingly. 

[84] Non-GAO auditors may combine this information with compliance with 
laws and regulations. 

[85] The Annual Financial Statement that includes the MD&A, any RSSI, 
RSI, and OAI, may be included in a larger document such as a 
Performance and Accountability Report (PAR). Depending on the 
presentation of these items in the PAR, the auditor may find it useful 
to refer to the specific page numbers on which this information 
appears. Additionally, there may be additional information presented in 
the PAR on which the auditor may need to provide an additional 
disclaimer. This disclaimer may be worded as “The other accompanying 
information included on pages XX, XX, and XX of this PAR is presented 
for purposes of additional analysis and is not a required part of the 
financial statements. This information has not been subjected to the 
auditing procedures applied in the audit of the financial statements 
and, accordingly, we express no opinion on it.” 

[86] If the entity’s comments include discussions of corrective action 
plans or other matters discussed in FAM 580.84, example wording is: “We 
did not perform audit procedures on [entity’s] written response to the
significant deficiencies [and material weaknesses, if applicable] and, 
accordingly, we express no opinion on it.” 

[87] Matters that are “trivial” are amounts designated by the auditor 
below which misstatements do not need to be accumulated. This amount is 
set so that any such misstatements, either individually or when 
aggregated with all other misstatements, would not be material to the 
financial statements, after the possibility of further undetected 
misstatements is considered. 

[End of section] 

[End of manual]