Auditor Communication During Planning

6.06 Under AICPA standards and GAGAS, auditors should establish an understanding with the entity regarding the services to be performed for each engagement. Auditors also should obtain written acknowledgment or other evidence of the entity's responsibilities for the subject matter or the written assertion as it relates to the objectives of the engagement. GAGAS broaden the parties included in the communications during planning and contain additional items in the communications.

6.07 Under GAGAS, when planning the engagement, auditors should communicate certain information, including their understanding of the services to be performed for each engagement, in writing to entity management, those charged with governance,80 and to the individuals contracting for or requesting the engagement. When auditors perform the engagement pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS:

a . the nature, timing, and extent of planned testing and reporting;

b . the level of assurance the auditor will provide; and

c. any potential restriction on the auditors' reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted.

6.08 If an engagement is terminated before it is completed and a report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. Determining whether and how to communicate the reason for terminating the engagement to those charged with governance, appropriate officials of the entity, the entity contracting for or requesting the engagement, and other appropriate officials will depend on the facts and circumstances and, therefore, is a matter of professional judgment.

Previous Audits and Attestation Engagements

6.09 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the subject matter. When planning the engagement, auditors should ask entity management to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter of the attestation engagement being undertaken, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current engagement objectives.

Internal Control

6.10 In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter in order to plan the engagement and design procedures to achieve the objectives of the attestation engagement.

6.11 In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control as it relates to the subject matter to which the auditors are attesting. The subject matter may be financial or nonfinancial. (See paragraph 1.23 for a discussion of possible attestation engagement subject matters.)

6.12 A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct errors in assertions made by management on a timely basis. A deficiency in design exists when (1) a control necessary to meet the control objective is missing or (2) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter

6.13 The auditors' responsibility with regard to fraud,81 illegal acts, violations of provisions of contracts or grant agreements, or abuse for attestation engagements performed in accordance with GAGAS is as follows:

a. Examination-level engagements: In planning, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter of the attestation engagement. Thus, auditors should assess the risk and possible effects of material fraud, illegal acts, or violations of provisions of contracts or grant agreements on the subject matter of the attestation engagement. When risk factors are identified, auditors should document the risk factors identified, the auditors' response to those risk factors individually or in combination, and the auditors' conclusions.

b. Review-level and agreed-upon-procedures-level engagements: If during the course of the engagement, information comes to the auditors' attention indicating that fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter may have occurred, auditors should perform procedures as necessary to
(1) determine if fraud, illegal acts, or violations of provisions of contracts or grant agreements are likely to have occurred and, if so, (2) determine their effect on the results of the attestation engagement. Auditors are not expected to provide assurance of detecting potential fraud, illegal acts, or violations of provisions of contracts or grant agreements for these types of engagements unless it is specified in the procedures.

c. For all levels of attestation engagements: If during the course of the engagement, auditors become aware of abuse that could be quantitatively or qualitatively material, auditors should apply procedures specifically directed to ascertain the potential effect on the subject matter or other data significant to the engagement objectives. After performing additional work, auditors may discover that the abuse represents potential fraud or illegal acts. Because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse in attestation engagements.

6.14 Abuse involves behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate. Abuse does not necessarily involve fraud, violation of laws, regulations, or provisions of a contract or grant agreement.

Developing Elements of a Finding

6.15 Audit findings may involve deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse. The elements needed for a finding depend entirely on the engagement objectives. Thus a finding or set of findings is complete to the extent that the engagement objectives are satisfied. When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the engagement objectives. The elements of a finding are discussed in paragraphs 6.16 through 6.19.

6.16 Criteria: The laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings.

6.17 Condition: Condition is a situation that exists. The condition is determined and documented during the engagement.

6.18 Cause: The cause identifies the reason or explanation for the condition or the factor or factors responsible for the difference between the situation that exists (condition) and the required or desired state (criteria), which may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor or factors contributing to the difference.

6.19 Effect or potential effect: The effect is a clear, logical link to establish the impact or potential impact of the difference between the situation that exists (condition) and the required or desired state (criteria). The effect or potential effect identifies the outcomes or consequences of the condition. When the engagement objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the engagement, "effect" is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks.

Attest Documentation

6.20 Under GAGAS, auditors must prepare attest documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of engagement procedures performed); the evidence obtained and its source; and the conclusions reached. Documentation provides the principal support for

a. the statement in the engagement report that the auditors performed the attestation engagement in accordance with GAGAS and any other standards cited and

b. the auditors' conclusion.

6.21 Auditors should prepare attest documentation in sufficient detail to enable an experienced auditor,82 having no previous connection to the attestation engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare attest documentation that contains support for findings, conclusions, and recommendations before they issue their report.

6.22 Auditors also should document the following for attestation engagements performed under GAGAS:

a. the objectives, scope, and methodology of the attestation engagement;

b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;83

c. evidence of supervisory review, before the engagement report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the engagement report; and

d. the auditors' consideration that the planned procedures be designed to achieve objectives of the attestation engagement when (1) evidence obtained is dependent on computerized information systems,
(2) such evidence is material to the objective of the engagement, and (3) the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the evidence. Auditors should document (1) the rationale for determining the nature, timing, and extent of planned procedures; (2) the kinds and competence of available evidence produced outside a computerized information system, or plans for direct testing of data produced from a computerized information system; and (3) the effect on the attestation engagement report if evidence to be gathered does not afford a reasonable basis for achieving the objectives of the engagement.

6.23 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the engagement, the auditors should document the departure, the impact on the engagement and on the auditors' conclusions. This applies to departures from mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard. (See paragraphs 1.12 and 1.13.)

6.24 Audit organizations should establish policies and procedures for the safe custody and retention of documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention. Whether engagement documentation is in paper, electronic, or other media, the integrity, accessibility, and retrievability of the underlying information could be compromised if the documentation is altered, added to, or deleted without the auditors' knowledge, or if the documentation is lost or damaged. For attest documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the attest documentation.

6.25 Underlying GAGAS engagements is the premise that audit organizations in federal, state, and local governments and public accounting firms engaged to perform an engagement in accordance with GAGAS cooperate in performing attestation engagements of programs of common interest so that auditors may use others' work and avoid duplication of efforts. Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as attest documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives. The use of auditors' work by other auditors may be facilitated by contractual arrangements for GAGAS engagements that provide for full and timely access to appropriate individuals, as well as attest documentation.

6.26 Audit organizations should develop policies to deal with requests by outside parties to obtain access to attest documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any.

Materiality in GAGAS Attestation Engagements

6.28 The concept of materiality recognizes that some matters, either individually or in the aggregate, are important for fair presentation of a subject matter or an assertion about a subject matter, while other matters are not important. In performing the engagement, matters that, either individually or in the aggregate, could be material to the subject matter are a primary consideration. In engagements performed in accordance with GAGAS, auditors may find it appropriate to use lower materiality levels as compared with the materiality levels used in non-GAGAS engagements because of the public accountability of government entities and entities receiving government funding, various legal and regulatory requirements, and the visibility and sensitivity of government programs.

Ongoing Investigations or Legal Proceedings

6.29 Avoiding interference with investigations or legal proceedings is important in pursuing indications of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse. Laws, regulations, or policies might require auditors to report indications of certain types of fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse to law enforcement or investigatory authorities before performing additional procedures. When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current engagement. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an investigation.

Reporting Auditors' Compliance with GAGAS

6.32 When auditors comply with all applicable GAGAS requirements, they should include a statement in the attestation report that they performed the engagement in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.) GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of other standards.

Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse

6.33 For attestation engagements, auditors should report, as applicable to the objectives of the engagement, and based upon the work performed,
(1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the subject matter of the engagement.

Reporting Views of Responsible Officials

6.44 If the attestation engagement report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.

6.45 Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.

6.46 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.

6.47 Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.

6.48 Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with the findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.

6.49 When the entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.

6.50 If the entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.

Reporting Confidential or Sensitive Information

6.51 If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.

6.52 Certain information may be classified or may be otherwise prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate classified or limited use report containing such information and distribute the report only to persons authorized by law or regulation to receive it.

6.53 Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.

6.54 Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the engagement results or conceal improper or illegal practices.

6.55 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditor may consult with legal counsel regarding applicable public records laws.

Distributing Reports

6.56 Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:

a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports.

b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization,
(2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report.

c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public.