Chapter 5: Reporting Standards for Financial Audits
Introduction
5.01
This chapter establishes reporting standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). For financial audits, GAGAS incorporate the American Institute of Certified Public Accountants (AICPA) field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS. This chapter identifies the AICPA reporting standards and prescribes additional standards for financial audits performed in accordance with GAGAS.
5.02
For financial audits performed in accordance with GAGAS, chapters 1 through 5 apply.
AICPA Reporting Standards
5.03
The four AICPA generally accepted standards of reporting are as follows:
a.
The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP).
b.
The auditor must identify in the auditor's report those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period.
c.
When the auditor determines that informative disclosures are not reasonably adequate, the auditor must so state in the auditor's report.
d.
The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that an opinion cannot be expressed, in the auditor's report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor's report. In all cases where an auditor's name is associated with financial statements, the auditor should clearly indicate the character of the auditor's work, if any, and the degree of responsibility the auditor is taking in the auditor's report.
Additional Government Auditing Standards
5.04
GAGAS establish reporting standards for financial audits in addition to the standards contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to
a.
reporting auditors' compliance with GAGAS (see paragraphs 5.05 and 5.06);
b.
reporting on internal control and compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.07 through 5.09);
c.
reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.10 through 5.22);
d.
communicating significant matters in the auditors' report (see paragraphs 5.23 through 5.25);
e.
reporting on the restatement of previously-issued financial statements (see paragraphs 5.26 through 5.31);
f.
reporting views of responsible officials (see paragraphs 5.32 through 5.38);
g.
reporting confidential or sensitive information (see paragraphs 5.39 through 5.43); and
h.
distributing reports (see paragraph 5.44).
Reporting Auditors' Compliance with GAGAS
5.05
When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors' report that they performed the audit in accordance with GAGAS. (See paragraphs 1.12 and 1.13 for additional requirements on citing compliance with GAGAS.)
5.06
An audited entity receiving a GAGAS audit report may also request auditors to issue a financial audit report for purposes other than complying with requirements for a GAGAS audit. For example, the audited entity may need audited financial statements to issue bonds or for other financing purposes. GAGAS do not prohibit auditors from issuing a separate report conforming only to AICPA or other standards.
Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements
5.07
When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements.
5.08
Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. If the auditors issue separate reports, they should include a reference to the separate reports in the report on financial statements. Auditors should state in the reports whether the tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. The internal control reporting standard under GAGAS differs from the objective of an examination of internal control in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE), which is to express an opinion on the design or the design and operating effectiveness of an entity's internal control, as applicable. To form a basis for expressing such an opinion, the auditor must plan and perform the examination to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of a point in time or for a specified period of time.
5.09
When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, they should state in the financial statement audit report that they are issuing those additional reports. They should include a reference to the separate reports and also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and important for assessing the results of the audit. If auditors issued or intend to issue a management letter, they should refer to that management letter in the reports.
Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse
5.10
For financial audits, including audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, and based upon the audit work performed, (1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements.
Deficiencies in Internal Control
5.11
For all financial audits, auditors should report the following deficiencies in internal control:
a.
Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential
will not be prevented or detected.
b.
Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
5.12
Assessing the significance of control deficiencies includes qualitative considerations such as public accountability of the audited entity, legal and regulatory requirements, the visibility and sensitivity of the entity or program, the needs of users and concerns of oversight officials, and current and emerging risks and uncertainties facing the government entity or entity that receives government funding. The significance of a deficiency in internal control also is influenced by
a.
the likelihood that a deficiency, or combination of deficiencies, could fail to prevent or detect a material misstatement of an account balance or disclosure; and
b.
the magnitude of the potential misstatement.
5.13
Auditors should include all significant deficiencies in the auditors' report on internal control over financial reporting and indicate those that represent material weaknesses. If (1) a significant deficiency is remediated before the auditors' report is issued and (2) the auditors obtain sufficient, appropriate evidence supporting the remediation of the significant deficiency, then the auditors should report the significant deficiency and the fact that it was remediated before the auditors' report was issued.
5.14
Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statements is a matter of professional judgment. Auditors should document such communications.
Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse
5.15
Under AICPA standards and GAGAS, auditors have responsibilities for detecting fraud and illegal acts that have a material effect on the financial statements and determining whether those charged with governance are adequately informed about fraud and illegal acts. GAGAS include additional reporting standards. When auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their audit report the relevant information about
a
. fraud and illegal acts that have an effect on the financial statements that is more than inconsequential,
b.
violations of provisions of contracts or grant agreements that have a material effect on the determination of financial statement amounts or other financial data significant to the audit, and
c.
abuse that is material, either quantitatively or qualitatively. (See paragraphs 4.12 and 4.13 for a discussion of abuse.)
5.16
When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the financial statements that is less than material but more than inconsequential, they should communicate those findings in writing to officials of the audited entity. Determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications.
5.17
When fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse either have occurred or are likely to have occurred, auditors may consult with authorities or legal counsel about whether publicly reporting such information would compromise investigative or legal proceedings. Auditors may limit their public reporting to matters that would not compromise those proceedings, and for example, report only on information that is already a part of the public record.
Reporting Findings Directly to Parties Outside the Audited Entity
5.18
Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances.
a.
When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties.
b.
When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the financial statements and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency.
5.19
The reporting in paragraph 5.18 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion.
5.20
Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 5.18.
Presenting Findings in the Auditors' Report
5.21
In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives. Clearly developed audit findings, as discussed in paragraphs 4.14 through 4.18, assist management or oversight officials of the audited entity in understanding the need for taking corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.
5.22
Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately.
Communicating Significant Matters in the Auditors' Report
5.23
Under AICPA standards, auditors may emphasize in the auditors' report significant matters regarding the financial statements. Due to the public interest in the operations of government entities and entities that receive or administer government awards, there may be situations in GAGAS audits in which certain types of information would help facilitate the readers' understanding of the financial statements and the auditors' report. These situations may be in addition to the examples presented in AICPA standards.
5.24
Examples of matters that auditors may communicate in a GAGAS audit include the following:
a.
Significant concerns or uncertainties about the fiscal sustainability of a government or program or other matters that could have a significant impact on the financial condition or operations of the government entity beyond 1 year of the financial statement date. Such concerns or uncertainties may arise due to revenue or expenditure trends; economic dependency on other governments or entities; the government's current commitments, responsibilities, liabilities, or promises to citizens for future benefits that are not sustainable over the long term; deficit trends; the relationship between the financial information and other key indicators; and other significant risks and uncertainties that raise doubts about the long-term sustainability of current government programs in relation to the resources expected to be available. However, auditors are not responsible for designing audit procedures to detect such concerns or uncertainties, and any judgment about the future is based on information that is available at the time the judgment is made.
b.
Unusual or catastrophic events that will likely have a significant ongoing or future impact on the entity's financial condition or operations.
c.
Significant uncertainties surrounding projections or estimations in the financial statements.
d.
Any other matter that the auditors consider significant for communication to users and oversight bodies in the auditors' report.
5.25
Determining whether to communicate such information in the auditors' report is a matter of professional judgment. The communication may be presented in a separate paragraph or separate section of the auditors' report and may include information that is not disclosed in the financial statements.
Reporting on Restatement of Previously-Issued Financial Statements
5.26
AICPA Professional Standards, AU Section 561,
Subsequent Discovery of Facts Existing at the Date of the Auditor's Report,
establish standards and provide guidance for situations when auditors become aware of new information that could have affected their report on previously-issued financial statements. Under AU Section 561, if auditors become aware of new information that might have affected their opinion on previously-issued financial statement(s), then the auditors should advise entity management to determine the potential effect(s) of the new information on the previously-issued financial statement(s) as soon as reasonably possible. Such new information may lead management to conclude that previously-issued financial statements were materially misstated and to restate and reissue the misstated financial statements. In such circumstances, auditors should advise management to make appropriate disclosure of the newly discovered facts and their impact on the financial statements to those who are likely to rely on the financial statements.
5.27
Under GAGAS, auditors should advise management to make appropriate disclosures when the auditors believe that the following conditions exist: (1) it is likely that previously-issued financial statements are misstated and (2) the misstatement is or reasonably could be material. Under GAGAS, auditors also should perform the following procedures related to restated financial statements:
a.
evaluate the timeliness and appropriateness of management's disclosure and actions to determine and correct misstatements in previously-issued financial statements (see paragraph 5.28),
b.
report on restated financial statements (see paragraphs 5.29 and 5.30), and
c.
report directly to appropriate officials when the audited entity does not take the necessary steps (see paragraph 5.31).
Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements
5.28
Auditors should evaluate the timeliness and appropriateness of management's disclosure to those who are likely to rely on the financial statements and management's actions to determine and correct misstatements in previously-issued financial statements in accordance with AU Sections 561.06 through 561.08. Under GAGAS, auditors also should evaluate whether management
a.
acted in an appropriate time frame after new information was available to (1) determine the financial statement effects of the new information and (2) notify those who are likely to rely on the financial statements;
b.
disclosed the nature and extent of the known or likely material misstatements on Web pages where management has published the auditors' report on the previously-issued financial statements; and
c.
disclosed the following information in the entity's restated financial statements: (1) the nature and cause(s) of the misstatement(s) that led to the need for restatement, (2) the specific amount(s) of the material misstatement(s), and (3) the related effect(s) on the previously-issued financial statement(s) (e.g., year(s) being restated, specific financial statement(s) affected and line items restated, actions the agency's management took after discovering the misstatement), and (4) the impact on the financial statements as a whole (e.g., change in overall net position, change in the audit opinion) and on key information included in the Management Discussion & Analysis.
Report on Restated Financial Statements
5.29
When management restates financial statements, auditors should perform audit procedures sufficient to reissue or update the auditors' report on the restated financial statements regardless of whether the restated financial statements are separately issued or presented on a comparative basis with those of a subsequent period. Auditors should include the following in an explanatory paragraph in the reissued or updated auditors' report:
a.
a statement disclosing that the previously-issued financial statements have been restated;
b.
a statement that (1) the previously-issued auditors' report (identified by report date) is not to be relied on because the previously-issued financial statements were materially misstated and (2) the previously-issued auditors' report is replaced by the auditors' report on the restated financial statements;
c.
a reference to the note(s) to the restated financial statements that discusses the restatement; and
d
. if applicable, a reference to the report on internal control containing a discussion of any significant internal control deficiency identified by the auditors as having failed to prevent or detect the misstatement and any corrective action taken by management to address the deficiency.
5.30
Management's failure to include appropriate disclosures, as discussed in paragraph 5.28c, in restated financial statements may have implications for the audit. In addition, auditors should include the omitted disclosures in the auditors' report, if practicable.
Report Directly to Appropriate Officials When the Audited Entity Does Not Take the Necessary Steps
5.31
Auditors should notify those charged with governance if entity management (1) does not act in an appropriate time frame after new information was available to determine the financial statement effects of the new information and take the necessary steps to timely inform those who are likely to rely on the financial statements and the related auditors' reports of the situation or (2) does not restate with reasonable timeliness the financial statements under circumstances in which auditors believe they need to be restated. Auditors should inform those charged with governance that the auditors will take steps to prevent further reliance on the auditors' report and advise them to notify oversight bodies and funding agencies that rely on the financial statements. If those charged with governance do not notify appropriate oversight bodies and funding agencies, then the auditors should do so.
Reporting Views of Responsible Officials
5.32
If the auditors' report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions.
5.33
Providing a draft report with findings for review and comment by responsible officials of the audited entity and others helps the auditors develop a report that is fair, complete, and objective. Including the views of responsible officials results in a report that presents not only the auditors' findings, conclusions, and recommendations, but also the perspectives of the responsible officials of the audited entity and the corrective actions they plan to take. Obtaining the comments in writing is preferred, but oral comments are acceptable.
5.34
When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated.
5.35
Auditors should also include in the report an evaluation of the comments, as appropriate. In cases in which the audited entity provides technical comments in addition to its written or oral comments on the report, auditors may disclose in the report that such comments were received.
5.36
Obtaining oral comments may be appropriate when, for example, there is a reporting date critical to meeting a user's needs; auditors have worked closely with the responsible officials throughout the conduct of the work and the parties are familiar with the findings and issues addressed in the draft report; or the auditors do not expect major disagreements with findings, conclusions, and recommendations in the draft report, or major controversies with regard to the issues discussed in the draft report.
5.37
When the audited entity's comments are inconsistent or in conflict with findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence.
5.38
If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments.
Reporting Confidential or Sensitive Information
5.39
If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary.
5.40
Certain information may be classified or may otherwise be prohibited from general disclosure by federal, state, or local laws or regulations. In such circumstances, auditors may issue a separate, classified, or limited use report containing the information and distribute the report only to persons authorized by law or regulation to receive it.
5.41
Additional circumstances associated with public safety and security concerns could also justify the exclusion of certain information from a publicly available or widely distributed report. For example, detailed information related to computer security for a particular program may be excluded from publicly available reports because of the potential damage that could be caused by the misuse of this information. In such circumstances, auditors may issue a limited use report containing such information and distribute the report only to those parties responsible for acting on the auditors' recommendations. The auditors may consult with legal counsel regarding any requirements or other circumstances that may necessitate the omission of certain information.
5.42
Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices.
5.43
When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. For example, the auditors may communicate general information in a written report and communicate detailed information verbally. The auditors may consult with legal counsel regarding applicable public records laws.
Distributing Reports
5.44
Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS:
a.
Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports.
b.
Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should:
(1) assess the potential risk to the organization,
(2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report.
c.
Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public.
|
