How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013

Transcription

1 How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, :30 8:00 Continental Breakfast & Registration 8:00 8:30 Section I - Introductions and Course Objectives 8:30 9:15 Section II - Overview of the ALGA Peer Review Process Complete Form E (Background Information) 9:15 9:30 Break 9:30 10:45 Section III Preparing Your Shop for the Peer Review Flexibility in Applying Standards (Exercise I) 10:45 11:00 Break 11:00 11:30 Description of Quality Control System (From G) 11:30 11:45 Section IV Common Exceptions Noted on Peer Reviews and How to Avoid 11:45 11:55 Questions and Wrap-Up

2 E. AUDIT ORGANIZATION BACKGROUND INFORMATION (Revision Date: 06/06/12) ALGA Peer Review Guide (2011) The audit organization uses this form to provide the peer review team with information regarding the audit organization s operating environment and type of work performed. Additional pages may be attached, if necessary, to respond to the information requested in this form. The audit organization should complete this form and provide a copy to each member of the review team at least one month prior to the site visit. 1. Government Entity: 2. Audit Organization: 3. Name and Title of Audit Director: 4. Liaison for this review: Name and Title: Address: Phone: 5. Audit Organization Staffing Level: Professional Auditors Support Staff Total Staff 6. Current Annual Operating Budget: Audit Organization Government Entity 7. Describe the authority of your audit organization, how the Audit Director is appointed, to whom the audit organization reports, and where the audit organization is located within the governmental entity. Please attach an organization chart, if available. 8. Describe the mission, duties and responsibilities of your audit organization. Include any duties or responsibilities other than auditing performed by your audit organization as required by charter, ordinance, trust indenture, state statute, benefit/retirement plan, etc. II: E-1

3 9. Describe the following documents and, if practical, attach copies of the documents or excerpts of relevant documents to this form. If attaching the referenced documents is not practical, please make the documents available to the review team upon their arrival. a. Establishes your audit organization s authority, duties and responsibilities b. Summarizes the activities of your audit organization [e.g. annual report] c. Guides audit staff in performing their work [e.g. policy manual] Document/Cite 10. Describe the longevity of the Director and audit staff. List any former audit staff that transferred to other areas of the organization during the review period along with their current assignment. List any current audit staff that worked in other areas of the organization during the review period along with their past assignment. Is any audit staff designated to specific audit areas/auditees on a recurring basis? 11. The information presented in Chapter 1 on Foundation and Ethical Principles sets forth fundamental principles rather than establishing specific standards or requirements. However, inclusion of those principles in government auditing standards conveys the message that management will set the tone for ethical behavior through policies and procedures that: maintain an ethical culture; clearly communicate acceptable behavior and expectations to each employee; and create an environment that reinforces and encourages ethical behavior throughout the organization. (GAS 1.11) Describe any policies, procedures, training, and awareness measures you have provided audit staff that assist in promoting an ethical culture in your organization. 12. Briefly describe your audit organization s peer review history including the number of times reviewed, overall period covered by these reviews, professional standards within the scope of the reviews, and entities conducting the reviews. Attach a copy of the report relating to your audit organization s most recent peer review, regardless of whether the review was conducted by ALGA, and describe any corrective actions taken by your audit organization to address the results of the peer review. II: E-2

4 13. For all work performed and/or services provided by your audit organization, list the number of activities and the approximate percentage of total staff time spent on each type of activity during the review period. Type of Activity Financial Audits [GAS 2.07] Attestation Engagements [GAS 2.09] Performance Audits [GAS 2.10] Nonaudit Services [GAS 2.12] Other (Investigations) Number of Activities Percentage of Time 14. Please provide the following information on the Audit Engagements Completed and Nonaudit Services Performed form (II: F-1): a. List all reports issued during the review period for financial audits, performance audits, and/or attestation engagements performed in accordance with GAS. b. List each nonaudit service totaling more than 40 hours that was performed by your audit organization during the review period. c. For those audits/engagements listed in (a) above, also provide the number of hours of nonaudit and other services that: - are relevant to the subject matter of the audit/engagement, - totaled more than 40 hours. 15. Please provide the following information on the Continuing Professional Education form (II: F-2): a. List all auditors involved in any amount of planning, directing, or reporting on GAGAS audits and auditors who are not involved in those activities, but charge 20 percent or more of their time annually to GAGAS along with their total CPE hours and total government CPE hours. c. Indicate which years are parts of the 2-year reporting period in the last column. Copy and paste form tables as necessary. Audit organizations may substitute an in-house monitoring report in lieu of completing the form as long as it contains the required information. d. Evidence supporting the number of CPE hours reported should be made available to the peer review team during the site visit. II: E-3

5 Exercise 1 Flexibility in Applying Standards Objective: Gain appreciation for the flexibility in Government Auditing Standards and learn how other audit organizations apply some of the standards. Assignment: For each of the following standards, outline your audit organization s approach to meeting the standard. Example The audit report should include a reference to compliance with government auditing standards. Department policy addresses requirement to state compliance in all reports Standard compliance statement is included in introductory paragraph of report ALGA checklist is used to verify compliance before audit is finalized Standard report template includes the standard compliance statement 1. Ethical Principles in Government Auditing Management of the audit organization sets the tone for ethical behavior throughout the organization by maintaining an ethical culture, clearly communicating acceptable behavior and expectations to each employee, and creating an environment that reinforces and encourages ethical behavior throughout all levels of the organization (GAS 1.11). 2. General Standard on Independence Auditors participating on an audit assignment must be free from personal impairments to independence (GAS 3.02).

6 Conducting an ALGA Peer Review Exercise 1 Page 2 3. General Standard on Competence The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required. (GAS 3.69) 4. General Standard on Competence Each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. An additional 56 hours is required every 2 years for auditors involved in planning, directing, or reporting on GAGAS assignments, and for auditors who charge 20 percent or more of their time annually to GAGAS audits (GAS 3.76). 5. General Standard on Quality Control and Assurance Each audit organization performing audits or attestation engagements in accordance with GAGAS must have an external peer review at least once every three years (GAS 3.96). 6. Fieldwork standards for performance audits Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives (GAS 6.11f).

7 Conducting an ALGA Peer Review Exercise 1 Page 3 7. Fieldwork standards for performance audits Audit supervisors or those designated to supervise auditors must properly supervise audit staff (GAS 6.53). 8. Reporting standards for performance audits Auditors should prepare audit reports that contain a summary of the views of responsible officials (GAS 7.32).

8 G. AUDIT ORGANIZATION DESCRIPTION OF QUALITY CONTROL SYSTEM (Revision Date: 11/19/12) ALGA Peer Review Guide (2011) FOUNDATION AND ETHICAL PRINCIPLES The information presented in Chapter 1, Ethical Principles in Government Auditing, deals with fundamental principles and does not contain additional requirements. However, audit organizations may choose to establish procedures that align with the principles included in generally accepted government auditing standards (GAGAS). Because auditing is essential to government accountability to the public, the public expects audit organizations and auditors who conduct their work in accordance with GAGAS to follow ethical principles. Management of the audit organization sets the tone for ethical behavior throughout the organization by maintaining an ethical culture, clearly communicating acceptable behavior and expectations to each employee, and creating an environment that reinforces and encourages ethical behavior throughout all levels of the organization. The ethical tone maintained and demonstrated by management and staff is an essential element of a positive ethical environment. The ethical principles that guide the work of the auditors who conduct audits in accordance with GAGAS are: a. the public interest; b. integrity; c. objectivity; d. proper use of government information, resources, and positions; and e. professional behavior. (GAS 1.14) GENERAL STANDARD ON INDEPENDENCE: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent in mind and appearance. ( ) 1. Audit organizations are responsible for establishing an internal quality control system to assure compliance with the independence standards. Quality Control System procedures should include: Standard: P&P Ref: QCS Description: Verify auditors were independent during the period covered by the subject matter of the audit and the period of the engagement. (3.05) Identify threats to II: G - 1

9 Description of Quality Control System independence, evaluate their significance, determine if identified threats to independence have been eliminated or are at an acceptable level, and apply and document safeguards as necessary. (3.08, , 3.24, 3.59) Evaluate the categories of threats to independence: self-interest, self-review, bias, familiarity, undue influence, management participation, and structural. (3.14) Decline or terminate the audit if threats cannot be eliminated or reduced to an acceptable level. (3.25) Evaluate the impacts of threats identified after report issuance and take appropriate steps. (3.26) 2. The ability of audit organizations to perform work and report the results objectively can be affected by placement within and the structure of the government entity being audited. The independence standard applies to auditors who report to third parties externally, to senior management within the audited entity, or both. Organizational independence can be achieved in various ways for external and internal audit organizations. (3.27) Enter policy and procedure reference and description under the structure that applies to your audit organization: An external audit organization that is structurally located within the government entity and subject to constitutional or statutory safeguards that mitigate the effects of structural threats; safeguards may include a structure under which the audit organization is: - at a level of government other than the one of which the audited entity is part (federal, state, local), or; - placed within a different branch of government from that of the audited entity. (3.28) II: G - 2

10 Description of Quality Control System External auditors or auditors who report both externally and internally; structural threats may be mitigated if the head of the audit organization is: - directly elected by voters, or; - elected, appointed, and subject to removal by a legislative body and reports the results of audits and is accountable to a legislative body, or; - confirmed by a legislative body when appointed and whose removal is subject to oversight or approval by a legislative body, and who reports the results of audits to and is accountable to a legislative body, or; - appointed by, accountable to, reports to, and can only be removed by a statutorily created governing body, the majority of whose members are independently elected or appointed and who are outside the organization being audited. (3.29) External audit organizations under other organizational structures may be considered independent if they have all of the following statutory protections in place that: - prevent the abolishment of the audit organization by the audited entity; - require that if the head of the audit organization is removed from office, the head of the agency reports this fact and the reasons for removal to the legislative body; - prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit; - prevent the audited entity from interfering with reporting on any audit; - require the audit organization to report to a legislative body or other independent governing body on a recurring basis; - give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff, and - grant access to records and documents that relate to the agency, program, or function being audited, and access to individuals as needed to conduct the audit. The audit organization should document how each of the safeguards was satisfied and provide documentation to external peer reviewers. (3.30, 3.59) II: G - 3

11 Description of Quality Control System Internal audit organizations are considered to be organizationally independent for the purposes of reporting internally if the head of the audit organization meets all of the following criteria: - is accountable to the head or deputy head of the government entity or to those charged with governance; - reports the results both to the head or deputy head of the government entity and those charged with governance; - is located organizationally outside the staff or line management function of the unit under audit; - has access to those charged with governance; and - is sufficiently removed from political pressure. (3.31) 3. Before an auditor agrees to provide a nonaudit service to an audited entity the auditor should: Standard: P&P Ref: QCS Description: Determine if providing the service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS audit it performs. (3.34) Determine that the audited entity has designated an individual to oversee the nonaudit service; the auditor should document his or her consideration of the individual s ability to effectively oversee the nonaudit service. (3.34, 3.59) Obtain assurance that management assumes all management responsibilities, will oversee the services, will evaluate the adequacy and results of the service being performed, and will accept responsibility for the results. II: G - 4

12 Description of Quality Control System (3.37) Document their understanding with management or the governing body regarding: - objectives of the nonaudit service, - services to be performed, - audited entity s acceptance of its responsibilities, - the auditor s responsibilities, - limitations of the nonaudit service. (3.39, 3.59) 4. An auditor who previously performed nonaudit services for an entity that is a prospective subject of an audit should evaluate the impact of those nonaudit services on independence before accepting the audit. (3.42) 5. An auditor required to perform a nonaudit service that could impair his or her independence with respect to a required audit should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS statement accordingly. (3.44) 6. When performing nonaudit services not specifically prohibited, use the conceptual framework to evaluate independence. (3.46) 7. When preparing separate evaluations about the effectiveness of the internal control system, evaluate the management participation threat and any applied safeguards. (3.55) II: G - 5

13 Description of Quality Control System GENERAL STANDARD ON PROFESSIONAL JUDGMENT: Auditors must use professional judgment in planning and performing audits and in reporting the results. (3.60) 8. Professional judgment includes exercising reasonable care and professional skepticism: - Professional skepticism is an attitude that includes a questioning mind and a critical assessment of evidence. (3.61) - Professional skepticism includes a mindset in which auditors assume neither that management is dishonest nor of unquestioned honesty. (3.61) - Professional judgment represents the application of the collective knowledge, skills, and experiences of all personnel involved with an audit. (3.63) - Professional judgment may involve collaboration with other stakeholders, external specialists, and management in the audit organization. (3.63) - Using professional judgment is important in determining the required level of understanding of the audit subject matter and related circumstances. (3.66) - An auditor s consideration of the risk level of each audit, including the risk of arriving at improper conclusions, is also important [determining sufficiency and appropriateness of evidence]. (3.67) GENERAL STANDARD ON COMPETENCE: The staff assigned to perform the audit must collectively possess adequate professional competence needed to address the audit objectives and perform the work in accordance with GAGAS. (3.69) 9. Audit organization management should assess skill needs to consider whether its workforce has the essential skills that match those necessary to perform a particular audit. (3.70) 10. Audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. (3.70) II: G - 6

14 Description of Quality Control System 11. The staff assigned to conduct an audit should collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that audit. (3.72) 12. Auditors performing financial audits or attestation engagements should be knowledgeable of the applicable financial reporting framework being used. Auditors should also be knowledgeable of relevant AICPA Standards, and competent in applying these to the audit work. ( ) 13. Auditors involved in planning, directing, performing, or reporting on an audit conducted in accordance with GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. Auditors involved in any amount of planning, directing, or reporting on GAGAS audits, and those not involved in those activities but who charge 20 percent or more of their time annually to GAGAS audits, should obtain an additional 56 hours of CPE [80 total hours every 2 year period] that enhances the auditor s professional proficiency to perform audits. Auditors required to have 80 hours should complete at least 20 hours in any given year. Auditors hired or initially assigned to GAGAS audits after the 2 year CPE period begins should complete a prorated number of CPE hours. (3.76) 14. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed. (3.78) 15. The audit team should determine if external/internal specialists are qualified and competent in their areas of specialization. CPE requirements only apply II: G - 7

15 Description of Quality Control System to internal specialists who direct or perform audit procedures, or who report on GAGAS audits as part of the audit team. ( ) GENERAL STANDARD ON QUALITY CONTROL AND ASSURANCE Each audit organization performing audits in accordance with GAGAS must: a. establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and b. have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years. (3.82, 3.84) 16. Each audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization s compliance with its quality control policies and procedures. Policies and procedures should collectively address: Standard: P&P Ref: QCS Description: Leadership responsibilities for quality within the audit organization. ( ) Independence, legal, and ethical requirements. (3.85, 3.88) Initiation, acceptance, and continuance of audits. (3.85, 3.89) Human resource processes to reasonably ensure personnel are capable and competent to perform audits in accordance with professional standards, legal and regulatory requirements. (3.85, 3.90) II: G - 8

16 Description of Quality Control System Audit performance, documentation, and reporting processes to reasonably ensure audits are performed and reported in accordance with professional standards, legal and regulatory requirements and policies and procedures for safe custody and retention of audit documentation. (3.85, ) Monitoring of quality, including analyses of its monitoring process and identification of systemic issues needing improvement, at least annually. (3.85, ) 17. The audit organization should obtain an external peer review at least once every 3 years that is sufficient in scope to provide a reasonable basis for determining whether, for the period under review, the reviewed audit organization s system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards. (3.82, 3.96) 18. An external audit organization 1 should make its most recent peer review report publicly available; for example, by posting the peer review report on a publicly available web site or to a publicly available file designed for public transparency of peer review results. Internal audit organizations that report to internally to management and those charged with governance should provide a copy of the peer review report to those charged with governance. (3.105) 1 An external audit organization is defined in paragraph 1.08 of GAS II: G - 9

17 Description of Quality Control System STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS II: G - 10

18 Description of Quality Control System STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: AICPA STANDARDS For financial audit:. GAGAS incorporates the AICPA standards and related AICPA Statements on Auditing Standards (SAS). All sections of the SASs are incorporated, including the introduction, objectives, definitions, requirements, and application and other explanatory material. (4.01, 4.02) For attestation engagements: GAGAS incorporates the AICPA general standard on criteria, the fieldwork and reporting attestation standards, and the corresponding AICPA Statements on Standards for Attestation Engagements (SSAEs). (5.01, 5.02) 19. For financial audits, auditors should comply with the additional GAGAS requirements as well as the requirements contained in the AICPA standards, along with the incorporated SASs, when citing GAGAS in their reports. For attestation engagements, auditors should determine which of the three levels of services apply to the engagement and refer to the appropriate AICPA standards and GAGAS section for applicable requirements and considerations. (4.02, 5.02) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: AUDITOR COMMUNICATION 20. Auditors should communicate, in writing, pertinent information that in the auditors professional judgment needs to be communicated to individuals contracting for or requesting the audit or examination engagement, and to cognizant legislative committees when auditors perform the audit pursuant to law or regulation, or they conduct the work for the legislative committee that has oversight. ( , ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: PREVIOUS AUDITS AND ATTESTATION ENGAGEMENTS. 21. Auditors should evaluate whether appropriate corrective action has been taken and recommendations implemented to address findings and recommendations from previous audits, attestation engagements, and other studies directly related to the objectives of the audit. Auditors should use this II: G - 11

19 Description of Quality Control System information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing of the corrective actions is applicable to the audit objectives. ( ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: FRAUD, NONCOMPLIANCE WITH PROVISIONS OF LAWS, REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS, AND ABUSE Auditors have the following responsibilities relating to fraud, noncompliance with provisions of laws, regulations, contracts, and grant agreements, and abuse in financial audits and attestation engagements: 22. For financial audits: Extend the AICPA requirements pertaining to the auditors responsibilities for laws and regulations to also apply to consideration of compliance with provisions of contracts or grant agreements. If auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements or other financial data significant to the audit objectives, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives. (4.06, 4.08) 23. For examination-level attestation engagements: Design the engagement to detect instances of fraud and noncompliance with provisions of laws, regulations, contracts, or grant agreements that may have a material effect on the subject matter or the assertion thereon of the examination engagement. If auditors become aware of abuse that could be quantitatively or qualitatively material, auditors should apply procedures specifically directed to ascertain the potential effect on the subject matter, or the assertion thereon, or other data significant to the objective of the examination engagement. ( ) 24. Auditors should avoid interfering with investigations or legal proceedings in their pursuance of indications of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements, or abuse. (4.09, 5.10) II: G - 12

20 Description of Quality Control System STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: ELEMENTS OF A FINDING 25. Auditors should plan and perform procedures to develop the elements of findings that are relevant and necessary to achieve the audit or examination engagement objectives. The elements of an audit finding are: criteria, condition, cause, and effect or potential effect. ( , ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: DOCUMENTATION 26. For financial audits: In addition to the AICPA requirements for audit documentation, auditors should comply with the following additional requirements when performing a GAGAS financial audit: (a) Document supervisory review, before the report release date, of the evidence that supports the findings, conclusions, and recommendations contained in the auditors report. (4.15) (b) Document any departures from the GAGAS requirements and the impact on the audit and on the auditors conclusions when the audit is not in compliance with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit. (4.15) 27. For examination-level attestation engagements: In addition to the AICPA requirements for audit documentation, auditors should comply with the following additional requirements when performing a GAGAS examination engagement: (a) Prepare attest documentation in sufficient detail to enable an experienced auditor to understand the nature, timing, extent, and results of procedures performed, the evidence obtained, the sources of evidence, and the conclusions reached. (5.16) II: G - 13

21 Description of Quality Control System (b) Document supervisory review, before the date of the examination report, of the evidence that supports the findings, conclusions, and recommendations contained in the examination report. (5.16) (c) Document any departures from the GAGAS requirements and the impact on the engagement and on the auditors conclusions when the examination is not in compliance with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit. (5.16) 28. When performing GAGAS financial audits or examination engagements, auditors should make appropriate individuals, as well as audit or attest documentation available upon request and in a timely manner to other auditors or reviewers; subject to applicable laws and regulations. (4.16, 5.17) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING AUDITOR S COMPLIANCE WITH GAGAS In addition to the AICPA requirements for reporting on financial audits and examination engagements, auditors should comply with the following additional requirements when citing GAGAS in financial audit and examination reports. (4.17, 5.18) 29. Reports should state that the audit or examination engagement was performed in accordance with GAGAS. When auditors do not comply with applicable requirement(s), they should assess the significance of the noncompliance to the audit objectives, document the assessments, along with their reasons for not following the requirement(s) and determine the type of GAGAS compliance statement. (2.24, 2.25, 4.18, 5.19) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING ON INTERNAL CONTROL AND COMPLIANCE 30. For financial audits: When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts or II: G - 14

22 Description of Quality Control System grant agreements that have a material effect on the financial statements. (4.19) a. Auditors should include a description of the scope of the auditors testing of internal controls and compliance. Auditors should state in the reports whether tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control and on compliance. (4.20) b. If separate report(s) are issued, the auditor should: - Include a reference to the separate reports in the report on financial statements; - State in the financial statement audit report that they are issuing those additional reports; - State that the reports on internal control over financial reporting and compliance are an integral part of a GAGAS audit in considering internal control over financial reporting and compliance. (4.22) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING DEFICIENCIES IN INTERNAL CONTROL, FRAUD, NONCOMPLIANCE WITH LAWS, REGULATIONS, CONTRACTS, AND GRANT AGREEMENTS, AND ABUSE 31. For financial audits: Auditors should communicate in the report, based on the work performed, on internal control over financial reporting and compliance - Significant deficiencies and material weaknesses in internal control, - Instances of fraud and noncompliance with provisions of laws or regulations that have a material effect on the subject matter and any other instances that warrant attention of those charged with governance, - Noncompliance with provisions of contracts or grant agreements that has a material effect on the audit, - Abuse that has a material effect on the subject matter. (4.23) 32. For examination engagements: Auditors should report, based upon the work performed: - Significant deficiencies and material weaknesses in internal control, - Instances of fraud and noncompliance with provisions of laws or regulations that have a material effect on the subject matter and any other instances that warrant attention of those charged with governance Noncompliance with provisions of contracts or grant agreements that has II: G - 15

23 Description of Quality Control System a material effect on the subject matter or an assertion about the subject matter of the engagement, - Abuse that has a material effect on the subject matter. If separate report(s) are issued, the examination report should include a reference to the separate report(s) and state the separate report(s) are an integral part of the examination engagement. ( ) 33. When auditors conclude, for financial audits and examination engagements, that any of the following has occurred or is likely to have occurred, they should include in their report the relevant information about: a. Fraud and noncompliance that have a material effect on the subject matter/financial statements and any other instances that warrant the attention of those charged with governance; (4.25, 5.24) b. Abuse that is material, either quantitatively or qualitatively. (4.25, 5.24) When auditors detect instances of noncompliance or abuse that are less than material but warrant the attention of those charged with governance, they should communicate those findings in writing to audited entity officials. (4.26, 5.25) 34. Develop the elements of the findings to the extent necessary to assist with understanding the need for taking corrective actions and making recommendations. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of work performed. The findings should be related to the population or number of cases examined or other measures as appropriate. If results cannot be projected, the auditors conclusions should be appropriately limited. ( , ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING FINDINGS DIRECTLY TO PARTIES OUTSIDE THE AUDITED ENTITY II: G - 16

24 Description of Quality Control System 35. For financial audits and examination engagements, report known or likely fraud or noncompliance with laws, regulations, contracts, or grant agreements or abuse to outside parties when: 1) management fails to report as required or 2) management fails to take timely and appropriate steps to respond to fraud or noncompliance even if they have resigned or been dismissed from the engagement prior to its completion. Obtain sufficient, appropriate evidence to corroborate assertions that such findings have been reported in accordance with laws, regulations, or funding agreements. If auditors are unable to do so, then such information should be reported directly by the auditor. ( , ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING VIEWS OF RESPONSIBLE OFFICIALS 36. For financial audits and examination engagements, if the auditors report discloses deficiencies in internal control, fraud, noncompliance with provision of laws, regulations, contracts, or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions. (4.33, 5.32) a. Auditors should include in their report a copy of the officials written comments or a summary. Auditors should include a summary of any oral comments received once they are reviewed for accuracy by the responsible officials. (4.35, 5.34) b. Auditors should include in the report an evaluation of the comments, as appropriate. (4.36, 5.35) c. When the audited entity s comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors recommendations, the auditors should evaluate the validity of the audited entity s comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence. (4.38, 5.37) d. If the officials refuse to provide comments or are unable to provide comments in a reasonable timeframe, the auditors should indicate in the report that the audited entity did not provide comments. (4.39, 5.38) II: G - 17

25 Description of Quality Control System STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: REPORTING CONFIDENTIAL AND SENSITIVE INFORMATION 37. For financial audits and examination engagements, if certain pertinent information is prohibited from public disclosure or excluded from the report due to confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstance that makes the omission necessary. Auditors should evaluate whether this omission could distort the audit or examination engagement results or conceal improper or illegal practices. When the audit organizations are subject to public records laws, auditors should determine whether these laws could impact the availability of classified or limited use reports and affect how they might communicate results. ( , ) STANDARDS FOR FINANCIAL AUDITS AND ATTESTATION ENGAGEMENTS: DISTRIBUTING REPORTS 38. For financial audits, and examination, review, and agreed upon attestation agreements, auditors should document any limitation on report distribution. a. Government auditors should distribute reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies. As appropriate, auditors should also distribute copies of the report to other officials who have legal oversight authority or who may be responsible for acting on findings and recommendations, and to others authorized to receive such reports. (4.45, 5.44, 5.52, 5.62) b. Internal audit organizations should communicate results to the parties who can ensure that the results are given due consideration. Prior to release to parties outside of the organization, the head of the internal audit organization should assess the potential risk to the organization, consult with senior management and/or legal counsel, and control dissemination. (4.45, 5.44, 5.52, 5.62) c. Public accounting firms contracted to perform a financial audit or attestation engagement under GAGAS should clarify report distribution responsibilities with the organization. If the audit firm is to distribute reports, it should reach agreement with the party contracting for the audit or attestation engagement about which officials or organizations will II: G - 18

26 Description of Quality Control System receive the report and the steps taken to make the report available to the public. (4.45, 5.44, 5.52, 5.62) ADDITIONAL GAGAS CONSIDERATIONS FOR FINANCIAL AUDITS AND EXAMINATION ENGAGEMENTS 39. For financial audits: Auditors are required to apply the concept of materiality appropriately in planning and performing the audit. (4.47) 40. For examination engagements: The AICPA Standards require that one of the factors to be considered when planning the engagement includes preliminary judgments about attestation risk and materiality for attest purposes. (5.46) ADDITIONAL GAGAS REQUIREMENTS FOR REVIEW AND AGREED-UPON PROCEDURE ENGAGEMENTS 41. For review and agreed-upon procedures engagements, if, on the basis of conducting the procedures necessary to perform a review, significant deficiencies; material weaknesses; instances of fraud, noncompliance with provisions of laws, regulations, contracts, or grant agreements; or abuse come to the auditors attention that warrant the attention of those charged with governance, GAGAS requires that auditors should communicate such matters to audited entity officials. (5.49, 5.59) 42. For review and agreed-upon procedures engagements, when auditors comply with all applicable requirements for a review engagement conducted in accordance with GAGAS, they should include a statement in the report that they performed the engagement in accordance with GAGAS. (5.51, 5.61) 43. For review and agreed-upon procedures engagements, the AICPA standards require auditors to establish an understanding with the audited entity (client) II: G - 19

27 Description of Quality Control System regarding the services to be performed. The understanding includes the objectives of the engagement, responsibilities of entity management, responsibilities of auditors, and limitations of the engagement. (5.54, 5.64) 44. For review engagements: The AICPA standards require that the auditors review report be in the form of a conclusion expressed in the form of negative assurance. (5.56) 45. For agreed-upon procedures engagements: The AICPA standards require that the auditors report on agreed-upon procedures engagements be in the form of procedures and findings and specifies the required elements to be contained in the report. (5.66) II: G - 20

28 Description of Quality Control System STANDARDS FOR PERFORMANCE AUDITS II: G - 21

29 Description of Quality Control System FIELD WORK STANDARDS FOR PERFORMANCE AUDITS: PLANNING 46. Auditors must plan and document the planning of the audit work necessary to address the audit objectives, scope and methodology such that their work will provide reasonable assurance that sufficient, appropriate evidence will support their findings and conclusions. Auditors should assess significance and audit risk when defining the audit objectives, scope, and methodology. (6.06, 6.07, 6.10) 47. Auditors should assess audit risk and significance within the context of the audit objectives by gaining an understanding of the: a. Nature and profile of the program and user needs (6.11a, 6.13) b. Design and implementation of internal controls (6.11b, 6.16) c. Design and implementation of information system controls (6.11c, 6.24, 6.27) d. Legal and regulatory requirements, contract provisions, grant agreements, potential fraud and abuse (6.11d, 6.28, , 6.34) e. Impact of ongoing investigation and legal proceedings (6.11e, 6.35) f. Results of previous engagements (6.11f, 6.36) 48. To the extent relevant to the audit objectives, auditors should identify potential criteria and sources of audit evidence, including the work of other auditors or experts, necessary to plan the audit work. (6.12 a-c, 6.37, 6.38, ) 49. Based on assessment of the information gained, auditors should determine the type and amount of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives. When auditors conclude that sufficient, appropriate evidence is not available, auditors should evaluate whether internal control or other program weaknesses are the cause. (6.39) 50. Auditors should extend audit procedures when there are indications that fraud or abuse significant to the audit objectives may have occurred. If the potential II: G - 22

30 Description of Quality Control System fraud is not significant to the audit objectives, auditors may conduct additional work as a separate engagement or refer the matter to other parties with oversight responsibility. Auditors should avoid interfering with legal proceedings or investigations. (6.32, ) 51. Auditors who intend to use the work of a specialist should assess the specialist s professional qualifications and independence, which involves the following: - Professional Certifications - Licenses, or other recognition of competence - Reputation and standing with peers - Experience and previous work - Prior experience the auditor has had with the specialist Assessing independence includes identifying threats and applying safeguards in the same manner as would apply to assigned auditors. (6.12d, ) 52. Audit management should assign a sufficient number of staff with the appropriate collective skill and competence to perform the audit, including staff and supervisors, providing for on-the-job training of staff, and engaging specialists when necessary. Auditors should document the nature and scope of work to be performed by specialists engaged. (6.12d, ) 53. Auditors should communicate an overview of the planned objectives, scope, methodology, timing and reporting of the performance audit to management of the audited entity, those charged with governance, and requestors as applicable; except when communication would impair ability to obtain evidence. Auditors should document the communication and any process used to identify those who should receive communications. II: G - 23

31 Description of Quality Control System If an audit is terminated before it is completed and no audit report is issued, auditors should document the results of their work to date and why it was terminated. (6.12e, ) 54. Auditors must prepare a written audit plan for each audit. Auditors should update the plan as necessary. (6.12f; 6.51) FIELD WORK STANDARDS FOR PERFORMANCE AUDITS: SUPERVISION 55. Audit supervisors must properly supervise audit staff. Elements of supervision include: - Directing and guiding staff members in conducting work and following standards, - Staying informed about significant problems encountered, - Reviewing the work performed before the audit report is issued, and - Providing effective on-the-job training. The nature and extent of supervision of staff and the review of audit work may vary depending on a number of factors. Reviews of audit work should be documented. ( , 6.83c) FIELD WORK STANDARDS FOR PERFORMANCE AUDITS: EVIDENCE 56. Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions. Sufficiency refers to the amount of evidence gathered and presented. Appropriateness refers to the quality of evidence including its relevance to the audit objectives, reliability, and validity. ( ) II: G - 24

32 Description of Quality Control System 57. Document assessment that evidence taken as a whole is sufficient and appropriate for addressing audit objectives and supporting findings and conclusions. (6.58, 6.67, 6.69) 58. Evaluate testimonial evidence and information provided by officials when used as evidence. (6.62, 6.65) 59. Assess sufficiency and appropriateness of computer-processed information. (6.66) 60. Based on the assessment of the evidence, apply additional procedures, redefine the audit objectives, or revise the findings and conclusions, if necessary. ( ) 61. Plan and perform procedures to develop the elements of a finding to address audit objectives and develop recommendations for corrective action. (6.73) FIELD WORK STANDARDS FOR PERFORMANCE AUDITS: DOCUMENTATION 62. Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit before issuing the report. Documentation should provide enough detail for an experienced auditor to understand the nature, timing, extent and results of work; evidence obtained; sources of evidence; and auditors conclusions and significant judgments including: objectives, scope, methodology of the audit; work performed and evidence obtained to support significant judgments and conclusions, including descriptions of transactions and records examined; II: G - 25

33 Description of Quality Control System evidence of supervisory review of the evidence that supports the findings, conclusions, and recommendations. ( ) 63. Auditors should document departures from GAGAS requirements and the impact on the audit and auditors conclusions (6.84) 64. The audit organization should make appropriate individuals and audit documentation available to other auditors or reviewers upon request, subject to applicable laws and regulations. (6.85) REPORTING STANDARDS FOR PERFORMANCE AUDITS: REPORTING 65. Auditors must issue audit reports communicating the results of each completed performance audit. Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form. The purposes of audit reports are to: - Communicate the results of audits to the appropriate officials - Make results less susceptible to misunderstanding - Make results available to the public, unless specifically limited (see 7.40) - Facilitate follow-up to determine whether appropriate corrective actions have been taken ( ) If an audit is terminated before it is completed and no audit report is issued, auditors should document results of their work to date and why it was terminated. (7.06) 66. If after the report is issued, auditors discover that they did not have sufficient, appropriate evidence, they should communicate this information to appropriate officials, remove the report from publicly accessible websites, and determine whether to conduct additional audit work necessary to revise or confirm the original findings and conclusions. (7.07) II: G - 26