This is the accessible text file for GAO report number GAO-08-210G entitled 'Government Auditing Standards: Implementation Tool: Professional Requirements Tool for Use in Implementing Requirements Identified by "Must" and "Should" in the July 2007 Revision of Government Auditing Standards' which was released on January 2, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office: Government Auditing Standards: Implementation Tool: Professional Requirements Tool for Use in Implementing Requirements Identified by "Must" and "Should" in the July 2007 Revision of Government Auditing Standards: This Professional Requirements Tool lists the requirements for audit organizations and auditors included in the July 2007 Revision of Generally Accepted Government Auditing Standards (GAGAS), also commonly known as the Yellow Book. This tool lists professional responsibilities that are specifically identified in the standards by the words "must" and "should." This tool is divided into four sections. The general requirements section contains entity-wide requirements for the audit organization and is intended for use in addition to the specific sections for financial audits, attestation engagements, and performance audits, which contain engagement-specific requirements for the auditors conducting the engagement. Audit organizations and auditors should also refer to the complete text of the July 2007 Revision of GAGAS to understand the context for those requirements along with related guidance. This tool was prepared by GAO's government auditing standards staff to facilitate audit organizations' and auditors' implementation of the standards, and does not represent additional standards or requirements. The staff welcomes your feedback and comments. If you have questions or comments related to this tool, please contact Heather Keister, at (202) 512-2943 or keisterh@gao.gov. For other questions on GAGAS, please contact us at yellowbook@gao.gov. Signed by: Jeanette M. Franzel: Director, Financial Management and Assurance: Contents: Background: General Requirements For Audit Organizations: Specific Requirements For Financial Audits: Specific Requirements For Attestation Engagements: Specific Requirements For Performance Audits: Background: In July 2007, the Comptroller General issued a major revision to Government Auditing Standards.[Footnote 1] The July 2007 Revision uses clarified language to define the auditors' level of responsibility and distinguish between auditor requirements and additional guidance. As described in the July 2007 Revision (paragraphs 1.05 through 1.08), GAGAS use two categories of professional requirements to describe the degree of responsibility for auditors and audit organizations, as follows: * Unconditional requirements: Auditors and audit organizations are required to comply with an unconditional requirement in all cases in which the circumstances exist to which the unconditional requirement applies. GAGAS use the words must or is required to specify an unconditional requirement. * Presumptively mandatory requirements: Auditors and audit organizations are also required to comply with a presumptively mandatory requirement in all cases in which the circumstances exist to which the presumptively mandatory requirement applies; however, in rare circumstances, auditors and audit organizations may depart from a presumptively mandatory requirement provided they document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the presumptively mandatory requirement. GAGAS use the word should to specify a presumptively mandatory requirement. For financial audits and attestation engagements, GAGAS incorporates the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS) and Statements on Standards for Attestation Engagements (SSAE). Therefore, in addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA field work and reporting standards is required for financial audits and attestation engagements conducted in accordance with GAGAS. This tool is intended to assist auditors with documenting compliance with GAGAS. The columns to the right of the requirements may be used for auditor notations to indicate the location of audit documentation that supports compliance with the GAGAS requirement. The words "must" and "should" that are applicable to each section are bolded and underlined in this tool for emphasis. Explanatory material that identifies or describes other procedures does not represent a professional requirement for the audit organization or auditor to perform such procedures. How and whether to carry out such procedures depends on the exercise of professional judgment consistent with the objective of the standard. This tool does not include explanatory material from the July 2007 Revision of Government Auditing Standards. Therefore, audit organizations and auditors should read the entire text of the July 2007 Revision of GAGAS, including the explanatory material when planning the audit and making professional judgments about compliance with professional requirements. General Requirements for Audit Organizations: General Requirements - Audit organizations: Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services)...Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.34: Audit organizations that provide nonaudit services must evaluate whether providing nonaudit services creates an independence impairment either in fact or appearance with respect to the entities they audit... Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty] Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Independence; 3.06: If an impairment to independence is identified after the audit report is issued, the audit organization should assess the impact on the audit. If the audit organization concludes that it did not comply with GAGAS, it should determine the impact on the auditors' report and notify entity management, those charged with governance, the requesters, or regulatory agencies that have jurisdiction over the audited entity and persons known to be using the audit report about the independence impairment and the impact on the audit. The audit organization should make such notifications in writing; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Personal Impairments; 3.08: Audit organizations and auditors may encounter many different circumstances or combinations of circumstances that could create a personal impairment. Therefore, it is impossible to identify every situation that could result in a personal impairment. Accordingly, audit organizations should include as part of their quality control system procedures to identify personal impairments and help ensure compliance with GAGAS independence requirements. At a minimum, audit organizations should: a. establish policies and procedures to identify, report, and resolve personal impairments to independence, b. communicate the audit organization's policies and procedures to all auditors in the organization and promote understanding of the policies and procedures, c. establish internal policies and procedures to monitor compliance with the audit organization's policies and procedures, d. establish a disciplinary mechanism to promote compliance with the audit organization's policies and procedures, e. stress the importance of independence and the expectation that auditors will always act in the public interest, and; f. maintain documentation of the steps taken to identify potential personal independence impairments; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Personal Impairments; 3.09: When the audit organization identifies a personal impairment to independence prior to or during an audit, the audit organization should take action to resolve the impairment in a timely manner. If the personal impairment cannot be eliminated, the audit organization should withdraw from the audit. In situations in which auditors employed by government entities cannot withdraw from the audit, they should follow paragraph 3.04; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Impairments; 3.10: Audit organizations must be free from external impairments to independence. Factors external to the audit organization may restrict the work or interfere with auditors' ability to form independent and objective opinions, findings, and conclusions. External impairments to independence occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organizations...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Impairments; 3.11: Audit organizations should include policies and procedures for identifying and resolving external impairments as part of their quality control system for compliance with GAGAS independence requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence; 3.12: The ability of audit organizations in government entities to perform work and report the results objectively can be affected by placement within government, and the structure of the government entity being audited. Whether reporting to third parties externally or to top management within the audited entity internally, audit organizations must be free from organizational impairments to independence with respect to the entities they audit. Impairments to organizational independence result when the audit function is organizationally located within the reporting line of the areas under audit or when the auditor is assigned or takes on responsibilities that affect operations of the area under audit; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for External Audit Functions; 3.15:..For an external audit organization to be considered free from organizational impairments under a structure different from the ones [government entity structures] listed in paragraphs 3.13 and 3.14, the audit organization should have all of the following safeguards. In such situations, the audit organization should document how each of the following safeguards were satisfied and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met: a. statutory protections that prevent the audited entity from abolishing the audit organization; b. statutory protections that require that if the head of the audit organization is removed from office, the head of the agency report this fact and the reasons for the removal to the legislative body; c. statutory protections that prevent the audited entity from interfering with the initiation, scope, timing, and completion of any audit; d. statutory protections that prevent the audited entity from interfering with audit reporting, including the findings and conclusions or the manner, means, or timing of the audit organization's reports; e. statutory protections that require the audit organization to report to a legislative body or other independent governing body on a recurring basis; f. statutory protections that give the audit organization sole authority over the selection, retention, advancement, and dismissal of its staff; and; g. statutory access to records and documents related to the agency, program, or function being audited and access to government officials or other individuals as needed to conduct the audit. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for Internal Audit Functions; 3.17: The internal audit organization should report regularly to those charged with governance; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence for Internal Audit Functions; 3.19: The internal audit organization should document the conditions that allow it to be considered free of organizational impairments to independence for internal reporting and provide the documentation to those performing quality control monitoring and to the external peer reviewers to determine whether all the necessary safeguards have been met; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence When Performing Nonaudit Services; 3.20:...Audit organizations that provide nonaudit services must evaluate whether providing the services creates an independence impairment either in fact or appearance with respect to entities they audit. [Footnote not shown.]...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Organizational Independence When Performing Nonaudit Services; 3.21: Audit organizations in government entities generally have broad audit responsibilities and, therefore, should establish policies and procedures for accepting engagements to perform nonaudit services so that independence is not impaired with respect to entities they audit...Independent public accountants may provide audit and nonaudit services (commonly referred to as consulting) under contractual commitments to an entity and should determine whether nonaudit services they have provided or are committed to provide have a significant or material effect on the subject matter of the audits; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.22: The following two overarching principles apply to auditor independence when assessing the impact of performing a nonaudit service for an audited program or entity: (1) audit organizations must not provide nonaudit services that involve performing management functions or making management decisions and (2) audit organizations must not audit their own work or provide nonaudit services in situations in which the nonaudit services are significant or material to the subject matter of the audits. [Footnote not shown.]; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.23: In considering whether audits performed by the audit organization could be significantly or materially affected by the nonaudit service, audit organizations should evaluate (1) ongoing audits; (2) planned audits; (3) requirements and commitments for providing audits, which includes laws, regulations, rules, contracts, and other agreements; and (4) policies placing responsibilities on the audit organization for providing audit services; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Overarching Independence Principles; 3.24: If requested [footnote not shown] to perform nonaudit services that would impair the audit organization's ability to meet either or both of the overarching independence principles for certain types of audit work, the audit organization should inform the requestor and the audited entity that performing the nonaudit service would impair the auditors' independence with regard to subsequent audit or attestation engagements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Supplemental Safeguards for Maintaining Auditor Independence When Performing Nonaudit Services; 3.30: Performing nonaudit services described in paragraph 3.28 will not impair independence if the overarching independence principles stated in paragraph 3.22 are not violated. For these nonaudit services, the audit organization should comply with each of the following safeguards: a. document its consideration of the nonaudit services, including its conclusions about the impact on independence; b. establish in writing an understanding with the audited entity regarding the objectives, scope of work, and product or deliverables of the nonaudit service; and management's responsibility for (1) the subject matter of the nonaudit services, (2) the substantive outcomes of the work, and (3) making any decisions that involve management functions related to the nonaudit service and accepting full responsibility for such decisions; c. exclude personnel who provided the nonaudit services from planning, conducting, or reviewing audit work in the subject matter of the nonaudit service; [footnote not shown] and; d. do not reduce the scope and extent of the audit work below the level that would be appropriate if the nonaudit service were performed by an unrelated party; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Competence; 3.41: The audit organization's management should assess skill needs to consider whether its workforce has the essential skills that match those necessary to fulfill a particular audit mandate or scope of audits to be performed. Accordingly, audit organizations should have a process for recruitment, hiring, continuous development, assignment, and evaluation of staff to maintain a competent workforce. The nature, extent, and formality of the process will depend on various factors such as the size of the audit organization, its structure, and its work; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Continuing Professional Education; 3.48: Improving their own competencies and meeting CPE requirements are primarily the responsibilities of individual auditors. The audit organization should have quality control procedures to help ensure that auditors meet the continuing education requirements, including documentation of the CPE completed...; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; Quality Control and Assurance; 3.50: Each audit organization performing audits or attestation engagements in accordance with GAGAS must: a. establish a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements, and; b. have an external peer review at least once every 3 years.[35]. [35] An audit organization's noncompliance with the peer review requirements (paragraph 3.50b and 3.55 through 3.60) results in a modified GAGAS compliance statement. The audit organization's compliance (or noncompliance) with the requirements for a system of quality control in paragraphs 3.50a and 3.51 through 3.54 are tested and reported on as part of the peer review process and do not impact the GAGAS compliance statement...; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.52: Each audit organization must document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent of the audit organization's compliance with its quality control policies and procedures...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.53 An audit organization should include policies and procedures in its system of quality control that collectively address: a. Leadership responsibilities for quality within the audit organization: Policies and procedures that designate responsibility for quality of audits and attestation engagements performed under GAGAS and communication of policies and procedures relating to quality...; b. Independence, legal, and ethical requirements: Policies and procedures designed to provide reasonable assurance that the audit organization and its personnel maintain independence, and comply with applicable legal and ethical requirements. [Footnote not shown.]; c. Initiation, [footnote not shown] acceptance, and continuance of audit and attestation engagements: Policies and procedures for the initiation, acceptance, and continuance of audit and attestation engagements, designed to provide reasonable assurance that the audit organization will undertake audit engagements only if it can comply with professional standards and ethical principles and is acting within the legal mandate or authority of the audit organization; d. Human resources: Policies and procedures designed to provide the audit organization with reasonable assurance that it has personnel with the capabilities and competence to perform its audits in accordance with professional standards and legal and regulatory requirements. [Footnote not shown.]; e. Audit and attestation engagement performance, documentation, and reporting: Policies and procedures designed to provide the audit organization with reasonable assurance that audits and attestation engagements are performed and reports are issued in accordance with professional standards and legal and regulatory requirements...; f. Monitoring of quality: An ongoing, periodic assessment of work completed on audits and attestation engagements designed to provide management of the audit organization with reasonable assurance that the policies and procedures related to the system of quality control are suitably designed and operating effectively in practice...The audit organization should perform monitoring procedures that enable it to assess compliance with applicable professional standards and quality control policies and procedures for GAGAS audits. Individuals performing monitoring should collectively have sufficient expertise and authority for this role; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; System of Quality Control; 3.54 The audit organization should analyze and summarize the results of its monitoring procedures at least annually, with identification of any systemic issues needing improvement, along with recommendations for corrective action. (Under GAGAS, reviews of the work and the report that are performed as part of supervision are not monitoring controls when used alone. However, these types of pre-issuance reviews may be used as a part of this analysis and summary.); Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.55 Audit organizations performing audits and attestation engagements in accordance with GAGAS must have an external peer review performed by reviewers independent of the audit organization being reviewed at least once every 3 years. [Footnote not shown.]; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.56 The audit organization should obtain an external peer review sufficient in scope to provide a reasonable basis for determining whether, for the period under review, [footnote not shown] the reviewed audit organization's system of quality control was suitably designed and whether the audit organization is complying with its quality control system in order to provide the audit organization with reasonable assurance of conforming with applicable professional standards; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.57: The peer review team should include the following elements in the scope of the peer review: a. review of the audit organization's quality control policies and procedures; b. consideration of the adequacy and results of the audit organization's internal monitoring procedures; c. review of selected audit and attestation engagement reports and related documentation; d. review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and; e. interviews with a selection of the reviewed audit organization's professional staff at various levels to assess their understanding of and compliance with relevant quality control policies and procedures; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.58: The peer review team should perform a risk assessment to help determine the number and types of engagements to select. Based on the risk assessment, the team should use one or a combination of the following approaches to selecting individual audits and attestation engagements for review: (1) select GAGAS audits and attestation engagements that provide a reasonable cross-section of the GAGAS assignments performed by the reviewed audit organization or (2) select audits and attestation engagements that provide a reasonable cross- section from all types of work subject to the reviewed audit organization's quality control system, including one or more assignments performed in accordance with GAGAS. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.59: The peer review team should prepare one or more written reports communicating the results of the peer review, including the following: a. description of the scope of the peer review, including any limitations; b. an opinion on whether the system of quality control of the reviewed audit organization's audit and/or attestation engagement practices was adequately designed and compiled with during the period reviewed to provide the audit organization with reasonable assurance of conforming with applicable professional standards; c. specification of the professional standards to which the reviewed audit organization is being held; d. for modified or adverse opinions, [footnote not shown] a description of reasons for the modification or adverse opinion, along with a detailed description of the findings and recommendations, in the peer review report, to enable the reviewed audit organization to take appropriate actions; and; e. reference to a separate letter of comments, if such a letter is issued; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.60: The peer review team should meet the following criteria: a. The review team collectively has current knowledge of GAGAS and government auditing; b. The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its staff, and the audits and attestation engagements selected for the peer review; c. The review team collectively has sufficient knowledge of how to perform a peer review. Such knowledge may be obtained from on-the-job training, training courses, or a combination of both. Having personnel on the peer review team with prior experience on a peer review or internal inspection team is desirable; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.61: An external audit organization [footnote not shown] should make its most recent peer review report[45] publicly available; for example, by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results. If neither of these options is available to the audit organization, then it should use the same transparency mechanism it uses to make other information public, and also provide the peer review report to others upon request. Internal audit organizations that report internally to management should provide a copy of the external peer review report to those charged with governance. Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies. [45] This requirement does not include the letter of comment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; External Peer Review; 3.62:...audit organizations seeking to enter into a contract to perform an audit or attestation engagement in accordance with GAGAS should provide the following to the party contracting for such services: a. the audit organization's most recent peer review report and any letter of comment, and; b. any subsequent peer review reports and letters of comment received during the period of the contract; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Types of GAGAS Audits and Attestation Engagements; 3.63:...Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; Audit Documentation; 4.22: Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for record retention...For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; Audit Documentation; 4.24: Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Distributing Reports; 5.44: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Attest Documentation; 6.24: Audit organizations should establish policies and procedures for the safe custody and retention of documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention...For attest documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the attest documentation; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Attest Documentation; 6.26: Audit organizations should develop policies to deal with requests by outside parties to obtain access to attest documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Distributing Reports; 6.56: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.82: Audit organizations should establish policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal, regulatory, and administrative requirements for records retention...For audit documentation that is retained electronically, the audit organization should establish information systems controls concerning accessing and updating the audit documentation; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.84: Audit organizations should develop policies to deal with requests by outside parties to obtain access to audit documentation, especially when an outside party attempts to obtain information indirectly through the auditor rather than directly from the audited entity. In developing such policies, audit organizations should determine what laws and regulations apply, if any; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits. Distributing Reports; 8.43: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users of the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. Specific Requirements for Financial Audits: GAGAS incorporate the AICPA field work and reporting standards and the related Statements on Auditing Standards (SAS). The requirements listed in this professional requirements tool for financial audits represent the supplemental GAGAS requirements for financial audits. In addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA field work and reporting standards is required for financial audits conducted in accordance with GAGAS. Auditors are advised to refer to the entire text of both GAGAS and the AICPA field work and reporting standards and the related Statements on Auditing Standards to obtain a comprehensive understanding of all the requirements for financial audits conducted in accordance with GAGAS. See paragraph 4.01a. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.11 When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.12: Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means; b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed or, (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.13: When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement. [Footnote not shown.] The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Relationship between GAGAS and Other Professional Standards; 1.14: Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; 1.19: In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent...However, some engagements may have multiple or overlapping objectives...In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.05: When auditors use the work of a specialist, [footnote not shown] auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Personal Impairments; 3.07: Auditors participating on an audit assignment must be free from personal impairments to independence. [Footnote not shown.] Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Organizational Independence; Organizational Independence When Performing Nonaudit Services; Nonaudit Services That Would Not Impair Independence if Supplemental Safeguards Are Implemented; 3.28: Services that do not impair the audit organization's independence with respect to the entities they audit so long as they comply with supplemental safeguards include the following: a. providing basic accounting assistance limited to services such as preparing draft financial statements that are based on management's chart of accounts and trial balance and any adjusting, correcting, and closing entries that have been approved by management; preparing draft notes to the financial statements based on information determined and approved by management; (If the audit organization has prepared draft financial statements and notes and performed the financial statement audit, the auditor should obtain documentation from management in which management acknowledges the audit organization's role in preparing the financial statements and related notes and management's review, approval, and responsibility for the financial statements and related notes in the management representation letter...); Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Professional Judgment; 3.31: Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Professional Judgment; 3.38: Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; 3.40: The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Technical Knowledge and Competence; 3.43: The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess; a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply this knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and; d. skills appropriate for the work being performed. For example, staff or specialist skills in; (1) statistical sampling if the work involves use of statistical sampling; (2) information technology if the work involves review of information systems; (3) engineering if the work involves review of complex engineering data; (4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or; (5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.44: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP), the American Institute of Certified Public Accountants (AICPA) generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and the application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government audit organization. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.46: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.49: External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Quality Control and Assurance; External Peer Review; 3.63: Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Introduction; 4.01: This chapter establishes field work standards and provides guidance for financial audits conducted in accordance with generally accepted government auditing standards (GAGAS). This chapter identifies the American Institute of Certified Public Accountants (AICPA) field work standards and prescribes additional standards for financial audits performed in accordance with GAGAS; a. For financial audits, GAGAS incorporate the AICPA field work and reporting standards and the related statements on auditing standards (SAS) unless specifically excluded or modified by GAGAS; b. Under AICPA standards and GAGAS, auditors must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by auditors is expressed in the auditor's report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; 4.03 The three AICPA generally accepted standards of field work are as follows: [Footnote not shown.]; [Documentation of compliance with the field work requirements in the AICPA standards and the related statements on auditing standards (SAS) is required for financial audits conducted in accordance with GAGAS. These AICPA standards and SAS contain requirements in addition to the requirements in 4.03 a-c below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; a. The auditor must adequately plan the work and must properly supervise any assistants; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; b. The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; AICPA Field Work Standards; c. The auditor must obtain sufficient appropriate audit evidence by performing audit procedures to afford a reasonable basis for an opinion regarding the financial statements under audit; Must: [Empty]; Should: [Check]. Chapter 4 - Field Work Standards for Financial Audits; Additional Government Auditing Standards; 4.04: GAGAS establish field work standards for financial audits in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to: a. auditor communication during planning (see paragraphs 4.05 through 4.08); b. previous audits and attestation engagements (see paragraph 4.09); c. detecting material misstatements resulting from violations of provisions of contracts or grant agreements, or from abuse (see paragraphs 4.10 through 4.13); d. developing elements of a finding (see paragraphs 4.14 through 4.18); and; e. audit documentation (see paragraphs 4.19 through 4.24); Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.05: Under AICPA standards and GAGAS, auditors should communicate with the audited entity their understanding of the services to be performed for each engagement and document that understanding through a written communication. [Footnote not shown.] GAGAS broaden the parties included in the communication and the items for the auditors to communicate; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.06: Under GAGAS, when planning the audit, auditors should communicate certain information in writing to management of the audited entity, those charged with governance, [footnote not shown] and to the individuals contracting for or requesting the audit. When auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS: a. The nature of planned work and level of assurance to be provided related to internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements; b. Any potential restriction on the auditors' reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Auditor Communication During Planning; 4.08: If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Previous Audits and Attestation Engagements; 4.09: Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the financial statements. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.10: Auditors should design the audit to provide reasonable assurance of detecting misstatements that result from violations of provisions of contracts or grant agreements and could have a direct and material effect on the determination of financial statement amounts or other financial data significant to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.11: If specific information comes to the auditors' attention that provides evidence concerning the existence of possible violations of provisions of contracts or grant agreements that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether such violations have occurred When the auditors conclude that a violation of provisions of contracts or grant agreements has or is likely to have occurred, they should determine the effect on the financial statements as well as the implications for other aspects of the audit; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Detecting Material Misstatements Resulting from Violations of Provisions of Contracts or Grant Agreements, or from Abuse; 4.13: If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively material to the financial statements, auditors should apply audit procedures specifically directed to ascertain the potential effect on the financial statements or other financial data significant to the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Developing Elements of a Finding; 4.14:... When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.19: Under AICPA standards and GAGAS, auditors must prepare audit documentation in connection with each audit in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached. [Footnote not shown.] Under AICPA standards and GAGAS, auditors should prepare audit documentation that enables an experienced auditor, [footnote not shown] having no previous connection to the audit, to understand: a. the nature, timing, and extent of auditing procedures performed to comply with GAGAS and other applicable standards and requirements; b. the results of the audit procedures performed and the audit evidence obtained; c. the conclusions reached on significant matters; and; d. that the accounting records agree or reconcile with the audited financial statements or other audited information; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.20 Under GAGAS, auditors also should document, before the audit report is issued, evidence of supervisory review of the work performed that supports findings, conclusions, and recommendations contained in the audit report; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.21: When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Audit Documentation; 4.23 ...Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Consideration of Fraud and Illegal Acts; 4.27: Under both the AICPA standards [footnote not shown] and GAGAS, auditors should plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. [Footnote not shown.]...; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Consideration of Fraud and Illegal Acts; 4.28: Under both the AICPA standards [footnote not shown] and GAGAS, auditors should design the audit to provide reasonable assurance of detecting material misstatements resulting from illegal acts that could have a direct and material effect on the financial statements. [Footnote not shown.] If specific information comes to the auditors' attention that provides evidence concerning the existence of possible illegal acts [footnote not shown] that could have a material indirect effect on the financial statements, the auditors should apply audit procedures specifically directed to ascertaining whether an illegal act has occurred. When an illegal act has or is likely to have occurred, auditors should determine the effect on the financial statements as well as the implications for other aspects of the audit; Must: [Check]; Should: [Empty]. Chapter 4 - Field Work Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; Ongoing Investigations or Legal Proceedings; 4.29: ...When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit engagement or a portion of the engagement to avoid interfering with an investigation; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; AICPA Reporting Standards; 5.03: The four AICPA generally accepted standards of reporting [footnote not shown] are as follows: [Documentation of compliance with the reporting requirements in the AICPA standards and the related statements on auditing standards (SAS) is required for financial audits conducted in accordance with GAGAS. These AICPA standards and SAS contain requirements in addition to the requirements in 5.03 a-d below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; a. The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles (GAAP); Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; b. The auditor must identify in the auditor's report those circumstances in which such principles have not been consistently observed in the current period in relation to the preceding period; Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; c. When the auditor determines that informative disclosures are not reasonably adequate, the auditor must so state in the auditor's report; Must: [Empty]; Should: [Check]. Chapter 5 - Reporting Standards for Financial Audits; Additional Considerations for GAGAS Financial Audits; AICPA Reporting Standards; d. The auditor must either express an opinion regarding the financial statements, taken as a whole, or state that an opinion cannot be expressed, in the auditor's report. When the auditor cannot express an overall opinion, the auditor should state the reasons therefor in the auditor's report. In all cases where an auditor's name is associated with financial statements, the auditor should clearly indicate the character of the auditor's work, if any, and the degree of responsibility the auditor is taking in the auditor's report; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; 5.04: GAGAS establish reporting standards for financial audits in addition to the standards contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their audit reports. The additional government auditing standards relate to: a. reporting auditors' compliance with GAGAS (see paragraphs 5.05 and 5.06); b. reporting on internal control and compliance with laws, regulations, and provisions of contracts or grant agreements (see paragraphs 5.07 through 5.09); c. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 5.10 through 5.22); d. communicating significant matters in the auditors' report (see paragraphs 5.23 through 5.25); e. reporting on the restatement of previously-issued financial statements (see paragraphs 5.26 through 5.31); f. reporting views of responsible officials (see paragraphs 5.32 through 5.38); g. reporting confidential or sensitive information (see paragraphs 5.39 through 5.43); and; h. distributing reports (see paragraph 5.44); Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Auditors' Compliance with GAGAS; 5.05: When auditors comply with all applicable GAGAS requirements, they should include a statement in the auditors' report that they performed the audit in accordance with GAGAS...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.07: When providing an opinion or a disclaimer on financial statements, auditors must also report on internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.08: Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements. If the auditors issue separate reports, they should include a reference to the separate reports in the report on financial statements. Auditors should state in the reports whether the tests they performed provided sufficient, appropriate evidence to support an opinion on the effectiveness of internal control over financial reporting and on compliance with laws, regulations, and provisions of contracts or grant agreements. The internal control reporting standard under GAGAS differs from the objective of an examination of internal control in accordance with the AICPA Statement on Standards for Attestation Engagements (SSAE), which is to express an opinion on the design or the design and operating effectiveness of an entity's internal control, as applicable. To form a basis for expressing such an opinion, the auditor must plan and perform the examination to obtain reasonable assurance about whether the entity maintained, in all material respects, effective internal control as of a point in time or for a specified period of time; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Internal Control and Compliance with Laws, Regulations, and Provisions of Contracts or Grant Agreements; 5.09: When auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements, they should state in the financial statement audit report that they are issuing those additional reports. They should include a reference to the separate reports[54] and also state that the reports on internal control over financial reporting and compliance with laws and regulations and provisions of contracts or grant agreements are an integral part of a GAGAS audit and important for assessing the results of the audit. If auditors issued or intend to issue a management letter, they should refer to that management letter in the reports; [54] This requirement applies to financial statement audits described in paragraph 1.22a. It does not apply to other types of financial audits described in paragraph 1.22b; Must: [Empty]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.10: For financial audits, including audits of financial statements in which auditors provide an opinion or disclaimer, auditors should report, as applicable to the objectives of the audit, and based upon the audit work performed, (1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the financial statements. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.11: For all financial audits, auditors should report the following deficiencies in internal control: a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with GAAP such that there is more than a remote [footnote not shown] likelihood that a misstatement of the entity's financial statements that is more than inconsequential [footnote not shown]will not be prevented or detected. [Footnote not shown.]; b. Material weakness: a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.13: Auditors should include all significant deficiencies in the auditors' report on internal control over financial reporting and indicate those that represent material weaknesses. If (1) a significant deficiency is remediated before the auditors' report is issued and (2) the auditors obtain sufficient, appropriate evidence supporting the remediation of the significant deficiency, then the auditors should report the significant deficiency and the fact that it was remediated before the auditors' report was issued; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Deficiencies in Internal Control; 5.14 Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statements is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.15 Under AICPA standards and GAGAS, auditors have responsibilities for detecting fraud and illegal acts that have a material effect on the financial statements and determining whether those charged with governance are adequately informed about fraud and illegal acts. GAGAS include additional reporting standards. When auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their audit report the relevant information about; a. fraud and illegal acts [footnote not shown] that have an effect on the financial statements that is more than inconsequential,; b. violations of provisions of contracts or grant agreements that have a material effect on the determination of financial statement amounts or other financial data significant to the audit, and; c. abuse that is material, either quantitatively or qualitatively...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 5.16: When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the financial statements that is less than material but more than inconsequential, they should communicate those findings in writing to officials of the audited entity. Determining whether and how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.18: Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances. [Footnote not shown.]; a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties; b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the financial statements and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.19: The reporting in paragraph 5.18 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; 5.20: Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 5.18; Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Audited Entity; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 5.21: In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 5.22 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Restatement of Previously-Issued Financial Statements; 5.26: AICPA Professional Standards, AU Section 561, "Subsequent Discovery of Facts Existing at the Date of the Auditor's Report," establish standards and provide guidance for situations when auditors become aware of new information that could have affected their report on previously-issued financial statements. [Footnote not shown.] Under AU Section 561, if auditors become aware of new information that might have affected their opinion on previously-issued financial statement(s), then the auditors should advise entity management to determine the potential effect(s) of the new information on the previously-issued financial statement(s) as soon as reasonably possible. Such new information may lead management to conclude that previously-issued financial statements were materially misstated and to restate and reissue the misstated financial statements. In such circumstances, auditors should advise management to make appropriate disclosure of the newly discovered facts and their impact on the financial statements to those who are likely to rely on the financial statements. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting on Restatement of Previously-Issued Financial Statements; 5.27: Under GAGAS, auditors should advise management to make appropriate disclosures when the auditors believe that the following conditions exist: (1) it is likely that previously-issued financial statements are misstated and (2) the misstatement is or reasonably could be material. Under GAGAS, auditors also should perform the following procedures related to restated financial statements:[65]; [65] These additional GAGAS requirements also apply to other financial information on which auditors opine, such as schedules of expenditures of federal awards; a. evaluate the timeliness and appropriateness of management's disclosure and actions to determine and correct misstatements in previously-issued financial statements (see paragraph 5.28),; b. report on restated financial statements (see paragraphs 5.29 and 5.30), and; c. report directly to appropriate officials when the audited entity does not take the necessary steps (see paragraph 5.31); Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements; 5.28: Auditors should evaluate the timeliness and appropriateness of management's disclosure to those who are likely to rely on the financial statements and management's actions to determine and correct misstatements in previously-issued financial statements in accordance with AU Sections 561.06 through 561.08. Under GAGAS, auditors also should evaluate whether management; a. acted in an appropriate time frame after new information was available to (1) determine the financial statement effects of the new information and (2) notify those who are likely to rely on the financial statements; b. disclosed the nature and extent of the known or likely material misstatements on Web pages where management has published the auditors' report on the previously-issued financial statements; and; c. disclosed the following information in the entity's restated financial statements: (1) the nature and cause(s) of the misstatement(s) that led to the need for restatement, (2) the specific amount(s) of the material misstatement(s), and (3) the related effect(s) on the previously-issued financial statement(s) (e.g., year(s) being restated, specific financial statement(s) affected and line items restated, actions the agency's management took after discovering the misstatement), and (4) the impact on the financial statements as a whole (e.g., change in overall net position, change in the audit opinion) and on key information included in the Management Discussion & Analysis; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Report on Restated Financial Statements; 5.29: When management restates financial statements, auditors should perform audit procedures sufficient to reissue or update the auditors' report on the restated financial statements regardless of whether the restated financial statements are separately issued or presented on a comparative basis with those of a subsequent period. [Footnote not shown.] Auditors should include the following in an explanatory paragraph in the reissued or updated auditors' report: a. a statement disclosing that the previously-issued financial statements have been restated; b. a statement that (1) the previously-issued auditors' report (identified by report date) is not to be relied on because the previously-issued financial statements were materially misstated and (2) the previously-issued auditors' report is replaced by the auditors' report on the restated financial statements; c. a reference to the note(s) to the restated financial statements that discusses the restatement; and; d. if applicable, a reference to the report on internal control containing a discussion of any significant internal control deficiency identified by the auditors as having failed to prevent or detect the misstatement and any corrective action taken by management to address the deficiency; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Evaluate the Timeliness and Appropriateness of Management's Disclosure and Actions to Determine and Correct Misstatements in Previously-Issued Financial Statements; 5.30: Management's failure to include appropriate disclosures, as discussed in paragraph 5.28c, in restated financial statements may have implications for the audit. In addition, auditors should include the omitted disclosures in the auditors' report, if practicable; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Report Directly to Appropriate Officials When the Audited Entity Does Not Take the Necessary Steps; 5.31: Auditors should notify those charged with governance if entity management (1) does not act in an appropriate time frame after new information was available to determine the financial statement effects of the new information and take the necessary steps to timely inform those who are likely to rely on the financial statements and the related auditors' reports of the situation or (2) does not restate with reasonable timeliness the financial statements under circumstances in which auditors believe they need to be restated. Auditors should inform those charged with governance that the auditors will take steps to prevent further reliance on the auditors' report and advise them to notify oversight bodies and funding agencies that rely on the financial statements. If those charged with governance do not notify appropriate oversight bodies and funding agencies, then the auditors should do so. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.32: If the auditors' report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.34: When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.35: Auditors should also include in the report an evaluation of the comments, as appropriate...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.37: When the audited entity's comments are inconsistent or in conflict with findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 5.38: If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.39: If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that makes the omission necessary; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.42: Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 5.43: When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate...; Must: [Check]; Should: [Empty]. Chapter 5 - Reporting Standards for Financial Audits; Additional Government Auditing Standards; Distributing Reports; 5.44: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. [End of table] Specific Requirements for Attestation Engagements: GAGAS incorporate the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements (SSAE). The requirements listed in this professional requirements tool for attestation engagements represent the supplemental GAGAS requirements for attestation engagements. In addition to the requirements contained in this tool, documentation of compliance with the requirements in the AICPA general standard on criteria and the field work and reporting standards is required for attestation engagements conducted in accordance with GAGAS. Auditors are advised to refer to the entire text of the both GAGAS and the AICPA general standard on criteria, and the field work and reporting standards and the related Statements on Standards for Attestation Engagements to obtain a comprehensive understanding of all the requirements for attestation engagements conducted in accordance with GAGAS. See paragraph 6.01. Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.11: When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.12: Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means; b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed or, (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.13: When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement. [Footnote not shown.] The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Relationship between GAGAS and Other Professional Standards; 1.14: Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; 1.19: In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent...However, some engagements may have multiple or overlapping objectives...In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Attestation Engagements; 1.23: Attestation engagements can cover a broad range of financial or nonfinancial objectives and may provide different levels of assurance about the subject matter or assertion depending on the users' needs. Attestation engagements result in an examination, a review, or an agreed-upon procedures report on a subject matter or on an assertion about a subject matter that is the responsibility of another party. The three types of attestation engagements are: a. Examination: Consists of obtaining sufficient, appropriate evidence to express an opinion on whether the subject matter is based on (or in conformity with) the criteria in all material respects or the assertion is presented (or fairly stated), in all material respects, based on the criteria; b. Review: Consists of sufficient testing to express a conclusion about whether any information came to the auditors' attention on the basis of the work performed that indicates the subject matter is not based on (or not in conformity with) the criteria or the assertion is not presented (or not fairly stated) in all material respects based on the criteria. As stated in the AICPA SSAE, auditors should not perform review-level work for reporting on internal control or compliance with laws and regulations; c. Agreed-Upon Procedures: Consists of specific procedures performed on a subject matter; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Independence; 3.05: When auditors use the work of a specialist, [footnote not shown] auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Personal Impairments; 3.07: Auditors participating on an audit assignment must be free from personal impairments to independence. [Footnote not shown.] Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence...; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Professional Judgment; 3.31: Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Professional Judgment; 3.38: Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; 3.40: The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Technical Knowledge and Competence; 3.43: The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess; a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply this knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and; d. skills appropriate for the work being performed. For example, staff or specialist skills in; (1) statistical sampling if the work involves use of statistical sampling; (2) information technology if the work involves review of information systems; (3) engineering if the work involves review of complex engineering data; (4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or: (5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.44: Auditors performing financial audits should be knowledgeable in generally accepted accounting principles (GAAP), the American Institute of Certified Public Accountants (AICPA) generally accepted auditing standards for field work and reporting and the related Statements on Auditing Standards (SAS), and the application of these standards. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards. Auditors engaged to perform financial audits or attestation engagements should be licensed certified public accountants or persons working for a licensed certified public accounting firm or a government audit organization. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Additional Qualifications for Financial Audits and Attestation Engagements; 3.45: Similarly, for attestation engagements, GAGAS incorporate the AICPA attestation standards. Auditors should be knowledgeable in the AICPA general attestation standard related to criteria, the AICPA attestation standards for field work and reporting, and the related Statements on Standards for Attestation Engagements (SSAE), and they should be competent in applying these standards and SSAE to the task assigned. Also, if auditors use GAGAS in conjunction with any other standards, they should be knowledgeable and competent in applying those standards; Chapter 3 - General Standards; Continuing Professional Education; 3.46: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Continuing Professional Education; 3.49 External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Quality Control and Assurance; External Peer Review; 3.63: Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested...; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; 6.03: The AICPA general standard related to criteria is as follows: The practitioner [auditor] must have reason to believe that the subject matter is capable of evaluation against criteria that are suitable and available to users. [Documentation of compliance with the AICPA general standard related to criteria is required for attestation engagements conducted in accordance with GAGAS. These AICPA standards and SSAE contain requirements in addition to the requirements in 6.03 above. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; 6.04: The two AICPA field work standards for attestation engagements are as follows: [Documentation of compliance with the field work requirements in the AICPA standards and the related statements on standards for attestation engagements (SSAE) is required for attestation engagements conducted in accordance with GAGAS. These AICPA standards and SSAE contain requirements in addition to the requirements in 6.04 a-b below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; Must: [Check]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; a. The practitioner [auditor] must adequately plan the work and must properly supervise any assistants; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA General and Field Work Standards for Attestation Engagements; b. The practitioner [auditor] must obtain sufficient evidence to provide a reasonable basis for the conclusion that is expressed in the report; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; 6.05: GAGAS establish attestation engagement field work standards in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to; a. auditor communication during planning (see paragraphs 6.06 through 6.08); b. previous audits and attestation engagements (see paragraph 6.09); c. internal control (see paragraphs 6.10 through 6.12); d. fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that could have a material effect on the subject matter (see paragraphs 6.13 and 6.14); e. developing elements of a finding (see paragraphs 6.15 through 6.19); and; f. documentation (see paragraphs 6.20 through 6.26); Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning. 6.06: Under AICPA standards and GAGAS, auditors should establish an understanding with the entity regarding the services to be performed for each engagement. Auditors also should obtain written acknowledgment or other evidence of the entity's responsibilities for the subject matter or the written assertion as it relates to the objectives of the engagement. GAGAS broaden the parties included in the communications during planning and contain additional items in the communications; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning; 6.07: Under GAGAS, when planning the engagement, auditors should communicate certain information, including their understanding of the services to be performed for each engagement, in writing to entity management, those charged with governance, [footnote not shown] and to the individuals contracting for or requesting the engagement. When auditors perform the engagement pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, auditors should communicate with the legislative committee. In those situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditors should document the process followed and conclusions reached for identifying the appropriate individuals to receive the required auditor communications. Auditors should communicate the following additional information under GAGAS: a. the nature, timing, and extent of planned testing and reporting; b. the level of assurance the auditor will provide; and; c. any potential restriction on the auditors' reports, in order to reduce the risk that the needs or expectations of the parties involved may be misinterpreted; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Auditor Communication During Planning; 6.08: If an engagement is terminated before it is completed and a report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated...; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Previous Audits and Attestation Engagements; 6.09: Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a material effect on the subject matter. When planning the engagement, auditors should ask entity management to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter of the attestation engagement being undertaken, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current engagement objectives; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Internal Control; 6.10: In planning examination-level attestation engagements, auditors should obtain a sufficient understanding of internal control that is material to the subject matter in order to plan the engagement and design procedures to achieve the objectives of the attestation engagement; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Internal Control; 6.11: In planning an examination-level attestation engagement, auditors should obtain an understanding of internal control as it relates to the subject matter to which the auditors are attesting. The subject matter may be financial or nonfinancial...; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter; 6.13 :The auditors' responsibility with regard to fraud, [footnote not shown] illegal acts, violations of provisions of contracts or grant agreements, or abuse for attestation engagements performed in accordance with GAGAS is as follows: Must: [Check]; Empty: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, or Abuse That Could Have a Material Effect on the Subject Matter; a. Examination-level engagements: In planning, auditors should design the engagement to provide reasonable assurance of detecting fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter of the attestation engagement. Thus, auditors should assess the risk and possible effects of material fraud, illegal acts, or violations of provisions of contracts or grant agreements on the subject matter of the attestation engagement. When risk factors are identified, auditors should document the risk factors identified, the auditors' response to those risk factors individually or in combination, and the auditors' conclusions; b. Review-level and agreed-upon-procedures-level engagements: If during the course of the engagement, information comes to the auditors' attention indicating that fraud, illegal acts, or violations of provisions of contracts or grant agreements that could have a material effect on the subject matter may have occurred, auditors should perform procedures as necessary to (1) determine if fraud, illegal acts, or violations of provisions of contracts or grant agreements are likely to have occurred and, if so, (2) determine their effect on the results of the attestation engagement. Auditors are not expected to provide assurance of detecting potential fraud, illegal acts, or violations of provisions of contracts or grant agreements for these types of engagements unless it is specified in the procedures; c. For all levels of attestation engagements: If during the course of the engagement, auditors become aware of abuse that could be quantitatively or qualitatively material, auditors should apply procedures specifically directed to ascertain the potential effect on the subject matter or other data significant to the engagement objectives....; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Developing Elements of a Finding; 6.15:...When auditors identify deficiencies, auditors should plan and perform procedures to develop the elements of the findings that are relevant and necessary to achieve the engagement objectives....; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Documentation; 6.20: Under GAGAS, auditors must prepare attest documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of engagement procedures performed); the evidence obtained and its source; and the conclusions reached....; Must: [Empty]; Empty: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Documentation; 6.21: Auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, [footnote not shown] having no previous connection to the attestation engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare attest documentation that contains support for findings, conclusions, and recommendations before they issue their report; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Documentation; 6.22: Auditors also should document the following for attestation engagements performed under GAGAS: a. the objectives, scope, and methodology of the attestation engagement; b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;[74]. [74] Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the audit documentation, nor are they required to list detailed information from those documents; c. evidence of supervisory review, before the engagement report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the engagement report; and; d. the auditors' consideration that the planned procedures be designed to achieve objectives of the attestation engagement when (1) evidence obtained is dependent on computerized information systems, (2) such evidence is material to the objective of the engagement, and (3) the auditors are not relying on the effectiveness of internal control over those computerized systems that produced the evidence. Auditors should document (1) the rationale for determining the nature, timing, and extent of planned procedures; (2) the kinds and competence of available evidence produced outside a computerized information system, or plans for direct testing of data produced from a computerized information system; and (3) the effect on the attestation engagement report if evidence to be gathered does not afford a reasonable basis for achieving the objectives of the engagement; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Documentation; 6.23 When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the engagement, the auditors should document the departure, the impact on the engagement and on the auditors' conclusions. This applies to departures from mandatory requirements and presumptively mandatory requirements where alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard....; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Documentation; 6.25...Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as attest documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives....; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Considerations for GAGAS Attestation Engagements; Ongoing Investigations or Legal Proceedings; 6.29:...When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current engagement. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the engagement or a portion of the engagement to avoid interfering with an investigation; Must: [Check]; Empty: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; AICPA Reporting Standards for Attestation Engagements; 6.30: The four AICPA reporting standards that apply to all levels of attestation engagements are as follows: [Footnote not shown.]; [Documentation of compliance with the reporting requirements in the AICPA standards and the related statements on standards for attestation engagements (SSAE) is required for attestation engagements conducted in accordance with GAGAS. These AICPA standards and SSAE contain requirements in addition to the requirements in 6.30 a-d below. Use of a checklist for the AICPA standards may be helpful for auditors to ensure compliance with these standards.]; a. The practitioner [auditor] must identify the subject matter or the assertion being reported on and state the character of the engagement in the report; b. The practitioner [auditor] must state the practitioner's [auditor's] conclusion about the subject matter or the assertion in relation to the criteria against which the subject matter was evaluated in the report; c. The practitioner [auditor] must state all of the practitioner's [auditor's] significant reservations about the engagement, the subject matter, and, if applicable, the assertion related thereto in the report; d. The practitioner [auditor] must state in the report that the report is intended for use by specified parties under the following circumstances: (1) When the criteria used to evaluate the subject matter are determined by the practitioner [auditor] to be appropriate only for a limited number of parties who either participated in their establishment or can be presumed to have an adequate understanding of the criteria; (2) When the criteria used to evaluate the subject matter are available only to specified parties; (3) When reporting on subject matter and a written assertion has not been provided by the responsible party; (4) When the report is on an attest engagement to apply agreed-upon procedures to the subject matter; Must: [Empty]; Should: [Check]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; 6.31: GAGAS establish reporting standards for attestation engagements in addition to the requirements contained in the AICPA standards. Auditors should comply with these additional standards when citing GAGAS in their attestation engagement reports. The additional government auditing standards relate to; a. reporting auditors' compliance with GAGAS (see paragraph 6.32); b. reporting deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse (see paragraphs 6.33 through 6.43); c. reporting views of responsible officials (see paragraphs 6.44 through 6.50); d. reporting confidential or sensitive information (see paragraphs 6.51 through 6.55); and; e. distributing reports (see paragraph 6.56); Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Auditors' Compliance with GAGAS; 6.32: When auditors comply with all applicable GAGAS requirements, they should include a statement in the attestation report that they performed the engagement in accordance with GAGAS...GAGAS do not prohibit auditors from issuing a separate report conforming only to the requirements of other standards; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Deficiencies in Internal Control, Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 6.33: For attestation engagements, auditors should report, as applicable to the objectives of the engagement, and based upon the work performed, (1) significant deficiencies in internal control, identifying those considered to be material weaknesses; (2) all instances of fraud and illegal acts unless inconsequential; and (3) violations of provisions of contracts or grant agreements and abuse that could have a material effect on the subject matter of the engagement; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Deficiencies in Internal Control; 6.34: For all attestation engagements, auditors should report the following deficiencies in internal control: a. Significant deficiency: a deficiency in internal control, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report data reliably in accordance with the applicable criteria or framework such that there is more than a remote [footnote not shown] likelihood that a misstatement of the subject matter that is more than inconsequential [footnote not shown] will not be prevented or detected; b. Material weakness: a significant deficiency or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the subject matter will not be prevented or detected; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Deficiencies in Internal Control; 6.35: Determining whether and how to communicate to entity officials internal control deficiencies that have an inconsequential effect on the subject matter is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 6.36: Under GAGAS, when auditors conclude, based on sufficient, appropriate evidence, that any of the following either has occurred or is likely to have occurred, they should include in their report the relevant information about; a. fraud and illegal acts [footnote not shown] that have an effect on the subject matter that is more than inconsequential,; b. violations of provisions of contracts or grant agreements that have a material effect on the subject matter, and: c. abuse that is material to the subject matter, either quantitatively or qualitatively....; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 6.37: When auditors detect violations of provisions of contracts or grant agreements or abuse that have an effect on the subject matter that is less than material but more than inconsequential, they should communicate those findings in writing to entity officials. Determining whether and how to communicate to entity officials fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Entity; 6.39: Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances. [Footnote not shown.]; a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties; b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Entity; 6.40: The reporting in paragraph 6.39 is in addition to any legal requirements to report such information directly to parties outside the entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the engagement prior to its completion; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Findings Directly to Parties Outside the Entity; 6.41: Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by entity management that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 6.39; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 6.42: In presenting findings such as deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, and abuse, auditors should develop the elements of the findings to the extent necessary to achieve the engagement objectives....; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Presenting Findings in the Auditors' Report; 6.43: Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 6.44: If the attestation engagement report discloses deficiencies in internal control, fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse, auditors should obtain and report the views of responsible officials concerning the findings, conclusions, and recommendations, as well as planned corrective actions; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 6.46: When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 6.47: Auditors should also include in the report an evaluation of the comments, as appropriate....; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 6.49: When the entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Views of Responsible Officials; 6.50: If the entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 6.51: If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that make the omission necessary; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 6.54: Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the engagement results or conceal improper or illegal practices; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Reporting Confidential or Sensitive Information; 6.55 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate....; Must: [Check]; Should: [Empty]. Chapter 6 - General, Field Work, and Reporting Standards for Attestation Engagements; Additional Government Auditing Standards; Distributing Reports; 6.56: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the entity and the nature of the information contained in the report. If the subject matter or the assertion involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute reports to those charged with governance, to the appropriate entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report; c. Public accounting firms contracted to perform an engagement under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracting firm is to make the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. [End of table] Specific Requirements for Performance Audits: Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.11: When auditors are required to follow GAGAS or are representing to others that they followed GAGAS, they should follow all applicable GAGAS requirements and should refer to compliance with GAGAS in the auditors' report as set forth in paragraphs 1.12 and 1.13; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.12: Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS audits and attestation engagements, as appropriate. [Footnote not shown.]; a. Unmodified GAGAS compliance statement: Stating that the auditor performed the audit or attestation engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed all applicable unconditional and presumptively mandatory GAGAS requirements, or (2) have followed all unconditional requirements and documented justification for any departures from applicable presumptively mandatory requirements, and have achieved the objectives of those requirements through other means; b. Modified GAGAS compliance statement: Stating either that (1) the auditor performed the audit or attestation engagement in accordance with GAGAS, except for specific applicable requirements that were not followed or, (2) because of the significance of the departure(s) from the requirements, the auditor was unable to and did not perform the audit or attestation engagement in accordance with GAGAS. Situations when auditors use modified compliance statements include scope limitations, such as restrictions on access to records, government officials, or other individuals needed to conduct the audit. When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirements affected, or could have affected, the audit and the assurance provided; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Stating Compliance with GAGAS in the Auditors' Report; 1.13: When auditors do not comply with any applicable requirements, they should (1) assess the significance of the noncompliance to the audit objectives, (2) document the assessment, along with their reasons for not following the requirement, and (3) determine the type of GAGAS compliance statement. [Footnote not shown.] The auditors' determination will depend on the significance of the requirements not followed in relation to the audit objectives; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Relationship between GAGAS and Other Professional Standards; 1.14: Auditors may use GAGAS in conjunction with professional standards issued by other authoritative bodies. Auditors may also cite the use of other standards in their audit reports, as appropriate. If the auditor is citing compliance with GAGAS and inconsistencies exist between GAGAS and other standards cited, the auditor should use GAGAS as the prevailing standard for conducting the audit and reporting the results; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; 1.19: In some audits and attestation engagements, the standards applicable to the specific audit objective will be apparent....However, some engagements may have multiple or overlapping objectives....In cases in which there is a choice between applicable standards, auditors should evaluate users' needs and the auditors' knowledge, skills, and experience in deciding which standards to follow; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Types of GAGAS Audits and Attestation Engagements; Professional Services Other Than Audits (Nonaudit Services) Provided by Audit Organizations; 1.33: GAGAS do not cover professional services other than audits or attestation engagements (nonaudit services). Therefore, auditors must not report that the nonaudit services were conducted in accordance with GAGAS. When performing nonaudit services for an entity for which the audit organization performs a GAGAS audit or attestation engagement, audit organizations should communicate, as appropriate, with requestors and those charged with governance to clarify that the scope of work performed does not constitute an audit under GAGAS; Must: [Empty]; Should: [Check]. Chapter 1 - Use and Application of GAGAS; Independence; 3.02: In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free from personal, external, and organizational impairments to independence, and must avoid the appearance of such impairments of independence; Must: [Empty]; Should: [Check]. Chapter 1 - Use and Application of GAGAS; Independence; 3.03: Auditors and audit organizations must maintain independence so that their opinions, findings, conclusions, judgments, and recommendations will be impartial and viewed as impartial by objective third parties with knowledge of the relevant information. Auditors should avoid situations that could lead objective third parties with knowledge of the relevant information to conclude that the auditors are not able to maintain independence and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the audit and reporting on the work; Must: [Empty]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Independence; 3.04: When evaluating whether independence impairments exist either in fact or appearance with respect to the entities for which audit organizations perform audits or attestation engagements, auditors and audit organizations must take into account the three general classes of impairments to independence--personal, external, and organizational. [Footnote not shown.] If one or more of these impairments affects or can be perceived to affect independence, the audit organization (or auditor) should decline to perform the work--except in those situations in which an audit organization in a government entity, because of a legislative requirement or for other reasons, cannot decline to perform the work, in which case the government audit organization must disclose the impairment(s) and modify the GAGAS compliance statement....; Must: [Empty]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Independence; 3.05: When auditors use the work of a specialist, [footnote not shown] auditors should assess the specialist's ability to perform the work and report results impartially as it relates to their relationship with the program or entity under audit. If the specialist's independence is impaired, auditors should not use the work of that specialist; Must: [Check]; Should: [Empty]. Chapter 1 - Use and Application of GAGAS; Independence; Personal Impairments; 3.07: Auditors participating on an audit assignment must be free from personal impairments to independence. [Footnote not shown.] Personal impairments of auditors result from relationships or beliefs that might cause auditors to limit the extent of the inquiry, limit disclosure, or weaken or slant audit findings in any way. Individual auditors should notify the appropriate officials within their audit organizations if they have any personal impairment to independence....; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Professional Judgment; 3.31: Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Professional Judgment; 3.38: Auditors should document significant decisions affecting the audit objectives, scope, and methodology; findings; conclusions; and recommendations resulting from professional judgment; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; 3.40: The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required; Must: [Empty]; Should: [Check]. Chapter 3 - General Standards; Competence; Technical Knowledge and Competence; 3.43: The staff assigned to conduct an audit or attestation engagement under GAGAS must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed before beginning work on that assignment. The staff assigned to a GAGAS audit or attestation engagement should collectively possess; a. knowledge of GAGAS applicable to the type of work they are assigned and the education, skills, and experience to apply this knowledge to the work being performed; b. general knowledge of the environment in which the audited entity operates and the subject matter under review; c. skills to communicate clearly and effectively, both orally and in writing; and; d. skills appropriate for the work being performed. For example, staff or specialist skills in; (1) statistical sampling if the work involves use of statistical sampling; (2) information technology if the work involves review of information systems; (3) engineering if the work involves review of complex engineering data; (4) specialized audit methodologies or analytical techniques, such as the use of complex survey instruments, actuarial-based estimates, or statistical analysis tests, as applicable; or; (5) specialized knowledge in subject matters, such as scientific, medical, environmental, educational, or any other specialized subject matter, if the work calls for such expertise; Must: [Empty]; Should: [Empty]. Chapter 3 - General Standards; Competence; Continuing Professional Education; 3.46: Auditors performing work under GAGAS, including planning, directing, performing field work, or reporting on an audit or attestation engagement under GAGAS, should maintain their professional competence through continuing professional education (CPE). Therefore, each auditor performing work under GAGAS should complete, every 2 years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. For auditors who are involved in any amount of planning, directing, or reporting on GAGAS assignments and those auditors who are not involved in those activities but charge 20 percent or more of their time annually to GAGAS assignments should also obtain at least an additional 56 hours of CPE (for a total of 80 hours of CPE in every 2-year period) that enhances the auditor's professional proficiency to perform audits or attestation engagements. Auditors required to take the total 80 hours of CPE should complete at least 20 hours of CPE in each year of the 2-year period; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Competence; Continuing Professional Education; 3.49: External specialists assisting in performing a GAGAS assignment should be qualified and maintain professional competence in their areas of specialization but are not required to meet the GAGAS CPE requirements described. However, auditors who use the work of external specialists should assess the professional qualifications of such specialists and document their findings and conclusions. Internal specialists who are part of the audit organization and perform as a member of the audit team should comply with GAGAS, including the CPE requirements; Must: [Check]; Should: [Empty]. Chapter 3 - General Standards; Quality Control and Assurance; External Peer Review; 3.63: Auditors who are using another audit organization's work should request a copy of the audit organization's latest peer review report and any letter of comment, and the audit organization should provide these documents when requested....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; 7.06: Auditors must adequately plan and document the planning of the work necessary to address the audit objectives; Must: [Empty]; Should: [Check]. Chapter 7 - Field Work Standards for Performance Audits; Planning; 7.07: Auditors must plan the audit to reduce audit risk to an appropriate level for the auditors to provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors' findings and conclusions. This determination is a matter of professional judgment. In planning the audit, auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives. [Footnote not shown.]...; Must: [Empty]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; 7.10:...Auditors should design the methodology to obtain sufficient, appropriate evidence to address the audit objectives, reduce audit risk to an acceptable level, and provide reasonable assurance that the evidence is sufficient and appropriate to support the auditors' findings and conclusions....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; 7.11: Auditors should assess audit risk and significance within the context of the audit objectives by gaining an understanding of the following: a. the nature and profile of the programs and the needs of potential users of the audit report (see paragraphs 7.13 through 7.15); b. internal control as it relates to the specific objectives and scope of the audit (see paragraphs 7.16 through 7.22); c. information systems controls for purposes of assessing audit risk and planning the audit within the context of the audit objectives (see paragraphs 7.23 through 7.27); d. legal and regulatory requirements, contract provisions or grant agreements, potential fraud, or abuse that are significant within the context of the audit objectives (see paragraphs 7.28 through 7.35); and; e. the results of previous audits and attestation engagements that directly relate to the current audit objectives (see paragraph 7.36); Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; 7.12: During planning, auditors also should; a. identify the potential criteria needed to evaluate matters subject to audit (see paragraphs 7.37 and 7.38); b. identify sources of audit evidence and determine the amount and type of evidence needed given audit risk and significance (see paragraphs 7.39 and 7.40); c. evaluate whether to use the work of other auditors and experts to address some of the audit objectives (see paragraphs 7.41 through 7.43); d. assign sufficient staff and specialists with adequate collective professional competence and identify other resources needed to perform the audit (see paragraphs 7.44 and 7.45); e. communicate about planning and performance of the audit to management officials, those charged with governance, and others as applicable (see paragraphs 7.46 through 7.49); and; f. prepare a written audit plan (see paragraphs 7.50 and 7.51); Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Nature and Profile of the Program and User Needs; 7.13: Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include; a. visibility, sensitivity, and relevant risks associated with the program under audit; b. age of the program or changes in its conditions; c. the size of the program in terms of total dollars, number of citizens affected, or other measures; d. level and extent of review or other forms of independent oversight; e. program's strategic plan and objectives; and; f. external factors or conditions that could directly affect the program; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Internal Control; 7.16: Auditors should obtain an understanding of internal control [footnote not shown] that is significant within the context of the audit objectives. For internal control that is significant within the context of the audit objectives, auditors should assess whether internal control has been properly designed and implemented. For those internal controls that are deemed significant within the context of the audit objectives, auditors should plan to obtain sufficient, appropriate evidence to support their assessment about the effectiveness of those controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. (See paragraphs 7.23 through 7.27 for additional discussion on evaluating the effectiveness of information systems controls.); Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Information Systems Controls; 7.24:...When information systems controls are determined to be significant to the audit objectives, auditors should then evaluate the design and operating effectiveness of such controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. [Footnote not shown.]; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Information Systems Controls; 7.27 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. The following factors may assist auditors in making this determination: [7.27 a-c do not contain auditor requirements.]; d. Evaluating the effectiveness of information systems controls as an audit objective: When evaluating the effectiveness of information systems controls is directly a part of an audit objective, auditors should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Legal and Regulatory Requirements, Contracts, and Grants; 7.28: Auditors should determine which laws, regulations, and provisions of contracts or grant agreements are significant within the context of the audit objectives and assess the risk that violations of those laws, regulations, and provisions of contracts or grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to provide reasonable assurance of detecting instances of violations of legal and regulatory requirements or violations of provisions of contracts or grant agreements that are significant within the context of the audit objectives; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Fraud; 7.30: In planning the audit, auditors should assess risks of fraud [footnote not shown] occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. Auditors should gather and assess information to identify risks of fraud that are significant within the scope of the audit objectives or that could affect the findings and conclusions....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Fraud; 7.31: When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. Assessing the risk of fraud is an ongoing process throughout the audit and relates not only to planning the audit but also to evaluating evidence obtained during the audit; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Fraud; 7.32: When information comes to the auditors' attention indicating that fraud that is significant within the context of the audit objectives may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Abuse; 7.34: If during the course of the audit, auditors become aware of abuse that could be quantitatively or qualitatively significant to the program under audit, auditors should apply audit procedures specifically directed to ascertain the potential effect on the program under audit within the context of the audit objectives....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Ongoing Investigations or Legal Proceedings; 7.35...When investigations or legal proceedings are initiated or in process, auditors should evaluate the impact on the current audit. In some cases, it may be appropriate for the auditors to work with investigators and/or legal authorities, or withdraw from or defer further work on the audit or a portion of the audit to avoid interfering with an investigation; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Previous Audits and Attestation Engagements; 7.36: Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Identifying Audit Criteria; 7.37: Auditors should identify criteria. Criteria represent the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Auditors should use criteria that are relevant to the audit objectives and permit consistent assessment of the subject matter; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Identifying Sources of Evidence and the Amount and Type of Evidence Required; 7.39: Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work; 7.40 If auditors believe that it is likely that sufficient, appropriate evidence will not be available, they may revise the audit objectives or modify the scope and methodology and determine alternative procedures to obtain additional evidence or other forms of evidence to address the current audit objectives. Auditors should also evaluate whether the lack of sufficient, appropriate evidence is due to internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Using the Work of Others; 7.41: Auditors should determine whether other auditors have conducted, or are conducting, audits of the program that could be relevant to the current audit objectives....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Using the Work of Others; 7.42...If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors is adequate for reliance in the context of the current audit objectives....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Using the Work of Others; 7.43....If auditors intend to use the work of specialists, they should obtain an understanding of the qualifications and independence of the specialists...Evaluating the professional qualifications of the specialist involves the following: a. the professional certification, license, or other recognition of the competence of the specialist in his or her field, as appropriate; b. the reputation and standing of the specialist in the views of peers and others familiar with the specialist's capability or performance; c. the specialist's experience and previous work in the subject matter; and; d. the auditors' prior experience in using the specialist's work; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Planning; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Assigning Staff and Other Resources; 7.44: Audit management should assign sufficient staff and specialists with adequate collective professional competence to perform the audit. ...Staffing an audit includes, among other things: a. assigning staff and specialists with the collective knowledge, skills, and experience appropriate for the job,; b. assigning a sufficient number of staff and supervisors to the audit,; c. providing for on-the-job training of staff, and; d. engaging specialists when necessary; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Assigning Staff and Other Resources; 7.45: If planning to use the work of a specialist, auditors should document the nature and scope of the work to be performed by the specialist, including; a. the objectives and scope of the specialist's work,; b. the intended use of the specialist's work to support the audit objectives,; c. the specialist's procedures and findings so they can be evaluated and related to other planned audit procedures, and; d. the assumptions and methods used by the specialist; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Communicating with Management, Those Charged with Governance, and Others; 7.46: Auditors should communicate an overview of the objectives, scope, and methodology, and timing of the performance audit [footnote not shown] and planned reporting (including any potential restrictions on the report) to the following, as applicable: a. management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited; b. those charged with governance; [footnote not shown] and; c. the individuals contracting for or requesting audit services, such as contracting officials, grantees; and; d. when auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the audited entity, auditors should communicate with the legislative committee; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Communicating with Management, Those Charged with Governance, and Others; 7.47: In situations in which those charged with governance are not clearly evident, auditors should document the process followed and conclusions reached for identifying those charged with governance; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Communicating with Management, Those Charged with Governance, and Others; 7.48: Determining the form, content, and frequency of the communication is a matter of professional judgment, although written communication is preferred. Auditors may use an engagement letter to communicate the information. Auditors should document this communication; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Communicating with Management, Those Charged with Governance, and Others; 7.49: If an audit is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the audit was terminated....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Preparing the Audit Plan; 7.50: Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit; Must: [Empty]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Legal and Regulatory Requirements, Provisions of Contracts or Grant Agreements, Fraud, or Abuse; Supervision; 7.52: Audit supervisors or those designated to supervise auditors must properly supervise audit staff; Must: [Empty]; Should: [Check]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; 7.55: Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions; Must: [Empty]; Should: [Check]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; 7.56:...Appropriateness is the measure of the quality of evidence that encompasses its relevance, validity, and reliability in providing support for findings and conclusions related to the audit objectives. In assessing the overall appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. Sufficiency is a measure of the quantity of evidence used to support the findings and conclusions related to the audit objectives. In assessing the sufficiency of evidence, auditors should determine whether enough evidence has been obtained to persuade a knowledgeable person that the findings are reasonable; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; 7.57: In assessing evidence, auditors should evaluate whether the evidence taken as a whole is sufficient and appropriate for addressing the audit objectives and supporting findings and conclusions....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Appropriateness; 7.61: Testimonial evidence may be useful in interpreting or corroborating documentary or physical information. Auditors should evaluate the objectivity, credibility, and reliability of the testimonial evidence....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Appropriateness; 7.64: When auditors use information gathered by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Appropriateness; 7.65: Auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Sufficiency; 7.66...In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Sufficiency; Overall Assessment of Evidence; 7.68: Auditors should determine the overall sufficiency and appropriateness of evidence to provide a reasonable basis for the findings and conclusions, within the context of the audit objectives. Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments conducted to conclude on the validity and reliability of specific evidence; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Sufficiency; Overall Assessment of Evidence; 7.70: When assessing the sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions, available corroborating evidence, and the level of audit risk....; a. Evidence is sufficient and appropriate when it provides a reasonable basis for supporting the findings or conclusions within the context of the audit objectives; b. Evidence is not sufficient or not appropriate when (1) using the evidence carries an unacceptably high risk that it could lead to an incorrect or improper conclusion, (2) the evidence has significant limitations, given the audit objectives and intended use of the evidence, or (3) the evidence does not provide an adequate basis for addressing the audit objectives or supporting the findings and conclusions. Auditors should not use such evidence as support for findings and conclusions; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Overall Assessment of Evidence; 7.71:...When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should apply additional procedures, as appropriate. Such procedures include; a. seeking independent, corroborating evidence from other sources; b. redefining the audit objectives or limiting the audit scope to eliminate the need to use the evidence; c. presenting the findings and conclusions so that the supporting evidence is sufficient and appropriate and describing in the report the limitations or uncertainties with the validity or reliability of the evidence, if such disclosure is necessary to avoid misleading the report users about the findings or conclusions (see paragraph 8.15 for additional reporting requirements when there are limitations or uncertainties with the validity or reliability of evidence); or; d. determining whether to report the limitations or uncertainties as a finding, including any related, significant internal control deficiencies; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Obtaining Sufficient, Appropriate Evidence; Developing Elements of a Finding; 7.72: Auditors should plan and perform procedures to develop the elements of a finding necessary to address the audit objectives. In addition, if auditors are able to sufficiently develop the elements of a finding, they should develop recommendations for corrective action if they are significant within the context of the audit objectives....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.77: Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, [footnote not shown] having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare audit documentation that contains support for findings, conclusions, and recommendations before they issue their report; Must: [Empty]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.78: Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached....; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.80: Under GAGAS, auditors should document the following: a. the objectives, scope, and methodology of the audit; b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined;[92] and. [92] Auditors may meet this requirement by listing file numbers, case numbers, or other means of identifying specific documents they examined. They are not required to include copies of documents they examined as part of the audit documentation, nor are they required to list detailed information from those documents.]; c. evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.81: When auditors do not comply with applicable GAGAS requirements due to law, regulation, scope limitations, restrictions on access to records, or other issues impacting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. This applies to departures from both mandatory requirements and presumptively mandatory requirements when alternative procedures performed in the circumstances were not sufficient to achieve the objectives of the standard...; Must: [Check]; Should: [Empty]. Chapter 7 - Field Work Standards for Performance Audits; Audit Documentation; 7.83...Subject to applicable laws and regulations, auditors should make appropriate individuals, as well as audit documentation, available upon request and in a timely manner to other auditors or reviewers to satisfy these objectives....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Reporting; 8.03: Auditors must issue audit reports communicating the results of each completed performance audit; Must: [Empty]; Should: [Check]. Chapter 8 - Reporting Standards for Performance Audits; Reporting; 8.04: Auditors should use a form of the audit report that is appropriate for its intended use and is in writing or in some other retrievable form....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Reporting; 8.06: If an audit is terminated before it is completed and an audit report is not issued, auditors should follow the guidance in paragraph 7.49; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Reporting; 8.07: If after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate with those charged with governance, the appropriate officials of the audited entity, and the appropriate officials of the organizations requiring or arranging for the audits, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to conduct additional audit work necessary to reissue the report with revised findings or conclusions; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; 8.08: Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a statement about the auditors' compliance with GAGAS; (4) a summary of the views of responsible officials; and (5) if applicable, the nature of any confidential or sensitive information omitted; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Objectives, Scope, and Methodology; 8.09: Auditors should include in the report a description of the audit objectives and the scope and methodology used for addressing the audit objectives....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Objectives, Scope, and Methodology; 8.10:...Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions, including why the audit organization undertook the assignment and the underlying purpose of the audit and resulting report....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Objectives, Scope, and Methodology; 8.11: Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that they could reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of access to certain records or individuals; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Objectives, Scope, and Methodology; 8.12: In describing the work conducted to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify organizations, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Objectives, Scope, and Methodology; 8.13: In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives....Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when sampling significantly supports the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings; 8.14: In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. . If auditors are able to sufficiently develop the elements of a finding, they should provide recommendations for corrective action if they are significant within the context of the audit objectives....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings; 8.15 Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings; 8.16: Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as applicable, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value, or other measures, as appropriate. If the results cannot be projected, auditors should limit their conclusions appropriately; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings; 8.17:...When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them which, if not disclosed, could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings; 8.18 Auditors should report deficiencies [footnote not shown] in internal control that are significant within the context of the objectives of the audit, all instances of fraud, illegal acts [footnote not shown] unless they are inconsequential within the context of the audit objectives, significant violations of provisions of contracts or grant agreements, and significant abuse that have occurred or are likely to have occurred; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Deficiencies in Internal Control; 8.19: Auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. When auditors detect deficiencies in internal control that are not significant to the objectives of the audit, they may include those deficiencies in the report or communicate those deficiencies in writing to officials of the audited entity unless the deficiencies are inconsequential considering both qualitative and quantitative factors. Auditors should refer to that written communication in the audit report, if the written communication is separate from the audit report. Determining whether or how to communicate to officials of the audited entity deficiencies that are inconsequential within the context of the audit objectives is a matter of professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 8.21: When auditors conclude, based on sufficient, appropriate evidence, that fraud, illegal acts, significant violations of provisions of contracts or grant agreements, or significant abuse either has occurred or is likely to have occurred, they should report the matter as a finding; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Fraud, Illegal Acts, Violations of Provisions of Contracts or Grant Agreements, and Abuse; 8.22 When auditors detect violations of provisions of contracts or grant agreements, or abuse that are not significant, they should communicate those findings in writing to officials of the audited entity unless the findings are inconsequential within the context of the audit objectives, considering both qualitative and quantitative factors. Determining whether or how to communicate to officials of the audited entity fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that is inconsequential is a matter of the auditors' professional judgment. Auditors should document such communications; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings Directly to Parties Outside the Audited Entity; 8.24: Auditors should report known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse directly to parties outside the audited entity in the following two circumstances. [Footnote not shown.]; a. When entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties; b. When entity management fails to take timely and appropriate steps to respond to known or likely fraud, illegal acts, violations of provisions of contracts or grant agreements, or abuse that (1) is significant to the findings and conclusions, and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the entity's failure to take timely and appropriate steps directly to the funding agency; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings Directly to Parties Outside the Audited Entity; 8.25: The reporting in paragraph 8.24 is in addition to any legal requirements to report such information directly to parties outside the audited entity. Auditors should comply with these requirements even if they have resigned or been dismissed from the audit prior to its completion; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Findings Directly to Parties Outside the Audited Entity; 8.26: Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate assertions by management of the audited entity that it has reported such findings in accordance with laws, regulations, and funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraph 8.24; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Conclusions; 8.27: Auditors should report conclusions, as applicable, based on the audit objectives and the audit findings....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Recommendations; 8.28: Auditors should recommend actions to correct problems identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified problems, and clearly state the actions recommended; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Auditors' Compliance with GAGAS; 8.30: When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they performed the audit in accordance with GAGAS....;We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Auditors' Compliance with GAGAS; 8.31: When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in 8.30, modified to indicate the standards that were not followed or (2) language that the auditor did not follow GAGAS....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Views of Responsible Officials; 8.33: When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments, or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments and provide a copy of the summary to the responsible officials to verify that the comments are accurately stated; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Views of Responsible Officials; 8.34: Auditors should also include in the report an evaluation of the comments, as appropriate....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Views of Responsible Officials; 8.36: When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, or when planned corrective actions do not adequately address the auditors' recommendations, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported with sufficient, appropriate evidence; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Views of Responsible Officials; 8.37: If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Confidential or Sensitive Information; 8.38: If certain pertinent information is prohibited from public disclosure or is excluded from a report due to the confidential or sensitive nature of the information, auditors should disclose in the report that certain information has been omitted and the reason or other circumstances that makes the omission necessary; entity did not provide comments; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Confidential or Sensitive Information; 8.41: Considering the broad public interest in the program or activity under review assists auditors when deciding whether to exclude certain information from publicly available reports. When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Reporting Confidential or Sensitive Information; 8.42 When audit organizations are subject to public records laws, auditors should determine whether public records laws could impact the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate....; Must: [Check]; Should: [Empty]. Chapter 8 - Reporting Standards for Performance Audits; Report Contents; Distributing Reports; 8.43: Distribution of reports completed under GAGAS depends on the relationship of the auditors to the audited organization and the nature of the information contained in the report. If the subject of the audit involves material that is classified for security purposes or contains confidential or sensitive information, auditors may limit the report distribution. Auditors should document any limitation on report distribution. The following discussion outlines distribution for reports completed under GAGAS: [One of the following will apply depending on the type of audit organization.]; a. Audit organizations in government entities should distribute audit reports to those charged with governance, to the appropriate officials of the audited entity, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations, and to others authorized to receive such reports; b. Internal audit organizations in government entities may follow the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing. Under GAGAS and IIA standards, the head of the internal audit organization should communicate results to parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should: (1) assess the potential risk to the organization, (2) consult with senior management and/or legal counsel as appropriate, and (3) control dissemination by indicating the intended users of the report; c. Public accounting firms contracted to perform an audit under GAGAS should clarify report distribution responsibilities with the engaging organization. If the contracted firm is to make the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public; Must: [Check]; Should: [Empty]. [End of table] Footnotes: [1] U.S. Government Accountability Office, Government Auditing Standards, GAO-07-731G (Washington, D.C.: July 2007). GAO's Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, DC 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, jarmong@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, DC 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, DC 20548: