Financial Audit Manual
Volume 1
Updated May 2023
GAO-22-105894
COUNCIL OF THE INSPECTORS GENERAL
ON INTEGRITY AND EFFICIENCY
Page 1 GAO-22-105894 GAO/CIGIE Financial Audit Manual
June 2022
To Audit Officials, Federal Entity Chief Financial Officers, and Others Interested in Federal
Financial Auditing and Reporting
This letter transmits the U.S. Government Accountability Office (GAO) and the Council of the
Inspectors General on Integrity and Efficiency’s (CIGIE) revised Financial Audit Manual (FAM),
volumes 1 and 2. The FAM presents a methodology for performing financial statement audits of
federal entities in accordance with professional standards and consists of three volumes. FAM
volume 1 contains the audit methodology. FAM volume 2 provides detailed implementation
guidance. FAM volume 3 contains the Federal Financial Reporting Checklist, which has been
updated as of June 2022.
The current revision reflects changes in auditing financial statements in the U.S. government
since the last revisions of FAM volume 1 (issued in April 2020) and FAM volume 2 (issued in
March 2021). The revisions are primarily based on changes in (1) professional auditing
standards of the Auditing Standards Board of the American Institute of Certified Public
Accountants (Statements of Auditing Standards Nos. 134, 135, 137, 138, 140, and 141) and (2)
audit guidance in the Office of Management and Budget’s Bulletin No. 21-04, Audit
Requirements for Federal Financial Statements, issued on June 11, 2021. Users should also
consider any subsequently issued standards or guidance.
To help the FAM continue to meet the needs of the federal audit community and the public it
serves, GAO and CIGIE worked jointly to update the FAM. In May 2022, CIGIE distributed an
exposure draft of FAM volumes 1 and 2 for a comment period that ended May 31, 2022. All
comments we received were considered in the final FAM.
This revision supersedes previously issued versions of FAM volumes 1 and 2 and should be
used beginning with audits of fiscal year 2022 federal entity financial statements.
Should you need additional information, please contact us at [email protected].
Beryl H. Davis
Managing Director
Financial Management and Assurance
U.S. Government Accountability Office

Hannibal “Mike” Ware
Chair, Audit Committee
Council of the Inspectors General on Integrity and Efficiency
Enclosures
GAO Team
Project Team
Beryl H. Davis, Managing Director
Robert F. Dacey, Chief Accountant
Dawn B. Simpson, Director
Joshua Y. Marcus, Assistant Director
Carrie J. Morrison, Assistant Director
Lien T. To, Senior Auditor
Significant Contributors
Sharon O. Byrd, Audit Sampling Specialist
Lauren S. Fassler, Senior Attorney
CIGIE FAM Working Group Members
Kelly McFadden, Office of the Inspector General, U.S. Department of Justice
Anna Elias, Office of Inspector General, U.S. Agency for International Development
Sandra John, Office of Inspector General, U.S. Department of Homeland Security
Todd Jones, Office of Inspector General, U.S. Department of State
Financial Audit Manual Volume 1 – Summary of Significant Changes
Updated May 2023 GAO/CIGIE Financial Audit Manual Changes-1
Summary of Significant Changes
This summary lists significant changes from the June 2022 revision of FAM volume 1.
| Change Description | Section or paragraph reference |
| --- | --- |
| Replaced “legal letter” or “legal representation letter” with “legal counsel response.” Replaced “legal letter request” with “legal counsel request.” Replaced “legal letter materiality” with “legal counsel materiality.” | Throughout (primarily 230, 280, 550) |
| Deleted “taken” from “financial statements taken as a whole.” | Throughout |
| Added requirements related to changes in the terms of an audit engagement. | 215.24–.25 |
| Revised language in sample audit engagement letters. | 215 A |
| Revised guidance for determining materiality level(s) to be applied, in specific circumstances, to particular classes of transactions, account balances, or note disclosures. | 230.08 |
| Revised and added guidance related to the Federal Managers’ Financial Integrity Act of 1982 (FMFIA). | 260.67–.69, .72, .74; 295 B.19 |
| Reorganized section paragraphs. | 280 |
| Revised guidance related to litigation, claims, and assessments. | 280.02–.05; 550.01–.03 |
| Revised guidance related to the Federal Financial Management Improvement Act of 1996 (FFMIA) and moved detailed guidance to FAM 701 (volume 2). | 295 B.19; 350.23–.26; 360.05 |
| Clarified guidance related to multiple-location audits. | 295 C.08e |
| Revised and added guidance related to inquiry, observation, inspection, recalculation, and external confirmation. | 295 I.02g, I.08b; 350.10–.12; 470.08, .09, .14; 475.02 |
| Clarified guidance on IDEA inputs for monetary unit sampling. | 480.23; 495 D |
| Moved detailed guidance related to service organizations to FAM 640 (volume 2). | 310 |
| Revised descriptions for commitment, expended authority, and outlay. | 395 E |
| Revised requirements and guidance based on Statement on Auditing Standards (SAS) No. 142, Audit Evidence. | 410.01–.03, 420.03, 440.04–.05, 470.08, Glossary |
| Added guidance related to preliminary assessment of risks in the testing phase. | 470.01 |
| Replaced “audit completion date” with “auditor’s report date.” | 495 B.03 |
| Updated selection methods flowcharts. | 495 D |
| Replaced “adequacy” with “appropriateness” when referring to audit evidence. | 530.06 |
| Revised the Statement of Budgetary Resources section of the further evaluation of audit risk template. | 545 A |
| Deleted detailed guidance related to obtaining management representations that was already covered in FAM 1001 (volume 2) and referred the auditor to FAM 1001 for additional guidance. | 550.10 |
| Added requirement to communicate to those charged with governance suspected noncompliance, and matters involving identified or suspected noncompliance, with contracts or grant agreements. | 550.16k, .16m |
| Added requirements related to comparative financial statements and comparative information. | 580.12, .13, .18, .20 |
| Clarified guidance for inclusion of an alert in the auditor’s report on compliance. | 580.96 |
| Revised guidance related to auditor’s report date, report release date, and documentation completion date. | 580.103–.109; 590.03 |
| Added documentation requirements for circumstances in which the auditor (1) performs new or additional audit procedures, or draws new conclusions, after the auditor’s report date or (2) modifies existing audit documentation, or adds new audit documentation, after the documentation completion date. | 590.02, .04 |
| Revised language in auditor’s report examples. | 595 A, 595 B |
| Revised or added definitions or terminology for appropriateness, audit documentation, audit evidence, audit file, audit plan, auditor’s report date, comparative financial statements, comparative information, documentation completion date, engagement letter, internal control over financial reporting, management’s specialists, materiality for the financial statements as a whole, nonstatistical sampling, notification letter, overall audit strategy, probable, reasonably possible, reimbursable activity, remote, reporting phase, report release date, service auditor, and sufficiency (of audit evidence). | Glossary |
| Added or revised the following abbreviations: U.S. GAAP, U.S. GAAS, USSGL, and Yellow Book | Abbreviations |
CONTENTS
Contents of FAM Volume 1 Audit Methodology
100 INTRODUCTION
110 Overview of the FAM Methodology
200 PLANNING PHASE
210 Overview of the Planning Phase
215 Perform Preliminary Engagement Activities
220 Understand the Entity’s Operations
225 Perform Preliminary Analytical Procedures
230 Determine Materiality
235 Identify Significant Line Items, Accounts, and Assertions
240 Identify Significant Accounting Applications, Cycles, and Financial Management
Systems
245 Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and
Grant Agreements
250 Identify Relevant Budget Restrictions
260 Identify Risk Factors
270 Determine Likelihood of Effective Information System Controls
275 Identify Relevant Operations Controls to Evaluate and Test
280 Plan Other Audit Procedures
285 Plan Locations to Test
290 Documentation
Appendixes to FAM 200
295 A Potential Inherent Risk Conditions
295 B Potential Control Environment, Entity Risk Assessment, Communication, and
Monitoring Deficiencies
295 C An Approach for Multiple-Location Audits
295 D Considerations for Performing Interim Substantive Testing
295 E Effect of Risk of Material Misstatement on Extent of Audit Procedures
295 F Types of Information System Controls
295 G Budget Controls
295 H List of General Laws
295 I Examples of Auditor Responses to Fraud Risks
295 J Steps in Assessing Information System Controls
300 INTERNAL CONTROL PHASE
310 Overview of the Internal Control Phase
320 Understand Information Systems
330 Identify Control Objectives
340 Identify and Understand Relevant Control Activities
350 Determine the Nature, Extent, and Timing of Tests of Controls and Compliance
with FFMIA
360 Perform Tests of Controls and Compliance with FFMIA
370 Assess Internal Control on a Preliminary Basis
380 Other Considerations
390 Documentation
Appendixes to FAM 300
395 A Typical Relationships of Accounting Applications to Line Items/Accounts
395 B Financial Statement Assertions, Potential Misstatements, and Control Objectives
395 C Typical Control Activities
395 D Selected Statutes Relevant to Budget Execution
395 E Budget Execution Process
395 F Budget Control Objectives
395 G Specific Control Evaluation Worksheet
395 H Line Item Risk Analysis Form
400 TESTING PHASE
410 Overview of the Testing Phase
420 Design the Nature, Extent, and Timing of Further Audit Procedures
430 Design Tests
440 Perform Tests and Evaluate Results
450 Perform Sampling Control Tests
460 Perform Compliance Tests
470 Perform Substantive Procedures Overview
475 Perform Substantive Analytical Procedures
480 Perform Substantive Detail Tests
490 Documentation
Appendixes to FAM 400
495 A Determine Whether to Perform Substantive Analytical Procedures
495 B Example Procedures for Tests of Budget Information
495 C Guidance for Interim Testing
495 D Selection Methods
500 REPORTING PHASE
510 Overview of the Reporting Phase
520 Perform Overall Analytical Procedures
530 Reassess Materiality and Risks of Material Misstatement
540 Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports
545 Audit Exposure (Further Evaluation of Audit Risk)
545 A Further Evaluation of Audit Risk Template
550 Perform Other Reporting Phase Audit Procedures
560 Determine Whether Financial Statement Presentation Is in Accordance with U.S.
Generally Accepted Accounting Principles
570 Determine Compliance with GAO/CIGIE Financial Audit Manual
580 Draft Reports
590 Documentation
Appendixes to FAM 500
595 A Example Unmodified Auditor’s Reports
595 B Example of Reporting Material Weakness or Significant Deficiency on Internal
Control over Financial Reporting
595 C Uncorrected Misstatements and Adjusting Entries
GLOSSARY
ABBREVIATIONS
SECTION 100
Introduction
Contents of the Introduction
Introduction FAM
Overview of the FAM Methodology 110
Planning Phase FAM
Overview of the Planning Phase 210
Perform Preliminary Engagement Activities 215
Understand the Entity’s Operations 220
Perform Preliminary Analytical Procedures 225
Determine Materiality 230
Identify Significant Line Items, Accounts, and Assertions 235
Identify Significant Accounting Applications, Cycles, and Financial Management Systems 240
Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and Grant Agreements 245
Identify Relevant Budget Restrictions 250
Identify Risk Factors 260
Determine Likelihood of Effective IS Controls 270
Identify Relevant Operations Controls to Evaluate and Test 275
Plan Other Audit Procedures 280
Plan Locations to Test 285
Documentation 290
Internal Control Phase FAM
Overview of the Internal Control Phase 310
Understand Information Systems 320
Identify Control Objectives 330
Identify and Understand Relevant Control Activities 340
Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with FFMIA 350
Perform Tests of Controls and Compliance with FFMIA 360
Assess Internal Control on a Preliminary Basis 370
Other Considerations 380
Documentation 390
Testing Phase FAM
Overview of the Testing Phase 410
Design the Nature, Extent, and Timing of Further Audit Procedures 420
Design Tests 430
Perform Tests and Evaluate Results 440
Perform Sampling Control Tests 450
Perform Compliance Tests 460
Perform Substantive Procedures -- Overview 470
Perform Substantive Analytical Procedures 475
Perform Substantive Detail Tests 480
Documentation 490
Reporting Phase FAM
Overview of the Reporting Phase 510
Perform Overall Analytical Procedures 520
Reassess Materiality and Risks of Material Misstatement 530
Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports 540
Audit Exposure (Further Evaluation of Audit Risk) 545
Perform Other Reporting Phase Audit Procedures 550
Determine Whether Financial Statement Presentation is in Accordance with U.S. GAAP 560
Determine Compliance with GAO/CIGIE Financial Audit Manual 570
Draft Reports 580
Documentation 590
110 Overview of the FAM Methodology
.01 This introduction provides an overview of the methodology of the Government
Accountability Office (GAO) and the Council of the Inspectors General on
Integrity and Efficiency (CIGIE) for performing financial statement audits of
federal entities. It describes how the methodology in the Financial Audit Manual
(FAM) relates to relevant professional auditing and attestation standards and
Office of Management and Budget (OMB) audit guidance and outlines key issues
to be considered in using the methodology.[1]
.02 The purposes of performing financial statement audits of federal entities include
• providing decision makers (financial statement users) with assurance as to
  whether the financial statements are reliable (presented fairly in all material
  respects, in accordance with U.S. generally accepted accounting principles
  (U.S. GAAP));[2]
• reporting deficiencies in internal control over financial reporting or, in certain
  circumstances, providing an opinion on the effectiveness of internal control
  over financial reporting; and
• reporting on noncompliance with significant provisions of applicable laws,
  regulations, contracts, and grant agreements (see FAM 245 for guidance on
  identifying such provisions).
To achieve these purposes, the FAM approach to federal financial statement
audits involves four phases – planning, internal control, testing, and reporting –
which are outlined in the rest of this section. In broad terms, the auditor does the
following:
• adequately plans the audit to obtain sufficient appropriate evidence;
• understands the design of the entity’s internal control, determines
  whether the controls were implemented as designed, assesses the risks
  of material misstatement, designs appropriate tests of controls and
  substantive procedures, and for the 24 Chief Financial Officers Act of
  1990 (CFO Act) agencies, determines whether financial management
  systems comply substantially with the three requirements of the Federal
  Financial Management Improvement Act of 1996 (FFMIA):
  º federal financial management systems requirements,
  º applicable federal accounting standards, and
  º the U.S. Standard General Ledger at the transaction level;[3]
• tests the significant assertions related to the financial statements, internal
  control effectiveness, and compliance with significant provisions of
  applicable laws, regulations, contracts, and grant agreements (see FAM
  235.04 for further details); and
• reports the results of audit procedures performed and performs other
  audit procedures to complete the audit in accordance with generally
  accepted government auditing standards (GAGAS).
The FAM audit phases are illustrated in the FAM methodology overview in the
contents and are summarized in the following pages of this section.[4]
[1] The OMB audit guidance in effect as of the publication date of this version of the FAM is OMB Bulletin No. 22-01,
Audit Requirements for Federal Financial Statements, issued on August 26, 2022. OMB audit guidance is periodically
updated, and the current version can be found on the OMB website at https://www.whitehouse.gov/omb/bulletins
(accessed on May 1, 2023).
[2] The American Institute of Certified Public Accountants (AICPA) has recognized the Federal Accounting Standards
Advisory Board (FASAB) as the accounting standards-setting body for federal government entities under the AICPA's
Code of Professional Conduct. Thus, FASAB standards are recognized as U.S. GAAP for federal entities. Statement
of Federal Financial Accounting Standards (SFFAS) 34, The Hierarchy of Generally Accepted Accounting Principles,
Including the Application of Standards Issued by the Financial Accounting Standards Board, establishes the U.S.
GAAP hierarchy for federal reporting entities. SFFAS 34 recognizes that it is appropriate for certain federal reporting
entities to prepare and publish financial reports pursuant to the accounting and reporting standards issued by the
Financial Accounting Standards Board (FASB). SFFAS 34 provides that financial statements prepared in conformity
with accounting standards issued by FASB also may be regarded as in conformity with U.S. GAAP for such entities.
SFFAS 47, Reporting Entity, allows consolidation entities (that is, the consolidated government-wide reporting entity
or consolidated component reporting entity) to consolidate component or subcomponent reporting entity financial
statements prepared in accordance with FASB under SFFAS 34 without conversion for any differences in accounting
policies among the audit organizations.
[3] Testing for substantial compliance with FFMIA’s three financial management systems requirements is efficiently
accomplished, for the most part, as part of the work done in understanding entity systems in the internal control
phase of the audit.
[4] The methodology presented is for a financial statement audit. If the auditor is to use the work of another auditor, see
FAM 600 sections.
Planning Phase
.03 Although planning continues throughout the audit, the objectives of this phase
are to gain an understanding of the entity to be audited; to understand its
environment, including internal control; to identify significant areas for audit; and
to design effective and efficient audit procedures. To accomplish this, the
methodology includes guidance in the following:
a. performing preliminary engagement activities relating to (1) acceptance and
   continuance of client relationships and audit engagements; (2) compliance
   with relevant ethical requirements; and (3) establishing an understanding of
   the terms of the engagement with management and, when appropriate, those
   charged with governance, including establishing that certain preconditions for
   an audit are present;
b. understanding the entity’s operations and its environment, including its
   organization, management style, internal control, and internal and external
   factors influencing its operating environment;
c. performing analytical procedures to assist in planning the audit;
d. identifying significant accounting applications, cycles, and financial
   management systems; relevant budget restrictions; significant provisions of
   applicable laws, regulations, contracts, and grant agreements; and relevant
   internal controls;
e. determining the likelihood of effective information system (IS) controls;
f. identifying significant items, accounts, and assertions and using them in
   planning the audit;
g. determining materiality for the financial statements as a whole, including
   performance materiality, which is the portion of materiality that the auditor
   allocates to line items, accounts, or classes of transactions;
h. performing a preliminary risk assessment to determine the risk of material
   misstatement due to error or fraud; and
i. establishing the overall audit strategy and developing an audit plan, including
   entity field locations to test.
Based on evidence obtained throughout the audit, the auditor should monitor and
revise, if needed, preliminary assessments made during the planning phase for
risk of material misstatement and the likelihood of control effectiveness. The
auditor should revise audit procedures as needed.
Internal Control Phase
.04 This phase entails understanding, testing, and assessing internal control over
financial reporting to conclude on whether the following internal control
objectives have been achieved:
• Reliability of financial reporting – transactions are properly recorded,
  processed, and summarized to permit the preparation of the financial
  statements in accordance with U.S. GAAP, and assets are safeguarded
  against loss from unauthorized acquisition, use, or disposition.
• Compliance with significant provisions of applicable laws,
  regulations, contracts, and grant agreements – transactions are
  executed in accordance with significant provisions of applicable laws,
  including those governing the use of budget authority, regulations,
  contracts, and grant agreements, noncompliance with which could have a
  material effect on the financial statements.
.05 According to OMB audit guidance, for those controls that have been suitably
designed and implemented, the auditor should perform sufficient tests of such
controls to conclude whether the controls are operating effectively (i.e.,
sufficient tests of controls to support a low level of assessed control risk).
OMB audit guidance does not require the auditor to express an opinion on
the effectiveness of internal control.
As required by GAGAS (2018) 6.42, if the auditor does not express an opinion on
internal control, the auditor should state in the report whether tests performed
provided sufficient, appropriate evidence to express an opinion on the
effectiveness of internal control over financial reporting.
GAO auditors[5] should design the audit to express an opinion on internal
control over financial reporting.[6] For audits that GAO performs, the internal
control testing described in the OMB audit guidance and in the FAM typically
is sufficient to provide an opinion on internal control effectiveness. Sufficiency
and appropriateness of audit evidence is a matter of auditor judgment.
[5] The FAM refers specifically to objectives for GAO auditors in various sections. Such objectives are optional for other
audit organizations.
[6] If the auditor plans to report on internal control effectiveness, the AICPA’s Clarified Statement on Auditing Standards
(AU-C) 940 allows the auditor to express an opinion directly on internal control or on management’s assessment
about the effectiveness of internal control over financial reporting. However, when internal control is not effective
because one or more material weaknesses exist, the auditor is prohibited from expressing an opinion on
management’s assessment and should report directly on the effectiveness of internal control over financial reporting.
The example 1 auditor’s report in FAM 595 A illustrates expressing an opinion on internal control directly.
Although the FAM distinguishes between internal control objectives related to reliability of financial reporting and to
compliance with significant provisions of applicable laws, regulations, contracts, and grant agreements, compliance
controls tested as part of federal financial statement audits are limited to controls over compliance with selected
significant provisions of laws, regulations, contracts, and grant agreements applicable to the entity that have a direct
effect on the determination of material amounts and disclosures in the entity’s financial statements. Consequently,
compliance controls in federal financial statement audits are considered to be the equivalent of financial reporting
controls for purposes of reporting on control effectiveness.
.06 The FAM also provides guidance on evaluating internal controls related to
operating objectives that the auditor elects to evaluate. Such controls include
those related to safeguarding assets from waste or preparing statistical reports.
.07 To evaluate internal control, the auditor identifies and understands the
relevant controls and tests their effectiveness. Where the auditor determines
controls to be effective, the extent of substantive procedures can be reduced.
.08 The FAM also includes guidance on
• assessing specific levels of control risk;
• selecting controls to test;
• determining the effectiveness of IS controls; and
• testing controls, including coordinating control tests in the testing phase
  for efficiency.
.09 Also, during the internal control phase, in regard to FFMIA, auditors should follow
OMB audit guidance, if applicable.
Testing Phase
.10 The objectives of this phase are to (1) obtain reasonable assurance about
whether the financial statements are presented fairly, in all material respects,
in accordance with U.S. GAAP; (2) determine whether the entity complied
with significant provisions of applicable laws, regulations, contracts, and grant
agreements; and (3) assess the effectiveness of internal control over financial
reporting through testing controls, often in coordination with other tests.
.11 To achieve these objectives, the FAM includes guidance on
• designing and performing substantive, compliance, and control tests;
• designing and evaluating audit samples;
• correlating risk of material misstatement, audit risk, and materiality with
  the nature, timing, and extent of substantive procedures; and
• designing multipurpose tests that use a common sample to test several
  different controls, specific accounts or transactions, and audit assertions.
Reporting Phase
.12 This phase completes the audit based on the results of audit procedures
performed in the preceding phases. This involves developing the auditor’s report
on the entity’s
• financial statements, required supplementary information (RSI) (including
  management’s discussion and analysis (MD&A)), and other information
  included in the annual report;
• internal control over financial reporting;
• financial management systems’ substantial compliance with the three FFMIA
  requirements (for CFO Act agencies); and
• compliance with significant provisions of applicable laws, regulations,
  contracts, and grant agreements.
To assist in this process, the FAM includes guidance on forming an opinion on
the financial statements and conclusions on internal control, as well as reporting
findings. Included in FAM 595 A are two examples of auditor’s reports. The first
example shows when the auditor expresses an opinion on internal control, and
the second when the auditor issues a report on internal control.
Relationship to Applicable Standards
.13 This section describes the FAM’s relationship to applicable auditing
standards, OMB audit guidance, and other policy requirements. This section
is organized into three areas:
• relevant auditing standards and OMB audit guidance,
• audit guidance beyond the Government Auditing Standards (also known
  as GAGAS or the Yellow Book) issued by the Comptroller General of the
  United States, and
• auditing standards and policies not addressed in this manual.
Relevant Auditing Standards and OMB Audit Guidance
.14 The FAM provides a framework for performing financial statement audits of
federal entities in accordance with GAGAS and OMB audit guidance. GAGAS
incorporates, by reference, U.S. generally accepted auditing standards (U.S.
GAAS) and attestation standards established by the Auditing Standards Board of
the American Institute of Certified Public Accountants (AICPA). The Yellow Book
is available at www.gao.gov.
.15 The FAM is an audit methodology that both integrates the requirements of the
standards and provides implementation guidance based on practical
experience. The FAM is designed to achieve the following:
• Effective audits, by considering compliance with GAGAS; significant
  provisions of applicable laws, regulations, contracts and grant
  agreements; and OMB audit guidance.
• Efficient audits, by focusing audit procedures on areas of higher risk and
  materiality and by providing an integrated approach designed to gather
  audit evidence efficiently.
• Quality control, through an agreed-upon framework that is documented
  and that all personnel can follow.
• Consistency of application, through a documented methodology.
.16 The FAM supplements GAGAS and OMB audit guidance and includes
references to the AICPA’s Clarified Statements on Auditing Standards (AU-C)
and Clarified Statements on Standards for Attestation Engagements (AT-C). The
AU-C references cited in the FAM are based on standards issued by the AICPA
through Statement on Auditing Standards (SAS) No. 141. These references may
differ from current references which are based on SASs issued subsequent to
SAS No. 141. The AICPA standards are incorporated by reference into GAGAS.
Audit Guidance beyond GAGAS
.17 In addition to complying with GAGAS, for audits to which OMB audit guidance
applies, the auditor should
• perform sufficient tests of internal controls over financial reporting that
  have been suitably designed and implemented to support a low level of
  assessed control risk;
• evaluate and test controls related to budget execution and compliance
  with selected significant provisions of applicable laws, regulations,
  contracts, and grant agreements;
• understand the design of the entity’s process for complying with
  31 U.S.C. § 3512 (c), (d) (commonly known as the Federal Managers’
  Financial Integrity Act of 1982) and whether the design has been
  implemented;
• perform tests to report on the entity’s financial management systems’
  substantial compliance with the three FFMIA requirements, as required by
  OMB audit guidance (for CFO Act agencies);
• test for compliance with significant provisions of applicable laws,
  regulations, contracts, and grant agreements;
• read the required supplementary information, including management’s
  discussion and analysis, for conformity with Federal Accounting
  Standards Advisory Board standards and OMB reporting guidance;[7] and
• read the other information for conformity with OMB reporting guidance.
.18 Auditors may design procedures to consider and report whether
misstatements and internal control weaknesses could affect the achievement
of operations objectives or the accuracy of reports prepared by the entity.
.19 GAO auditors generally should design audits to express an opinion on the
entity’s internal control over financial reporting. When an auditor is engaged to
perform an audit of internal control over financial reporting that is integrated with
an audit of financial statements, it is referred to as an integrated audit. AU-C 940
addresses integrated audits and certain requirements have been included in the
FAM, but auditors should refer to AU-C 940 as needed for more detailed
guidance.
[7] The OMB reporting guidance in effect as of the publication date of this version of the FAM is OMB Circular No.
A-136, Financial Reporting Requirements, issued on June 3, 2022. OMB reporting guidance is updated annually and
the current version can be found on the OMB website at
https://www.whitehouse.gov/omb/information-for-agencies/circulars/ (accessed on May 1, 2023).
Auditing Standards and Policies Not Addressed in the Manual
.20 The FAM supplements financial audit standards and policies that GAO and the
inspectors general (IG) have adopted. It is not intended to address all standards
or policies. For example, report processing is not addressed. Further, IGs may
use other methodologies that are equivalent to the FAM for conducting financial
statement audits in accordance with GAGAS, including AICPA auditing standards
and OMB audit guidance.[8]
.21 Throughout the FAM, there are references to various laws, regulations, OMB
audit guidance, and other government requirements that are subject to
change periodically. Auditors should monitor any changes and ensure that
they are using the most updated versions.
Key Implementation Considerations
.22 In applying the FAM, the auditor considers
• audit objectives;
• exercise of professional judgment and professional skepticism;
• form, content, and extent of audit documentation;
• references to positions;
• using the work of others;
• compliance with policies in the FAM;
• use of technical terms; and
• reference to sections of the FAM.
These items are discussed in more detail below.
Audit Objectives
.23 For audits of entities not subject to OMB audit guidance, the auditor should
evaluate whether to conduct those audits in accordance with OMB audit
guidance to achieve the audits’ objectives. The FAM generally assumes that
the objectives of an audit are to express an opinion on the current-year
financial statements as part of a 2-year opinion on comparative financial
statements, to issue a report (or opinion) on internal control over financial
reporting, and to issue a report on compliance. When these are not the
objectives, the auditor uses judgment in applying the FAM guidance. In some
circumstances, the auditor may expect to issue a disclaimer on the current-
year financial statements because of scope limitations, including the
auditability of information. In these circumstances, the auditor may develop a
multiyear plan in order to express a future opinion when the financial
statements are expected to become auditable.
[8] Under the CFO Act, as amended, an IG may perform the agency’s financial statements audit with OIG staff or
contract the audit to an independent external auditor (IPA firm). See FAM 670, IG Oversight of Audits Performed by
Contracted IPA Firms, for details.
Exercise of Professional Judgment and Professional Skepticism
.24 The auditor should exercise professional judgment in planning and
performing an audit of the financial statements (AU-C 200.18), including in
evaluating the quantity and quality of audit evidence, and thus its sufficiency
and appropriateness, in determining the audit opinion. Although the auditor
may find it necessary to rely on audit evidence that is persuasive rather than
conclusive to obtain reasonable assurance, the auditor must not be satisfied
with audit evidence that is less than persuasive. The auditor should tailor the
guidance in the FAM, if needed, to respond to specific situations encountered
during an audit. However, the auditor must, at a minimum, meet professional
standards. Proper application of professional judgment and skepticism may
result in more extensive audit work than described in the FAM. The auditor
should document these decisions.
.25 The auditor should plan and perform an audit with professional skepticism,
recognizing that circumstances may exist that cause the financial statements to
be materially misstated (AU-C 200.17). The auditor’s past experience, or a belief
that management and those charged with governance are honest and have
integrity, does not relieve the auditor of the need to maintain professional
skepticism (AU-C 200.A26 and 240.12). Professional skepticism includes
questioning contradictory audit evidence and the reliability of documents and
responses to inquiries (AU-C 200.A24). If the auditor believes that a document
may have been altered or is not authentic, then the auditor should investigate
further (AU-C 240.13).
.26 When exercising judgment, particularly when tailoring FAM guidance, the
component auditor should consider the needs of, and consult in a timely
manner with, the group auditors who plan to use the work being performed so
that the judgments exercised can satisfy the needs of both auditors. For
example, group auditors of a consolidated entity (such as the U.S.
government or an entire department or entity) are likely to plan to use the
work of component auditors of subsidiary entities (such as individual
departments and entities or bureaus and components of departments). This
coordination can result in more effective government audits and avoid
duplication of effort.
.27 Many aspects of a financial statement audit involve technical judgments. The
auditor is responsible for making these judgments. The audit organization
should have or contract for personnel with adequate technical expertise to
provide technical assistance to the auditor, including the following example
areas, as necessary:
a. quantifying materiality for the financial statements as a whole, performance
materiality, and using tolerable misstatement in determining the extent of
substantive sampling procedures (see FAM 230);
b. identifying risk factors to assess risks of material misstatement (see
FAM 260);
c. assessing the effectiveness of IS controls (see FAM 270);
d. specifying a minimum level of substantive assurance based on the assessed
risk of material misstatement, substantive analytical procedures, and
substantive detail tests (see FAM 470, 475, and 480);
e. determining whether selections are statistical samples (representative of, and
statistically projectable to, the population), nonstatistical samples
(representative of, but not statistically projectable to, the population), or
nonstatistical selections (not representative of, and not projectable to, the
population) (see FAM 430);
f. using audit sampling methods, such as monetary unit sampling, classical
variables estimation sampling, or classical probability proportional to size
sampling, for substantive or multipurpose testing (including nonstatistical
sampling) (see FAM 480);
g. using audit sampling for control testing, other than attribute sampling, and
using the tables in FAM 450 to determine sample size when not performing a
multipurpose test;
h. using audit sampling for compliance testing of significant provisions of
applicable laws, regulations, contracts, and grant agreements, other than
attribute sampling using the tables in FAM 460, to determine sample size
when not performing a multipurpose test; and
i. placing complete or partial reliance on analytical procedures, using
performance materiality to calculate the limit, which is the amount of
difference between the expected and recorded amounts that can be accepted
without further investigation (see FAM 475).
Form, Content, and Extent of Audit Documentation
.28 Each phase of the FAM methodology includes documentation requirements (see
FAM 290, 390, 490, and 590). In addition, the auditor should prepare
documentation that ensures the following:
• The auditor should prepare audit documentation that is sufficient to
enable an experienced auditor, having no previous connection with the
audit, to understand (1) the nature, timing, and extent of the audit
procedures performed to comply with GAGAS; (2) the results of the audit
procedures performed and the audit evidence obtained; and (3)
significant findings or issues arising during the audit, the conclusions
reached thereon, and significant professional judgments made in
reaching those conclusions (AU-C 230.08).
• In documenting the nature, timing, and extent of audit procedures
performed, the auditor should record (a) the identifying characteristics of
the specific items or matters tested, (b) who performed the audit work and
the date such work was completed, and (c) who reviewed the audit work
performed and the date and extent of such review (AU-C 230.09). For
GAO, see Financial Audit Practice Memo #6 (Supplemental Financial
Audit Manual Guidance Applicable Only to GAO Engagements) for further
information on GAO’s policies regarding audit documentation and
reviews.
• The auditor should prepare audit documentation on a timely basis
(AU-C 230.07).
• The auditor should adopt reasonable procedures to maintain the
confidentiality of client information (AU-C 230.19), such as physical
safeguards over hard copy client information and access restrictions to
information systems containing client information.
References to Positions
.29 Various sections of the FAM refer to consultation with audit management,
persons with the technical expertise to obtain approval or additional
guidance, or both. The auditor should document key consultations. Each
audit organization should have written evidence, in the audit documentation
or in its audit policy manual, of the specific positions of persons who will
perform these functions.
The following are references to positions at GAO; however, descriptions of
position responsibilities in relation to the audit are included so that the positions
or roles can be identified in other audit organizations. IGs performing audits or
using firms to perform audits in accordance with the FAM should clarify and
document the positions of the persons that the auditor should consult in various
circumstances.
a. The audit director (engagement partner or first partner) is responsible for the
quality of the financial statement audit and the audit report, reporting to the
assistant IG for the audit or, at GAO, to the managing director.
b. The assistant director is responsible for the operational conduct of the audit
and generally for preparation of the audit report. In public accounting firms,
the audit manager may have these responsibilities.
c. The reviewer (engagement quality control reviewer or second partner) is
responsible for providing negative assurance about the quality of the audit
and reports to the assistant IG for audit (or higher position) or, at GAO, is the
chief accountant or designee. The reviewer may consult with other personnel
as needed.
d. The audit sampling specialist is a statistician or other person the auditor
consults for technical expertise in areas such as audit sampling, audit sample
evaluation, and selecting entity field locations to test.
e. The IS controls auditor has technical expertise in information systems,
general controls, application controls, and information security. This person is
involved with the planning, directing, or performing of audit procedures
related to IS controls.[9]
f. The information technology specialist possesses special skills or
knowledge in the information technology field that extend beyond the skills
and knowledge normally possessed by those working in specialized fields of
auditing, such as an IS controls auditor.
g. The technical accounting and auditing expert reports to the assistant IG
for audit or higher. At GAO, this is the chief accountant or other designated
expert. This expert advises on accounting and auditing professional matters
and government-related issues. This person also may be the reviewer or may
review reports on financial statements and reports that express opinions on
financial information for compliance with professional auditing standards.
[9] App. V of GAO, Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G (Washington, D.C.:
February 2009), provides examples of the knowledge, skills, and abilities that an IS controls auditor should possess.
h. The Office of the General Counsel (OGC) advises the auditor in
(1) identifying significant provisions of applicable laws and regulations to test;
(2) identifying budget restrictions; and (3) identifying and resolving legal
issues encountered during the financial statement audit, such as evaluating
potential instances of noncompliance.[10]
i. The Special Investigator Unit investigates specific allegations involving
conflict-of-interest and ethics matters, contract and procurement irregularities,
official misconduct and abuse, and fraud in federal programs or activities. In
the offices of the IGs, this is the investigation unit; at GAO, it is the Forensic
Audits and Investigative Service team. The Special Investigator Unit provides
assistance to the auditor by (1) informing the auditor of relevant pending or
completed investigations of the entity and (2) investigating possible instances
of fraud, waste, and abuse.
Using the Work of Others
.30 The auditor should consider whether specialized skills are needed to perform
the audit. If specialized skills are needed, the auditor should seek the
assistance of a professional possessing such skills, who either may be a
member of the auditor’s staff or an outside professional. In such
circumstances, the auditor should have sufficient knowledge to communicate
the objectives of the other professional’s work; evaluate whether the specified
audit procedures will meet the auditor’s objectives; and evaluate the results of
the audit procedures applied as they relate to the nature, timing, and extent of
further planned audit procedures (AU-C 300.12). See FAM 600 for guidance
in using the work of others.
Compliance with Policies in the FAM
.31 The following terms are used throughout the FAM (all volumes) to describe
the degree of compliance with the standard or policy:
• Must: Compliance is mandatory when the circumstances exist to which
the requirement is relevant. Most “musts” indicate unconditional
requirements that come directly from professional auditing standards,
while other instances of “must” are unique needs for the government
environment and, therefore, GAO/CIGIE determined them to be required.
• Should: Compliance is mandatory when the circumstances exist to which
the requirement is relevant, except in rare circumstances when the
specific procedure to be performed would be ineffective in achieving the
intent of the requirement (AU-C 200.26). The auditor must document
(1) the justification for any departure and (2) how the alternative audit
procedures performed were sufficient to achieve the intent of the
requirement or policy (AU-C 230.13). The documentation should be
approved by the reviewer.[11]
• Generally should: Compliance is strongly encouraged when the
circumstances exist to which this policy is relevant. The auditor should
discuss any departure with the assistant director (or equivalent, such as
the audit manager in a public accounting firm) and document such
discussions.
• May, might, could: These terms are used in the FAM to provide further
explanation of and guidance for implementing audit requirements.
Compliance is optional. The auditor need not document compliance.
Use of Technical Terms
.32 The FAM uses many existing technical auditing terms and includes a
glossary of significant terms at the end of volume I.
Reference to Sections of the FAM
.33 When cited in audit documentation, correspondence, or other communication,
“FAM” may precede section or paragraph numbers. For example, this
paragraph is referred to as FAM 110.33.
[10] Audit organizations obtain legal counsel in a variety of ways, and each audit organization’s OGC size and
configuration can vary. In that regard, the designation of OGC in the FAM could include legal counsel in IG offices
that employ or hire their own legal counsel as well as the entity’s legal counsel.
[11] Similar to the AICPA auditing standards, if the FAM states that a procedure or action is one that the auditor “should
consider,” determining whether to perform the procedure or action is required; however, performing the procedure or
action is not. Because this is a “should,” the auditor should document any reasons for not performing this procedure
and the alternative procedures performed to meet the objective. When the FAM lists factors that the auditor should
evaluate when making a judgment, the auditor is expected to use these factors to make an informed judgment.
However, the auditor may also consider other factors.
SECTION 200
Planning Phase
Contents of the Planning Phase
Introduction FAM
Overview of the FAM Methodology 110
Planning Phase FAM
Overview of the Planning Phase 210
Perform Preliminary Engagement Activities 215
Understand the Entity’s Operations 220
Perform Preliminary Analytical Procedures 225
Determine Materiality 230
Identify Significant Line Items, Accounts, and Assertions 235
Identify Significant Accounting Applications, Cycles, and Financial Management Systems 240
Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and Grant Agreements 245
Identify Relevant Budget Restrictions 250
Identify Risk Factors 260
Determine Likelihood of Effective IS Controls 270
Identify Relevant Operations Controls to Evaluate and Test 275
Plan Other Audit Procedures 280
Plan Locations to Test 285
Documentation 290
Internal Control Phase FAM
Overview of the Internal Control Phase 310
Understand Information Systems 320
Identify Control Objectives 330
Identify and Understand Relevant Control Activities 340
Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with FFMIA 350
Perform Tests of Controls and Compliance with FFMIA 360
Assess Internal Control on a Preliminary Basis 370
Other Considerations 380
Documentation 390
Testing Phase FAM
Overview of the Testing Phase 410
Design the Nature, Extent, and Timing of Further Audit Procedures 420
Design Tests 430
Perform Tests and Evaluate Results 440
Perform Sampling Control Tests 450
Perform Compliance Tests 460
Perform Substantive Procedures -- Overview 470
Perform Substantive Analytical Procedures 475
Perform Substantive Detail Tests 480
Documentation 490
Reporting Phase FAM
Overview of the Reporting Phase 510
Perform Overall Analytical Procedures 520
Reassess Materiality and Risks of Material Misstatement 530
Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports 540
Audit Exposure (Further Evaluation of Audit Risk) 545
Perform Other Reporting Phase Audit Procedures 550
Determine Whether Financial Statement Presentation is in Accordance with U.S. GAAP 560
Determine Compliance with GAO/CIGIE Financial Audit Manual 570
Draft Reports 580
Documentation 590
210 Overview of the Planning Phase
.01 The objective of the auditor is to plan the audit so that it will be performed in an
effective manner (American Institute of Certified Public Accountants’ Clarified
Statements on Auditing Standards (AU-C) 300.04). The auditor should develop
effective and efficient ways to obtain the sufficient appropriate evidence
necessary to report on the entity’s
• financial statements, required supplementary information (RSI) (including
management’s discussion and analysis (MD&A)), and other information
included in the annual report;
• internal control over financial reporting;
• financial management systems’ substantial compliance with the three
requirements of the Federal Financial Management Improvement Act of 1996
(FFMIA) (for Chief Financial Officers Act of 1990 (CFO Act) agencies); and
• compliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements.[1]
The nature, extent, and timing of planning vary based on factors, such as the
entity’s size and complexity, the auditor’s experience with the entity, and the
auditor’s knowledge of entity operations.
.02 The FAM methodology overview in the contents outlines the procedures
performed in the planning phase of a financial audit to develop an overall
strategy for the audit. The engagement partner and other key members of the
engagement team should be involved in planning the audit, including planning
and participating in the discussion among engagement team members (AU-C
300.05). The engagement partner may delegate portions of the planning and
supervision of the audit to other members of the team (AU-C 300.A4).
.03 The auditor should establish an overall audit strategy that sets the scope, timing,
and direction of the audit and that guides the development of the audit plan
(AU-C 300.07). Although concentrated in the planning phase, planning is an
iterative process performed throughout the audit. For example, findings from the
internal control phase directly affect planning the substantive audit procedures.
Also, the results of control and substantive tests may require changes in the audit
strategy or audit plan. Thus, the auditor should update and change the overall
audit strategy and audit plan, as necessary, during the course of the audit
(AU-C 300.10).
.04 The auditor should consider whether specialized skills are needed in performing
the audit. If specialized skills are needed, the auditor should seek the assistance
of a professional possessing such skills who either may be a member of the
auditor’s staff or an outside professional. In such circumstances, the auditor
should have sufficient knowledge to communicate the objectives of the other
professional’s work; evaluate whether the specified audit procedures will meet
the auditor’s objectives; and evaluate the results of the audit procedures applied
as they relate to the nature, timing, and extent of further planned audit
procedures (AU-C 300.12). See FAM 620 for guidance on the auditor's use of the
work of specialists in an audit. The engagement team and any specialists should,
collectively, have the appropriate competence and capabilities to perform the
audit in accordance with GAGAS and applicable legal and regulatory
requirements, and enable an auditor’s report that is appropriate in the
circumstances to be issued (AU-C 220.16).
[1] In the FAM, “applicable laws, regulations, contracts, and grant agreements” refers to those laws, regulations,
contracts, and grant agreements that are applicable to the audited entity.
.05 The auditor should plan the nature, timing, and extent of direction and
supervision of engagement team members and review of their work. The nature,
timing, and extent of the direction and supervision of the engagement team
members and review of their work vary, depending on many factors, including:
the size and complexity of the entity, the area of the audit (such as fraud and
accounting estimates), the assessed risks of material misstatement, and the
capabilities and competence of the individual team members performing the work
(AU-C 300.11 and AU-C 300.A18).
.06 The auditor should consider the needs of, and consult in a timely manner with,
other auditors who plan to use the work being performed, especially when
exercising significant professional judgment.
215 Perform Preliminary Engagement Activities
.01 The auditor should undertake the following activities at the beginning of the audit
(AU-C 300.06):
• Perform procedures regarding acceptance and continuance of the client
relationships and the audit engagement, as required by AU-C 220.
• Evaluate auditor’s compliance with relevant ethical requirements in
accordance with AU-C 220 and Government Auditing Standards, chapter 1,
“Foundation and Principles for the Use and Application of Government
Auditing Standards.”
• Establish an understanding of the terms of the engagement with
management[2] and, when appropriate, those charged with governance,[3]
including establishing that certain preconditions for an audit are present, as
required by AU-C 210.
.02 In the federal environment, the “client” may include
• the management of the entity to be audited, including senior executives and
financial managers;
• the inspector general (IG), if the IG has contracted for the audit;
• the members of a board or commission responsible for the entity;
• the audit committee; or
• a combination of these.
The auditor should identify and document who is the client and those charged
with governance for each federal audit. The client and those charged with
governance may include multiple entities from this list. See FAM 215.27 for
additional guidance on identifying those charged with governance.
.03 For most entities, the Congress (including its committees) has an oversight role,
but typically it is not specifically responsible for or involved in overseeing the
entity’s financial reporting process and is not considered to be part of the entity’s
internal control. In these circumstances, the Congress (including its committees)
is not considered to be part of those charged with governance or an oversight
body for purposes of financial statement audits. Auditors should follow their audit
organization’s protocols or other policies for communicating with the Congress or
its committees. The auditor may decide to include some of the items listed in
FAM 550.16 in the communication to the Congress or its committees, but the
auditor is not required to communicate these items.
[2] Management refers to the persons with executive responsibility for the conduct of the entity’s operations. For some
entities, management includes some or all of those charged with governance, for example, senior executives.
[3] Those charged with governance refers to those who have the responsibility for overseeing the strategic direction of
the entity and obligations related to the accountability of the entity, including overseeing the entity’s financial reporting
process. Accordingly, for these purposes, those charged with governance are considered part of the entity’s internal
control and may be members of a board or commission, an audit committee, the secretary of a cabinet-level
department, or senior executives and financial managers responsible for the entity. Although Standards for Internal
Control in the Federal Government (known as the Green Book) uses “oversight body” (defined as “Those responsible
for overseeing management’s design, implementation, and operation of an internal control system (paragraph
OV2.14).”), the FAM uses “those charged with governance” throughout.
.04 The auditor should communicate with management, those charged with
governance, and individuals contracting for or requesting the audit. When
auditors perform the audit pursuant to a law or regulation or they conduct the
work for the congressional committee that has oversight of the entity, the auditor
also should communicate with the congressional committee (GAGAS (2018)
6.06).
.05 Audits may be conducted under various legal authorities. For example, the audit
may be
• mandated by law;
• performed under an audit organization’s discretionary statutory legal
authority;
• performed under contract authority to procure audit services; or
• requested by a congressional committee(s), subcommittee(s), or member(s).
Acceptance and Continuance of Client Relationships and Audit
Engagements and Relevant Ethical Requirements
.06 The engagement partner should be satisfied that appropriate procedures
regarding the acceptance and continuance of client relationships and audit
engagements have been followed (AU-C 220.14). The audit organization
establishes these procedures as part of its system of quality control (AICPA
Professional Standards, Quality Control Section 10). The engagement partner
should also determine that the conclusions reached in performing the procedures
are appropriate (AU-C 220.14). The following information assists the
engagement partner in making this determination (AU-C 220.A7):
• the integrity of the principal owners, key management, and those charged
with governance of the entity;
• whether the engagement team is competent to perform the audit engagement
and has the necessary capabilities, including time and resources;
• whether the audit organization and the engagement team can comply with
relevant ethical requirements (AU-C 200.16); and
• significant findings or issues that have arisen during the current or previous
audit engagement and their implications for continuing the relationship.
.07 Relevant ethical requirements are those to which the engagement team and
engagement quality control reviewer are subject. These consist of generally
accepted government auditing standards (GAGAS), the American Institute of
Certified Public Accountants (AICPA) Code of Professional Conduct, and rules of
applicable state boards of accountancy and regulatory agencies (AU-C 220.09).
At the beginning of the engagement, the auditor should evaluate whether the
audit organization can comply with the legal and relevant ethical requirements in
performing the audit engagement (AU-C 300.06 and QC Section 10.27).
Throughout the audit engagement, the engagement partner and other members
of the engagement team should remain alert for evidence of noncompliance with
relevant ethical requirements by members of the engagement team (AU-C
220.11). If matters come to the engagement partner's attention that indicate that
members of the engagement team have not complied with relevant ethical
requirements, the engagement partner, in consultation with others in the audit
organization as appropriate, should determine that appropriate action has been
taken (AU-C 220.12).
.08 The engagement partner should form a conclusion on compliance with
independence requirements that apply to the audit engagement by
• obtaining relevant information from the audit organization and, when
applicable, other audit organizations to identify and evaluate circumstances
and relationships that create threats to independence;
• evaluating information on identified breaches, if any, of the audit
organization’s independence policies and procedures to determine whether
they create a threat to independence for the audit; and
• taking appropriate action to eliminate such threats or reduce them to an
acceptable level by applying safeguards or, if considered appropriate, to
withdraw from the audit engagement when withdrawal is possible under
applicable law or regulation.
The engagement partner should promptly report to the audit organization any
inability to resolve the matter so that the organization may take appropriate
action. (AU-C 220.13 and GAGAS (2018) 3.27)
.09 In the federal environment, auditors may be appointed in accordance with law or
regulation, and as such, certain of the requirements and considerations regarding
the acceptance and continuance of client relationships and audit engagements
may not be relevant. Nonetheless, information gathered as a result of the
process described may be valuable in planning the audit, performing risk
assessments, and carrying out reporting responsibilities (AU-C 220.A8).
.10 The auditor’s consideration of client continuance and relevant ethical
requirements, including independence, occurs throughout the audit engagement
as conditions and changes in circumstances occur. Performing initial procedures
on both client continuance and evaluation of relevant ethical requirements
(including independence) at the beginning of the current audit engagement
means that they are completed prior to the performance of other significant
activities for the current audit engagement. For continuing audit engagements,
such initial procedures often begin shortly after (or in connection with) the
completion of the previous audit (AU-C 300.A8).
.11 For an initial audit engagement or reaudit engagement (financial statements
previously audited by a predecessor auditor), the auditor should request
management, or the organization that contracted the previous year’s audit (i.e.,
engaging party), to authorize the predecessor auditor to respond fully to the
auditor’s inquiries regarding matters that will assist the auditor in determining
whether to accept the engagement. If management refuses or limits the
response, the auditor should inquire about the reasons and consider the
implications in deciding whether to accept the engagement. The auditor should
also evaluate the predecessor auditor’s response, or consider the implications of
no response or a limited response, in determining whether to accept the
engagement (AU-C 210.11 through .12).
.12 The communication with the predecessor auditor may be either written or oral.
Matters subject to the auditor’s inquiry of the predecessor auditor may include
the following (AU-C 210.A33):
• information that might bear on the integrity of management;
• disagreements with management about accounting policies, auditing
  procedures, or other similarly significant matters;
• communications to those charged with governance regarding fraud and
  noncompliance with significant provisions of applicable laws, regulations,
  contracts, and grant agreements by the entity;
• communications to management and those charged with governance
  regarding significant deficiencies and material weaknesses in internal control;
• the predecessor auditor’s understanding about the reasons for the change of
  auditors; and
• the predecessor auditor’s understanding of the nature of the entity’s
  relationships and transactions with disclosure entities, related parties, and
  public-private partnerships,⁴ and significant unusual transactions.
.13 The auditor should document the following related to acceptance and
continuance of clients and audit engagements and relevant ethical requirements
(AU-C 220.25 and GAGAS (2018) 3.107):
• conclusions reached regarding acceptance and continuance of the client
  relationship and audit engagement;
• any issues identified with respect to compliance with relevant ethical
  requirements and how they were resolved, including any threats to
  independence and the safeguards applied; and
• conclusions on compliance with independence requirements that apply to the
  audit engagement and any relevant discussions with the audit organization
  that support the conclusions.
⁴ Under Federal Accounting Standards Advisory Board (FASAB) standards, organizations are considered to be
related parties if the existing relationship or one party to the existing relationship has the ability to exercise significant
influence over the other party’s policy decisions. In the federal government, there are additional relationships that
present risks similar to related parties, as defined by FASAB. These include disclosure entities and public-private
partnerships. Consequently, while the AICPA auditing standards address only related parties, the auditor should
apply audit procedures required for related parties to disclosure entities and public-private partnerships. Note that
FASAB and the Financial Accounting Standards Board (FASB) provide different definitions for related parties.
Procedures pertaining to disclosure entities and public-private partnerships do not apply to entities issuing financial
statements in accordance with FASB accounting standards.
Preconditions for an Audit
.14 To establish whether the preconditions for an audit are present, the auditor
should determine whether the financial reporting framework to be applied in the
preparation of the financial statements is acceptable (AU-C 210.06a). An
applicable financial reporting framework (U.S. GAAP) provides the criteria for
management to present the financial statements of an entity, including the fair
presentation of those financial statements (AU-C 210.A2). The AICPA has
designated the Federal Accounting Standards Advisory Board (FASAB) as the
source of U.S. generally accepted accounting principles (U.S. GAAP) for federal
reporting entities. Effective for periods beginning after September 30, 2017,
federal reporting entities, currently defined in Statement of Federal Financial
Accounting Concepts 2, will be defined in Statement of Federal Financial
Accounting Standards (SFFAS) 47, Reporting Entity. As permitted by SFFAS 34,
The Hierarchy of Generally Accepted Accounting Principles, Including the
Application of Standards Issued by the Financial Accounting Standards Board,
some federal entities, including government corporations, prepare financial
statements in accordance with standards promulgated by the Financial
Accounting Standards Board (FASB). For further information on the requirements
for applying the FASB standards, see SFFAS 34.
Factors that are relevant to the auditor’s determination of the acceptability of the
financial reporting framework to be applied in the preparation of the financial
statements include the following (AU-C 210.A4):
• the nature of the entity (for example, whether it is a business enterprise, a
  governmental entity, or a not-for-profit organization);
• the purpose of the financial statements (for example, whether they are
  prepared to meet the common financial information needs of a wide range of
  users);
• the nature of the financial statements (for example, whether the financial
  statements are a complete set of financial statements or a single financial
  statement); and
• whether law or regulation prescribes the applicable financial reporting
  framework (U.S. GAAP).
.15 Additionally, the auditor should obtain the agreement of management that it
acknowledges and understands its responsibilities in a financial statement audit,
including responsibility for
• the preparation and fair presentation of the financial statements in
  accordance with U.S. GAAP (or other applicable financial reporting
  framework);
• the design, implementation, and maintenance of internal control relevant to
  the preparation and fair presentation of financial statements that are free from
  material misstatement, whether due to fraud or error (AU-C 210.06b); and
• compliance with provisions of laws, regulations, contracts, and grant
  agreements applicable to the entity.
The auditor should also obtain the agreement of management that it
acknowledges and understands its responsibility to provide the auditor with
• access to all information of which management is aware that is relevant to the
  preparation and fair presentation of the financial statements, such as records,
  documentation, and other matters;
• additional information that the auditor may request from management for the
  purpose of the audit; and
• unrestricted access to persons within the entity from whom the auditor
  determines it necessary to obtain audit evidence (AU-C 210.06b).
The example audit engagement letters in FAM 215 A include these and other
management responsibilities.
.16 Management’s agreement should be in writing and may be incorporated as part
of the audit engagement letter, as shown in the examples in FAM 215 A
(AU-C 210.10 and .A44). This agreement should generally be obtained from the
same officials whom the auditor will ask to sign the management representation
letter.
.17 If the preconditions for an audit, as discussed in FAM 215.14 through .15, are not
present, the auditor should discuss the matter with management. If the
preconditions for an audit have not been met, the auditor should not accept the
proposed audit engagement, unless required by law or regulation to do so
(AU-C 210.08). For federal financial statement audits, executive branch
departments, agencies, and other entities are required to prepare audited
financial statements under such laws as the Chief Financial Officers Act of 1990
(CFO Act), the Government Management Reform Act of 1994, or the
Accountability of Tax Dollars Act of 2002. Government corporations are required
to prepare audited financial statements under the Government Corporation
Control Act.
Agreement on the Terms of the Engagement
.18 The auditor should agree upon the terms of the engagement with management,
those charged with governance, or both, as appropriate (AU-C 210.09). When
the agreement on the terms of the engagement is only with those charged with
governance, the auditor is required to obtain management’s agreement that it
acknowledges and understands its responsibilities (AU-C 210.06 and .A21). The
auditor should document the agreed-upon terms in an audit engagement letter or
other suitable form of written agreement. The letter or written agreement should
include
• the required elements and wording in AU-C 210.10, related to the objectives
  and scope;
• the responsibilities of both management and the auditor;
• a statement that because of the inherent limitations of an audit and internal
  control, an unavoidable risk exists that some material misstatements may not
  be detected, even though the audit is properly planned and performed in
  accordance with GAGAS;
• identification of the applicable financial reporting framework for the
  preparation of the financial statements (U.S. GAAP); and
• expected form and content of reports, including a statement that
  circumstances may arise in which a report may differ from its expected form
  and content.
Additionally, the letter generally states that the auditor will conduct the audit in
accordance with GAGAS, and if applicable, Office of Management and Budget
(OMB) audit guidance. Those standards and OMB audit guidance require that
the auditor plans and performs the audit to obtain reasonable, rather than
absolute, assurance about whether financial statements are free of material
misstatement. Examples of an audit engagement letter are provided in
FAM 215 A.
.19 At a minimum, an audit includes obtaining an understanding of internal control
sufficient for planning the audit and determining the nature, timing, and extent of
audit procedures to be performed. Additional procedures may be required related
to testing the effectiveness of internal control if the audit is being conducted
under OMB audit guidance or if the auditor is providing an opinion on the
effectiveness of internal control over financial reporting. An auditor either
expresses an opinion on the effectiveness of internal control over financial
reporting or reports on the results of procedures performed, as discussed in FAM
580. The engagement letter or written agreement should include the auditor’s
responsibilities for testing and reporting on internal control over financial
reporting, including whether the auditor plans to express an opinion on the
effectiveness of internal control over financial reporting or report on the results of
procedures performed.
.20 The engagement letter or written agreement should include the auditor’s
responsibility for
• testing and reporting on compliance with significant provisions of laws,
  regulations, contracts, or grant agreements applicable to the entity and
  performing other limited procedures;
• testing and reporting on the entity’s financial management systems’
  substantial compliance with the three Federal Financial Management
  Improvement Act of 1996 (FFMIA) requirements (for CFO Act agencies); and
• applying certain limited procedures to any RSI, reading other information and
  considering whether a material inconsistency exists between the other
  information and the financial statements, and reporting the results.
.21 The letter may also communicate additional matters, such as the involvement of
others and fee and billing arrangements, although these may be addressed in
separate contractual documents.
.22 The engagement letter or written agreement is designed to avoid
misunderstandings between the entity to be audited, the IG if the audit is
contracted out by the IG, and the auditor. Where there is a contract, an
engagement letter may be unnecessary if all of the required elements in
AU-C 210.10 are included in the contract. If management is not a party to the
contract, the auditor should obtain management’s agreement with the terms of
the engagement, as discussed in FAM 215.18. If both an engagement letter and
a contract are prepared, the information that appears in these documents should
be consistent.
.23 The engagement letter or written agreement may provide that if management of
the entity to be audited does not agree with the terms of the audit reached
between the party contracting for the audit and the auditor, as documented in the
contract or engagement letter, entity management should promptly notify the
auditor. If management does not agree with the terms of the audit, the auditor
should promptly inform the party contracting for the audit.
.24 The auditor should not agree to a change in the terms of the audit engagement
when no reasonable justification for doing so exists (AU-C 210.14). If, prior to
completing the audit engagement, the auditor is requested to change the audit
engagement to an engagement for which the auditor obtains a lower level of
assurance, the auditor should determine whether reasonable justification for
doing so exists (AU-C 210.15). If the terms of the audit engagement are
changed, the auditor and management should agree on and document the new
terms of the engagement in an engagement letter or other suitable form of written
agreement (AU-C 210.16).
.25 Based on AU-C 210.17, if the auditor concludes that no reasonable justification
for a change of the terms of the audit engagement exists and is not permitted by
management to continue the original audit engagement, the auditor should
• withdraw from the audit engagement when possible under applicable law or
  regulation;
• communicate the circumstances to those charged with governance; and
• determine whether any obligation (e.g., legal, contractual, or ethical) exists to
  report the circumstances to other parties.
Communicating with Those Charged with Governance
.26 The auditor should communicate clearly with those charged with governance.
Clear communication of specific matters required to be communicated is an
integral part of every audit. However, the auditor is not required to perform
procedures specifically to identify other significant matters to communicate with
those charged with governance (AU-C 260.05a and .A3).
.27 The auditor should determine the appropriate persons within the entity’s
governance structure with whom to communicate (AU-C 260.07). The
appropriate persons may vary depending on the matter to be communicated.
When the appropriate persons with whom to communicate are not clearly
identifiable, the auditor and the engaging party may need to discuss and agree
on the relevant persons within the entity’s governance structure with whom the
auditor will communicate (AU-C 260.A8). In situations where there is not a single
individual or group that both oversees the strategic direction of the entity and the
fulfillment of its accountability obligations, or in other situations where the identity
of those charged with governance is not clearly evident, the auditor should
document the process followed and conclusions reached for identifying
appropriate individuals to receive the required auditor communications.
.28 If the auditor communicates with a subgroup of those charged with governance,
such as an audit committee, or with an individual, the auditor should determine
whether it also needs to communicate with the governing body (AU-C 260.08).
AU-C 260.A10 through .A11 outline matters to consider when making this
judgment. When all of those charged with governance are involved with
managing the entity, the auditor should be satisfied that communication with
person(s) with management responsibilities adequately informs all of those with
whom the auditor would otherwise communicate in their governance capacity
(AU-C 260.09, .A10, and .A11).
.29 The auditor should communicate to those charged with governance (1) the
auditor’s responsibilities under GAGAS (see FAM 215.30 and .31); (2) an
overview of the planned scope and timing of the audit, including the significant
risks identified by the auditor (see FAM 215.32); (3) the nature of planned work
and level of assurance provided related to internal control over financial reporting
and compliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements; and (4) the form, timing, and expected general
content of communications. These matters may be communicated either orally or
in writing. The auditor may use the engagement letter, contract, or other written
communication, such as the example letter in FAM 215 B, as part of this
communication (AU-C 260.10, .11, .15, and .A48). (Note: GAO auditors should
use the engagement letter.)
.30 The auditor should communicate with those charged with governance the
auditor’s responsibilities under GAGAS, including that
• the auditor is responsible for forming and expressing an opinion about
  whether the financial statements that have been prepared by management,
  with the oversight of those charged with governance, are prepared, in all
  material respects, in conformity with U.S. GAAP and
• the audit of the financial statements does not relieve management or those
  charged with governance of their responsibilities (AU-C 260.10).
If the entity includes other information in its annual report, such as in a
performance and accountability report (PAR), agency financial report (AFR), or
annual management report (AMR), the auditor should communicate with those
charged with governance the auditor’s responsibility with respect to such other
information, the procedures performed relating to the other information, and the
results (AU-C 720.15).
.31 The auditor may also communicate to those charged with governance the
auditor’s responsibilities that were communicated with management, as
discussed in FAM 215.18 through .20. Additionally, the auditor may communicate
the auditor’s responsibility for communicating significant matters as well as the
limitations on this responsibility discussed in FAM 215.26 (AU-C 260.A13).
.32 The auditor should communicate with those charged with governance an
overview of the planned scope and timing of the audit (AU-C 260.11). However, it
is important for the auditor not to compromise the effectiveness of the audit,
particularly when some or all of those charged with governance are involved with
managing the entity. For example, communicating the nature and timing of
detailed audit procedures may reduce the effectiveness of those procedures by
making them too predictable. AU-C 260.A19 through .A24 provide guidance on
communicating the planned scope and timing of the audit, including additional
matters that the auditor may discuss with those charged with governance.
As part of communicating the planned scope and audit timing with those charged
with governance, the auditor should communicate the significant risks identified
by the auditor. Such communication helps those charged with governance
understand those matters and why they require special audit consideration. The
communication about significant risks may assist those charged with governance
in fulfilling their responsibility to oversee the financial reporting process (AU-C
260.11 and .A20). See FAM 260.44 for a discussion of significant risks.
.33 The auditor should communicate significant findings and issues from the audit to
those charged with governance, as discussed in FAM 550.16 and FAM 580. This
communication should be in writing if, in the auditor’s professional judgment, oral
communication would not be adequate. Matters that arose during the audit that
were communicated to those charged with governance and satisfactorily
resolved do not need to be included in the communication. Factors that may
affect whether to communicate orally or in writing, the extent of detail or
summarization in the communication, and the formality of the communication are
discussed in AU-C 260.A48 through .A50 (AU-C 260.12, .13, .14, and .16).
.34 Management’s communication of these matters to those charged with
governance does not relieve the auditor of the responsibility to also communicate
with them. However, communication of these matters by management may affect
the form or timing of the auditor’s communication (AU-C 260.A2).
.35 The auditor’s clear communication of these matters helps establish the basis for
effective two-way communication. Matters that may contribute to the
effectiveness of two-way communication are included in AU-C 260.A44. As
discussed in FAM 550.19, the auditor should evaluate whether the two-way
communication between the auditor and those charged with governance has
been adequate for the purpose of the audit (AU-C 260.20).
.36 When matters in AU-C 260 discussed above are communicated in writing, the
auditor should describe in the communication the purpose of the auditor’s written
communication and state that the auditor’s written communication is not suitable
for any other purpose (AU-C 905.11).
.37 The auditor should communicate with those charged with governance on a timely
basis. AU-C 260.A51 through .A52 discuss factors relevant for determining the
timing of these communications (AU-C 260.19, .A51, and .A52).
.38 The auditor should document all required communications with those charged
with governance. If the communication was oral, the auditor should include in the
audit documentation when and to whom communication was made. If the
communication was written, the auditor should retain a copy of the
communication with the audit documentation. If, as part of its communication to
those charged with governance, management communicated some or all of the
matters the auditor is required to communicate, and as a result, the auditor did
not communicate these matters at the same level of detail as management, the
auditor should include a copy or summary of management’s communications
provided to those charged with governance in the audit documentation (AU-C
260.21).
Intent, Notification, and Commitment Letters
.39 The auditor’s internal procedures may provide for additional communication with
others in the form of an intent, notification, or commitment letter, as discussed
below. The auditor should send intent, notification, or commitment letters as
provided by the auditor’s protocols. The engagement letter may be able to be
used in place of certain of these letters.
.40 An intent letter is used by some auditors to acknowledge a congressional request
for any type of work. This letter may include
• acknowledgment of a meeting with congressional staff to understand the
  request;
• indication of a survey of work or planning phase to understand the entity,
  identify accounting or auditing issues, and determine the availability and
  access to books and records, particularly for an initial engagement;
• an estimated completion date for the planning phase;
• the auditor team performing the audit; and
• auditor contact names, phone numbers, and email addresses.
.41 A notification letter is used by some auditors to notify entities of new
engagements for any type of work. This letter may include
• the source of work (mandate, request, or auditor’s statutory discretionary
  authority);
• objective(s) of the work;
• entities and locations to be contacted;
• the estimated start date;
• the estimated date of entrance conference;
• the auditor team performing the audit;
• auditor contact names, phone numbers, and email addresses; and
• engagement (job) code or other tracking number.
.42 A commitment letter is used by some auditors, either after a survey of work or the
planning phase has been completed, or to confirm a commitment to perform an
audit based on a congressional request, mandate, or auditor’s statutory
discretionary authority for any type of work. This letter may include
• a confirmation of the auditor’s commitment to perform work and issue a
  report;
• an overview of the engagement approach, objective(s), and key aspects of
  the work, including a separate survey of work or planning phase, if
  conducted;
• the planned report issuance date;
• the auditor team performing the audit; and
• auditor contact names, phone numbers, and email addresses.
.43 For an agreed-upon procedure engagement, as discussed in FAM 710.04, the
auditor may issue an engagement letter unless covered by contract or other
written communication. An example letter for agreed-upon procedure
engagements is presented in FAM 710 A.
Planning Phase
215 A Sample Audit Engagement Letter
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 215 A-1
215 A Sample Audit Engagement Letter
.01 As discussed in FAM 215.18, the engagement letter documents the audit’s
objectives and scope, the roles and responsibilities of both management and the
auditor, and other matters. Example 1 presents a sample audit engagement letter
when the auditor plans to provide an opinion on the effectiveness of an entity’s
internal control. Example 2 presents a sample audit engagement letter when the
auditor plans to report on the entity’s internal control and will not provide an
opinion.
In both sample letters, the audited entity has a fiscal year ending September 30.
The auditor should modify the sample letters, as needed, for the specific
circumstances of each audit.
Example 1 Auditor Provides an Opinion on Effectiveness of an
Entity’s Internal Control over Financial Reporting
[Auditor letterhead]
[Date]
[Address to entity management; those charged with governance; the inspector
general if the audit has been contracted out to a certified public accounting firm;
or others, such as congressional committees, as appropriate.]
Dear _________________:
Pursuant to the [cite legal or contract authority for audit], the [name of auditor] will
audit, for fiscal year [20X2⁵], the financial statements of the [full name of the entity
(entity abbreviation)]. The job code for this audit is [XXXXXX] [non-GAO auditors
should omit or modify identifier as appropriate]. We confirm our acceptance and our
understanding of this audit engagement by means of this letter. The objectives and
scope of our integrated audits are as follows:
1. Express an opinion on whether [entity’s] financial statements as of and for the fiscal
years ended [September 30, 20X2, and 20X1], are presented fairly, in all material
respects, in accordance with U.S. generally accepted accounting principles.
2. Express an opinion on whether [entity] maintained, in all material respects, effective
internal control over financial reporting as of [September 30, 20X2], based on the
criteria established under 31 U.S.C. § 3512 (c), (d), commonly known as the Federal
Managers’ Financial Integrity Act of 1982 (FMFIA) [or other appropriate criteria].
3. Report on the results of our tests of [entity’s] compliance with selected provisions of
applicable laws, regulations, contracts, and grant agreements for fiscal year [20X2].
4. Report whether [entity’s] financial management systems comply substantially with
the three requirements of the Federal Financial Management Improvement Act of
1996 (FFMIA) as of [September 30, 20X2]. [If applicable]
Upon completion of our audit, we will issue a written report consistent with these
objectives. Circumstances may arise in which our report may differ from its expected
form and content based on the results of our audit. Depending on the nature of these
circumstances, it may be necessary for us to modify our opinions or add
emphasis-of-matter or other-matter paragraphs to our auditor’s report.
The purpose of our report[s] on compliance with laws, regulations, contracts, and grant
agreements [and financial management systems’ substantial compliance with
FFMIA requirements, if applicable] solely will be to describe the scope of our testing of
compliance with selected provisions of applicable laws, regulations, contracts, and grant
agreements [and financial management systems’ substantial compliance with
FFMIA requirements, if applicable], and the results of that testing, and not to provide
an opinion on compliance with applicable laws, regulations, contracts, and grant
agreements [or on financial management systems’ substantial compliance with
FFMIA requirements, if applicable]. Accordingly, our report[s] on compliance with
laws, regulations, contracts, and grant agreements [and financial management
systems’ substantial compliance with FFMIA requirements, if applicable] will not be
suitable for any other purpose.
[Modify the previous paragraph, as shown, if the auditor is engaged to provide an
opinion on compliance with applicable laws, regulations, contracts, and grant
agreements, or on the entity’s financial management systems’ substantial
compliance with FFMIA.]
⁵ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
Management’s Responsibilities
Our audit will be conducted on the basis that [entity’s] management acknowledges and
understands that it has responsibility for the following:
1. The preparation and fair presentation of [entity’s] financial statements, including
related notes, in accordance with U.S. generally accepted accounting principles.
2. Designing, implementing, and maintaining effective internal control over financial
reporting relevant to the preparation and fair presentation of financial statements that
are free from material misstatement, whether due to fraud or error.
3. Evaluating the effectiveness of [entity’s] internal control over financial reporting
based on the criteria established under FMFIA [or other appropriate criteria].
4. Its assessment about the effectiveness of internal control over financial reporting as
of [September 30, 20X2]. This includes providing management’s written
representation that it did not use the auditor’s procedures performed during the
integrated audits as part of the basis for its assessment on the effectiveness of
[entity’s] internal control over financial reporting.
5. Supporting its assessment about the effectiveness of [entity’s] internal control over
financial reporting with sufficient evaluations and documentation.
6. Complying with laws, regulations, contracts, and grant agreements applicable to
[entity].
7. Preparing, measuring, and presenting the required supplementary information (RSI)
in accordance with prescribed guidelines established in U.S. generally accepted
accounting principles.
8. Preparing and presenting other information included in [entity’s] [insert name of
annual report, e.g., agency financial report], and ensuring the consistency of that
information with the audited financial statements and RSI.
9. Designing, implementing, and maintaining effective internal controls to prevent and
detect fraud. This includes providing management’s written representation that it has
disclosed to the auditor the results of its assessment of the risk that the financial
statements may be materially misstated as a result of fraud.
10. Maintaining adequate accounting records, selecting and applying appropriate
accounting policies, and safeguarding U.S. government assets related to [entity’s]
operations.
11. [For entities that conform to FASB standards (see FAM 550.28 and .29)]
Evaluating whether there are conditions or events, considered in the aggregate, that
raise substantial doubt about [entity’s] ability to continue as a going concern for a
reasonable period of time.
12. Ensuring that [entity’s] financial management systems comply substantially with
FFMIA requirements [if applicable].
In addition, [entity’s] management acknowledges and understands that it has the
responsibility to provide us with
1. access to all information, such as records, documentation, and other matters, of
which management is aware that is relevant to the (1) preparation and fair
presentation of the financial statements, including related notes; (2) measurement,
preparation, and presentation of the RSI; and (3) preparation and presentation of
other information;
2. additional information that we may request from management for the purpose of the
audit, including but not limited to
a. minutes of meetings, or summaries of actions of recent meetings for which
minutes have not been prepared, of the [Board of Directors or other similar
bodies of those charged with governance] and
b. any communications from the Office of Management and Budget (OMB) or the
Department of the Treasury’s Bureau of the Fiscal Service concerning
noncompliance with, or deficiencies in, financial reporting practices;
3. unrestricted access to and full cooperation of personnel within [entity] from whom
we determine it necessary to obtain audit evidence; and
4. any reports obtained from [entity]’s service organizations.
[Entity] management agrees to communicate to us
1. the discovery of any material misstatement that would affect the fair presentation of
its fiscal year [20X2] or prior fiscal year’s financial statements;
2. any deficiencies in the design or operation of internal control over financial reporting
as of [September 30, 20X2], including separately identifying any deficiencies
management believes to be significant deficiencies or material weaknesses;⁶
3. a description of fraud or suspected fraud that affects [entity] and involves (1)
management, (2) employees who have significant roles in internal control over
financial reporting, or (3) others when the fraud could have a material effect on the
financial statements;
4. any instances of noncompliance or suspected noncompliance with laws, regulations,
contracts, and grant agreements applicable to [entity] whose effects should be
considered when preparing the financial statements;
5. any violations, or potential violations, of the Antideficiency Act for the years ended
[September 30, 20X2, and 20X1] and through the date of the management
representation letter. Potential violations are limited to those that, if true, could have
a material effect on the financial statements;
6. any known actual or possible litigation, claims, and assessments, including those
related to treaties and other international agreements, whose effects should be
considered when preparing the financial statements;
7. the identities of [entity’s] disclosure entities, related parties, and public-private
partnerships, and all the relationships and transactions related to them;⁷
8. any events or transactions subsequent to the date of the financial statements, and
for which U.S. generally accepted accounting principles require adjustment or
disclosure;
9. whether, subsequent to [September 30, 20X2], there were any changes in internal
control over financial reporting or other conditions that might significantly affect
internal control over financial reporting, including any corrective actions taken with
regard to material weaknesses or significant deficiencies; and
10. any planned inclusion of our auditor’s reports and the audited financial statements in
documents prepared by [entity] and to provide a copy of any such documents prior
to issuance.
⁶ A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal
control over financial reporting that is less severe than a material weakness yet important enough to merit attention
by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected, on a timely basis.
As part of our audit process, we will request from [entity] management written
confirmation concerning representations made to us in connection with the audit of the
financial statements, including internal control over financial reporting; compliance with
applicable laws, regulations, contracts, and grant agreements; and other related matters.
[Optional: The auditor may choose to make management aware of other specific
required written management representations. Factors to consider include initial
audits, changes in senior management, or changes in required representations.]
Definition and Inherent Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel. The objectives of internal control
over financial reporting are to provide reasonable assurance that (1) transactions are
properly recorded, processed, and summarized to permit the preparation of financial
statements in accordance with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use, or disposition,
and (2) transactions are executed in accordance with provisions of applicable laws,
including those governing the use of budget authority, regulations, contracts, and grant
agreements, noncompliance with which could have a material effect on the financial
statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct, misstatements due to fraud or error. We also caution that
projecting any evaluation of effectiveness to future periods is subject to the risk that
controls may become inadequate because of changes in conditions or that the degree of
compliance with the policies or procedures may deteriorate.
⁷ Note to auditor: Procedures related to disclosure entities and public-private partnerships do not apply to entities
issuing financial statements in accordance with FASB accounting standards.
Auditor’s Responsibilities
We are responsible for conducting our audits in accordance with U.S. generally
accepted government auditing standards [and OMB audit guidance, if applicable].
Those standards require that we plan and perform the audits to obtain reasonable
assurance about whether (1) the financial statements as a whole are free from material
misstatement, whether due to fraud or error, and (2) effective internal control over
financial reporting was maintained in all material respects. Reasonable assurance is a
high level of assurance but is not absolute assurance and therefore is not a guarantee
that an audit of the financial statements or an audit of internal control over financial
reporting conducted in accordance with U.S. generally accepted government auditing
standards will always detect a material misstatement or a material weakness when it
exists. The risk of not detecting a material misstatement resulting from fraud is higher
than for one resulting from error, as fraud may involve collusion, forgery, intentional
omissions, misrepresentations, or the override of internal control. Misstatements,
including omissions, are considered to be material if there is a substantial likelihood that,
individually or in the aggregate, they would influence the judgment made by a
reasonable user based on the financial statements.⁸
We are required to be independent of [entity] and to meet our other ethical
responsibilities, in accordance with the relevant ethical requirements relating to our
audits.
In performing an audit of the financial statements and an audit of internal control over
financial reporting in accordance with U.S. generally accepted government auditing
standards, we will do the following:
1. Exercise professional judgment and maintain professional skepticism throughout the
audits.
2. Identify and assess the risks of material misstatement of the financial statements,
whether due to fraud or error, and design and perform audit procedures responsive
to those risks. Such procedures include examining, on a test basis, evidence
regarding the amounts and disclosures in the financial statements in order to obtain
audit evidence that is sufficient and appropriate to provide a basis for our opinion.
3. Obtain an understanding of internal control relevant to the financial statement audit in
order to design audit procedures that are appropriate in the circumstances.
4. Obtain an understanding of internal control over financial reporting relevant to the
audit of internal control over financial reporting, assess the risks that a material
weakness exists, and test and evaluate the design and operating effectiveness of
internal control over financial reporting based on the assessed risk. Our audit of
internal control will also consider [entity’s] process for evaluating and reporting on
internal control over financial reporting based on criteria established under FMFIA
[or other appropriate criteria]. We will not evaluate all internal controls relevant to
operating objectives as broadly established under FMFIA [or other appropriate
criteria], such as those controls relevant to preparing performance information and
ensuring efficient operations. We will limit our internal control testing to testing
controls over financial reporting. Our internal control testing will be for the purpose of
expressing an opinion on whether effective internal control over financial reporting
was maintained, in all material respects, as of [September 30, 20X2]. Consequently,
our audit may not identify all deficiencies in internal control over financial reporting
that are less severe than a material weakness.
5. Evaluate the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluate the
overall presentation of the financial statements.
6. Perform other procedures we consider necessary in the circumstances.
7. [For entities that conform to FASB standards (see FAM 550.28 and .29)]
Conclude, based on the audit evidence obtained, whether there are conditions or
events, considered in the aggregate, that raise substantial doubt about [entity’s]
ability to continue as a going concern for a reasonable period of time.
⁸ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
Because of the inherent limitations of an audit, together with the inherent limitations of
internal control, an unavoidable risk exists that some material misstatements in the
financial statements may not be detected, even though the audit is properly planned and
performed in accordance with U.S. generally accepted government auditing standards.
We will communicate all deficiencies of which we become aware. We are responsible for
communicating in writing to those charged with governance any significant deficiencies
and material weaknesses in internal control that come to our attention as a result of the
audit. If we identify deficiencies in [entity’s] internal control that we do not consider to be
material weaknesses or significant deficiencies, we will communicate these matters in
writing to management and, where appropriate, will report on them separately.
In accordance with U.S. generally accepted government auditing standards, we are
responsible for testing compliance with selected provisions of laws, regulations,
contracts, and grant agreements applicable to [entity] that have a direct effect on the
determination of material amounts in [entity’s] financial statements and performing
certain other limited procedures as part of our audits.⁹ We will not test compliance with
all laws, regulations, contracts, and grant agreements applicable to [entity]. We caution
that noncompliance may occur and not be detected by these tests.
We are also responsible for (1) testing and reporting on whether [entity’s] financial
management systems comply substantially with the three FFMIA requirements [if
applicable] and (2) applying certain limited procedures to any RSI, reading other
information included in [entity’s] [insert name of annual report, e.g., agency financial
report] and considering whether a material inconsistency exists between the other
information and the financial statements, and reporting the results.
Audit Coordination and Other Matters
To use audit resources efficiently and expedite audit completion, we will work with
[entity] staff to obtain information needed for the audit. Assistance needed from [entity]
staff may include preparing schedules or analyses; locating, copying, and providing
selected documents; and participating in meetings. We will need draft financial
statements, including all information relevant to their preparation and fair presentation,
whether obtained from within or outside of the general and subsidiary ledgers (including
all information relevant to the preparation and fair presentation of note disclosures), and
any other information to be included in [entity’s] [insert name of annual report, e.g.,
agency financial report] in sufficient time for us to complete our audit in accordance
with the proposed timetable. We will discuss this assistance with [entity] staff and arrive
at mutually acceptable time frames.
⁹ Note to auditor: If applicable, include sentence to add tests of laws and regulations listed in OMB audit guidance that
the auditor deems applicable to the financial statements.
We will conduct an entrance conference with [entity] staff on [or by] [date]. We plan to
issue our report on a mutually agreed-upon date. [Insert any additional details as
appropriate regarding report timing.] We will also provide periodic status reports on
our work upon your request. If we encounter problems that will affect the reporting date,
we will discuss them with you in a timely manner. We look forward to working with
[entity] and appreciate its cooperation in working with us to complete the audit in a
timely manner.
Pursuant to [include reference to audit reimbursement authority], our audit of
[entity] is performed on a reimbursable basis. The total cost to perform the fiscal year
[20X2] audit will depend on the nature of the issues we identify and the amount of staff
resources needed to complete the audit. [Consider including additional details as
appropriate for any contracted services to be reimbursed, such as those for
information systems controls or specialists.] We plan to submit a bill to you each
month reflecting the actual costs incurred.
This assignment will be conducted under my direction, with assistance from [name and
title of manager], who can be reached at [phone number] or by email at [email], and
[name and title of site auditor], who can be reached at [phone number] or by email at
[email].
The attached acknowledgment page should be signed by management [and the
addressee, if contracting party is other than management] and returned to us to
indicate your acknowledgment of, and agreement with, the terms and arrangements of
our audit of the financial statements and to indicate management’s acknowledgment and
understanding of our respective responsibilities.
Should this letter not represent your understanding of the nature of this engagement, or
should you have any questions or need further information, please contact me at [phone
number] or by email at [email].
We look forward to a successful engagement.
Sincerely yours,
[Auditor’s name and title]
cc: CFO of [entity]
Inspector General of [entity]
[Others, as applicable]
Management’s Acknowledgment of the Audit Engagement Terms
On behalf of [entity] and its management, I acknowledge and agree to the (1) terms and
arrangements described above for the audit of [entity]’s financial statements, including
our respective responsibilities, and (2) auditor’s scope of work and related reporting on
[entity]’s
• financial statements, required supplementary information (including management’s
discussion and analysis) [omit if not applicable], and other information to be
included in [entity’s] [insert name of annual report, e.g., agency financial report]
[omit if not applicable];
• internal control over financial reporting;
• financial management systems’ substantial compliance with the three requirements
of the Federal Financial Management Improvement Act of 1996 [omit if not
applicable]; and
• compliance with laws, regulations, contracts, and grant agreements.
_______________________________________ _____________________
Signature Date
[Name and Title]
_______________________________________ _____________________
Signature Date
[Name and Title]
[NOTE: REQUIRED TO BE SIGNED BY MANAGEMENT. SIGNERS SHOULD
GENERALLY BE THE SAME OFFICIALS WHOM THE AUDITOR WILL REQUEST
SIGN THE MANAGEMENT REPRESENTATION LETTER. MAY INCLUDE
ADDITIONAL PARTIES INVOLVED WITH CONTRACTING FOR THE AUDIT.]
Example 2: Auditor Does Not Provide an Opinion on Entity’s Internal Control over Financial Reporting
[Auditor letterhead]
[Date]
[Address to entity management; those charged with governance; the inspector
general if the audit has been contracted out to a certified public accounting firm;
or others, such as congressional committees, as appropriate.]
Dear _________________:
Pursuant to the [cite legal or contract authority for audit], the [name of auditor] will
audit, for fiscal year [20X2],¹⁰ the financial statements of the [full name of the entity
(entity abbreviation)]. The job code for this audit is [XXXXXX] [non-GAO auditors
should omit or modify identifier as appropriate]. We confirm our acceptance and our
understanding of this audit engagement by means of this letter. The objectives and
scope of our audits are as follows:
1. Express an opinion on whether [entity]’s financial statements as of and for the fiscal
years ended [September 30, 20X2, and 20X1], are presented fairly, in all material
respects, in accordance with U.S. generally accepted accounting principles.
2. Report any significant deficiencies and material weaknesses in internal control over
financial reporting for fiscal year [20X2] that come to our attention as a result of the
audit.¹¹
3. Report on the results of our tests of [entity’s] compliance with selected provisions of
applicable laws, regulations, contracts, and grant agreements for fiscal year [20X2].
4. Report whether [entity’s] financial management systems comply substantially with
the requirements of the Federal Financial Management Improvement Act of 1996
(FFMIA) as of [September 30, 20X2]. [If applicable.]
Upon completion of our audit, we will issue a written report consistent with these
objectives. Circumstances may arise in which our report may differ from its expected
form and content based on the results of our audit. Depending on the nature of these
circumstances, it may be necessary for us to modify our opinion or add emphasis-of-
matter or other-matter paragraphs to our auditor’s report.
The purpose of our report[s] on internal control and compliance with laws, regulations,
contracts, and grant agreements [and financial management systems’ substantial
compliance with FFMIA requirements, if applicable] solely will be to describe the
scope of our testing of internal control and compliance with selected provisions of
applicable laws, regulations, contracts, and grant agreements [and FFMIA
requirements, if applicable], and the results of that testing, and not to provide an
opinion on the effectiveness of internal control over financial reporting or compliance
with applicable laws, regulations, contracts, and grant agreements [or on financial
management systems’ substantial compliance with FFMIA requirements, if
applicable]. Accordingly, our report[s] on internal control and compliance with laws,
regulations, contracts, and grant agreements [and financial management systems’
substantial compliance with FFMIA requirements, if applicable] will not be suitable
for any other purpose.
[Modify the previous paragraph, as shown, if the auditor is engaged to provide an
opinion on compliance with applicable laws, regulations, contracts, and grant
agreements, or on the entity’s financial management systems’ substantial
compliance with FFMIA.]
¹⁰ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
¹¹ A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet important enough to merit attention by those charged with
governance. A material weakness is a deficiency, or combination of deficiencies, in internal control over financial
reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements
will not be prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the
design or operation of a control does not allow management or employees, in the normal course of performing their
assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
Management’s Responsibilities
Our audit will be conducted on the basis that [entity’s] management acknowledges and
understands that it has responsibility for the following:
1. The preparation and fair presentation of [entity’s] financial statements, including
related notes, in accordance with U.S. generally accepted accounting principles.
2. Designing, implementing, and maintaining effective internal control over financial
reporting relevant to the preparation and fair presentation of financial statements that
are free from material misstatement, whether due to fraud or error.
3. Complying with laws, regulations, contracts, and grant agreements applicable to
[entity].
4. Preparing, measuring, and presenting the required supplementary information (RSI)
in accordance with prescribed guidelines established in U.S. generally accepted
accounting principles.
5. Preparing and presenting other information included in [entity’s] [insert name of
annual report, e.g., agency financial report], and ensuring the consistency of that
information with the audited financial statements and the RSI.
6. Designing, implementing, and maintaining effective internal controls to prevent and
detect fraud. This includes providing management’s written representation that it has
disclosed to the auditor the results of its assessment of the risk that the financial
statements may be materially misstated as a result of fraud.
7. Maintaining adequate accounting records, selecting and applying appropriate
accounting policies, and safeguarding U.S. government assets related to [entity’s]
operations.
8. [For entities that conform to FASB standards (see FAM 550.28 and .29)]
Evaluating whether there are conditions or events, considered in the aggregate, that
raise substantial doubt about [entity’s] ability to continue as a going concern for a
reasonable period of time.
9. Ensuring that [entity’s] financial management systems comply substantially with
FFMIA requirements [if applicable].
In addition, [entity]’s management acknowledges and understands that it has the
responsibility to provide us with
1. access to all information, such as records, documentation, and other matters, of
which management is aware that is relevant to the (1) preparation and fair
presentation of the financial statements, including related notes; (2) measurement,
preparation, and presentation of the RSI; and (3) preparation and presentation of
other information;
2. additional information that we may request from management for the purpose of the
audit, including but not limited to
a. minutes of meetings, or summaries of actions of recent meetings for which
minutes have not been prepared, of the [Board of Directors or other similar
bodies of those charged with governance] and
b. any communications from the Office of Management and Budget (OMB) or the
Department of the Treasury’s Bureau of the Fiscal Service concerning
noncompliance with, or deficiencies in, financial reporting practices;
3. unrestricted access to and full cooperation of personnel within [entity] from whom
we determine it necessary to obtain audit evidence; and
4. any reports obtained from [entity]’s service organizations.
[Entity] management agrees to communicate to us the following:
1. the discovery of any material misstatement that would affect the fair presentation of
its fiscal year [20X2] or prior fiscal year’s financial statements;
2. any deficiencies in the design or operation of internal control over financial reporting
as of [September 30, 20X2], including separately identifying any deficiencies
management believes to be significant deficiencies or material weaknesses;
3. a description of fraud or suspected fraud that affects [entity] and involves (1)
management, (2) employees who have significant roles in internal control over
financial reporting, or (3) others when the fraud could have a material effect on the
financial statements;
4. any instances of noncompliance or suspected noncompliance with laws, regulations,
contracts, and grant agreements applicable to [entity] whose effects should be
considered when preparing the financial statements;
5. any violations, or potential violations, of the Antideficiency Act for the years ended
[September 30, 20X2, and 20X1] and through the date of the management
representation letter. Potential violations are limited to those that, if true, could have
a material effect on the financial statements;
6. any known actual or possible litigation, claims, and assessments, including those
related to treaties and other international agreements, whose effects should be
considered when preparing the financial statements;
7. the identities of [entity’s] disclosure entities, related parties, and public-private
partnerships, and all the relationships and transactions related to them;¹²
8. any events or transactions subsequent to the date of the financial statements, and
for which U.S. generally accepted accounting principles require adjustment or
disclosure;
9. whether, subsequent to [September 30, 20X2], there were any changes in internal
control over financial reporting or other conditions that might significantly affect
internal control over financial reporting, including any corrective actions taken with
regard to material weaknesses or significant deficiencies; and
10. any planned inclusion of our auditor’s reports and the audited financial statements in
documents prepared by [entity] and to provide a copy of any such documents prior
to issuance.
¹² Note to auditor: Procedures related to disclosure entities and public-private partnerships do not apply to entities
issuing financial statements in accordance with FASB accounting standards.
As part of our audit process, we will request from [entity] management written
confirmation concerning representations made to us in connection with the audit of the
financial statements, including internal control over financial reporting; compliance with
applicable laws, regulations, contracts, and grant agreements; and other related matters.
[Optional: The auditor may choose to make management aware of other specific
required written management representations. Factors to consider include initial
audits, changes in senior management, or changes in required representations.]
Definition and Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged
with governance, management, and other personnel. The objectives of internal control
over financial reporting are to provide reasonable assurance that (1) transactions are
properly recorded, processed, and summarized to permit the preparation of financial
statements in accordance with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use, or disposition,
and (2) transactions are executed in accordance with provisions of applicable laws,
including those governing the use of budget authority, regulations, contracts, and grant
agreements, noncompliance with which could have a material effect on the financial
statements.
Because of its inherent limitations, internal control over financial reporting may not
prevent, or detect and correct, misstatements due to fraud or error.
Auditor’s Responsibilities
We are responsible for conducting our audit in accordance with U.S. generally accepted
government auditing standards [and OMB audit guidance, if applicable]. Those
standards require that we plan and perform the audit to obtain reasonable assurance
about whether the financial statements as a whole are free from material misstatement,
whether due to error or fraud. Reasonable assurance is a high level of assurance but is
not absolute assurance and therefore is not a guarantee that an audit of the financial
statements conducted in accordance with U.S. generally accepted government auditing
standards will always detect a material misstatement when it exists. The risk of not
detecting a material misstatement resulting from fraud is higher than for one resulting
from error, as fraud may involve collusion, forgery, intentional omissions,
misrepresentations, or the override of internal control. Misstatements, including
omissions, are considered to be material if there is a substantial likelihood that,
individually or in the aggregate, they would influence the judgment made by a
reasonable user based on the financial statements.¹³
¹³ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
We are required to be independent of [entity] and to meet our other ethical
responsibilities, in accordance with the relevant ethical requirements relating to our
audits.
In performing an audit of the financial statements in accordance with U.S. generally
accepted government auditing standards, we will do the following:
1. Exercise professional judgment and maintain professional skepticism throughout the
audits.
2. Identify and assess the risks of material misstatement of the financial statements,
whether due to fraud or error, and design and perform audit procedures responsive
to those risks. Such procedures include examining, on a test basis, evidence
regarding the amounts and disclosures in the financial statements in order to obtain
audit evidence that is sufficient and appropriate to provide a basis for our opinion.
3. Obtain an understanding of internal control relevant to the financial statement audit in
order to design audit procedures that are appropriate in the circumstances, but not
for the purpose of expressing an opinion on the effectiveness of the entity’s internal
control. In addition, we will not consider all internal controls relevant to operating
objectives as broadly established under 31 U.S.C. § 3512 (c), (d), commonly known
as the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) [or other
appropriate criteria], such as those controls relevant to preparing performance
information and ensuring efficient operations. Our internal control work will not
necessarily identify all deficiencies in internal control, including those that might be
material weaknesses or significant deficiencies.
4. Evaluate the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluate the
overall presentation of the financial statements.
5. Perform other procedures we consider necessary in the circumstances.
6. [For entities that conform to FASB standards (see FAM 550.28 and .29)]
Conclude, based on the audit evidence obtained, whether there are conditions or
events, considered in the aggregate, that raise substantial doubt about [entity’s]
ability to continue as a going concern for a reasonable period of time.
Because of the inherent limitations of an audit, together with the inherent limitations of
internal control, an unavoidable risk exists that some material misstatements in the
financial statements may not be detected, even though the audit is properly planned and
performed in accordance with U.S. generally accepted government auditing standards.
We will communicate all deficiencies in internal control of which we become aware. We
are responsible for communicating in writing to those charged with governance any
significant deficiencies and material weaknesses in internal control that come to our
attention as a result of the audit. Additionally, if we do not identify any material
weaknesses during our audit, we will indicate this in our written communication.¹⁴ If we
identify deficiencies in [entity]’s internal control that we do not consider to be material
weaknesses or significant deficiencies, we will communicate these matters in writing to
management and, where appropriate, will report on them separately. In addition, if we
identify misstatements or new deficiencies, we will communicate them to [entity]
management on a timely basis.
¹⁴ Note to auditor: In the event that no material weaknesses were identified during the audit, OMB audit guidance
requires the auditor to state, in the report on internal control over financial reporting, that no deficiencies in internal
control were identified during the audit that were considered to be material weaknesses.
In accordance with U.S. generally accepted government auditing standards, we are
responsible for testing compliance with selected provisions of laws, regulations,
contracts, and grant agreements applicable to [entity] that have a direct effect on the
determination of material amounts in [entity]’s financial statements and performing
certain other limited procedures as part of our audit. We will not test compliance with all
laws, regulations, contracts, and grant agreements applicable to [entity]. We caution
that noncompliance may occur and not be detected by these tests.
We are also responsible for (1) testing and reporting on whether [entity]’s financial
management systems comply substantially with the three FFMIA requirements [if
applicable] and (2) applying certain limited procedures to any RSI, reading other
information included in [entity’s] [insert name of annual report, e.g., agency financial
report] and considering whether a material inconsistency exists between the other
information and the financial statements, and reporting the results.
Audit Coordination and Other Matters
To use audit resources efficiently and expedite audit completion, we will work with
[entity] staff to obtain information needed for the audit. Assistance needed from [entity]
staff may include preparing schedules or analyses; locating, copying, and providing
selected documents; and participating in meetings. We will need draft financial
statements, including all information relevant to their preparation and fair presentation,
whether obtained from within or outside of the general and subsidiary ledgers (including
all information relevant to the preparation and fair presentation of note disclosures), and
any other information to be included in [entity’s] [insert name of annual report, e.g.,
agency financial report] in sufficient time for us to complete our audit in accordance
with the proposed timetable. We will discuss this assistance with [entity] staff and arrive
at mutually acceptable time frames.
We will conduct an entrance conference with [entity] staff on [or by] [date]. We plan to
issue our report on a mutually agreed-upon date. [Insert any additional details as
appropriate regarding report timing.] We will also provide periodic status reports on
our work upon your request. If we encounter problems that will affect the reporting date,
we will discuss them with you in a timely manner. We look forward to working with
[entity] and appreciate its cooperation in working with us to complete the audit in a
timely manner.
Pursuant to [include reference to audit reimbursement authority], our audit of
[entity] is performed on a reimbursable basis. The total cost to perform the fiscal year
[20X2] audit will depend on the nature of the issues we identify and the amount of staff
resources needed to complete the audit. [Consider including additional details as
appropriate for any contracted services to be reimbursed, such as those for
information systems controls or specialists.] We plan to submit a bill to you each
month reflecting the actual costs incurred.
This assignment will be conducted under my direction, with assistance from [name and
title of manager], who can be reached at [phone number] or by email at [email], and
[name and title of site auditor], who can be reached at [phone number] or by email at
[email].
The attached acknowledgment page should be signed by management [and the
addressee, if contracting party is other than management] and returned to us to
indicate your acknowledgment of, and agreement with, the terms and arrangements of
our audit of the financial statements and to indicate management’s acknowledgment and
understanding of our respective responsibilities.
Should this letter not represent your understanding of the nature of this engagement, or
should you have any questions or need further information, please contact me at [phone
number] or by email at [email].
We look forward to a successful engagement.
Sincerely yours,
[Auditor’s name and title]
cc: CFO of [entity]
Inspector General of [entity]
[Others, as applicable]
Management’s Acknowledgment of the Audit Engagement Terms
On behalf of [entity] and its management, I acknowledge and agree to the (1) terms and
arrangements described above for the audit of [entity]’s financial statements, including
our respective responsibilities, and (2) auditor’s scope of work and related reporting on
[entity]’s
• financial statements, required supplementary information (including management’s
  discussion and analysis) [omit if not applicable], and other information to be
  included in [entity’s] [insert name of annual report, e.g., agency financial report]
  [omit if not applicable];
• internal control over financial reporting;
• financial management systems’ substantial compliance with the three requirements
  of the Federal Financial Management Improvement Act of 1996 [omit if not
  applicable]; and
• compliance with laws, regulations, contracts, and grant agreements.
_______________________________________ _____________________
Signature Date
[Name and Title]
_______________________________________ _____________________
Signature Date
[Name and Title]
[NOTE: REQUIRED TO BE SIGNED BY MANAGEMENT. SIGNERS SHOULD
GENERALLY BE THE SAME OFFICIALS WHOM THE AUDITOR WILL REQUEST
SIGN THE MANAGEMENT REPRESENTATION LETTER. MAY INCLUDE
ADDITIONAL PARTIES INVOLVED WITH CONTRACTING FOR THE AUDIT.]
215 B Sample Letter to Those Charged with Governance
[Auditor letterhead]
[Date]
[Address to board or commission responsible for the entity, an audit committee,
secretary of a cabinet-level department, senior executives and financial managers,
or congressional committees in their role as those charged with governance.]
Dear _____________:
This letter is to inform you that we will soon begin [or have recently begun] our audit of
the fiscal year 20X2 financial statements of the [full name of the entity (entity
abbreviation)]. We [held or will hold] an entrance conference with officials of [entity]
on [date].
[If mandated:] We are responsible for conducting audits of the financial statements of
[entity] in accordance with [cite legal or contract authority]. [If requested:] As
requested in your letter of [date] [or as discussed with your staff], we will conduct an
audit of financial statements of [entity]. [If auditor’s statutory authority:] Under our
audit authority [cite legal or contract authority], we will conduct an audit of financial
statements of [entity]. We plan to issue our report by [date].
A copy of our [date] audit engagement letter to [entity or inspector general] is
attached.¹⁵ This letter explains the nature of the engagement, our responsibilities as
auditors, and the responsibilities of [entity] management.
We will provide periodic status reports on our work upon your request. We will also notify
you when we will provide a draft report to [entity] for comment and can provide a copy
to you for informational purposes upon your request. Should this letter and the attached
engagement letter not represent your understanding of the nature of this engagement, or
should you have any questions, please contact me at [phone number] or by email at
[address], or [second auditor contact and title], at [phone number] or by email at
[address].
Sincerely yours,
[Auditor name and title]
Enclosure
¹⁵ Sample engagement letter from FAM 215 A.
220 Understand the Entity’s Operations
.01 The objective of the auditor is to identify and assess the risks of material
misstatement, whether due to fraud or error, at the financial statement and
relevant assertion levels through understanding the entity and its environment,
including the entity’s internal control. This provides the basis for designing and
implementing responses to the assessed risks of material misstatement. In
planning the audit, the auditor gathers information to obtain an overall
understanding of the entity, including its origin and history, size and location,
organization, mission, business, strategies, inherent risks, fraud risks, control
environment, entity risk assessment from both internal and external sources,
information and communication, and monitoring.
Understanding the entity’s operations in the planning process enables the auditor
to identify and respond to risks of material misstatement at the assertion level
and to resolve accounting and auditing problems early in the audit. Based on an
appropriate understanding of the entity and its environment, including its internal
control, the auditor should assess the risks of material misstatement at the
financial statement and relevant assertion levels, as discussed in the planning
and internal control phases of the FAM, and then should respond to those
identified risks when designing the nature, extent, and timing of further audit
procedures to be performed in the internal control and testing phases of the
audit.
.02 The auditor should obtain an understanding of the entity and its environment that,
in the auditor’s judgment, is sufficient to meet the objective in FAM 220.01,
including
a. the nature of the entity (AU-C 315.12b);
b. the legal and regulatory framework applicable to the entity and how the entity
is complying with the framework (AU-C 250.12);
c. the financial reporting framework applicable to the entity (U.S. GAAP),
including the use of accounting estimates and the entity’s relationships and
transactions with disclosure entities, related parties, and public-private
partnerships (AU-C 315.12a, 540.08, and 550.14 through .15);
d. the identification and assessment of the risks of material misstatement for
accounting estimates and the entity’s relationships and transactions with
disclosure entities, related parties, and public-private partnerships (AU-C
540.08 and 550.12 and FAM 220.07 through .08);
e. external factors affecting operations, including any industry factors
(AU-C 315.12a);
f. internal factors affecting operations, including the entity’s objectives and
strategies and those related business risks that may result in risks of material
misstatement (AU-C 315.12d);
g. measurement and review of the entity’s financial performance
(AU-C 315.12e); and
h. the entity’s selection and application of accounting policies, including the
reasons for changes thereto. The auditor should evaluate whether the entity’s
accounting policies are appropriate for its business and consistent with the
applicable financial reporting framework (U.S. GAAP) and accounting policies
used in the relevant industry (AU-C 315.12c).
Additional guidance on obtaining an understanding of these areas is included in
AU-C 315, appendix A, and AU-C 315.A26 through .A49.
.03 As part of understanding the entity and its environment, the auditor should obtain
an understanding of the design of internal controls that are relevant to the audit
and determine whether they have been implemented. Internal control relevant to
the audit includes the design of each of the components of internal control
(control environment, entity risk assessment, information and communication,
control activities, and monitoring). See FAM 260.
.04 The auditor should obtain an understanding of the nature of the entity for
purposes of planning the audit. Elements include
• origin and history of the entity;
• mission and strategic goals of the entity;
• size and locations of the entity;
• organizational structure of the entity (centralized or decentralized), including
  use of service organizations (see FAM 310.11 and FAM 640 for further
  details on service organizations);
• the way that the entity is structured and how it is financed, to enable the
  auditor to understand the classes of transactions, account balances, and
  disclosures to be expected in the financial statements (AU-C 315.12b.iv);
• key members of management; and
• the complexity of operations.
.05 The laws, regulations, contracts, and grant agreements applicable to the entity
constitute its legal and regulatory framework. The auditor should obtain a general
understanding of the framework, such as
• the laws, regulations, contracts, and grant agreements that directly determine
  the amounts and disclosures in the financial statements and
• other laws, regulations, contracts, and grant agreements that might have a
  fundamental effect on the entity’s operations.
The auditor should also obtain a general understanding of how the entity is
complying with the framework, such as
• ensuring and documenting compliance;
• preventing noncompliance; and
• identifying, evaluating, and accounting for litigation, contract, and grant
  agreement claims, or a combination of these. (AU-C 250.12 and .A8)
.06 For accounting estimates and relationships and transactions with disclosure
entities, related parties, and public-private partnerships, the auditor should obtain
an understanding of the items discussed in FAM 220.07 through .08.
.07 For accounting estimates, the auditor should obtain an understanding of the
following (AU-C 540.08):
• The requirements of the applicable financial reporting framework relevant to
  accounting estimates (U.S. GAAP), including related note disclosures.
• How management identifies those transactions, events, and conditions that
  may give rise to the need for accounting estimates to be recognized or
  disclosed in the financial statements. In obtaining this understanding, the
  auditor should make inquiries of management about changes in
  circumstances that may give rise to new, or the need to revise existing,
  accounting estimates.
• How management makes the accounting estimates and the data on which
  they are based, including
  o the method(s) and model, if applicable, used in making the accounting
    estimate;
  o relevant controls;
  o whether management has used a specialist;
  o the assumptions underlying the accounting estimates;
  o whether there has been or ought to have been a change from the prior
    period in the method(s) or assumption(s) for making the accounting
    estimates and, if so, why; and
  o whether and, if so, how management has assessed the effect of
    estimation uncertainty.
Additional requirements for accounting estimates are discussed in FAM 260
relating to risk assessment procedures and FAM 905 relating to substantive
testing.
.08 For relationships and transactions with disclosure entities, related parties, and
public-private partnerships, the auditor should inquire of management and others
within the entity regarding
• the identity of the entity’s disclosure entities, related parties, and
  public-private partnerships, including changes from the prior period;
• the nature of the relationships (including ownership structure) between the
  entity and these disclosure entities, related parties, and public-private
  partnerships;
• the business purpose of entering into a transaction with the disclosure entity,
  related party, or public-private partnership, versus with an unrelated party;
  and
• whether the entity entered into, modified, or terminated any transactions with
  these disclosure entities, related parties, and public-private partnerships
  during the period and, if so, the type and business purposes of the
  transactions (AU-C 550.14).
Additionally, the auditor should inquire of management and others within the
entity and perform other risk assessment procedures considered appropriate to
obtain an understanding of the relevant controls, if any, that management has
established to
• identify, account for, and disclose the relationships and transactions with
  disclosure entities, related parties, and public-private partnerships;
• authorize and approve significant transactions and arrangements with
  disclosure entities, related parties, and public-private partnerships; and
• authorize and approve significant unusual transactions and arrangements
  outside the normal course of business (AU-C 550.15).
Inquiries should include asking about any transactions with disclosure entities,
related parties, and public-private partnerships
• that have not been authorized and approved in accordance with the entity’s
  established policies or procedures regarding the authorization and approval
  of such transactions and
• for which exceptions to the entity’s established policies or procedures were
  granted and the reasons for granting those exceptions (AU-C 550.15).
Additional requirements for disclosure entities, related parties, and public-private
partnerships are discussed in FAM 260 relating to risk assessment procedures,
FAM 280 relating to sharing of information and maintaining alertness, FAM 904
relating to substantive testing, and FAM 550 relating to conclusions.
.09 Unless all of those charged with governance are involved in managing the entity,
the auditor should inquire of those charged with governance regarding
• their understanding of the entity’s relationships and transactions with
  disclosure entities, related parties, and public-private partnerships that are
  significant to the entity and
• whether any of those charged with governance have concerns regarding
  these relationships or transactions and, if so, the substance of those
  concerns (AU-C 550.16).
.10 For relationships with disclosure entities, the auditor should also inquire of
management to obtain an understanding of the
• nature and magnitude of relevant activity with these disclosure entities during
  the period and
• nature of the entity’s financial and nonfinancial risks, potential benefits, and
  exposure to gains and losses from past or future operations of these
  disclosure entities.
.11 For relationships with public-private partnerships, the auditor should also inquire
of management to obtain an understanding of the
• purpose, objective, and rationale for the public-private partnership and the
  relative benefits/revenues being received in exchange for the entity’s
  monetary or nonmonetary consideration;
• entity’s statutory authority for entering into the public-private partnership;
• source and amounts of the funding of the public-private partnership over its
  expected life;
• operational and financial structure of the public-private partnership, including
  the entity’s rights and responsibilities; and
• contractual risks of loss the entity is undertaking within the public-private
  partnership.
.12 The auditor should identify significant external and internal factors that affect the
entity’s operations as part of understanding the entity and its environment for
purposes of planning the audit.
External factors may include
• source(s) of funds;
• seasonal fluctuations;
• current political climate; and
• other external factors as discussed in AU-C 315.A30, such as general
  economic conditions, interest rates, and inflation.
Internal factors may include
• information technology structure, including the extent to which information
  system processing is performed externally by a service organization;
• increased workload from new or expanding programs;
• qualifications and competence of key personnel; and
• turnover of key personnel.
.13 The auditor should obtain an understanding of
• the entity’s selection and application of accounting policies, including the
  reasons for changes thereto, and whether they are appropriate for its
  activities and consistent with U.S. GAAP, including changes in U.S. GAAP
  that affect the entity, and
• whether entity management appears to follow aggressive or conservative
  accounting policies (AU-C 315.12c and .A166d).
An understanding of the entity’s selection and application of accounting policies
may encompass such matters as financial reporting standards and laws and
regulations that are new to the entity, including when and how the entity will
adopt such requirements (AU-C 315.A36). See AU-C 315.A36 for additional
matters the auditor’s understanding may encompass.
.14 The auditor also should determine whether the entity is required to report any
unaudited RSI. This includes information on
• the condition of heritage assets and stewardship land,
• deferred maintenance of federal property, and
• social insurance programs.
.15 The auditor should develop and document a high-level understanding of the
entity’s use of information systems and how these systems affect the generation
of financial statements and the RSI in the annual PAR or AFR. Because of the
technical nature of many IS controls, the auditor generally should obtain
assistance from an IS controls auditor in understanding the entity’s use of
information systems and in planning, directing, or performing audit procedures
related to assessing IS controls. The Federal Information System Controls Audit
Manual (FISCAM) may be used to develop this understanding and assess IS
controls. Additionally, an information technology specialist may assist the auditor
in understanding technical aspects of information systems and IS controls.¹⁶
.16 The auditor may gather planning information through different methods
(observation, interviews, reading policy and procedure manuals, etc.) and from a
variety of sources, including
• top-level entity management;
• entity management responsible for significant programs;
• the IG office and internal audit management (including any internal control
  officer);
• others in the audit organization concerning other completed, planned, or
  in-progress assignments;
• personnel in the Special Investigator Unit; and
• entity legal representatives.
.17 The auditor may gather information from relevant reports and articles issued by
or about the entity, including
• the entity’s prior PARs, AFRs, or annual reports;
• other financial information;
• Federal Managers’ Financial Integrity Act of 1982 (FMFIA) reports and
  supporting documentation;¹⁷
• management or auditor reports about financial management systems’
  substantial compliance with the three FFMIA requirements (for CFO Act
  agencies only);
• the entity’s budget and related reports on budget execution;
• GAO reports (including those for performance audits);
• IG and internal audit reports (including those for performance audits and
  other work);
• congressional hearings and reports;
• consultants’ reports; and
• material published about the entity in newspapers, magazines, internet sites,
  and other publications.
¹⁶ An information technology specialist differs from an IS controls auditor. An information technology specialist
possesses special skills or knowledge in the information technology field that extend beyond the skills and knowledge
normally possessed by those working in specialized fields of auditing, such as IS controls auditing. Auditors and IS
controls auditors may decide to seek the assistance of an information technology specialist to complete various
aspects of the engagement.
¹⁷ FMFIA was repealed, but provisions remain codified at 31 U.S.C. § 3512(c), (d). These provisions are still
commonly referred to as FMFIA. Because of the common usage of the act’s name, the FAM will continue to refer to
FMFIA. However, auditors should correctly cite the applicable provisions in their reports. See FAM 595 A.
.18 Audit documentation from prior-year audits may contain useful information for
planning the current-year audit. The auditor should determine whether changes
have occurred since the previous audit that may affect its relevance to the
current audit (AU-C 315.10). The auditor should update any prior-year
information that is to be used as part of the current-year audit documentation so
that it reflects the current-year operations, environment, risks, and so forth.
If a different auditor performed the prior-year audit, the current-year auditor
should address the need for access to that audit documentation as part of the
current-year audit contract. As discussed in AU-C 510.A7, the extent, if any, to
which a predecessor auditor permits access to its audit documentation is a
matter of professional judgment.
225 Perform Preliminary Analytical Procedures
.01 Based on AU-C 315.06b, as part of the risk assessment procedures, the auditor
should perform preliminary analytical procedures to
• understand the entity’s business, including current-year transactions and
  events;
• identify account balances, transactions, ratios, or trends that may signal risks
  of material misstatement, including any risks related to fraud (see FAM 260);
  and
• determine the nature, extent, and timing of further audit procedures to be
  performed.
.02 There may be situations in which the auditor may not be able to perform
preliminary analytical procedures; this often relates to the reliability of
comparative information. For example, in a first-year audit, comparative
information might be unreliable. Therefore, preliminary analytical procedures may
be limited. Additionally, for some accounts, it may be difficult to perform
preliminary analytical procedures on an interim basis because of the lack of
reliable information until year-end.
.03 The auditor generally should perform the following steps to achieve the
objectives of preliminary analytical procedures:
a. Develop expectations. The auditor develops expectations for account
balances based on plausible relationships that are reasonably expected to
exist. For example, as loan activity increases, the auditor would also expect
loans receivable balances to increase. If the loans receivable balances
decreased, the auditor should make inquiries to understand why. A decrease
could be caused by higher loan payoffs, write-offs, or some other logical
reason. However, the decrease could also have occurred because of an error
or fraud.
The financial data used in preliminary analytical procedures generally are
summarized at a high level, such as the level of financial statements. If
financial statements are not available, the auditor may use trial balances, the
budget, or financial summaries to determine expectations for the entity’s
financial position and results of operations. When preliminary analytical
procedures use data summarized at a high level, the results of these
procedures provide only a broad initial indication about whether a material
misstatement may exist. The auditor should consider the results of these
procedures along with other information gathered when identifying risks of
material misstatement.
b. Compare current-year amounts to expectations. Use of unaudited
comparative data may not allow the auditor to identify significant fluctuations,
particularly if an item consistently has been treated incorrectly, for example, if
all accruals were not recorded. Also, the auditor may identify fluctuations that
are not really fluctuations because of errors or omissions in unaudited
comparative data.
Key to effective preliminary analytical procedures is using information that is
comparable in terms of the time period presented and the presentation (i.e.,
same level of detail and consistent grouping of detailed accounts into
summarized amounts used for comparison).
The auditor may perform ratio analysis on current-year data and compare the
current year’s ratios with expectations based on those derived from prior
periods or budgets. The auditor does this to study the relationships among
components of the financial statements and to increase auditor knowledge of
the entity’s activities. The auditor uses ratios that are relevant indicators or
measures for the entity. Also, the auditor should consider any trends in the
entity-prepared performance indicators.
c. Identify significant fluctuations. The auditor identifies fluctuations, which
are differences between the recorded amounts and the amounts expected by
the auditor, based on comparative financial information and the auditor’s
knowledge of the entity. Fluctuations refer to both unexpected differences
between current-year amounts and comparative financial information as well
as the absence of expected differences.
The auditor generally should establish parameters for identifying significant
fluctuations. When setting these parameters, the auditor may consider the
amount of a fluctuation in terms of absolute size, the percentage difference,
or both. The amount and percentage used are usually based on materiality.
An example of a parameter is “All fluctuations in excess of $10 million and/or
15 percent of the expectation or other unusual fluctuations (such as debit
amounts in accounts having normally credit balances) will be considered
significant.”
d. Inquire about significant fluctuations. Fluctuations may result from errors
or fraud, from changes in operations, or from changes in the entity
organization that the auditor did not consider when determining expectations.
The auditor should discuss identified fluctuations with appropriate entity
personnel. This discussion should focus on whether the fluctuation could
result from error or fraud and whether the auditor adequately understands the
entity’s operations. In doing this, the auditor should consider the types of
errors or fraud that could have caused the fluctuations.
For preliminary analytical procedures, the auditor does not need to
corroborate the explanations as they will be tested later. However, the auditor
should determine whether the explanations obtained appear reasonable and
consistent. If the entity personnel indicate that the operations or organization
has changed, the auditor may adjust the expectations and then determine
whether there is still a significant fluctuation. The inability of appropriate entity
personnel to explain the cause of a fluctuation may indicate risk of material
misstatement due to control, fraud, or inherent risk.
.04 The auditor should consider the results of preliminary analytical procedures in
assessing the risks of material misstatement due to error or fraud (see FAM 260).
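The screening described in steps a through c, as an added example that is not part of the manual. The account names, balances, sign convention (debit positive, credit negative), and the reading of "and/or" as "either test" are assumptions of the example; the $10 million and 15 percent values are the sample parameter quoted in step c.

```python
from dataclasses import dataclass
from decimal import Decimal

# Sample parameter quoted in FAM 225.03 c. The manual says "and/or"; this
# example flags an item when either test is met (an assumption of the example).
AMOUNT_THRESHOLD = Decimal("10000000")   # $10 million
PERCENT_THRESHOLD = Decimal("0.15")      # 15 percent of the expectation


@dataclass(frozen=True)
class LineItem:
    name: str
    normal_side: str       # "debit" or "credit": where the balance normally sits
    expectation: Decimal   # auditor's expectation, debit positive, credit negative
    recorded: Decimal      # current-year recorded amount, same sign convention


def expectation_from_driver(prior_balance, driver_change):
    """Step a: scale a prior balance by the change in a related activity."""
    return prior_balance * (Decimal(1) + driver_change)


def screen(item):
    """Steps b and c: return the reasons an item is significant (empty if none)."""
    reasons = []
    difference = abs(item.recorded - item.expectation)
    if difference > AMOUNT_THRESHOLD:
        reasons.append("amount")
    # The multiplicative form avoids dividing by a zero expectation: any
    # nonzero amount recorded against an expectation of zero is flagged.
    if difference > PERCENT_THRESHOLD * abs(item.expectation):
        reasons.append("percent")
    # "Other unusual fluctuations": a balance on the side opposite to normal.
    on_debit_side = item.recorded > 0
    if item.recorded != 0 and on_debit_side != (item.normal_side == "debit"):
        reasons.append("abnormal balance")
    return reasons


def significant_fluctuations(items):
    """Map each flagged line item to the reasons it was flagged."""
    flagged = {}
    for item in items:
        reasons = screen(item)
        if reasons:
            flagged[item.name] = reasons
    return flagged


M = Decimal("1000000")

# Constructed trial-balance extract. Loan activity rose 20 percent, so the
# expected loans receivable balance is the prior $500 million scaled up.
SAMPLE = [
    LineItem("Loans receivable", "debit",
             expectation_from_driver(500 * M, Decimal("0.20")), 505 * M),
    LineItem("Accounts payable", "credit", -40 * M, -43 * M),
    LineItem("Accrued payroll", "credit", -8 * M, Decimal(0)),
    LineItem("Advances from others", "credit", -2 * M, Decimal("150000")),
]

if __name__ == "__main__":
    for name, reasons in significant_fluctuations(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Loans receivable moved only 1 percent from the prior year, yet it is flagged because the expectation built from loan activity was $600 million: the absence of an expected difference is itself a fluctuation.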
230 Determine Materiality
.01 Materiality is one of several factors the auditor uses to determine the nature,
extent, and timing of procedures. Misstatements, including omissions, are
considered to be material if there is a substantial likelihood that, individually or in
the aggregate, they would influence the judgment made by a reasonable user
based on the financial statements.[18] Judgments about materiality are made in
light of surrounding circumstances and are affected by the size or nature of a
misstatement, or a combination of both. Judgments about materiality involve both
quantitative and qualitative considerations, such as the public accountability of
the entity under audit, various legal and regulatory requirements, and the visibility
and sensitivity of government programs. Judgments about matters that are
material to users of the financial statements are based on a consideration of the
common financial information needs of users as a group. The possible effect of
misstatements on specific individual users, whose needs may vary widely, is not
considered (AU-C 320.02).
.02 When establishing the overall audit strategy, the auditor should determine
materiality for the financial statements as a whole (AU-C 320.10).
.03 Materiality is based on the concept that items of little importance, which would
not affect the judgment or conduct of a reasonable user, do not require auditor
investigation. Materiality has both quantitative and qualitative aspects. Even
though quantitatively immaterial, certain misstatements or omissions could be
qualitatively material.
.04 For example, intentional misstatements or omissions (fraud) usually are more
critical to the financial statement users than are unintentional errors of equal
amounts. This is because users generally consider an intentional misstatement
more serious than clerical errors of the same amount.
.05 U.S. generally accepted auditing standards (U.S. GAAS), as incorporated in
GAGAS, indicate that the auditor should use materiality in planning and
performing the audit; evaluating the effect of identified misstatements on the
audit, and the effect of uncorrected misstatements, if any, on the financial
statements; and forming the opinion in the auditor’s report (AU-C 320.05).
.06 The term materiality is used within several contexts in the FAM. The FAM uses
the following terms that relate to materiality:
Materiality for the financial statements as a whole is based on
professional judgment and is a preliminary estimate in relation to the financial
statements as a whole, primarily based on quantitative measures. It is used
to determine performance materiality, which in turn is used to determine
tolerable misstatement. These are then used to determine the risks of
material misstatement and the nature, extent, and timing of substantive audit
procedures. It is also used to identify significant provisions of applicable laws,
regulations, contracts, and grant agreements for compliance testing.
[18] Statement of Federal Financial Accounting Concepts (SFFAC) 1, Objectives of Federal Financial Reporting, issued
by FASAB provides a slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1,
the board recognizes differences from the audit definition, the FAM is based on the definition provided in AU-C
200.07.
Performance materiality is the amount or amounts set by the auditor as a
portion of materiality that the auditor allocates to particular line items,
accounts, classes of transactions (such as disbursements), or note
disclosures. The auditor should determine performance materiality for
purposes of assessing the risks of material misstatement and determining the
nature, timing, and extent of further audit procedures (AU-C 320.11).
Performance materiality is set to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements
in the financial statements exceeds materiality for the financial statements as
a whole (AU-C 320.09). The auditor usually sets this amount the same for all
line items or accounts as this amount is usually sufficient for testing (except
for specific circumstances and certain intragovernmental or offsetting
balances, as discussed in FAM 230.10).
Tolerable misstatement is the application of performance materiality to a
particular substantive sampling procedure. Tolerable misstatement is defined
in AU-C 530.05 as a monetary amount set by the auditor in respect of which
the auditor seeks to obtain an appropriate level of assurance that the
monetary amount set by the auditor is not exceeded by the actual
misstatement in the population. Based on the auditor’s judgment, the auditor
may set tolerable misstatement equal to or less than performance materiality,
as discussed in FAM 230.13, and may set different amounts of tolerable
misstatement for substantive sampling procedures of specific line items or
accounts or assertions.
Clearly trivial is the amount below which misstatements would not need to
be accumulated because the auditor expects that the accumulation of such
amounts clearly would not have a material effect on the financial statements.
Misstatements that are clearly trivial are those that are clearly
inconsequential, whether taken individually or in the aggregate and whether
judged by any criteria of size, nature, or circumstances (AU-C 450.A2 and
.A3). The clearly trivial amount set by the auditor should be substantially
below performance materiality so that the aggregate of many items at the
clearly trivial amount would not exceed tolerable misstatement. For example,
a threshold that is 5 percent (or less) of performance materiality may be
sufficiently low.
.07 The FAM also uses the term materiality in the reporting phase.
• FMFIA materiality is the threshold that management establishes for
determining whether a matter meets OMB criteria for reporting matters under
FMFIA, as described in FAM 580.60 and .61.
• Management representation letter materiality. See FAM 1001.07.
• Legal counsel materiality. See FAM 1002.19 through .22.
.08 The following guidelines provide the auditor with a framework for determining
materiality. However, this framework is not a substitute for professional judgment.
The auditor may determine materiality outside of these guidelines. In such
circumstances, the audit director should discuss the basis for the determination
with the reviewer. The auditor should document materiality and the method of
determining materiality. The audit director should review and approve the
documentation.
The auditor should determine materiality in relation to the element of the financial
statements that the auditor judges is most significant to the primary users of the
statements (the materiality benchmark). If, in the specific circumstances of the
entity, one or more particular classes of transactions, account balances, or note
disclosures exist for which there is a substantial likelihood that misstatements of
lesser amounts than materiality for the financial statements as a whole would
influence the judgment made by a reasonable user based on the financial
statements, the auditor also should determine the materiality level or levels to be
applied to those particular classes of transactions, account balances, or note
disclosures (AU-C 320.10).
The auditor generally uses preliminary information to estimate the materiality
benchmark. This may be prior years’ audited financial statements or current-year
unaudited and unadjusted interim information. The auditor should revise
materiality for the financial statements as a whole (and, if applicable, the
materiality level or levels for particular classes of transactions, account balances,
or note disclosures) in the event of becoming aware of information during the
audit that would have caused the auditor to have determined a different amount
(or amounts) initially (AU-C 320.12).
To provide reasonable assurance that sufficient audit procedures are performed,
the auditor may estimate the materiality benchmark at the low end of the possible
materiality benchmark. If the auditor concludes that a lower materiality than that
initially determined for the financial statements as a whole (and, if applicable,
materiality level or levels for particular classes of transactions, account balances,
or note disclosures) is appropriate, the auditor should determine whether it is
necessary to revise performance materiality and whether the nature, timing, and
extent of the further audit procedures remain appropriate (AU-C 320.13).
.09 For capital-intensive entities, total assets may be an appropriate materiality
benchmark. For expenditure-intensive entities, total expenses may be an
appropriate materiality benchmark. Based on these concepts, the auditor
generally should use as the materiality benchmark the greater of total assets or
expenses. The materiality benchmark generally should be net of adjustments for
intragovernmental balances and offsetting balances (see discussion of these
adjustments in the next paragraph). The auditor may use other materiality
benchmarks, such as total liabilities; equity; revenues; appropriations; or, if
significant, line items.
If the statements are significantly different in magnitude, it may be appropriate to
use different benchmarks to avoid over- or underauditing. For example, if an
entity has a statement of social insurance with significantly large amounts
compared to the statement of net cost, and the auditor uses total expenses from
the statement of net cost as a benchmark, this could result in overauditing the
statement of social insurance. Therefore, the auditor may determine a separate
benchmark for the statement of social insurance.
The key is to use a materiality benchmark or benchmarks that the auditor
believes are most critical to the users of the financial statements. This requires
that the auditor understand users and the entity and the environment in which it
operates.
.10 In determining the materiality benchmark, the auditor should decide how to
handle significant intragovernmental balances (such as funds with the U.S.
Treasury, U.S. Treasury securities, and inter-entity balances) and offsetting
balances (such as future funding sources that offset certain liabilities and
collections that are offset by transfers to other government entities) because of
their different risks. Further, combining all of the accounts may distort the
auditor’s judgment when designing the nature, extent, and timing of audit
procedures. Because these amounts were removed from the materiality
benchmark, as discussed in the previous paragraph, the auditor generally should
establish a separate materiality benchmark for significant intragovernmental or
offsetting balances.
For example, an entity that collects and remits funds on behalf of other entities
could have operating accounts that are small in comparison to the funds
processed on behalf of other entities. In this example, the auditor would
determine a separate materiality for auditing (1) the offsetting accounts, using the
balance of the offsetting accounts as the materiality benchmark, and (2) the rest
of the financial statements, using the materiality benchmark guidance in FAM
230.09.
.11 The auditor generally should set materiality at 3 percent of the materiality
benchmark. Although the auditor may use a mechanical means to compute
materiality, the auditor should use judgment in evaluating whether the computed
level is appropriate. The auditor also should consider adjusting the materiality
benchmark for the impact of items such as unrecorded liabilities, contingencies,
and other items that are not incorporated in the entity’s financial statements and
therefore are not reflected in the materiality benchmark but may be important to
the financial statement user.
.12 The auditor generally should set performance materiality at one-third of
materiality to allow for the precision of audit procedures. This guideline
recognizes that misstatements may occur throughout the entity’s various
accounts. The performance materiality represents the materiality used as a
starting point to design audit procedures for assertions in line items or accounts.
Doing so allows the auditor to detect an aggregate material misstatement in the
financial statements, as discussed in FAM 260.04. See FAM 545.02 for
consideration of this precision allowance when evaluating the effects of
misstatements on the financial statements for the purpose of reporting on the
financial statements. The auditor may set a separate performance materiality
level for a particular class of transactions, account balance, or note disclosure.
.13 The auditor generally sets tolerable misstatement for a specific test the same as
for the performance materiality. However, the auditor may set a tolerable
misstatement lower than the performance materiality for substantive sampling
procedures of specific line items and assertions (which increases the extent of
testing), particularly when
• the population from which the audit sample is selected approximates or is
lower than the line item or account balance being tested or
• the area tested is sensitive to the financial statement users or may be
qualitatively material.
.14 The materiality levels that the auditor sets should be used only by the auditor for
planning and performing the audit and should not be used by management.
Management should establish its own materiality for reporting purposes.
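The chain of amounts in FAM 230.09 through .13, as an added example that is not part of the manual. The entity figures are constructed, and two choices are assumptions of the example: netting each total before taking the greater of the two, and rounding down to whole dollars. The rates are the manual's general guidelines and remain subject to the auditor's judgment.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN

MATERIALITY_RATE = Decimal("0.03")      # FAM 230.11: 3 percent of the benchmark
CLEARLY_TRIVIAL_RATE = Decimal("0.05")  # FAM 230.06: 5 percent (or less) of
                                        # performance materiality


@dataclass(frozen=True)
class Levels:
    benchmark: Decimal
    materiality: Decimal
    performance_materiality: Decimal
    clearly_trivial: Decimal


def whole_dollars(amount):
    # Rounding down is a choice of this example, not a rule from the manual.
    return amount.quantize(Decimal("1"), rounding=ROUND_DOWN)


def net_benchmark(total_assets, total_expenses,
                  asset_adjustments, expense_adjustments):
    """FAM 230.09: greater of total assets or total expenses, net of the
    intragovernmental and offsetting balances removed from each."""
    for total, removed in ((total_assets, asset_adjustments),
                           (total_expenses, expense_adjustments)):
        if removed < 0 or removed > total:
            raise ValueError("adjustment must lie between zero and the total")
    return max(total_assets - asset_adjustments,
               total_expenses - expense_adjustments)


def levels_for(benchmark):
    """Derive materiality, performance materiality, and clearly trivial."""
    if benchmark <= 0:
        raise ValueError("benchmark must be positive")
    materiality = whole_dollars(benchmark * MATERIALITY_RATE)
    performance = whole_dollars(materiality / 3)   # FAM 230.12: one-third
    trivial = whole_dollars(performance * CLEARLY_TRIVIAL_RATE)
    return Levels(benchmark, materiality, performance, trivial)


def tolerable_misstatement(levels, proposed=None):
    """FAM 230.13: generally the same as performance materiality; a lower
    amount may be set for a specific substantive sampling procedure."""
    if proposed is None:
        return levels.performance_materiality
    if proposed <= 0 or proposed > levels.performance_materiality:
        raise ValueError("must be positive and at most performance materiality")
    return proposed


M = Decimal("1000000")

# Constructed entity in the spirit of the FAM 230.10 example: $2,400 million
# of total assets, of which $1,500 million is offsetting balances held on
# behalf of other entities, and $600 million of total expenses.
OFFSETTING = 1500 * M
OPERATING = levels_for(net_benchmark(2400 * M, 600 * M, OFFSETTING, Decimal(0)))
CUSTODIAL = levels_for(OFFSETTING)   # separate benchmark per FAM 230.10

if __name__ == "__main__":
    for label, lv in (("operating", OPERATING), ("offsetting", CUSTODIAL)):
        print(label, lv.materiality, lv.performance_materiality, lv.clearly_trivial)
```

Left unadjusted, the $2,400 million of total assets would give a performance materiality of $24 million for the operating accounts, against $9 million once the offsetting balances are removed and audited under their own benchmark.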
235 Identify Significant Line Items, Accounts, and
Assertions
.01 The auditor should identify significant line items and accounts in the financial
statements and significant related financial statement assertions. These line
items and accounts include budget-related information, such as that presented in
the statement of budgetary resources; the reconciliation of the net cost of
operations to budget note; and disclosure of the components of net position. The
auditor should perform appropriate control and substantive tests for each
significant assertion for each significant line item and account. By identifying
significant line items, accounts, and the related assertions early in the planning
process, the auditor is more likely to design effective and efficient audit
procedures. Some insignificant line items, accounts, and assertions may not
warrant substantive audit tests if they are not significant in the aggregate.
However, some line items and accounts with zero or unusual balances may
warrant testing, particularly with regard to the completeness assertion.
.02 Financial statement assertions, as presented in AU-C 315, are management
representations that are embodied in financial statement components. Most of
the auditor’s work in forming an opinion on financial statements consists of
obtaining and evaluating sufficient appropriate evidence concerning the
assertions in the financial statements. The assertions can be either explicit or
implicit. The FAM classifies assertions into the following five broad categories:
1. Existence or occurrence: Transactions and events have occurred during
the given period, have been recorded in the proper accounts, and pertain to
the entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts.
Projected revenues and expenditures in the sustainability financial
statements are valid.
2. Completeness: All transactions and events that should have been recorded
have been recorded in the proper period and accounts. All assets, liabilities,
net position, and budgetary balances that should have been recorded have
been recorded in the proper period and accounts, and are properly included
in the financial statements. Projections in the sustainability financial
statements include all estimated future revenues and expenditures at present
value that should have been included.
3. Rights and obligations: The entity holds or controls the rights to assets, and
liabilities are the obligations of the entity, at a given date. The entity holds or
controls the rights to budgetary resources, and budgetary obligations pertain
to the entity, at a given date.
4. Accuracy, valuation, and allocation: Amounts and other data relating to
recorded transactions and events have been appropriately recorded.[19]
Assets, liabilities, net position, budgetary balances, and projections in the
sustainability financial statements have been included in the financial
statements at appropriate amounts, and any resulting valuation or allocation
adjustments have been appropriately recorded.
[19] Other data include information that is recorded along with the transaction amount and are necessary for the proper
recording of the transaction, such as transaction description, transaction date, trading partner, cost center, fund code,
and other accounting codes the entity uses.
5. Presentation and disclosure: Financial and other information in the
financial statements is appropriately aggregated or disaggregated and clearly
described. Note disclosures are appropriately measured and described and
are relevant and understandable in the context of the requirements of U.S.
GAAP. All note disclosures that should have been included in the financial
statements have been included. Disclosed transactions and events have
occurred and pertain to the entity.
AU-C 315 contains 12 assertions within two categories. See FAM 235.08 for a
comparison of the above five assertions to the 12 assertions in AU-C 315.
.03 The auditor should determine whether each line item or account in the financial
statements is significant. A significant item usually has one or more of the
following characteristics:
• Its balance or activity equals or exceeds performance materiality.
• A high risk of material misstatement (combined inherent and control risk, as
discussed in FAM 260.02) is associated with one or more assertions relating
to the line item or account. For example, a zero or unusually small balance
account may have a high risk of material misstatement with respect to the
completeness assertion.
• Special audit concerns, such as legal or regulatory requirements, warrant
added consideration.
The auditor should determine whether any accounts considered individually
insignificant are significant in the aggregate.
.04 An assertion is significant (relevant) if misstatements in the assertion could
exceed performance materiality for the related line item, account, or note
disclosure. Additionally, in determining whether a particular assertion is relevant
to a significant account balance or note disclosure, the auditor should evaluate
(1) the nature of the assertion; (2) the volume of transactions or data related to
the assertion; and (3) the nature and complexity of the systems, including both
manual and information systems, the entity uses to process and control
information supporting the assertion (see FAM 270).
.05 Certain assertions for a specific line item or account, such as completeness and
disclosure, could be significant even though the recorded balance of the related
line item or account is not material. For example, (1) the completeness assertion
could be significant for an accrued payroll account with a high risk of material
understatement even if its recorded balance is zero and (2) the disclosure
assertion could be significant for a loss contingency even if no amount is required
to be recorded.
.06 Assertions are likely to vary in degree of significance, and some assertions may
be insignificant or irrelevant for a given line item or account. For example,
• the completeness assertion for liabilities may be of greater significance than
the existence assertion for liabilities and
• all assertions related to an account that is not significant (as defined in
FAM 235.03) are considered to be insignificant.
.07 The auditor should document significant line items, accounts, and relevant
assertions in the Line Item Risk Analysis (LIRA) or other appropriate audit
planning documentation (see FAM 395 H). The auditor should also document
assertions related to budget-related balances and transactions included in the
financial statements in the LIRA or other audit documentation. FAM 395 F
provides detailed control objectives for budget-related information.
.08 AU-C 315.A133 identifies two categories of assertions: (1) classes of
transactions and events, and note disclosures, for the period under audit and (2)
account balances, and note disclosures, at the period end. Within these two
categories, AU-C 315 identified 12 assertions. The auditor may use these
assertions or may express them differently, provided all the aspects of the
assertions are addressed (AU-C 315.A132). Table 235.1 compares the
expanded assertions in AU-C 315 to the assertions in FAM 235.02.
Table 235.1: Comparison of AU-C 315 Assertions to FAM 235.02 Assertions [20]
[20] For each AU-C 315 assertion listed in the left column, the table lists the related FAM 235.02 assertion(s) in the right
column, with the corresponding aspects of the assertion(s) in bold font.
I. Assertions about classes of transactions and events, and note disclosures, for the
period under audit
AU-C 315 assertion:
1. Occurrence: Transactions and events that have been recorded or disclosed have
occurred, and such transactions and events pertain to the entity.
FAM 235.02 assertions:
1. Existence or occurrence: Transactions and events have occurred during the
given period, have been recorded in the proper accounts, and pertain to the
entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts. Projected
revenues and expenditures in the sustainability financial statements are valid.
5. Presentation and disclosure: Financial and other information in the financial
statements is appropriately aggregated or disaggregated and clearly described.
Note disclosures are appropriately measured and described and are relevant and
understandable in the context of the requirements of U.S. GAAP. All note
disclosures that should have been included in the financial statements have
been included. Disclosed transactions and events have occurred and pertain to
the entity.
AU-C 315 assertion:
2. Completeness: All transactions and events that should have been recorded have
been recorded, and all related disclosures that should have been included in the
financial statements have been included.
FAM 235.02 assertions:
2. Completeness: All transactions and events that should have been recorded have
been recorded in the proper period and accounts. All assets, liabilities, net
position, and budgetary balances that should have been recorded have been
recorded in the proper period and accounts and properly included in the
financial statements. Projections in sustainability financial statements include
all estimated future revenues and expenditures at present value.
5. Presentation and disclosure: Financial and other information in the financial
statements is appropriately aggregated or disaggregated and clearly described.
Note disclosures are appropriately measured and described and are relevant and
understandable in the context of the requirements of U.S. GAAP. All note
disclosures that should have been included in the financial statements have
been included. Disclosed transactions and events have occurred and pertain to
the entity.
AU-C 315 assertion:
3. Accuracy: Amounts and other data relating to recorded transactions and events
have been recorded appropriately, and related disclosures have been
appropriately measured and described.
FAM 235.02 assertions:
4. Accuracy, valuation, and allocation: Amounts and other data relating to
recorded transactions and events have been recorded appropriately. Assets,
liabilities, net position, budgetary balances, and projections in sustainability
financial statements have been included in the financial statements at
appropriate amounts, and any resulting valuation or allocation adjustments have
been appropriately recorded.
5. Presentation and disclosure: Financial and other information in the financial
statements is appropriately aggregated or disaggregated and clearly described.
Note disclosures are appropriately measured and described and are relevant and
understandable in the context of the requirements of U.S. GAAP. All note
disclosures that should have been included in the financial statements have
been included. Disclosed transactions and events have occurred and pertain to
the entity.
AU-C 315 assertion:
4. Cutoff: Transactions and events have been recorded in the correct accounting
period.
FAM 235.02 assertions:
1. Existence or occurrence: Transactions and events have occurred during the
given period, have been recorded in the proper accounts, and pertain to the
entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts. Projected
revenues and expenditures in sustainability financial statements include all
estimated future revenues and expenditures at present value.
2. Completeness: All transactions and events that should have been recorded have
been recorded in the proper period and accounts. All assets, liabilities, net
position, and budgetary balances that should have been recorded have been
recorded in the proper period and accounts and are properly included in the
financial statements. Projections in sustainability financial statements include
all estimated future revenues and expenditures at present value.
AU-C 315 assertion:
5. Classification: Transactions and events have been recorded in the proper
accounts.
FAM 235.02 assertions:
1. Existence or occurrence: Transactions and events have occurred during the
given period, have been recorded in the proper accounts, and pertain to the
entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts. Projected
revenues and expenditures in sustainability financial statements include all
estimated future revenues and expenditures at present value.
2. Completeness: All transactions and events that should have been recorded have
been recorded in the proper period and accounts. All assets, liabilities, net
position, and budgetary balances that should have been recorded have been
recorded in the proper period and accounts and are properly included in the
financial statements. Projections in sustainability financial statements include
all estimated future revenues and expenditures at present value.
AU-C 315 assertion:
6. Presentation: Transactions and events are appropriately aggregated or
disaggregated and clearly described, and related disclosures are relevant and
understandable in the context of the requirements of the applicable financial
reporting framework (U.S. GAAP).
FAM 235.02 assertions:
5. Presentation and disclosure: Financial and other information in the
financial statements is appropriately aggregated or disaggregated, and clearly
described. Note disclosures are appropriately measured and described and are
relevant and understandable in the context of the requirements of U.S. GAAP.
All note disclosures that should have been included in the financial
statements have been included. Disclosed transactions and events have occurred
and pertain to the entity.
AU-C 315 assertions FAM 235.02 assertions
II. Assertions about account balances, and note disclosures, at the period end
AU-C 315 assertion:
7. Existence: Assets, liabilities, and equity interests exist.
FAM 235.02 assertions:
1. Existence or occurrence: Transactions and events have occurred during the
given period, have been recorded in the proper accounts, and pertain to the
entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts. Projected
revenues and expenditures in sustainability financial statements include all
estimated future revenues and expenditures at present value.
AU-C 315 assertion:
8. Rights and obligations: The entity holds or controls the rights to assets,
and liabilities are the obligations of the entity.
FAM 235.02 assertions:
3. Rights and obligations: The entity holds or controls the rights to assets,
and liabilities are the obligations of the entity, at a given date. The entity
holds or controls the rights to budgetary resources, and budgetary obligations
pertain to the entity, at a given date.
AU-C 315 assertion:
9. Completeness: All assets, liabilities, and equity interests that should
have been recorded have been recorded, and all related disclosures that should
have been included in the financial statements have been included.
FAM 235.02 assertions:
2. Completeness: All transactions and events that should have been recorded
have been recorded in the proper period and accounts. All assets, liabilities,
net position, and budgetary balances that should have been recorded have been
recorded in the proper period and accounts and are properly included in the
financial statements. Projections in sustainability financial statements
include all estimated future revenues and expenditures at present value.
5. Presentation and disclosure: Financial and other information in the
financial statements is appropriately aggregated or disaggregated and clearly
described. Note disclosures are appropriately measured and described and are
relevant and understandable in the context of the requirements of U.S. GAAP.
All note disclosures that should have been included in the financial
statements have been included. Disclosed transactions and events have occurred
and pertain to the entity.
AU-C 315 assertion:
10. Accuracy, valuation, and allocation: Assets, liabilities, and equity
interests have been included in the financial statements at appropriate
amounts, and any resulting valuation or allocation adjustments have been
appropriately recorded, and related disclosures have been appropriately
measured and described.
FAM 235.02 assertions:
4. Accuracy, valuation, and allocation: Amounts and other data relating to
recorded transactions and events have been recorded appropriately. Assets,
liabilities, net position, budgetary balances, and projections in
sustainability financial statements have been included in the financial
statements at appropriate amounts, and any resulting valuation or allocation
adjustments have been appropriately recorded.
5. Presentation and disclosure: Financial and other information in the
financial statements is appropriately aggregated or disaggregated and clearly
described. Note disclosures are appropriately measured and described and are
relevant and understandable in the context of the requirements of U.S. GAAP.
All note disclosures that should have been included in the financial
statements have been included. Disclosed transactions and events have occurred
and pertain to the entity.
AU-C 315 assertion:
11. Classification: Assets, liabilities, and equity interests have been
recorded in the proper accounts.
FAM 235.02 assertions:
1. Existence or occurrence: Transactions and events have occurred during the
given period, have been recorded in the proper accounts, and pertain to the
entity. An entity’s assets, liabilities, net position, and budgetary balances
exist at a given date and have been recorded in the proper accounts. Projected
revenues and expenditures in sustainability financial statements include all
estimated future revenues and expenditures at present value.
2. Completeness: All transactions and events that should have been recorded
have been recorded in the proper period and accounts. All assets, liabilities,
net position, and budgetary balances that should have been recorded have been
recorded in the proper period and accounts and are properly included in the
financial statements. Projections in sustainability financial statements
include all estimated future revenues and expenditures at present value.
AU-C 315 assertion:
12. Presentation: Assets, liabilities, and equity interests are appropriately
aggregated or disaggregated and clearly described, and related disclosures are
relevant and understandable in the context of the requirements of the
applicable financial reporting framework (U.S. GAAP).
FAM 235.02 assertions:
5. Presentation and disclosure: Financial and other information in the
financial statements is appropriately aggregated or disaggregated and clearly
described. Note disclosures are appropriately measured and described and are
relevant and understandable in the context of the requirements of U.S. GAAP.
All note disclosures that should have been included in the financial
statements have been included. Disclosed transactions and events have occurred
and pertain to the entity.
240 Identify Significant Accounting Applications, Cycles,
and Financial Management Systems
.01 In the planning and internal control phases, the auditor should identify controls
for each significant accounting application and cycle and assess the risk of
material misstatement for each significant assertion. See also FAM 310.10
through .11 and FAM 640 for further details on service organizations. For CFO
Act agencies, which are subject to FFMIA, the auditor also determines whether
the financial management systems comply substantially with (1) federal financial
management systems requirements, (2) federal accounting standards, and (3)
the U.S. Standard General Ledger (USSGL) at the transaction level. See FAM
701 for additional guidance on determining whether an agency’s financial
management systems comply substantially with the three requirements of FFMIA
and FAM 701 A for related example audit procedures.
An accounting application comprises the methods and records used to (1)
identify, assemble, analyze, classify, and record a particular type of transaction
or (2) report recorded transactions and maintain accountability for related assets
and liabilities. A cycle is a grouping of related accounting applications.
Accounting applications often include information system processing. Information
system processing is often performed by software programs hosted by
information systems, which are also commonly referred to as applications.
.02 An accounting application or cycle is generally significant if it processes
aggregate transactions in excess of performance materiality or if it supports a
significant line item or account balance in the financial statements. Each
significant line item or account is affected by input from one or more accounting
applications. Accounting applications are classified as (1) transaction related or
(2) line item/account related.
.03 A transaction-related accounting application consists of the methods and records
established to identify, assemble, analyze, classify, and record (in the general
ledger) a particular type of transaction. Transaction-related accounting
applications are sources of debits or credits. Typical transaction-related
accounting applications include billing, cash receipts, purchasing, cash
disbursements, and payroll. A line item/account-related accounting application
consists of the methods and records established to report recorded transactions
and maintain accountability for related assets and liabilities. Typical line
item/account-related accounting applications include cash balances, accounts
receivable, inventory, property and equipment, and accounts payable.
.04 An accounting system comprises the methods, records, and processes used to
identify, assemble, analyze, classify, record, and report an entity’s transactions
and to maintain accountability for the related assets and liabilities. The entity’s
accounting system may be viewed as consisting of logical groupings of
accounting applications.
The entity may group related accounting applications into organizational units or
financial management systems. Financial management systems are the financial
systems and the financial portions of mixed systems necessary to support
financial management, including automated and manual processes, procedures,
controls, data, hardware, software, and support personnel dedicated to operating
and maintaining system functions. For example, for the billing transaction-related
accounting application, the organizational unit (or units) responsible for billing
may use different manual processes and possibly different financial management
systems.
The auditor may group related accounting applications into cycles irrespective of
the organizational units or financial management systems involved. For instance,
the auditor may group the billing (transaction related), cash receipts (transaction
related), and accounts receivable (line item/account related) accounting
applications to form the revenue cycle.
.05 Grouping related accounting applications into cycles can aid the auditor in
preparing audit documentation and in designing audit procedures that are
effective, efficient, and relevant to the reporting objectives. The auditor should
prepare a cycle matrix or equivalent document that links each of the entity’s
accounts (in the chart of accounts) to a cycle, an accounting application, and a
financial statement line item. For each significant accounting application included
on the cycle matrix (or equivalent document), the auditor should obtain an
understanding of the information system processing included therein. This
understanding will form the basis for the auditor’s cycle memorandums, which
are described in FAM 320, and the auditor’s identification of relevant control
activities, as described in FAM 340.
.06 For each significant financial statement line item, the auditor should use the LIRA
form at FAM 395 H or equivalent audit documentation to identify the significant
transaction cycles (such as revenue, purchasing, and production) and the
significant accounting applications that affect these significant line items and
related assertions. For example, the auditor might determine that billing, cash
receipts, and accounts receivable are significant accounting applications that
affect accounts receivable (a significant line item). The LIRA form provides a
convenient way to document the specific risks of material misstatement by
assertion for significant line items so that they can be considered in determining
the nature, extent, and timing of audit procedures. If the auditor uses an
equivalent type of audit documentation, rather than the LIRA form, the auditor
should include the information discussed in FAM 395 H.
.07 Based on discussions with entity personnel and the auditor’s understanding of
the significant accounting applications, the auditor should determine which
financial management systems are significant. If the auditor decides that one or
more of the accounting applications making up a financial management system
are significant, that financial management system generally is significant for
evaluating the effectiveness of the entity’s internal control over financial
reporting.
If the auditor determines that a financial management system is significant for
evaluating the effectiveness of the entity’s internal control over financial
reporting, that financial management system generally is significant for
determining whether the system complies substantially with the three
requirements of FFMIA. In addition to financial management systems involved in
processing financial transactions and preparing financial statements, significant
financial management systems covered by FFMIA may also include systems
supporting financial planning, management reporting, and budgeting activities;
systems accumulating and reporting cost information; and the financial portion of
mixed systems, such as benefit payment, logistics, personnel, and acquisition
systems.
If the auditor determines that a financial management system that a service
organization maintains is significant for evaluating the effectiveness of the entity’s
internal control over financial reporting, then the auditor should follow the
guidance outlined in FAM 640.05 through .09.
.08 When a significant line item has more than one source of financial information,
the auditor should consider the various sources and determine which is best for
financial audit purposes. In choosing the source, the auditor should evaluate the
likelihood of misstatement and auditability. For audit purposes, the best source of
financial information sometimes may be operational information prepared outside
the accounting system. As such, the auditor may identify a financial management
system as significant because it is a source of information that the auditor will
use for substantive testing. For example, a financial management system that
contains subsidiary records for receivables, property, and payables typically
provides detailed information for testing and support for general ledger balances
if appropriate reconciliations are performed.
.09 The auditor may also identify accounting applications, cycles, or financial
management systems as significant based on qualitative considerations, such as
the public accountability of the entity under audit, various legal and regulatory
requirements, and the visibility and sensitivity of government programs.
.10 The auditor should obtain sufficient knowledge of the significant accounting
applications to understand the design of the procedures by which transactions
are initiated, recorded, processed, and reported from their occurrence to their
inclusion in the financial statements (see AU-C 315.19 and FAM 320).
Accounting applications often include information system processing. As
discussed in AU-C 315, the auditor should obtain an understanding of control
activities relevant to the audit, which are those control activities the auditor
deems necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures that
respond to assessed risks. See FAM 260 for further discussion on identifying risk
factors and FAM 340 for further discussion on identifying and understanding
relevant control activities.
.11 During the internal control phase, the auditor will determine whether the controls
identified were implemented as designed. As noted in FAM 310.02, according to
OMB audit guidance, for those controls that have been suitably designed and
implemented, the auditor should perform sufficient tests of such controls to
conclude whether the controls are operating effectively (i.e., sufficient tests of
controls to support a low level of assessed control risk). Thus, the auditor should
not elect to forgo control tests because it is more efficient to extend substantive
and compliance audit procedures.
.12 When significant accounting applications include control activities that are
dependent on information system processing, the auditor should assess IS
controls. A dependency on information system processing exists if a control
activity cannot reasonably be expected to achieve a specific control objective
without effective information system processing—either in the performance of the
control activity or in the production of information used in the performance of the
control activity.
.13 IS controls consist of those internal controls that depend on information system
processing and include general controls, application controls, and user controls.
Information system general controls (implemented at the entity-wide, system, and
application levels) are the structure, policies, and procedures that apply to all or a
large segment of an entity’s information systems. General controls help ensure
the proper operation of information systems by creating the environment for
effective operation of application controls. General controls include security
management, access (logical and physical), configuration management,
segregation of duties, and contingency planning controls. An effective information
system general control environment
• provides a framework and continuing cycle of activity for managing risk,
developing security policies, assigning responsibilities, and monitoring the
adequacy of the entity’s computer-related controls (security management);
• limits or detects access to computer resources, such as data, programs,
equipment, and facilities, thereby protecting them against unauthorized
modification, loss, or disclosure (logical and physical access);
• prevents unauthorized changes to information system resources, such as
software programs and hardware configurations, and provides reasonable
assurance that systems are configured and operating securely and as
intended (configuration management);
• includes policies, procedures, and an organizational structure to manage who
can control key aspects of computer-related operations (segregation of
duties); and
• protects critical and sensitive data, and provides for critical operations to
continue without disruption or be promptly resumed when unexpected events
occur (contingency planning).
.14 Application controls, sometimes referred to as business process controls, are
those controls incorporated directly into information systems to help ensure the
validity, completeness, accuracy, and confidentiality of transactions and data
during information system processing. An effective application control
environment includes
• general controls implemented at the application level (i.e., security
management, access controls, configuration management, segregation of
duties, and contingency planning);
• controls over transaction data input, processing, and output as well as master
data maintenance;
• interface controls over the timely, accurate, and complete processing of
information between information systems; and
• controls over the data management systems.
.15 User controls are portions of controls that people perform when interacting with
information systems. The effectiveness of a user control typically depends on
information system processing or the reliability of the information that information
systems produce. A user control is considered both an IS control and a manual
control if it depends on information system processing. For example, the
effectiveness of a user control to review and follow up on exceptions typically
depends on the reliability of the exception report that the information system
produces through information system processing. A user control is considered a
manual control if it does not depend on information system processing. For
example, the effectiveness of a user control to manually reconcile information
that information systems produce may or may not depend on the reliability of
information used in the reconciliation, depending on the nature of the control.
Additionally, the effectiveness of a user control to monitor the effective
functioning of information systems and IS controls may or may not depend on the
reliability of information that the information systems produce.
.16 In the planning phase, the auditor should identify and document the control
activities included in the significant accounting applications that depend on
information system processing. Such control activities are often application and
user controls. The auditor should then identify and document the general controls
implemented at the entity-wide, system, and application levels that help ensure
the effective operation of the application and user controls included in the
significant accounting applications. Because of the technical nature of many IS
controls, the auditor generally should obtain assistance from an IS controls
auditor in planning, directing, or performing audit procedures related to assessing
IS controls. Additionally, an information technology specialist may assist the
auditor in understanding technical aspects of information systems and IS
controls.
.17 The auditor should use an appropriate methodology when identifying and
assessing IS controls and should document the basis for believing that the
methodology used is appropriate to satisfy these requirements. If the auditor
uses the same methodology for multiple audits, the audit organization may
prepare this document once and maintain a central file for reference on individual
audits.
GAO auditors should use FISCAM when assessing IS controls in a financial
statement audit. FISCAM is designed to meet these requirements, and GAO
believes that FISCAM is an appropriate methodology.
See FAM 295 J for a flowchart of steps generally followed in assessing IS
controls in a financial statement audit. Information system security controls are
also addressed in OMB Circular No. A-130, Managing Information as a Strategic
Resource; the National Institute of Standards and Technology’s (NIST) An
Introduction to Computer Security: The NIST Handbook; National Security
Agency guidance on Microsoft and other computer vendor web sites; and various
publications. OMB’s guidance on reporting under the Federal Information
Security Modernization Act of 2014 specifies NIST publications that agencies are
to use when evaluating information security.
245 Identify Significant Provisions of Applicable Laws,
Regulations, Contracts, and Grant Agreements
.01 AU-C 250 provides audit requirements related to laws and regulations, both
those that have a direct effect and those that have an indirect effect on the
financial statements. GAGAS (2018) 6.15 extends these requirements to the
auditor’s consideration of compliance with provisions of contracts and grant
agreements.
.02 A direct effect means that the provision specifies
• the nature and/or dollar amount of transactions that may be incurred (such as
obligation, outlay, or borrowing restrictions);
• the method used to record such transactions (such as revenue recognition
policies); or
• the nature and extent of information to be reported or disclosed in the
financial statements (such as the statement of budgetary resources).
For example, an entity’s enabling statute may contain provisions that limit the
nature and amount of obligations or outlays and therefore have a direct effect on
determining amounts and disclosures in the financial statements. If a provision’s
effect on the financial statements is limited to contingent liabilities as a result of
noncompliance (typically for fines, penalties, and interest), such a provision does
not have a direct effect on determining financial statement amounts and note
disclosures. The concept of direct effect is also discussed in AU-C 250.
.03 The auditor should obtain sufficient appropriate audit evidence regarding material
amounts and disclosures in the financial statements that are determined by those
provisions of laws, regulations, contracts, and grant agreements generally
recognized to have a direct effect on their determination (AU-C 250.13 and
GAGAS 6.15).
.04 The auditor generally should use the General Compliance Checklist in FAM 802
or equivalent to determine which laws and regulations are significant for testing
compliance.
.05 In contrast, an indirect effect relates generally to the entity’s operating aspects
and does not directly affect the determination of amounts or disclosures in the
financial statements. In other words, the effect may be limited to recording or
disclosing liabilities arising from noncompliance. Examples of provisions of
indirect laws and regulations include those related to environmental cleanup and
occupational safety and health.
.06 The auditor should identify the significant provisions of applicable laws,
regulations, contracts, and grant agreements. These provisions are those (1) for
which compliance can be objectively determined and (2) that have a direct effect
on the determination of material amounts and disclosures in the financial
statements as defined in FAM 245.07b. To aid the auditor in this process, the
FAM classifies provisions of laws and regulations into the following categories:
• Transaction-based provisions are those for which compliance is
determined for individual transactions. For example, provisions of the Prompt
Payment Act require that late payments be individually identified and interest
paid on such late payments.
• Quantitative-based provisions are those that require the
accumulation/summarization of quantitative information for measurement.
These provisions may contain minimum, maximum, or targeted amounts
(restrictions) for the accumulated/summarized information. For example,
provisions of the Comprehensive Environmental Response, Compensation,
and Liability Act of 1980 prohibit the U.S. Environmental Protection Agency
from exceeding certain spending limits on specific projects.
• Procedural-based provisions are those that require the entity to implement
policies or procedures to achieve certain objectives. For example, provisions
of the Single Audit Act require the awarding entity to review certain financial
information about recipients.
During the planning phase, the auditor should attempt to identify the significant
provisions of contracts and grant agreements, recognizing that during this phase
the auditor may not be in a position to identify all of the significant provisions of
contracts and grant agreements. However, as the audit progresses, the auditor
may become aware of significant provisions of contracts and grant agreements
and, as a result, perform transaction testing of these contract and grant
agreement provisions. For example, the auditor may test the budgetary and
proprietary transactions associated with lease agreement provisions.
.07 For each significant provision, the auditor should identify and evaluate related
compliance controls and should test compliance with the provision. To identify
such significant provisions, the auditor should do the following:
a. Review the list of laws included in FAM 295 H. The auditor should also review
the list of laws, regulations, contracts, and grant agreements that the entity
has determined might be significant. In addition, the auditor should identify
any laws, regulations, contracts, or grant agreements (in addition to those
identified in FAM 295 H and by the entity) that have a direct effect on
determining amounts and disclosures in the financial statements. These
might include (1) new laws and regulations and (2) entity-specific laws and
regulations. The auditor’s Office of the General Counsel (OGC) assists the
auditor in identifying laws and regulations. The meaning of direct effect is
discussed in FAM 245.02.
b. Identify those provisions that are significant for each applicable law,
regulation, contract, or grant agreement. A provision is significant if
(1) compliance with the provision can be measured objectively and (2) it
meets one of the following criteria for determining that the provision has a
direct effect on determining material amounts and disclosures in the financial
statements:
• Transaction-based provisions: The aggregate amount of transactions
that the entity processes that are subject to the provision equals or exceeds
materiality.
• Quantitative-based provisions: The quantitative information required by
the provision or by established restrictions equals or exceeds materiality.
• Procedural-based provisions: The provision broadly affects all or a
segment of the entity’s operations that process transactions equal to or
exceeding materiality in the aggregate. For example, a provision may
require that the entity establish procedures to monitor the receipt of
certain information from grantees. In determining whether to test
compliance with this provision, the auditor should determine whether the
total amount of money granted equals or exceeds materiality.
c. Significant provisions of contracts and grant agreements may not be able to
be identified during planning. If so, the auditor should determine during
planning the approach for identifying and testing such provisions during later
phases of the audit. The provisions may be identified as part of substantive
testing of transactions and balances, when the auditor finds that material
amounts and note disclosures related to such transactions and balances are
determined by contracts or grant agreements. For example, a contract or
grant agreement generally contains certain information, such as the amount
or basis for determining the amounts to be paid and the timing of such
payments, that directly affects the amounts reported or disclosed in the
financial statements. To test such transactions and balances, the auditor may
determine that it is necessary to examine contracts or grant agreements to
obtain sufficient appropriate evidence supporting the transaction or balance.
In other instances, such as those related to the provision of routine goods
and services, the auditor may determine that it is not necessary to examine
contracts or grant agreements to obtain sufficient appropriate evidence
supporting the transaction or balance.
.08 For indirect laws, regulations, contracts, or grant agreements, the auditor should
perform the following procedures that may identify instances of noncompliance
that may have a material effect on the financial statements:
a. Inquire of management and, when appropriate, those charged with
governance regarding policies and procedures that prevent noncompliance
and whether the entity is in compliance with those provisions (AU-C 250.14a).
b. Consider instances of noncompliance that may be identified in performing
other audit procedures and determine if they could have a material effect on
the financial statements.
c. Review reports issued by other oversight bodies of the audited entity, such as
the IG’s office, for any reported instances of noncompliance and determine if
they could be material to the financial statements.
d. Inspect correspondence, if any, with relevant regulatory authorities
(AU-C 250.14b).
Unless possible instances of noncompliance with indirect laws, regulations,
contracts, or grant agreements come to the auditor’s attention during the audit,
no further procedures with respect to indirect laws, regulations, contracts, and
grant agreements are necessary. The auditor is not responsible for testing
compliance controls over or compliance with any indirect laws, regulations,
contracts, or grant agreements (AU-C 250.16).
.09 The auditor may test compliance with indirect laws, regulations, contracts, and
grant agreements. For example, if the auditor becomes aware that the entity has
operations similar to those of another entity that was recently in noncompliance
with environmental laws and regulations, the auditor may test for compliance with
such laws and regulations. The auditor may also test provisions of direct laws,
regulations, contracts, and grant agreements that do not meet the materiality
criteria in FAM 245.07b but that are deemed significant because they are
qualitatively material, such as laws and regulations that have generated
significant interest by the Congress, the media, or the public.
.10 In considering regulations to test for compliance, the auditor should consider
externally imposed requirements issued pursuant to the Administrative
Procedure Act. These would include regulations in the U.S. Code of Federal
Regulations as well as OMB circulars and bulletins to the extent issued under
direction of law. It would not include OMB circulars and bulletins to the extent
issued as a matter of policy or guidance under the entity’s general authority.
Internal policies, manuals, and directives may be the basis for internal controls
but are not regulations to consider for testing compliance. The auditor should
consult its OGC if the direction of law determination is not clear.
.11 The auditor should remain alert to the possibility that procedures applied during
other aspects of the audit might indicate actual or suspected noncompliance with
provisions of laws, regulations, contracts, or grant agreements (AU-C 250.15).
See FAM 460.06 for the procedures to perform for instances of noncompliance or
suspected noncompliance (whether direct or indirect).
250 Identify Relevant Budget Restrictions
.01 The auditor should identify relevant budget restrictions, evaluate budget controls
(see FAM 295 G), and design compliance-related audit procedures relevant to
budget restrictions. Some key documents that may be obtained from the entity or
the auditor’s OGC are
• the Antideficiency Act (ADA), as provided primarily in 31 U.S.C.
chapters 13, 15. Provisions: 31 U.S.C. §§ 1341(a)(1)(A), (B); and
31 U.S.C. § 1517(a);
• the Purpose Statute, as provided in 31 U.S.C. § 1301;
• the Time Statute, as provided in 31 U.S.C. § 1502;
• OMB Circular No. A-11, Preparation, Submission and Execution of the
Budget, Part 4;
• the Impoundment Control Act, as provided in 2 U.S.C. chapter 17B; and
• the Federal Credit Reform Act (FCRA), as provided in 2 U.S.C. §§ 661-661f
(if the entity has activity subject to this law). Provisions: 2 U.S.C. § 661c(b),
(e).
Title 7 of GAO’s Policy and Procedures Manual for Guidance of Federal
Agencies and GAO’s Principles of Federal Appropriations Law (commonly known
as the Red Book) provide guidance on compliance with budget restrictions. The
USSGL within the Treasury Financial Manual provides guidance on budgetary
accounting.
.02 Information relating to the entity’s appropriation (or other budget authority) for the
period of audit includes
• authorizing statute;
• enabling statute;
• appropriation act and supplemental appropriation act;
• apportionments and budget execution reports (including OMB forms 132 and
133 and supporting documentation);
• Impoundment Control Act reports regarding rescissions and deferrals, if any;
• the OMB-approved system of funds control document; and
• any other information that the auditor deems to be relevant to understanding
the entity’s budget authority, such as legislative history contained in
committee reports or conference reports.
Although legislative histories are not legally binding, they may help the auditor
understand the political environment surrounding the entity (e.g., why the entity
has undertaken certain activities and the objectives of these activities). SFFAS
43, Funds from Dedicated Collections: Amending SFFAS 27, Identifying and
Reporting Earmarked Funds, may also help the auditor identify revenues or other
financing sources of the federal entity.
.03 Through discussions with the auditor’s OGC and the entity, and by using the
above information and information prepared by management, the auditor should
identify all legally binding restrictions on the entity’s use of appropriated funds
that are relevant to budget execution. This includes any restrictions on the
amount, purpose, or timing of obligations and outlays (i.e., relevant budget
restrictions). Additionally, the auditor should determine whether the entity has
established any legally binding restrictions in its fund control regulations. An
example of this would be the entity’s lowering the legally binding level for
compliance with the Antideficiency Act to the allotment level.
.04 The auditor should obtain advice from the auditor’s OGC on the implications if
the entity were to violate these relevant budget restrictions. In the internal control
phase, the auditor identifies the design of and tests the entity’s controls to
prevent or detect noncompliance with these relevant restrictions. The auditor
may evaluate controls over budget restrictions that are not legally binding but that
may be considered sensitive or important.
.05 During these discussions with the auditor’s OGC and the entity, the auditor
should determine whether any of these relevant budget restrictions relate to
significant provisions of applicable laws and regulations for purposes of testing
compliance.
.06 For an entity that does not receive appropriated funds, the auditor should identify
budget-related requirements that are legally binding on the entity. These
requirements, if any, are usually found in the statute that created the entity or its
programs (such as the authorizing and enabling statute) as well as any
subsequent amendments. Although budget information on these entities may be
included in the President’s budget submitted to the Congress, this information
usually is not legally binding. In general, certain budget-related restrictions (such
as provisions of the Antideficiency Act) apply to government corporations but not
to government-sponsored enterprises.
260 Identify Risk Factors
.01 The auditor should perform risk assessment procedures to provide a basis for the
identification and assessment of risks of material misstatement at the financial
statement and relevant assertion levels (AU-C 315.05). The risk assessment
procedures should include the following (AU-C 315.06):
• inquiries of management and others within the entity who, in the auditor's
professional judgment, may have information that is likely to assist in
identifying risks of material misstatement due to fraud or error;
• analytical procedures; and
• observation and inspection.
Risk assessment procedures by themselves, however, do not provide sufficient
appropriate audit evidence on which to base the audit opinion (AU-C 315.05).
The auditor’s assessments of inherent risk and control risk affect the auditor’s
assessment of the risks of material misstatement. The risks of material
misstatement affect the nature, extent, and timing of other audit procedures,
including substantive procedures and control tests. This section describes (1) the
relationship of identified risk factors to the risk of material misstatement and the
impact on substantive procedures and control tests; (2) the process for
identifying these risk factors; and (3) the auditor’s consideration of the entity’s
process for reporting under FMFIA, both for internal control and for financial
management systems’ conformance with systems requirements, and formulating
the budget.
Audit Risk Components
.02 AU-C 200 provides guidance on audit risk and defines “audit risk” as the risk that
the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. Audit risk is composed of the following risks
(see AU-C 200.14 and Standards for Internal Control in the Federal Government
(Green Book) [21]):
• Inherent risk is the susceptibility of an assertion about a class of transaction,
account balance, or note disclosure to a misstatement that could be material,
either individually or when aggregated with other misstatements, before
consideration of any related controls.
• Control risk is the risk that a misstatement that could occur in an assertion
about a class of transaction, account balance, or note disclosure and that
could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely
basis by the entity’s internal control. That risk is a function of the
effectiveness of the design and operation of internal control in achieving the
entity’s objectives relevant to preparation and fair presentation of the entity’s
financial statements. Some control risk will always exist because of the
inherent limitations of internal control.
Internal control consists of five components: (1) the control environment,
(2) entity risk assessment, (3) monitoring, (4) information and communication,
and (5) control activities (defined in FAM 260.10) and 17 related principles.
This section discusses the first three of the components and communication,
which is part of the fourth component. FAM 300, Internal Control Phase,
discusses the information systems and control activities.
• Fraud risk is a part of audit risk, making up a portion of inherent and control
risk. Fraud risk consists of the risk of fraudulent financial reporting and the
risk of misappropriation of assets (Green Book 8.02). The auditor should
specifically assess and document the risks of material misstatement of the
financial statements due to fraud and should consider fraud risk in designing
audit procedures. The auditor may determine the risks of material fraud
concurrently with the consideration of inherent and control risk but should
form a separate conclusion on fraud risk. As the auditor obtains audit
evidence during the audit, the auditor should consider its potential effect on
the auditor’s assessment of fraud risk. FAM 290 includes documentation for
fraud risk.
• Risk of material misstatement is the risk that the financial statements are
materially misstated prior to the audit. It is the auditor’s combined
assessment of inherent risk and control risk. The auditor may separately
assess inherent risk and control risk when determining the risk of material
misstatement. The auditor should assess the risk of material misstatement at
the relevant assertion level as a basis for further audit procedures. Although
this assessment is a judgment rather than a precise measurement of risk, the
auditor should have an appropriate basis for the assessment.
• Detection risk is the risk that the procedures the auditor performs to reduce
audit risk to an acceptably low level will not detect a misstatement that exists
and that could be material, either individually or when aggregated with other
misstatements. Detection risk is a function of the effectiveness of an audit
procedure and of its application by the auditor. Detection risk relates to the
substantive procedures and is managed by the auditor’s response to the risk
of material misstatement.
[21] GAO, Standards for Internal Control in the Federal Government, GAO-14-704G
(Washington, D.C.: September 2014).
Impact on Substantive Procedures
.03 To obtain reasonable assurance about whether the financial statements as a
whole are free from material misstatement, whether due to fraud or error, the
auditor should obtain sufficient appropriate audit evidence to reduce audit risk to
an acceptably low level and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion (AU-C 200.06 and .19).
.04 Audit assurance is the complement of audit risk and equals 100 percent minus
the allowable audit risk. [22] The audit organization should determine the audit
assurance to use, which may vary between audits based on risk. GAO auditors
should use an audit assurance of 95 percent. In other words, the GAO auditor, in
order to provide an opinion, should design the audit to achieve at least 95
percent audit assurance that the financial statements are not materially misstated
(5 percent audit risk). FAM 470 provides guidance on how to combine (1) the risk
of material misstatement and (2) detection risk for substantive procedures to
achieve the audit assurance required by the audit organization.
[22] Audit assurance is not the same as statistical confidence. Audit assurance is
a combination of quantitative measurement and auditor judgment.
.05 The auditor may consider it necessary to achieve increased audit assurance if
the entity is politically sensitive or if the Congress has expressed concerns about
the entity’s financial reporting. In these cases, the reviewer should approve the
increased audit assurance.
.06 Based on the level of audit risk and the risks of material misstatement, including
the consideration of fraud risk, the auditor should determine the nature, extent,
and timing of substantive procedures necessary to achieve the acceptable level
of detection risk. For example, in response to a high risk of material
misstatement, the auditor may perform
• additional substantive procedures that provide more appropriate evidence
(nature of procedures);
• more extensive substantive procedures (extent of procedures), as discussed
in FAM 295 E; or
• substantive procedures at or closer to the financial statement date (timing of
procedures).
Relationship to Control Assessment
.07 Internal control, as defined in AU-C 315.04, is a process effected by those
charged with governance, management, and other personnel that is designed to
provide reasonable assurance about the achievement of the entity’s objectives
with regard to the reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations (see also Green
Book OV1.01).
.08 Internal control over financial reporting, as defined in OMB audit guidance, is a
subset of the entity’s internal control and includes the following (GAGAS and
OMB audit guidance expand compliance to include contracts and grant
agreements.):
• Reliability of financial reporting: Transactions are properly recorded,
processed, and summarized to permit the preparation of the financial
statements in accordance with U.S. GAAP, and assets are safeguarded
against loss from unauthorized acquisition, use, or disposition. (Note that
certain safeguarding controls are part of financial reporting controls,
although they are also operations controls. See FAM 310.05.07)
• Compliance with laws, regulations, contracts, and grant agreements:
Transactions are executed in accordance with provisions of applicable laws,
including those governing the use of budget authority; regulations; contracts;
and grant agreements, noncompliance with which could have a material
effect on the financial statements. (Note that budget controls are part of
financial reporting controls as they relate to the statement of budgetary
resources and the reconciliation of the net cost of operations to budget note,
and they are also part of compliance controls in that they are used to manage
and control the use of appropriated funds and other forms of budget authority
in accordance with applicable law. These controls are described in more
detail in FAM 295 G.)
.09 Most controls relevant to the audit are likely to relate to financial reporting;
however, not all controls that relate to financial reporting are relevant to the audit.
In addition, some controls belong in more than one category of control. For
example, financial reporting controls include controls over the completeness and
accuracy of inventory records. Such controls are also necessary to provide
complete and accurate inventory records to allow management to analyze and
monitor inventory levels to better control operations and make procurement
decisions (operations controls).
.10 The five components of internal control relate to objectives that an entity strives
to achieve in each of the three categories: financial reporting (including
safeguarding), compliance, and operations controls. The components in
AU-C 315, Green Book OV2.04 and 2.09, and AU-C 940 are as follows:
• Control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of
internal control, providing discipline and structure.
• Entity risk assessment is the entity’s identification, analysis, and
management of risks relevant to achievement of its objectives. This
assessment provides the basis for developing appropriate responses to risk.
• Information [23] and communication systems support the identification,
capture, and exchange of information in a form and time frame that enable
people to carry out their responsibilities.
• Monitoring of controls is a process to assess the effectiveness of internal
control performance over time. This consists of activities management
establishes and operates to assess the quality of performance over time and
promptly resolve the findings of audits and other reviews.
• Control activities are the policies, procedures, techniques, and mechanisms
that help ensure that management directives are carried out and respond to
risks in the internal control system, which includes the entity’s information
system.
[23] The information component of internal control, as defined in AU-C 315, is in
the context of a financial statement audit, whereas Standards for Internal Control
in the Federal Government defines the information component in the context of
internal control overall.
Inherent Risk Factors
.11 Inherent risk factors incorporate characteristics of an entity, a transaction, an
account, or an assertion that exist because of the
• nature of the entity’s programs,
• prior history of audit adjustments, or
• nature of material transactions and accounts.
The auditor may limit the assessment of inherent risk to significant programs,
transactions, or accounts. Inherent risks may relate to the entity overall or to
specific accounts and assertions. For each factor listed below, FAM 295 A lists
conditions that may indicate inherent risk.
a. Nature of the entity’s programs: The mission or business of an entity
includes the implementation of various programs or services. The
characteristics of these programs or services affect the entity’s susceptibility
to errors and fraud and sensitivity to changes in economic conditions. For
example, student loan guarantee programs may be more susceptible to
errors and fraud because of loans that third parties issue and service.
b. Prior history of significant audit adjustments: Significant audit
adjustments identified in previous financial statement audits or other audits
often identify inherent or control risks that may allow financial statement
misstatements. For example, the prior year’s audit may have identified the
necessity for recording a liability as the result of certain economic conditions.
The auditor could then focus on
• determining whether similar conditions continue to exist;
• understanding management’s response to such conditions (including
implementation of controls), if any; and
• assessing the nature and extent of the related inherent and control risk.
c. Nature of material transactions and accounts: The nature of an entity’s
transactions and accounts has a direct relation to inherent risk. For example,
accounts involving subjective management judgments, such as loss
allowances, are usually of higher inherent risk than those involving more
objective determinations.
Information Systems: Effect on Inherent Risk
.12 Information systems do not affect the audit objectives for an account or a cycle.
However, information systems (or lack thereof) can introduce inherent risk factors
not present in a manual accounting system. The auditor should (1) consider each
of the following information system factors and (2) assess the overall impact of
information system processing on inherent risk. The impact of these factors
typically will be pervasive in nature. An IS controls auditor may assist the auditor
in considering these factors and making this assessment. More detail on
assessing information system risks and controls in a financial statement audit is
available in FISCAM, and a flowchart of steps is in FAM 295 J.
a. Uniform processing of transactions. Because information systems process
groups of identical transactions consistently, any misstatements arising from
erroneous computer programming will occur consistently in similar
transactions. However, the possibility of random processing errors is reduced
substantially with information system processing.
b. Automatic processing. The information system may automatically initiate
transactions or perform processing functions. Evidence of these processing
steps (and any related controls) may or may not be visible.
c. Increased potential for undetected misstatements. Computers use and
store information in electronic form and require less human involvement in
processing. This increases the potential for individuals to gain unauthorized
access to sensitive information and to alter data without visible evidence.
Because of the electronic form, changes to software programs and data may
not be readily detectible. Also, users may be less likely to challenge the
reliability of computer output than manual reports. As such, management
should evaluate security threats, which can be from internal or external
sources. External threats are particularly important for entities that depend on
telecommunications networks and the internet. Internal threats may come
from former or disgruntled employees (Green Book 11.13).
d. Existence, completeness, and volume of the audit trail. The audit trail is
the evidence that demonstrates how a specific transaction was initiated,
processed, recorded, and summarized. For example, the audit trail for a
purchase could include a purchase order; a receiving report; an invoice; an
invoice register (purchases summarized by day, month, account, or a
combination of these); and general ledger postings from the invoice register.
Some financial management systems are designed so that the audit trail
exists for only a short period (such as in online systems), only in an electronic
format, or only in summary form. Also, the information generated may be too
voluminous to allow effective manual review. For example, one posting to the
general ledger may result from the automated summarization of information
from hundreds of locations and thousands of documents.
e. Nature of information systems hardware and software. The nature of
information systems hardware and software can affect inherent risk, as
illustrated below.
• The type of information system processing (online, batch oriented, or
distributed) presents different levels of inherent risk. For example, the
inherent risk of unauthorized transactions and data entry errors may be
greater for online processing than for batch-oriented processing.
• Peripheral access devices or system interfaces can increase inherent
risk. For example, internet and dial-up access to a system increase the
system’s accessibility to additional persons and therefore increase the
risk of unauthorized access to computer resources.
• Distributed networks enable multiple computer-processing units to
communicate with each other, increasing the risk of unauthorized access
to computer resources and possible data alteration. On the other hand,
distributed networks may decrease the risk of conflicting computerized
data between multiple processing units.
• Software programs developed in-house may have higher inherent risk
than vendor-supplied software that has been thoroughly tested and is in
general commercial use.
Because of the nature of information systems hardware and software,
management should design control activities to limit user access to
information technology through authorization control activities, such as
providing a unique user identification or token to authorized users.
Management should also design other control activities to promptly
update access rights when employees change job functions or leave the
entity (Green Book 11.14).
f. Unusual transactions. As with manual systems, unusual information system
transactions increase inherent risk. Programs developed to process such
transactions may not be subject to the same procedures as programs
developed to process routine transactions.
Fraud Risks
.13 The auditor should identify and assess the risks of material misstatement due
to fraud (fraud risk) at the financial statement level and at the relevant assertion
level for classes of transactions, account balances, and note disclosures
(AU-C 240.25). The primary factor that distinguishes fraud from error is that the
action causing the misstatement in fraud is intentional. (See FAM 230 related to
materiality, including quantitative and qualitative considerations.)
.14 Two types of misstatements that are relevant to the auditor’s consideration of
fraud in an audit of financial statements are as follows (Green Book 8.02):
• Misstatements resulting from fraudulent financial reporting are
intentional misstatements, including omissions of amounts or disclosures in
the financial statements, to deceive financial statement users. They could
involve intentional alteration of accounting records, misrepresentation of
transactions, intentional misapplication of accounting principles, or other
means.
• Misstatements resulting from misappropriation of assets involve thefts of
an entity’s assets that result in misstatements in the financial statements.
They could involve theft of property, embezzlement of receipts, fraudulent
payments, or other means. (See FAM 310 for internal control over
safeguarding assets. Safeguarding controls relate to protecting assets
against loss from unauthorized acquisition, use, or disposition.)
.15 In considering misstatements resulting from misappropriation of assets, the
auditor should consider fraud risks associated with improper payments. Some of
the improper payments that entities make could involve fraud. The Payment
Integrity Information Act of 2019 (PIIA) (Pub. L. No. 116-117), codified in 31
U.S.C. §§ 3351-58, defines an improper payment as any payment that should not
have been made or that was made in an incorrect amount (including
overpayments and underpayments) under statutory, contractual, administrative,
or other legally applicable requirements. This includes any payment to an
ineligible recipient, any payment for an ineligible good or service, any duplicate
payment, any payment for a good or service not received (except for such
payments where authorized by law), and any payment that does not account for
credit for applicable discounts.
PIIA also provides that when an entity’s review is unable to discern whether a
payment was proper as a result of insufficient or lack of documentation, this
payment must also be considered an improper payment when identifying
programs that might be susceptible to significant improper payments and when
producing an estimate of annual improper payments for those identified
programs. [24] PIIA requires entity heads to review all programs and activities
that they administer at least once every 3 years and to identify those that might be
susceptible to significant improper payments. An entity must produce a
statistically valid (or otherwise OMB-approved) estimate of annual improper
payments for those identified programs and report those estimates in the
accompanying materials to the financial statements. For programs for which an
entity reports an estimate of improper payments, the entity head also reports
certain corrective actions, such as the entity’s plans to reduce and recover
improper payments and program-specific improper payment reduction targets.
OMB guidance on implementation of this act is included in OMB Circular No.
A-123, Appendix C.
[24] Significant improper payments are those that may have exceeded either
(1) $10 million and 1.5 percent of program outlays or (2) $100 million regardless
of percentage of program outlays.
.16 The auditor is not required to perform specific procedures to detect waste or
abuse, as the determination of waste and abuse is subjective. Waste is the act of
using or expending resources carelessly, extravagantly, or to no purpose. Waste
does not necessarily include abuse or illegal acts. Rather, waste relates primarily
to mismanagement, inappropriate actions, and inadequate oversight. Abuse is
distinct from fraud and illegal acts. Abuse involves behavior that is deficient or
improper (but not necessarily fraudulent or illegal) when compared with behavior
that a prudent person would consider reasonable and necessary business
practice given the facts and circumstances. Abuse also includes misuse of
authority or position for personal financial interests or those of an immediate or
close family member or business associate. Abuse does not necessarily involve
fraud or violations of provisions of laws, regulations, contracts, or grant
agreements.
Although the auditor is not required to perform procedures to detect waste or
abuse, the auditor may consider whether and how to communicate such matters
after becoming aware of them. The auditor may discover that the waste or abuse
represents potential fraud or noncompliance with provisions of laws, regulations,
contracts, and grant agreements that should be addressed following guidance in
FAM 540 (See GAGAS (2018) 6.20 through 6.24).
Characteristics of Fraud
.17 Three conditions generally are present when fraud occurs:
• Incentive/pressure: Management, other employees, or external parties (for
example, for some improper payments) have an incentive or are under
pressure, which provides a motive to commit fraud.
• Opportunity: Circumstances exist, such as the absence of controls,
ineffective controls, or the ability of management to override controls, that
provide an opportunity to commit fraud.
• Attitude/rationalization: Individuals involved are able to rationalize
committing fraud. Some individuals possess an attitude, character, or ethical
values that allow them to knowingly and intentionally commit a dishonest act.
Generally, the greater the incentive or pressure, the more likely an individual
will be able to rationalize the acceptability of committing fraud. (Green Book
8.04)
.18 Management is in a unique position to perpetrate fraud because of
management’s ability to manipulate accounting records and prepare fraudulent
financial statements by overriding controls that otherwise appear to be operating
effectively. Although the level of risk of management override of controls will vary
from entity to entity, the risk is, nevertheless, present in all entities. Due to the
unpredictable way in which such override could occur, it is a risk of material
misstatement due to fraud and is thus a significant risk (AU-C 240.31).
Fraud Risk Factors
.19 Although fraud is usually concealed, the presence of fraud risk factors that
indicate incentive/pressure, opportunity, or attitude/rationalization might alert the
auditor to risks of material misstatement. While fraud risk may be greatest when
all three risk factors are present, one or more of these factors may indicate fraud
risk. Other information that internal and external parties provide can also be used
to identify fraud risks (Green Book 8.05). However, fraud risk factors do not
necessarily indicate that fraud exists. Examples of fraud risk factors, classified by
the two types of fraudulent misstatements and then by these three conditions,
follow.
a. Examples related to misstatements resulting from fraudulent financial
reporting:
• Incentive/pressure: Incentive exists for management to report reduced
program costs or costs that are consistent with budgeted amounts, or
excessive pressure exists to meet unrealistic deadlines, goals, or other
requirements.
• Opportunity: Key financial statement amounts are based on significant
estimates that involve subjective judgments or uncertainties that are
difficult to corroborate, or management is in a position to override controls
for processing adjustments or unusual transactions.
• Attitude/rationalization: Employees perceive that penalties exist for
reporting honest results, or employees consider requirements such as
performance targets unrealistic.
b. Examples related to misstatements resulting from misappropriation of assets:
• Incentive/pressure: Employees who are disgruntled because of
impending layoffs have an incentive to misappropriate assets, or
employees are under pressure to meet programmatic objectives, such as for
rapid benefit payments, which increases the risk of fraudulent improper
payments.
• Opportunity: Employees have access to assets that are small in size
and value or have the authority to disburse funds, or a program has
deficiencies in internal control related to fraudulent improper payments.
• Attitude/rationalization: Employees believe that management is
unethical, or individuals believe they are entitled to the entity’s assets.
Fraud risk factors represent inherent or control risk factors. As discussed in FAM
260.02, the auditor should evaluate fraud risk factors in assessing inherent and
control risk. FAM 295 A and FAM 295 B include additional examples of fraud risk
factors.
Information for Identifying Fraud Risks
.20 To obtain information about fraud risks, the auditor should inquire of
management about (AU-C 240.17–.18)
a. any knowledge of actual, suspected, or alleged fraud affecting the entity
(including fraudulent improper payments);
b. management's assessment of the risk that the financial statements may be
materially misstated due to fraud, including the nature, extent, and frequency
of such assessments;
c. management’s process for identifying, responding to, and monitoring the risks
of fraud in the entity, including any specific risks of fraud that management
has identified or that have been brought to its attention, or classes of
transactions, account balances, or note disclosures for which a risk of fraud is
likely to exist (including information about any fraudulent improper payments
that the entity identified in making assessments related to PIIA) (Green Book
8.06);
d. management’s communication, if any, to employees regarding its views on
business practices and ethical behavior;
e. management’s communication, if any, to those charged with governance,
such as an audit committee (referred to as a financial management advisory
committee in some entities) or others with equivalent authority and
responsibility, regarding its processes for identifying and responding to the
risks of fraud in the entity; and
f. whether the entity has entered into any significant unusual transactions and,
if so, the nature, terms, and business purpose (or the lack thereof) of those
transactions and whether such transactions involved disclosure entities,
related parties, or public-private partnerships.
Inquiries of management and others within the entity should be made in person
when possible. In-person discussions are usually the most effective. The auditor
may also find it helpful to provide the interviewee with specific questions and
obtain written responses in advance of the discussion.
.21 In addition to inquiring of management, inquiring of others may provide a different
perspective or other important information. Accordingly, the auditor should
perform the following inquiries and related procedures:
a. Obtain information about instances of fraud (including any related to
fraudulent improper payments) that the IG reported, ordinarily by asking the
Special Investigator Unit to summarize how cases of reported fraud were
committed, and then ask management or the IG’s office whether related
controls have been strengthened.
b. Unless all of those charged with governance are involved in managing the
entity, the auditor should do the following:
• Obtain an understanding of how those charged with governance exercise
oversight of management’s processes for identifying and responding to
the risks of fraud in the entity and the internal control that management
has established to mitigate these risks (AU-C 240.20 and Green Book
8.06–8.07). This may include understanding whether those charged with
governance have established a process for evaluating employees’
adherence to the organization’s standards of conduct and remediate any
deviations timely and consistently (Green Book 1.10).
• Inquire of those charged with governance to determine their views about
the risks of fraud; whether they have knowledge of any actual, suspected,
or alleged fraud affecting the entity; and whether the entity has entered
into any significant unusual transactions. These inquiries are made, in
part, to corroborate the responses received from the inquiries of
management (AU-C 240.21).
• Inquire of those charged with governance to determine how they identify
changes that could significantly impact the entity’s internal control system
and whether they can identify, on a timely basis, internal and external
conditions that have already occurred or are expected to occur (Green
Book 9.02–9.03).
• Inquire of those charged with governance to determine whether
management performs an entity risk assessment to identify, analyze, and
respond to any new risks prompted by changes as part of analyzing and
responding to change. This may also include understanding how
management analyzes and responds to identified changes and related
risks in order to maintain an effective internal control system (Green Book
9.04 and 9.05).
c. Inquire of appropriate individuals within the internal audit function, if any, to
obtain their views about the risks of fraud; determine whether they have
knowledge of any actual, suspected, or alleged fraud affecting the entity;
whether they have performed any procedures to identify or detect fraud
during the reporting period; whether management has satisfactorily
responded to any findings resulting from these procedures; and whether they
are aware that the entity has entered into any significant unusual transactions
(AU-C 240.19). See FAM 645 if the auditor plans to use the work of the
internal audit function in obtaining audit evidence.
d. Inquire of other personnel to determine if they have knowledge of any actual,
suspected, or alleged fraud affecting the entity (AU-C 240.18). The auditor
should use judgment to determine whom to ask and the extent of inquiries.
For example, the auditor may inquire of employees with varying levels of
authority, operating personnel not directly involved in the financial reporting
process, employees familiar with complex or unusual transactions or with
improper payments, and in-house legal counsel.
When responses to inquiries of management, those charged with governance, or
others are inconsistent or otherwise unsatisfactory (for example, vague or
implausible), the auditor should further investigate the inconsistencies or
unsatisfactory responses (AU-C 240.14).
.22 The auditor also should perform the following procedures:
a. Obtain and review the entity’s (1) plan to identify improper payments and
(2) report on improper payments (or information about any findings), if any,
that resulted from the entity’s review under PIIA.
b. Evaluate whether preliminary analytical procedures identified any unusual or
unexpected relationships that indicate fraud risks. To the extent that they are
not already included, the analytical procedures, and evaluation thereof,
should include procedures relating to revenue accounts (for example, trend
analysis) to identify unusual or unexpected relationships that might indicate
fraudulent financial reporting of revenue (see FAM 225 related to preliminary
analytical procedures) (AU-C 240.22).
c. Consider whether other information (such as information that resulted from
previous audits; the brainstorming meeting(s); and inherent risks identified at
the account, transaction, or assertion levels) indicates fraud risks
(AU-C 240.23 and 940.17).
Responding to Assessed Fraud Risks
.23 The auditor should respond to the assessed risks of material misstatement due
to fraud at the financial statement and assertion levels, as discussed in FAM
260.23 through .27, AU-C 240.28 and .30, and AU-C 940.17. The nature and
significance of these fraud risks, as well as programs and controls that address
identified fraud risks, influence the auditor’s response. The auditor should use
professional judgment in determining the appropriate response for the
circumstances and exercise professional skepticism in gathering and evaluating
audit evidence. The response should (1) affect the overall conduct of the audit
(see FAM 260.25); (2) address fraud risks that relate to management override of
controls (see FAM 260.26); and (3) for any of these risks that relate to specific
financial statement account balances or classes of transactions and related
assertions, involve the nature, extent, and timing of audit procedures (see FAM
260.27). If it is not practicable, as part of a financial statement audit, to design
audit procedures that sufficiently respond to the fraud risks, the auditor may
request assistance from the Special Investigator Unit and evaluate the effect of
omitting these procedures on the scope of the audit and the audit report.
.24 In some instances, the audit strategy and audit plan could, for reasons other than
responding to fraud risk, include procedures and personnel and supervisory
assignments that are sufficient for responding to a fraud risk. In those instances,
the auditor may conclude that no further response is required. For example, with
respect to timing, audit procedures could be planned as of the date that the
reporting period ends, both as a response to a fraud risk and for other reasons.
.25 In determining the overall responses to address the assessed risks of material
misstatement due to fraud at the financial statement level, the auditor should do
the following:
a. Assign and supervise staff, taking into account the knowledge, skill, and
ability of personnel to be given significant engagement responsibilities and
the auditor’s assessment of the risks of material misstatement due to fraud
for the engagement (AU-C 240.29a). For example, the auditor may assign a
fraud specialist or more experienced staff member or may increase
supervision in response to identified fraud risks (also see FAM 270 related to
IS controls auditors).
b. Evaluate whether the entity’s selection and application of accounting policies,
particularly those related to subjective measurements and complex
transactions, may be indicative of fraudulent financial reporting resulting from
management’s effort to manage earnings or a bias that may create a material
misstatement (AU-C 240.29b).
c. Incorporate an element of unpredictability in the selection of the nature,
timing, and extent of audit procedures (AU-C 240.29c). For example, perform
substantive procedures on selected account balances and assertions not
otherwise tested due to their materiality or risk, adjust the timing of audit
tests, use a different method to select items for testing, or perform
procedures at different locations or at locations on an unannounced basis
(AU-C 240.A42). Statistical sampling selection usually provides an element of
unpredictability as to the specific items tested (see FAM 480). Generally, the
auditor should not inform entity personnel of specific audit procedures prior to
performing them, as personnel may take actions to further conceal any
fraudulent activity. However, the auditor will usually make arrangements to
conduct audit work at specific sites in advance, and will instruct entity
personnel to locate certain documentation so that the auditor may test it upon
arrival.
.26 The auditor should perform procedures to specifically address the risk that
management can perpetrate fraud by overriding controls as follows
(AU-C 240.32):
a. Examination of journal entries and other adjustments: Test the
appropriateness of journal entries recorded in the general ledger and other
adjustments made in the preparation of the financial statements, including
entries posted directly to financial statement drafts. These include
reclassifications, consolidating entries, and other journal entries and
adjustments. In designing and performing audit procedures for such tests, the
auditor should
• obtain an understanding of the financial reporting process and the
controls over journal entries and other adjustments and the suitability of
design and implementation of such controls;
• inquire of individuals involved in the financial reporting process about
inappropriate or unusual activity related to the processing of journal
entries and other adjustments;
• consider fraud risk indicators, the nature and complexity of accounts, and
unusual entries processed;
• select journal entries and other adjustments made at the end of the
reporting period for testing; and
• consider the need to test journal entries and other adjustments
throughout the period.
See AU-C 240.A47 through .A50 and .A56 for additional guidance.
b. Review of accounting estimates: Review accounting estimates for biases
and evaluate whether the circumstances producing the bias, if any, represent
a risk of material misstatement due to fraud. In preparing financial
statements, management is responsible for making judgments or
assumptions that affect significant accounting estimates and for monitoring
the reasonableness of these estimates on an ongoing basis. The auditor
should evaluate whether the judgments and decisions made by management
in making accounting estimates included in the financial statements, even if
they are individually reasonable, indicate a possible bias on the part of the
entity’s management that may represent a risk of material misstatement due
to fraud. If so, the auditor should reevaluate the accounting estimates taken
as a whole.
The auditor also should perform a retrospective review of management
judgments and assumptions related to significant accounting estimates
reflected in the prior year’s financial statements, focusing on highly sensitive
or subjective aspects, to determine whether they indicate possible bias by
management. For example, significant changes in allowances for
uncollectible accounts that may be tied to performance measures in an effort
to improve collections.
c. Evaluation of business purpose for significant unusual transactions:
Evaluate whether the business purpose (or the lack thereof) of significant
unusual transactions suggests that they may have been entered into to
engage in fraudulent financial reporting or to conceal misappropriation of
assets. The procedures should include the following (AU-C 240.32c):
• reading the underlying documentation and evaluating whether the terms
and other information about the transaction are consistent with
explanations from inquiries and other audit evidence about the business
purpose (or the lack thereof) of the transaction;
• determining whether the transaction has been authorized and approved in
accordance with the entity’s established policies and procedures; and
• evaluating whether significant unusual transactions that the auditor has
identified have been properly accounted for and disclosed in the financial
statements.
Fraud risk indicators include the following (AU-C 240.A54):
• the form of these transactions appears overly complex (for example, the
transactions involve multiple entities within a consolidated group or
multiple unrelated third parties);
• management has not discussed the nature of and accounting for these
transactions with those charged with governance, and inadequate
documentation exists;
• management is placing more emphasis on the need for a particular
accounting treatment than on the economic substance of the transaction;
• transactions that involve disclosure entities, related parties, or public-private
partnerships, including special purpose entities, have not been properly
reviewed or approved by those charged with governance;
• transactions involve disclosure entities, related parties, or public-private
partnerships or relationships or transactions with such entities previously
undisclosed to the auditor (see FAM 904);
• transactions involve other parties that do not have the substance or
financial strength to support the transactions without assistance from the
entity or any disclosure entity, related party, or public-private partnership
of the entity; and
• transactions occur with a party that falls outside the definitions of a
related party, disclosure entity, or public-private partnership (as defined
by the applicable financial reporting framework (U.S. GAAP)), with either
party able to negotiate terms that may not be available for other, more
clearly independent parties on an arm’s-length basis.
d. Determine necessity of other procedures: Determine whether other audit
procedures, in addition to those discussed above, are needed to address the
risks of management override (AU-C 240.33).
.27 For fraud risks related to specific financial statement account balances or classes
of transactions and related assertions, the specific response will depend on the
types of risks and the specific balances or classes and assertions, but it generally
should involve both substantive procedures and control tests. The response
should involve one or more of the following (AU-C 240.A43):
a. Nature of audit procedures: for example, obtaining related evidence from
independent external sources rather than internal sources.
b. Extent of audit procedures: for example, increasing sample sizes.
c. Timing of audit procedures: for example, performing substantive procedures
at or near the end of the reporting period rather than at an interim date.
FAM 295 I provides additional examples of responses.
Understand and Assess Internal Control Components
.28 The auditor should obtain an understanding of internal control relevant to the
audit. Although most controls relevant to the audit are likely to relate to financial
reporting, not all controls that relate to financial reporting are relevant to the
audit. It is a matter of the auditor’s professional judgment whether a control,
individually or in combination with others, is relevant to the audit (AU-C 315.13).
When obtaining an understanding of controls that are relevant to the audit, the
auditor should evaluate the design of those controls and determine whether they
have been implemented by performing procedures in addition to inquiry of the
entity’s personnel (AU-C 315.14). The auditor should obtain an understanding of
and assess the five components of internal control (control environment, entity
risk assessment, information and communication, monitoring, and control
activities) relevant to the audit. The auditor should then identify the existence of
risk factors for each of these components. See further discussion below.
Process for Identifying Risk Factors
.29 In the planning phase, the auditor should (1) identify conditions that significantly
increase inherent and control risk and (2) conclude whether any identified control
risks preclude the effectiveness of specific control activities in significant
accounting applications. The auditor should consider the results of the
assessment of the risk of material misstatement due to fraud along with other
information gathered in the process of identifying the risks of material
misstatements (AU-C 315.09). The auditor should also consider whether
information obtained from the auditor’s client acceptance or continuance process
is relevant to identifying risks of material misstatement (AU-C 315.07). If the
engagement partner has performed other engagements for the entity, the
engagement partner should consider whether information obtained is relevant to
identifying risks of material misstatement (AU-C 315.08). The auditor should
identify specific inherent risks; fraud risks; and control environment, entity risk
assessment, communication, and monitoring deficiencies based on information
obtained in the planning phase, primarily from understanding the entity’s
operations, including significant information system processing performed
outside the entity and preliminary analytical procedures.
See FAM 260.47 through .63 for additional discussions of control environment,
entity risk assessment, communication, monitoring, and the auditor’s
responsibility for understanding each of these components. See FAM 290.06 for
documentation requirements related to understanding each component.
.30 Factors to consider in identifying risks and deficiencies are listed in this section.
These factors are general in nature and require the auditor’s judgment in
determining (1) the extent of procedures (testing) to identify the risks and
deficiencies and (2) the impact of such risks and deficiencies on the entity and its
financial statements. Because this risk consideration requires auditors to
exercise significant audit judgment, it should be performed by experienced audit
personnel. In addition, specific conditions that may indicate inherent or fraud
risks or control environment, entity risk assessment, communication, or
monitoring deficiencies are in FAM 295 A and FAM 295 B, respectively. These
sections are designed to aid the auditor in identifying these risks and deficiencies
but are not all inclusive. The auditor should evaluate any other factors and
conditions deemed relevant.
.31 The auditor should evaluate the degree of estimation uncertainty associated with
accounting estimates as part of identifying risk factors (AU-C 540.10). The
auditor should determine whether, in the auditor’s professional judgment, any of
those accounting estimates that have been identified as having high estimation
uncertainty give rise to significant risks (see FAM 260.44) (AU-C 540.11). As part
of the auditor’s risk assessment procedures, the auditor should review the
outcome of accounting estimates included in the prior period financial statements
or, when applicable, their subsequent reestimation for the purpose of the current
period. The nature and extent of the auditor’s review takes account of the nature
of the accounting estimates and whether the information obtained from the
review would be relevant to identifying and assessing risks of material
misstatement of accounting estimates made in the current period financial
statements. However, the review is not intended to call into question the auditor’s
professional judgments made in the prior periods that were based on information
available at the time (AU-C 540.09).
.32 The auditor may evaluate the implications of these risk factors on related
operations controls. For example, inherent risk may be associated with a material
liability for loan guarantees because it is subject to significant management
judgment. In light of this inherent risk, the entity should have strong operations
controls to monitor the entity’s exposure to losses from loan guarantees.
Potential deficiencies in such operations controls could significantly affect the
ultimate program cost. Therefore, the auditor may identify operations control
deficiencies, including the need for operations controls in a particular area that
may be further evaluated, as discussed in FAM 275.
.33 Service organization reports, which are discussed further in FAM 310, FAM 640,
and AU-C 402, may be prepared by auditors for service organizations (also
called service auditors) performing services for user entities that are relevant to
those user entities’ internal control over financial reporting. The auditor may find
these reports useful for performing risk assessments and planning other audit
procedures.
.34 If applicable to the entity, the auditor should obtain an understanding of the
entity’s process for compliance with FMFIA, including FMFIA implementing
guidance in OMB Circular No. A-123, Management’s Responsibility for
Enterprise Risk Management and Internal Control (see FAM 260.67–.73), and
whether the process has been implemented. The auditor should also obtain an
understanding of the budget formulation process (see FAM 260.81).
Brainstorming About the Risks of Material Misstatement
.35 As required by AU-C 315.11, the engagement partner (typically the audit director)
and other key engagement team members should brainstorm (discuss) the
susceptibility of the entity’s financial statements to material misstatement and the
application of the applicable financial reporting framework (U.S. GAAP) to the
entity’s facts and circumstances. The objective of this discussion is for the
engagement team members to gain a better understanding of the potential for
material misstatement of the financial statements resulting from fraud or error in
the specific areas assigned to them, and to understand how the results of the
audit procedures that they perform may affect other aspects of the audit,
including decisions about the nature, extent, and timing of further audit
procedures.
These discussions provide an opportunity for more experienced team members
to share insights based on their knowledge of the entity and for the team
members to exchange information about the business risks related to the entity.
Depending on the circumstance of the audit, multiple discussions may be held to
facilitate the ongoing exchange of this information among team members. The
purpose of these discussions is to share information obtained throughout the
audit that may affect the auditor’s risk assessments or related audit procedures.
.36 As required by AU-C 240.15, this discussion should include an exchange of
ideas, or brainstorming, among the engagement team members about how and
where the entity’s financial statements (including the individual statements and
note disclosures) might be susceptible to material misstatement due to fraud,
how management could perpetrate and conceal fraudulent financial reporting,
and how assets of the entity could be misappropriated. During the discussion,
engagement team members should set aside beliefs that they may have that
management and those charged with governance are honest and have integrity,
and should, in particular, also address
• known external and internal factors affecting the entity that may create an
incentive or pressure for management or others to commit fraud, provide the
opportunity for fraud to be perpetrated, and indicate a culture or environment
that enables management or others to rationalize committing fraud;
• the risk of management override of controls;
• consideration of circumstances that might be indicative of earnings
management or manipulation of other financial measures and the practices
that might be followed by management to manage earnings or other financial
measures that could lead to fraudulent financial reporting;
• the importance of maintaining professional skepticism throughout the audit
regarding the potential for material misstatement due to fraud (see
FAM 110.25); and
• how the auditor might respond to the susceptibility of the entity’s financial
statements to material misstatement due to fraud (AU-C 240.15).
.37 During the brainstorming, the auditor should include specific consideration of the
susceptibility of the financial statements to material misstatement due to error or
fraud that could result from the entity’s relationships and transactions with
disclosure entities, related parties, and public-private partnerships (AU-C
550.13). The auditor may discuss matters such as (1) the nature and extent of
these relationships and transactions; (2) the records or documents that may
indicate the existence of these relationships or transactions; and (3) how
disclosure entities, related parties, and public-private partnerships may be
involved in fraud. See AU-C 550.A7 through .A8 for additional matters that may
be discussed.
.38 Key members of the engagement team should be involved in this discussion;
however, it is not necessary for all team members to have a comprehensive
knowledge of all aspects of the audit. The auditor should use professional
judgment to determine the meeting participants (including any specialists), the
number of meetings, how and when the meetings should occur, and the extent of
the discussion. The roles, experience, and information needs of the engagement
team are factors that influence the extent of the discussion.
.39 The engagement partner should determine which matters to communicate to any
engagement team members not involved in the discussion (AU-C 315.11 and
240.15). For example, if separate discussions are held with the key staff at
various locations for a multilocation audit, it is not necessary for all members of
the engagement team to be informed of all the decisions reached in the
discussion.
Identify Risks of Material Misstatement
.40 To provide a basis for designing and performing further audit procedures, the
auditor should identify and assess the risks of material misstatement at (1) the
financial statement level and (2) the relevant assertion level for classes of
transactions, account balances, and disclosures (AU-C 315.26). The auditor
should
• identify risks throughout the process of obtaining an understanding of the
entity and its environment, including relevant controls that relate to the risks,
by considering the classes of transactions, account balances, and disclosures
(including the quantitative and qualitative aspects of such disclosures) in the
financial statements;
• assess the identified risks and evaluate whether they relate more pervasively
to the financial statements as a whole and potentially affect many assertions;
• relate the identified risks to what can go wrong at the relevant assertion level,
taking account of relevant controls that the auditor intends to test; and
• consider the likelihood of misstatement, including the possibility of multiple
misstatements, and whether the potential misstatement could result in a
material misstatement (AU-C 315.27).
The auditor should identify and document risks of material misstatement due to
error or fraud at the financial statement and assertion levels, as discussed in
AU-C 315 and 240, after considering (1) knowledge obtained about the entity
(obtained in previous steps in the planning phase); (2) the risk factors discussed
in this section, AU-C 315, AU-C 240, FAM 295 A, and FAM 295 B; and (3) other
relevant factors.
For fraud risks (including any related to fraudulent improper payments, disclosure
entities, related parties, and public-private partnerships), the auditor should
evaluate the information obtained in the procedures described in FAM 260.20
through .22, in the context of the fraud risk factors that generally are present
when fraud occurs: incentive/pressure, opportunity, and attitude/rationalization.
Although fraud risk factors may not necessarily indicate the existence of fraud,
they have often been present in circumstances in which frauds have occurred
and therefore may indicate risks of material misstatement due to fraud (AU-C
240.24). AU-C 240 requires additional responses to fraud risks, as discussed in
FAM 260.23 through .27.
The auditor should document these risks and deficiencies and their impact on
proposed audit procedures in the audit strategy (see FAM 290). The auditor also
should summarize and document any inherent or fraud risks or control
environment deficiencies that affect the specific line item on the LIRA form or
equivalent (see FAM 290 and FAM 395 H).
.41 For each risk factor identified, the auditor should document the nature and extent
of the risk or deficiency; the condition(s) that gave rise to that risk or deficiency;
and the specific cycles, accounts, line items, and related assertions affected (if
not pervasive). For example, the auditor may identify a risk of material
misstatement in the valuation of the net receivables line item due to (1) the
materiality of the receivables and potential allowance, (2) the subjectivity of
management’s judgment related to the loss allowance (inherent risk), and (3)
management’s history of aggressively challenging any proposed adjustments to
the valuation of the receivables (control environment weakness). The auditor
should also document other considerations that may mitigate the effects of
identified risks and deficiencies. In documenting these considerations, the auditor
should evaluate whether the entity’s controls sufficiently address identified risk of
material misstatement due to fraud and the risk of management override of other
controls (AU-C 940.16). For example, the use of a lockbox (a control activity)
may mitigate inherent risks associated with the completeness of cash receipts.
.42 The auditor also should document, in the audit strategy, any risks of material
misstatement that relate pervasively to the financial statements as a whole that
potentially affect many relevant assertions. These may relate to the overall
effectiveness of the control environment, entity risk assessment, communication,
and monitoring, including whether deficiencies preclude the effectiveness of
specific control activities. The focus should be on management’s overall attitude,
awareness, and actions, including the ability to override existing controls, rather
than on specific conditions related to a control environment, entity risk
assessment, communication, or monitoring factor. The auditor should use this
assessment when determining the risks of material misstatement for specific
accounts and assertions.
When developing responses to these types of risks of material misstatement at
the overall financial statement level, the auditor should consider matters such as
the knowledge, skill, and ability of personnel assigned significant engagement
responsibilities; whether certain aspects of the engagement require a specialist;
and the appropriate level of supervision of audit staff. AU-C 330.A1 discusses the
auditor’s overall responses to address the assessed risks of material
misstatement at the financial statement level.
.43 When identifying and assessing the risks of material misstatement due to fraud,
the auditor should, based on a presumption that risks of fraud exist in revenue
recognition, evaluate which types of revenue, revenue transactions, or assertions
give rise to such risks. If the auditor concludes that the presumption is not
applicable in the circumstances of the engagement and, accordingly, has not
identified revenue recognition as a risk of material misstatement due to fraud, the
auditor should document the reasons for that conclusion (see FAM 290.06m)
(AU-C 240.26 and 240.46).
.44 The auditor should determine which of the risks identified require special audit
consideration. These risks are defined as “significant risks” in AU-C 315. In
exercising this judgment, the auditor should exclude the effects of identified
controls related to the risk (AU-C 315.28). In exercising professional judgment
about which risks are significant risks, the auditor should consider at least
a. whether the risk is a risk of fraud;
b. whether the risk is related to recent significant economic, accounting, or other
developments and therefore requires specific attention;
c. the complexity of transactions;
d. whether the risk involves significant transactions with disclosure entities,
related parties, or public-private partnerships;
e. the degree of subjectivity in the measurement of financial information related
to the risk, especially those measurements involving a wide range of
measurement uncertainty; and
f. whether the risk involves significant unusual transactions (AU-C 315.29).
The auditor should treat identified transactions with disclosure entities, related
parties, and public-private partnerships that are also significant unusual
transactions as giving rise to significant risks (AU-C 550.20). The auditor should
treat those assessed risks of material misstatement due to fraud as significant
risks. If the auditor has determined that a significant risk exists, the auditor
should obtain an understanding of the entity’s related controls, including control
activities, relevant to that risk, and based on that understanding, evaluate
whether such controls have been suitably designed and implemented to mitigate
such risks (AU-C 240.27 and 315.30). The results of these procedures assist the
auditor in developing an effective audit approach, as discussed in FAM 300 and
400.
.45 In respect of some risks, the auditor may judge that it is not possible or
practicable to obtain sufficient appropriate audit evidence only from substantive
procedures. Such risks may relate to the inaccurate or incomplete recording of
routine and significant classes of transactions or account balances, the
characteristics of which often permit highly automated processing with little or no
manual intervention. In such cases, the entity’s controls over such risks are
relevant to the audit, and the auditor should obtain an understanding of them
(AU-C 315.31).
.46 The auditor’s assessment of the risks of material misstatement at the assertion
level may change during the course of the audit as additional audit evidence is
obtained. In circumstances in which the auditor obtains audit evidence from
performing further audit procedures or if new information is obtained, either of
which is inconsistent with the audit evidence on which the auditor originally
based the assessment, the auditor should revise the assessment and modify the
further planned audit procedures accordingly (AU-C 315.32). For fraud, the
auditor’s risk assessment should be ongoing throughout the audit (AU-C 240.25).
Accordingly, communications among the engagement team members about the
risks of material misstatement due to fraud should continue throughout the audit,
particularly upon discovery of new facts (AU-C 240.15).
Control Environment
.47 The control environment is the foundation for an internal control system. It
provides the discipline and structure, which affect the overall quality of internal
control. It influences how objectives are defined and how control activities are
structured. Those charged with governance and management establish and
maintain an environment throughout the entity that sets a positive attitude toward
internal control. The underlying principles for this component are as follows
(Green Book):
• Those charged with governance and management should demonstrate a
  commitment to integrity and ethical values.
• Those charged with governance should oversee the entity’s internal control
  system.
• Management should establish an organizational structure, assign
  responsibility, and delegate authority to achieve the entity’s objectives.
• Management should demonstrate a commitment to recruit, develop, and
  retain competent individuals.
• Management should evaluate performance and hold individuals accountable
  for their internal control responsibilities.
The auditor should obtain and document an understanding of the control
environment and the underlying principles. In connection with this understanding,
the auditor should incorporate the elements of AU-C 315, which are discussed
below.
.48 The control environment includes the governance and management functions
and the attitudes, awareness, and actions of those charged with governance and
management concerning the entity’s internal control and its importance in the
entity (AU-C 315.A79). Based on AU-C 315.A80 and the Green Book, elements
of the control environment that may be relevant when obtaining an understanding
of the control environment include the following:
• integrity, ethical values, and standards of conduct;
• commitment to competence;
• participation by those charged with governance;
• management’s philosophy and operating style;
• organizational structure;
• assignment of authority and responsibility;
• human resource policies and practices;
• management’s control methods over budget formulation and execution;
• management’s control methods over compliance with applicable laws,
  regulations, contracts, and grant agreements;
• documentation of the internal control system;
• succession and contingency plans and preparation; and
• enforcing accountability and considering excessive pressure.
.49 The auditor should obtain and document an understanding of the control
environment sufficient to assess the risk of material misstatement and to plan the
audit. As part of obtaining this understanding, the auditor should evaluate
whether (1) management, with the oversight of those charged with governance,
has created and maintained a culture of honesty and ethical behavior and (2) the
strengths in the control environment collectively provide an appropriate
foundation for the other components of internal control and whether those other
components are not undermined by deficiencies in the control environment
(AU-C 315.15). The auditor should evaluate the design of the control
environment and determine whether it has been implemented. In doing this, the
auditor determines whether the control environment enhances or mitigates the
effectiveness of specific control activities (Green Book 10.03). In making this
determination, the auditor should evaluate the following factors and their effect
on internal control. For each factor listed below, FAM 295 B lists conditions that
may indicate control environment deficiencies.
a. Integrity, ethical values, and standards of conduct. Control effectiveness
cannot rise above the integrity and ethical values of those who create,
administer, and monitor the controls. Management’s integrity and ethical
values are essential elements of the control environment, affecting the
design, administration, and monitoring of the other components. Integrity and
ethical behavior result when the entity’s leaders have high ethical and
behavioral standards and properly communicate them and reinforce them in
practice. The standards include management’s actions to remove or reduce
incentives and temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts. Management also establishes a process
for evaluating employees’ adherence to the organization’s standards of
conduct and remediates any deviations timely and consistently (Green Book
1.10).
The communication of entity values and behavioral standards to personnel
may take place through policy statements and codes of conduct and by
example. Those charged with governance and management set the tone at
the top and throughout the organization by their example, which is
fundamental to an effective internal control system. Without a strong tone at
the top to support an internal control system, the entity’s risk identification
may be incomplete, risk responses may be inappropriate, control activities
may not be designed or implemented effectively, information and
communication may falter, and results of monitoring may not be understood
or acted upon to remediate deficiencies (Green Book 1.02–1.05).
b. Commitment to competence. Competence is the knowledge and skills
necessary to accomplish tasks required by an individual’s job. Commitment to
competence includes management’s consideration of the competence levels
for various jobs and the requisite skills, knowledge, and abilities, which are
gained largely from professional experience, training, and certifications.
Management establishes expectations of competence for key roles, and other
roles at management’s discretion, to help the entity achieve its objectives.
Management considers standards of conduct, assigned responsibility, and
delegated authority when establishing expectations (Green Book 4.02–4.04).
It is supplemented by effective human resources policies and practices, as
discussed below.
c. Participation by those charged with governance. Those charged with
governance are responsible for overseeing the financial reporting process,
including internal control over financial reporting. This includes providing
management with input for remediation and oversight of deficiencies in the
internal control system as appropriate (Green Book 2.11–2.13). For a federal
entity, those charged with governance may be members of a board or
commission, an audit committee, the secretary of a cabinet-level department,
OMB, the Department of the Treasury, or senior executives and financial
managers responsible for the entity (Green Book 2.05). They oversee the
entity’s operations, provide constructive criticism to management, and where
appropriate make oversight decisions so that the entity achieves its
objectives in alignment with the entity’s integrity and ethical values (Green
Book 2.02 and 2.07). Capabilities expected of all members of those charged
with governance include integrity and ethical values, leadership, critical
thinking, and problem-solving abilities (Green Book 2.06). The effectiveness
of those charged with governance is influenced by their authority and role in
monitoring an entity’s financial reporting process.
d. Management’s philosophy and operating style. Management’s philosophy
and operating style encompass a broad range of beliefs, concepts, and
attitudes. Such characteristics may include management’s approach to taking
and monitoring operational/program risks; attitudes and actions toward
financial reporting; emphasis on meeting financial and operating goals; and
attitude toward information processing, accounting, personnel, and internal
control.
e. Organizational structure. An entity’s organizational structure provides the
overall framework for planning, executing, directing, controlling, and
assessing the organization’s operations in achieving its objectives. The
organizational structure assigns authority and responsibility within the entity.
An organizational structure includes the form and nature of an entity’s
organizational units, including the data processing organization, and related
management functions and reporting relationships, which are defined at all
levels of the organization and provide methods of communication that can
flow down, across, up, and around the structure. Management periodically
evaluates the organizational structure so that it meets the entity’s objectives
and has adapted to any new objectives for the entity, such as a new law or
regulation (Green Book 3.02–3.05).
f. Assignment of authority and responsibility. An entity’s policies or
procedures for assigning authority for operating activities and for delegating
responsibility affect the understanding of established reporting relationships
and responsibilities. These responsibilities are assigned to discrete units to
enable the organization to operate in an efficient manner, comply with
applicable laws and regulations, and reliably report quality information.
Management determines the level of authority and delegates that authority
only to the extent required to achieve the entity’s objectives. As part of
delegating authority, management establishes the key roles and evaluates
the delegation for proper segregation of duties within the unit and in the
organizational structure (Green Book 3.06–3.08, 10.02, 10.03, 12.03, and
12.04). This factor includes policies relating to appropriate business
practices, knowledge and experience of key personnel, and resource
allocations. It also includes policies and communications to enable personnel
to understand the entity’s objectives, how they contribute to these objectives,
and how and for what they will be held accountable. Management should
periodically review policies, procedures, and related control activities for
continued relevance and effectiveness in achieving the entity’s objectives or
addressing related risks (Green Book 12.05).
g. Human resource policies and practices. Human resource policies and
practices affect an entity’s ability to employ sufficient competent and
trustworthy personnel to accomplish its goals and objectives. Such policies
and practices include hiring, training, evaluating, promoting, compensating,
mentoring, retaining, and assisting employees in performing their assigned
responsibilities by giving them the necessary resources (Green Book 4.05).
h. Management’s control methods over budget formulation and execution.
Management’s budget control methods affect the authorized use of
appropriated funds. Budget formulation is discussed in more detail in FAM
260.81, and controls over budget execution (budget controls) are addressed
in more detail in FAM 300.
i. Management’s control methods over compliance with laws, regulations,
contracts, and grant agreements. Such methods have a direct effect on an
entity’s compliance with applicable laws, regulations, contracts, and grant
agreements. Compliance controls are addressed in more detail in FAM 300.
j. Documentation of the internal control system. Management develops and
maintains documentation of its internal control system to meet organizational
needs by establishing and communicating the who, what, when, where, and
why of internal control execution to personnel through its policies. The extent
of documentation needed to support the design, implementation, and
operating effectiveness of the five components of internal control is a matter
of management judgment (Green Book 3.09–3.12 and 12.02).
k. Succession and contingency plans and preparation. Management
defines succession and contingency plans for key roles to help the entity
continue achieving its objectives. Succession plans address the entity’s need
to replace competent personnel over the long term, whereas contingency
plans address the entity’s need to respond to sudden personnel changes that
could compromise the internal control system. The importance of a key role in
the internal control system and the impact to the entity of its vacancy dictate
the formality and depth of the contingency plan (Green Book 4.06–4.08).
l. Enforcing accountability and considering excessive pressure.
Management enforces accountability for individuals in performing their
internal control responsibilities. Management holds personnel accountable
through mechanisms such as performance appraisals and disciplinary
actions. Management also holds service organizations accountable for their
assigned internal control responsibilities. Management communicates to the
service organization the objectives of the entity and their related risks, the
entity’s standards of conduct, the role of the service organization in the
organizational structure, the assigned responsibilities and authorities of the
role, and the expectations of competence for its role that will enable the
service organization to perform its internal control responsibilities.
Management, with oversight from those charged with governance, takes
corrective action as necessary to enforce accountability for internal control in
the entity (Green Book 5.02–5.06). Management is responsible for evaluating
pressure on personnel to help personnel fulfill their assigned responsibilities
in accordance with the entity’s standards of conduct. Management adjusts
excessive pressures on personnel in the entity. Pressure can appear in an
entity because of goals management established to meet objectives or
cyclical demands of various processes the entity performs (Green Book
5.07–5.08).
Entity Risk Assessment
.50 Management assesses the risks the entity faces from both external and internal
sources. This assessment provides the basis for developing appropriate risk
responses. The underlying principles for this component are as follows (Green
Book):
• Management should define objectives clearly to enable the identification of
  risks and define risk tolerances.
• Management should identify, analyze, and respond to risks related to
  achieving the defined objectives.
• Management should consider the potential for fraud when identifying,
  analyzing, and responding to risks.
• Management should identify, analyze, and respond to significant changes
  that could impact the internal control system.
The auditor should obtain and document an understanding of the entity risk
assessment and the underlying principles. In connection with this understanding,
the auditor should incorporate the elements of AU-C 315, which are discussed
below.
.51 Entity risk assessment is an entity’s process for identifying, analyzing, and
responding to (1) risks relevant to achieving the objectives of reliable financial
reporting (including safeguarding of assets) and compliance with laws (including
those governing the use of budget authority), regulations, contracts, and grant
agreements and (2) significant changes that could impact the internal control
system. For example, the entity’s risk assessment may address how the entity
analyzes significant estimates recorded in the financial statements or how it
considers the possibility of unrecorded transactions (AU-C 315.A90). Risks may
arise due to both internal and external circumstances, such as
• changes in the operating or statutory environment;
• new personnel who may have a different focus on internal control;
• the ability of management to override established controls;
• new or significantly changed information systems;
• rapid growth of programs, which can strain controls;
• new technology, which may change risks;
• new programs or activities, which may introduce new control risks;
• restructurings or budget cutbacks, which may include downsizing and
  changes in supervision and segregation of duties;
• adoption of new accounting principles, which may affect risks in preparing
  financial statements; or
• changes in economic conditions (AU-C 315.A91).
.52 The auditor should obtain and document an understanding of the entity’s risk
assessment process sufficient for assessing the risk of material misstatement
and planning the audit. The auditor should evaluate the design of the entity’s risk
assessment process and determine whether it has been implemented. In doing
this, the auditor should understand whether the entity has a process for
(1) identifying risks relevant to the entity and its objectives of financial reporting
(including safeguarding and its service organizations) and its compliance with
budget and other laws, regulations, contracts, and grant agreements;
(2) estimating the significance of the risks; (3) assessing the likelihood of their
occurrence; and (4) deciding about actions to address those risks (AU-C 315.16
and Green Book 7.01–7.09 and 10.02). This also includes understanding
whether management defines objectives clearly in specific and measurable terms
to enable the design of internal control for related risks to be understood at all
levels of the entity. Within the objectives, management defines the risk
tolerances, which are the acceptable levels of variation in performance relative to
the achievement of objectives. Depending on the category of objectives, risk
tolerances may be expressed as operations objectives, nonfinancial reporting
objectives, financial reporting objectives, or compliance objectives (Green Book
6.02–6.10).
.53 If the entity has established a risk assessment process, the auditor should obtain
an understanding of it and the results thereof. If the auditor identifies risks of
material misstatement that management failed to identify, the auditor should
evaluate whether an underlying risk existed that the auditor expects would have
been identified by the entity’s risk assessment process. If such a risk exists, the
auditor should obtain an understanding of why that process failed to identify it
and evaluate whether the process is appropriate to its circumstances, or
determine if a significant deficiency or material weakness exists in internal control
regarding the entity’s risk assessment process (AU-C 315.17).
.54 If the entity has not established a risk assessment process or has an ad hoc
process, the auditor should discuss with management whether business risks
relevant to financial reporting objectives have been identified and how they have
been addressed. The auditor should evaluate whether the absence of a
documented risk assessment process is appropriate in the circumstances or
determine whether it represents a significant deficiency or material weakness in
the entity’s internal control (AU-C 315.18).
Information and Communication Factors
.55 These factors involve the quality information that management and personnel
communicate and use to support the internal control system. Effective
information and communication are vital for an entity to achieve its objectives.
Entity management needs access to relevant and reliable communication related
to internal as well as external events. The underlying principles for this
component are as follows (Green Book):
• Management should use quality information to achieve the entity’s objectives.
• Management should internally communicate the necessary quality
  information to achieve the entity’s objectives.
• Management should externally communicate the necessary quality
  information to achieve the entity’s objectives.
The auditor should obtain and document an understanding of information and
communication and the underlying principles. In connection with this
understanding, the auditor should obtain an understanding of the information
system, including the related business processes relevant to financial reporting,
including the following areas (AU-C 315.19):
a. The classes of transactions in the entity’s operations that are significant to the
financial statements.
b. The procedures within both information technology and manual systems by
which those transactions are initiated, authorized, recorded, processed,
corrected as necessary, transferred to the general ledger, and reported in the
financial statements.
c. The related accounting records supporting information and specific accounts
in the financial statements that are used to initiate, authorize, record, process,
and report transactions, including correcting information and determining how
information is transferred to the general ledger (the records may be in either
manual or electronic form).
d. How the information system captures events and conditions, other than
transactions, that are significant to the financial statements.
e. The financial reporting process used to prepare the entity’s financial
statements, including significant accounting estimates and note disclosures.
f. Controls surrounding journal entries, including nonstandard journal entries
used to record nonrecurring, unusual transactions or adjustments.
This understanding of the information system relevant to financial reporting
should include relevant aspects of that system relating to information disclosed in
the financial statements that is obtained from within or outside of the general and
subsidiary ledgers (AU-C 315.19). See FAM 320 for discussion on understanding
information systems.
Further, the auditor should obtain an understanding of how the entity
communicates financial reporting roles and responsibilities and significant
matters relating to financial reporting, including (a) communications between
management and those charged with governance and (b) external
communications, such as those with regulatory authorities (AU-C 315.20).
.56 Communication includes providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. It includes
the extent to which personnel understand how their activities relate to the work of
others and the means of reporting exceptions to an appropriate higher level
within the entity. Management communicates quality information down and
across reporting lines to enable personnel to perform key roles in achieving
objectives, addressing risks, and supporting the internal control system. Open
communication channels provide a means to report exceptions to the appropriate
people, including management and those charged with governance (Green Book
14.02–14.06).
Management considers a variety of factors, such as audience, nature of
information, availability, cost, and legal or regulatory requirements, in selecting
an appropriate method of communication. Communication takes such forms as
websites, emails, policy manuals, accounting and financial reporting manuals,
and memorandums. Communication also may be electronic, oral, and through
the actions of management in demonstrating acceptable behavior (Green Book
14.07–14.08). Laws and regulations may require entities to establish separate
lines of communication, such as whistleblower and ethics hotlines, for
communicating confidential information. Management informs employees of
these separate reporting lines, how they operate, how they are to be used, and
how the information will remain confidential (Green Book 14.06).
.57 The auditor should obtain and document an understanding of the entity’s
communication process sufficient for assessing the risk of material misstatement
and planning the audit. The auditor should evaluate the design of the entity’s
communication process and determine whether it has been implemented. In
doing this, the auditor should obtain sufficient knowledge of the means the entity
uses to communicate roles and responsibilities for, and significant matters
relating to, financial reporting, including safeguarding of assets and compliance
with laws (including those governing the use of budget authority), regulations,
contracts, and grant agreements. This would also include communications
between management and those charged with governance and external
communications (AU-C 315.20).
Management communicates with, and obtains quality information from, external
parties using established reporting lines so that external parties can help the
entity achieve its objectives and address related risks. Open two-way external
reporting lines allow for this communication. Information communicated to
management and those charged with governance includes significant matters
relating to risks, changes, or issues that impact the entity’s internal control
system (Green Book 15.02–15.06 and 13.02).
Monitoring Factors
.58 Internal control monitoring assesses the quality of performance over time and
promptly resolves the findings of audits and other reviews. Corrective actions are
a necessary complement to control activities in order to achieve objectives. The
underlying principles for this component are as follows (Green Book):
• Management should establish and operate monitoring activities to monitor the
  internal control system and evaluate the results.
• Management should remediate identified internal control deficiencies on a
  timely basis.
The auditor should obtain and document an understanding of monitoring and the
underlying principles. In connection with this understanding, the auditor should
incorporate the elements of AU-C 315, which are discussed below.
As discussed in AU-C 315, the auditor should obtain an understanding of the
major activities that the entity uses to monitor internal control over financial
reporting, including those related to those control activities relevant to the audit,
and how the entity initiates remedial actions to address deficiencies in its controls
(AU-C 315.23). The auditor should obtain an understanding of the sources of the
information used in the entity’s monitoring activities and the basis upon which
management considers the information to be sufficiently reliable for the purpose
(AU-C 315.25).
.59 Monitoring is the process by which management and those charged with
governance assess the effectiveness of internal control performance over time.
This may include establishing a baseline; ongoing activities, such as regular
management and supervision, to determine that a control was performed
correctly and evaluating the results; or communications from external parties,
such as regulator comments that may indicate areas in need of improvement
(Green Book 16.02–16.03).
Monitoring may include separate evaluations, such as FMFIA and FFMIA
assessments and IG or internal auditor work, or a combination of ongoing
activities and separate evaluations. See FAM 260.67 through .73 and .75 through
.77 for discussion of the FMFIA and FFMIA processes, respectively. Ongoing
monitoring is built into the entity’s operations, is performed continually, and
responds to change. Separate evaluations are used periodically and may provide
feedback on the effectiveness of ongoing monitoring. Separate evaluations also
include audits and other evaluations that may involve the review of control design
and direct testing of internal control. Management evaluates and documents the
results of ongoing monitoring and separate evaluations to identify internal control
issues (Green Book 16.04–16.09).
.60 The auditor should obtain and document an understanding of the entity’s
monitoring process sufficient for assessing the risk of material misstatement and
planning the audit. The auditor should evaluate the design of the entity’s
monitoring process and determine whether it has been implemented. By doing
this, the auditor should gain sufficient knowledge of the major types of activities
the entity uses to monitor internal control over financial reporting, including
safeguarding and compliance with laws (including those governing the use of
budget authority), regulations, contracts, and grant agreements, and how
monitoring is used to initiate corrective actions.
.61 If the entity has an internal audit function, the auditor should obtain an
understanding of the nature of the internal audit function’s responsibilities, how
the internal audit function fits in the entity’s organizational structure, and the
activities performed or to be performed (AU-C 315.24). The internal audit function
is often an important part of monitoring. Internal audit (1) provides information
about the functioning of internal control, focusing considerable attention on
evaluating the effectiveness of internal control; (2) communicates information
about strengths and deficiencies in internal control; and (3) provides
recommendations for improving internal control. If the internal audit function is
part of the entity’s monitoring controls, the auditor should understand the design
and implementation of the internal audit function as a monitoring control.
Understanding an internal audit function includes considering its authority and
reporting relationships, the qualifications of its staff, and its resources. For
information on using the work of internal auditors, see FAM 645.
.62 Monitoring activities may include using information from communications from
external parties that may indicate problems or highlight areas in need of
improvement. For example, management may use information from the IG’s
office to aid in monitoring. The IG’s office (a) conducts audits and investigations
relating to programs and operations; (b) provides oversight and coordination,
including recommending policies for programs and operations; and (c) keeps the
entity head and the Congress informed about problems and deficiencies,
including the progress of corrective actions. If using information from the IG’s
office is part of the entity’s monitoring controls, the auditor should understand the
design and implementation of this as a monitoring control (Green Book 16.10).
.63 Effective monitoring includes evaluating any internal control deficiencies
identified and remediating those deficiencies timely. This may be accomplished
through establishing reporting lines to the appropriate internal and external
parties on a timely basis to enable prompt evaluation of those issues. For
example, personnel may communicate these issues internally to the person in
the key role responsible for the internal control or associated process and, when
appropriate, to at least one level of management above that individual.
Depending on the nature of the issues, personnel may consider reporting certain
issues to those charged with governance. Management determines based on the
type of internal control deficiency the appropriate corrective actions to remediate
the internal control deficiency on a timely basis (Green Book 17.01–17.05). This
includes completing and documenting the corrective actions on a timely basis.
These corrective actions include resolution of audit findings (Green Book 17.06).
Control Activities
.64 Control activities are the actions management establishes through policies and
procedures to achieve objectives and respond to risks in the internal control
system, which includes the entity’s information system. The underlying principles
for this component are as follows:
• management should design the entity’s control activities to achieve objectives
  and respond to risks,
• management should design the entity’s information system and related
  control activities to achieve objectives and respond to risks, and
• management should implement control activities through policies. (Green
  Book)
The auditor should obtain and document an understanding of control activities
and the underlying principles. In connection with this understanding, the auditor
should incorporate the elements of AU-C 315, which are discussed below.
As discussed in AU-C 315, the auditor should obtain an understanding of control
activities relevant to the audit, which are those control activities the auditor
judges it necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures that
respond to assessed risks. An audit does not require an understanding of all the
control activities related to each significant class of transactions, account
balance, and disclosure in the financial statements or to every assertion relevant
to them. However, the auditor should obtain an understanding of the process of
reconciling detailed records to the general ledger for material account balances
(AU-C 315.21). In understanding the entity’s control activities, the auditor should
obtain an understanding of how the entity has responded to risks arising from
information technology (AU-C 315.22). See FAM 340 for further discussion on
identifying and understanding relevant control activities.
Information Systems’ Effect on the Control Environment, Entity
Risk Assessment, Communication, and Monitoring
.65 Information systems affect the effectiveness of control activities, the control
environment, entity risk assessment, communication, and monitoring. For
example, controls that normally would be performed by separate individuals in
manual systems may be concentrated in one software program, or application,
and pose a potential segregation-of-duties issue. See AU-C 315.A60 through
.A68 for further discussion of the effect of information systems on internal control.
.66 The auditor should obtain and document an understanding of the control
environment related to the entity’s information system sufficient for assessing the
risk of material misstatement and planning the audit. The auditor should evaluate
the design of the control environment related to the entity’s information system and
determine whether it responds to the entity’s objectives and risks and has been
implemented (Green Book 11.02). In doing this, the auditor should evaluate the
following information system factors in making an overall assessment of the
control environment, entity risk assessment, communication, and monitoring. An
IS controls auditor may assist the auditor in considering these factors.
a. Management’s attitudes and awareness with respect to information
systems. Management’s interest in and awareness of information system
functions (including those performed for the entity by other organizations) is
important in establishing an organization-wide consciousness of control
issues. Management may demonstrate its interest and awareness by
• considering the risks and benefits of software programs;
• communicating policies regarding information system functions and
  responsibilities;
• overseeing policies and procedures for developing, modifying,
  maintaining, and using computers, and for controlling access to programs
  and files;
• considering the risks of material misstatement, including fraud risk,
  related to information systems;
• responding to previous recommendations or concerns;
• quickly and effectively planning for, and responding to, information
  system processing crises; and
• using reliable computer-generated information for key operating
  decisions.
b. Organization and structure of the information systems function. The
organizational structure of the information systems function affects the control
environment. Centralized structures often have a single computer-processing
organization and use a single set of system and software programs, enabling
tighter management control over information systems. In decentralized
structures, each computer center generally has its own computer-processing
organization, software programs, and system software, which may result in
differences in policies and procedures and various levels of compliance at
each location.
c. Clearly defined assignment of responsibilities and authority. Appropriate
assignment of responsibility according to typical information system functional
areas can affect the control environment. Factors to consider include
• how the position of Chief Information Officer fits into the organizational
  structure;
• whether duties are appropriately segregated within the information
  systems function, such as those of operators and programmers, since
  lack of segregation typically affects all systems;
• the extent to which management external to the information systems
  function is involved in major systems development decisions; and
• the extent to which information system policies, standards, and
  procedures are documented, understood, followed, and enforced.
d. Management’s ability to identify and to respond to potential risk.
Information system processing, by its nature, introduces additional risk
factors. The entity should be aware of these risks and should develop
appropriate policies and procedures to respond to any information system
issues that might occur. The auditor may evaluate
• the methods for monitoring incompatible functions and for enforcing
  segregation of duties and
• management’s mechanism for identifying and responding to unusual or
  exceptional conditions timely.
Federal Managers’ Financial Integrity Act of 1982 [25]
.67 FMFIA requires executive agencies to establish internal controls that reasonably
ensure that
a. obligations and costs comply with applicable law;
b. all assets are safeguarded against waste, loss, unauthorized use, and
misappropriation; and
c. revenues and expenditures applicable to agency operations are recorded and
accounted for properly so that accounts and reliable financial and statistical
reports may be prepared and accountability of the assets may be maintained.
The Comptroller General issues standards for internal control in the federal
government pursuant to FMFIA. GAO’s Standards for Internal Control in the
Federal Government (Green Book) provides the overall framework for
establishing and maintaining an effective internal control system and provides
management criteria for designing, implementing, and operating an effective
internal control system. [26]
[25] FMFIA was repealed, but provisions remain codified at 31 U.S.C. § 3512(c), (d). These provisions are still
commonly referred to as FMFIA. Because of the common usage of the act’s name, the FAM will continue to refer to
FMFIA. However, auditors should correctly cite the applicable provisions in their reports. See FAM 595 A.
.68 FMFIA also requires executive agencies to evaluate and report on whether the
agencies’ internal control systems comply with the requirements described in
FAM 260.67. OMB Circular No. A-123, Management’s Responsibility for
Enterprise Risk Management and Internal Control, provides implementation
guidance for complying with this requirement. The circular defines management’s
responsibilities related to internal control and the process for assessing and
reporting on the effectiveness of internal control over operations, reporting, and
compliance.
.69 If applicable to the entity, the auditor should obtain an understanding of the
entity’s process for assessing and reporting on the effectiveness of internal
control based on criteria established under FMFIA (referred to as the FMFIA
process) and whether the process has been implemented. The auditor should
then determine whether this understanding affects the auditor’s risk assessment.
.70 The effectiveness of the FMFIA process typically is a good indicator of
management’s (1) philosophy and operating style, (2) assignment of authority
and responsibility, and (3) control methods for monitoring and follow-up. The
FMFIA process also may be the basis for management’s assessment about the
effectiveness of internal control over financial reporting and about the entity’s
financial management systems’ substantial compliance with FFMIA
requirements.
.71 To obtain an understanding of the FMFIA process, the auditor generally should
perform the following procedures. If the entity does not issue its own FMFIA
report, the auditor generally should perform the following procedures with respect
to information the entity contributes to the FMFIA report in which the entity is
included.
• Read the following:
  o FMFIA reports for the current and prior years to identify any changes;
  o important documentation prepared by the entity to support the
    current-year FMFIA report and related management assertions in the
    Management’s Discussion and Analysis (MD&A);
  o any IG reports on the FMFIA process;
  o OMB’s most recent annual letter concerning FMFIA reporting; and
  o management’s description of the FMFIA process.
• Discuss the FMFIA process with appropriate entity management (including
  management’s opinion of the quality of the process), specifically
  o how the FMFIA process is organized;
  o who is assigned to manage the process, including the staffing level,
    experience and qualifications of assigned personnel, and reporting
    responsibilities; and
  o how the process finds and evaluates deficiencies.
• Identify the entity’s actions on previously reported deficiencies and examine
  its documentation that demonstrates the results/effectiveness of those
  actions.
• Determine whether the audit finds different issues from those identified in the
  FMFIA process (if so, see FAM 580.85 for reporting on FMFIA).
[26] GAO, Standards for Internal Control in the Federal Government, GAO-14-704G (Washington, D.C.: September
2014).
.72 The auditor should consider whether management procedures and supporting
documentation are designed to provide management with reasonable assurance
that FMFIA objectives have been achieved. The auditor’s consideration is based
on the auditor’s understanding of the procedures discussed in FAM 260.71 rather
than the results of extensive tests. Factors the auditor may consider include
• evidence of efforts to rectify previously identified material weaknesses;
• management’s commitment of resources to the FMFIA process, as reflected
  in the skills, objectivity, and number of personnel assigned to manage the
  process;
• extent to which management’s methodology and assessment process,
  including testing and documentation, conform to the guidance in OMB
  Circular No. A-123 and related appendixes;
• contractor or internal auditor involvement (if any);
• the process used to identify and screen material weaknesses as FMFIA
  reports are consolidated and moved up the entity’s hierarchy;
• the sources that identify material weaknesses, since items identified by
  management personnel, rather than information from IG, GAO, or other
  external reports, demonstrate that the process can detect and report
  deficiencies;
• the extent to which management’s FMFIA reports are consistent with the
  auditor’s findings; and
• risk factors in FAM 295 B.19.
.73 The auditor should document the understanding of the FMFIA process and its
implementation. Based on this understanding, the auditor should determine
whether this understanding affects the auditor’s risk assessment. The auditor
should consider any material weaknesses identified in the FMFIA report in
determining the risks of material misstatement.
The auditor is not required to test the effectiveness of the FMFIA process.
However, the auditor may determine that it is appropriate to test management’s
FMFIA work to reduce audit risk. The auditor’s determination, based on testing,
that FMFIA is an effective control may reduce but cannot completely eliminate
the need for the auditor to perform substantive procedures for related line items,
accounts, and relevant assertions. FAM 360 discusses control testing, and FAM
370 discusses the preliminary assessments of control risk and the risk of material
misstatement.
Internal Control over Financial Reporting
.74 The auditor should obtain an understanding of the entity’s process for assessing
the effectiveness of its internal control over financial reporting. Management is
responsible for the design, implementation, and maintenance of internal control
over financial reporting. An entity should have a reasonable basis supporting
management assertions on the effectiveness of internal control over financial
reporting. As discussed in the Green Book, an effective internal control system
has
• each of the five components of internal control designed, implemented, and
  operating effectively and
• the five components operating together in an integrated manner.
In order to obtain an understanding of the entity’s system of internal control over
financial reporting, the auditor may perform the following procedures:
• Determine whether the entity established and organized an appropriate
  internal control over financial reporting management team.
• Determine whether the entity documented its methodology and plan for its
  internal control over financial reporting process, including an entity risk
  assessment.
• Review documentation from the entity’s prior assessments of internal control
  over financial reporting.
In obtaining an understanding, the auditor should consider whether management
procedures and supporting documentation are designed to provide management
with reasonable assurance about the effectiveness of the entity’s internal control
over financial reporting. This consideration should include risk factors in FAM 295
B.20.
The auditor should consider any material weaknesses identified by
management’s assessment of internal control over financial reporting in
determining the risks of material misstatement. FAM 270 discusses determining
the likelihood of effective IS controls, FAM 360 discusses control testing, and
FAM 370 discusses the preliminary assessments of control risk and the risk of
material misstatement.
Federal Financial Management Improvement Act of 1996
.75 As part of its FFMIA work, management determines whether its financial
management systems adhere to the guidance found in OMB Circular No. A-123,
appendix D, Management of Financial Management Systems Risk and
Compliance, and the Treasury Financial Manual, volume 1, part 6, chapter 9500,
Revised Federal Financial Management System Requirements. Under FFMIA,
the auditor of CFO Act agencies must report whether the financial management
systems comply substantially with the three requirements of the act. OMB issues
guidance for agencies and auditors when addressing compliance with FFMIA.
FAM 701 contains additional guidance for auditors.
.76 During the planning phase, the auditor should understand the design of
management’s process for determining whether the entity’s financial
management systems were in substantial compliance to report under FFMIA.
OMB Circular No. A-123 and the Treasury Financial Manual provide criteria for
assessing FFMIA compliance. The auditor generally should read management’s
documentation to determine whether to rely on the entity’s work. If reliance is
planned, see FAM 645. See FAM 350 for additional planning of audit procedures
related to FFMIA.
.77 If the entity previously had an assessment made of its financial management
systems’ substantial compliance with these requirements that resulted in finding
lack of substantial compliance, the auditor should understand the systems
deficiencies identified and the potential risks of material misstatement to line
items, accounts, and related assertions. The auditor also should read the
remediation plan required by FFMIA and note whether the plan appears feasible
and likely to remedy the deficiencies.
Federal Information Security Modernization Act of 2014
.78 The Federal Information Security Modernization Act of 2014 (FISMA) amended
the Federal Information Security Management Act of 2002. FISMA requires
federal agencies to periodically test, evaluate, and report on the effectiveness of
their information security policies, procedures, and practices as part of
developing and implementing an entity-wide information security program.
FISMA requires agencies to use NIST standards when performing certain
functions. OMB reporting guidance for FISMA specifies the applicable NIST
standards and other NIST publications to be used.
.79 FISMA requires agencies to perform an independent evaluation and submit an
annual report regarding major information security incidents to OMB, the
Department of Homeland Security, and GAO. These annual reports should
include (1) threats and threat actors, vulnerabilities, and impacts; (2) agency risk
assessments of affected systems before, and the status of compliance of the
systems with security requirements at the time of, major incidents; (3) detection,
response, and remediation actions; (4) the total number of incidents, including
system implementation levels and locations of affected incidents; and (5) a
description of the number of individuals affected by, and the information exposed
by, major incidents involving a breach of personally identifiable information.
Agencies are also required to have their information security programs evaluated
each year by their IG or by an independent external auditor. An external auditor
may be engaged by an IG or, if the agency does not have an IG, by the agency.
Management may rely on testing performed as part of the independent
evaluation when making its own assessment.
.80 The auditor should read the most recent FISMA report to assess the implications
of any reported threats, incidents, and vulnerabilities on the risks of material
misstatement for related line items, accounts, and relevant assertions. The
auditor may assess whether the procedures performed for FISMA reporting can
be relied upon as part of the financial statement audit for purposes of planning
and conducting other audit procedures. Likewise, it may be possible for the
auditor to use procedures performed as part of the financial statement audit to
fulfill the FISMA requirements for certain systems, depending on the timing,
nature, and extent of the work.
Budget Formulation
.81 The auditor should obtain an overall understanding of the design of the budget
formulation process. The auditor does this to understand better how
misstatements and internal control deficiencies may affect the budget formulation
process. Based on discussions with entity management responsible for the
budget formulation process and review of budget documents, the auditor should
understand the design of
• the entity’s process for developing and summarizing the budget;
• the nature and sufficiency of instructions and training provided to individuals
  responsible for developing the budget;
• the extent to which individuals involved in approving budget requests are also
  involved in the budget formulation process;
• the general extent to which the budget is based on historical information;
• the reliability of information on which the budget is based;
• the extent to which the budget formulation system is integrated with the
  budget execution system; and
• the correlation between information developed in the budget formulation
  process and the allotments and suballotments, if applicable, in the budget
  execution system.
.82 The auditor is not required to test the effectiveness of the budget formulation
process, unless the auditor determines in the internal control phase that testing
the effectiveness of the budget formulation process is an efficient and effective
means of reducing the risk of material misstatement and the extent of substantive
procedures.
Planning Phase
270 Determine Likelihood of Effective IS Controls
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 270-1
270 Determine Likelihood of Effective IS Controls
.01 As discussed in FAM 240.12 through .17, when significant accounting
applications include control activities, such as application and user controls, that
depend on information system processing, the auditor should assess IS controls
using an appropriate methodology. IS controls consist of those internal controls
that depend on information system processing and include general controls,
application controls, and user controls. Because of the technical nature of many
IS controls, the auditor generally should obtain assistance from an IS controls
auditor in understanding the entity’s use of information systems and in planning,
directing, or performing audit procedures related to assessing IS controls.
Additionally, an information technology specialist may assist the auditor in
understanding technical aspects of information systems and IS controls.
.02 In the planning phase, the auditor should identify and document the general
controls implemented at the entity-wide, system, and application levels that help
ensure the effective operation of application and user controls included in the
significant accounting applications. The auditor should understand the design of
the general controls identified to the extent necessary to conclude tentatively
whether these controls are likely to be effective. As discussed in FAM 240.13,
general controls help ensure the proper operation of information systems by
creating the environment for effective operation of application controls. The
auditor may coordinate work done to meet the provisions of FISMA (44 U.S.C. §§
3551-3558) with work done as part of the financial statement audit. See FAM 295
J for a flowchart of steps for assessing IS controls during a financial statement
audit. Also see FISCAM and other applicable guidance.
The procedures performed to determine the likelihood of effective IS controls
build on those procedures performed to gain an understanding of the entity’s
operations, including the design of its internal controls, and assess the effects of
information systems on inherent risk and the control environment, entity risk
assessment, information and communication, and monitoring. As discussed in
AU-C 315.13 through .25, the auditor should obtain an understanding of each of
the five components of internal control (control environment, entity risk
assessment, information and communication, monitoring, and control activities)
sufficient for assessing the risks of material misstatement of the financial
statements whether due to error or fraud, and for determining the nature, extent,
and timing of further audit procedures. This understanding should include
relevant information system aspects.
.03 Financial management systems are used extensively in the federal government.
Many of these systems share programs, data files, and hardware with one
another and are connected to the larger corporate network that they depend on
for services such as authentication and monitoring. In addition to producing
financial and accounting information, these systems typically generate other
information and reports used in management decision-making.
If the auditor determines that a financial management system maintained by a
service organization is significant, then the auditor should follow the guidance
outlined in FAM 640.05 through .09.
.04 If the general controls identified are likely to be effective, the auditor should
consider other specific IS controls in determining whether control objectives are
achieved in the internal control phase. As discussed in AU-C 315.A76, evaluating
the design of a control involves considering whether the control, individually or in
combination with other controls, is capable of effectively preventing, or detecting
and correcting, material misstatements. See FAM 350.
.05 If the general controls identified are not likely to be effective, the auditor should
obtain a sufficient understanding of control risks arising from information systems
to
• identify types of potential misstatements,
• consider factors that affect the risks of material misstatement,
• design tests of controls and substantive procedures, and
• develop appropriate findings.
.06 Also, in the internal control phase, the auditor generally should understand the
design effectiveness of manual controls in achieving control objectives, including
manual reviews or reconciliations, that may mitigate deficiencies in IS controls. If
IS controls are not likely to be effective because of poor general controls and if
manual controls do not achieve the control objectives, the auditor should
understand the design of any application-level IS controls that are intended to
achieve the control objectives to develop recommendations for improving internal
controls.
.07 As discussed in FAM 260.45 and AU-C 315.31, .A156, and .A157, when routine
business transactions are subject to highly automated processing with little or no
manual intervention, it may not be possible to obtain sufficient appropriate audit
evidence only from substantive procedures. For example, the auditor may
determine this to be the case when a significant amount of information is
electronically initiated, authorized, recorded, processed, or reported only in
electronic form, such as in an integrated system (see AU-C 315.A158 for
additional examples). In such cases, the auditor should, through testing of IS
controls, obtain evidential matter about the effectiveness of both the design and
operation of controls to reduce the assessed level of the risks of material
misstatement. If the auditor determines that IS controls are not effective, the
auditor should consider whether sufficient appropriate audit evidence has been
obtained and the effect on the audit opinion.
275 Identify Relevant Operations Controls to Evaluate and Test
.01 In a financial statement audit, the auditor draws a conclusion about the
effectiveness of financial reporting (including safeguarding and budget) and
compliance (including budget) controls. For operations controls, the auditor
• may evaluate certain operations controls considered relevant (see FAM
  275.02 through .07) and
• should evaluate and test operations controls that are relied on in performing
  audit procedures (see FAM 275.08).
Relevant Operations Controls
.02 Relevant operations controls are based on the needs of the auditor. The auditor
should determine whether the evaluation of relevant operations controls will
(1) be included in the financial audit, (2) become a separate audit, or (3) not be
performed though any deficiencies noted will be reported to entity management
and the IG. In making this determination, the auditor may consider the following
factors:
• the significance of the operations controls to the entity’s operations,
• the time required to identify and test the operations controls,
• available resources,
• the needs of those charged with governance, and
• congressional interest.
.03 The auditor should document the operations controls identified for testing, the
procedures performed, and the results.
.04 In the planning phase and throughout the audit, the auditor may identify
significant areas where the entity would be expected to have operations controls.
The auditor may become aware of these areas, as well as potential deficiencies
in operations controls, through
• prior audit work;
• documenting an understanding of entity operations;
• assessing the risks of material misstatement and deficiencies in financial
  reporting and compliance controls;
• other audit planning procedures, including any reviews of the FMFIA
  documentation that the entity prepared;
• understanding the cause of misstatements noted; or
• observing activities during fieldwork.
.05 In obtaining an understanding of the entity’s operations, the auditor typically
would have identified areas that are critical to the operations. For each of these
areas, the entity should have effective operations controls. Also, in planning the
audit, the auditor may identify operations controls that could be evaluated in
conjunction with planned audit and other procedures. For example, in a test of
inventory purchases the auditor may evaluate whether management considered
appropriate order quantities for each inventory purchase selected to avoid a
buildup of excess inventory.
.06 The auditor may identify specific risks of material misstatement and control
deficiencies in planning and performing the audit and in determining the causes
of misstatements requiring audit adjustments. The auditor should evaluate the
implications of those risks and deficiencies on the entity’s operations controls if
• the effectiveness of a financial reporting or compliance control depends on
  the effectiveness of the operations control;
• the auditor plans to rely on this control during the audit; or
• the auditor is required to test the control following OMB audit guidance.
For example, misstatements in inventory records may indicate deficiencies in
operations controls whose effectiveness depends on accurate inventory records.
This would include the operations controls for maintaining proper inventory
levels, including those for detecting theft or loss.
.07 The auditor may find opportunities to recommend improvements to operations
controls and may choose to test the effectiveness of other operations controls.
Such opportunities could come to light while visiting the entity’s various locations
and performing audit procedures.
Operations Controls Relied on in the Audit
.08 If any contemplated audit procedure relies on operations controls, the auditor
should identify and test such controls. For example, assume that an auditor is
using substantive analytical procedures, based on entity-generated “per unit”
statistics, to test the reasonableness of certain operating costs. The auditor plans
to compare such per unit statistics with published costs incurred by similar
operations. The auditor should identify and test the entity’s operations controls
and other types of controls, as appropriate, over the production of these internal
statistics.
As discussed in FAM 495 A.20 through .22, if the reliability of internally
generated data used in substantive tests, such as substantive analytical
procedures, depends on the effectiveness of IS controls, the auditor should
perform additional procedures before relying on the data. The auditor should test,
as appropriate, the relevant general controls and the specific application level
controls over the data, the data in the report, or both.
280 Plan Other Audit Procedures
.01 The auditor generally should plan for performing procedures in the following
areas during other phases of the audit.
The auditor should also consider the implementation guidance in volume 2 of the
FAM as applicable. Volume 2 includes areas such as using the work of others,
determining compliance with FFMIA and other laws, performing agreed-upon
procedures, and substantive testing.
Litigation, Claims, and Assessments
.02 The auditor should make inquiries of the entity’s legal counsel and perform other
audit procedures regarding litigation, claims, and assessments. This is necessary
to assess potential liabilities and contingencies. Entity management and legal
counsel may need significant time to gather and report necessary information,
including the potential need for inquiries of Department of Justice legal counsel
on a case-specific basis. Additionally, for initial audits and changes in personnel,
the auditor may discuss with management why a response from the entity’s legal
counsel is needed as part of a financial statement audit. See FAM 1002 for
additional guidance.
.03 Based on AU-C 501.17 and .A43, the auditor should design and perform audit
procedures to identify litigation, claims, and assessments involving the entity that
may give rise to a risk of material misstatement, including
• inquiring of management and, when applicable, others within the entity,
  including in-house legal counsel, which may include discussing their policies
  and procedures for identifying, evaluating, and accounting for litigation,
  claims, and assessments;
• obtaining from management a description and evaluation of litigation, claims,
  and assessments that existed at the date of the financial statements being
  reported on and during the period from the date of the financial statements to
  the date the information is furnished, including identification of those matters
  referred to legal counsel;
• reviewing minutes of meetings of those charged with governance; documents
  obtained from management concerning litigation, claims, and assessments;
  and correspondence between the entity and its legal counsel; and
• reviewing legal expense accounts and invoices from external legal counsel.
.04 Based on AU-C 501.19 and .20, the auditor should seek direct communication
with the entity’s in-house legal counsel regarding the entity’s litigation, claims,
and assessments.²⁷ The auditor should do so through a legal counsel request
prepared by management and sent by the auditor requesting that the entity’s
in-house legal counsel communicate directly with the auditor.
²⁷ In the federal government, in-house legal counsel generally has primary responsibility for the entity’s legal matters
and thus is most knowledgeable about the entity’s litigation, claims, and assessments.
In addition to the direct communication with the entity’s in-house legal counsel,
the auditor should, when the entity’s external legal counsel is responsible for the
entity’s litigation, claims, and assessments, seek direct communication with the
entity’s external legal counsel through a legal counsel request similar to the
request made to the in-house legal counsel.²⁸
The legal counsel response(s) may be limited to matters that are considered
individually or collectively material to the financial statements, such as when the
entity and the auditor have reached an understanding on the limits of materiality
for this purpose and management has communicated such understanding to the
legal counsel (AU-C 501.A57). See FAM 1002 B for an example legal counsel
request and FAM 1002 C for an example legal counsel response.
.05 During planning, the auditor also should apply any additional requirements in
OMB audit guidance related to legal counsel requests and responses. For
example, OMB audit guidance indicates that the interim and updated responses
from legal counsel for specified entities are to be submitted to specified parties
by specific dates that the Department of the Treasury establishes.
Management Representations
.06 As discussed in FAM 550, the auditor should obtain a representation letter from
entity management, and when appropriate, those charged with governance, on
specific matters at the completion of the audit. Particularly for first-year audits,
when standards change, and when management changes, the auditor may find it
useful to discuss representations with management early in the audit to identify
and resolve any difficulties related to obtaining these representations at the end
of the audit. These representations include
• the effectiveness of internal control over financial reporting;
• compliance with laws, regulations, contracts, and grant agreements;
• management’s materiality thresholds for reporting; and
• for CFO Act agencies, whether financial management systems comply
  substantially with FFMIA requirements.
Additionally, the auditor should prepare a summary of uncorrected misstatements
(including prior period misstatements that affect the current financial statements)
and attach it to the representation letter. FAM 595 C provides an example of a
summary of uncorrected misstatements. The representation letter should state
management’s belief that the effects of the misstatements are immaterial to the
financial statements as a whole, both individually and in the aggregate.
During planning, the auditor should also apply any additional requirements in
OMB audit guidance related to management representations. For example, OMB
audit guidance indicates that the auditor should provide and discuss with
management a draft representation letter as early as possible in the audit and
update the letter for circumstances found throughout the audit. Additional
guidance on management representations is provided in AU-C 580, AU-C 940,
AT-C 205, AT-C 215, AT-C 315, and FAM 1001.
²⁸ In the federal government, the main legal counsel outside of the entity is the Department of Justice.
Relationships and Transactions with Disclosure Entities, Related
Parties, and Public-Private Partnerships
.07 Throughout the planning phase, the auditor should perform procedures to (1)
obtain an understanding of the entity’s relationships and transactions with
disclosure entities, related parties, and public-private partnerships (see FAM
220.08–.11); (2) consider the susceptibility of the financial statements to material
misstatement due to fraud or error that could result from such relationships and
transactions (see FAM 260.37); and (3) identify the risks of material
misstatement (see FAM 260.40 and .44).²⁹ The identity of the entity’s disclosure
entities, related parties, and public-private partnerships and other relevant
information should be distributed to all members of the engagement team (AU-C
550.19).
Throughout the audit, engagement team members should remain alert when
inspecting records or documents for arrangements or other information that may
indicate the existence of additional relationships or transactions with disclosure
entities, related parties, and public-private partnerships that management has not
previously identified or disclosed to the auditor (AU-C 550.17). Also see FAM 904
for additional procedures the auditor should perform and FAM 550 for concluding
on relationships and transactions with disclosure entities, related parties, and
public-private partnerships.
The auditor generally should (1) inquire about the population of entities that
management considered when evaluating the existence of a disclosure entity
and the method used to assess whether an entity meets the requirements for
disclosure and (2) for any disclosure entities identified by management, inquire of
the methods for determining the information that should be disclosed in the
financial statements, which is based on both qualitative and quantitative
materiality and the following factors (SFFAS 47):
• relevance to reporting objectives;
• nature and magnitude of the potential risks/exposures or benefits associated
  with the relationship;
• complexity of the relationship;
• extent to which the information interests, or may be expected to interest, a
  wide audience; and
• extent to which there are no alternative sources of reliable information.
Required Supplementary Information
.08 Per U.S. GAAP, certain information is to be included with the entity’s financial
statements and to be labeled as RSI. Although this information is not a part of the
basic financial statements, FASAB considers this information to be an essential
part of financial reporting for placing the basic financial statements in appropriate
operational, economic, or historical context (AU-C 730.04). Some examples of
RSI include the MD&A, information regarding social insurance per SFFAS 17,
and information regarding the Statement of Custodial Activity per SFFAS 7.
²⁹ Procedures related to disclosure entities and public-private partnerships do not apply to entities issuing financial
statements in accordance with FASB accounting standards.
For RSI, the auditor should perform the following (AU-C 730.05):
• Inquire of management about the methods of preparing the information,
  including
  o whether it has been measured and presented in accordance with the
    prescribed guidelines,
  o whether methods of measurement or presentation have been changed
    from those used in the prior period and the reasons for any such
    changes, and
  o whether there were any significant assumptions or interpretations
    underlying the measurement or presentation of the information.
• Compare the information for consistency with (also see FAM 520 for applying
  analytical procedures)
  o management’s responses to the auditor’s inquiries,
  o the basic financial statements, and
  o other knowledge obtained during the audit of the basic financial
    statements.
• Obtain written representations from management
  o that it acknowledges its responsibility for RSI;
  o about whether RSI is measured and presented in accordance with
    prescribed guidelines;
  o about whether the methods of measurement or presentation have
    changed from those used in the prior period and, if so, the reasons for
    such changes; and
  o about any significant assumptions or interpretations underlying the
    measurement or presentation of RSI—refer to FAM 1001 A for
    management representation letter example.
OMB also provides reporting guidance on RSI. See FAM 550.21 through .22 for
information on concluding on RSI and FAM 580.38 regarding how the auditor
reports on the work performed in this area.
Other Information Included with the Financial Statements
.09 Per U.S. GAAP and OMB reporting guidance, certain information is to be
included with the entity’s financial statements and to be labeled as other
information. Other information is financial or nonfinancial information (other than
the basic financial statements, RSI, and auditor’s report) included in an entity’s
annual report (AU-C 720.12).
For other information, the auditor should perform the following:
• Through discussion with management, determine and obtain management’s
  written acknowledgment regarding which document(s) comprise the annual
  report and the entity’s planned manner and timing of the issuance of such
  document(s) (AU-C 720.13a).
• Make appropriate arrangements with management to obtain in a timely
  manner and, if possible, prior to the date of the auditor’s report, the final
  version of the document(s) comprising the annual report (AU-C 720.13b).
• When some or all of the documents determined to be part of the annual
  report will not be available until after the date of the auditor’s report on the
  financial statements, request management to provide a written representation
  that the final version of the documents will be provided to the auditor when
  available, and prior to the documents’ issuance by the entity, such that the
  auditor can complete the required procedures (AU-C 720.13c).
• If the auditor becomes aware that the entity did not provide the auditor with
  the final version of documents determined to be part of the annual report prior
  to the issuance of those documents to third parties, the auditor should take
  appropriate action (AU-C 720.14), which may include
  o obtaining those documents from management and performing the
    required procedures, as discussed below, as soon as practical;
  o communicating the matter to those charged with governance, if
    applicable; and
  o considering the need to obtain legal advice (AU-C 720.A25).
• Communicate with those charged with governance the auditor’s responsibility
  with respect to the other information, any procedures performed relating to
  the other information, and the results (AU-C 720.15).
• Read the other information and consider whether a material inconsistency
  exists between the other information and the financial statements. As the
  basis for this consideration, to evaluate their consistency, the auditor should
  compare selected amounts or other items in the other information (that are
  intended to be the same as, to summarize, or to provide greater detail about
  the amounts or other items in the financial statements) with such amounts or
  other items in the financial statements. While reading the other information,
  the auditor should remain alert for indications that (1) a material inconsistency
  exists between the other information and the auditor’s knowledge obtained in
  the audit and (2) a material misstatement of fact exists or the other
  information is otherwise misleading. The auditor is not responsible for
  searching for omitted information for the completeness of the other
  information. (AU-C 720.16–.18)
See FAM 550.23 through .26 for information on concluding on other information
and FAM 580.39 regarding how the auditor reports on the work performed in this
area.
Supplementary Information
.10 If the auditor is engaged to report on whether supplementary information, such
as consolidating statements, is fairly stated, in all material respects, in relation to
the financial statements as a whole, the auditor should follow the requirements in
AU-C 725.
Opening Balances
.11 AU-C 510 provides guidance on the audit procedures the auditor should perform
related to opening balances in an engagement in which the financial statements
for the prior period were not audited or were audited by a predecessor auditor
(initial audit engagement). This includes engagements to audit financial
statements that have been previously audited by a predecessor auditor (reaudit
engagement).
During the planning phase, the auditor should request that entity management
authorize the predecessor auditor, if any, to allow a review of its audit
documentation and respond fully to inquiries by the auditor. The auditor uses this
information to assist in planning and performing the audit. The auditor should
plan audit procedures to obtain sufficient appropriate audit evidence about
whether (a) opening balances, including note disclosures that existed at the
beginning of the period, contain misstatements that materially affect the current
year’s financial statements and (b) appropriate accounting policies reflected in
the opening balances have been consistently applied in the current period’s
financial statements or changes thereto are appropriately accounted for and
adequately presented and disclosed in accordance with the applicable financial
reporting framework (U.S. GAAP).
See AU-C 510 for the specific requirements to be satisfied related to performing,
concluding on, and reporting on opening balances for initial audit engagements
and reaudit engagements.
Other Planning Issues
.12 Auditors should evaluate whether the audited entity has taken appropriate
corrective action to address findings and recommendations from previous
engagements that could have a material effect on the financial statements or
other financial data significant to the audit objectives. When planning the audit,
auditors should ask entity management to identify previous audits, attestation
engagements, and other studies that directly relate to the objectives of the audit,
including whether related recommendations have been implemented. Auditors
should use this information in assessing risk of material misstatement and
determining the nature, timing, and extent of further audit procedures, including
determining the extent to which testing the implementation of the corrective
actions is applicable to the current audit objectives.
.13 The auditor should determine whether any findings and recommendations from
the prior-year financial audit need follow-up that would not otherwise be
evaluated in the current-year procedures, such as findings at locations that would
not otherwise be tested. The auditor should determine whether to test the
implementation of the recommendation or to repeat the finding.
Additional Audit Guidance
.14 During planning, the auditor also should apply additional requirements in OMB
audit guidance. For example, OMB audit guidance indicates that certain
agreed-upon procedures are to be applied to entity payroll offices and the related reports
are to be submitted to the Office of Personnel Management by a specific date.
FAM 710 provides guidance on agreed-upon procedures reporting.
285 Plan Locations to Test
.01 Most entities conduct operations, perform accounting functions, and retain
records at multiple locations. During planning, the auditor should evaluate the
effect of these multiple locations on the audit approach and generally should
consult with an audit sampling specialist when testing involves the selection of
locations. The auditor should develop an understanding of the respective
locations, including significant accounts and accounting systems and
cycles/accounting applications. This understanding may be obtained virtually, in
person, or both and either centrally or in combination from multiple field locations,
as appropriate. When planning locations to test, the auditor should evaluate
whether certain locations warrant more extensive testing than others, based on
the following factors:
a. Materiality or significance of locations to the overall entity. More material
locations, particularly those individually generating transactions or account
balances that exceed performance materiality; those with significant
cycles/accounting applications; and those with significant information systems
centers, or a combination of these, may indicate the need for more extensive
testing.
b. The results, if location specific, of the preliminary analytical procedures
applied during planning. The auditor should follow up on unusual results,
possibly including testing specific locations with unusual results.
c. The results and the extent of audit procedures applied in prior years by
the auditor or others, including the time since significant procedures
were performed. Problems noted in prior audits, if not corrected, could
indicate areas of concern for the current audit; the applicability of prior
evidence ordinarily diminishes with the passage of time.
d. The auditor’s preliminary assessment of overall inherent risk at each
location, including the nature of operations, sensitivity to economic
conditions, and key management turnover. Locations at which inherent
risk is high generally warrant more extensive testing than those where
inherent risk is low. In addition, the inherent risk may be different for different
accounts and assertions at each location.
e. The auditor’s preliminary assessment of control risk, including the
control environment, entity risk assessment, communication, and
monitoring. Locations at which control risk (particularly concerning the
control environment, entity risk assessment, information and communication,
and monitoring) is high warrant more extensive testing than those where
control risk is low. In addition, at lower-risk locations, the auditor first might
evaluate whether testing entity-level controls, including controls in place to
provide assurance that appropriate controls exist throughout the entity,
provides the auditor with sufficient appropriate evidence.
f. The auditor’s assessment of the risk of material misstatement due to
fraud. Locations at which the auditor has assessed a greater risk of material
misstatement due to fraud warrant more extensive testing than those where
the auditor has assessed a lower risk of material misstatement due to fraud.
g. The auditor’s assessment of the risk of material misstatement. Locations
at which risk of material misstatement is high warrant more extensive testing
than locations where risk of material misstatement is low.
h. The extent to which accounting records are centralized. A high degree of
centralization may enable the auditor to conduct the majority of work on the
central location, with only limited work on other locations.
i. The extent of uniformity of control systems (including IS controls)
throughout the entity. The number of locations tested is a function of the
uniformity of significant control systems. For example, if there are two major
procurement control systems, the auditor generally should test each system
to a sufficient extent. Where locations develop or modify systems, the auditor
may test more locations than for those entities using centrally developed
systems that cannot be changed locally.
j. The extent of work performed by other auditors. The auditor may use
work performed by other auditors to reduce or eliminate testing selected
locations or to assist in testing locations not selected. (See FAM 620, 630,
640, and 645.)
k. Special reporting or entity requirements. The auditor should test sufficient
locations to meet special needs, such as the need for separate-location
reports.
.02 The auditor should plan the general nature of audit procedures to be performed
for each location. The extent of testing may vary between locations, depending
on tolerable misstatement, control risk, risk of material misstatement, and other
factors. Using common audit programs, audit documentation formats, and
indexes for the various locations tested makes it easier to plan, review the audit
documentation, and combine the results of all locations or funds to improve
effectiveness and efficiency. The auditor should vary the nature, timing, and
extent of testing controls at locations or business units from year to year.
.03 The auditor should obtain an understanding of the design of the procedures for
combining the locations’ financial information to prepare the entity’s financial
statements. The auditor should understand and test these procedures during the
audit, including controls for adjustments, reclassifications, and eliminations.
.04 One approach to stratifying locations, selecting locations to test, and selecting
individual audit samples for multiple-location audits is presented in FAM 295 C.
This method assumes that increased testing is not required for any location
because of the factors in FAM 285.01. Other methods of selecting locations for
testing may be used with the approval of the reviewer. For example, selecting
fewer locations but more items to test for each location may be appropriate in
some instances. Although other methods generally involve more testing than the
method described in FAM 295 C, the efficiencies of performing additional work
on fewer locations may be higher.
.05 The auditor should document the planned locations to test in the audit strategy,
audit plans, or equivalent documents.
Planning Phase
290 Documentation
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 290-1
290 – Documentation
.01 Based on AU-C 230.08, the auditor should prepare audit documentation that is
sufficient to enable an experienced auditor, having no previous connection with
the audit, to understand
• the nature, timing, and extent of the audit procedures performed to comply
with GAGAS, including the Statements on Auditing Standards and applicable
attestation standards, and applicable legal and regulatory requirements;
• the results of the audit procedures performed and the audit evidence
obtained; and
• significant findings or issues arising during the audit, the conclusions reached
thereon, and significant professional judgments made in reaching those
conclusions.
AU-C 230.A4 describes factors that the auditor should consider in determining
the form, content, and extent of audit documentation.
.02 In the FAM, each phase of the audit contains a separate section that describes
audit documentation requirements. The auditor should document relevant
information as described in FAM 290 and update these documents to respond to
any changes in circumstances during the course of the audit. The auditor should
document any significant changes made during the audit engagement to the
overall audit strategy or the audit plan and the reasons for such changes (AU-C
300.14c). Information that is likely to be useful in future audits may be
documented in a permanent file.
.03 The auditor should document the understanding of the terms of the
engagement established with the client, including the understandings reached
with management and those charged with governance as described in FAM 215.
This documentation may consist of copies of engagement letters, contracts, and
other written agreements and should document management’s agreement with
its responsibilities in a financial statement audit.
.04 In the entity profile or an equivalent document, the auditor should document the
information useful for understanding the entity and its operations (FAM 220). The
auditor should document key elements of the understanding obtained regarding
each of the aspects of the entity and its environment identified in FAM 220.02 to
assess the risks of material misstatement of the financial statements, including
the sources of information from which the understanding was obtained
(AU-C 315.33b). However, the auditor generally should document internal control
separately, as discussed in FAM 290.06 and in FAM 390. The auditor may
include the information in the entity profile in the audit strategy.
In this profile, the auditor generally should briefly document such elements as the
entity’s origin, history, mission, size, locations, organization, and key members of
management; the legal and regulatory framework; the applicable financial
reporting framework (U.S. GAAP); complexity of operations; external and internal
factors affecting operations; use of information systems; and accounting policies.
The auditor generally should limit the information in the entity profile to that which
is relevant to planning the audit. This information may include documents
prepared by the entity, such as historical information or the mission of the entity.
If these and other documents were prepared in prior years, the auditor should
update them for any changes each year.
.05 The auditor should document the results of brainstorming discussions about
the susceptibility of the entity’s financial statements to material misstatement due
to error or fraud (FAM 260). The auditor should document these discussions,
including how and when the discussion occurred, the subject matter discussed,
the engagement team members who participated, and significant decisions
reached (AU-C 240.43a and 315.33a).
.06 In establishing the overall audit strategy that sets the scope, timing, and
direction of the audit and that guides the development of the audit plan, as
discussed in AU-C 300.07 through .08, the auditor should (1) identify the
characteristics of the engagement that define its scope; (2) ascertain the
reporting objectives of the engagement in order to plan the timing of the audit
and the nature of the communications required; (3) consider the factors that in
the auditor’s professional judgment, are significant in directing the engagement
team’s efforts; (4) consider the results of preliminary engagement activities and,
when applicable, whether knowledge gained on other engagements performed
by the engagement partner for the entity is relevant; and (5) ascertain the nature,
timing, and extent of resources necessary to perform the engagement. The audit
strategy should include or refer to information on the following areas:
a. Conclusions reached regarding acceptance and continuance of the
client relationship and audit engagement (FAM 215).
b. Results of the prior year’s audit.
c. Accounting and auditing standards.
• Accounting standards, including whether the financial reporting
framework to be applied in the preparation of the financial statements
(U.S. GAAP) is acceptable (FAM 215).
• Auditing standards and guidance applicable to the engagement (e.g.,
U.S. GAGAS), including any
o interpretive publications, which consist of, among other things,
auditing interpretations of U.S. GAAS, auditing guidance included in
AICPA Audit and Accounting Guides, and AICPA Auditing Statements
of Position (AU-C 200.14 and .27), and
o other auditing publications (AU-C 200.28).
d. Preliminary analytical procedures and the results of those procedures
(FAM 225). The auditor should document the following information:
• Data used and the sources of these data for current-year amounts and for
developing expected amounts, including
o the amounts of the financial items;
o the dates or periods covered by the data;
o whether the data are audited or unaudited;
o the person from whom the data were obtained (if applicable); and
o the source of the information, such as general ledger trial balances,
prior-year audit documentation, or prior-year financial statements.
• Parameters for identifying significant fluctuations from expectations.
• Explanations for fluctuations from expectations identified and sources of
those explanations, including the name(s) and title(s) of the person(s)
from whom the explanations were obtained.
• The auditor’s conclusion and consideration of the impact of the results of
preliminary analytical procedures on the audit strategy.
e. Amount and basis for materiality determination [materiality for the
financial statements as a whole, performance materiality, tolerable
misstatement, clearly trivial, FMFIA, management representation letter,
and legal counsel response] and any revisions to materiality as the
audit progresses (FAM 230). This should include, if applicable, the
materiality level or levels for particular classes of transactions, account
balances, or note disclosures (AU-C 320.14).
f. Methodology used to assess IS controls (FAM 240). The auditor also
should document the basis for believing that the methodology is appropriate.
As discussed in FAM 240.17, GAO auditors should use FISCAM as GAO
believes that it is an appropriate methodology. If the auditor uses the same
methodology for multiple audits, the audit organization may prepare this
document once and maintain a central reference file for individual audits.
g. Significant provisions of applicable laws and regulations (FAM 245).
h. Approach for identifying and testing significant provisions of contracts
and grant agreements (FAM 245).
i. Relevant budget restrictions (FAM 250).
j. Audit assurance (FAM 260). The auditor should document the audit
assurance used and the auditor’s justification for it. If the audit assurance
used is 95 percent, the auditor may reference the FAM.
k. Assessment of inherent risk and the risk factors considered in the
assessment (FAM 260).
l. Understanding of the design of each component of internal control
(control environment, entity risk assessment, information and
communication, and monitoring) to assess the risks of material
misstatement of the financial statements, including whether an
ineffective control environment precludes the effectiveness of specific
control activities (FAM 260). The auditor should document key elements of
the understanding of the design of the control environment, entity risk
assessment, information and communication, and monitoring to assess the
risks of material misstatement. See FAM 340 for discussion on understanding
the control activities component. In addition, the auditor should document the
sources of information from which the understanding was obtained,
procedures performed to assess risks of material misstatement (AU-C
315.33b), and conclusions reached on whether the component was
implemented as designed. For CFO Act agencies, the auditor generally
should document the entity’s basis for its determination of substantial
compliance of its financial management systems with FFMIA requirements.
(FAM 390 discusses documentation of the auditor’s understanding of the
design of control activities for assessing the risks of material misstatement.)
m. Risk of material misstatement (FAM 260). The auditor should document
the identified and assessed risks of material misstatement at the financial
statement level and at the relevant assertion level (AU-C 315.33c).
• Risks of material misstatement due to error (FAM 260). The auditor
should document risks of material misstatement due to error identified at
the financial statement level (those that relate pervasively to the financial
statements as a whole) and the auditor’s overall responses. The auditor
should also document risks of material misstatement due to error
assessed at the relevant assertion level and should link them with specific
line items and accounts. For each risk identified, the auditor should
document the (1) nature and extent of the risk; (2) condition(s) that gave
rise to that risk; and (3) specific cycles, accounts, line items, and related
assertions affected (if the risk is not pervasive). The auditor should also
determine which of the risks identified require special audit consideration
(significant risks). (FAM 490 discusses documentation of substantive
audit procedures to respond to the risks of material misstatement.)
• Risks of material misstatement due to fraud (FAM 260). The auditor
should document risks of material misstatement due to fraud, which are
considered significant risks, identified at the financial statement level and
at the assertion level for specific line items and accounts (AU-C 240.43b).
(Also see FAM 290.09.) Specifically, the auditor should document
o specific fraud risks (categorized by type of misstatement and by
incentive/pressure, opportunity, and attitude/rationalization) that were
identified and the assessment of those risks;
o if the auditor concludes that no risks of material misstatement due to
fraud relating to revenue recognition exist, the reasons supporting
that conclusion;
o consideration of the risk of management override of controls; and
o the auditor’s response to the assessed fraud risks—the overall
responses to the assessed risks of material misstatement due to fraud
at the financial statement level and the nature, timing, and extent of
audit procedures, and the linkage of those procedures with the
assessed risks of material misstatement due to fraud at the assertion
level (AU-C 240.44a). (See FAM 590.)
n. Significant risks and risks for which substantive procedures alone do
not provide sufficient appropriate audit evidence (FAM 260). The auditor
should document the risks identified and related controls about which the
auditor has obtained an understanding (AU-C 315.33d), as described in
FAM 260.44 through .45.
o. Effects of information systems (FAM 270). The auditor should document,
either separately or as part of the assessments above,
• a basic understanding of the design of IS controls relevant to the entity’s
financial management, including the significance of information system
processing to the entity, and whether the controls have been
implemented as designed (FAM 220);
• the IS controls included in the significant accounting applications,
including the general controls implemented at the entity-wide, system,
and application levels that help ensure the proper operation of the
application and user controls (FAM 240);
• the inherent risks arising from information systems (FAM 260.12);
• the impact of information systems on the design of the control
environment, entity risk assessment, information and communication, and
monitoring (FAM 260.65–.66); and
• tentative conclusions on the likelihood that IS controls are effective (FAM
270).
Due to the technical nature of many IS controls, the auditor generally should
obtain assistance from an IS controls auditor in understanding the entity’s use
of information systems and in planning, directing, or performing audit
procedures related to assessing IS controls. When the auditor prepares
documentation of the above information, the auditor generally should obtain
concurrence from an IS controls auditor. The director and assistant director,
as part of their reviews of the audit strategy, should concur with the tentative
conclusions on the likelihood that IS controls are effective. If the auditor
determines that IS controls are not likely to be effective, the auditor should
document supporting evidence and generally should report these findings as
discussed in FAM 580. Due to the sensitive nature of security issues related
to information systems, the auditor may include the details of these issues in
a nonpublic report.
p. Operations controls to be tested, if any (FAM 275).
q. Other planned audit procedures (FAM 280).
r. Planned interim testing (FAM 295 D). This information includes the basis
for concluding that the use of interim testing is appropriate.
s. Locations to test (FAM 285). This information includes
• the locations selected;
• the basis for selections;
• the nature and timing of procedures planned for each location;
• the determination of the number of items for testing and the allocation of
those items among the selected locations (this may be initially discussed
and estimated and later refined when the items are selected, particularly
for a statistical sample); and
• other procedures applied.
t. Staffing and review requirements. This information includes
• engagement team members and specialists, who, collectively, have the
appropriate competence and capabilities to perform the audit in
accordance with GAGAS and enable an auditor’s report that is
appropriate in the circumstances (GAGAS (2018) 4.02 and AU-C 220.16)
and
• the nature, timing, and extent of direction and supervision of engagement
team members and review of their work (AU-C 300.11).
u. Compliance with relevant ethical requirements (FAM 215). This
information includes
• any issues identified and how they were resolved,
• any threats to independence and the safeguards applied, and
• conclusions on compliance with independence requirements that apply to
the audit engagement and any relevant discussions with the audit
organization that support the conclusion.
v. Audit timing, including milestones and the estimated date of the
auditor’s report.
w. Extent of assistance from entity personnel.
x. Parties identified as those charged with governance (FAM 215).
.07 The cycle matrix or equivalent links each of the entity’s accounts in the trial
balance to a cycle, an accounting application, and a financial statement line item
(FAM 240.05).
.08 The LIRA or equivalent contains the audit plan for each significant line item and
identifies significant line items, assertions, and cycles/accounting applications
(FAM 235 and FAM 240) and the related risks of material misstatement at the
relevant assertion level, as discussed in AU-C 315.26 through .27. The auditor
should also summarize and document the specific risks of material misstatement,
other than pervasive risks, including the inherent, fraud, and control risk factors,
for use in determining the nature, extent, and timing of audit procedures.
.09 Fraud risk assessments (FAM 260) include
• the brainstorming meeting(s) about potential fraud risks (see FAM 290.05);
• the procedures performed to obtain information about, identify, and assess
fraud risks;
• any other significant procedures performed or other significant matters
related to the auditor’s consideration of fraud (and any significant abuse);
• the effect of fraud risk on the audit strategy; and
• changes to fraud risk assessment during the audit.
.10 As discussed in AU-C 300.09, the auditor should develop an audit plan that
includes a description of the following items:
• The nature and extent of planned risk assessment procedures sufficient to
assess the risks of material misstatement, as discussed in FAM 260 (AU-C
300.09a) (included in portions of the audit strategy, LIRA, and Specific
Control Evaluation (SCE) worksheets or equivalent documents prepared
following the FAM).
• The nature, extent, and timing of planned further audit procedures at the
relevant assertion level for each material class of transactions, account
balance, and note disclosure, as discussed in FAM 350 and 420 (AU-C
300.09b). The plan for further audit procedures reflects the auditor’s decision
on whether to test the operating effectiveness of controls and the nature,
extent, and timing of planned substantive procedures (included in the LIRA
and related specific audit plans for each specific area of the audit prepared
following the FAM).
• Other planned audit procedures to be carried out for the engagement to
comply with GAGAS, including U.S. GAAS for these audits (AU-C 300.09c).
For example, including an overview in the audit strategy with details in related
audit plans for specific areas of the audit.
The audit completion checklist (see FAM 1003) also summarizes documentation
of the auditor’s compliance with GAGAS and the FAM.
.11 Other auditor considerations may arise where other auditors plan to use the work
being performed, as discussed in FAM 630, especially in areas where the auditor
makes decisions based on significant auditor judgment. In these cases, the
auditor should consider the needs of, and consult with, other auditors in a timely
manner. If the auditor plans to deviate from a policy or procedure expressed by
use of “should” in the FAM, the auditor should provide an opportunity for the
other auditors to review the documentation of the explanations for these
deviations and the alternative procedures performed to achieve the requirement.
.12 As audit work is performed, the auditor may become aware of possible control
deficiencies; significant deficiencies; material weaknesses; noncompliance with
provisions of applicable laws, regulations, contracts, and grant agreements; and
misstatements, fraud, abuse, or other matters that should be communicated to
the entity under audit, to the IG if the auditor is a contractor, and to those
charged with governance. A structured method to document these issues aids in
communicating them to the engagement team, entity management, and others
soon after their discovery.
The auditor may document elements of potential findings, such as the nature of
the condition and, if appropriate, the applicable criteria, cause, potential effect,
and any recommendations for improvement throughout the audit. These
elements and related reporting are discussed in GAGAS (2018) 6.25 through
6.28 and in FAM 580.80 through .82. The auditor may discuss these matters with
entity management as the conditions are identified to inform management timely
and to provide assurance that information is accurate and complete, rather than
waiting until the exit conference.
Planning Phase
295 A Potential Inherent Risk Conditions
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 295 A-1
295 A Potential Inherent Risk Conditions
.01 The specific conditions listed below may indicate the presence of inherent risks,
some of which may also be fraud risks. Some of these may affect many accounts
and assertions; others may affect only one account or assertion. Although it is
not all inclusive, this section assists the auditor in considering each of the
inherent risk factors described in FAM 260.11 and the fraud risk factors
described in FAM 260.19 relating to industry conditions, operating conditions,
financial stability, and susceptibility of assets to misappropriation. The auditor
should evaluate any other relevant factors and conditions.
.02 Nature of the Entity’s Programs and Operations
a. Programs are significantly affected by new/changing laws and regulations,
economic factors, environmental factors, or a combination of these.
b. Contentious or difficult accounting issues are associated with the
administration of a significant program(s).
c. Major uncertainties or contingencies, including long-term commitments, relate
to a particular program(s).
d. New (in existence less than 2 years) or changing (undergoing substantial
modification or reorganization) programs lack written policies or procedures,
lack adequate resources, have inexperienced managers, and generally have
considerable confusion associated with them.
e. Programs that are being phased out (being eliminated within 1 or 2 years)
lack adequate resources, personnel motivation, and/or interest.
f. Significant programs have a history of improper administration, affecting
operating activities.
g. Significant programs have a history of inadequate financial management
causing management to resort to extensive, costly, time-consuming, ad hoc
efforts to prepare financial statements by the required deadline.
h. Management faces significant pressure to obtain additional funding
necessary to stay viable and maintain levels of service considering the
financial or budgetary position of a program, including the need for funds to
finance major research and development or capital expenditures.
i. Management faces significant pressure to “use or lose” appropriated funds in
order to sustain future funding levels.
j. Partisan politics between competing political parties or factions or constituent
groups create conflict and a lack of stability within the entity or its programs.
k. Unusually rapid growth occurs in a program.
l. Economic conditions are deteriorating among the group served by the entity.
m. Responsibilities for significant sensitive assets or proprietary information
(national security, tax, health, etc.).
.03 History of Significant Audit Adjustments
a. The underlying cause of significant audit adjustments continues to exist.
.04 Nature of Material Transactions and Accounts
a. New types of transactions exist.
b. Significant transactions with related parties, disclosure entities, and public-
private partnerships, and/or significant unusual transactions, exist.
c. Classes of transactions or accounts are
• difficult to audit;
• subject to significant management judgments (such as estimates);
• susceptible to manipulation, loss, or misappropriation;
• susceptible to inappropriate application of an accounting policy; and
• susceptible to problems with realization or valuation.
d. Accounts have complex underlying calculations or accounting principles.
e. Accounts have underlying activities, transactions, or events that are operating
under severe time constraints.
f. Significant interagency transactions or revenue sources create incentives to
shift costs or otherwise manipulate accounting transactions.
g. Accounts have activities, transactions, or events that involve the handling of
unusually large cash receipts, cash payments, or wire transfers.
h. Inventory or equipment have characteristics such as small size, high value,
high demand, marketability, or lack of ownership identification that make
them easily converted to cash (for example, pharmaceutical inventory or
military equipment with high street values).
i. Assets such as food stamps, benefits vouchers, commodities, supplies, or
materials are easily converted to cash.
j. Assets such as cars, computers, and telephones are susceptible to personal,
nonprogram/nongovernment use.
k. Many payments are sent to post office boxes.
l. Large numbers of payments are sent to outside recipients, as in the cases of
grants, medical care reimbursements, or other federal financial assistance.
Planning Phase
295 B Potential Control Environment, Entity Risk Assessment, Communication, and
Monitoring Deficiencies
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 295 B-1
295 B Potential Control Environment, Entity Risk
Assessment, Communication, and Monitoring Deficiencies
.01 The specific conditions listed below may indicate risks of material misstatement
because of control environment, entity risk assessment, communication, and
monitoring deficiencies as well as potential fraud risk. The auditor may use this
section when separately evaluating the design of the control environment, entity
risk assessment, communication, and monitoring components described in
FAM 260.47 through .63. The auditor also may evaluate any other relevant
factors and conditions. Appendix B of AU-C 315 provides additional guidance for
understanding these components of internal control. The auditor may also refer
to GAO’s Standards for Internal Control in the Federal Government
(GAO-14-704G, September 2014) for additional and more detailed examples of
internal control components. The auditor may evaluate these factors for the
entire entity or by location.
Control Environment
.02 Communication and Enforcement of Integrity and Ethical Values (Green
Book 1.01 through 1.10)
a. Management and those charged with governance have not established,
exhibited, and communicated throughout the entity an appropriate “tone at
the top,” including explicit guidance about what is right and wrong.
b. Management and those charged with governance have not established a
formal code of conduct or other policies regarding acceptable practices,
conflicts of interest, or expected standards of ethical behavior.
c. Employees do not understand what behavior is acceptable or unacceptable,
or what to do if they encounter improper behavior.
d. Management covers up bad news rather than making full disclosure as
quickly as possible.
e. Management does not quickly address signs that problems exist.
f. Management and employees feel pressure to cut corners or not follow
established controls.
g. High decentralization leaves top management unaware of actions taken at
lower organizational levels and thereby reduces the chances of management
detecting errors and fraud.
h. Everyday dealings with employees, auditors, the public, oversight groups,
and others are not generally based on honesty and fairness (for example,
overpayments received or supplier underpayments are ignored or efforts are
made to find ways to reject legitimate claims).
i. Penalties for improper behavior are insignificant or unpublicized and thus lose
their value as deterrents.
j. Management has displayed a loose attitude toward internal control, for
example, by not providing guidance on when intervention is allowed or not
investigating and documenting deviations from controls.
k. Management and employees feel pressure to meet performance targets or
deadlines that are unrealistic.
l. Management is under undue pressure from the administration to attain an
unmodified opinion on the financial statements, despite significant internal
control deficiencies.
m. Management displays lack of candor in dealing with those charged with
governance, oversight committee staff, recipients of the entity’s services, or
auditors regarding decisions that could have an impact on the entity.
n. Management does not respond to internal and external auditors’
recommendations to strengthen internal control.
o. Management has strained relationships with the IG, its current or
predecessor external auditors, or both.
p. Management does not encourage and consider employee suggestions.
.03 Commitment to Competence (Green Book 4.01 through 4.04)
a. Management has not analyzed jobs to determine the knowledge and skills
needed.
b. Employees do not seem to have the knowledge and skills they should have to
do their jobs, based on the level of judgment necessary.
c. Supervision of employees does not compensate for lack of knowledge and
skills in their specific jobs.
d. Inexperienced or incompetent accounting personnel are responsible for
transaction processing.
e. The number of supervisors is inadequate or supervisors are inaccessible.
f. Key financial staff members have excessive workloads.
.04 Management’s Philosophy and Operating Style (Green Book 1.02 through
1.05)
a. Management lacks concern about internal control and the environment in
which specific controls function.
b. Management demonstrates an aggressive approach to risk taking.
c. Management demonstrates an aggressive approach to accounting policies.
For example, management makes significant changes in allowances for
uncollectible accounts that may be tied to performance measures in an effort
to improve collections.
d. Management has a history of completing significant or unusual transactions
near year-end, including transactions with disclosure entities, related parties,
and public-private partnerships.
e. Management makes numerous adjusting journal entries, especially at year-
end.
f. The process for preparing the financial statements is complex and includes
many reclassifications and last-minute changes.
g. Management is reluctant to (1) consult auditors/consultants on accounting
issues, (2) adjust the financial statements for misstatements, or (3) make
appropriate disclosures.
h. Management displays a significant disregard for regulatory, legal, or oversight
requirements or for IG, GAO, congressional authorities, or others charged
with governance.
i. Top-level management lacks the financial experience/background necessary
for the positions held.
j. Management is slow to respond to crisis situations in either operating or
financial areas.
k. Management uses unreliable and inaccurate information to make business
decisions.
l. Unexpected reorganization or replacement of management staff or
consultants occurs frequently.
m. Management and personnel in key areas (such as accounting, information
systems, and internal auditing) have a high turnover.
n. Individual members of top management are unusually closely identified with
specific major projects.
o. Management has publicly disclosed overly optimistic information on
performance of programs and activities.
p. Financial estimates consistently prove to be significantly overstated or
understated.
q. Obtaining adequate audit evidence is difficult due to a lack of documentation
and evasive or unreasonable responses to inquiries.
r. Financial arrangements/transactions are unduly complex.
s. There is a lack of adequate interaction between senior management and
operating management, particularly those in geographically dispersed
locations.
t. Management attitude toward information systems and accounting functions is
that these are necessary “bean counting” functions rather than a vehicle for
exercising control over the entity’s activities or making better decisions.
u. Management is motivated to engage in fraudulent financial reporting because
of substantial political pressure that creates undue concern about reporting
positive financial accomplishments.
v. Management is dominated, either entity-wide or at a specific component, by a
single person or small group without compensating controls, such as effective
oversight by those charged with governance.
w. One or more individuals with no apparent executive position(s) within the
entity appear(s) to exercise substantial influence over its affairs or over
individual departments or programs (for example, a major political donor or
fundraiser).
x. Management has significant grantee, cooperative agreement, or contractor
relationships for which there appears to be no clear programmatic or
governmental justification.
y. Management appears more concerned with an unmodified opinion on the
financial statements than fixing significant deficiencies in its systems.
z. Management has difficulty meeting reporting deadlines.
.05 Organizational Structure (Green Book 3.02 through 3.05)
a. The organizational structure is inappropriate for the entity’s size and
complexity. General types of organizational structures include
• federal centralized (managed and controlled on a day-to-day basis by a
centralized system),
• federal decentralized (managed and controlled on a day-to-day basis by
field offices or staffs),
• participant administered (managed and controlled on a day-to-day basis
by a nonfederal organization), and
• other (managed and controlled on a day-to-day basis by some
combination of the above or by other means).
b. The structure inhibits segregation of duties for initiating transactions,
recording transactions, and maintaining custody over assets.
c. Management has difficulty determining the organization or individual(s) that
control(s) the entity, parts of the entity, or particular programs.
d. Recent changes in the management structure disrupt the organization.
e. Operational responsibilities do not coincide with the divisional structure.
f. Delegation of responsibility and authority is inappropriate.
g. A lack of definition and understanding of delegated authority and
responsibility exists at all levels of the organization.
h. Policies and procedures are established at inappropriate levels.
i. A high degree of manual activity or spreadsheet use is required in capturing,
processing, and summarizing data to prepare financial statements.
j. A single person or a small group dominates activities.
k. Entity officials could obtain financial or other benefits based on decisions
made or actions taken in an official capacity.
.06 Assignment of Authority and Responsibility (Green Book 3.06 through 3.08)
a. The entity’s policies regarding the assignment of responsibility and the
delegation of authority for matters such as organizational goals and
objectives; operating functions; and regulatory requirements, including
responsibility for information systems and authorizations for changes, are
inadequate.
b. Appropriate control-related standards and procedures are lacking.
c. The number of people, particularly in information systems and accounting
functions, with requisite skill levels relative to the size and complexity of the
operations is inadequate.
d. Delegated authority is inappropriate in relation to the assigned
responsibilities.
e. An appropriate system of authorization and approval of transactions (for
example, in purchasing, grants, and federal financial assistance) is lacking.
f. Policies regarding physical safeguards over cash, investments, inventory,
and fixed assets are inadequate.
.07 Human Resource Policies and Practices (Green Book 4.05)
a. Human resource policies for hiring and retaining capable people are
inadequate.
b. Policies and procedures for hiring, promoting, transferring, retiring, and
terminating personnel are inadequate.
c. Training programs do not adequately offer employees the opportunity to
improve their performance or encourage their advancement.
d. Written job descriptions and reference manuals are inadequate or
inadequately maintained.
e. Communication of human resource policies and procedures at field locations
is inadequate.
f. Policies on employee supervision are inappropriate or obsolete.
g. Management does not take remedial actions in response to departures from
approved policies and procedures.
h. Employee promotion criteria and performance evaluations are inadequate in
relation to the code of conduct.
i. Management does not adequately screen job applicants who will have
access to assets susceptible to misappropriation.
j. Training regarding controls over payments to others, such as those for
benefits, grants, and federal financial assistance, is inadequate.
k. Employees performing key control functions do not take vacations.
l. Management does not reassign work of key employees on vacation.
.08 Management’s Control Methods over Budget Formulation and Execution
a. Management provides little or no guidance material and instructions to those
preparing the budget information.
b. Management and employees do not understand the budget review, approval,
and revision processes.
c. Management demonstrates little concern for reliable budget information.
d. Management participation in directing and reviewing the budget process is
inadequate.
e. Management is not involved in determining when, how much, and for what
purpose obligations and outlays can be made.
f. Management has not developed adequate planning and reporting systems
that set forth management’s plans and the results of actual performance.
g. Employees use inadequate methods to identify the status of actual
performance and exceptions from planned performance and communicate
them to the appropriate levels of management.
h. The entity has reported noncompliance, including violations of the
Antideficiency Act, and purpose, time, or other budget-related restrictions.
.09 Management’s Control Methods over Compliance with Laws, Regulations,
Contracts, and Grant Agreements
a. Management is unaware of the applicable laws, regulations, contracts, and
grant agreements and potential problems.
b. A mechanism to inform management of the existence of illegal acts does not
exist.
c. Management neglects to react to identified instances of noncompliance with
laws, regulations, contracts, and grant agreements.
d. Management is reluctant to discuss its approach toward compliance and the
reasonableness of that approach.
e. Recurring public complaints have been received through “hotline” allegations.
f. FMFIA reports; congressional reports; consultants’ reports; and prior
audits/evaluations by GAO, the IG, the internal auditor, or others disclose
repeated instances of noncompliance or compliance control deficiencies.
g. Management is reluctant to provide evidential matter necessary to evaluate
whether noncompliance with laws, regulations, contracts, and grant
agreements has occurred.
h. Management is not responsive to changes in legislative or regulatory bodies’
requirements.
i. Policies and procedures for complying with applicable laws, regulations,
contracts, and grant agreements are weak.
j. Policies on matters such as acceptable business practices, conflicts of
interest, and codes of conduct are weak.
k. Management does not have an effective legal counsel.
.10 Participation by Those Charged with Governance (Green Book 2.02, 2.05,
and 2.06)
a. Those charged with governance demonstrate little concern about controls
and how and when management addresses internal and external auditors’
recommendations.
b. Those charged with governance have little involvement in and provide little
scrutiny of activities.
c. Little interaction occurs between those charged with governance and the IG
and internal and external auditors.
d. Those charged with governance demonstrate little concern for compliance
with applicable laws, regulations, contracts, and grant agreements.
.11 Succession and Contingency Plans and Preparation (Green Book 4.06
through 4.08)
a. Management does not have defined succession and contingency plans for
key roles.
b. Management’s succession plan does not define key roles.
c. Management has not chosen succession candidates.
d. Management does not provide training to succession candidates before they
assume the key roles.
e. Management does not assess whether the service organization can fulfill
assigned responsibilities of key roles in the entity or whether the service
organization can continue in these key roles.
f. Management has not defined contingency plans for assigning responsibilities
if a key role in the entity is vacated.
.12 Enforce Accountability and Consider Excessive Pressure (Green Book 5.01
through 5.08)
a. Management does not enforce accountability of individuals performing their
internal control responsibilities.
b. Management does not have performance appraisals or provide disciplinary
actions.
c. Management provides incentives that are not aligned with the entity’s
standards of conduct.
d. Management does not hold service organizations accountable for their
assigned internal control responsibilities.
e. Management does not communicate the objectives of the entity and their
related risks, the entity’s standards of conduct, the role of the service
organization in the organizational structure, the assigned responsibilities and
authorities of the role, and the expectations of competence for its role that will
enable the service organization to perform its internal control responsibilities.
f. Management does not take corrective actions to enforce accountability for
internal control in the entity.
g. Management does not adjust excessive pressures on personnel in the entity.
h. Management does not evaluate pressure on personnel to help personnel
fulfill their assigned responsibilities in accordance with the entity’s standards
of conduct.
Entity’s Risk Assessment Process
.13 Defining Objectives (Green Book 6.02 through 6.07)
a. Management has not defined or communicated its overall objectives to
employees or those charged with governance, such as oversight committees.
b. Management does not have a strategic plan, or the strategic plan is not
consistent with the entity’s objectives.
c. The strategic plan does not address high-level resource allocations and
priorities.
d. The strategic plan, budgets, objectives, or a combination of these are
inconsistent.
e. Management has not defined activity-level objectives for all significant
activities, or the objectives are inconsistent with each other or with the overall
objectives.
f. Objectives do not include measurement criteria.
.14 Identifying, Analyzing, and Responding to Risks (Green Book 7.01 through
7.09)
a. Management does not have a formal risk assessment process.
b. For financial reporting purposes, management has not identified risks
relevant to the preparation of the financial statements in accordance with U.S.
GAAP. Risks relevant to reliable financial reporting also relate to specific
events or transactions. See AU-C 315.A166, appendix B, for examples of
circumstances that could cause risks relevant to financial reporting to arise or
change, such as (1) changes in the operating environment; (2) new
personnel; (3) new or revamped information systems; (4) rapid growth; (5)
new technology; (6) new programs, activities, business models, or products;
(7) restructuring or reorganization; (8) expanded or new foreign operations;
and (9) new accounting pronouncements.
c. Management has not adequately identified risks to the entity’s ability to
comply with applicable laws, regulations, contracts, and grant agreements,
including maintaining effective controls over compliance.
d. Management has not adequately identified risks to the entity’s ability to
prevent and detect fraud.
e. Management has not adequately identified risks to achieving the entity’s
objectives arising from external sources, including economic conditions, the
President, the Congress, OMB, and the media.
f. Management has not adequately identified risks arising from internal sources,
such as risks to human resources (ability to retain key people) or information
systems (adequacy of backup systems in the event of systems failure).
g. Once risks are identified, management has not adequately analyzed the risks
to estimate their significance, including considering the magnitude of impact,
likelihood of occurrence, and nature of the risks.
h. Once risks are identified and analyzed, management has not adequately
designed specific actions to respond to the risks.
.15 Identifying, Analyzing, and Responding to Significant Changes (Green
Book 9.01 through 9.05)
a. The mechanisms for identifying and communicating events, activities, and
conditions that affect operations or financial reporting objectives are
insufficient.
b. Accounting systems, information systems, or both are not modified in
response to changing conditions.
c. No consideration is given to designing new or alternative controls in response
to changing conditions.
d. Management is unresponsive to changing conditions.
Communication
.16 Internal Communication (Green Book 14.01 through 14.08)
a. The system for communicating policies and procedures is ineffective.
b. Formal or informal job descriptions do not adequately delineate specific
duties, responsibilities, reporting relationships, and constraints.
c. Channels of communication for reporting suspected improprieties are
inappropriate.
d. Management fails to display and communicate an appropriate attitude
regarding internal control.
e. Management is not effectively communicating and supporting the entity’s
accountability for public resources and ethics, especially regarding matters
such as acceptable business practices, conflicts of interest, and codes of
conduct.
f. Management is not receptive to employee suggestions of ways to enhance
productivity and quality or control.
g. Communication across the organization (for example, between procurement
and program activities) is inadequate to enable staff members to discharge
their responsibilities effectively.
.17 External Communication (Green Book 15.01 through 15.09)
a. Channels of communication with suppliers, contractors, recipients of program
services, customers, and other external parties are not open and effective for
communicating information on changing needs.
b. The entity’s website is not used effectively as a communication tool.
c. Outside parties have not been made aware of the entity’s ethical standards.
d. Management does not appropriately follow up on information received in
communications from program service recipients, vendors, regulators, or
other external parties.
e. Management has not established an open two-way line of communication
with external parties to allow quality information to be sent and received.
Monitoring of Controls
.18 Ongoing Monitoring (Green Book 16.04 through 16.08)
a. Management is not sufficiently involved in reviewing the entity’s performance
or its controls.
b. Management control methods are inadequate for investigating unusual or
exceptional situations and for taking appropriate and timely corrective action.
c. The entity does not have an effective hotline for reporting fraud, violations of
laws and regulations, and control deficiencies.
d. The entity does not have an effective internal audit function.
e. Management’s follow-up action is untimely or inappropriate in response to
communications from external parties, including complaints, notification of
errors in transactions with parties, and notification of inappropriate employee
behavior.
f. Management does not review whether periodic comparisons of amounts
recorded in the accounting system with physical assets are performed on a
timely basis and whether any differences are resolved timely.
g. Management does not monitor whether reviews to prevent large numbers of
duplicate payments and other improper payments are performed on a timely
basis.
h. Management does not effectively monitor that policies for developing and
modifying accounting systems and control activities are reviewed on a
systematic basis to obtain reasonable assurance of operating effectiveness.
i. Management does not monitor the legal (or other appropriate) department’s
oversight of compliance with the entity’s code of conduct, which may include
employees’ periodic acknowledgment of compliance.
j. Management does not adequately monitor whether significant activities that
have been outsourced to contractors or information systems components
maintained by contractors are reviewed on a timely basis.
.19 Separate Evaluations under FMFIA and FFMIA
a. Management displays a disregard for complying with FMFIA or FFMIA, or
both.
b. Management displays a combative attitude toward the FMFIA or FFMIA
process, or both.
c. Employees without appropriate skills manage the FMFIA or FFMIA process,
or both.
d. Management did not establish an organizational structure to effectively
implement, direct, and oversee the FMFIA or FFMIA process, or both. OMB
Circular No. A-123 requires that entities establish a senior management
council and a senior assessment team or equivalent structures. The oversight
of the assessment process may also be incorporated into existing offices or
functions within the organization that currently monitor the effectiveness of
the organization’s internal control.
e. Management did not effectively
• evaluate controls at the entity level or consider the components of internal
control based on criteria established under FMFIA (OMB Circular No. A-123
and Green Book) or
• assess whether its financial management systems comply substantially
with the requirements of FFMIA based on guidance provided in OMB
Circular No. A-123, appendix D.
f. Management did not include deficiencies identified in its assessments or
identified by the auditor that should have been reported in its FMFIA or
FFMIA reports.
.20 Management’s Assessment of Internal Control over Financial Reporting
a. Management did not use a reasonable approach to determine the scope of
the assessment. The scope of the assessment would include identifying
significant financial reports and key processes, controls, transactions, or a
combination of these.
b. Management did not adequately evaluate and document the key processes
and controls, including documentation of decisions on determining the scope,
materiality, testing methodology, and other significant decisions related to this
assessment.
c. Management did not use a reasonable approach to determine what, when,
where, and how to test the key controls, and the tests and results were not
properly documented.
d. Management did not use the results of its testing to support its conclusion on
whether internal controls over financial reporting were designed,
implemented, and operating effectively.
e. Management’s assurance statement did not appropriately describe any scope
limitations and was not consistent with the evidence gathered during the
testing process, including information gathered during the financial statement
audit.
f. Management does not have a process in place for prompt and proper
implementation of corrective actions to resolve deficiencies in internal
controls, including material weaknesses.
g. Auditors note deficiencies were not included in management’s assessment of
internal control over financial reporting.
.21 Reporting Deficiencies (Green Book 17.02 through 17.04)
a. The entity does not have a mechanism for capturing and reporting identified
internal control deficiencies from both internal and external sources resulting
from ongoing monitoring or separate evaluations.
b. The entity does not report deficiencies to the person with direct responsibility
and to a person at least one level higher or to more senior management.
c. Management does not correct deficiencies timely.
d. Management does not investigate underlying causes of problems.
e. Management does not follow up to determine whether the necessary
corrective action has been taken.
.22 The Effectiveness of Other Auditors [30]
a. Auditors are responsible for making operating decisions or for controlling
other original accounting work subject to audit.
b. Audit management personnel are inexperienced for the tasks assigned.
c. Auditors have minimal training, including little or no participation in formal
courses and seminars and inadequate on-the-job training.
d. Auditors have inadequate resources to conduct audits and investigations
effectively.
e. Audits are not focused on areas of highest exposure to the entity.
f. Standards against which the auditor’s work is measured are minimal or
nonexistent.
g. Performance reviews of audit staff are nonexistent or irregular.
h. The audit planning process is nonexistent or inadequate, including little or no
concentration on significant matters and little or no consideration of the
results of prior audits and current developments.
i. Supervision and review procedures are nonexistent or inadequate, including
little involvement in the planning process, in monitoring progress, and in
reviewing conclusions and reports.
j. Audit documentation, such as audit strategy, audit plans/procedures,
evidence of work performed, and support for audit findings, is incomplete.
k. An inadequate mechanism is used to keep the entity head, the Congress,
and others charged with governance informed about problems, deficiencies,
and the progress of corrective action.
l. Audit coverage over payments made by others, such as state or local
governments, for benefits, grants, and federal financial assistance is
inadequate.
m. The auditor does not adequately review IS controls, including general and
application controls.
n. The auditor does not use appropriate tools, such as audit software and audit
sampling.
o. The audit organization does not have an adequate quality control system,
including monitoring.
p. The audit organization does not have a peer review every 3 years.
[30] The term other auditors refers to auditors other than the audit organization performing the entity’s financial
statement audit as group auditor. These “other” auditors may be part of the entity’s monitoring controls. See FAM 630
and 645 for further discussion of using the work of other auditors.
295 C An Approach for Multiple-Location Audits
.01 This section provides one approach for stratifying the locations and selecting
audit samples for multiple-location audits. This method assumes that the auditor
has determined that it is not practical to make a centralized selection and that the
auditor identifies locations to be tested each year because of specific risks of
material misstatement (inherent or control risks). Other methods of selecting
locations for testing may be used with the approval of the reviewer. The auditor
generally should consult with an audit sampling specialist when selecting
locations.
Stratifying the Locations
.02 Unless the auditor uses a monetary unit sampling (MUS) method that
automatically stratifies the population by the dollar amount of transactions, the
auditor stratifies the locations by separating them into an appropriate number of
relatively homogeneous groups or strata. Stratification can improve the efficiency
of the audit sample result through reducing the uncertainty of the estimate by
grouping items together that are expected to behave similarly with respect to the
audit measure (usually misstatements). Stratification can also be used to provide
items of special interest additional coverage in the audit sample. The stratification
may be based on relative size or qualitative factors, such as risk of material
misstatement. Criteria for stratifying may include estimates of one or more of the
following relative factors:
• the dollar amount of assets;
• the dollar amounts of revenue and expenses incurred or processed at the
location;
• the number of personnel, where payroll costs are significant;
• the dollar amount of appropriations;
• a concentration of specific items (such as a stratum consisting of significant
inventory storage locations, of which those selected will undergo only
inventory procedures);
• the nature and extent of inherent and control risk, including fraud risk and
sensitive matters or the turnover of key management; and
• special reporting requirements, such as separate reports, special disclosures,
or supplementary schedules.
.03 For example, the auditor may stratify locations, based on the amount of total
assets, into the following strata: (1) individually material locations (top stratum),
(2) relatively significant locations (intermediate stratum), and (3) relatively
insignificant locations (bottom stratum). If an entity has 100 locations and if the
auditor determines that total assets is the relevant criterion for stratifying
locations, the first three columns of table FAM 295 C.1 may represent an
acceptable stratification.
Selecting Locations
.04 The auditor may select locations for testing using one of the following methods
for each stratum:
• MUS or classical variables sampling method using a multistage approach.
• Another audit sampling method the auditor expects will be representative.
The auditor generally should consult with an audit sampling specialist if
classical variables sampling or another sampling method is used.
• Nonstatistical selection method when the auditor determines that it is
effective to select locations using auditor’s judgment. With this method, the
auditor cannot project the results of the tested locations to the entity as a
whole. Thus, the auditor should apply substantive analytical procedures,
other substantive tests, or both to the locations not tested, unless those
locations are immaterial in total to the entity as a whole.
These methods are described in more detail in FAM 480.
.05 Table FAM 295 C.1 illustrates a possible MUS sample for each stratum, using
performance materiality of $3 million, no expected misstatement, and 95 percent
assurance. For an MUS sample, the sampling interval would be $1 million, and
the preliminary estimate of the sample size would be 100 ($100 million divided by
$1 million). FAM 400 provides additional information on calculating the amounts
in the table and the various selection methods.
Table FAM 295 C.1: Example of MUS Sampling

Stratum        Number of    Assets          Preliminary estimate    Actual number of
               locations                    of sample size [a]      locations tested [b]
Top                5        $70,000,000             70                      5
Intermediate      85         29,000,000             29                     29
Bottom            10          1,000,000              1                      1
Total            100       $100,000,000            100                     35

[a] The preliminary estimate of sample size is computed by dividing the total balance by the sampling
interval of $1,000,000. See FAM 400 for additional information concerning audit sampling.
[b] The actual number of items tested in the top stratum may be fewer than the preliminary estimate
of sample size because a top stratum selection may include more than one sample item. For
example, if the implicit sampling interval is $1,000,000, a $10 million selection would include 10
sample items.
Testing the Items
.06 The auditor determines the number of items to be tested at each location and
then selects and tests those items. For each line item/account, the auditor
determines the total number of items to be tested, based on the applicable
selection method and population, tolerable misstatement, and the level of
assurance desired, as described in FAM 480 and FAM 495 D.
.07 The auditor may perform analytical and other procedures, as applicable, for both
the locations selected and those not selected. The auditor generally should
perform supplemental analytical procedures, including comparisons of locations
with each other, with other years’ information, and with nonfinancial measures for
all locations, regardless of the selection method.
FAM 400 provides guidance on substantive and supplemental analytical
procedures. Specific matters noted during the audit, for example, cutoff
misstatements at one or more locations, may warrant increased or different
audit procedures at locations not previously selected for testing.
.08 In evaluating the result of an audit sample, the auditor should estimate the
effects, both quantitative and qualitative, on the financial statements as a whole
of any misstatements noted, as discussed in FAM 480 and FAM 540. In testing
selected locations, in addition to the issues concerning evaluation of audit
samples in those sections, the auditor, using professional judgment, generally
should apply the following additional procedures upon finding misstatements or
control deviations:
a. Determine if apparent misstatements are, in fact, misstatements that have not
been corrected at some level in the entity.
b. Ask management to identify the cause of the misstatements and whether
similar misstatements are likely to have occurred at locations not tested.
c. Assess management’s identification of cause.
d. Determine whether the misstatements indicate that there is a control
deficiency. If so, determine whether the control deficiency applies only to the
location tested or to all locations. Determine whether control deficiencies
indicate a need to change the control risk assessment, risk of material
misstatement, or substantive procedures, either for the location or overall.
e. Obtain evidence to test management’s evaluation of whether the same or
similar types of misstatement exist at other locations, including locations not
tested. If the evidence is highly persuasive that the misstatement does not
exist at other locations and the audit director concurs, the auditor may treat
the effect on the entity the same as that on the location. See FAM 480.35 for
a discussion of deciding whether evidence is highly persuasive.
If the misstatement is not isolated to the location, ask management to
investigate whether there is evidence that the incidence rate throughout the
entity is different from the incidence rate in the location tested. If such
evidence exists, the auditor generally should obtain evidence of the incidence
rate throughout the entity and determine the effect on the entity’s financial
statements. If no such evidence exists, the auditor should project the
misstatement identified in the location tested to the entire entity in
determining the potential amount of misstatement that exists in the financial
statements. The audit sampling specialist generally should review these
projections.
.09 The auditor should evaluate the sufficiency of audit procedures applied. The
auditor should use professional judgment and should identify all relevant factors
to determine whether the audit objectives are met in the specific circumstances.
Planning Phase
295 D Considerations for Performing Interim Substantive Testing
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 295 D-1
295 D – Considerations for Performing Interim Substantive Testing
.01 The auditor may decide to perform significant substantive tests of line
items/accounts as of a date before the date of the financial statements. (Note:
interim substantive testing is generally performed on statement of net cost line
items/accounts.) If the auditor performs interim tests, the auditor should also
apply further substantive procedures or substantive procedures combined with
tests of controls that cover the period between the interim testing date and the
date of the financial statements, often referred to as the roll-forward period, and
provide a reasonable basis for extending audit conclusions from the interim date
to period end.[31]
.02 Because evidence obtained as of the year-end provides more assurance than
evidence obtained as of an interim date, risk of material misstatement generally
increases as the length of the roll-forward period increases. The auditor should
evaluate the risk of material misstatement (inherent, control, and fraud risk) in
determining whether substantive or control tests of the roll-forward period can be
designed to provide a reasonable basis for extending the audit conclusions from
the interim testing date to year-end.
Although it is not necessary to obtain audit evidence about the operating
effectiveness of controls to have a reasonable basis for extending audit
conclusions from an interim date to year-end, the auditor should evaluate
whether performing only substantive procedures to cover the remaining period is
sufficient. If the auditor concludes that substantive procedures alone would not
be sufficient to cover the remaining period, tests of the operating effectiveness of
relevant controls should be performed or the substantive tests should be
performed as of year-end.
.03 By performing interim tests before year-end, the auditor may be able to
• more quickly identify and address significant risks of material misstatement,
including audit and accounting issues, such as problem areas and complex or
unusual transactions, enabling the entity to either correct misstatements or
the auditor to modify the audit strategy and audit plan/procedures;
• complete the audit and issue the audit report earlier; and
• improve staff utilization and enable a smaller number of staff members to
perform the audit by allocating the total audit hours over a longer period
before the report issuance date.
.04 Interim testing of a line item/account or an assertion with a high risk of material
misstatement typically involves greater detection risk than performing all
substantive testing of line items/accounts/assertions as of year-end. However, in
some cases, the auditor may be able to perform interim tests depending on the
auditor’s assessment of the factors in FAM 295 D.06.
[31] The auditor may also perform audit procedures on September 30 interim amounts to be included in the
consolidated financial statements of the U.S. government for federal entities with different year-ends.
.05 If the auditor finds control deviations in the tests of controls during interim tests,
the auditor uses professional judgment, considering the nature, cause, and
estimated effects of the deviations, to determine whether to revise the preliminary
risk assessments, audit strategy, and audit plan/procedures, including decisions
regarding the nature, extent, and timing of substantive procedures.
.06 In determining whether to apply interim testing, the auditor should consider the
following factors.
• The assessment of risk of material misstatement. The auditor should
evaluate the risk of material misstatement during the roll-forward period,
including relevant factors such as business conditions that may make
management more susceptible to pressures, providing a rationale for
misstating the financial statements. As the risk of material misstatement
increases, the auditor generally increases the extent of the procedures
applied to the roll-forward period or year-end, possibly making interim testing
much more costly than only testing the year-end balances.
• The anticipated comparability of risk of material misstatement and the
nature of the line item/account balances from the interim testing date to
year-end. The auditor may more easily extend the audit conclusions from the
interim date to the year-end date if the risk of material misstatement does not
increase from the interim date to the year-end date and if the line
item/account balances consist of similar types of items at both dates.
• (For balance sheet accounts) The amount of the line item/account
balance at the interim testing date in relation to the expected year-end
balance. A significant increase in the line item/account balance between
interim and year-end dates would diminish the auditor’s ability to extend the
audit conclusions to the year-end. In addition, applying substantive interim
tests to a large line item/account balance may be inefficient if the year-end
balance is much lower than the balance at the interim date.
• The length of the roll-forward period. The longer the roll-forward period,
the more difficult it is to control the increased risk of material misstatement.
The auditor generally should not use a roll-forward period longer than 3
months for assertions in account balances with significant activity during the
roll-forward period. However, the auditor may use a longer roll-forward period
in certain situations, depending on the auditor’s assessment of the
anticipated activity during the roll-forward period as discussed below.
• The predictability of transaction activity during the roll-forward period.
Interim testing generally decreases in effectiveness and efficiency as the
level of transaction activity during the roll-forward period differs from
expectations, for example, if there are large or unusual transactions during
this period or expected transactions did not occur.
• The ease with which audit procedures can be applied to test the
transactions or controls during the roll-forward period. As the difficulty of
such procedures increases, the efficiency of interim testing generally
decreases.
• The availability of information to test roll-forward period activity using
substantive analytical procedures, detail tests, tests of controls, or a
combination of procedures. If sufficient information is not available, interim
testing is not appropriate.
• The timing of the audit, staffing and scheduling requirements, and
reporting deadlines. Tight deadlines or staff availability for performing audit
procedures at the year’s end may necessitate interim testing.
.07 The auditor should document in the LIRA, or equivalent, the line items/accounts
(and assertions, where applicable) to which interim substantive testing is applied.
The auditor should document the basis for concluding that the use of interim
testing is appropriate in the audit strategy.
.08 If interim testing is planned, see FAM 495 C for guidance for interim testing.
295 E Effect of Risk of Material Misstatement on Extent of Audit Procedures
.01 The concepts of materiality and risk interrelate and sometimes are confused. The
auditor determines materiality based on the users’ perceived concerns and
needs. The auditor also assesses risk of material misstatement based on, for
instance, knowledge of the entity; its business (purpose); applicable laws,
regulations, contracts, and grant agreements; and internal control.
.02 The auditor uses both materiality and risk in (1) determining the nature, extent,
and timing of audit procedures and (2) evaluating the results of audit procedures.
The evaluation of risk usually does not affect materiality. However, risk affects
the extent of testing needed. The higher the auditor's assessment of risk of
material misstatement, the higher the required level of substantive assurance
from the audit procedures. The discussion of consideration of risk in planning
begins at FAM 260.02. Use of risk in determining sample size is discussed in
FAM 470.
.03 As an example, assume that the auditor is testing accounts receivable using
MUS techniques described in FAM 480. Pertinent data for this test are
• accounts receivable total $2.5 million,
• tolerable misstatement is $100,000, and
• no misstatements are expected.
If the auditor assesses risk of material misstatement as low, the sample size
would be 25 items. If the auditor assesses the risk of material misstatement as
high, the sample size would be 75 items. The increase in risk tripled the sample
size with the same tolerable misstatement.
295 F Types of Information System Controls
.01 As discussed in FAM 240.10, the auditor should obtain sufficient knowledge of
the significant accounting applications to understand the design of the
procedures by which transactions are initiated, recorded, processed, and
reported from their occurrence to their inclusion in the financial statements (see
AU-C 315.19 and FAM 320). When significant accounting applications include
control activities that depend on information system processing, the auditor
should assess IS controls using an appropriate methodology. Because of the
technical nature of many IS controls, the auditor generally should obtain
assistance from an IS controls auditor in understanding the entity’s use of
information systems and planning, directing, or performing audit procedures
related to assessing IS controls.
In the planning phase, the auditor should identify and document the control
activities included in the significant accounting applications that are dependent
on information system processing. Such control activities are often application
and user controls. The auditor should then identify the general controls
implemented at the entity-wide, system, and application levels that help ensure
the effective operation of the application and user controls included in the
significant accounting applications.
As discussed in FAM 270.02, the auditor should understand the design of the
general controls identified to the extent necessary to conclude tentatively
whether these controls are likely to be effective. If they are likely to be effective,
the auditor should test IS controls using an appropriate methodology.
Additionally, an information technology specialist may assist the auditor in
understanding technical aspects of information systems and IS controls. See
FAM 360. See also FAM 310.10 through .11 and FAM 640 for further details on
service organizations.
.02 IS controls consist of those internal controls that are dependent on information
system processing and can be classified into three types:
• general controls,
• application controls, and
• user controls.
General Controls
.03 General controls (implemented at the entity-wide, system, and application levels)
are the structure, policies, and procedures that apply to all or a large segment of
an entity’s information systems, including financial management systems.
General controls help ensure the proper operation of information systems by
creating the environment for effective operation of application controls. Ineffective
general controls may prevent application controls from operating effectively and
allow misstatements to occur and not be detected. General controls include the
following:
a. Security management is the foundation of a security-control structure and is
a reflection of senior management’s commitment to addressing security risks.
Security management programs should provide a framework and continuous
cycle of activity for managing risk, developing and implementing effective
security policies, assigning responsibilities, and monitoring the adequacy of
the entity’s IS controls. Without a well-designed security management
program, security controls may be inadequate; responsibilities may be
unclear, misunderstood, or improperly implemented; and controls may be
inconsistently applied. Such conditions may lead to insufficient protection of
sensitive or critical resources and disproportionately high expenditures for
controls over low-risk resources.
b. Logical and physical access controls limit access or detect inappropriate
access to computer resources (data, programs, equipment, and facilities),
thereby protecting these resources against unauthorized modification, loss,
and disclosure. Logical access controls require users to authenticate
themselves (through the use of one or more authentication tokens such as
passwords, smart cards, biometric data, etc.) and limit the files and other
resources that authenticated users can access and the actions that they can
execute. Physical access controls involve restricting physical access to
computer resources and protecting them from intentional or unintentional loss
or impairment.
c. Configuration management involves the identification and management of
security features for all hardware, software, and firmware[32] components of an
information system at a given point and systematically controls changes to
that configuration during the system’s life cycle. Configuration management
controls that are designed and implemented effectively prevent unauthorized
or untested changes to critical information system resources at each system
sublevel (i.e., network, operating systems, and infrastructure applications)
and provide reasonable assurance that systems are securely configured and
operated as intended.
In addition, configuration management controls that are designed and
implemented effectively provide reasonable assurance that software
programs and changes to software programs go through a formal,
documented systems development process that identifies all changes to the
baseline configuration. To reasonably assure that changes to applications are
necessary, work as intended, and do not result in the loss of data or program
integrity, such changes should be authorized, documented, tested, and
independently reviewed.
d. Segregation of duties includes having policies, procedures, and an
organizational structure to manage who can control key aspects of computer-
related operations and thereby prevents unauthorized actions or
unauthorized access to assets or records. Segregation of duties involves
segregating work responsibilities so that one individual does not control all
critical stages of a process. Effective segregation of duties is achieved by
splitting responsibilities between two or more individuals or organizational
units. In addition, dividing duties this way diminishes the likelihood that errors
and wrongful acts will go undetected because the activities of one group or
individual will serve as a check on the activities of the other.
e. Contingency planning protects critical and sensitive data and provides for
critical operations to continue without disruption or be promptly resumed
when unexpected events occur. Contingency planning involves protecting
against losing the capability to process, retrieve, and protect electronically
maintained information. Effective contingency planning is achieved by having
procedures for protecting information resources and minimizing the risk of
unplanned interruptions and a plan to recover critical operations should
interruptions occur. In addition, recovery plans should be tested periodically
in disaster simulation exercises to determine whether they will work as
intended.
[32] Firmware is a program or programs recorded in permanent or semipermanent computer memory.
FISCAM has detailed guidance on evaluating and testing general controls. See
FAM 240 and FAM 270 for additional discussion of general controls.
.04 General controls are established at the entity-wide, system, and application
levels.
• In evaluating general controls at the entity-wide or system level, the auditor
and the IS controls auditor may evaluate overall access control. For instance,
the IS controls auditor may evaluate the entity’s use of security access
software that provides authentication services to multiple systems, including
its proper implementation.
• When evaluating general controls at the application level, the auditor and the
IS controls auditor may evaluate access controls that limit access to particular
applications and related computer files, such as restricting access to payroll
applications and related files (such as the employee master file and payroll
transaction files) to authorized users.
• Finally, the auditor and the IS controls auditor may evaluate the security built
into the application itself to further restrict access. This security is usually
accomplished through menus and other restrictions programmed into the
application software. Thus, a payroll clerk may have access to payroll
applications but may be restricted from access to a specific function, such as
reviewing or updating payroll data on payroll department employees.
.05 The effectiveness of general controls is a significant factor in determining the
effectiveness of application controls and certain user controls. Without effective
general controls, application controls may be rendered ineffective by
circumvention or modification. For example, the production and review of an
exception report of unmatched items can be an effective application control.
However, this control would be ineffective if the general controls permitted
unauthorized program modifications such that certain items would be
inappropriately excluded from the report.
Application Controls
.06 Application controls are controls that are incorporated directly into software
programs, or applications, to help ensure the validity, completeness, accuracy,
and confidentiality of transactions and data during information system
processing. Application controls, sometimes referred to as business process
controls, include controls over
• input,
• processing,
• output,
• master data,
• application interfaces, and
• data management system interfaces.
The effectiveness of application controls depends on the effectiveness of entity-
wide and system-level general controls. Deficiencies in entity-wide and system-
level general controls can permit unauthorized changes to business process
applications and data that can circumvent or impair the effectiveness of
application controls. An effective application control environment includes
• general controls implemented at the application level (i.e., security
management, access controls, configuration management, segregation of
duties, and contingency planning);
• controls over transaction data input, processing, and output as well as master
data maintenance;
• interface controls over the timely, accurate, and complete processing of
information between information systems; and
• controls over the data management systems.
.07 FISCAM uses control categories that complement the methodology used in the
FAM. Most of the following categories relate to the financial statement assertions.
• Validity controls. This category relates to the assertion of existence or
occurrence. Validity controls provide reasonable assurance (1) that all
recorded transactions actually occurred (are real), relate to the organization,
and were properly approved in accordance with management’s authorization
and (2) that output contains only valid data. A transaction is valid when it has
been authorized (for example, buying from a particular supplier) and when
the master data relating to that transaction are reliable (for example, the
name, bank account, and other details on that supplier). Validity includes the
concept of authenticity, including prevention or detection of duplicate
transactions. Examples of validity controls are one-for-one checking and
matching.
• Completeness controls. This category relates to the assertion of
completeness and deals with whether all valid transactions are recorded.
Completeness controls provide reasonable assurance that all transactions
that occurred are input into the system, accepted for processing, processed
once and only once by the system, and properly included in output.
Completeness controls include the following key elements:
  o transactions are completely input;
  o valid transactions are accepted by the system;
  o rejected transactions are identified, corrected, and reprocessed; and
  o all transactions accepted by the system are processed completely.
The most common completeness controls in applications are batch totals,
sequence checking, matching, duplicate checking, reconciliations, control
totals, and exception reporting. Reconciliations not only help detect
misstatements relating to transaction completeness, but also identify the
cutoff and summarization misstatements associated with both the existence
or occurrence and completeness assertions.
• Accuracy controls. This category relates to the assertion of valuation or
allocation, which deals with whether transactions are recorded at correct
amounts. This control category, however, is not limited to valuation and also
includes controls designed to properly classify transactions. Accuracy
controls should provide reasonable assurance that transactions are properly
recorded, with the correct amounts/data, and on a timely basis (in the proper
period); key data elements input for transactions are accurate; data elements
are processed accurately by applications that produce reliable results; and
output is accurate.
Accuracy control techniques include programmed edit checks (e.g.,
validations, reasonableness checks, dependency checks, existence checks,
format checks, mathematical accuracy, range checks, etc.); batch totals; and
check digit verification.
• Confidentiality controls. These controls should provide reasonable
assurance that application data and reports and other output are protected
against unauthorized access. Examples of confidentiality controls include
restricted physical and logical access to sensitive business process
applications, data files, transactions, and output and adequate segregation of
duties. Confidentiality controls also include restricted access to data
reporting/extraction tools as well as copies or extractions of data files.
• Availability controls. These controls should provide reasonable assurance
that application data and reports and other relevant business information are
readily available to users when needed. These controls are principally
addressed in application-level general controls (especially contingency
planning).
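The completeness and accuracy techniques named above (batch totals, sequence checking, duplicate checking, programmed edit checks, check digit verification, and exception reporting) can be seen working together in the following added example, which is not part of the FAM or FISCAM. The record layout, the use of a Luhn check digit on the vendor ID, the 50,000.00 amount limit, and the sample batch are all assumptions constructed for illustration.

```python
"""Constructed illustration of completeness and accuracy application controls."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int          # pre-numbered document sequence (assumed field)
    vendor_id: str    # assumed: numeric ID whose last digit is a Luhn check digit
    invoice_no: str
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    count: int              # record count prepared outside the application
    control_total: Decimal  # sum of amounts prepared outside the application
    first_seq: int
    last_seq: int


MAX_AMOUNT = Decimal("50000.00")  # assumed limit used by the range check


def luhn_valid(number: str) -> bool:
    """Check digit verification (Luhn algorithm, chosen for this example)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(txn: Txn) -> list:
    """Accuracy controls: return the names of the edit checks the record fails."""
    failed = []
    if not luhn_valid(txn.vendor_id):
        failed.append("check digit")
    if not (Decimal("0") < txn.amount <= MAX_AMOUNT):
        failed.append("range")
    if txn.amount != txn.amount.quantize(Decimal("0.01")):
        failed.append("format")  # more than two decimal places
    return failed


def process_batch(header: BatchHeader, txns: list):
    """Accept clean records once and only once; everything else is reported."""
    report = {"rejected": [], "duplicates": [], "missing_seq": [], "batch": []}
    accepted, seen = [], set()
    for t in txns:
        failed = edit_checks(t)
        key = (t.vendor_id, t.invoice_no)
        if failed:
            report["rejected"].append((t.seq, failed))  # to correct and reprocess
        elif key in seen:
            report["duplicates"].append(t.seq)          # duplicate checking
        else:
            seen.add(key)
            accepted.append(t)
    # Sequence checking: every pre-numbered document in the range must be present.
    present = {t.seq for t in txns}
    report["missing_seq"] = [s for s in range(header.first_seq, header.last_seq + 1)
                             if s not in present]
    # Batch totals: compare input with the independently prepared header.
    if len(txns) != header.count:
        report["batch"].append(f"record count {len(txns)} != header {header.count}")
    total = sum((t.amount for t in txns), Decimal("0"))
    if total != header.control_total:
        report["batch"].append(f"amount total {total} != header {header.control_total}")
    return accepted, report


# Constructed sample batch: document 1006 is missing, 1003 has a bad check digit,
# 1004 exceeds the limit, and 1005 repeats the invoice already entered as 1002.
SAMPLE_HEADER = BatchHeader(count=7, control_total=Decimal("77509.50"),
                            first_seq=1001, last_seq=1007)
SAMPLE_TXNS = [
    Txn(1001, "100008", "INV-1", Decimal("1200.00")),
    Txn(1002, "100016", "INV-2", Decimal("350.25")),
    Txn(1003, "100017", "INV-3", Decimal("99.00")),
    Txn(1004, "100024", "INV-4", Decimal("75000.00")),
    Txn(1005, "100016", "INV-2", Decimal("350.25")),
    Txn(1007, "100032", "INV-5", Decimal("10.00")),
]

if __name__ == "__main__":
    ok, exceptions = process_batch(SAMPLE_HEADER, SAMPLE_TXNS)
    print("accepted:", [t.seq for t in ok])
    for section, items in exceptions.items():
        print(f"{section}: {items}")
```

The exception report is only as reliable as the code that produces it, which is why FAM 295 F.05 ties the effectiveness of such a control to general controls over program changes.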
User Controls
.08 User controls are portions of controls that are performed by people interacting
with information systems. The effectiveness of a user control typically depends
on information system processing or the reliability of information that information
systems produce. A user control is considered both an IS control and a manual
control if it depends on information system processing. For example, the
effectiveness of a user control to review and follow up on exceptions typically
depends on the reliability of the exception report that the information system
produces through information system processing.
A user control is considered a manual control if it does not depend on information
system processing. For example, the effectiveness of a user control to manually
reconcile information that information systems produce may or may not depend
on the reliability of the information used in the reconciliation, depending on the
nature of the control. Additionally, the effectiveness of a user control to monitor
the effective functioning of information systems and IS controls may or may not
depend on the reliability of information that information systems produce.
If the auditor expects the effectiveness of a user control to reduce the risk of
material misstatement, the auditor should understand the design of and test any
related controls that support achieving the control objective of the user control.
The extent to which it is necessary to assess related IS controls depends on the
design of the user control and its control objective.
For example, if the user control is the review of an exception report, the auditor
would obtain an understanding of the design of and test the application controls
directly related to the production of the exception report, as well as the general
and other application controls upon which the reliability of the information in the
exception report depends. This testing would include controls over the design
and proper functioning of the business processes that generate the exception
report and the reliability of the data used to generate the exception report. In
addition, the auditor would test the effectiveness of the user control (i.e.,
management review and follow-up on the items in the exception report).
If the user control is a manual reconciliation of information that information
systems produce, the auditor should obtain an understanding of the sources of
the information being reconciled and how such information is produced to
evaluate the design of the user control. Depending on the design of the manual
reconciliation and its control objective, the auditor may or may not need to
assess the application and general controls related to producing the information
being reconciled. For example, the auditor may not need to assess the
application or general controls related to producing the information being
reconciled if the control objective is to provide an independent check on the
validity, accuracy, and completeness of the information system-processed data
and the manual reconciliation is effectively designed to achieve this objective.
.09 In certain circumstances, user controls may be manual controls used to monitor
the proper functioning of information systems and IS controls. For example, a
user control to manually check the completeness and accuracy of information
system processed transactions against manually prepared source records would
be considered a manual control. However, it is important to note that the
effectiveness of this manual control would be dependent on the effectiveness of
the manual controls over the reliability of the manually prepared source records.
295 G Budget Controls
.01 Budget controls are management’s policies and procedures for managing and
controlling the use of appropriated funds and other forms of budget authority.
Budget controls are part of the internal controls covered in OMB audit guidance.
During planning, the auditor should understand the design of budget controls and
determine whether they have been implemented as part of assessing the risk of
material misstatement as discussed in FAM 250 and 260.
.02 Certain controls may achieve both financial reporting and other control
objectives. Accordingly, for efficiency, the auditor may coordinate obtaining an
understanding of budget controls with obtaining an understanding of financial
reporting, compliance, and relevant operations controls.
.03 Budget authority is authority provided by law to allow federal entities to enter
into financial obligations that will result in immediate or future outlays involving
government funds. The Congress provides an entity with budget authority and
may place restrictions on the amount, purpose, and timing of the obligation or
outlay of such authority.
.04 There are four basic forms of budget authority:
• Appropriations. The most common form of budget authority, appropriations
are statutory authority that permits federal entities to incur obligations and to
make payments from the Treasury for specified purposes. Appropriations do
not represent cash actually set aside in the Treasury for purposes specified in
the appropriation acts. Appropriations represent amounts that entities may
obligate during the period specified in the appropriation acts. Periods can be
single year, multiyear, or no year.
• Borrowing authority. This is statutory authority that permits federal entities
to borrow money and then to obligate against amounts borrowed. The
amount to be borrowed may be definite or indefinite in nature, and the
purposes for which the borrowed funds are to be used are stipulated by the
authorizing statute.
• Contract authority. This is statutory authority that permits obligations to be
incurred in advance of appropriations or in anticipation of receipts to be
credited to a revolving fund or other account (offsetting collections). Contract
authority is unfunded. Subsequent funding by an appropriation or by
offsetting collections is needed to liquidate the obligations incurred under the
contract authority.
• Offsetting receipts and collections authority. This is statutory authority
that permits federal entities to obligate and expend the proceeds of offsetting
receipts and collections. Offsetting receipts and collections are of a business-
market-oriented nature and may include intragovernmental transactions, such
as reimbursements for materials or services provided to other government
entities. If, pursuant to law, they are credited to appropriations or fund
expenditure accounts and are available for obligation without further
congressional action, they are referred to as offsetting collections.
.05 Although the Congress provides budget authority to some federal entities
annually in the appropriations act process, the Congress provides other federal
entities with budget authority through laws other than annual appropriations acts,
or through permanent authorities that permit the entity to spend budget authority
without further congressional action.
.06 For additional information and terminology on the federal budget process, consult
GAO’s A Glossary of Terms Used in the Federal Budget Process
(GAO-05-734SP, September 2005).
295 H List of General Laws
.01 The auditor should determine whether the significant provisions in the following
laws have a direct effect on determining material amounts and disclosures in the
financial statements (see FAM 245.03). The auditor generally should use the
General Compliance Checklist in FAM 802 or equivalent to determine which of
these legal provisions are significant for testing compliance. Following each listed
law is the section in the FAM that contains the compliance summary for internal
control testing and audit procedures for that law.
a. Antideficiency Act (ADA), as provided primarily in 31 U.S.C. chapters 13,
15. Provisions: 31 U.S.C. §§ 1341(a)(1)(A), (B); and 31 U.S.C. § 1517(a).
See FAM 803.
b. Federal Credit Reform Act of 1990 (FCRA), as provided in 2 U.S.C. §§ 661-
661f. Provisions: 2 U.S.C. § 661c(b), (e). See FAM 804.
c. Federal Debt Collection Authorities, as provided in 31 U.S.C. chapter 37.
Provisions: 31 U.S.C. § 3711; 31 U.S.C. § 3717(a), (b), (c), (e), (f); and 31
U.S.C. § 3719. See FAM 805.
d. Prompt Payment Act (PPA), as provided in 31 U.S.C. chapter 39.
Provisions: 31 U.S.C. § 3902(a), (b), (f); and 31 U.S.C. § 3904. See
FAM 806.
e. Pay and Allowance System for Civilian Employees, as provided primarily
in 5 U.S.C. chapters 51-59. Provisions: 5 U.S.C. § 5332; 5 U.S.C. § 5343; 5
U.S.C. § 5376; and 5 U.S.C. § 5383. See FAM 807.
f. Civil Service Retirement Act (CSRA), as provided in 5 U.S.C. chapter 83.
Provisions: 5 U.S.C. chapter 83, subchapter III. See FAM 808.
g. Federal Employees Health Benefits Act (FEHBA), as provided in 5 U.S.C.
chapter 89. Provisions: 5 U.S.C. chapter 89. See FAM 809.
h. Federal Employees’ Compensation Act (FECA), as provided in 5 U.S.C.
chapter 81. Provisions: 5 U.S.C. chapter 81, subchapter I. See FAM 810.
i. Federal Employees’ Retirement System Act (FERSA), as provided in 5
U.S.C. chapter 84. See FAM 811.
295 I Examples of Auditor Responses to Fraud Risks
.01 As discussed in FAM 260, the auditor’s response to assessed fraud risks should
(1) have an overall effect on the conduct of the audit; (2) address fraud risks that
relate to management override of controls; and (3) for any fraud risks that relate
to specific financial statement account balances or classes of transactions and
related assertions, involve the nature, extent, or timing of audit procedures. This
section provides examples of auditor responses in this third category: changing
the nature, extent, or timing of audit procedures.
Examples of Auditor Responses (to Fraud Risks) Involving the
Nature, Extent, or Timing of Audit Procedures
.02 Examples of auditor responses to fraud risks involving the nature, extent, or
timing of audit procedures include the following:
a. Inquiring of management and other personnel involved in areas having fraud
risks, such as risks related to any improper payments, to obtain their insights
about those risks and whether and how controls mitigate those risks.
b. Inquiring of management regarding management’s understanding of and
response to the fraud risks that may exist at the entity’s service organizations.
c. Inquiring of those charged with governance to obtain their insights about
those risks and whether and how controls mitigate those risks.
d. Inquiring of additional members of management, such as program directors
or center directors, or other nonaccounting personnel to assist in identifying
issues and corroborating other evidential matter.
e. Using data-mining or other computer-assisted audit techniques, such as
Interactive Data Extraction and Analysis (IDEA), to gather more extensive
evidence about data contained in significant accounts. Such techniques can
be used to select audit sample items from electronic files, locate items with
specific characteristics (to perform substantive analytical procedures or make
a nonstatistical selection), or test an entire population.
f. Inspecting, or observing physical counts of, tangible assets (such as property,
plant, and equipment) and certain inventories, for which other procedures
may otherwise have been sufficient.
g. Conducting surprise or unannounced procedures, such as inventory
inspections or cash counts on unexpected dates or at unexpected locations.
h. Inquiring of major suppliers or customers in addition to obtaining written
confirmations, requesting confirmations of specific individuals within an
organization, or requesting confirmation of additional or different information.
i. Where a specialist’s work is particularly significant (see FAM 620 and AU-C
620), performing additional procedures related to some or all of the
specialist’s methods, assumptions, or findings to evaluate whether the
findings are unreasonable, or engaging another specialist to do that.
j. Performing additional or more focused tests of budget to actual variances and
their underlying causes.
k. Performing targeted tests of the timing of cost/expense recognition.
l. Requesting that physical inventory counts be made on or closer to year-end.
m. If fraud risks relate to an interim period, performing audit tests that are
focused on transactions that occurred in that interim period (or throughout the
reporting period).
n. Testing a larger audit sample of disbursement transactions for validity.
o. Performing substantive analytical procedures that are more detailed by
location, program, month, or other category (for example, analyzing specific
credit lines in an allowance for loan losses, rather than the portfolio as a
whole), or that use more precise techniques (for example, regression
analysis).
p. Discussing with other auditors who are auditing the financial statements of
one or more entity components the extent of work necessary to address fraud
risks resulting from intragovernmental transactions and activity among those
components.
Additional Examples of Auditor Responses to Fraud Risks Related
to Misstatements Arising from Fraudulent Financial Reporting
.03 The following paragraphs provide additional examples of auditor responses to
fraud risks related to misstatements arising from fraudulent financial reporting in
the areas of (1) management’s estimates, (2) revenue recognition, and (3)
inventory quantities. These example responses involve the nature, extent, and
timing of audit procedures.
Management’s Estimates
.04 Fraud risks may relate to management’s development of accounting estimates.
These risks may affect various accounts and assertions, such as valuation and
completeness of liabilities related to insurance and credit programs, pensions,
postretirement benefits, and environmental cleanup. These risks may also relate
to significant changes in assumptions for recurring estimates. Further, because
estimates are based on both subjective and objective factors, bias may exist in
the subjective factors.
.05 Examples of procedures that the auditor may perform in response to fraud risks
related to management estimates include the following:
a. Gathering additional information about the entity and its environment to assist
in more extensively evaluating the reasonableness of management’s
estimates and underlying judgments and assumptions, focusing on more
sensitive or subjective aspects.
b. Performing a more extensive retrospective review of management judgments
and assumptions applied in estimates made for prior periods. This could
encompass analyzing each significant judgment and assumption in light of
the events that occurred subsequently. The auditor may then identify (with
management’s assistance) reasons for any differences and whether these
reasons apply to current period estimates.
c. Using the work of a specialist to evaluate management’s estimate, or
developing an independent estimate to compare to management’s estimate.
Revenue Recognition
.06 Revenue recognition is affected by the particular facts and circumstances and
sometimes (for example, for certain government corporations) by accounting
principles that vary by type of operations. Hence, where revenue is (or is
expected to be) material, the auditor should understand the criteria for revenue
recognition that the entity uses and should design audit procedures based on the
entity’s operations and its environment, including the composition of revenue,
specific attributes of the revenue transactions, and any other specific entity
considerations.
.07 Examples of procedures that the auditor may perform in response to fraud risks
related to improper revenue recognition include the following:
a. Performing substantive analytical procedures related to revenue that are
based on more precisely developed expectations, such as comparing
revenue between the current year and expectations by location, program, and
month, or that establish the limit (see FAM 475.04–.05) at a lower percentage
of tolerable misstatement. Audit techniques such as regression analysis may
be helpful in performing these procedures.
b. Inquiring of entity personnel, including its general counsel, about any
revenue-related transactions near the end of the reporting period and their
knowledge of any unusual terms or conditions that may be related to those
transactions.
c. Confirming with customers and other appropriate parties the relevant contract
terms and the absence of side agreements that may influence the appropriate
accounting.
d. Physically observing goods being shipped or readied for shipment (or returns
awaiting processing) at one or more locations at the end of the reporting
period and performing appropriate sales and inventory cutoff procedures.
e. Expanding tests of general and application controls related to revenue
transactions that are electronically initiated, processed, and recorded.
Inventory Quantities
.08 Examples of procedures that the auditor may perform in response to fraud risks
related to inventory quantities include the following:
a. Reviewing the entity’s inventory records to identify locations, items, or issues
that warrant attention during or after the physical inventory count. As a result
of this review, the auditor may decide to observe inventory counts at some
locations on an unannounced basis or to request that physical inventory
counts be made at all locations on the same date on, or closer to, year-end.
b. Performing additional inventory inspection procedures, such as more
rigorously examining the contents of boxed items; the manner in which the
inventory is stacked (to identify hollow squares or other issues) or labeled;
and, using the work of a specialist if needed, the purity, grade, and
concentration of inventory substances, such as specialty chemicals.
c. Performing additional tests of physical inventory count sheets or tags, and
retaining copies of these documents to minimize the risk of subsequent
alteration or inappropriate extension and summarization of the inventory.
d. Performing additional procedures focused on the quantities included in the
priced inventory to further test the count quantities, such as comparing
quantities for the current period with those for prior periods by inventory
category, location, or other criteria, or comparing count quantities with
perpetual records.
e. Using computer-assisted audit techniques (such as IDEA) to test the
extension and summarization of the physical inventory counts (such as
sorting by tag number to test tag controls or by item number to test for item
omission or duplication) and to test for unusual quantities and cost amounts.
f. Establishing the limit (see FAM 475.04–.05) at a lower percentage of
tolerable misstatement when performing substantive analytical procedures
related to inventories.
Additional Examples of Auditor Responses to Fraud Risks Related
to Misstatements Arising from Misappropriation of Assets
.09 Additional examples of auditor responses to fraud risks related to misstatements
arising from misappropriation of assets involving the nature, extent, and timing of
audit procedures include the following:
a. Using information on improper payments, including information from entity
review of programs and activities under PIIA, to develop and perform audit
procedures focused on specific vulnerable areas.
b. Expanding the extent of participant-eligibility testing for benefit programs to
encompass unannounced visits to intake centers or work sites to test the
existence and identity of participants, to observe benefit payment distribution
to identify “ghost” or deceased participants, or to use confirmation requests to
test the existence of program participants. The auditor may also use data
mining to search for duplicate payments; ineligible, ghost, or deceased
participants; and other issues.
c. Obtaining a more comprehensive understanding of internal controls for
assets that are highly susceptible to misappropriation, in order to identify
relevant controls to prevent and detect a misappropriation; expanding the
tests of those controls; and physically inspecting those assets at or near the
end of the reporting period.
d. Assigning higher inherent risk to locations that have higher fraud risks (when,
for example, large quantities of assets that are particularly susceptible to
such risks are present), and modifying substantive procedures at those
locations.
e. Establishing the limit (see FAM 475.04–.05) at a lower percentage of
tolerable misstatement when performing substantive analytical procedures
related to assets that are particularly susceptible to misappropriation.
295 J Steps in Assessing Information System Controls
.01 As discussed in FAM 270, the following flowcharts illustrate steps the auditor and
the IS controls auditor generally follow in understanding and assessing IS
controls in a financial statement audit. However, the engagement team may
decide to test the effectiveness of the general controls even if they are not likely
to be effective (see fig. 1) or review application controls even though general
controls are not effective (see fig. 2), in order to make recommendations on how
to fix weak controls.
Figure 1: Steps in Assessing Information System (IS) Controls in a Financial Statement
Audit
[Flowchart not reproduced. Legend: steps usually done by the auditor in consultation
with the IS controls auditor; steps usually done by the IS controls auditor in
consultation with the auditor.]
Figure 2: Steps for Each Significant Application in Assessing Information System (IS)
Controls in a Financial Statement Audit
[Flowchart not reproduced. Legend: steps usually done by the auditor in consultation
with the IS controls auditor; steps usually done by the IS controls auditor in
consultation with the auditor.]
SECTION 300
Internal Control Phase
Contents of the Internal Control Phase
Introduction FAM
Overview of the FAM Methodology 110
Planning Phase FAM
Overview of the Planning Phase 210
Perform Preliminary Engagement Activities 215
Understand the Entity’s Operations 220
Perform Preliminary Analytical Procedures 225
Determine Materiality 230
Identify Significant Line Items, Accounts, and Assertions 235
Identify Significant Accounting Applications, Cycles, and Financial Management Systems 240
Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and Grant Agreements 245
Identify Relevant Budget Restrictions 250
Identify Risk Factors 260
Determine Likelihood of Effective IS Controls 270
Identify Relevant Operations Controls to Evaluate and Test 275
Plan Other Audit Procedures 280
Plan Locations to Test 285
Documentation 290
Internal Control Phase FAM
Overview of the Internal Control Phase 310
Understand Information Systems 320
Identify Control Objectives 330
Identify and Understand Relevant Control Activities 340
Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with FFMIA 350
Perform Tests of Controls and Compliance with FFMIA 360
Assess Internal Control on a Preliminary Basis 370
Other Considerations 380
Documentation 390
Testing Phase FAM
Overview of the Testing Phase 410
Design the Nature, Extent, and Timing of Further Audit Procedures 420
Design Tests 430
Perform Tests and Evaluate Results 440
Perform Sampling Control Tests 450
Perform Compliance Tests 460
Perform Substantive Procedures -- Overview 470
Perform Substantive Analytical Procedures 475
Perform Substantive Detail Tests 480
Documentation 490
Reporting Phase FAM
Overview of the Reporting Phase 510
Perform Overall Analytical Procedures 520
Reassess Materiality and Risks of Material Misstatement 530
Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports 540
Audit Exposure (Further Evaluation of Audit Risk) 545
Perform Other Reporting Phase Audit Procedures 550
Determine Whether Financial Statement Presentation is in Accordance with U.S. GAAP 560
Determine Compliance with GAO/CIGIE Financial Audit Manual 570
Draft Reports 580
Documentation 590
310 Overview of the Internal Control Phase
.01 In the internal control phase, the auditor continues the risk assessment
procedures begun in the planning phase. The auditor expands the understanding
of the entity’s internal control gained during the planning phase of the audit in
FAM 200 for all types of controls and, for financial reporting controls, assesses
control risk and risk of material misstatement separately for each significant
financial statement assertion in each significant cycle or accounting application.
(See contents.) The auditor should
• understand and document the design of each of the five components of
  internal control and whether the controls are implemented to prevent, or
  detect and correct, misstatements;
• plan the nature, extent, and timing of tests of controls;
• perform control tests for internal controls that have been designed and
  implemented effectively to support a low assessed level of control risk; and
• assess control risk and the risk of material misstatement on a preliminary
  basis.
The auditor uses the results of this internal control work to
• determine the nature, extent, and timing of further audit procedures (sampling
  control, compliance, and substantive testing discussed in FAM 400);
• update the evaluation of internal control as further evidence is obtained
  throughout the audit;
• determine any effects on the risk of material misstatement and the related
  sufficiency of other audit procedures (discussed in FAM 400 and 500); and
• use the audit evidence obtained during the internal control and testing phases
  to form an opinion or report on internal control over financial reporting
  (discussed in FAM 500).
.02 According to Office of Management and Budget (OMB) audit guidance, for those
controls that have been suitably designed and implemented, the auditor should
perform sufficient tests of such controls to conclude whether the controls are
operating effectively (i.e., sufficient tests of controls to support a low level of
assessed control risk). Thus, the auditor should not elect to forgo control tests
because it is more efficient to extend substantive and compliance audit
procedures.
.03 Management, with oversight by those charged with governance or other
oversight bodies, sets objectives to meet the entity’s mission, strategic plan, and
goals and requirements of applicable laws and regulations. Management groups
objectives into one or more of the three categories of objectives: operations,
reporting, and compliance.
Operations objectives relate to program operations that achieve an entity’s
mission. Reporting objectives relate to the preparation of reports for use by the
entity, its stakeholders, or other external parties. Reporting objectives may be
grouped further into the following subcategories: external financial reporting
objectives, external nonfinancial reporting objectives, and internal financial
reporting objectives and nonfinancial reporting objectives. Compliance objectives
relate to compliance with applicable laws, regulations, contracts, and grant
agreements. Entity management is responsible for establishing and maintaining
internal control over financial reporting to provide reasonable assurance that the
entity’s objectives will be met. In a financial statement audit, the auditor evaluates
those internal controls designed to provide reasonable assurance that the
following objectives are met.
• Reliability of financial reporting: Transactions are properly recorded,
  processed, and summarized to permit the preparation of the financial
  statements in accordance with U.S. generally accepted accounting principles
  (U.S. GAAP), and assets are safeguarded against loss from unauthorized
  acquisition, use, or disposition.
• Compliance with significant provisions of applicable laws, regulations,
  contracts, and grant agreements: Transactions are executed in
  accordance with significant provisions of applicable laws, including those
  governing the use of budget authority, regulations, contracts, and grant
  agreements, noncompliance with which could have a material effect on the
  financial statements.
.04 The auditor should determine whether such internal control provides reasonable
assurance that misstatements, losses, or noncompliance, material in relation to
the financial statements, would be prevented, or detected and corrected, during
the period under audit. If the auditor intends to opine on internal control, the
auditor should form a separate conclusion on internal control over financial
reporting as of the end of the period. Additionally, the auditor may test certain
operations controls, as discussed in the planning phase (FAM 275).
.05 Internal control over safeguarding assets is a process, implemented by
management and other personnel, designed to provide reasonable assurance
regarding the prevention, or prompt detection and correction, of unauthorized
acquisition, use, or disposition of entity assets that could have a material effect
on the financial statements (AU-C 940.29d). Safeguarding controls consist of
(1) controls that prevent, or detect and correct, unauthorized access (direct or
indirect) to assets and (2) segregation of duties.
The auditor should understand the design of certain safeguarding controls as
part of financial reporting controls. These controls relate to protecting assets from
loss arising from handling the related assets and resulting in misstatements in
processing transactions. FAM 395 C includes a list of typical control activities.
The auditor need not evaluate safeguarding controls related to the loss of assets
arising from management’s business decisions. Such a loss may occur from
incurring expenditures for equipment or material that might prove to be
unnecessary, which is part of operations controls.
.06 Just as safeguarding controls are a subset of operations, reporting, and
compliance controls, budget controls are a subset of financial reporting and
compliance controls. Budget controls that provide reasonable assurance that
budgetary transactions, such as obligations and outlays, are properly recorded,
processed, and summarized to permit the preparation of the financial statements,
primarily the statement of budgetary resources, in accordance with U.S. GAAP,
are financial reporting controls. Budget controls are generally also compliance
controls in that they provide reasonable assurance that transactions are
executed in accordance with laws governing the use of budget authority. Some
budget controls may be compliance controls only, for example, controls over
allotments to prevent Antideficiency Act violations.
.07 If the auditor’s understanding is that the control has been designed and
implemented effectively, the auditor should test the following types of controls:
• Financial reporting controls (including certain safeguarding and budget
  controls) for each significant assertion in each significant cycle/accounting
  application (identified in FAM 240).
• Compliance controls for each significant provision of applicable laws,
  regulations, contracts, and grant agreements identified for testing (see FAM
  245), including budget controls for each relevant budget restriction (see
  FAM 250).
• Operations controls (1) for data relied on in performing financial audit
  procedures or (2) selected for testing by the engagement team.
.08 The auditor is not required to test controls that have not been designed and
implemented effectively. Thus, internal controls that are not effective in design
(based on work performed during the planning phase of the current year) do not
need to be tested. If the auditor determined in a prior year that a control in a
particular accounting application was ineffective and if management indicates
that the control has not improved, the auditor need not test it in the current year.
On the other hand, if controls have been determined to be designed and
implemented effectively, the auditor should perform sufficient tests of their
effectiveness to support a low assessed level of control risk.
.09 If the auditor expects to disclaim an opinion because of scope limitations, the
auditor may limit internal control work to updating the understanding of the
design of controls and whether they have been implemented. The auditor may do
this by inquiring as to whether previously identified control weaknesses have
been corrected. In the year the auditor expects to issue an opinion on the
financial statements, the auditor should perform sufficient work on internal control
to support the opinion.
.10 In gaining an understanding of an entity’s internal control, including internal
control related to information systems, along with the related business processes
relevant to financial reporting and communication related to services that a
service organization provides, the auditor should obtain evidence about the
design of relevant controls and whether they have been implemented. In
obtaining evidence about whether controls have been implemented, the auditor
should determine whether the entity is using them, rather than merely having
them written in a manual, for example. This differs from determining a control’s
operating effectiveness, which is concerned with how the control was applied; the
consistency with which it was applied; and by whom and by what means it was
applied, including, when applicable, whether the person performing the control
has the necessary authority and competence to perform it effectively (AU-C
330.10a).
.11 The auditor should obtain an understanding of how the entity uses the services of
a service organization in the entity’s operations for assessing risk and planning
other audit procedures,¹ including the following (AU-C 402.09):
• the nature of the services provided by the service organization and the
  significance of those services to the entity, including their effect on the entity’s
  internal control;
• the nature and materiality of the transactions processed or accounts or
  financial reporting processes affected by the service organization;
• the degree of interaction between the activities of the service organization
  and those of the entity; and
• the nature of the relationship between the entity and the service organization,
  including the relevant contractual terms for the activities undertaken by the
  service organization.
The auditor should evaluate the design and implementation of relevant controls
at the entity that relate to the services provided by the service organization,
including those that are applied to the transactions processed by the service
organization (AU-C 402.10). If performing an audit of internal control over
financial reporting, the auditor should consider the activities of the service
organization when determining the evidence required to support the auditor’s
opinion on the effectiveness of the entity’s internal control over financial reporting
(AU-C 940.88).
In addition, the auditor should inquire of management of the entity about whether
the service organization has reported to the entity, or whether the entity is
otherwise aware of, any fraud; noncompliance with provisions of laws,
regulations, contracts, or grant agreements; or uncorrected misstatements
affecting the financial statements of the entity. The auditor should evaluate how
such matters, if any, affect the nature, timing, and extent of the auditor’s further
audit procedures, including the effect on the auditor’s conclusions and auditor's
report (AU-C 402.19).
See FAM 640 for additional requirements and guidance regarding service
organizations.
.12 If the auditor is not providing an opinion on internal control, the auditor should
evaluate whether the audit evidence is sufficient to achieve the audit objectives
related to internal control described in OMB audit guidance.
If the auditor is not providing an opinion on internal control or is disclaiming an
opinion on internal control, the auditor should evaluate whether the scope of the
work is sufficient to meet the audit objective related to compliance with significant
provisions of applicable laws, regulations, contracts, and grant agreements. If the
scope is not sufficient, the auditor should report a scope limitation as discussed
in FAM 580.97 through .98.
¹ In this section, “auditor” refers to the “user auditor” and “entity” refers to “user entity” as defined in AU-C 402.
.13 In the internal control phase, the auditor should perform and document the
following procedures:
• Understand the entity’s design of the information systems for financial
  reporting; compliance with applicable provisions of laws, regulations,
  contracts, and grant agreements; and relevant operations (see FAM 320).
• Identify control objectives by assertion (see FAM 330).
• Identify and understand relevant control activities that effectively achieve the
  control objectives by assertion (see FAM 340).
• Determine whether control activities have been implemented, and determine
  the nature, extent, and timing of tests of control activities and compliance with
  the Federal Financial Management Improvement Act of 1996 (FFMIA) (see
  FAM 350).
• Perform tests of controls and compliance with FFMIA (see FAM 360).
  Sampling control tests, if necessary, are performed in the testing phase (see
  FAM 450).
• On a preliminary basis, based on the evidence obtained, assess (1) the
  effectiveness of financial reporting, compliance, and relevant operations
  controls; (2) control risk; and (3) the risk of material misstatement (see FAM
  370). The risk of material misstatement includes inherent and control risk and
  is discussed in FAM 370.09.
• Consider partial-year controls and planned changes in controls (see FAM
  380).
• Document the understanding and testing of controls (see FAM 390).
320 Understand Information Systems
.01 The auditor should obtain an understanding of the design of the entity’s
information systems (whether automated or manual), including the processes
relevant to financial reporting, for processing and reporting of
accounting, budget, compliance, and operations data and
maintaining accountability for the related assets, liabilities, equity, and
budgetary resources.²
These systems include procedures established to initiate, authorize, record,
process, and report entity transactions (as well as events and conditions) to
maintain accountability and to monitor compliance. Information systems are part
of the information and communication component of internal control. The
communication portion of this component is in FAM 260.
The auditor should obtain sufficient knowledge of each type of system to
understand the information reflected in FAM 320.03 through .07 in a manner that
is appropriate to the entity’s circumstances. This includes obtaining an
understanding of how transactions originate within the entity’s business
processes, as discussed in AU-C 315.A98. It also includes understanding
procedures for preparing financial statements and note disclosures (including
year-end journal entries and reclassifications) and understanding how
misstatements may occur. The auditor should identify the points within the
entity’s processes at which a misstatement, including a misstatement due to
fraud, could arise that individually or in combination with other misstatements,
would be material (for example, points at which information is initiated,
transferred, or otherwise modified) (AU-C 940.29b).
If the auditor has determined that a service organization maintains any of the
significant financial management systems, then the auditor should follow the
guidance outlined in FAM 640.05 through .09.
Because of the technical nature of many IS controls, the auditor generally should
obtain assistance from an information systems (IS) controls auditor in
understanding the entity’s use of information systems and in planning, directing,
or performing audit procedures related to assessing IS controls. Additionally, an
information technology specialist may assist the auditor in understanding
technical aspects of information systems and IS controls. The auditor may also
coordinate with or leverage work of the Federal Information Security
Modernization Act of 2014 auditor/evaluator in understanding the entity’s IS control
environment. The auditor should document the understanding of these systems
in cycle memorandums, or other equivalent narratives, and may prepare or
obtain related flowcharts. FAM 340 and 350 discuss identifying and documenting
controls that are designed to mitigate inherent risk.
2 As indicated in FAM 260.67 through .73, the Federal Managers’ Financial Integrity Act report and its supporting
documentation may be used as a starting point for understanding and evaluating internal control. The auditor may
use management’s documentation of systems and internal control, including OMB Circular No. A-123 work, where
appropriate. The auditor may use management’s tests of controls as part of the auditor’s tests of controls, if such
tests were executed by competent individuals independent of the controls. (See FAM 640 and FAM 645 for further
information.)
Walk-throughs of Information Systems
.02 The auditor generally should perform sufficient system walk-throughs to confirm
the understanding of significant information about such systems and discuss any
system changes with management. FAM 350.07 discusses walk-throughs to
confirm the auditor’s understanding of controls. In a walk-through of an
accounting system, the auditor traces one or more transactions from initiation
through all processing to inclusion in the general ledger, observing the
processing in operation, making inquiries of entity staff, and inspecting related
documents.
Walk-throughs are important for understanding the transaction process and for
determining appropriate audit procedures. The auditor should perform walk-throughs
for all significant accounting applications. Walk-throughs of budget,
accounting, compliance, and operations systems provide evidence about the
functioning of such systems. The auditor should document these walk-throughs.
The auditor should incorporate the information technology aspects of each
system into the audit documentation and may include additional flowcharts,
narratives, and checklists.
Accounting System(s)
.03 For each significant cycle and accounting application identified for significant line
items and assertions in FAM 240, the auditor should obtain an understanding of
and should document the design of
• procedures by which transactions are initiated, authorized, recorded,
processed, summarized, and reported in the financial statements;
• nature and type of related records, journals, ledgers, feeder systems, and
source documents and the accounts involved;
• processing involved from the initiation of transactions to their inclusion in the
financial statements, including the nature of computer files and the manner in
which they are accessed, updated, and deleted;
• process for resolving the incorrect processing of transactions, for example,
such an understanding might include how the entity determines whether
suspense items are cleared out of an automated suspense file on a timely
basis and how system overrides or bypasses to controls are processed and
accounted for;
• processes for reconciling transaction detail to the general ledger and
correcting reconciling items as needed;
• processes by which the information systems capture events and conditions,
other than classes of transactions, that are significant to the financial
statements; and
• processes used to prepare the entity’s financial statements and budget
execution information, including significant accounting estimates, note
disclosures, and information system processing. Because of its importance to
financial reporting and to the integrated audit, the auditor should evaluate the
period-end financial reporting process (AU-C 940.24). These processes
include
o procedures used to enter transaction totals into the general ledger;
o procedures related to the selection and application of accounting policies;
o procedures used to initiate, authorize, record, and process journal entries
in the general ledger;
o procedures used to record recurring and nonrecurring adjustments to the
financial statements;
o procedures for preparing financial statements (AU-C 940.24); and
o procedures used to combine and consolidate general ledger data.
As part of evaluating the period-end financial reporting process, the auditor
should assess
o the inputs, procedures performed, and outputs of the processes the entity
uses to produce its financial statements;
o the extent of information system processing in the period-end financial
reporting process;
o who participates from management;
o the locations involved in the period-end financial reporting process;
o the types of adjusting and consolidating entries; and
o the nature and extent of the oversight of the process by management and
those charged with governance (AU-C 940.25).
.04 When the auditor is required to report on compliance with FFMIA, the auditor’s
understanding of these processes can help the auditor determine whether the
financial management systems comply substantially with federal financial
management systems requirements, federal accounting standards, and the U.S.
Standard General Ledger (USSGL) at the transaction level. If the entity is likely to
receive an unmodified opinion and to have no identified material weaknesses in
internal control, the auditor should test significant information that the entity
provides to support its assertion about the substantial compliance of its financial
management systems. The auditor may perform this testing in conjunction with
control tests (see FAM 350).
Budget Accounting System(s)
.05 Through discussions with appropriate entity personnel, the auditor should
understand and document the design of the entity’s processes for
• developing and requesting apportionments from OMB;
• establishing and allocating allotments within the entity, including
reprogramming of allotments;
• establishing and recording commitments, if applicable;
• establishing, recording, and monitoring obligations (such as undelivered
orders, which include contracts and purchase orders);
• establishing and recording expended authority (delivered orders);
• establishing and recording outlays;
• monitoring supplemental appropriations;
• recording deobligations when the entity has made a formal decision to cancel
or reduce an obligation, supported by any necessary documentation that has
been fully executed (e.g., SF-30 for contract amendments);
• recording transactions in and adjustments to expired accounts; and
• monitoring canceled (closed) accounts.
Compliance System(s)
.06 The compliance system includes the entity’s policies and procedures to monitor
compliance with provisions of laws, regulations, contracts, and grant agreements
applicable to the entity. Through discussions with appropriate entity personnel,
the auditor should understand and document the design of the entity’s process
for
• identifying and documenting all laws, regulations, contracts, and grant
agreements applicable to the entity;
• monitoring changes in applicable laws, regulations, contracts, and grant
agreements and responding on a timely basis;
• establishing policies and procedures for complying with provisions of
applicable laws, regulations, contracts, and grant agreements and clearly
documenting and communicating these policies and procedures to
appropriate personnel;
• ensuring that an appropriate number of competent individuals at appropriate
levels within the entity monitor the entity’s compliance with applicable laws,
regulations, contracts, and grant agreements; and
• investigating, resolving, communicating, and reporting any noncompliance
with provisions of applicable laws, regulations, contracts, and grant
agreements.
Operations System(s)
.07 Through discussions with appropriate entity personnel, the auditor should
understand and document the design of entity systems in which the operations
controls to be evaluated and tested operate. The auditor should test operations
controls relied on in performing financial audit procedures, such as using
entity-prepared data for substantive tests. For example, if the auditor intends to
evaluate and test an operations control that depends on certain statistical
information that will be used in a substantive analytical procedure, the auditor
should understand how the statistical information is developed. See FAM 275.08
for examples of the auditor using entity-prepared reports for substantive tests
and discussions of tests of related controls over the report data, such as
operational controls.
330 Identify Control Objectives
.01 In designing their systems, entities identify control objectives for each type of
control that if achieved would provide the entity with reasonable assurance that
individual and aggregate misstatements (whether caused by error or fraud),
losses, or noncompliance material to the financial statements would be
prevented, or detected and corrected. For social insurance and nonmonetary
information in the financial statements, such as physical units of heritage assets,
the objectives would relate to controls that would provide reasonable assurance
that misstatements, losses, or noncompliance that would be considered material
by users of the information would be prevented, or detected and corrected.
These control objectives can be classified as follows:
• Financial reporting controls to prevent, or detect and correct,
misstatements in significant financial statement assertions. These include
safeguarding controls to safeguard assets against loss from unauthorized
acquisition, use, or disposition and segregation-of-duties controls to
prevent one person from controlling multiple aspects of a transaction,
allowing that person to both cause and conceal misstatements whether due
to error or fraud.
• Budget controls to provide reasonable assurance that the entity (1) properly
records, processes, and summarizes transactions to permit the preparation of
the statement of budgetary resources and reconciliation of net cost to budget
note in accordance with U.S. GAAP and (2) executes transactions in
accordance with budget authority.
• Compliance controls to comply with significant provisions of applicable
laws, regulations, contracts, and grant agreements.
• Operations controls to achieve the performance desired by management for
planning, productivity, quality, economy, efficiency, or effectiveness of the
entity’s operations.
FAM 330.02 through .11 describes the process for identifying control objectives.
Financial Reporting Controls
.02 The auditor should evaluate and test financial reporting controls for each
significant assertion in each significant financial statement line item or account,
including related note disclosures if the auditor has determined that controls have
been designed and implemented effectively. (See FAM 235.02 for a discussion of
financial statement assertions.) The first step in identifying control objectives for
financial reporting controls is to consider the types of misstatements that might
occur in each significant assertion in each significant line item or account. One or
more potential misstatements can occur in each financial statement assertion.
For example, for the existence or occurrence assertion, potential misstatements
can occur in four areas.
• Occurrence/validity: Recorded transactions and events did not actually
occur or do not pertain to the entity.
• Cutoff: Transactions and events are recorded in the current period, but
occurred in a different period.
• Summarization: Transactions are summarized improperly, resulting in an
overstated total.
• Existence: Recorded assets, liabilities, net position, and budgetary balances
do not exist at a given date. Projected revenues or expenditures in the
sustainability financial statements are not valid.
For each potential misstatement in each assertion, there are one or more control
objectives that if achieved would prevent, or detect and correct, the potential
misstatement. These potential misstatements and control objectives provide the
auditor with the primary basis for assessing the effectiveness of an entity’s
control activities.
Identifying Potential Misstatements and Control Objectives
.03 As discussed in FAM 240, the auditor identifies the significant accounting
applications that provide the source of significant entries to each significant line
item or account. Each significant line item or account is affected by input from
one or more accounting applications. Accounting applications are classified as
(1) transaction related or (2) line item/account related. For example, as illustrated
in FAM 395 A, sources of significant entries to cash typically include the cash
receipts (transaction related), cash disbursements (transaction related), payroll
(transaction related), and cash (line item/account related) accounting
applications, while sources of significant entries to accounts receivable typically
include the billing (transaction related), cash receipts (transaction related), and
accounts receivable (line item/account related) accounting applications. The
auditor should identify the accounting applications in the cycle matrix and Line
Item Risk Analysis (LIRA) form, or equivalent documentation.
.04 The auditor should understand how potential misstatements in significant
accounting applications could affect the related line item or account at an
assertion level. For example, an overstatement of cash receipts typically results
in (1) an overstatement of the cash account (by overstating the debit to cash) and
(2) an understatement of accounts receivable (by overstating the credit to
accounts receivable).
To illustrate this concept using the assertions, a misstatement in the existence or
occurrence assertion for cash receipts typically results in misstatements in (1) the
existence or occurrence assertion for the cash account and (2) the completeness
assertion for accounts receivable.
.05 To understand the effect of potential misstatements as discussed above, the
auditor may consult table 330.1 regarding transaction-related accounting
application assertions as they affect line item/account assertions.
Table 330.1: Transaction-Related Accounting Application Assertions and Line Item/Account Assertions Affected

| Transaction-related accounting application assertion | Line item/account assertions affected |
|---|---|
| Occurrence | Existence, if the application increases the line item/account balance; Completeness, if the application decreases the line item/account balance |
| Completeness | Completeness, if the application increases the line item/account balance; Existence, if the application decreases the line item/account balance |
| Accuracy | Accuracy |

.06 For each potential misstatement in the accounting application, the auditor should
identify related control objectives (and ultimately related controls) that could
prevent, or detect and correct, the potential misstatement. FAM 395 B includes a
list of potential misstatements that could occur in each assertion in an accounting
application and related control objectives. The auditor exercises judgment in
determining which potential misstatements and control objectives to use. The
auditor should tailor the list included in FAM 395 B to the accounting application
and to the entity and should supplement the list with additional objectives or
subobjectives, as appropriate.
.07 If the auditor performs procedures that are documented by line item or account, a
given accounting application might be addressed two or more times. For example
(see FAM 395 A), the purchasing accounting application typically would be
addressed in evaluating controls relating to the inventory, property, liabilities,
expense, and obligation accounts. To avoid duplication, the auditor may use a
Specific Control Evaluation (SCE) worksheet or equivalent to document the
procedures discussed in FAM 330.03 through .06. The SCE worksheet groups
potential misstatements and control objectives by accounting application (within
each cycle), providing a format for performing and documenting the evaluation
and testing of internal controls efficiently. See FAM 395 G for an example of an
SCE worksheet. Sample forms for preparing the LIRA form and SCE worksheet
electronically are available at https://www.gao.gov/financial_audit_manual.
Safeguarding Controls
.08 Safeguarding controls related to preventing, or detecting and correcting,
unauthorized access (direct or indirect) to assets are often critical to the
effectiveness of controls over liquid (easily sold or traded) and readily marketable
assets (such as cash, inventories, or property) that are highly susceptible to theft,
loss, or misappropriation in material amounts. These controls are also important
when there is an increased risk of fraud. Before selecting specific control
activities to test, the auditor should determine whether safeguarding controls
over assets are relevant and consider materiality of the assets.
If the auditor determines that (1) an asset is highly liquid or marketable and
(2) material amounts are susceptible to theft, loss, or misappropriation, the
auditor should include control objectives for safeguarding such assets and
understand whether safeguarding controls over assets have been designed and
implemented effectively and, if so, should test safeguarding controls over assets.
On the other hand, if the asset is not liquid or marketable or amounts readily
susceptible to theft, loss, or misappropriation are not material, the auditor might
not need to understand and test safeguarding controls over assets. The auditor
may evaluate safeguarding controls over assets in connection with other financial
reporting controls.
The auditor should test safeguarding controls related to segregation of duties
controls as discussed in FAM 360.09 through .10.
Budget Controls
.09 The objectives of budget controls are to provide reasonable assurance that the
entity (1) properly records, processes, and summarizes transactions to permit the
preparation of the statement of budgetary resources and reconciliation of net cost
to budget note in accordance with U.S. GAAP and (2) executes transactions in
accordance with budget authority. FAM 395 F presents a list of budget control
objectives, organized by steps in the budget process. In addition, FAM 395 D
presents a list of selected statutes relevant to the budget, and FAM 395 E
describes budget steps of interest to the auditor in evaluating an entity’s budget
controls. The auditor may document budget control objectives in a separate SCE
worksheet for budget controls or in a memo, or incorporate them in an SCE
worksheet with related financial reporting controls.
Compliance Controls
.10 The objective of compliance controls is to provide reasonable assurance that
the entity complies with significant provisions of applicable laws, regulations,
contracts, and grant agreements. The auditor should identify compliance control
objectives for the related provision identified for testing and may document these
objectives in a separate SCE worksheet for compliance controls or in a memo, or
incorporate them in an SCE worksheet with related financial reporting controls.
Operations Controls
.11 The objectives of operations controls are to provide reasonable assurance that
the entity effectively and efficiently meets its mission. The auditor should identify
control objectives for any operations controls identified for testing and may
document operations control objectives in a separate SCE worksheet for
operations controls or in a memo, or incorporate them into an SCE worksheet
with related financial reporting controls.
The auditor should test operations controls relied on in performing financial audit
procedures, and any others selected for testing by the engagement team, if any.
See FAM 275.08 and FAM 495 A.20 through .22 for examples of the auditor
using entity-prepared reports for substantive tests, such as substantive analytical
procedures, and discussions of tests of related controls over the report data,
such as operations controls.
340 Identify and Understand Relevant Control Activities
.01 For each control objective, based on discussions with entity personnel and the
results of other procedures performed, the auditor should identify the control
activities for achieving the specific control objective.³ These control activities may
be designed by management and may include control activities designed and
implemented by a service organization used by the entity.
The auditor should determine whether the control activities identified depend on
information system processing. A dependency on information system processing
exists if a control activity cannot reasonably be expected to achieve a specific
control objective without effective information system processing, either in the
performance of the control activity or in the production of information used in the
performance of the control activity. Because of the technical nature of many IS
controls, the auditor generally should obtain assistance from an IS controls
auditor in understanding the entity’s use of information systems and in planning,
directing, or performing audit procedures related to assessing IS controls. For
example, an IS controls auditor may assist the auditor in identifying and
understanding the design of application controls and general controls
implemented at the entity-wide, system, and application levels that help ensure
the effective operation of the control activities that depend on information system
processing. Additionally, an information technology specialist may assist the
auditor in understanding technical aspects of information systems and IS
controls. The auditor should refer to FAM 640 if the audited entity uses a service
organization.
Basic Understanding of the Design of Control Activities
.02 The auditor should obtain a sufficient understanding of the design of the
identified control activities to determine whether they are likely to achieve the
control objectives, assuming an effective control environment, entity risk
assessment, information and communication, monitoring, appropriate
segregation of duties, and effective general controls. The purpose of this
assumption is for the auditor to identify any deficiencies in the specific control
activities of the entity that the auditor should report, as discussed in FAM 580,
and recommend that the entity correct. Often only multiple control activities,
together with other components of internal control (control environment, entity
risk assessment, information and communication, and monitoring), will be
sufficient to address a risk.
Factors to Consider
.03 When evaluating whether controls are likely to achieve the control objectives, the
factors that the auditor should consider include directness, selectivity, manner of
application, and follow-up. In determining whether control objectives are
achieved, the auditor should consider both manual and IS controls, if they are
likely to be effective (see FAM 270).
3 FAM 395 C presents a list of typical control activities that an entity may establish to help prevent, or detect and
correct, misstatements in financial statement assertions.
.04 Directness refers to the extent to which a control activity relates to a control
objective. The more direct the relationship, the more effective that activity may be
in achieving the objective. For example, management reviews of inventory
reports that summarize the inventory by storage facility may be less effective in
preventing, or detecting and correcting, misstatements in the existence assertion
for inventory than a periodic physical inventory, which is more directly related to
the existence assertion.
.05 Selectivity refers to the magnitude of the amount, or the significance of other
criteria or distinguishing characteristics, that a specific control will identify as an
exception condition. Examples of selectivity thresholds are (1) a requirement for
additional approvals of all payments to vendors in excess of $25,000 and
(2) management reviews of all payments to vendors not on an entity’s approved
vendor list. When determining whether a control is likely to be effective, the
auditor should evaluate the likelihood that items that do not meet the selectivity
threshold could, in the aggregate, result in material misstatements of financial
statements; material noncompliance with budget authority; material
noncompliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements; or significant ineffective or inefficient use of
resources.
The auditor also should evaluate the appropriateness of the specified criteria
used to identify items in a management or exception report. For example, IS
input controls (such as the matching of vendor invoices with receiving reports
and purchase orders) that require exact matches of data from different sources
before a transaction is accepted for processing may be more effective than
controls that accept transactions that fall within a broader range of values. On the
other hand, controls based on exception reports that are limited to selected
information or use more selective criteria may be more effective than lengthy
reports that contain excessive information.
.06 Manner of application refers to the way in which an entity places a specific
control into operation. The manner of application can influence the effectiveness
of a specific control. When determining the effectiveness of controls, the auditor
should evaluate the following:
• Frequency of application. This refers to the regularity with which controls
are applied. Generally, the more frequently a control is applied, the greater
the likelihood that it will be effective.
• Authority and competence of personnel. This refers to whether the person
performing a control possesses the necessary authority and competence to
perform it effectively (AU-C 330.10a.iii). If the person has less experience and
skills or does not have the appropriate authority, it is less likely that the
control will be effective. Also, the effective application of a control is generally
adversely affected if the technique (1) is performed by an employee who has
an excessive volume of work or (2) is not performed carefully.
.07 Follow-up refers to the procedures performed when a control identifies an
exception condition. A control’s effectiveness depends on the effectiveness of
follow-up procedures. To be effective, an entity needs to (1) apply these
procedures on a timely basis, (2) determine whether control exceptions represent
misstatements, and (3) correct all misstatements noted. For example, as a
control, an accounting system may identify and put exception transactions into a
suspense file or account. Lack of timely follow-up procedures by the entity to
(1) reconcile and review the suspense file or account and (2) correct items in the
suspense file or account would render the control ineffective.
.08 When evaluating whether controls are likely to be effective, the auditor should
evaluate whether the controls also are applied effectively to adjustments or
corrections made to the financial records. Such adjustments or corrections may
occur at the transaction level, or during summarization of the transactions, or
may be posted directly to the general ledger accounts. Further, the auditor
should also evaluate the design and implementation of controls applied to the
financial statement preparation process.
.09 Based on the understanding of the design of control activities and the
determination of whether they are likely to achieve the control objectives, the
auditor should assess control risk to decide whether to test controls. If control risk
is high for a relevant assertion because the control activities for the related
accounting application are not effective in design or not likely to be effective in
implementation (based on prior years’ testing of the control activities and the
results of procedures performed in the current year to understand the controls,
including management’s indication that the controls have not improved from the
prior year), the auditor does not need to test the operating effectiveness of the
controls in the current year.
According to OMB audit guidance, for those controls that have been suitably
designed and implemented, the auditor should perform sufficient tests of such
controls to conclude whether the controls are operating effectively (i.e., sufficient
tests of controls to support a low level of assessed control risk). Thus, the auditor
should not elect to forgo control tests because it is more efficient to extend
substantive and compliance audit procedures. Further, as discussed in FAM
350.04, the auditor generally should test only the control activities that are
necessary to achieve the objective.
Internal Control Phase
350 Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with
FFMIA
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 350-1
350 – Determine the Nature, Extent, and Timing of Tests of
Controls and Compliance with FFMIA
.01 For each control objective, the auditor should
• identify specific and relevant control activities to potentially test (FAM 350.04–.06);
• perform walk-throughs to determine whether those control activities have
  been implemented (FAM 350.07);
• document those control activities in the SCE worksheet or equivalent
  (FAM 350.08); and
• determine the nature, extent, and timing of tests of controls (FAM 350.09–.22).
.02 As noted in FAM 310.02, according to OMB audit guidance, for those controls
that have been suitably designed and implemented, the auditor should perform
sufficient tests of such controls to conclude whether the controls are operating
effectively (i.e., sufficient tests of controls to support a low level of assessed
control risk). Thus, the auditor should not elect to forgo control tests because it is
more efficient to extend substantive and compliance audit procedures.
.03 For Chief Financial Officers (CFO) Act agencies, the auditor also should
determine the nature, extent, and timing of tests for determining whether the
entity’s financial management systems are in substantial compliance with federal
financial management systems requirements (these requirements are
established by the Department of the Treasury and published in the Treasury
Financial Manual (TFM), volume 1, chapter 9500); federal accounting standards
(U.S. GAAP – see FAM 560); and the USSGL at the transaction level in order to
report in accordance with FFMIA (FAM 350.23–.26).
Substantial compliance includes the ability of the financial management systems
to routinely provide reliable and timely financial information for managing day-to-
day operations as well as to produce reliable financial statements, maintain
effective internal control, and comply with legal and regulatory requirements.
Implementing FFMIA’s requirements helps to ensure that agencies use financial
management systems that provide reliable, timely, and consistent information.
Agencies that can (1) prepare financial statements and other required financial
budget reports using information generated by their financial management
system(s); (2) provide reliable and timely financial information for managing
current operations; (3) account for their assets reliably, so that they can be
properly protected from loss, misappropriation, or destruction; and (4) do all three
in a way that is consistent with U.S. GAAP and the USSGL are substantially
compliant with the three FFMIA requirements. See FAM 701 for further guidance
on determining financial management systems’ substantial compliance with
FFMIA requirements.
Identify Relevant Control Activities to Potentially Test
.04 For each control objective identified in FAM 330, the auditor should identify the
control activity, or combination of control activities, that is likely to (1) achieve the
control objective and (2) improve the efficiency of control tests. Control activities
may include entity-level control activities and transaction control activities. The
auditor should identify and test those entity-level controls that are important to
the auditor’s conclusion about whether the entity has effective internal control
over financial reporting (AU-C 940.22). Testing of entity-level controls as it
relates to the other four components of internal control (control environment,
entity risk assessment, information and communication, and monitoring) is
discussed in FAM 360.19. Per AU-C 940.A34, the auditor’s evaluation of entity-
level controls can result in increasing or decreasing the testing that the auditor
otherwise would have performed on other controls.
In identifying control activities to test, the auditor should consider (1) the extent of
any inherent risk⁴ and weaknesses in the entity’s control environment, risk
assessment, information and communication, or monitoring,⁵ including those
related to information systems (documented as appropriate in the LIRA form,
audit strategy, or equivalents (see FAM 260)), and (2) the tentative determination
of the likelihood that IS controls will be effective (see also FAM 270).
The auditor generally should test only the control activities necessary to achieve
the objective (i.e., key controls). For example, the entity may have several
controls that are equally effective in achieving an objective. In such a case, the
auditor generally should test the control activity that is efficient to test,
considering such factors as (1) the extent to which a control achieves several
control objectives and thereby reduces the number of controls that would
ordinarily need to be tested; (2) the time that will be required to test the control;
and (3) control dependencies, particularly for IS controls (see FAM 340.01). The
auditor may also, based on risk, test different control activities from year to year
in a recurring audit, but it does not change the auditor’s responsibility to identify
the control activity, or combination of control activities, in the current-year audit
that are necessary to achieve the control objective.
.05 For those control objectives for which the auditor preliminarily determines that
control activities have been suitably designed and implemented to achieve the
control objective, the auditor should test the selected control activities, as
discussed in FAM 360 and FAM 450. The auditor may test all or only certain
control activities (because others are not likely to be effective) related to a control
objective.
If, in any phase of the audit, the auditor determines that a control activity selected
for testing is, in fact, ineffective in design or operation in achieving the control
objective, the auditor may discontinue testing of that control activity and should
report the identified deficiencies in internal control, as discussed in FAM 580.
.06 Before testing controls the auditor believes will be effective, the auditor may
complete the LIRA form or equivalent tentatively, assuming that such controls are
effective.
⁴ Assertions that have high inherent risk normally require stronger or more extensive controls to prevent, or detect and
correct, misstatements than assertions without such risk.
⁵ Control environment, entity risk assessment, information and communication, and monitoring weaknesses may
result in ineffective control activities. If so, the auditor should still understand the design of specific control activities
and determine whether they have been implemented, as discussed in FAM 340.02.
Perform Walk-throughs to Determine Whether Control Activities
Have Been Implemented
.07 Before performing control tests, the auditor should perform one or more walk-
throughs of each control activity identified in FAM 350.04 to determine whether
the control activities are functioning in the manner understood by the auditor.
These walk-throughs are designed to confirm the auditor’s understanding of the
design and implementation of the control activities as part of the auditor’s risk
assessment process and differ from those performed to confirm the auditor’s
understanding of the information systems (see FAM 320.02). These walk-throughs
include a mix of observation, inspection, and inquiry (see FAM 350.09–.16)
with personnel responsible for applying or maintaining each control activity.
Through these walk-throughs and the system walk-throughs discussed in FAM
320.02, the auditor should determine whether each control activity has, in fact,
been implemented. If a control activity has not been implemented, the auditor
should consider whether other control activities are likely to achieve the related
control objective(s) (compensating controls). If such other control activities are
properly designed and implemented, the auditor should update the SCE
accordingly.
Document Control Activities to Be Tested
.08 The auditor should document the control activities to be tested in the SCE
worksheet or equivalent (see an illustration in FAM 395 G). FAM 360.19
discusses documentation of controls to test for the other components of internal
control (control environment, entity risk assessment, information and
communication, and monitoring). The auditor may list (and evaluate) control
activities that satisfy more than one control objective only once and refer to these
controls, when applicable, on subsequent occasions. For each control activity to
be tested, the auditor should determine whether the control is an IS control, as
discussed in FAM 240 and FAM 295 F. The auditor generally should obtain
concurrence from an IS controls auditor on the auditor’s identification of IS
controls that will be tested.
Determine the Nature of Control Tests
.09 To obtain sufficient, appropriate evidence of the effectiveness of specific control
activities as well as for other components of internal control (see FAM 360.19),
the auditor should determine the combination of control tests (observation,
inquiry, or inspection) to be performed. No one specific control test is always
necessary, applicable, or equally effective in every circumstance. In designing
and performing tests of controls, the auditor should perform other audit
procedures in combination with inquiry to obtain sufficient, appropriate audit
evidence regarding the operating effectiveness of controls, including how the
controls were applied at relevant times during the period under audit; the
consistency with which they were applied; and by whom or by what means they
were applied, including, when applicable, whether the person performing the
control possesses the necessary authority and competence to perform the
control effectively. The auditor should determine whether the controls to be
tested depend upon other controls and, if so, whether it is necessary to obtain
audit evidence supporting the operating effectiveness of those controls (AU-C
330.10). For example, when the auditor decides to test the effectiveness of a
user review of exception reports detailing sales in excess of authorized credit
limits, the user review and related follow-up is the control that is of direct
relevance to the auditor. In addition to obtaining audit evidence to support the
completeness and accuracy of the exception reports, in this example, it may be
necessary to obtain audit evidence supporting the general information technology
controls (AU-C 330.A33). See FAM 340.03 for the factors to consider when
evaluating whether controls are likely to achieve the control objective. In
determining the types of tests to apply, the auditor should determine the tests
that are effective and efficient. Specific types of control tests and methods to
apply them are discussed in the following paragraphs.
.10 Observation. The auditor conducts observation tests, which include looking at a
process or procedure being performed by others (for example, the auditor’s
observation of inventory counting by the entity’s personnel or the performance of
control activities) (AU-C 500.A52). Observation generally provides highly reliable
evidence that a control activity is properly applied when the auditor is there to
observe it. However, it provides no evidence that the control was in operation at
any other time. Consequently, the auditor generally should supplement
observation tests with corroborative evidence obtained from other tests (such as
inquiry and inspection) about the operation of controls at other times.
.11 Inquiry. The auditor conducts inquiry tests by seeking information, both financial
and nonfinancial, from knowledgeable persons within the entity or outside the
entity (AU-C 500.A62). The auditor makes either oral or written inquiries of entity
personnel involved in the application of specific control activities to determine
what they do or how they perform a specific control activity. Such inquiries are
typically open ended. Evidence obtained from inquiry alone is not sufficient.
Thus, the auditor should supplement inquiry with other types of control tests –
observation or inspection (which may include reperformance). Combining
inquiry with inspection typically provides more assurance than inquiry combined
only with observation. The reliability of evidence obtained from inquiry depends
on various factors, including the following:
• The competence, experience, knowledge, independence, and integrity of the
  person of whom the inquiry was made. The reliability of evidence is enhanced
  when the person possesses these attributes.
• Whether the evidence is general or specific. Evidence that is specific is
  usually more reliable than evidence that is general.
• The extent of corroborative evidence obtained. Evidence obtained from
  several entity personnel is usually more reliable than evidence obtained from
  only one person.
• Whether the evidence was provided orally or in writing. Generally, evidence
  provided in writing is more reliable than evidence provided orally.
.12 Inspection. The auditor conducts inspection tests by examining an asset (either
by being physically present or using remote observation tools) or examining
records or documents, whether internal or external or in paper form, electronic
form, or other media (AU-C 500.A51), for evidence (such as the existence of
initials or signatures) that a control activity was applied. System documentation,
such as operations manuals, flowcharts, and job descriptions, may provide
evidence of control design but do not provide evidence that controls are
implemented and operating effectively. To use system documentation as part of
the evidence of effective control activities, the auditor should obtain additional
evidence on how the controls were applied.
Inspection is generally a reliable source of audit evidence, and because evidence
of performance is documented, this type of test can be performed at any time.
However, since documentary evidence generally does not provide evidence
concerning how effectively the control was applied, the auditor generally should
supplement inspection tests with observation and/or inquiry of persons applying
the control. For example, the auditor generally should supplement inspection of
initials on documents with observation, inquiry, or both of the individual(s) who
initialed the documents to understand the procedures they followed before
initialing the documents. The auditor may also reperform the control being tested
to determine if it was properly applied.
.13 The auditor should select the type of control tests based on (1) the nature of the
control to be tested and (2) the timing of the test and period covered by the
control.
.14 The nature of the control influences the type of evidence that is available. For
example, if the control provides documentary evidence, the auditor may inspect
the documentation. For other controls, documentation may not be available or
relevant. In these circumstances, the auditor may obtain evidence about the
effectiveness of the control’s operation through (1) direct observation of the
control being applied during the audit period, (2) inquiry of the individual(s)
involved about applying the control at other times during the audit period, and (3)
review of entity policies and procedures.
.15 The timing of the control test and the period covered by the control influence
the control test. The auditor should obtain evidence relating to the audit period.
Unless it is documentary evidence, the auditor generally should obtain the
evidence during the audit period, when sufficient corroborative evidence is most
likely to be available. When the evidence relates to only a specific point in time,
such as evidence obtained from observation, the auditor should obtain additional
evidence that the control activity was effective during the entire audit period. For
example, the auditor may observe the control in operation during the audit period
and use inquiry and inspection of procedures manuals to determine that the
control was in operation during the entire audit period. FAM 380.01 provides
guidance concerning situations when new controls are implemented during the
year. If the auditor tests controls after the audit period, the auditor should
determine if any changes occurred between the end of the audit period and the
time of the test. See FAM 350.21 for further discussion of interim testing of
controls.
.16 When selecting a particular control test from among equally effective tests, the
auditor should select the most efficient test. When statistical sampling is
considered necessary, the auditor should consider performing multipurpose
testing to enhance audit efficiency (see FAM 430 and FAM 450).
Determine the Extent of Control Tests
.17 For each control activity considered necessary to achieve the control objectives
and determined to be suitably designed and implemented, the auditor should test
the control activity to determine whether it is operating effectively to achieve the
control objectives. Relevant financial reporting, budget, compliance, and
operations controls generally should be tested to the same level of assurance.
.18 After selecting the nature of control tests to be performed, the auditor should
determine the extent of control tests (including IS controls). This determination is
based on the
• information gathered in developing an understanding of internal control
  (including the nature of the control, the nature and availability of evidence,
  and how frequently the control is performed),
• extent to which audit evidence is obtained from tests of other controls related
  to the relevant assertion, and
• auditor’s determination of the amount of additional evidence needed.
As the planned level of assurance increases, the auditor should seek more
reliable or more extensive audit evidence. The extent of testing is also discussed
in FAM 360 and FAM 450.
.19 As discussed in FAM 350.14, for controls that do not leave documentary
evidence of existence or application, the auditor may test their effectiveness by
observation, inquiry, or both. However, the appropriate extent of observation and
inquiry is not readily quantifiable and is therefore a matter of the auditor’s
judgment.
.20 Testing the operating effectiveness of controls is different from obtaining an
understanding of and evaluating the design and implementation of controls.
However, the same types of audit procedures are used. The auditor may
therefore decide it is efficient to test the operating effectiveness of controls at the
same time the auditor is evaluating their design and implementation (AU-C
330.A22), such as while performing walk-throughs as discussed in FAM 320.02
and 350.07.
Further, although some risk assessment procedures may not have been
specifically designed as tests of controls, they may nevertheless provide audit
evidence about the operating effectiveness of the controls and consequently
serve as tests of controls. For example, the auditor’s risk assessment procedures
may have included inquiries about management’s use of budgets, observing
management’s comparison of monthly budgeted and actual expenses, and
inspecting reports pertaining to the investigation of variances between budgeted
and actual amounts (AU-C 330.A23).
Determine the Timing of Control Tests
.21 The auditor should determine when to perform control tests. For efficiency, the
auditor may perform most control testing on an interim basis that covers 9 or 10
months of the audit period and perform a roll-forward and limited testing for the
remaining audit period. The auditor should obtain evidence about significant
changes to those controls subsequent to the interim period and determine the
additional audit evidence to be obtained for the remaining period (AU-C 330.12).
Another approach is for the auditor to determine the actual population of
transactions for the audit period through an interim date and estimate the
transactions for the remaining audit period. A statistical sample can then be
drawn that covers the entire audit period, with the bulk of testing completed
during the interim period and the remaining items tested immediately after year-
end. The auditor generally should overestimate the remaining items in the
population so every item will have a chance of selection. An underestimate by
the auditor would leave some items out of the population subject to audit
sampling, although they may be tested in other ways.
.22 Management may implement changes to the entity’s controls to make them more
effective or efficient or to address deficiencies prior to the period end. If while
performing an integrated audit, the auditor determines that the new controls
achieve the related objectives and have been in effect for a sufficient period to
permit the auditor to assess their design and operating effectiveness, the auditor
does not need to test the design and operating effectiveness of the superseded
controls for purposes of expressing an opinion on internal control over financial
reporting. If the operating effectiveness of the superseded controls is important to
the auditor’s control risk assessment in the financial statement audit, the auditor
should test the design and operating effectiveness of those superseded controls,
as appropriate (AU-C 940.A80).
Determine the Nature, Extent, and Timing of Tests of Compliance
with FFMIA
.23 For CFO Act agencies, which are subject to FFMIA, the auditor determines
whether agency financial management systems comply substantially with the
three FFMIA requirements. The auditor should plan and perform audit work in
sufficient detail to enable the auditor to determine the degree to which agency
financial management systems comply with the FFMIA requirements and
whether that degree of compliance is substantial. See FAM 701 for further
guidance on determining substantial compliance with FFMIA.
.24 Because of the overlapping scope and nature of FFMIA assessments and
financial statement audits, the auditor may use the work performed as part of the
financial statement audit in determining substantial compliance with FFMIA.
Specifically, many control and substantive tests performed in a financial
statement audit may also provide evidence regarding compliance with FFMIA
and generally should be performed concurrently (multipurpose testing).
.25 The auditor may limit the scope of work performed to support the FFMIA
assessment with respect to those requirements for which there is sufficient
evidence that the systems do not comply substantially with FFMIA (e.g.,
continuation of previously reported lack of substantial compliance with FFMIA).
.26 When limiting the scope of work performed, the auditor may obtain sufficient
information to describe instances of lack of substantial compliance and make
recommendations of remedial actions, as required by FFMIA, by (1) gaining an
understanding of the design of the systems and controls, (2) performing control
and substantive testing as part of the financial statement audit, and (3) reading
management-developed documentation about systems’ compliance with FFMIA.
However, if the auditor is concerned that it may be difficult to convince
management of the systems’ lack of substantial compliance without specific
tests, the auditor generally should perform the testing needed for this purpose.
Internal Control Phase
360 Perform Tests of Controls and Compliance with FFMIA
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 360-1
360 – Perform Tests of Controls and Compliance with FFMIA
.01 The auditor should test the operating effectiveness of those control activities that
the auditor determined are designed and implemented effectively (FAM 360.06–
.18). As part of testing control activities, the auditor should also test
segregation-of-duties (FAM 360.09–.10) and IS controls (FAM 360.11–.18).
.02 The auditor should test the operating effectiveness of controls related to the
remaining components of internal control – control environment, entity risk
assessment, information and communication, and monitoring – to support the
auditor’s assessment of the effectiveness of internal control over financial
reporting (FAM 360.19).
.03 The auditor should evaluate the results of control tests performed through the
internal control phase (FAM 360.20–.21).
.04 Based on the results of control tests performed through the internal control phase
and the results of sampling control tests in the testing phase (see FAM 450), the
auditor should evaluate the components of internal control over financial
reporting (FAM 360.22).
.05 For CFO Act agencies, the auditor should design and conduct tests of the
financial management systems’ substantial compliance with the three FFMIA
requirements, if the auditor determines that such tests are necessary (see FAM
350.03 and 350.23–.26). After testing, the auditor may make a preliminary
conclusion as to whether the entity’s financial management systems comply
substantially with the three FFMIA requirements (see FAM 360.23).
Perform Tests of Controls
.06 When planning control tests, the auditor should select sufficient items for control
testing to support a low level of assessed control risk. For controls that do not
operate frequently, such as those that operate only once or twice a year (e.g.,
controls over the year-end closing process), the auditor may determine that it is
necessary to test all of the items in the population (i.e., all occurrences of the
control performance during the audit period). If the auditor does not plan to test
all of the items in the population, the auditor generally should use one of two
methods to select items for control testing: (1) statistical sampling (intended to be
representative of and projected to the population) or (2) nonstatistical selection
(not representative of and not projectable to the population).⁶ Control tests that
involve nonstatistical selection are discussed below and sampling control tests
are discussed in FAM 450.
Control Tests That Involve Nonstatistical Selection
.07 Performing control tests that involve nonstatistical selection may provide
sufficient evidence, along with other sources of evidence, that a control is
operating effectively during the year and may be the most efficient way to test.
For example, some controls may operate biweekly or weekly, such as controls
over payroll processing that operate 26 or 52 times a year. For these controls,
statistical sampling may not be efficient or even feasible given the small number
of items in the population from which to select the sample. For these less
frequently operating controls, the effect of other sources of evidence is often
greater than it is for controls that operate more frequently.
Table 360.1 provides guidance on the number of items to select when testing
small populations associated with less frequently operating controls. For larger
populations, such as controls that operate daily, the auditor generally should
perform statistical sampling to obtain evidence of control effectiveness (see FAM
430 and 450).

Table 360.1: Testing Small Populations

Control frequency and population size    Number of items to test
Quarterly (4)                            2
Monthly (12)                             2-4
Semimonthly (24)                         3-8
Weekly (52)                              5-9

⁶ Nonstatistical sampling is generally not used in tests of controls.
.08 In nonstatistical selection, the auditor selects items for control testing based on
the auditor’s judgment. The auditor can test the selected items using any type of
test or combination of tests (i.e., observation, inquiry, inspection, or a
combination of these, although inquiry alone is not sufficient). For example, the
auditor may determine that inquiries of entity personnel regarding the specific
procedures performed in a control and inspection of documents evidencing
performance of those procedures together provide sufficient evidence of the
control’s operating effectiveness.
Test Segregation-of-Duties Controls
.09 Segregation-of-duties controls are designed to reduce the opportunities for any
person to be in a position both to perpetrate and to conceal misstatements,
especially fraud, in the normal course of duties. Typically, an entity achieves
adequate segregation of duties by establishing controls (such as segregating
asset custody from recordkeeping functions) to prevent any person from having
uncontrolled access to both assets and related records.
.10 The auditor should test segregation-of-duties controls and may use the following
procedures as appropriate:
a. Identify the assets to be controlled through the segregation of duties.
b. Identify the individuals who have authorized access (direct or indirect) to the
assets. An individual with direct access is authorized to handle the assets
directly (such as during the processing of cash receipts). An individual with
indirect access is authorized to prepare documents that cause the release or
transfer of assets (such as preparing the necessary forms to request a cash
disbursement or transfer of inventory).
c. For each individual with authorized access to assets, determine whether
there are sufficient asset access controls. Asset access controls are those
controls that are designed to provide assurance that actions taken by
individuals with authorized access to assets are reviewed and approved by
other individuals. For example, an approval of an invoice for payment
generally provides asset access controls (relating to cash) over those
individuals authorized to prepare supporting documentation for the
transaction. If information systems provide access to assets, the auditor
should design tests of IS controls to identify (1) individuals (including
information systems personnel) who may use the computer to obtain access
and (2) asset access controls over such individuals. See FAM 360.11 through
.18 for tests of IS controls.
d. For individuals with authorized access to assets over which asset access
controls are insufficient, determine whether such individuals can affect any
recording of transactions in the accounting records. If so, segregation of
duties is insufficient, unless such access to accounting records is controlled.
For example, the person who processes cash receipts may also be able to
record entries in the accounting records. Such a person may be in a position
to manipulate the accounting records to conceal a shortage in the cash
account, unless another individual reviews all accounting entries that the
person made (or that should have been made).
In an IS accounting system, access to assets frequently provides access to
records. For example, generation of a check may automatically record a
related accounting entry. In such circumstances, a lack of asset access
controls would result in inadequate segregation of duties, and the auditor
should determine whether other controls would mitigate the effects of this
lack of asset access control.
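Steps a through d above can be run as a check over an entitlement extract. The following Python code is an added example, not part of the manual; the field names and the staff records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


# Constructed data model: every field name is an assumption made for this
# example, not terminology or a schema taken from the manual.
@dataclass
class Person:
    name: str
    asset_access: dict                 # step b: asset -> "direct" or "indirect"
    # step c: assets for which another individual reviews and approves
    # the actions this person takes (the asset access control)
    approved_by_others: set = field(default_factory=set)
    can_record_entries: bool = False   # step d: can affect accounting records
    entries_reviewed: bool = False     # step d: someone else reviews all entries
    # IS case: assets where using the access itself posts an accounting entry
    auto_recording: set = field(default_factory=set)


@dataclass
class Finding:
    person: str
    asset: str
    access: str
    reason: str


def evaluate_sod(assets, people):
    """Return one Finding per person/asset pair with insufficient segregation."""
    findings = []
    for asset in assets:                                # step a
        for person in people:
            access = person.asset_access.get(asset)     # step b
            if access is None:
                continue
            if asset in person.approved_by_others:      # step c: control exists
                continue
            # Step d applies only where asset access controls are insufficient.
            if asset in person.auto_recording:
                findings.append(Finding(
                    person.name, asset, access,
                    "asset access also records entries; look for mitigating controls"))
            elif person.can_record_entries and not person.entries_reviewed:
                findings.append(Finding(
                    person.name, asset, access,
                    "can record entries that no other individual reviews"))
    return findings


# Constructed sample records.
ASSETS = ["cash", "inventory"]
PEOPLE = [
    # Processes cash receipts and can also post entries, with no review.
    Person("cashier", {"cash": "direct"}, can_record_entries=True),
    # Prepares disbursement requests; invoice approval is the access control.
    Person("ap_clerk", {"cash": "indirect"}, approved_by_others={"cash"}),
    # Generates checks; the system posts the related entry automatically.
    Person("check_operator", {"cash": "direct"}, auto_recording={"cash"}),
    # Handles cash and posts entries, but all entries are reviewed.
    Person("cash_supervisor", {"cash": "direct"},
           can_record_entries=True, entries_reviewed=True),
    # Handles inventory but cannot affect the accounting records.
    Person("warehouse", {"inventory": "direct"}),
]

if __name__ == "__main__":
    for f in evaluate_sod(ASSETS, PEOPLE):
        print(f"{f.person}: {f.access} access to {f.asset}: {f.reason}")
```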
Test IS Controls
.11 In the planning phase, the auditor identifies and documents the control activities
included in the significant accounting applications that depend on information
system processing. Such controls are often application and user controls. The
auditor then identifies and documents the general controls implemented at the
entity-wide, system, and application levels that help ensure the effective
operation of application and user controls included in the significant accounting
applications. See FAM 240 for the specific requirements. The auditor also
obtains an understanding of the design of the general controls identified to
conclude tentatively whether IS controls are likely to be effective. See FAM 270
for the specific requirements. In the internal control phase, the auditor identifies
the specific internal control activities that are likely to achieve the identified
control objectives. See FAM 330, 340, and 350 for the specific requirements.
As discussed in FAM 330.07, the auditor may use an SCE worksheet or
equivalent to document the procedures discussed in FAM 330.03 through .06.
The SCE worksheet groups potential misstatements and control objectives by
accounting application (within each cycle), providing a format for performing and
documenting the evaluation and testing of internal controls efficiently. For each of
the specific control activities to be evaluated and tested, as documented on the
SCE worksheet or equivalent document, the auditor should distinguish which are
IS controls. IS controls included on the SCE worksheet or equivalent document
are often application and user controls. FAM 295 F provides more detail on the
three types of information system controls: general controls, application
controls, and user controls. As discussed in FAM 295 F, the effectiveness of user
controls typically depends on information system processing or the reliability of
information that information systems produce.
The auditor should also identify other IS controls (application controls and
general controls implemented at the entity-wide, system, and application levels)
upon which the effectiveness of the IS controls included on the SCE worksheet
depends. The auditor should understand the design of all controls documented
on the SCE worksheet, as well as the design of any other IS controls upon which
the effectiveness of the IS controls identified on the SCE worksheet depends. As
the auditor learns more about the design and implementation of the control
activities included in the significant accounting applications that depend on
information system processing and identifies the control activities that are most
likely to achieve the control objectives, the auditor may identify other general
controls implemented at the entity-wide, system, and application levels that help
ensure the effective operation of the IS controls on the SCE worksheet. As a
result, the general controls identified during the internal control phase may differ
from those identified during the planning phase.
The auditor should identify and test the general controls and application controls
upon which the effectiveness of each IS control identified on the SCE worksheet
depends. For example, if the IS control is the review of an exception report, the
auditor would identify and test the application controls directly related to the
production of the exception report, as well as the general and other application
controls upon which the reliability of the information in the exception report
depends. This testing would include controls over the design and proper
functioning of the business processes that generate the exception report and the
reliability of the data used to generate the exception report. In addition, the
auditor would test the effectiveness of the user control (i.e., management review
and follow-up on the items in the exception report).
As discussed in FAM 350.04, the auditor generally should test only the control
activities necessary to achieve the objective. For example, the entity may have
several controls that are equally effective in achieving an objective. In such a
case, the auditor generally should test the control activity that is efficient to test,
considering such factors as (1) the extent to which a control achieves several
control objectives and thereby reduces the number of controls that would
ordinarily need to be tested; (2) the time that will be required to test the control;
and (3) control dependencies, particularly for IS controls. A control dependency
exists when the effectiveness of an internal control depends on the effectiveness
of other internal controls. For example, when a dependency on information
system processing exists, a control activity cannot reasonably be expected to
achieve a specific control objective without effective information system
processing, either in the performance of the control activity or in the production
of information used in the performance of the control activity.
An IS controls auditor may assist the auditor in identifying and understanding the
design of application controls and general controls implemented at the entity-
wide, system, and application levels that help ensure the effective operation of
the control activities that depend on information system processing. The auditor
may also, based on risk, test different control activities from year to year in a
recurring audit, but doing so does not change the auditor’s responsibility to identify the
control activity, or combination of control activities, in the current-year audit that
is necessary to achieve the control objective.
The auditor should document conclusions on the effectiveness of IS controls
during the audit period. Because of the technical nature of many IS controls, the
auditor generally should obtain assistance from an IS controls auditor in
understanding the entity’s use of information systems and in planning, directing,
or performing audit procedures related to assessing IS controls. Additionally, an
information technology specialist may assist the auditor in understanding
technical aspects of information systems and IS controls.
.12 If the auditor identifies IS controls on the SCE, the auditor should evaluate the
effectiveness of related
• general controls at the entity-wide and system levels;
• general controls at the application level; and
• specific application controls, such as business process application controls,
  interface controls, data management system controls, and user controls,
  unless the IS controls that achieve the control objectives are general controls.
If controls are not effective, see FAM 310.08 and FAM 340.09.
.13 The auditor should determine whether entity-wide and system-level general
controls are designed, implemented, and operating effectively by
• identifying applicable general controls;
• determining how those controls function, and whether they have been
  implemented; and
• evaluating and testing the effectiveness of the identified controls.
The auditor generally should use knowledge obtained in the planning phase. The
auditor should document the understanding of general controls and should
conclude on whether such controls are designed, implemented, and operating
effectively.
Test General Controls at the Entity-Wide and System Levels
.14 The auditor may test general controls through a combination of procedures,
including observation, inquiry, or inspection (which includes a review of
documentation on systems and procedures and may include reperformance)
using appropriate test software. Although statistical sampling is generally not
used to test general controls, the auditor may use statistical sampling to test
certain controls, such as those involving approvals.
.15 If general controls are not designed, implemented, or operating effectively, the
auditor will generally be unable to obtain satisfaction that application controls are
effective.[7] In such instances, the auditor should (1) determine and document the
nature and extent of risks resulting from ineffective general controls, (2) identify
and test any manual controls that achieve the control objectives that the IS
controls in the SCE worksheet or equivalent document were unable to achieve,
and (3) see FAM 580 for classifying and reporting control deficiencies.
If manual controls do not achieve the control objectives, the auditor should
determine whether any specific IS controls are designed to achieve the
objectives. If not, the auditor should develop appropriate findings principally to
provide recommendations to improve internal control. If specific IS controls are
designed to achieve the objectives, but are in fact ineffective because of poor
general controls, testing would typically not be necessary, except to support
findings.
[7] See GAO, Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G (Washington, D.C.:
February 2009), for further information.
Test General Controls at the Application Level
.16 If the auditor reaches a favorable conclusion on general controls at the entity-
wide and system levels, the auditor should evaluate and test the effectiveness of
general controls for those software programs, or applications, within which
application controls or user controls are to be tested. Because of the technical
nature of many IS controls, the auditor generally should obtain assistance from
an IS controls auditor in assessing these controls.
.17 If general controls are not operating effectively within the application, application
controls and user controls generally will be ineffective.[8] In such instances, the
engagement team should discuss the nature and extent of risks resulting from
ineffective general controls. The auditor should determine whether to proceed
with the evaluation of application controls and user controls.
Test Application Controls and User Controls
.18 The auditor, generally with IS controls auditor assistance, should perform tests of
those application controls and user controls necessary to achieve the control
objectives where the entity-wide, system, and application-level general controls
were determined to be effective.
Perform Tests of the Components of Internal Control
.19 The auditor should test the operating effectiveness of controls related to the five
components of internal control to support the auditor’s assessment of the
effectiveness of internal control over financial reporting. This includes identifying
and testing those entity-level controls that are important to the auditor’s
conclusion about whether the entity has effective internal control over financial
reporting (AU-C 940.22). Per AU-C 940.A34, the auditor’s evaluation of entity-
level controls can result in increasing or decreasing the testing that the auditor
otherwise would have performed on other controls.
In the planning phase, the auditor assessed the design and implementation of
the control environment, entity risk assessment, monitoring, and communication
(part of the information and communication component) components of internal
control (FAM 260). In the internal control phase, the auditor should test the
operating effectiveness of these components, including entity-level controls,
generally by a combination of observation, inquiry, and inspection (see FAM
350.09 through 350.16). The auditor’s assessment of the design and implementation of
control activities and information systems (part of the information and
communication component) components is discussed in FAM 350.07 and 320,
respectively. The auditor’s tests of operating effectiveness of control activities
and information systems are discussed in FAM 360.06 through 360.18.
[8] Refer to FISCAM for further information.
Evaluate the Results of Control Tests
.20 The auditor should investigate and understand the reasons for any deviations
from controls noted during control tests completed through the internal control
phase. The auditor may find, for example, that significant subpopulations were
not subject to controls or that controls were not applied during a specific period
during the year. In such instances, the auditor may determine whether controls
are effective for at least some parts of the population. For example, an otherwise
effective control may not have been applied effectively in 1 month because of
personnel turnover. For all but that month, the auditor may assess controls as
effective and reduce related substantive testing. For the 1 month that controls
were not effective, the auditor may increase substantive testing, if these tests are
sufficient to reduce detection risk. The auditor also should determine whether
other controls achieve the related control objective(s). Additionally, the auditor
should gather sufficient evidence to report the control deficiency, as discussed in
FAM 580.
.21 The auditor should consider whether controls tested in the internal control phase
and planned control tests in the testing phase (FAM 450) are likely to provide
sufficient evidence about whether controls are effectively designed, implemented,
and operating. For example, performing control tests that involve nonstatistical
selection may provide sufficient evidence that a control is operating effectively for
the items tested. However, since the auditor cannot project the results of
nonstatistical selection to the population, the auditor should evaluate the results
of the nonstatistical selection in conjunction with other sources of evidence to
form an overall conclusion on the effectiveness of the controls tested. Other
sources of evidence may include
• an understanding of the entity and its environment (FAM 220),
• inherent risk assessments (FAM 260),
• walk-throughs performed to confirm an understanding of information systems
  (FAM 320.02) and the design and implementation of control activities (FAM
  350.07),
• competence of entity personnel,
• the auditor’s past experience,
• knowledge about other balances, and
• information obtained during interim substantive testing (FAM 420 and FAM
  470).
If, after evaluating the results of control tests and other sources of evidence, the
auditor concludes that sufficient evidence has not been obtained regarding the
effectiveness of the controls tested, the auditor should perform additional control
testing, for example, by selecting additional items to test or by performing
sampling control tests (see FAM 430 and 450).
Evaluate the Effectiveness of the Entity’s Internal Control over
Financial Reporting
.22 Based on the results of control tests performed through the internal control phase
and sampling control tests performed in the testing phase (see FAM 450), the
auditor should evaluate the effectiveness of the entity’s internal control over
financial reporting and determine whether (1) each of the five components of
internal control is designed, implemented, and operating effectively and (2) the
five components are operating together in an integrated manner to achieve the
entity’s financial reporting objectives (AU-C 940.23). The auditor assesses the
five components and 17 related principles in the Standards for Internal Control in
the Federal Government (known as the Green Book). In general, all components
and principles are relevant for establishing an effective internal control system.
See FAM 260 for discussion of the five components and 17 related principles of
internal control. In rare circumstances, there may be an operating or regulatory
situation in which management has determined that a principle is not relevant for
the entity to achieve its objectives and address related risks. If management
determines that a principle is not relevant, management should support that
determination with documentation that includes the rationale of how, in the
absence of that principle, the associated component could be designed,
implemented, and operating effectively.
Perform Tests of Compliance with FFMIA
.23 The auditor may make preliminary conclusions as to whether the entity’s financial
management systems comply substantially with federal financial management
systems requirements, federal accounting standards (U.S. GAAP), and the
USSGL at the transaction level. However, the auditor should not form a final
conclusion as to compliance, especially with accounting standards, until the
auditor completes substantive procedures (see FAM 470).
370 Assess Internal Control on a Preliminary Basis
.01 Based on the evaluation of the design and implementation of internal control, and
the results of control tests completed through the internal control phase, the
auditor should preliminarily assess the effectiveness of internal control during the
period (for a report on internal control and for determining the risk of material
misstatement used to determine the nature, extent, and timing of further audit
procedures) and as of the end of the period (if the auditor is expressing an
opinion on internal control as of that point in time). Assessing the effectiveness of
IS controls is discussed in FAM 370.03 through .05. Assessing the effectiveness
of each type of control (financial reporting, including safeguarding assets and
segregation of duties; budget; compliance; and operations) is discussed in FAM
370.06 through .13.
.02 To assess the effectiveness of internal control, the auditor determines whether
internal control provides reasonable assurance that control objectives are
achieved. Internal control only provides reasonable assurance that
misstatements, losses, or noncompliance, material in relation to the financial
statements, would be prevented, or detected and corrected, during the period
under audit. For each control objective that is not achieved, the auditor should
obtain sufficient (1) information to determine whether the deficiency is a material
weakness, significant deficiency, or other control deficiency and to report any
deficiencies in the auditor’s report or separate report to management (see
FAM 580) and (2) evidence to support the preliminary assessment of the
effectiveness of internal control and the risk of material misstatement.
Information System Results
.03 Because of the technical nature of many IS controls, the auditor generally should
obtain assistance from an IS controls auditor in assessing these controls. Based
on the procedures performed, the auditor and IS controls auditor should discuss
conclusions on the effectiveness of IS controls and reach agreement. The auditor
should (1) incorporate the conclusions into the audit documentation for each IS
control tested and (2) perform tests on the manual aspects of application controls
(e.g., manual follow-up on items in an exception report).
.04 If the auditor determines that IS controls are effective, the auditor may also ask
the IS controls auditor to identify any IS controls within the software programs, or
applications, tested that the auditor did not previously identify using the above
procedures. For example, such IS controls might achieve control objectives not
otherwise achieved through manual controls or might be more efficient or
effective to test than manual controls.
The IS controls auditor may assist the auditor in determining the efficiency and
effectiveness of searching for and testing additional IS controls. The auditor
should document these decisions, including a description of the expected nature,
extent, and timing of the IS controls auditor’s work.
.05 The auditor and IS controls auditor should work together to document the
procedures for evaluating and testing the effectiveness of IS controls and the
results of this work.
Financial Reporting Controls
.06 Based on audit procedures performed but before sampling control tests,[9] if any,
the auditor generally should form a preliminary conclusion about (1) the
effectiveness of financial reporting controls as of the end of the period (when the
auditor is providing an opinion on internal control) and (2) the assessed level of
control risk and the risk of material misstatement during the period for each
significant assertion in each significant line item or account. The risk of material
misstatement is the risk that prior to the application of substantive audit
procedures, a material misstatement exists in a financial statement assertion.
The risk of material misstatement consists of the risks that (1) a financial
statement assertion is susceptible to material misstatement (inherent risk) and
(2) such material misstatement, either individually or when aggregated with other
misstatements, is not prevented, or detected and corrected, on a timely basis by
the entity’s internal control (control risk). The auditor uses professional judgment
in assessing inherent risk, control risk, and the risk of material misstatement.
.07 Preliminary assessment of control risk. For each significant assertion in
each significant line item or account, the auditor should assess control risk at one
of three levels:
• Low: The auditor believes that controls will prevent, or detect and correct, on
  a timely basis any aggregate misstatements in excess of performance
  materiality that could occur in the assertion.
• Moderate: The auditor believes that controls will more likely than not
  prevent, or detect and correct, on a timely basis any aggregate
  misstatements in excess of performance materiality that could occur in the
  assertion.
• High: The auditor believes that controls will more unlikely than likely
  prevent, or detect and correct, on a timely basis any aggregate
  misstatements in excess of performance materiality that could occur in the
  assertion.
.08 In assessing control risk in a line item/account assertion, the auditor generally
should consider the aggregate magnitude of misstatements that might not be
prevented, or detected and corrected, in significant accounting applications that
affect the line item or account. For example, the cash receipts, cash
disbursements, and payroll accounting applications typically affect the cash
account. Accordingly, the auditor should evaluate the risk that aggregate
misstatements could arise from a combination of those accounting applications
and not be prevented, or detected and corrected, by controls.
[9] The auditor may assess the risk of material misstatement on a preliminary basis at an earlier point in the audit, if
preferred. This may be particularly appropriate for a recurring audit where the auditor has an understanding of the
design of the control environment, entity risk assessment, information and communication, and monitoring
components of internal control.
.09 Preliminary assessment of the risk of material misstatement. In assessing
the risk of material misstatement, the auditor should evaluate the likelihood that a
material misstatement would occur (inherent risk) and not be prevented or
detected on a timely basis by the entity’s internal control (control risk). The
auditor should base this preliminary assessment of the risk of material
misstatement on the auditor’s assessment of inherent risk and control risk. For
each significant assertion in each significant account, the auditor should
assess the risk of material misstatement at one of three levels:
• Low: Based on the evaluation of inherent risk and control risk, but prior to the
  application of substantive audit procedures, the auditor believes that any
  aggregate misstatements in the assertion do not exceed performance
  materiality.
• Moderate: Based on the evaluation of inherent risk and control risk, but prior
  to the application of substantive audit procedures, the auditor believes that it
  is more likely than not that any aggregate misstatements in the assertion do
  not exceed performance materiality.
• High: Based on the evaluation of inherent risk and control risk, but prior to
  the application of substantive audit procedures, the auditor believes that it is
  more unlikely than likely that any aggregate misstatements in the assertion
  do not exceed performance materiality. As a result, the auditor should obtain
  most, if not all, audit evidence from substantive procedures.
.10 The minimum substantive assurance from substantive procedures varies directly
with the risk of material misstatement. In other words, as the risk of material
misstatement increases, so does the minimum substantive assurance level.
FAM 470 discusses the assurance level in more detail. The auditor should
document the preliminary assessment of control risk and the risk of material
misstatement in the LIRA form or equivalent.
Budget Controls
.11 When forming conclusions on the effectiveness of internal control related to
budget execution, the auditor should evaluate the impact of any uncorrected
misstatements noted in the proprietary accounts and should determine any
impact on the budgetary amounts. If the budgetary amounts are also misstated,
the auditor should determine whether these misstatements indicate deficiencies
in internal control related to budget execution. If audit evidence indicates that
internal control might not provide reasonable assurance that the entity executed
transactions in accordance with budget authority, the auditor should discuss the
legal implications with the Office of the General Counsel (OGC) and document
the conclusions.
Compliance Controls
.12 Based on the results of compliance control tests and other audit procedures, the
auditor should
• conclude whether the entity’s internal control provides reasonable assurance
  that the entity complied with the significant provisions of applicable laws,
  regulations, contracts, and grant agreements, noncompliance with which
  could have a material effect on the financial statements, and
• report deficiencies in compliance controls that come to the auditor’s attention
  (see FAM 580).
If compliance controls are effective in preventing, or detecting and correcting,
noncompliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements during the period, the extent of compliance
testing can be less than if such controls were not effective, as discussed in FAM
460.
Operations Controls
.13 If the results of control tests indicate that operations controls were not effective
during the period, the auditor should not place reliance on those controls when
designing other audit procedures. See FAM 580 regarding reporting deficiencies.
Reevaluation of Control Risk and the Risk of Material Misstatement
.14 After completing the testing phase, discussed in FAM 400, the auditor should
reevaluate the preliminary assessment of control risk and the risk of material
misstatement for financial reporting controls and control effectiveness for budget,
compliance, and operations controls. If the test results are contrary to the
preliminary assessment (e.g., control risk assessed at low, but the controls being
tested were not operating effectively), the auditor should reevaluate the
adequacy of the audit procedures performed and perform additional procedures
as necessary.
380 Other Considerations
Partial-Year Controls
.01 The auditor should test controls for the particular time or throughout the period
for which the auditor intends to rely on those controls (AU-C 330.11). In certain
situations, such as when new controls are implemented during the year, the
auditor may elect to test controls only for the period during which the new
controls were operating. In such situations, the extent of control testing should
remain similar but be concentrated over the period that the new controls were in
place.
For any portion of the audit period for which financial reporting, budget, and
compliance controls were not tested, the auditor should design compliance and
substantive procedures as if these controls were ineffective. However, the auditor
should evaluate whether substantive procedures alone can mitigate the risk of
material misstatement or provide sufficient appropriate audit evidence for this
period, as discussed in AU-C 330.08.
Planned Changes in Controls
.02 The auditor may become aware of an entity’s plans to implement new accounting
or control systems after the audit period ends. Even though new systems or
controls are planned, the auditor should evaluate IS controls over the systems in
operation to conclude on whether they are designed, implemented, and operating
effectively through the end of the audit period to
• assess the risk of material misstatement;
• determine the nature, extent, and timing of further audit procedures;
• provide support for the report or opinion on internal controls; and
• recommend any improvements to the current system that should be
  considered in designing the new systems or controls.
During the current audit, the auditor may review controls designed into the new
system and generally should bring any identified deficiencies to the attention of
entity management.
390 Documentation
.01 In addition to preparing an audit plan with control testing audit procedures and
other documentation relevant to the internal control phase, the auditor should
prepare the documents described in FAM 390 or their equivalent.
.02 The auditor may prepare written guidance for the rest of the engagement team,
either within or accompanying the audit procedures, to explain possible
exceptions, their nature, and why they might be important. This also may help the
auditor focus on key matters, more readily determine which exceptions are
important, and identify significant exceptions.
.03 The auditor also should document the results of the audit procedures performed
and the audit evidence obtained.
.04 As the audit work is performed, the auditor may become aware of possible
significant deficiencies or other matters that should be communicated to the
entity, including those charged with governance. The auditor should document
and communicate these as described in FAM 290.12, 580, and 590.
Cycle Memorandums and Flowcharts
.05 The auditor should document the understanding gained of each of the five
components of internal control (control environment, entity risk assessment,
information and communication, control activities, and monitoring), including
information system processing. The auditor should prepare sufficient
documentation to clearly describe the accounting system. The auditor should
include in this documentation evidence about implementation of the controls. For
each significant cycle, the auditor should prepare a cycle memorandum or
equivalent. Also, the auditor may prepare a flowchart of the cycle and component
accounting application(s).
Flowcharts provide a good mechanism for documenting the process and the flow
of transactions through the system. However, the auditor generally should avoid
extreme detail, which makes the charts confusing and hard to follow. Complex
systems, particularly those involving information technology, may be difficult to
understand without a flowchart. To the extent required as described above, the
auditor should use the following documents or equivalents to document relevant
accounting systems information for financial reporting controls:
A cycle memorandum
- identifies the cycle transactions, each significant accounting application, and
  each significant financial management system included in the cycle;
- documents the auditor’s understanding of the information system processing
  included in the significant accounting applications, including the
  organizational units and financial management systems involved;
- describes relationships with other cycles;
- identifies financial statement line items, relevant assertions, and general
  ledger accounts included in the cycle;
- describes the operating policies and procedures relating to the processing of
  cycle transactions (see FAM 320.03 and .05); and
- identifies major internal controls (overview only).[10]
For CFO Act agencies, the auditor may include in the cycle memorandum
information on FFMIA requirements considered to this point, such as systems
requirements and the USSGL.
Flowcharts complement the related cycle memorandum and summarize the
significant transaction flows in terms of
- input and report documents,
- processing steps,
- files used,
- organizational units involved,
- information systems, and
- interfaces with other cycles and accounting applications.
Although the auditor may have gathered information on control activities when
preparing flowcharts, the auditor should document these control activities in the
SCE worksheet or equivalent. Major controls may be included in the flowchart.
.06 The auditor should document the understanding of relevant compliance and
operations control systems in a memorandum and may prepare a flowchart
addressing each point discussed in FAM 320.06 through .07.
SCE Worksheet
.07 The auditor should document the evaluation of specific control activities in the
SCE worksheet or equivalent. The auditor should document control tests in the
control test audit plan and in accompanying documents. The auditor should also
document any IS control tests, as discussed in FAM 370.05. FAM 395 G
presents an example of a completed SCE worksheet.
Updating the LIRA Form
.08 The auditor should update the LIRA form or equivalent by completing the internal
control phase columns, as illustrated in FAM 395 H. The LIRA form should also
include the results of risk assessment procedures and evaluation of the design
and implementation of controls for risks for which the auditor has judged that it is
not possible or practicable to obtain sufficient appropriate audit evidence only
from substantive procedures, as discussed in FAM 260.45 and AU-C 315.31 and
AU-C 315.A156 through .A159.
[10] Specific relevant control activities for significant assertions are documented later in the SCE worksheet or
equivalent, after related control objectives have been identified (see FAM 330 and 340).
395 A Typical Relationships of Accounting Applications to Line Items/Accounts
This section illustrates the typical relationships between accounting applications and line items or accounts. For example, sources of
significant accounting entries to cash typically include the cash receipts, cash disbursements, payroll, and cash accounting applications.
For each significant line item or account, the auditor should develop an understanding of how potential misstatements in significant
accounting applications could affect the significant assertions of the related line item or account. In turn, the auditor should identify the
control objectives and relevant control techniques to achieve those objectives. The relationship between accounting applications and line
item assertions is discussed in FAM 330.04 through .07.
Line Items / Accounts: Cash or FBWT | Accounts Receivable | Inventory | Property | Liabilities | Revenue | Expenses | Obligations
Transaction-related accounting applications
Billing X X
Cash Receipts X X X
Purchasing X X X X X
Cash Disbursements X X X X X X
Payroll X X X X
Line item/account-related accounting applications
Cash X
Accounts Receivable X
Inventory X
Property X
Liabilities X
Obligations X
395 B Financial Statement Assertions, Potential Misstatements, and Control Objectives
This section lists potential misstatements that could occur in each financial statement assertion
within an accounting application, together with related control objectives. The auditor may tailor
this information to the accounting application and to the entity and may add other control
objectives or subobjectives. The assertion, potential misstatement, and control objective
illustrated in this section may be used in preparing the first, fourth, and fifth columns of the SCE
worksheet, which is illustrated in FAM 395 G. However, this section is provided as a reference
and does not require completion as a form.
| Assertion | Potential misstatement | Control objective |
|---|---|---|
| Existence or occurrence | Transaction related | |
| | Occurrence/validity: 1. Recorded transactions and events did not actually occur or do not pertain to the entity. | 1a. Recorded transactions, events, and related processing procedures are authorized by federal laws, regulations, contracts, grant agreements, and management policy. |
| | | 1b. Appropriate individuals approve recorded transactions and events in accordance with management’s general or specific criteria. |
| | | 1c. Recorded transactions and events actually occurred and pertain to the entity. |
| | | 1d. Transactions and events are recorded in the proper accounts. |
| | Cutoff: 2. Transactions and events are recorded in the current period but occurred in a different period. | 2. Transactions and events recorded in the current period actually occurred in the current period. |
| | Summarization: 3. Transactions are summarized improperly, resulting in an overstated total. | 3. The summarization of recorded transactions is not overstated. |
| | Line item/account related | |
| | Existence: 4. Recorded assets, liabilities, net position, and budgetary balances do not exist at a given date. Projected revenues or expenditures in the sustainability financial statements are not valid. | 4a. Recorded assets, liabilities, net position, and budgetary balances exist at a given date. |
| | | 4b. Assets, liabilities, net position, and budgetary balances are recorded in the proper accounts. |
| | | 4c. Recorded assets, liabilities, net position, and budgetary balances of the entity, at a given date, are supported by appropriate detailed records that are accurately summarized and reconciled to the account balance. |
| | | 4d. Projected revenues and expenditures in the sustainability financial statements are valid. |
| | | 4e. Access to assets, critical forms, records, and processing and storage areas is permitted only in accordance with laws, regulations, and management policy. |
| Completeness | Transaction related | |
| | Transaction completeness: 5. Valid transactions and events are not recorded or are recorded in the incorrect accounts. | 5. All valid transactions and events are recorded in the proper accounts. |
| | Cutoff: 6. Transactions and events occurred in the current period but are recorded in a different period. | 6. All transactions and events that occurred in the current period are recorded in the current period. |
| | Summarization: 7. Transactions are summarized improperly, resulting in an understated total. | 7. The summarization of recorded transactions is not understated. |
| | Line item/account related | |
| | Account completeness: 8. Assets, liabilities, net position, and budgetary balances of the entity exist but are not recorded in the proper period or accounts, or are omitted from the financial statements. Projections in the sustainability financial statements do not include all estimated future revenues and expenditures at present value that should have been included. | 8a. All assets, liabilities, net position, and budgetary balances that should have been recorded have been recorded in the proper period and accounts, and are properly included in the financial statements. |
| | | 8b. Projections in the sustainability financial statements include all estimated future revenues and expenditures at present value that should have been included. |
| Accuracy, valuation, and allocation | Transaction related | |
| | Accuracy: 9. Amounts and other data[11] relating to recorded transactions or events have not been appropriately recorded. | 9. Amounts and other data relating to recorded transactions and events have been appropriately recorded. |
| | Line item/account related | |
| | Accuracy, Valuation, and Allocation: 10. Assets, liabilities, net position, budgetary balances, or projections in the sustainability financial statements have been included in the financial statements at inappropriate amounts. Resulting valuation or allocation adjustments have not been appropriately recorded. | 10. Assets, liabilities, net position, budgetary balances, and projections in the sustainability financial statements have been included in the financial statements at appropriate amounts, and any resulting valuation or allocation adjustments have been appropriately recorded. |
| | Measurement: 11. Revenues and expenses included in the financial statements are measured improperly. | 11. Revenues and expenses included in the financial statements are measured properly. |
| Rights and obligations | Line item/account related | |
| | Ownership: 12. Recorded assets are owned by others because of sale, consignment, or other contractual arrangements. | 12. The entity owns (i.e., has valid title to) recorded assets. |
| | Rights: 13. The entity does not hold or control the rights to recorded assets or budgetary resources because of liens, pledges, or other restrictions. | 13. The entity holds or controls the rights to recorded assets and budgetary resources at a given date. |
| | Obligations: 14. The entity does not have an obligation for recorded liabilities at a given date. Budgetary obligations do not pertain to the entity. | 14a. Liabilities are the entity’s obligations at a given date. |
| | | 14b. Budgetary obligations pertain to the entity. |
| Presentation and disclosure | Line item/account related | |
| | Presentation: 15. Financial or other information in the financial statements is not appropriately aggregated or disaggregated or is not clearly described. | 15. Financial and other information in the financial statements is appropriately aggregated or disaggregated and is clearly described. |
| | Consistency: 16. The current period financial statement components are based on accounting principles different from those used in the prior periods presented. | 16. The financial statement components are based on accounting principles that are applied consistently from period to period. |
| | Disclosure: 17. Note disclosures are not appropriately measured or described or are not relevant and understandable in the context of the requirements of U.S. GAAP. Not all note disclosures that should have been included in the financial statements have been included. Disclosed transactions and events did not actually occur or pertain to the entity. | 17. Note disclosures are appropriately measured and described and are relevant and understandable in the context of the requirements of U.S. GAAP. All note disclosures that should have been included in the financial statements have been included. Disclosed transactions and events have occurred and pertain to the entity. |
| | Transaction related | |
| | Segregation of duties:[12] 18. The entity is exposed to loss of assets and various potential misstatements, including certain of those above, as the result of inadequate segregation of duties. | 18. Persons do not have uncontrolled access to both assets and records; they are not assigned duties to put them in a position that would allow them to both commit and conceal errors or fraud. |

[11] Other data includes information that is recorded along with the transaction amount and is necessary for the proper
recording of the transaction, such as transaction description, transaction date, trading partner, cost center, fund code,
and other accounting codes that the entity uses.
[12] Segregation-of-duties controls are a type of safeguarding control and are designed to reduce the opportunities for
any person to be in a position to both perpetrate and conceal misstatements, especially fraud, in the normal course of
duties. Typically, an entity achieves adequate segregation of duties by establishing controls (such as segregating
asset custody from recordkeeping functions) to prevent any person from having uncontrolled access to both assets
and related records. The lack of segregation-of-duties controls may be pervasive and affect several assertions. The
auditor should test segregation-of-duties controls as discussed in FAM 360.09 through .10.
395 C Typical Control Activities
Authorization
.01 Authorization controls are designed to provide reasonable assurance that
(1) transactions, (2) events from which they arise, and (3) procedures under
which they are processed are authorized in accordance with laws, regulations,
contracts, grant agreements, and management policy. Typical authorization
controls include
- documented policies establishing events or transactions that the entity is
  authorized to engage in by law, regulation, contract, grant agreement, or
  management policy;
- documented policies and procedures for processing transactions in
  accordance with laws, regulations, contracts, grant agreements, or
  management policy; and
- master files that include only authorized employees, customers, or suppliers.
Approval
.02 Approval controls are designed to provide reasonable assurance that appropriate
individuals approve recorded transactions and events in accordance with
management’s general or specific criteria. Typical approval controls occur when
the following occurs:
- Transactions and events are approved by persons having the authority to do
  so (such as the specific approval of purchases by the procurement officer or
  other designated individual with procurement authority) in accordance with
  established policies and procedures.
- Transactions are compared with predetermined expectations (invoice terms
  are compared with agreed-upon prices, input is checked for valid data type
  for a particular field, etc.), and exceptions are reviewed by someone
  authorized to approve them.
- Transactions are compared with approved master files (such as approved
  customer credit limits or approved vendors) before approval or acceptance,
  and exceptions are reviewed by someone authorized to approve them or
  correct the situation.
- Key records are matched before a transaction or event is approved (such as
  the matching of purchase order, receiving report, and vendor invoice records
  before an invoice is approved for payment).
- Before acceptance, changes to data in existing files are independently
  approved, evidenced by either documentary or online approval of input before
  processing.
Segregation of Duties
.03 Segregation-of-duties controls are designed to reduce the opportunities for
someone to both cause and conceal errors or fraud. Typically, an entity achieves
adequate segregation of duties by establishing controls (such as segregating
asset custody from recordkeeping functions) to prevent any person from having
uncontrolled access to both assets and records. See FAM 330.08 and 360.09
through .10 for additional discussions of segregation-of-duties controls.
Design and Use of Documents and Records
.04 Controls over the design and use of records help provide reasonable assurance
that transactions and events are recorded. Such controls typically include the
following:
- Prenumbered forms are used to record all of an entity’s transactions, and
  accountability is maintained for the sequence of all numbers used. (For
  example, prenumbered billing documents, vouchers, purchase orders, etc.,
  are accounted for in numerical sequence when they are used, and any
  numbers missing from the sequence are investigated.)
- Receiving reports, inspection documents, purchase orders, and other
  information are matched with billing notices, such as vendor invoices, or other
  documents used to record delivered orders and related liabilities to provide
  assurance that all and only valid transactions are recorded.
- Transaction documents (such as vendor invoices or shipping documents) are
  stamped with the date and tracked (through periodic supervisory reviews) to
  provide assurance that transactions are recorded.
- Source documents are canceled after processing (for example, invoices are
  stamped, perforated, or written on after they are paid) to provide assurance
  that the same documents will not be reused and will not result in the entity
  recording transactions more than once. Also, only original documents are
  used to process transactions.
Safeguards over Access to and Use of Assets and Records
.05 Access controls are designed to protect assets and records against physical
harm, theft, loss, misuse, or unauthorized alteration. These controls restrict
unauthorized access to assets and records. The auditor should determine
whether to evaluate segregation of duties of persons who have authorized
access to assets and records based on FAM 330.08. Typical access controls
include the following:
- Cash receipt totals are recorded before cash is deposited.
- Secured facilities (locked rooms, fenced areas, vaults, etc.) are used. Access
  to critical forms and equipment (such as check-signing machines and
  signature stamps) is limited to authorized personnel.
- Access to information system programs and data files is restricted to
  authorized personnel. (For example, manual records, computer terminals,
  and backup files are kept in secured areas to which only authorized persons
  can gain access. Access is restricted by logical access controls.)
- Assets and records are protected against physical harm. (For example,
  intruder alarms, security guards, fire walls, a sprinkler system, etc., are used
  to prevent intentional or accidental destruction of assets and records.)
- Incoming and outgoing assets are counted, inspected, and received or
  disposed/transferred/sold only on the basis of proper authorization (such as a
  purchase order, contract, or shipping order) in accordance with established
  procedures.
- Procedures provide reasonable assurance that current files can be recovered
  in the event of a computer failure. (For example, the entity has implemented a
  backup and recovery plan, such as using on-premises or off-premises file
  backup, off-site storage of duplicate programs and operating procedures, and
  standby arrangements to use a second processing facility if the entire data
  center is destroyed.)
- Access to critical forms and records is restricted. (For example, secured
  conditions are established and maintained for manual records and media
  used to access assets, such as blank checks or forms for the release of
  inventory.)
Independent Checks
.06 Controls are designed to provide independent checks of the validity, accuracy,
and completeness of processed data. Procedures that are typical of this category
of controls include the following:
- Calculations, extensions, additions, and accounting classifications are
  independently reviewed. (For example, arithmetic on vouchers is
  independently recomputed, either manually or by computerized systems,
  and transactions and accounting classifications are subsequently reviewed.)
- Assets on hand are periodically inspected and counted, and the results are
  compared with asset records. (For example, inventories are inspected and
  physically counted at the end of each year and compared with inventory
  records.)
- Subsidiary ledgers and records are reconciled to general ledgers.
- The entity promptly follows up on complaints from vendors, customers,
  employees, and others.
- Management reviews performance reports. (For example, the warehouse
  manager reviews performance reports on the accuracy and timeliness of
  fulfilling shipping orders and recording them in the sales processing system.)
- Data from different sources are compared for accuracy and completeness.
  (For example, the cash journal entry is compared with the authenticated bank
  deposit slip and with the detailed listing of cash receipts prepared
  independently when mail was opened, and units billed are compared with
  units shipped.)
- Actual operating results (such as personnel cost or capital expenditures for a
  particular organizational component or an entity as a whole) are compared
  with approved budgets, and variances are explained.
Valuation Controls of Recorded Amounts
.07 Controls in this category are designed to provide reasonable assurance that
assets, liabilities, net position, budgetary resources, and projections in the
sustainability financial statements are included in the financial statements at
appropriate amounts. Typical valuation controls are as follows:
- The condition and marketability of assets is periodically evaluated. (For
  example, inventory is periodically reviewed for physical damage,
  deterioration, or obsolescence, or receivables are evaluated for collectability.)
- Recorded data are compared with information from an independent third
  party. (For example, recorded cash is reconciled to bank statements, and
  suppliers’ accounts are reconciled to monthly statements from suppliers.)
- Assessed values (such as independent appraisals of assets) are compared
  with the accounting records.
- Budgetary balances are reconciled to audited proprietary balances. (For
  example, the receipt of goods or services, recorded as expenses in
  proprietary accounts, decreases undelivered orders balances in budgetary
  accounts.)
- Methodologies, assumptions, and data used in deriving the sustainability
  financial statements are reviewed for reasonableness.
Summarization of Accounting Data
.08 Controls in this category are designed to provide reasonable assurance that
transactions are accurately summarized and that any adjustments are valid.
Typical controls in this category include the following:
- The sources of summarized data (such as ledgers, journals, and other
  records) are compared with the underlying subsidiary records, documents, or
  both before the data are accepted for inclusion in summarized records and
  reports. (For example, when Fund Balance with Treasury (FBWT) in the
  general ledger is reconciled to the balance from Treasury, any necessary
  journal entries are compared to source documents, and the summaries of
  journal entries are compared to the individual journal entries before the
  summarized entries are posted to the general ledger.)
- Procedures are followed to check the completeness and accuracy of data
  summarization, and exceptions are reviewed and resolved by authorized
  persons. (For example, batch totals are compared with appropriate journals,
  hash totals are compared at the beginning and end of processing, and totals
  passed from one system or software program/application to another are
  compared.)
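The comparison of batch totals, hash totals, and totals passed from one system to another can be illustrated as follows. This is an added example, not part of the FAM; the record layout, field names, account numbers, and sample batch are constructed for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # number of records in the batch
    batch_total: Decimal   # sum of a monetary field (amount)
    hash_total: int        # sum of a non-monetary field (account number);
                           # meaningless as a figure, useful only for comparison


def control_totals(records):
    """Compute the three control totals for a batch of transaction records."""
    count, batch, hashed = 0, Decimal("0"), 0
    for rec in records:
        try:
            amount = Decimal(rec["amount"])
            account = int(rec["account"])
        except (InvalidOperation, ValueError, KeyError) as exc:
            # A record that cannot be totaled is itself an exception to resolve.
            raise ValueError(f"unusable record {rec.get('doc_no', '?')}") from exc
        count += 1
        batch += amount
        hashed += account
    return ControlTotals(count, batch, hashed)


def reconcile(sent_records, received_records):
    """Compare totals computed by the sending system with totals recomputed by
    the receiving system. Returns a list of (field, sent, received) exceptions
    for review by an authorized person; an empty list means the totals agree."""
    sent = control_totals(sent_records)
    received = control_totals(received_records)
    exceptions = []
    for field in ("record_count", "batch_total", "hash_total"):
        a, b = getattr(sent, field), getattr(received, field)
        if a != b:
            exceptions.append((field, a, b))
    return exceptions


# Constructed sample batch as written by the sending application.
SENT = [
    {"doc_no": "JV-0001", "account": "101000", "amount": "1250.00"},
    {"doc_no": "JV-0002", "account": "211000", "amount": "310.75"},
    {"doc_no": "JV-0003", "account": "610000", "amount": "89.25"},
    {"doc_no": "JV-0004", "account": "101000", "amount": "4000.00"},
]

# Constructed versions of the batch as loaded by the receiving application.
DROPPED = [r for r in SENT if r["doc_no"] != "JV-0003"]       # record lost in transfer
MISCODED = [dict(r, account="221000") if r["doc_no"] == "JV-0002" else r
            for r in SENT]                                     # account changed, amount intact
SWAPPED = [dict(SENT[0], amount=SENT[3]["amount"]), SENT[1], SENT[2],
           dict(SENT[3], amount=SENT[0]["amount"])]            # amounts exchanged between records


if __name__ == "__main__":
    for name, batch in [("intact", SENT), ("dropped", DROPPED),
                        ("miscoded", MISCODED), ("swapped", SWAPPED)]:
        print(name, reconcile(SENT, batch))
```

The miscoded batch is caught only by the hash total, and the swapped batch passes all three totals, which is why control totals are used together with record-level comparison to source documents rather than in place of it.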
Rights and Obligations Controls
.09 Controls in this category are designed to provide reasonable assurance that (1)
the entity owns recorded assets, with the ownership supported by appropriate
documentation; (2) the entity holds or controls the rights to its assets and
budgetary resources at a given date; (3) recorded liabilities reflect the entity’s
obligations at a given date; and (4) budgetary obligations pertain to the entity at a
given date. Procedures that are typical of this category of controls include the
following:
- Policies and procedures are documented (such as policy, procedures, and
  training manuals, together with organization charts) for initiating transactions
  and for identifying and monitoring those transactions and accounts warranting
  attention with respect to ownership.
- Policies and procedures are documented for initiating and monitoring
  transactions and accounts related to obligations.
- Significant transactions require the approval of senior management.
- Reported results and balances are compared with plans and authorizations.
Presentation and Disclosure Controls
.10 Controls in this category are designed to provide reasonable assurance that (1)
financial and other information in the financial statements is appropriately
aggregated or disaggregated and is clearly described, (2) financial statement
components are based on accounting principles that are applied consistently
from period to period, (3) note disclosures are appropriately measured and
described and are relevant and understandable in the context of the
requirements of U.S. GAAP, (4) all note disclosures that should have been
included in the financial statements have been included, and (5) disclosed
transactions and events have occurred and pertain to the entity. Procedures that
are typical of this category of controls include the following:
- Policies and procedures are documented for the accumulating and disclosing
  of financial information in the financial statements by appropriate personnel.
  Responsibility is assigned to specific individuals.
- Policies and procedures are documented for the preparation of financial
  statements by authorized personnel having sufficient experience and
  expertise to comply with U.S. GAAP.
- Policies and procedures are documented (such as policy and procedures
  manuals, together with organization charts) for properly classifying and
  clearly describing financial information in the financial statements.
- Reports are periodically compared with underlying documents and evaluated
  by supervisory personnel. Procedures are implemented to detect and correct
  misstatements and to evaluate recorded balances.
- A written chart of accounts containing a description of each account is used,
  such as the USSGL. Journal entries are prepared, reviewed, compared with
  supporting details where necessary, and approved each accounting period,
  including year-end closing.
- Appropriate processing procedures are used, including control totals, batch
  totals, edit checks, or other computerized controls. Written cutoff and closing
  schedules are also used.
- The same chart of accounts is used for both budgeting and reporting, and
  variances between actual and planned results are analyzed.
395 D Selected Statutes Relevant to Budget Execution
.01 Antideficiency Act: This statute places limitations on the obligation and
expenditure of government funds. Expenditures and obligations may not exceed
the amounts available in the related appropriation or fund accounts. Unless
expressly allowed by law, amounts may not be obligated before they are
appropriated. Additionally, the amount of obligations and expenditures may not
exceed the amount of the apportionments received. (See 31 U.S.C. §§ 1341-
1342, 1351, and 1517 for further information.) Also, see FAM 803.
.02 Purpose statute: This statute states that appropriations may be obligated and
expended only for the purposes stated in the appropriation. (See 31 U.S.C. §
1301 for further information.)
.03 Time statute: This statute states that appropriations may be obligated or
expended only during the period of availability specified by law. (See 31 U.S.C.
§ 1502 for further information.)
One-year (annual) or multiple-year (multiyear) appropriations often are referred
to as fixed accounts. These accounts are available for obligation for a definite
period of time. Multiple-year appropriations may also cover periods different than
the fiscal year, such as July 1 of one fiscal year through September 30 of the
next fiscal year—a period of 15 months. This type of multiple-year authority is
sometimes referred to as forward funding.
No-year authority or accounts are budgetary resources that are available for
obligation for an indefinite period of time, usually until the purposes for which
they were provided are carried out. A no-year appropriation is usually identified
by words of futurity such as “to remain available until expended.”
.04 Appropriation acts: The entity’s appropriations may contain other budgetary
restrictions on the appropriations provided.
395 E Budget Execution Process
.01 The steps of a simplified budget process are illustrated in the following table.
General phases Events Accounting recognition
Formulation Budget submission None
Approval Granting budget authority Appropriations
Execution
Delegation of authority Apportionment
Allotment
Use of authority
Commitment
Obligation
Expended authority
Outlay
Expiration
Cancellation
.02 The design of the budget execution process is of interest to the auditor when
testing the statement of budgetary resources and reconciliation of net cost of
operations to budget note and when evaluating an entity’s internal control relating
to budget execution.[13]
[13] For additional information on budget execution, see OMB Circular No. A-11, Preparation, Submission, and
Execution of the Budget, part 4. OMB circulars are updated periodically, and the current version can be found on the
OMB website at https://www.whitehouse.gov/omb/information-for-agencies/circulars/ (accessed on May 1, 2023).
Another useful document is GAO, A Glossary of Terms Used in the Federal Budget Process, GAO-05-734SP
(Washington, D.C.: September 2005). The USSGL and related accounting in the TFM can be found at
https://tfm.fiscal.treasury.gov/v1/supplements/ussgl.html (accessed on May 1, 2023).
- Congress provides an entity with an appropriation (or other budget
  authority), which is authority provided by law to enter into obligations that
  result in immediate or future outlays (2 U.S.C. § 622(2)).
The Secretary of the Treasury issues warrants, which establish the amount
of moneys authorized to be withdrawn from the central accounts that
Treasury maintains.
OMB makes an apportionment, which is a distribution of amounts available
for obligation. Apportionments divide amounts available for obligation by
specific periods (usually quarters), activities, projects, objects, or a
combination thereof. The amounts apportioned limit the amount of obligations
that may be incurred.
The entity head (or other authorized employee) makes an allotment, which is
an authorization to subordinates to incur obligations within a specified
amount. The total amount allotted by an entity may not exceed the amount
apportioned by OMB. The entity, through its fund control regulations,
establishes allotments at a legally binding level for complying with the
Antideficiency Act. Suballotments and allowances are further administrative
divisions of funds, usually at a more detailed level (i.e., suballotments are
divisions of allotments established as needed).
The entity may make a commitment, which is an administrative reservation
of an allotment or of other funds in anticipation of their obligation.
Commitments are not required by law or regulation nor are they formal/official
uses of budget authority. Rather, entities use commitments for financial
planning and control over obligations and the use of budget authority.
The entity incurs an obligation. An obligation, as defined in OMB Circular
No. A-11, is a binding agreement that will result in outlays, immediately or in
the future. GAO’s Federal Budget Glossary¹⁴ defines obligation as a definite
commitment that creates a legal liability of the government for the payment of
goods and services ordered or received, or a legal duty on the part of the
United States that could mature into a legal liability by virtue of actions on the
part of the other party beyond the control of the United States. Payment may
be made immediately or in the future. An agency incurs an obligation, for
example, when it places an order, signs a contract, awards a grant,
purchases a service, or takes other actions that require the government to
make payments to the public or from one government account to another.
The entity should comply with legal requirements before recording obligations
against appropriation accounts (title 7 of GAO’s Policy and Procedures
Manual for Guidance of Federal Agencies). These legal requirements include
determining whether the purpose, the amount, and the timing of when the
obligation was incurred are in accordance with the appropriation. Additionally,
there are legal requirements concerning the documentary evidence
necessary for recording an obligation.
The reconciliation of net cost of operations to budget note reconciles the
budgetary resources obligated for an entity’s programs and operations, which
are shown on the statement of budgetary resources and determined using
budgetary accounting with the net cost of operations shown on the statement
of net cost, which is determined using proprietary accounting.
¹⁴ GAO, A Glossary of Terms Used in the Federal Budget Process, GAO-05-734SP (Washington, D.C.: September
2005).
The entity records expended authority when the budget authority has been
used, such as by the receipt and acceptance of goods or services ordered.¹⁵
The entity records an outlay, which, as used in the President’s budget,
congressional budget documents, and the statement of budgetary resources,
refers to payments (cash disbursements) made to liquidate obligations. The
statement of budgetary resources reconciles obligations incurred net of
offsetting collections to net outlays.
The entity records a deobligation, which is the entity’s cancellation or
downward adjustment (i.e., reduction) of previously incurred obligations. The
entity should not cancel or reduce an obligation until it has made a formal
decision to do so, supported by any necessary documentation that has been
fully executed (e.g., SF-30 for contract amendments). There may be specific
statutory or other requirements concerning deobligation. For example,
transactions authorized by the Economy Act are limited by the statutory
requirement that the amount obligated by the ordering appropriation is
required to be deobligated to the extent that the agency or unit filling the
order has not incurred obligations before the end of the period of availability
of the ordering appropriation. Additionally, there are stewardship reasons for
timely deobligating funds.
When appropriations are deobligated before the expiration of the period of
availability, the deobligated amount is available for incurring new obligations
for an authorized use. This means that annual appropriated funds may be
reobligated in the fiscal year in which the funds were appropriated, while
multiyear or no-year appropriated funds may be reobligated in the same or
subsequent fiscal years. When appropriations are deobligated after the
expiration of the period of availability, the deobligated amount is not available
to incur a new obligation unless specifically authorized; however, the
deobligated amount is available to cover appropriate adjustments to
obligations in the expired account. Deobligated no-year funds are generally
available for obligation on the same basis as if they had never been
obligated.
¹⁵ In the normal flow of business, when obligations are incurred, a credit to “undelivered orders” or “unexpended
obligations - unpaid” is recorded (USSGL account 4801) with a debit to commitments (USSGL account 4700 or
4720). When the budget authority has been used, such as by the receipt of goods or services ordered, the obligation
is debited (USSGL account 4801) with a credit to “delivered orders-unpaid” or “expended authority - unpaid” (USSGL
account 4901). At this time, a proprietary accounting entry is also made to debit expenditures (usually USSGL
account 6100) with a credit to accounts payable (USSGL account 2110). When the obligation is paid and the outlay is
made, the transaction is credited to “delivered orders - paid” or “expended authority - paid” (USSGL account 4902). At
this time, a proprietary accounting entry is also made to debit accounts payable (USSGL account 2110) with a credit
to FBWT (USSGL account 1010). For additional transaction details, see TFM’s U.S. Standard General Ledger
Accounting Transactions supplement.
The appropriation account expires when, according to time restrictions
contained in the appropriation, the appropriation is no longer available for
new obligations.¹⁶ Adjustments may be made for valid obligations that were
either (1) recorded at an estimated amount that differs from the actual
amount¹⁷ or (2) incurred before the authority expired but not recorded.
Adjustments may be recorded for 5 years after the appropriation expires. For
both expired accounts and closed accounts, the entity’s obligations and
expenditures may not exceed the related budget authority. See OMB Circular
No. A-11, part 4, for additional guidance on these types of adjustments and
transactions.
Examples of valid adjustments to expired accounts within the 5-year period
include adjustments for
o canceled orders or orders for which delivery is no longer likely,
o refunds received in the current period that relate to recovery of erroneous
payments or accounting errors,
o legal and valid obligations that were previously unrecorded, and
o differences between the estimated and actual obligation amounts.
After the 5-year period, the budget authority for the expired accounts is
canceled and the expired accounts are closed.¹⁸ No further adjustments or
outlays may be made in those closed accounts. Payments for any
unliquidated obligations in closed accounts may be made from unexpired
appropriations that have the same general purpose (but are limited in
aggregate to 1 percent of the current-year appropriation). For both expired
accounts and closed accounts, the entity’s obligations and expenditures may
not exceed the related budget authority. See OMB Circular No. A-11, part 4,
for additional guidance on these types of adjustments and transactions.
¹⁶ Unobligated amounts are debited and moved to “allotments expired authority” with a credit to USSGL account
4650. For no-year appropriations (i.e., those available for obligation for an indefinite period), the appropriation
account does not expire. Consistent with 31 U.S.C. § 1555, the appropriation account is closed, and any remaining
balance (whether obligated or unobligated) in that account is canceled (and thus no longer available for obligation or
expenditure for any purpose) if (1) the entity head or the President determines that the purposes for which the
appropriation was made have been carried out and (2) no disbursement has been made against the appropriation for 2
consecutive fiscal years.
¹⁷ Amounts of commitments, obligations, and expended authority may differ for a particular item acquired.
Commitments are made at “initial” estimates, obligations at “later” estimates, and expended authority at “actual”
amounts.
¹⁸ Expired authority (USSGL account 4650) is debited and moved to “canceled authority” by a credit to USSGL
account 4350. At this time, a proprietary entry is made to debit and reduce “unexpended appropriations” (USSGL
account 3106) and to credit and reduce FBWT (USSGL account 1010).
395 F Budget Control Objectives
.01 This section lists budget control objectives by steps in the budget process. The
auditor may use these control objectives for the audit of the statement of
budgetary resources and the reconciliation of net cost of operations to budget
note, the evaluation of financial reporting controls, or the evaluation of
compliance controls. The auditor may evaluate the design of many of these
controls when evaluating the design of controls over expenses, disbursements,
and liabilities. When testing control effectiveness, the auditor may test these
controls at the same time, which is referred to as multipurpose testing.
a. Appropriations (or other forms of budget authority). The recorded
appropriation (or other form of budget authority) is the same as that made
available in the appropriation or other appropriate statutes, including
restrictions on amount, purpose, and timing.
b. Apportionments. The recorded apportionments agree with the OMB
apportionments (as indicated on the apportionment schedules), and the total
amount apportioned does not exceed the total amount appropriated.¹⁹
c. Allotments/suballotments. The total amount allotted does not exceed the
total amount apportioned.
d. Commitments. The auditor may not be concerned with controls over
budgetary commitments because commitments are not required by law or
regulation nor are they formal/official uses of budget authority. Controls over
budgetary commitments are a type of operations control.
The auditor generally should evaluate the design of controls over
commitments if the entity relies on controls over commitments to achieve the
control objectives relating to obligations. If the auditor evaluates the design of
controls over commitments, the auditor generally should use the same control
objectives as used for obligations and expenditures, as discussed below. The
auditor should test the operation of those controls that are designed and
implemented effectively.
¹⁹ OMB apportionments may, as a result of impoundments (rescissions or deferrals), be less than the amount of the
apportionments requested by the entity. The auditor generally should notify OGC of any impoundments that come to
the auditor’s attention. OMB may also approve different amounts available than those requested by time period,
activity, project, or object class.
e. Obligation transactions. The control objectives relating to obligation
transactions are as follows:
Validity/occurrence. Obligations recorded are valid. An obligation is
valid only if it meets these criteria:
o The obligation has been incurred and represents a valid obligation.
This is usually evidenced by appropriate supporting documentation,
such as a purchase order or contract.
The auditor may look for instances of “block obligating” or “block
dumping,” which occur when an entity records obligations to “reserve”
funds even though the goods or services have not been ordered. This
is most likely to occur near the expiration of an appropriation and
usually occurs in large dollar services and equipment contracts. The
auditor may look for such signs as large, even-amount obligations
near the end of the fiscal year for annual appropriations or during the
last year of a multiyear appropriation account.
o The purpose of the obligation is one for which the appropriation was
made.
o The obligation was incurred within the time that the appropriation was
made available for new obligations.
o The obligation did not exceed the amount allotted or appropriated by
statute nor was it incurred before the appropriation became law,
unless otherwise provided by law.
o The obligation complies with any other legally binding restrictions,
such as obligation ceilings or earmarks, identified in the planning
phase.
o The obligation has not subsequently been deobligated or canceled.
The entity should not cancel or reduce an obligation until it has made
a formal decision to do so, supported by any necessary
documentation that has been fully executed (e.g., SF-30 for contract
amendments). There may be specific statutory or other requirements
concerning deobligation. For example, transactions authorized by the
Economy Act are limited by the statutory requirement that the amount
obligated by the ordering appropriation is required to be deobligated
to the extent that the agency or unit filling the order has not incurred
obligations before the end of the period of availability of the ordering
appropriation.
o For adjustments to obligations in expired accounts, objectives are as
follows:
i. If the adjustment represents a “contract change,” as defined in
OMB Circular No. A-11, refer to the entity’s reporting and approval
requirements in that circular.
ii. The adjustment represents a valid increase or decrease to the
entity’s budgetary obligation, supported by any necessary
documentation that has been fully executed (e.g., SF-30 for
contract amendments).
iii. The adjustment does not cause the entity to exceed the amount
allotted or appropriated by statute.
iv. The adjustment is recorded during the period when the account is
available for adjustments (5 years) and was made for a valid
obligation incurred before the authority expired.
v. New obligations are not to be recorded in expired accounts.
Completeness. All obligation transactions are recorded.
Accuracy. Obligations are accurately recorded based on the entity’s
budgetary obligation for the payment of goods and services ordered or
received and other unliquidated obligations.²⁰ The entity’s budgetary
obligation is not the same as an entity’s accounting liability, which is a
probable future outflow or other sacrifice of resources as a result of past
transactions or events (e.g., receipt of goods or services). The entity’s
budgetary obligation is reported on the statement of budgetary resources,
whereas its accounting liability is reported on the balance sheet.
Cutoff. Obligations are recorded in the proper period.
Classification. Obligations are recorded in the proper appropriation or
fund accounts (also by program and by object, if applicable), including the
proper appropriation year if the account is multiyear. Examples of
programmatic account classifications are school lunch program and
nutrition education and training. Examples of object account
classifications are salaries, rent, and travel.
f. Expended authority transactions. Control objectives relating to expended
authority transactions, as defined in FAM 395 E, are generally the same as
those for obligation transactions.
Validity/occurrence. For all expended authority transactions, recorded
expended authority transactions have occurred. This occurrence is
usually evidenced by appropriate supporting documentation, such as
invoices and receiving reports. Accrual of liabilities based on incurred but
unbilled contractor costs alone is not sufficient evidence of validity (i.e., it
may not meet the purpose, time, and amount provisions of an
appropriation). For expended authority transactions (or adjustments to
expended authority transactions) in expired accounts, the entity
objectives are that
o the expended authority transaction does not cause the entity to
exceed the amount appropriated by statute,
o the expended authority transaction is recorded during the period when
the account is available for adjustments (5 years), and
o the expenditure is not made out of a closed account.
Completeness. All expended authority transactions and adjustments are
recorded.
Accuracy and valuation. Expended authority transactions and
adjustments are recorded at the correct amount.
Cutoff. Expended authority transactions and adjustments are recorded in
the proper period.
Classification. Expended authority transactions and adjustments are
recorded in the proper appropriation or fund accounts (also by program
and by object, if applicable), including the proper appropriation year if the
account is multiyear.
²⁰ Other unliquidated obligations include legal duties on the part of the United States that could mature into legal
liabilities by virtue of actions on the part of the other party beyond the control of the United States. For example, in a
GAO legal decision, an entity that, at the time of grant award, accepted a legal duty to cover the benefits of new
participants at the time of a grant award was required to record its maximum amount of liability because the amount
of payment was under the control of the grantee. See Obligational Practices of the Corporation for National and
Community Service, B-300480, Apr. 9, 2003; Corporation for National and Community Service: Amount of
Obligations, B-300480.2, June 6, 2003.
g. Outlay transactions. Control objectives that relate to outlay transactions and
may be tested while auditing cash disbursements are as follows:
Validity/occurrence. Outlays are supported by evidence such as
contractor invoices, receiving reports, and intragovernmental payment
and collection reports. The outlay is recorded against an obligation made
during the period of availability of the appropriation (not made out of a
closed account). The outlay is also for a purpose for which the
appropriation was provided and in an amount not exceeding the
obligation, as adjusted, authorizing the outlay. Use of “first-in, first-out” or
other arbitrary means to liquidate obligations based on outlays is not
generally acceptable unless supporting evidence demonstrates that in
fact these estimating techniques reasonably represent the manner in
which costs are incurred. (Note: Internal control over outlays and related
liquidation of obligations may provide safeguards against improper
payments, such as erroneous, duplicative, or fraudulent contractor
billings.)
Completeness. All outlays and adjustments are recorded.
Accuracy and valuation. Outlays and adjustments are recorded at the
correct amounts.
Classification. Outlays are recorded in the proper accounts (both by
program and by object, if applicable), including the proper appropriation
year if the account is multiyear. This is evidenced by “matching” the
outlay to the underlying obligation.
Cutoff. Outlays and adjustments are recorded in the proper period.
h. Obligation and expended authority balances. Control objectives relating to
obligation and expended authority balances as of a point in time are as
follows:
Summarization. Recorded balances of obligation and expended
authority accounts as of a given date are supported by appropriate
detailed records that are accurately summarized and reconciled to the
appropriation or fund account balance, by year, for each account.
Existence. Recorded account balances exist and are supported by valid
obligations and expended authority transactions.
Compliance. Total undelivered orders (i.e., the value of goods and
services ordered and obligated that have not been received) and other
unliquidated obligations plus total expended authority transactions do not
exceed the amount of the appropriation or other statutory limitations (such
as obligation ceilings or earmarks) that may exist by appropriation period.
These other statutory limitations may limit the amount of obligations that
can be incurred by program or object classification.
In addition, total payments of unliquidated obligations that relate to closed
accounts do not exceed the limits described in OMB Circular No. A-11
(for annual accounts, 1 percent of the account’s current year
appropriation; for multiyear accounts, 1 percent of all appropriations that
are available for obligation for the same purpose, which is a single,
cumulative limit).
i. Appropriation account balances. The control objective relating to
appropriation account balances as of a point in time is as follows:
Cutoff/completeness/existence. Fixed appropriation accounts are
identified by fiscal year after the end of the period in which they are
available for obligation until they are closed (31 U.S.C. § 1553(a)).
Fixed appropriation accounts are closed on September 30 of the fifth
fiscal year after the end of the period that they are available for obligation.
Any remaining balance (whether obligated or unobligated) in the account
is canceled and is no longer available for obligation or expenditure for any
purpose (31 U.S.C. § 1552(a)). For example, at the end of fiscal year
2017, the entity has accounts only for fixed appropriations that expired at
the end of fiscal years 2013, 2014, 2015, 2016, and 2017. Accounts for all
fixed appropriations that expired prior to these dates have been closed,
and their remaining balances have been canceled as of the end of fiscal
year 2017.
Appropriation accounts that are available for obligation for an indefinite
period are closed if (1) the entity head or the President determines that
the purposes for which the appropriation was made have been carried out
and (2) no disbursement has been made against the appropriation for 2
consecutive fiscal years (31 U.S.C. § 1555).
j. Outlay account balances. Control objectives relating to outlay account
balances appearing in the statement of budgetary resources for the fiscal
year are as follows:
Summarization. Recorded balances of outlay accounts for the fiscal year
are supported by appropriate detailed records that are accurately
summarized for each account.
Existence. Recorded account balances exist and are supported by valid
outlay transactions.
k. Recording of cash receipts related to closed appropriation accounts.
This control is to be evaluated only if these amounts are expected to exceed
performance materiality. The control objective is as follows:
Compliance. Collections authorized or required to be credited to an
appropriation account but not received before the account is closed are
deposited in the Treasury as miscellaneous receipts (31 U.S.C. §
1552(b)).
Budget Control Objectives under the Federal Credit Reform Act
.02 The Federal Credit Reform Act (FCRA) contains provisions regarding the
recording and reporting of activity related to direct loans, loan guarantees, and
modifications of these items for budget accounting purposes. Definitions of these
and other FCRA terms are provided in paragraph .03 below. For transactions and
account balances related to these types of activities, the auditor generally should
use the budget control objectives listed in FAM 395 F and supplement them with
the following budget control objectives related to FCRA. Additional guidance on
FCRA accounting for budget purposes is included in OMB Circular No. A-11.
Also, see Federal Financial Accounting and Auditing Technical Releases No. 3,
Auditing Estimates for Direct Loan and Loan Guarantee Subsidies Under the
Federal Credit Reform Act (as amended), and No. 6, Preparing Estimates for
Direct Loan and Loan Guarantee Subsidies Under the Federal Credit Reform
Act.
a. Obligation transactions. Obligation transactions include direct loan
obligations, loan guarantee commitments, and modifications that change the
cost of an outstanding direct loan or loan guarantee (modifications do not
include changes to outstanding direct loans or loan guarantees that are within
the terms of existing contracts or through other existing authorities). The
supplemental control objective relating to obligation transactions under FCRA
is as follows:
Valuation. When funds are obligated for a direct loan or loan guarantee,
the estimated cost shall be based on the “current” assumptions,²¹
adjusted to incorporate the terms of the loan contract, for the fiscal year in
which the funds are obligated.
o The cost of a direct loan is recorded at the net present value, at the
time when the loan is disbursed, of estimated cash flows for
i. loan disbursements;
ii. principal repayments;
iii. interest payments; and
iv. other payments by or to the government over the life of the loan,
including fees, penalties, and other recoveries, as well as
adjustments for estimated prepayments, delinquencies, and
defaults.
These estimated cash flows include the effects of the timing and are
discounted using the appropriate rate as described below.
Administrative costs and any incidental effects on governmental
receipts and outlays are not included in the cost of the direct loan
(2 U.S.C. § 661a(5)(A), (B)).
o The cost of a loan guarantee is recorded at the net present value, at
the time when the related guaranteed loan is disbursed, of the cash
flows for
i. estimated amounts and timing of payments by the government for
defaults, delinquencies, interest subsidies, or other payments,
excluding administrative costs, and
ii. estimated amounts and timing of payments to the government for
origination and other fees, penalties, and recoveries.
These estimated cash flows are discounted using the appropriate rate
as described below. Administrative costs and any incidental effects on
governmental receipts and outlays are excluded (2 U.S.C. §
661a(5)(A), (C)).
o The cost of a modification is recorded at the difference between the
current estimated net present value of the remaining cash flows under
the existing direct loan or guarantee contract and the estimated net
present value of the remaining cash flows under the modified contract.
The cash flows for each of these calculations are discounted at the
rate for modifications described below (2 U.S.C. § 661a(5)(D)).
o The discount rate used to estimate the net present values described
above is the average interest rate on marketable Treasury securities
of similar maturity to the cash flows of the direct loan or loan
guarantee for which the estimate is being made (2 U.S.C. §
661a(5)(E)).
²¹ The term current has the same meaning as in section 250(c)(9) of the Balanced Budget and Emergency Deficit
Control Act of 1985.
b. Expended authority transactions. Expended authority transactions include
transactions that occur when loans are disbursed. Supplemental control
objectives relating to expended authority transactions under FCRA are as
follows:
Valuation. Expended authority transactions are recorded at the proper
amount. The same specific criteria for the amounts of FCRA obligations
are also applicable to expended authority transactions.
Cutoff. Expended authority transactions are recorded in the proper
period. Expended authority transactions for the cost of loans or
guarantees are recorded in the fiscal year in which the direct or
guaranteed loan is disbursed or when a modification occurs (2 U.S.C. §
661c(d)(2)).
Classification/presentation and disclosure. Amounts are recorded in
the proper account and reported appropriately for:
o Differences in subsequent years between original estimated costs and
reestimated costs are recorded in a separately identified subaccount
in the credit program account and shown as a change in program
costs and a change in net interest (2 U.S.C. § 661c(f)).
o Funding for the administrative costs of a direct loan or loan guarantee
program is recorded in separately identified subaccounts within the
same budget account as the program’s cost (2 U.S.C. § 661c(g)).
o Cash disbursements for direct loan obligations or loan guarantee
commitments made on or after October 1, 1991, are made out of the
financing account (2 U.S.C. § 661a(7)).
c. Obligation and expended authority balances. The supplemental control
objective relating to obligation and expended authority balances under FCRA
as of a point in time is as follows:
Limitation. Total obligations and total expended authority transactions do
not exceed the appropriation amount or other statutory limitations that
may exist by appropriation period. Specifically, see the following:
o Direct loan obligations made on or after October 1, 1991, do not
exceed the available appropriation or other budget authority.
o Modifications made to direct loan obligations or direct loans do not
exceed the available appropriation or other budget authority. (Note:
Prior to performing any control or compliance tests, the auditor should
discuss with OGC the applicability of this budget restriction to direct
loans and direct loan obligations that were outstanding prior to
October 1, 1991.)
o Obligations for new loan guarantee commitments made on or after
October 1, 1991, do not exceed the available appropriation or other
budget authority.
o Modifications made to loan guarantee commitments or outstanding
loan guarantees do not exceed the available appropriation or other
budget authority. (Note: Prior to performing any control or compliance
tests, the auditor should discuss with OGC the applicability of this
budget restriction to loan guarantees or loan guarantee commitments
that existed prior to October 1, 1991.)
d. Cash receipts. The control objective for cash receipts under FCRA is as
follows:
Classification. Cash receipts are recorded in the proper account for:
o Cash receipts related to direct loans obligated or loan guarantees
committed prior to October 1, 1991, are recorded in the liquidating
accounts (2 U.S.C. § 661f(b)).
o Cash receipts related to direct loans obligated or loan guarantees
committed on or after October 1, 1991, are recorded in the financing
account (2 U.S.C. § 661a(7)).
.03 Definitions used in FCRA are as follows:
a. Direct loans are disbursements of funds by the government to nonfederal
borrowers under contracts that require the repayment of such funds with or
without interest. Direct loans also include the purchase of, or participation in,
loans made by other lenders. Direct loans do not include the acquisition of
federally guaranteed loans in satisfaction of default claims or the price
support loans of the Commodity Credit Corporation (2 U.S.C. § 661a(1)).
b. Direct loan obligations are binding agreements by a federal agency to
make direct loans when specified conditions are fulfilled by the borrowers
(2 U.S.C. § 661a(2)).
c. Loan guarantees are any guarantees, insurance, or other pledges with
respect to the payment of all or a part of the principal or interest on any debt
obligations of nonfederal borrowers to nonfederal lenders, but do not include
the insurance of deposits, shares, or other withdrawable accounts in financial
institutions (2 U.S.C. § 661a(3)).
d. Loan guarantee commitments are binding agreements by a federal agency
to make loan guarantees when specified conditions are fulfilled by borrowers,
lenders, or any parties to guarantee agreements (2 U.S.C. § 661a(4)).
e. Cost is defined as the estimated long-term cost to the government of a direct
loan or loan guarantee, calculated on a net present value basis, or
modification thereof, excluding administrative costs and any incidental effects
on governmental receipts or outlays (2 U.S.C. § 661a(5)). These calculations
are described in further detail under the valuation control objective for
obligations in FAM 395 F.
f. Credit program accounts are the budget accounts associated with each
program account into which appropriations to cover the costs of direct loans
or loan guarantee programs are made and from which such costs are
disbursed to the financing accounts (2 U.S.C. § 661a(6)).
g. Financing accounts are the nonbudget accounts associated with each credit
program account that hold balances, receive the cost payment from the credit
program account, and include all other cash flows to and from the
government resulting from direct loan obligations or loan guarantee
commitments made on or after October 1, 1991 (2 U.S.C. § 661a(7)).
h. Liquidating accounts are the budget accounts that include all cash flows to
and from the government resulting from direct loan obligations or loan
guarantee commitments made prior to October 1, 1991. These accounts are
shown on a cash basis (2 U.S.C. § 661a(8)).
i. Modifications are government actions that alter the estimated cost of an
outstanding direct loan (or direct loan obligation) or loan guarantee (or loan
guarantee commitment) from the current estimate of cash flows (2 U.S.C. §
661c(9)). These include the sale of loan assets, with or without recourse, and
the purchase of guaranteed loans. They also include the actions resulting
from new statutes, or from the exercise of administrative discretion under
existing law, that directly or indirectly alter the estimated cost of outstanding
direct loans (or direct loan obligations) or loan guarantees (or loan guarantee
commitments).
For example, a policy change affecting the repayment period or interest rate
for a group of existing loans would be a modification. Changes within the
terms of existing contracts or through other existing authorities are not
modifications under FCRA. In addition, “work outs” of individual loans, such
as a change in the amount or timing of payments to be made, are not
modifications. The effects of these changes are included in the annual
reestimates of the estimated net present value of the obligations.
Reestimates are generally made annually to adjust the net present value of
direct loans and loan guarantee obligations for changes in the estimated
amounts of items such as defaults and in the timing of payments. Permanent
indefinite authority has been provided for reestimates.
395 G Specific Control Evaluation Worksheet
.01 The auditor should use the SCE worksheet or equivalent to document the
evaluation of the design and implementation of the control activities in the
internal control phase and the results of testing in the testing phase. This section
illustrates an SCE worksheet for the cash receipts accounting application for a
hypothetical entity, “XYZ Entity” (XYZ).
.02 The auditor should prepare an SCE worksheet or equivalent for each significant
accounting application. The auditor generally should use the SCE worksheet to
document the evaluation of compliance (including budget) and operations
controls. The worksheet may be completed for financial reporting controls as
follows:
In column 1, list each assertion that is relevant to the accounting application.
While all five financial statement assertions described in FAM 235 are
relevant to line item/account-related accounting applications, only the
occurrence, completeness, and accuracy assertions are relevant to
transaction-related accounting applications, as illustrated in FAM 395 B.
Therefore, these assertions would be relevant to the cash receipts
transaction-related accounting application.
In columns 2 and 3, list the significant line items or accounts that the
accounting application affects, which is obtained from the LIRA (see FAM
240). For example, cash receipts typically affect cash and accounts
receivable. Document the assertions for each line item or account identified
that relate to each accounting application assertion (see FAM 330).
In columns 4 and 5, respectively, for each relevant assertion listed in column
1, identify the potential misstatements (inherent risks) that could occur in the
accounting application and the related control objectives, based primarily on
the list of potential misstatements and control objectives included in FAM 395
B. The auditor may tailor this list to the accounting application and the entity.
In addition, the auditor may add additional objectives or subobjectives.[22]
[22] On the SCE worksheet, the auditor may commingle the documentation of compliance (including budget) operations
controls and safeguarding controls with that of financial reporting controls to the extent relevant, list this
documentation separately in a section within the SCE worksheet, or present each of these types of controls in a
separate SCE worksheet. To complete the SCE worksheet for these controls, the auditor begins by inserting relevant
control objectives in column 5 and completing columns 6 through 12.
In column 6, list control activities selected for testing that achieve each
control objective identified. FAM 395 C illustrates typical control activities to
achieve financial reporting control objectives.
In column 7, indicate whether each control activity is either (a) an IS control,
(b) a manual control, or (c) both an IS control and a manual control. Because
of the technical nature of many IS controls, the auditor generally should
obtain assistance from an IS controls auditor in understanding the entity’s use
of information systems and in planning, directing, or performing audit
procedures related to assessing IS controls. Additionally, an information
technology specialist may assist the auditor in understanding technical
aspects of information systems and IS controls. As noted in FAM 350.08, the
auditor generally should obtain concurrence from an IS controls auditor on
the auditor’s identification of IS controls. IS controls consist of those internal
controls that depend on information system processing and include general
controls, application controls, and user controls. A user control can be either
(a) a manual control or (b) both an IS control and a manual control. A user
control is considered both an IS control and a manual control if it depends on
information system processing. Conversely, a user control is considered a
manual control if it does not depend on information system processing.
Manual controls do not depend on information system processing either in
the performance of the control activity or in the production of information used
in the performance of the control activity. See FAM 295 F for additional
information on the types of IS controls.
In column 8, based on procedures performed in the internal control phase,
conclude as to whether the control activity is designed and implemented
effectively. Additionally, as noted in FAM 360.11, the auditor should also
identify other IS controls (application controls and general controls
implemented at the entity-wide, system, and application levels) upon which
the effectiveness of the IS controls included on the SCE worksheet depends.
IS controls auditors will often need to assist the auditor in assessing the
design and implementation of controls designated as IS controls on the SCE
worksheet. As part of this assessment, the auditor assesses the design and
implementation of other IS controls upon which the effectiveness of the IS
controls included on the SCE worksheet depends.
In column 9, reference the audit documentation supporting the conclusion on
whether the control activity is designed and implemented effectively.
In column 10, based on the results of the internal control and testing phase
audit procedures, enter a conclusion regarding the operating effectiveness of
each control activity. IS controls auditors will often need to assist the auditor
in assessing the operating effectiveness of controls designated as IS controls
on the SCE worksheet. As part of this assessment, the auditor assesses the
operating effectiveness of other IS controls upon which the effectiveness of
the IS controls included on the SCE worksheet depends.
In column 11, conclude on whether each control objective has been
achieved. This conclusion will need to consider the impact of mixed results on
the effectiveness of listed individual control activities for achieving a control
objective (e.g., one of the four control activities for achieving a control
objective may have been ineffective; however, the combination of all control
activities achieved the control objective).
In column 12, reference the audit procedures in the detailed control testing
audit plan that were designed to test each effective control determined to be
relevant.
.03 The auditor should include the overall assessment of financial reporting controls
by assertion in the LIRA form or equivalent document, as illustrated in
FAM 395 H. If the results of testing indicate that the preliminary assessment of
control effectiveness based on the design of the control was not appropriate, the
auditor should document the revised assessment in the SCE worksheet or other
document, such as the audit summary memo, and the LIRA form or equivalent
document.
ENTITY: XYZ
DATE OF FIN. STMTS: 9/30/xx
ACCOUNTING APPLICATION: Cash Receipts
SPECIFIC CONTROL EVALUATION
FILE: __________
INTERNAL CONTROL PHASE SIGN-OFFS
Preparer & Date:
Primary Review & Date:
TESTING PHASE SIGN-OFFS
Preparer & Date:
Primary Review & Date:

ACCOUNTING APPLICATION: CASH RECEIPTS
Columns:
(1) Accounting application assertion
(2)-(3) Relevant assertions in related groups of accounts:[23] (2) Cash, (3) Accts. Rec.
(4) Potential misstatement in accounting application assertion
(5) Internal control objectives (ICO)
(6) Internal control activities (ICA)
(7) Type of ICA: IS, Manual (M), or Both IS and Manual (B)
(8) Internal control phase: Is the ICA designed and implemented effectively?
(9) Audit doc. ref.[24]
(10) Testing phase: Is the ICA operating effectively?
(11) Is the ICO achieved?
(12) Audit plan testing step[25]

[23] The third column is for use when the effects of the accounting application on the line items are different. For example, misstatements in the existence or occurrence assertion for cash receipts typically result in misstatements in the existence assertion for cash and in the completeness assertion for accounts receivable (see FAM 330.04.05).
[24] In this column, the auditor references the audit documentation supporting the conclusion.
[25] In this column, the auditor references the audit procedures in the control testing audit plan (and information systems audit plan, as applicable) that were designed to test each effective control determined to be relevant. Such tests will involve inquiry, observation, inspection, or a combination thereof.

Assertion (1): Existence or occurrence. Cash (2): Existence. Accts. Rec. (3): Completeness.

Occurrence/validity:
Potential misstatement 1. Receipt is recorded, but cash is not received.
ICO 1a. Recorded cash receipts and cash receipt processing procedures are authorized by federal laws, regulations, contracts, grant agreements, and management’s policy.
ICA 1a. Receipts processing is governed by documented procedures for accepting, obtaining, reviewing, and approving receipts.
Columns (7)-(12): M Y Y Y
ICO 1b. Appropriate individuals approve recorded receipts in accordance with management’s general or specific criteria.
ICA 1b. A supervisor reviews receipts processing to provide reasonable assurance that procedures are followed.
Columns (7)-(12): M Y Y Y
ICO 1c. Recorded receipts represent amounts actually received by the entity.
ICA 1c1. Recorded cash receipts are matched with the appropriate supporting documentation.
Columns (7)-(12): M Y Y Y
ICA 1c2. Entries to the accounting records are reviewed and approved by supervisory personnel.
Columns (7)-(12): M Y N
ICO 1d. Receipts are recorded in the proper accounts.
ICA 1d. Same as ICA 1c2 above.
Columns (7)-(12): M Y Y Y
Cutoff:
Potential misstatement 2. Receipts are recorded in the current period, but the cash is received in a different period.
ICO 2. Cash receipts recorded in the current period are actually received in the current period.
ICA 2. Entity personnel reconcile recorded receipts to cash receipts listings and bank deposit reports before posting.
Columns (7)-(12): B Y Y Y
Summarization:
Potential misstatement 3. Receipt transactions are summarized improperly, resulting in an overstated total.
ICO 3. The summarization of receipt transactions is not overstated.
ICA 3a. Entity personnel reconcile receipt data in the general ledger to subsidiary cash ledgers and records.
Columns (7)-(12): B Y Y Y
ICA 3b. Batch totals of input documents are automatically reconciled to output registers, journals, reports, or file updates.
Columns (7)-(12): B Y Y
Assertion (1): Completeness. Cash (2): Completeness. Accts. Rec. (3): Existence.

Transaction completeness:
Potential misstatement 4. Cash is received, but receipt is not recorded or is recorded in the incorrect account.
ICO 4. All receipts of cash are recorded in the proper accounts.
ICA 4a. Cash receipts are listed by the central mailroom staff and independently reconciled to deposits and accounting summaries, providing adequate segregation of duties. Collections and complaints are handled by others.
Columns (7)-(12): M Y Y Y
ICA 4b. Supervisory reviews of the processing of cash receipts.
Columns (7)-(12): M Y Y
ICA 4c. Same as ICA 1c2 above.
Columns (7)-(12): M Y Y
Cutoff:
Potential misstatement 5. Cash is received in the current period, but receipt is recorded in a different period.
ICO 5. Cash receipts actually received in the current period are recorded in the current period.
ICA 5. Same as ICA 2 above.
Columns (7)-(12): B Y Y Y
Summarization:
Potential misstatement 6. Receipt transactions are summarized improperly, resulting in an understated total.
ICO 6. The summarization of cash receipt transactions is not understated.
ICA 6. Same as ICAs 3a and 3b above.
Columns (7)-(12): B Y Y Y
Assertion (1): Accuracy, valuation, and allocation. Cash (2): Accuracy. Accts. Rec. (3): Accuracy.

Accuracy:
Potential misstatement 7. Receipt transactions have not been appropriately recorded.
ICO 7. Receipt transactions have been appropriately recorded.
ICA 7a. Recorded receipts are compared with bank statements by persons who have no other receipts processing responsibilities.
Columns (7)-(12): M Y Y Y
ICA 7b. Supervisor reviews and approves reconciliations of recorded receipts to bank statements.
Columns (7)-(12): M Y Y
Segregation of duties:[26]
ICO 8. Persons are prevented from having uncontrolled access to both cash receipts and records.
ICA 8a. Management reviews roles and responsibilities to ensure no individual has uncontrolled access (direct or indirect) to both cash receipts and records.
Columns (7)-(12): M Y Y Y
Laws, regulations, contracts, and grant agreements:[27]
ICO 9. [Based on the description of the provision, document the control objective.]
Columns (7)-(12): M Y Y Y

[26] Segregation-of-duties controls are a type of safeguarding control and are often crucial to the effectiveness of controls, particularly over liquid, readily marketable assets that are highly susceptible to theft, loss, or misappropriation. If there is inadequate segregation of duties, the auditor should identify the specific affected account assertions in columns 2 and 3.
[27] The auditor may commingle compliance controls (including budget) with financial reporting controls to the extent relevant, list them separately in this section, or present each of these types of controls in a separate SCE worksheet (see FAM 800 for examples of compliance SCE worksheets for laws and regulations). If the auditor chooses to list the compliance controls separately in this section, the auditor begins by inserting relevant control objectives and documents the effectiveness of the design and operation of the control activities in achieving the control objectives.
395 H Line Item Risk Analysis Form
.01 The auditor should use the LIRA form or equivalent to summarize, for significant
line items, specific risks of material misstatement to determine the nature, extent,
and timing of further audit procedures. The auditor should document any
significant risks, usually in the audit strategy, and evaluate them when designing
audit procedures but need not document them in the LIRA form. The auditor
should prepare a LIRA form or equivalent for each significant line item and
identify the significant accounts and related assertions.
.02 The auditor may complete the form as the related phases of the audit are
performed as follows:
Planning Phase:
In column 1, list each significant account name, and in column 2, the account
balance, as discussed in FAM 235. The auditor generally groups accounts
and applications together that share the same risks of material misstatement.
Insignificant accounts may be listed following the significant accounts. This
would allow the auditor to add all account balances to the line item total and
demonstrate that such balances are insignificant. In such cases, the cycle
matrix is not necessary.
In column 3, list each financial statement assertion (see FAM 235).
In columns 4 through 6, summarize any specific inherent, fraud, or control
risk factors that relate to the account and assertion from the audit strategy
(see FAM 260). The control risk factors include consideration of the entity-
level controls (control environment, entity risk assessment process,
monitoring, service organizations, and information and communication) (see
Green Book 10.09).
In column 7, list any mitigating factor(s) that may reduce the assessment of
control risk, risk of material misstatement, or both (see FAM 260.41).
In column 8, list the significant cycles and accounting applications that affect
each assertion.
Internal Control Phase:
In column 9, indicate the assessment of the effectiveness of the related
control activities for the assertion for each cycle and accounting application
as either effective or ineffective. This assessment is obtained from the related
SCE worksheet.
In column 10, assess the control risk for each assertion as either low,
moderate, or high (see FAM 370.07) and document the assessment. This
assessment is based on information included in columns 5 through 7 and
column 9.
In column 11, assess the risk of material misstatement for each assertion as
either low, moderate, or high (see FAM 370.09) and document the
assessment. This assessment is based on the auditor’s assessment of
inherent risk (column 4) and control risk (column 10), along with any
mitigating factors (column 7).
Testing Phase:
In column 12, identify the timing of audit procedures performed as either
interim (I) or final (F) (see FAM 420).
In column 13, briefly describe the nature and extent of audit procedures
performed (see FAM 420).
In column 14, provide a reference to the audit procedure step number(s) in
the testing audit plan.
.03 If the results of testing indicate that the preliminary assessment of the risk of
material misstatement was not appropriate, the auditor should document the
revised assessment in the LIRA form and provide a summary of the factors
contributing to the revised assessment in a memorandum, as appropriate.
.04 The auditor may also document insignificant line items and accounts in the LIRA
form rather than in the cycle matrix. Regardless, the auditor should document
that all accounts have been considered in the audit.
ENTITY: XYZ
DATE OF FINANCIAL STATEMENTS: 9/30/xx
LINE ITEM: Accounts Receivable - Net
LINE ITEM RISK ANALYSIS FORM
FILE: _____________
PREPARER & DATE _______________________
REVIEWER & DATE _______________________

Columns:
PLANNING PHASE
(1) Line item: Name
(2) Line item: Balance
(3) Financial statement assertions
(4) Inherent risk factors
(5) Fraud risk factors
(6) Control risk factors
(7) Mitigating factors
(8) Cycle/accounting application
INTERNAL CONTROL PHASE
(9) Effectiveness of control activities
(10) Control risk
(11) Risk of material misstatement
TESTING PHASE
(12) Timing I/F
(13) Nature & extent
(14) Audit plan testing step

(1) Line item name: Accounts Receivable - Net
(2) Balance: $876,000,000

(3) Assertion: Existence or occurrence
(4) Inherent risk factors: No significant inherent risk factors identified.
(5) Fraud risk factors: No significant fraud risk factors identified.
(6) Control risk factors: No significant control risk factors identified.
(7) Mitigating factors: No mitigating factors identified.
(8)/(9) Cycle/accounting application and effectiveness of control activities: Sales/billing, Effective; Sales returns, Effective; Cash receipts, Effective; Accounts receivable, Effective
(10) Control risk: Low
(11) Risk of material misstatement: Low
(12) Timing: F
(13) Nature & extent: Confirm balances and test reconciliation of subsidiary ledger to the general ledger.
(14) Audit plan testing step: AR Testing Plan III-5 to III-7

(3) Assertion: Completeness
(4) Inherent risk factors: No significant inherent risk factors identified.
(5) Fraud risk factors: No significant fraud risk factors identified.
(6) Control risk factors: No significant control risk factors identified.
(7) Mitigating factors: No mitigating factors identified.
(8)/(9) Cycle/accounting application and effectiveness of control activities: Sales/billing, Effective; Sales returns, Effective; Cash receipts, Effective; Accounts receivable, Effective
(10) Control risk: Low
(11) Risk of material misstatement: Low
(12) Timing: F
(13) Nature & extent: Perform analytical procedures. Test cutoff.
(14) Audit plan testing step: AR Testing Plan III-8 to III-12
(3) Assertion: Accuracy, valuation, and allocation
(4) Inherent risk factors: The bankruptcy filing by a major debtor and the financial difficulties of several other debtors in the current economic environment give rise to an inherent risk.
(5) Fraud risk factors: No significant fraud risk factors identified.
(6) Control risk factors: No significant control risk factors identified.
(7) Mitigating factors: No mitigating factors identified.
(8)/(9) Cycle/accounting application and effectiveness of control activities: Sales/billing, Effective; Sales return, Effective; Cash receipts, Effective; Accounts receivable, Effective
(10) Control risk: Low
(11) Risk of material misstatement: Moderate
(12) Timing: F
(13) Nature & extent: Confirm balances (see Existence), test the accuracy of the aging, analytically review bad debts and allowance, and examine evidence of collectability for selected accounts receivable. Discuss with management collectability from troubled debtors.
(14) Audit plan testing step: AR Testing Plan III-13 to III-18

(3) Assertion: Rights and obligations
(4) Inherent risk factors: No significant inherent risk factors identified.
(5) Fraud risk factors: No significant fraud risk factors identified.
(6) Control risk factors: No significant control risk factors identified.
(7) Mitigating factors: No mitigating factors identified.
(8)/(9) Cycle/accounting application and effectiveness of control activities: Accounts receivable, Effective
(10) Control risk: Low
(11) Risk of material misstatement: Low
(12) Timing: F
(13) Nature & extent: Identify accounts receivable from related parties or major debtors. Review confirmations for indication of guarantees or encumbrances.
(14) Audit plan testing step: AR Testing Plan III-19 to III-22

(3) Assertion: Presentation and disclosure
(4) Inherent risk factors: No significant inherent risk factors identified.
(5) Fraud risk factors: No significant fraud risk factors identified.
(6) Control risk factors: No significant control risk factors identified.
(7) Mitigating factors: No mitigating factors identified.
(8)/(9) Cycle/accounting application and effectiveness of control activities: Accounts receivable, Effective
(10) Control risk: Low
(11) Risk of material misstatement: Low
(12) Timing: F
(13) Nature & extent: Determine appropriateness of note disclosures using the Federal Financial Reporting Checklist (FAM Volume 3). Summarize and test credit risk note disclosures. Review accounting principles used.
(14) Audit plan testing step: AR Testing Plan III-23 to III-25, IV-16

Line Item Total: $876,000,000
SECTION 400
Testing Phase
Contents of the Testing Phase
Introduction FAM
Overview of the FAM Methodology 110
Planning Phase FAM
Overview of the Planning Phase 210
Perform Preliminary Engagement Activities 215
Understand the Entity’s Operations 220
Perform Preliminary Analytical Procedures 225
Determine Materiality 230
Identify Significant Line Items, Accounts, and Assertions 235
Identify Significant Accounting Applications, Cycles, and Financial Management Systems 240
Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and Grant Agreements 245
Identify Relevant Budget Restrictions 250
Identify Risk Factors 260
Determine Likelihood of Effective IS Controls 270
Identify Relevant Operations Controls to Evaluate and Test 275
Plan Other Audit Procedures 280
Plan Locations to Test 285
Documentation 290
Internal Control Phase FAM
Overview of the Internal Control Phase 310
Understand Information Systems 320
Identify Control Objectives 330
Identify and Understand Relevant Control Activities 340
Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with FFMIA 350
Perform Tests of Controls and Compliance with FFMIA 360
Assess Internal Control on a Preliminary Basis 370
Other Considerations 380
Documentation 390
Testing Phase FAM
Overview of the Testing Phase 410
Design the Nature, Extent, and Timing of Further Audit Procedures 420
Design Tests 430
Perform Tests and Evaluate Results 440
Perform Sampling Control Tests 450
Perform Compliance Tests 460
Perform Substantive Procedures -- Overview 470
Perform Substantive Analytical Procedures 475
Perform Substantive Detail Tests 480
Documentation 490
Reporting Phase FAM
Overview of the Reporting Phase 510
Perform Overall Analytical Procedures 520
Reassess Materiality and Risks of Material Misstatement 530
Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports 540
Audit Exposure (Further Evaluation of Audit Risk) 545
Perform Other Reporting Phase Audit Procedures 550
Determine Whether Financial Statement Presentation is in Accordance with U.S. GAAP 560
Determine Compliance with GAO/CIGIE Financial Audit Manual 570
Draft Reports 580
Documentation 590
410 Overview of the Testing Phase
.01 Based on AU-C 500.06, audit evidence is information used by the auditor in
arriving at the conclusions on which the auditor’s reports are based. Audit
evidence is information to which audit procedures have been applied and
consists of information that corroborates or contradicts assertions in the financial
statements. During the testing phase of the audit, the auditor gathers sufficient
appropriate audit evidence to report on
the entity’s financial statements;
the entity’s internal control;
whether the entity’s financial management systems are in substantial
compliance with the three requirements of Federal Financial Management
Improvement Act of 1996 (FFMIA) (for Chief Financial Officers Act of 1990
(CFO Act) agencies); and
the entity’s compliance with significant provisions of applicable laws,
regulations, contracts, and grant agreements.
.02 The auditor should evaluate information to be used as audit evidence by taking
into account
the relevance and reliability of the information, including its source, and
whether such information corroborates or contradicts assertions in the
financial statements (AU-C 500.07).
The relevance of the information to be used as audit evidence relates to the
logical connection with, or bearing upon, the auditor’s purposes (AU-C 500.A19).
The reliability of audit evidence depends on the nature and source of the audit
evidence and the circumstances under which it is obtained (AU-C 500.A22). The
reliability of information to be used as audit evidence is affected to varying
degrees by its accuracy, completeness, authenticity, and susceptibility to
management bias (AU-C 500.A27). Contradictory information may be relevant
even when the source of that information is less reliable than the source of
corroborative information (AU-C 500.A37).
.03 The auditor’s evaluation of the information to be used as audit evidence should
include
• evaluating whether the information is sufficiently precise and detailed for the
  auditor’s purposes and
• obtaining audit evidence about the accuracy and completeness of the
  information, as necessary (AU-C 500.08).
.04 Audit sampling is often used in audit testing.¹ The auditor uses professional
judgment,² as well as knowledge of sampling methods, in applying audit
sampling. When designing an audit sample, the auditor should consider the
purpose of the audit procedure and the characteristics of the population from
which the sample will be drawn (AU-C 530.06). FAM 400 provides a framework
for applying audit sampling to financial audits but is not a comprehensive
discussion. Additional background and guidance on audit sampling is provided in
the American Institute of Certified Public Accountants’ (AICPA) audit guide, Audit
Sampling.
The auditor generally should consult with an audit sampling specialist for
assistance in designing and evaluating audit samples and in evaluating the costs
and benefits when deciding the appropriate type of audit sampling to use, unless
the auditor determines only basic statistical concepts are applied.
.05 During this phase, the auditor performs activities for each type of test to
• determine the nature, extent, and timing of further audit procedures
  (FAM 420);
• design tests (FAM 430); and
• perform tests and evaluate results (FAM 440).
.06 The types of procedures performed in the testing phase are as follows:
• Sampling control tests may be performed by the auditor to obtain
  evidence about achieving specific control objectives. If the auditor obtains
  sufficient evidence regarding the effectiveness of controls through control
  tests performed in the internal control phase (see FAM 360), sampling control
  tests are not necessary. Further guidance on sampling control tests is in FAM
  450.
• Compliance tests are performed by the auditor to obtain evidence about
  compliance with significant provisions of applicable laws, regulations,
  contracts, and grant agreements. Further guidance on compliance tests is in
  FAM 460.
• Substantive procedures are performed by the auditor to obtain evidence
  that provides reasonable assurance about whether the financial statements
  and related assertions are free of material misstatement. Further guidance on
  substantive procedures is in FAM 470, FAM 475, and FAM 480.
.07 Audit documentation of the nature, extent, and timing of procedures performed
during this test phase, as well as conclusions reached, is discussed in FAM 490.
¹ Audit testing can be performed using either audit sampling or nonstatistical selection. Audit sampling methods
involve selecting individual items from a population with the objective of reaching a conclusion on all the items in the
population. Audit sampling can be either statistical (intended to be representative of and statistically projected to the
population) or nonstatistical (intended to be representative of but not statistically projectable to the population).
Nonstatistical selection involves selecting items to reach a conclusion only on the items tested.
² All decisions should be documented and supported.
420 Design the Nature, Extent, and Timing of Further Audit
Procedures
Design Further Audit Procedures
.01 As discussed in FAM 200 (Planning Phase) and FAM 300 (Internal Control
Phase), the auditor performs risk assessments in planning procedures for
obtaining audit evidence about control effectiveness and about assertions in
account balances and classes of transactions. Obtaining audit evidence is a
cumulative process.
.02 If information to be used as audit evidence has been prepared using the work of
management’s specialists (those with expertise in a field other than accounting or
auditing, such as actuarial calculations, valuations, or engineering data), see
FAM 625.
.03 The auditor should design and implement overall responses to address the
assessed risks of material misstatement at the financial statement level
(AU-C 330.05). The auditor should design and perform further audit procedures
whose nature, extent, and timing are based on, and are responsive to, the
assessed risks of material misstatement at the relevant assertion level and in a
manner that is not biased toward obtaining audit evidence that may be
corroborative or toward excluding audit evidence that may be contradictory.
When evaluating audit evidence with respect to the assessed risks of material
misstatement, the auditor maintains professional skepticism, including when
considering information that may be used as audit evidence and what procedures
would be appropriate in the circumstances (AU-C 330.06 and AU-C 500.A68). In
designing the further audit procedures to be performed, the auditor should
a. consider the reasons for the assessed risk of material misstatement at the
relevant assertion level for each class of transactions, account balance, and
note disclosure, including
• the likelihood of material misstatement due to the particular
  characteristics of the relevant class of transactions, account balance, or
  note disclosure (the inherent risk) and
• whether the risk assessment takes account of relevant controls (the
  control risk), thereby requiring the auditor to obtain audit evidence to
  determine whether the controls are operating effectively (that is, the
  auditor intends to rely on the operating effectiveness of controls in
  determining the nature, timing, and extent of substantive procedures),
and
b. obtain more persuasive audit evidence the higher the auditor’s assessment of
risk (AU-C 330.07).
The design of specific audit procedures is further discussed in FAM 430;
sampling control tests in FAM 450; compliance tests in FAM 460; FFMIA tests in
FAM 701 and 701 A; and substantive procedures in FAM 470, FAM 475, and
FAM 480.
Determine the Nature of Tests
.04 Further audit procedures consist of tests of controls and substantive procedures.
The auditor should determine the nature of sampling control tests, compliance
tests, and substantive procedures that will achieve the audit objectives.
.05 Substantive procedures are classified as either substantive analytical procedures
or detail tests. Substantive analytical procedures involve comparing the recorded
test amount with the auditor’s expectation of the recorded amount and
investigating any significant differences between these amounts. Further
information on substantive analytical procedures is in FAM 475.
.06 The higher the auditor’s assessment of risk of material misstatement, the more
reliable and relevant the audit evidence from substantive procedures needs to
be. The auditor should determine the nature of the population and the objectives
of the test procedures.
Determine the Extent of Tests
.07 For each type of test, the auditor should determine the extent of tests to be
performed. The extent of sampling control tests is a function of the auditor’s
preliminary assessment of the risk of material misstatement, tolerable rate of
deviation, and the rate of control deviations expected.³ The extent of compliance
tests is a function of the effectiveness of compliance controls. The extent of
substantive procedures is a function of the risk of material misstatement,
expected misstatement, and tolerable misstatement.
Determine the Timing of Tests
.08 If substantive procedures are performed at an interim date, the auditor should
cover the remaining period by performing (a) substantive procedures, combined
with tests of controls for the intervening period, or (b) if the auditor determines
that it is sufficient, further substantive procedures only, that provide a reasonable
basis for extending the audit conclusions from the interim date to the period-end
(AU-C 330.23). As discussed in FAM 295 D, the auditor may conduct tests
before the date of the financial statements (interim testing) or conduct all tests as
of the date of the financial statements. FAM 495 C provides guidance on interim
testing, tests of the period between the interim date and the date of the financial
statements (the roll-forward period), and related documentation.
³ The rate of control deviations expected is an anticipation of the deviation rate in the entire population.
430 Design Tests
.01 After considering the risk of material misstatement discussed in FAM 420, the
auditor should design specific tests to be performed. To realize efficiencies in
tests that involve audit sampling, the auditor can perform several tests on a
common sample (multipurpose testing).⁴ The auditor generally should minimize
the number of separate sampling applications performed on the same population
by attempting to effectively achieve as many objectives as possible using the
items selected for testing.
.02 When designing control, compliance, and detail tests, the auditor should
determine the means of selecting items for testing that are effective in meeting
the purpose of the audit procedure (AU-C 330.25). Items can be selected using
either audit sampling methods or nonstatistical selection. Audit sampling
methods involve selecting individual items from a population with the objective of
reaching a conclusion on all the items in the population. Audit sampling can be
either statistical (intended to be representative of and statistically projected to the
population) or nonstatistical (intended to be representative of but not statistically
projectable to the population). Nonstatistical selection involves selecting items to
reach a conclusion only on the items tested.
For control tests, the auditor generally should use nonstatistical selection (FAM
360) or statistical sampling (FAM 450). For compliance tests, the auditor
generally should use statistical sampling (FAM 460). For detail tests, the auditor
may use any of the selection methods (i.e., nonstatistical selection, statistical
sampling, and nonstatistical sampling) discussed in FAM 480, as appropriate.
.03 When determining the selection method to use during a multipurpose test, the
auditor generally should use the selection method appropriate for substantive
detail tests in the particular situation. This selection method is usually the most
efficient because generally sampling control and compliance tests may be based
on any type of audit sample.
For example, the auditor may use a statistical sample of property additions to
(a) substantively test the amount of additions and (b) test financial reporting
controls over property acquisition. If a substantive test would require 135 sample
items selected using monetary unit sampling (MUS) and if the test of financial
reporting controls would require 45 sample items, the auditor may either test
controls relating to all 135 sample items or select a separate sample of 45
sample items from the general population for control testing.
.04 In using multipurpose testing, the auditor may have begun substantive
procedures before determining whether the test of controls supports the auditor’s
assessed level of control risk. Therefore, an auditor planning to use multipurpose
testing will have made a preliminary judgment that there is an acceptably low risk
that the rate of deviations from the prescribed control in the population exceeds
the tolerable rate of deviations the auditor is willing to accept without altering the
planned assessed level of control risk (see the AICPA’s audit guide, Audit
Sampling).
It should be noted that multipurpose tests may not be efficient if conducted during
the first 2 years of a new audit. This is because the auditor may not be as aware
of the operating effectiveness of the controls in place at an entity in a new audit,
and the rate of deviation may be higher than expected.
⁴ In addition to number of sampling applications, many factors influence efficiency, such as sample size, number of
locations it is necessary to visit to achieve audit objectives, nature of the audit procedures, extent of review required,
and whether rework can be avoided by designing easy-to-follow procedures.
440 Perform Tests and Evaluate Results
.01 The auditor should perform the planned tests as designed in FAM 420 and FAM
430 and should evaluate the results of each type of test separately, without
respect to whether the items were chosen as part of a multipurpose test.
Guidance on performing and evaluating the results is presented for each type of
test in the following sections:
FAM 450 Sampling Control Tests
FAM 460 Compliance Tests
FAM 470 Substantive Procedures
.02 The auditor should evaluate (a) the results of the audit sample, including
sampling risk, and (b) whether the use of audit sampling has provided a
reasonable basis for conclusions about the population that has been tested
(AU-C 530.14).
If the results of tests are different from what was expected during design of the
tests, the auditor may want to expand the audit sample to test additional items;
however, this is usually not appropriate. In a well-designed audit sample, the
expanded sample will not usually materially change the sample results. For MUS
and attribute samples, unless the auditor plans for the expansion of the sample in
advance,⁵ expansion of the sample is generally not appropriate. See the AICPA’s
audit guide, Audit Sampling, for further guidance. The auditor should consult with
the audit sampling specialist before expanding any samples (see FAM 450.20,
FAM 460.02, and FAM 480.29).
.03 The auditor should evaluate the effect of the findings of the substantive
procedures performed in the audit of financial statements on the effectiveness of
internal control over financial reporting. This should include, at a minimum, the
following:
• The risk assessments in connection with the selection and application of
  substantive procedures, especially those related to fraud.
• Findings with respect to illegal acts and transactions with disclosure entities,
  related parties, and public-private partnerships.
• Indications of management bias in making accounting estimates and in
  selecting accounting principles.
• Misstatements detected by substantive procedures. The extent of such
  misstatements might alter the auditor’s judgment about the effectiveness of
  controls. The absence of misstatements detected by substantive procedures,
  however, does not provide audit evidence that controls related to the relevant
  assertion being tested are effective (AU-C 330.16).
.04 In evaluating information to be used as audit evidence, the auditor should
consider whether the results of audit procedures provide a basis for concluding
on the sufficiency and appropriateness of audit evidence obtained (AU-C
500.09).
⁵ Usually, this is covered by selecting a larger audit sample than needed. If the auditor believes a larger audit sample
is necessary, the auditor generally should consult with an audit sampling specialist.
.05 The auditor should determine whether modifications or additions to audit
procedures are necessary to resolve inconsistencies in, or doubts about the
reliability of, audit evidence, including when
• audit evidence obtained from one source is inconsistent with that obtained
  from another source or
• the results of an audit procedure are inconsistent with the results of another
  audit procedure (AU-C 500.10).
Evaluate the Risk of Material Misstatement
.06 Evaluating the risk of material misstatement due to errors or fraud is a
cumulative, ongoing process throughout the audit (as discussed in FAM 260).
During testing, the auditor may become aware of additional fraud risk factors or
other conditions that may affect the auditor’s evaluation of the risk of material
misstatement, such as
• discrepancies in the accounting records,
• conflicting or missing evidential matter, or
• problematic or unusual relationships between management and the entity
  being audited.
In response to fraud risk factors or other conditions, the auditor should evaluate
whether to perform additional or different audit procedures (see FAM 540.21
.23), including consultation with the Special Investigator Unit and Office of the
General Counsel (OGC).
450 – Perform Sampling Control Tests
.01 The auditor should design and perform tests of controls to obtain sufficient
appropriate audit evidence about the operating effectiveness of relevant controls
if
• the auditor’s assessment of the risks of material misstatement at the relevant
  assertion level includes an expectation that the controls are operating
  effectively (that is, the auditor intends to rely on the operating effectiveness of
  controls in determining the nature, timing, and extent of substantive
  procedures) or
• substantive procedures alone do not provide sufficient appropriate audit
  evidence at the relevant assertion level (AU-C 330.08).
In designing and performing tests of controls, the auditor should obtain more
persuasive audit evidence the greater the reliance the auditor places on the
effectiveness of a control (AU-C 330.09).
According to Office of Management and Budget (OMB) audit guidance, for those
controls that have been suitably designed and implemented, the auditor should
perform sufficient tests of such controls to conclude whether the controls are
operating effectively (i.e., sufficient tests of controls to support a low level of
assessed control risk). Thus, the auditor should not elect to forgo control tests
because it is more efficient to extend substantive and compliance audit
procedures.
.02 The auditor may test controls that provide documentary evidence of their
existence and application by inspecting this evidence. If the auditor cannot obtain
sufficient evidence by performing control tests in the internal control phase (see
FAM 360), the auditor may obtain more evidence by inspecting individual items
selected using audit sampling procedures in the testing phase.
For efficiency, the auditor may use a single statistical sample to test a
combination of controls, compliance, and balances (test of details) (i.e.,
multipurpose testing). Alternatively, the auditor may design a statistical sample to
test controls alone. In this case, the auditor should use attribute sampling,
selected either randomly or systematically where appropriate, as described
beginning in FAM 450.06.
.03 When planning sampling control tests, the auditor should determine a sample
size sufficient to reduce sampling risk to an acceptably low level (AU-C 530.07).
The auditor should determine
• the objectives of the test (including what constitutes a deviation),
• the population (including sampling unit and time frame),
• the method of selecting the statistical sample, and
• the sample design and resulting sample size.
The auditor should include the sampling plan in the audit documentation. See
FAM 495 D for example documentation.
Document Objectives of the Tests
.04 The auditor should document the objectives of each control test. In designing
statistical samples for control tests, the auditor should plan to evaluate operating
effectiveness in terms of the rate of deviations in units or dollars from prescribed
controls. This involves defining (1) the specific control to be tested and (2) what
constitutes an error, exception, or control failure. The auditor should define
control deviations in terms of control activities not followed. For example, the
auditor may define a deviation in cash disbursements as “invoice not approved
and initialed by an authorized individual.”
For financial reporting control tests, the objective is to support the preliminary
assessment of control risk as either moderate or low. For compliance and
operations control tests, the objective is to support the preliminary assessment of
the control as effective. In addition, for financial reporting and compliance control
tests, the objective is obtaining evidence to support the auditor’s report on
internal control.
Define the Population
.05 In defining the population, the auditor should identify the whole set of items on
which the auditor needs to reach a conclusion and from which the statistical
sample will be drawn. This includes
• describing the population,
• conducting data reliability tests to determine whether the population is
  complete and valid,
• determining the source document or the transaction documents to be tested,
  and
• defining the period covered by the test.
When multiple locations are involved, the auditor should determine whether to
use one population of all or several locations, or whether to use separate
populations. The auditor may be able to use one population if the controls at
each location are components of one overall control system. In making this
decision, the auditor may evaluate such factors as
• the extent of uniformity of the controls and their applications at each location,
• whether significant changes can be made to the controls or their applications
  at the local level,
• the amount and nature of centralized oversight or control over local
  operations, and
• whether there could be a need for separate conclusions for each location.
If the auditor concludes that the locations are separate populations, the auditor
should select separate statistical samples at each location and evaluate the
results of each statistical sample separately.
Choose Method of Selection
.06 The auditor should select items for the statistical sample in such a way that the
auditor can reasonably expect the sample to be representative of the relevant
population and likely to provide the auditor with a reasonable basis for
conclusions about the population (AU-C 530.08). For tests of controls, attribute
sampling achieves this objective. Attribute sampling requires random or
systematic, if appropriate, selection of sample items without considering the
transaction’s dollar amount or other special characteristics. The auditor may also
use computer software, such as IDEA, to make random selections.
Determine Sample Size
.07 To determine the sample size, the auditor uses professional judgment to
determine four factors:
• tolerable rate of deviation of the population to be tested (maximum rate of
  deviations from the prescribed control that the auditor is willing to accept
  without altering the preliminary control risk);
• expected rate of deviation of the population to be tested (expected error rate);
• the desired level of assurance (complement of risk of overreliance) that the
  tolerable rate of deviation is not exceeded by the actual rate of deviation in
  the population -- the auditor may decide the desired level of assurance based
  on the extent to which the auditor’s risk assessment takes into account
  relevant controls (AU-C 530.A13); and
• confidence level.
Once the auditor determines these factors, the auditor may use computer
software (such as IDEA) to determine sample size and to select statistical
samples for testing. The auditor may also use tables I and II in figure 450.1 to
determine sample size and to evaluate test results for controls that operate more
frequently than weekly.⁶
⁶ Tables I and II assume a population over 5,000 items. If the population is smaller, the auditor may ask the audit
sampling specialist to calculate a reduced sample size and to evaluate the results. The effect is generally small
unless the sample size per the table is more than 10 percent of the population.
Figure 450.1: Sample Sizes and Acceptable Numbers of Deviations
(90 percent confidence level)

Table I: Tolerable rate of deviation of 5 percent
(Use for determining sample sizes in all cases)

Sample size    Acceptable number of deviations
45             0
78             1
105            2
132            3
158            4

Table II: Tolerable rate of deviation of 10 percent
(Use for evaluating sample results only if preliminary assessment of control
risk is low and deviations exceed those in table I)

Sample size    Acceptable number of deviations
45             1
78             4
105            6
132            8
158            10

The auditor may use table I to determine the sample sizes necessary to support
the preliminary assessments of controls in all cases and to conclude on the
effectiveness of the controls. The auditor may use table II to evaluate sample
results only when the preliminary assessment of financial reporting control risk is
low and the number of deviations found exceeds the acceptable number of
deviations from table I.
The AICPA has other examples in its guidance, and the table factors are within
the range of the AICPA examples and are statistically valid. If an auditor chooses
to use factors other than tables I and II, the auditor generally should consult with
the audit sampling specialist.
.08 Tables I and II are based on a 90 percent confidence level. The auditor generally
uses this confidence level for sampling control tests because the auditor
generally obtains additional satisfaction on controls through other audit tests,
such as substantive procedures, inquiry, observation, and walk-throughs.
.09 Tables I and II are each based on different tolerable rates of deviation. Table I is
based on a tolerable rate of deviation of 5 percent, and table II is based on a
tolerable rate of deviation of 10 percent. Each table shows various sample sizes
and the maximum number of deviations that may be detected in each statistical
sample to rely on the controls at the determined control risk level. See FAM
450.12 through .15 for a discussion of the evaluation of test results.
.10 For financial reporting controls, if the preliminary assessment of control risk is low
or moderate, the auditor may use table I to determine sample size. For
compliance and operations controls, the auditor may use table I to determine
sample size.
.11 The auditor may use the sample size indicated for zero acceptable deviations (45
items) if the auditor expects no deviations. If no deviations are expected, this
sample size will be the most efficient for assessing control effectiveness. If no
deviations are found, this statistical sample will be sufficient to support the
assessment of control risk. However, the auditor may use a larger sample size if
control deviations are expected to occur but are not expected to exceed the
acceptable number of deviations in table I.
Evaluate Test Results
.12 Deviations from controls may be caused by factors such as changes in key
personnel, significant seasonal fluctuations in the volume of transactions, and
human error. If deviations from controls upon which the auditor intends to rely are
detected, the auditor should investigate the nature and cause of the deviations.
The investigation should include making specific inquiries to understand these
matters and their potential consequences. The auditor should evaluate their
possible effect on the purpose of the audit procedure and on other areas of the
audit. The auditor should also determine whether (a) the tests of controls that
have been performed provide an appropriate basis for reliance on the controls,
(b) additional tests of controls (such as compensating controls) are necessary,
and (c) the potential risks of misstatement need to be addressed using
substantive procedures (AU-C 330.17 and 530.12). In addition, the auditor
should determine whether any misstatements detected from the performance of
substantive procedures (see FAM 470, 475, and 480) alter the auditor’s judgment
as to the effectiveness of related controls.
Financial Reporting Controls
.13 To evaluate sample results, the auditor considers the sample size, the number of
deviations, and the confidence level. The auditor may use software (such as
IDEA), the tables above, or other tables to evaluate results.⁷ If the auditor used
table I to determine sample size, and deviations exceed the acceptable number
for the sample size, the auditor should follow the guidance below in deciding how
to revise the preliminary assessment of control risk.
• Low control risk. If the preliminary assessment of control risk is low and
  if deviations are noted that exceed the acceptable number for table I, but not
  table II, the auditor may reassess control risk as moderate. For example, if
  the original statistical sample was 45 items, the auditor may reassess control
  risk as moderate if there is not more than one deviation. If the auditor finds
  more than one deviation with a sample size of 45 items, the auditor should
  conclude that the controls being tested are not operating effectively and
  should reassess control risk as high. Based on this revised assessment, the
  auditor would change the risk of material misstatement and would reconsider
  the nature, extent, and timing of substantive procedures.
• Moderate control risk. If the preliminary assessment of control risk is
  moderate and if control deviations exceed the acceptable number for table I,
  the auditor should conclude that control risk is high. The preliminary
  assessment of control risk is based on the assumption that the controls
  operate as designed. If the preliminary assessment of control risk is moderate
  and if control tests indicate that the control is not operating as designed
  (because deviations exceed the acceptable number in table I), the auditor
  should conclude that the control is ineffective and revise the control risk
  assessment to high. Based on the revised assessment, the auditor would
  change the risk of material misstatement and would reconsider the nature,
  extent, and timing of substantive procedures.
⁷ Using the AICPA guidance, the auditor computes the deviation rate and the upper limit at the desired confidence
level (usually the same confidence level used to determine sample size). If the upper limit of deviations is less than
the tolerable rate of deviation, the results support the control risk assessment. If not, the auditor should increase the
assessed control risk when designing substantive procedures.
Compliance Controls
.14 If the auditor used table I to determine sample size and deviations exceed the
acceptable number for the sample sizes shown in the table, the auditor should
conclude that the compliance control is not effective. The auditor also should
determine whether any deviations noted ultimately resulted in noncompliance
with a significant provision of an applicable budget-related or other law,
regulation, contract, or grant agreement. Based on the revised assessment, the
auditor would change the risk of noncompliance and would reconsider the nature,
extent, and timing of tests of compliance.
Operations Controls
.15 If the auditor used table I to determine sample size and deviations exceed the
acceptable number for the sample sizes shown in the table, the auditor should
conclude that the operations control is not effective.
Other Considerations
.16 The auditor should perform audit procedures, appropriate to the purpose, on
each item selected (AU-C 530.09). If the designed audit procedure is not
applicable to the selected sample item, the auditor should perform the procedure
on a replacement item (AU-C 530.10). An example of when it is necessary to
perform the procedure on a replacement item is when a voided check is selected
while testing for evidence of payment authorization. If the auditor is satisfied that
the check has been properly voided such that it does not constitute a deviation,
an appropriately chosen replacement is examined (AU-C 530.A18). Consult with
the audit sampling specialist to select replacement items.
.17 If the auditor is unable to apply the designed audit procedures, or suitable
alternative procedures, to a selected item, the auditor should treat that item as a
deviation from the prescribed control (in the case of tests of controls) or a
misstatement (in the case of tests of details; see FAM 480) (AU-C 530.11).
In some circumstances, the auditor may not be able to apply the planned audit
procedures to selected sample items because, for example, the entity might not
be able to locate supporting documentation. The auditor's treatment of
unexamined items will depend on their effect on the auditor’s evaluation of the
statistical sample. If the auditor’s evaluation of the sample results would not be
altered by considering those unexamined items to be misstated, it may not be
necessary to examine the items, for example, if the aggregate amount of the
unexamined items, if treated as misstatements or deviations, would not cause
the auditor’s assessment of the amount of the misstatement or deviation in the
population to exceed tolerable misstatement or tolerable rate of deviation,
respectively. However, when this is not the case, the auditor should perform
alternative procedures that provide sufficient appropriate audit evidence to form a
conclusion about the sample item and use the results of these procedures in
assessing the sample results. If alternative procedures cannot be satisfactorily
performed in these cases, the auditor is required to treat the items as
misstatements or deviations, as appropriate, in evaluating the results of the
statistical sample. AU-C 240, Consideration of Fraud in a Financial Statement
Audit, also requires the auditor to consider whether the reasons for the auditor’s
inability to examine the items have implications with regard to assessing risks of
material misstatement due to fraud, the assessed level of control risk that the
auditor expects to be supported, or the degree of reliance on management
representations. (AU-C 530.A19)
.18 If, during the testing of sample items, the number of deviations exceeds the
acceptable number of deviations in table I or II (as applicable), the auditor should
conclude that controls are not operating effectively and decide whether to stop
further testing. In making this decision, the auditor should determine whether
there are reasons for continuing to test the remaining sample items. For
example, the engagement team may need to determine whether additional
information (such as an estimate of the population rate of occurrence) is needed
to report control deficiencies as described in FAM 580. An interval estimate may
help the auditor decide whether the deficiency is a material weakness, other
significant deficiency, or other control deficiency.
.19 The auditor should determine which elements of the finding (condition, cause,
criteria, possible effect, and recommendation or suggestion) need to be
developed. The auditor may decide to include an interval estimate in the report.
The auditor should consult with engagement team management and the audit
sampling specialist as applicable in deciding whether to complete the testing of
the statistical sample.
.20 If the auditor finds an unacceptable number of deviations in the original statistical
sample and the auditor believes the use of a larger sample size may result in an
acceptable number of deviations, the auditor generally should consult with the
audit sampling specialist before selecting additional sample items. The auditor
should not use a revised sample size and evaluate additional sample items
based on tables I or II or on the formulas used by certain audit software, such as
IDEA.
.21 The auditor should project the results of statistical sampling to the population
(AU-C 530.13). The auditor generally should consult with the audit sampling
specialist when projecting the rate of sample control deviations to a population
for disclosure in a report. If the auditor has used attribute sampling, the auditor
should project the deviation rate as a percentage of transactions. If the auditor
has used MUS (as part of multipurpose testing), the auditor should project the
deviations to the population as a net upper error limit (see FAM 480).
460 – Perform Compliance Tests
.01 The type of provision of a law, regulation, contract, or grant agreement and the
assessment of the effectiveness of compliance controls affect the nature and
extent of compliance testing. Based on the three categories of provisions (as
discussed in FAM 245.06), the auditor should perform the applicable compliance
tests discussed below.
The auditor should perform audit procedures, appropriate to the purpose, on
each item selected (AU-C 530.09). If the designed audit procedure is not
applicable to the selected sample item, the auditor should perform the procedure
on a replacement item (AU-C 530.10).
Transaction-Based Provisions
.02 To test transaction-based provisions, the auditor should use statistical sampling
to select specific transactions for compliance testing. The auditor may use the
same statistical sample to perform control tests (e.g., financial reporting,
compliance, or operations) and substantive tests, as appropriate (see FAM 430
for discussion of multipurpose testing). If the selection is solely for compliance
testing, the auditor generally should use a random attribute sample (see FAM
450.06). To determine sample size, the auditor should make judgments as to
confidence level, tolerable rate of deviation, and expected population deviation
rate. The auditor should determine confidence level based on compliance control
risk.
For example, if the auditor determines that compliance controls are effective, the
auditor may use an 80 percent confidence level, or if ineffective, a 95 percent
confidence level. Tolerable rate of deviation is the rate of transactions not in
compliance that could exist in a population without causing the auditor to believe
the noncompliance rate is too high. GAO auditors generally use a 5 percent
tolerable rate of deviation. Since the auditor will assess the impact of all identified
noncompliance, many auditors use zero as the expected population deviation
rate. Using the above factors yields the sample sizes in table 460.1.
Table 460.1: Compliance Controls, Confidence Level, and Minimum Sample Size

| Compliance controls | Confidence level (percentage) | Minimum sample size^a |
|---|---|---|
| Effective | 80 | 32 |
| Not effective | 95 | 58 |

^a This statistical sample has a tolerable rate of deviation of 5 percent, expected population deviation
rate of zero, and a population of more than 5,000 items. If the population is smaller, the auditor may
ask the audit sampling specialist to calculate a reduced sample size and evaluate the results.
Since the auditor usually reports compliance on an entity-wide basis, the auditor
may use these sample sizes on an entity-wide basis. Evaluation of test results is
discussed in FAM 460.06. The auditor should test the entire statistical sample,
even if instances of noncompliance are detected. If the auditor assessed
compliance controls on a preliminary basis as effective and the results of testing
indicated that this assessment is not appropriate, the auditor generally should
consult with the audit sampling specialist to determine the appropriate sample
size and selection procedures. If the auditor decides to expand the original
statistical sample (instead of reselecting an entirely new sample), the auditor
should select additional items needed to increase the sample size using the
random number used to select the original statistical sample. The audit sampling
specialist generally should evaluate results when the auditor expands a test.
Quantitative-Based Provisions
.03 Effective compliance controls provide reasonable assurance that the
accumulation (or summarization) of transactional information is accurate,
complete, and within authorized limits. If compliance controls do not provide such
reasonable assurance, the auditor should test the accumulated information
directly for existence, completeness, and summarization. Such tests may be
performed on either statistical samples or nonstatistical selections. The auditor
should design tests to detect misstatements that exceed either an auditor-
determined percentage of the total amount of the accumulated information or the
amount of the restriction stated in the provision, if any. GAO auditors generally
use 5 percent of the total amount of the accumulated information as the tolerable
misstatement for this test.
The auditor may discontinue such tests if significant misstatements in the
accumulated information are noted that would preclude compliance. The test for
compliance is the comparison of the accumulated information with any
restrictions on the amounts stated in the identified provision. See FAM 245.06 for
a description of these restrictions.
.04 If the auditor determines that provisions of applicable budget-related laws and
regulations are significant, and if related budget and, consequently, compliance
controls are ineffective, the auditor should test the accumulated or summarized
information directly for the following potential misstatements in budget execution
information:
• Occurrence/validity. Recorded amounts are not valid. (See FAM 395 F for
occurrence/validity criteria for obligations, expended authority, and outlays.)
• Completeness. Not all amounts that should have been recorded are
recorded.
• Cutoff. Obligations, expended authority, and outlays are not recorded in the
proper period.
• Accuracy. Obligations, expended authority, and outlays are not recorded at
the proper amounts.
• Classification. Obligations, expended authority, and outlays are not
recorded in the proper account by program and by object, if applicable,
including the proper appropriation year if the account has multiple years.
(Examples of program and object classifications are provided in FAM 395 F.)
• Summarization. Transactions are not properly summarized to the respective
account totals.
An example of audit procedures to test for these misstatements is included in
FAM 495 B.
Procedural-Based Provisions
.05 In testing compliance controls relating to a procedural-based provision, the
auditor should obtain sufficient evidence to conclude whether the entity
performed the procedure and therefore complied with the provision. An example
of a procedural-based provision could be when an entity is required to obtain
certain information from grantees. In this case, the auditor would obtain evidence
of whether such information was received and therefore whether the entity
complied with the provision. If compliance control tests do not provide sufficient
evidence to determine compliance, the auditor should perform additional
procedures, as necessary, to obtain such evidence.
Evaluating Test Results
.06 For any suspected instances of noncompliance noted in connection with the
procedures described above or other audit procedures, the auditor should do the
following:
a. Obtain (1) an understanding of the nature of the noncompliance and the
circumstances in which it occurred and (2) further information to evaluate the
possible effect on the financial statements (AU-C 250.17).
b. Investigate the nature and cause of any deviations or misstatements
identified and evaluate their possible effect on the purpose of the audit
procedure and on other areas of the audit (AU-C 530.12).
c. Discuss the matter with management (at a level above those involved with
the suspected noncompliance, if possible) and, when appropriate, those
charged with governance. If management or, as appropriate, those charged
with governance do not provide sufficient information that supports that the
entity is in compliance with significant provisions of applicable laws,
regulations, contracts, and grant agreements, and in the auditor’s
professional judgment the effect of the suspected noncompliance may be
material to the financial statements, the auditor should consider the need to
obtain legal advice (AU-C 250.18). If sufficient information about suspected
noncompliance cannot be obtained, the auditor should evaluate the effect of
the lack of sufficient appropriate audit evidence on the auditor’s opinion (AU-
C 250.19).
d. If the auditor suspects that management or those charged with governance
are involved in noncompliance, communicate the matter to the next higher
level of authority at the entity, if it exists. When no higher authority exists, or if
the auditor believes that the communication may not be acted upon or is
unsure about the person to whom to report, the auditor should consider the
need to obtain legal advice (AU-C 250.23).
e. Discuss such suspected instances of noncompliance with OGC and, when
appropriate, the Special Investigator Unit and conclude whether
noncompliance has occurred and the implications of any noncompliance.
f. Identify the deficiency in compliance controls that did not prevent or detect
and correct the noncompliance, if it was not previously identified during
compliance control testing.
g. Report any material weaknesses and significant deficiencies in compliance
controls and determine the effect, if any, on the report (or opinion) on internal
control (see FAM 580).
h. Determine the implications of any instances of noncompliance on the
financial statements.
i. Determine the implications of any instances of noncompliance in relation to
other aspects of the audit, including the auditor’s risk assessment and the
reliability of management’s representations (AU-C 250.20).
j. Report instances of noncompliance, as appropriate (see FAM 580.91–.99).
470 – Perform Substantive Procedures Overview
.01 In the internal control phase, the auditor performs a preliminary assessment of
control risk and the risk of material misstatement for each significant assertion
within each significant line item or account based on the evaluation of the design
and implementation of internal control and the results of control tests completed
through the internal control phase (see FAM 370). In the testing phase, the
auditor plans and performs further audit procedures to respond to the risk of
material misstatement.
The preliminary assessment of control risk and the risk of material misstatement
should be updated for any control tests completed in the testing phase using
audit sampling procedures (see FAM 450). If the auditor plans to perform
multipurpose testing (see FAM 430), and thus will not have completed control
tests prior to performing substantive procedures, the auditor should plan and
perform substantive procedures based on the preliminary assessment of risk in
the internal control phase.
Based on the assessed risk of material misstatement, the auditor should design
and perform substantive procedures for relevant assertions related to each
material class of transactions (such as payroll or nonpayroll expenditures), line
items (such as Fund Balance with Treasury (FBWT)), and account balances
(such as individual FBWT accounts). However, irrespective of the assessed risks
of material misstatement, the auditor should design and perform substantive
procedures for all relevant assertions related to each material class of
transactions, account balance, and note disclosure (AU-C 330.18). Additionally, if
the auditor has determined that an assessed risk of material misstatement at the
relevant assertion level is a significant risk, the auditor should perform
substantive procedures that are specifically responsive to that risk. When the
approach to a significant risk consists only of substantive procedures, those
procedures should include tests of details (AU-C 330.22).
.02 The auditor’s objective during substantive procedures is to determine whether
assertions are materially misstated and to form an opinion about whether the
financial statements as a whole are presented fairly, in all material respects, in
accordance with U.S. generally accepted accounting principles (U.S. GAAP). To
determine if assertions are misstated, the auditor should design substantive
procedures to detect each of the potential misstatements in assertions that were
developed in the internal control phase (see FAM 330).
The auditor’s substantive procedures also should include audit procedures
related to the financial statement closing processes, such as
• agreeing or reconciling information in the financial statements with the
underlying accounting records, including agreeing or reconciling information
in the note disclosures, whether such information is obtained from within or
outside of the general ledger and subsidiary ledgers (AU-C 330.21a), and
• examining material journal entries and other adjustments made during the
course of preparing the financial statements (AU-C 330.21b).
In addition, the auditor should determine whether efficiencies can be achieved by
using the concepts of directional testing, as discussed in FAM 470.15 through
.21.
.03 As discussed in FAM 260.02, detection risk is the risk that the auditor will not
detect a material misstatement that exists in an assertion. Substantive audit
assurance is the complement of detection risk and equals 100 percent minus
detection risk. The auditor should determine the substantive audit assurance
needed based on the risk of material misstatement. The higher the risk of
material misstatement, the more substantive audit assurance the auditor needs.
Audit assurance relates to the entire audit and can be achieved using a
combination of control tests and substantive tests. The auditor performs control
tests to assess the risk of material misstatement. Based on the assessed risk of
material misstatement, the auditor determines the substantive audit assurance
needed to achieve the desired level of audit assurance for the entire audit. For a
desired audit assurance of 95 percent, GAO auditors generally use the minimum
substantive audit assurance indicated in table 470.1 for each risk level.
Table 470.1: Risk of Material Misstatement and Minimum Substantive Audit Assurance
(Desired audit assurance of 95 percent)

| Assessed risk of material misstatement based on control tests | Minimum substantive audit assurance (percentage) |
|---|---|
| Low | 63 |
| Moderate | 86 |
| High | 95 |
Types of Substantive Procedures
.04 There are two types of substantive procedures: (1) substantive analytical
procedures and (2) tests of details. To achieve the substantive audit assurance
as discussed above, the auditor may use either of these tests or a combination of
the two. The type of test to use and the amount of reliance to place on each type
of procedure is a matter of the auditor’s professional judgment, including
considerations of audit effectiveness and efficiency. To determine an appropriate
mix of substantive procedures, the auditor may use the audit matrix in FAM
470.11.
Substantive Analytical Procedures
.05 Substantive analytical procedures involve the auditor comparing a recorded
amount with an expectation of that amount and subsequently investigating any
significant differences to conclude on the recorded amount. Analytical
procedures involve the auditor analyzing plausible relationships among both
financial and nonfinancial data. A basic premise is that plausible relationships
among data may reasonably exist and continue in the absence of errors, fraud,
or changes in circumstances (see AU-C 520).
.06 The auditor may perform substantive analytical procedures at one of three levels
for an assertion:
• Complete. The auditor relies solely on substantive analytical procedures for
all of the assurance required from substantive procedures. The procedure is
so persuasive that the auditor believes that it is highly likely to detect any
aggregate misstatements that exceed performance materiality. Complete
assurance from substantive analytical procedures requires procedures that
are extremely effective and persuasive to serve as the sole source of audit
evidence for achieving the audit objective. This level of effectiveness or
persuasiveness is very difficult to achieve when risk of material misstatement
is high. Therefore, relying completely on analytical procedures for substantive
audit assurance in these situations is rare, particularly for balance sheet
accounts.
• Partial. The auditor relies on a combination of analytical procedures and
tests of details to obtain an appropriate level of substantive audit assurance.
For partial assurance, the auditor believes that the analytical procedures
more likely than not will detect any aggregate misstatements that exceed
performance materiality.
• None. The auditor does not rely on analytical procedures for audit
assurance, and the auditor will obtain substantive audit assurance from tests
of details. In this situation, the auditor may perform supplemental analytical
procedures to increase understanding of account balances and transactions
but not to provide any additional audit assurance. These procedures are
similar in scope to those that the auditor performs on an overall basis at the
financial statement level (see FAM 520).
.07 To determine whether to perform complete or partial substantive analytical
procedures, the auditor should evaluate the effectiveness, or persuasiveness and
efficiency, of such procedures. In so doing, the auditor may use the factors
discussed in FAM 495 A.
Test of Details
.08 Tests of details are procedures applied to individual items that the auditor selects
for testing and include the following:
• External confirmation of a transaction or balance (such as accounts
receivable or payable) or the related terms (such as the terms of payment) by
obtaining and evaluating direct written response to the auditor from a third
party (the confirming party), either in paper form or by electronic or other
medium (for example, through the auditor’s direct access to information held
by a third party) (AU-C 505.06). The auditor should consider whether external
confirmation procedures are to be performed as substantive audit procedures
(AU-C 330.19). The auditor should use external confirmation procedures for
accounts receivable, except when one or more of the following is applicable:
(a) the overall account balance is immaterial; (b) external confirmation
procedures for accounts receivable would be ineffective; or (c) the auditor’s
assessed level of risk of material misstatement at the relevant assertion level
is low, and the other planned substantive procedures address the assessed
risk (AU-C 330.20). The auditor should include in the audit documentation the
basis for any determination not to use external confirmation procedures for
accounts receivable when the account balance is material (AU-C 330.32).
See AU-C 505 for procedures related to external confirmations.
• Observation, which includes looking at a process or procedure being
performed by others (for example, the auditor’s observation of inventory
counting by the entity’s personnel) (AU-C 500.A52).
• Inspection by examining an asset (either by being physically present or
using remote observation tools) or examining records or documents, whether
internal or external or in paper form, electronic form, or other media (AU-C
500.A51), to determine whether a balance is properly stated, such as
examining invoices for expenses and the purchase of inventory and property.
• Recalculation by testing the mathematical accuracy of information (AU-C
500.A56). This includes testing the mathematical accuracy of entity records
by footing, cross-footing, or recalculating amounts and tracing journal
postings, subsidiary ledger balances, and other details to corresponding
general ledger accounts. For example, the auditor may recalculate unit cost
extensions in an inventory list, foot the list, and trace the total to the general
ledger amount. Recalculation may be performed manually or using
automated tools and techniques (AU-C 500.A56).
.09 The different types of detail tests are often used in combination to provide
sufficient substantive audit assurance about an assertion. For example, to test
the valuation/accuracy of accounts receivable, the auditor might confirm
balances, recalculate the aging schedule, inspect documents supporting the
aging and specific delinquent accounts, and discuss collectability with
management. On the other hand, a single detail test might provide audit
assurance about more than one of the five financial statement assertions. For
example, an inspection of inventory may provide evidence about existence,
valuation/accuracy, and presentation and disclosure.
.10 The minimum extent of detail testing to be performed is based on the risk of
material misstatement and the assurance obtained from substantive analytical
procedures, as illustrated in the audit matrix in table 470.2.
Determining Mix of Substantive Procedures
.11 In determining an appropriate mix of substantive analytical procedures and detail
tests, the auditor generally should use the audit matrix in table 470.2, which
illustrates the integration of such tests for each level of risk of material
misstatement, when the auditor is using a desired audit assurance of 95 percent
for the entire audit. For example, the auditor should design tests to achieve a
substantive audit assurance of 86 percent for an account or line item in which the
assessed risk of material misstatement based on control tests is moderate. To
achieve a substantive audit assurance of 86 percent for an account or line item in
which partial reliance is placed on analytical procedures, the auditor should
design detail tests to achieve a minimum substantive audit assurance of 77
percent.
Table 470.2: Audit Matrix for Desired Audit Assurance of 95 Percent

| Assessed risk of material misstatement based on control tests | Substantive audit assurance (from table 470.01) (percentage) | Substantive audit assurance from analytical procedures^a | Minimum substantive audit assurance from detail tests (percentage) |
|---|---|---|---|
| Low | 63 | Complete | 0 |
| | | Partial | 50 |
| | | None | 63 |
| Moderate | 86 | Complete | 0 |
| | | Partial | 77 |
| | | None | 86 |
| High | 95 | Complete | 0 |
| | | Partial | 92 |
| | | None | 95 |

^a Complete assurance from analytical procedures means that procedures are extremely effective and persuasive
to serve as the sole source of audit evidence for achieving the audit objective. This level of effectiveness or
persuasiveness is very difficult to achieve when risk of material misstatement is high. Therefore, relying
completely on analytical procedures for substantive audit assurance in these situations is rare, particularly for
balance sheet accounts. See FAM 470.06.
.12 Additional factors to consider in determining an appropriate mix of substantive
analytical procedures and detail tests include the following:
a. The nature and significance of the assertion being tested. Analytical
procedures are generally more likely to be effective for assertions related to
accounts that reflect the audit period’s activity, such as accounts included in
the statement of net cost, than for accounts related to balance sheet
accounts or other cumulative balances. Significant assertions generally
require more or higher-quality audit evidence that may not be available from
analytical procedures.
b. The nature of the risk of material misstatement. The auditor should design
substantive procedures that address the specific type and level of risk of
material misstatement for each assertion. For example, for certain loss claim
liabilities, the auditor may design detail tests to search subsequent claim
payments for potential liabilities in testing the completeness assertion, while
the auditor may use analytical procedures to test the related valuation
assertion by evaluating the average amounts per claim.
c. The availability of different types of evidence. Using evidence that can be
readily obtained may be more efficient. For example, in federal government
audits, the auditor may use budgets and other information in performing
analytical procedures.
d. The quality of the types of evidence available. The higher the quality of a
type of evidence, the greater the level of assurance the auditor may derive
from it (see FAM 470.14).
e. The anticipated effectiveness of substantive analytical procedures. The
auditor should use detail tests if substantive analytical procedures are not
expected to be effective.
.13 When determining the types of substantive procedures to use, the auditor should
choose the mix of effective procedures that are efficient in combination with
sampling control tests and compliance tests.
.14 When considering a procedure’s relative effectiveness, the auditor should
evaluate the expected quality of the evidence. The quality of evidence obtained
in substantive procedures depends highly on the circumstances under which it is
obtained. Some generalizations about evidence are as follows:
a. Evidence obtained from independent third parties provides a higher level of
assurance than evidence obtained from sources in the entity.
b. Evidence obtained directly by the auditor through confirmation, observation,
inspection, or recalculation provides a higher level of assurance than
evidence obtained indirectly, such as through inquiry.
c. Documentary evidence provides a higher level of assurance than oral
representations.
d. Evidence obtained at or near the balance sheet date concerning an asset or
liability balance provides a higher level of assurance than evidence obtained
before or after the balance sheet date, because the audit risk generally
increases with the length of the intervening period.
e. The lower the control risk associated with an entity’s internal control, the
higher the assurance concerning the information subject to that internal
control.
Directional Testing
.15 In planning tests, the auditor may use the relationships between recorded
amounts to help achieve efficiencies. For example, in double-entry accounting, a
misstatement in one account affects at least one other related account. This
relationship allows the auditor to test more than one account with a single test.
Additionally, the relationship between budgetary and proprietary accounts may
allow for efficiencies in testing, for example, for undelivered orders and delivered
orders unpaid for budgetary accounts and expenses and accounts payable for
proprietary accounts.
.16 As stated, in double-entry accounting, a misstatement in one account affects at
least one other related account. For example, a misstatement of accrued payroll
typically results in a misstatement of payroll expense. In this example,
substantive procedures performed on accrued payroll usually will detect any
misstatements in both accrued payroll and payroll expense. In designing
substantive procedures after considering risk of material misstatement and
developing an understanding of each related account, the auditor should
determine the effect of tests on related accounts. For example, a test of revenue
for completeness may provide substantive evidence about the completeness of
accounts receivable.
Where the entity uses double-entry accounting, the auditor may (1) design an
overall audit strategy that tests certain accounts substantively for either existence
or completeness (the two assertions most affected by testing related accounts)
and (2) rely on such tests to detect misstatements in the related accounts. For
example, the auditor may test (1) assets and expenses directly for existence and
(2) liabilities, equity, and revenue for completeness, thereby indirectly testing the
related accounts for existence or completeness, as applicable. This logic is called
a directional testing approach.
.17 In some instances, the auditor may supplement a directional testing approach to
address a specific risk of material misstatement. For example, if cutoff is a
significant risk, the auditor may test both existence and completeness assertions
in a test of cutoff as of the balance sheet date. During initial financial statement
audits, the auditor generally should test both existence and completeness
directly, when those assertions are significant, because the cumulative
knowledge about the interaction of accounts may be limited.
.18 The audit assurance that can be obtained from directional testing is diminished in
balance-sheet-only audits if related accounts are not also tested and in audits of
entities having single-entry accounting systems (since double-entry account
interrelationships do not exist). In these instances, the auditor should test both
existence and completeness directly when those assertions are significant.
.19 The auditor may combine the testing of budgetary and proprietary accounts when
appropriate. For example, the auditor may combine tests of outlays on the
statement of budgetary resources with tests of cash disbursements used to test
net costs.
.20 If an entity has budget accounting records but does not maintain separate
proprietary accounting records, or the proprietary records are incomplete, the
auditor should directly test expended authority produced by the budget system
and the items necessary to reconcile the budget to the proprietary accounts.
.21 Also, if (1) relevant budget restrictions relate to significant quantitative-based
provisions of laws and regulations and (2) budget controls are not effective, the
auditor should test the accumulated or summarized information directly (see
FAM 460.03–.04).
Testing Phase
475 Perform Substantive Analytical Procedures
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 475-1
475 – Perform Substantive Analytical Procedures
.01 This FAM section provides guidance on the application of substantive analytical
procedures. These procedures consist of evaluations of financial information
made through analysis of plausible relationships among both financial and
nonfinancial data. Analytical procedures also encompass the investigation of
identified fluctuations and relationships that are inconsistent with other relevant
information or deviate significantly from predicted amounts (AU-C 520.04).
The auditor develops an expectation or estimate of the recorded amount based
on an analysis and understanding of relationships between the recorded
amounts and other data. This expectation is then used to form a conclusion on
the recorded amount. A basic premise underlying analytical procedures is that
plausible relationships among data may reasonably be expected to exist and
continue unless conditions have changed or the data are misstated. The reasons
that make relationships plausible are an important consideration because data
sometimes appears to be related when it is not, which may lead the auditor to
erroneous conclusions. In addition, the presence of an unexpected relationship
may provide important evidence when appropriately scrutinized (AU-C 520.A6).
(For further information, refer to AU-C 520 or the AICPA audit guide, Analytical
Procedures.)
.02 Scanning account detail and recalculation are two other audit procedures related
to substantive analytical procedures. Scanning consists of searching for unusual
items in the detail of account balances. Scanning is an appropriate tool for
investigating the cause of a significant fluctuation, but it is not a substantive
analytical procedure on its own. The auditor should investigate unusual items
identified through scanning to obtain substantive audit assurance about the
cause of the fluctuation. For example, the auditor identifies an unusual fluctuation
in the property balance when performing other substantive procedures. In
scanning a detail listing of vehicles, the auditor may find an auto valued at
$600,000, which appears unusually high. Further investigation finds that the
decimal point was misplaced when the data was entered, and the vehicle should
be recorded at $6,000.
The auditor may also independently calculate an estimate of an account balance,
which is sometimes referred to as recalculation or an overall test of
reasonableness. These recalculations are considered substantive analytical
procedures. When making recalculations, the auditor should assess the reliability
of the data used and should follow the steps used for performing substantive
analytical procedures. An example is recalculating the amount of depreciation
expense on equipment using the accounting method, useful life, and date an
asset was placed into service.
.03 The risk of forming the incorrect conclusion on the account balance tested may
be higher for substantive analytical procedures than for detail tests because of
the extensive use of the auditor’s professional judgment. Accordingly, quality
control is of critical importance. To help maintain quality in these procedures,
experienced engagement team personnel usually perform, or closely supervise
and review, the assessment of the reliance to place on procedures, design of
procedures, and formulation of conclusions as a result of procedures.
Designing and Performing Substantive Analytical Procedures
.04 When determining whether performing substantive analytical procedures will be
effective and efficient as a substantive test, see FAM 495 A for guidance. In
designing and performing substantive analytical procedures, as discussed in
AU-C 520.05, the auditor should do the following:
a. Determine the suitability of particular substantive analytical procedures for
given assertions, taking into account the assessed risks of material
misstatement and tests of details, if any, for these assertions.
b. Evaluate the reliability of data from which the auditor’s expectation of
recorded amounts or ratios is developed, taking into account the source,
comparability, and nature and relevance of information available and controls
over preparation.
c. Develop an expectation of recorded amounts or ratios and evaluate whether
the expectation is sufficiently precise (taking into account whether substantive
analytical procedures are to be performed alone or in combination with tests
of details) to identify a misstatement that individually or when aggregated with
other misstatements, may cause the financial statements to be materially
misstated.
d. Determine the amount of any difference of recorded amounts from expected
values that is acceptable without further investigation and compare the
recorded amounts, or ratios developed from recorded amounts, with the
expectations. This is also referred to as the limit. The determination of the
limit is a matter of the auditor’s judgment, although some guidelines are
provided in FAM 475.05.
e. Obtain explanations from management for differences that exceed the limit,
since such differences are significant. Obtain appropriate audit evidence to
corroborate management’s explanations for significant differences
(AU-C 520.07). This is discussed further in FAM 475.08 through .11.
f. Determine whether the explanations and corroborating evidence provide
sufficient evidence for the desired level of substantive audit assurance. If
unable to obtain a sufficient level of substantive audit assurance from
substantive analytical procedures, the auditor should perform additional
procedures, as discussed in FAM 475.12 through .17, and evaluate whether
the difference represents a misstatement (AU-C 520.07).
g. Evaluate whether the assessment of risk of material misstatement remains
appropriate, particularly in light of any misstatements identified. Revise the
assessment of risk of material misstatement, if necessary, and consider the
effects on the extent of detail tests.
h. Document on the Summary of Uncorrected Misstatements (as discussed in
FAM 540.07–.10) the amount of any misstatements detected by substantive
analytical procedures and their estimated effects. Note that the amount of any
misstatement does not include the amount of the limit, which is the amount of
the difference between the recorded amount and the expectation that does
not require explanation.
i. Conclude on the reasonableness of the recorded amount.
j. Include documentation of work performed, results, and conclusions. See
FAM 490.
The auditor may consider testing the operating effectiveness of controls, if any,
over the entity’s preparation of information used by the auditor in performing
substantive analytical procedures. When such controls are effective, the auditor
may have greater confidence in the reliability of the information and therefore in
the results of analytical procedures (AU-C 520.A19).
Establishing the Limit
.05 As discussed above, the limit is the amount of the difference between the
expected and recorded amounts that can be accepted without further
investigation. The auditor generally should use the following guidelines in
establishing the limit for each level of reliance on analytical procedures for
substantive audit assurance:
Complete reliance. The limit is 20 percent or less of performance materiality.
Partial reliance. The limit is 30 percent or less of performance materiality.
No reliance. Substantive analytical procedures are not needed.
Auditors should document the basis for the limit used.
Investigating Significant Differences
Causes of Significant Differences
.06 Differences between the expectation and the recorded amount relate to either
factors not included in the model (such as specific unusual transactions or
changes in accounting policies), a lack of preciseness of the model, or
misstatements (either errors or fraud). The auditor’s objective in investigating
significant differences is to determine whether they represent misstatements or
one of the other factors.
Amount of Difference to Be Explained
.07 When obtaining explanations, the auditor should discuss with management the
model and assumptions used to develop the expectation. Management will then
be in a better position to provide the auditor with a relevant explanation. If the
amount of the difference exceeds the limit, the auditor should ask management
to provide an explanation for the entire difference between the recorded amount
and the expectation. However, the auditor may decide to stop if the explanation
covers the portion of the difference that exceeds the limit (see fig. 475.1). If the
difference does not exceed the limit, an explanation is not required. The auditor
should identify and corroborate all significant factors that cause the expectation
to differ from the actual amount, regardless of whether the factors increase or
decrease the difference.
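Figure 475.1: Explanations When Recorded Amount Exceeds Limit
[Figure: levels shown from top to bottom are Recorded amount, Limit, and
Expectation. The band between Recorded amount and Limit is labeled “Minimum to
explain,” and the band between Limit and Expectation is labeled “May not need
explanation.”]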
Corroboration of Explanations
.08 The relevance and reliability of corroborating evidence may vary significantly.
Therefore, the extent of corroboration of explanations is left to the auditor’s
professional judgment. Corroboration may consist of examining supporting
documentation or corroborating explanations from personnel in the accounting
department and personnel in the appropriate operating department
knowledgeable about the entity’s operations.
The auditor should quantify and address the direction and magnitude of the event
that caused the fluctuation and corroborate explanations received. The auditor
should determine whether sufficient corroborating evidence has been obtained
based on the guidelines for complete and partial assurance discussed in
FAM 470.06. In evaluating explanations, the auditor should also determine
whether the difference is caused by error or fraud.
Example of an Adequate Explanation for a Significant Fluctuation
.09 Assume that the auditor assessed performance materiality to be $25 million.
Additionally, assume that the auditor has determined, after evaluating the risk of
material misstatement, to perform a substantive analytical procedure with a limit
of $5 million. The auditor estimated interest expense at $80 million by multiplying
the average loan balance of $1 billion by an average interest rate of 8 percent.
Both of these averages were computed through a simple average of beginning-
of-year and end-of-year amounts. The recorded amount of interest expense, $95
million, is higher than the estimated amount by $15 million and exceeds the limit
by $10 million.
.10 An explanation from management that “we borrowed more money this year and
interest rates are higher than last year” would not be adequate, as it explains why
interest is likely to be higher but not how much higher (it corroborates direction,
not amount). The auditor should ask management to quantify the explanation by
indicating when interest rates changed and when amounts borrowed changed.
The auditor should then corroborate the information provided.
.11 An example of an adequate explanation follows.
Management determined that interest rates increased during the year and then
fell and were computed to average 9 percent based on the attached monthly
weighted average. Additionally, $100 million was borrowed and repaid during the
year, and the additional borrowings were outstanding for 6 months. Therefore,
the average loan balance was actually $50 million higher and the average
interest rate was 1 percent higher than the figures used in the original estimate.
Therefore, 97 percent of the interest expense in excess of the expectation can be
explained as follows (in thousands):
$1,000,000  ×  1%  =  $10,000
    50,000  ×  9%  =    4,500
Amount of difference explained   $14,500
The auditor examined correspondence from lenders and loan statements to
corroborate these explanations. The auditor was satisfied that these covered the
significant factors and that it was not necessary to obtain an explanation for the
remaining $.5 million, or 3 percent difference. The auditor concluded that interest
expense is not misstated and no amounts are posted to the Summary of
Uncorrected Misstatements.
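The evaluation described in FAM 475.05 through .11, worked in Python as an added example that is not part of the FAM. The names `Factor`, `Result`, `max_limit`, `evaluate` and `fam_example`, the choice of complete reliance for the .09 figures, and the rule that the residual left after corroborated factors is compared with the limit are assumptions made for illustration; amounts are in thousands of dollars.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# FAM 475.05 guideline: the limit is at most this share of performance materiality.
LIMIT_CEILING = {"complete": Decimal("0.20"), "partial": Decimal("0.30")}


@dataclass(frozen=True)
class Factor:
    """One quantified explanation from management (hypothetical structure)."""
    description: str
    amount: Decimal      # signed effect on the expectation, in $ thousands
    corroborated: bool   # True once the auditor has evidence supporting it


@dataclass(frozen=True)
class Result:
    difference: Decimal           # recorded minus expectation (signed)
    minimum_to_explain: Decimal   # portion of the difference above the limit
    explained: Decimal            # net of corroborated factors (signed)
    unexplained: Decimal          # difference left after corroborated factors
    explained_pct: Optional[int]  # share of the difference explained, rounded
    within_limit: bool            # True when the residual does not exceed the limit


def max_limit(performance_materiality: Decimal, reliance: str) -> Decimal:
    """Largest limit the 475.05 guideline allows for a reliance level."""
    if reliance not in LIMIT_CEILING:
        # With no reliance, no substantive analytical procedure is performed.
        raise ValueError(f"no limit applies for reliance level {reliance!r}")
    return performance_materiality * LIMIT_CEILING[reliance]


def evaluate(recorded: Decimal, expectation: Decimal, limit: Decimal,
             performance_materiality: Decimal, reliance: str,
             factors: List[Factor]) -> Result:
    """Compare a recorded amount with the expectation and weigh the explanations."""
    if limit > max_limit(performance_materiality, reliance):
        raise ValueError("limit exceeds the FAM 475.05 guideline for this reliance level")
    difference = recorded - expectation
    minimum_to_explain = max(abs(difference) - limit, Decimal(0))
    # Only corroborated factors count; increases and decreases are netted (475.07).
    explained = sum((f.amount for f in factors if f.corroborated), Decimal(0))
    unexplained = difference - explained
    pct = round(explained / difference * 100) if difference else None
    return Result(difference, minimum_to_explain, explained, unexplained,
                  pct, abs(unexplained) <= limit)


def fam_example(quantified: bool = True) -> Result:
    """Figures from FAM 475.09-.11; quantified=False models the vague reply in .10."""
    expectation = Decimal(1_000_000) * Decimal("0.08")  # $1 billion at 8 percent
    factors = [
        Factor("average rate was 9 percent, not 8 percent",
               Decimal(1_000_000) * Decimal("0.01"), quantified),
        Factor("average balance $50 million higher, at 9 percent",
               Decimal(50_000) * Decimal("0.09"), quantified),
    ]
    return evaluate(recorded=Decimal(95_000), expectation=expectation,
                    limit=Decimal(5_000), performance_materiality=Decimal(25_000),
                    reliance="complete", factors=factors)


if __name__ == "__main__":
    for label, result in (("quantified and corroborated", fam_example(True)),
                          ("direction only, not quantified", fam_example(False))):
        print(label, result)
```

When `within_limit` is false, the options in FAM 475.12 apply: make the expectation more precise or perform tests of details.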
Course of Action in the Event of Inadequate Explanations or Corroborating
Evidence
.12 If management’s explanation and corroborating evidence do not adequately
explain the fluctuation sufficiently to provide either complete or partial assurance,
the auditor should perform additional substantive procedures or treat the
difference as a misstatement. These procedures may consist of
increasing the effectiveness of the substantive analytical procedures by
making the expectation more precise to obtain the desired assurance or
performing tests of details and placing no reliance on the ineffective
substantive analytical procedures.
.13 The auditor should determine the effectiveness and efficiency of the above
options. Deciding whether to perform additional substantive procedures is a
matter of the auditor’s professional judgment. The auditor should perform
additional procedures to provide adequate assurance that aggregate
misstatements that exceed performance materiality have been identified.
.14 To increase the persuasiveness or effectiveness of an analytical procedure, the
auditor may make the expectation more precise by
building a more sophisticated model by identifying more key factors and
relationships,
disaggregating the data (such as using monthly instead of annual data),⁸ or
using more reliable data or obtaining greater confidence in the data’s
reliability by corroborating the data to a greater extent.
Measuring the precision of the expectation and the impact of changing each of
these factors on the procedure’s effectiveness is difficult. The auditor may
consult with an expert in this field.
⁸ If data are disaggregated, the limit is still applied on an annual basis.
Performing Supplemental Analytical Procedures
.15 If detail tests are used to test the account balance because adequate
explanations cannot be obtained or corroborated, the auditor still should obtain
an overall understanding of the current-year financial statements when applying
overall analytical procedures at the financial statement level. See FAM 520.
.16 Additionally, if analytical procedures originally performed as a substantive test do
not provide the necessary assurance, the auditor may use those procedures to
supplement an understanding of the account balances or transactions after
performing detail tests.
.17 When the auditor places no reliance on substantive analytical procedures, all
assurance is provided by detail tests. In this situation, the auditor may use
supplemental analytical procedures to increase the auditor’s understanding of the
account balances and transactions after performing the detail tests. When using
supplemental analytical procedures, the auditor uses professional judgment to
determine which fluctuations to obtain explanations for and which explanations to
corroborate.
Testing Phase
480 Perform Substantive Detail Tests
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 480-1
480 – Perform Substantive Detail Tests
Population to Be Tested
.01 In defining the population, the auditor should identify the whole set of items on
which the auditor needs to reach a conclusion and from which the audit sample
will be drawn. This includes describing the population; conducting data reliability
tests to determine whether the population is complete and valid; determining the
source document or the transaction documents to be tested; and defining the
period covered by the test. The auditor should analyze the population for
characteristics such as large or unusual balances, duplicate items, and abnormal
balances. In designing detail tests, the assertion tested affects the choice of the
population (an account balance or a portion of an account balance) from which
items are selected. For example, the existence assertion deals with whether
recorded assets or liabilities exist as of a given date and whether recorded
transactions have occurred during a given period. To detail test the existence
assertion, the auditor should test the recorded account balance by
selecting items from those that compose the account balance and
testing those items to evaluate whether including them in the account balance
is proper.
For example, to test an expense account for existence, the auditor may select
from a detailed general ledger individual expense amounts included in the
balance and then examine invoices that support the expense amounts. It would
be inappropriate to select invoices directly and then trace invoice amounts to
inclusion in the general ledger balance.
.02 For the existence assertion, the auditor should determine if the population agrees
with or is reconciled to the recorded amount of the account balance being tested.
The auditor should test reconciling items, if any. If this is not done, the auditor
can conclude only on the population tested and not on the recorded population.
.03 Conversely, the completeness assertion deals with whether all transactions and
accounts that are expected to be in the financial statements are included. To
detail test the completeness assertion, the auditor should select from an
independent population of items that are expected to be recorded in the account.
The auditor should (1) select items from a source that is likely to contain all the
items that are expected to be recorded and (2) determine whether they are
included in the recorded balance.
For example, to test completeness of recorded revenue, the auditor may select
shipments from a shipping log (which is believed to be reasonably complete),
trace them to recorded revenue amounts, and then test whether the
summarization of those amounts was included in the general ledger revenue
balance.
To test completeness of recorded accounts payable, the auditor may select
payments made subsequent to year-end plus invoices on hand but not yet paid.
The auditor may then trace transactions for which the receipt of goods or
services occurred before year-end for inclusion in year-end accounts payable.
For those transactions where the receipt occurred after year-end, the auditor
should test for exclusion from accounts payable.
Selection Methods for Detail Tests
.04 The auditor may apply detail tests to any of the following:
all items composing the population,
a nonstatistical selection of items, or
an audit sample of items composing the population.
Flowchart 1 in FAM 495 D illustrates the process of deciding the selection
method.
.05 Detail testing of all items composing the population is generally most
appropriate for populations consisting of a small number of large items. For
example, several large accounts receivable or investments might compose an
entire balance.
.06 Detail testing of a nonstatistical selection is appropriate where the auditor
knows enough about the population to identify a relatively small number of items
of interest, usually because they are likely to be misstated or otherwise have a
high risk of material misstatement.
While the dollar amount is frequently the characteristic that indicates that an item
is of interest, other relevant characteristics might include an unusual nature (such
as an item identified on an exception report); an association with certain entities
(such as balances due from high-risk, financially troubled entities); or a
relationship to a particular period or event (such as transactions immediately
before and after the year-end).
The auditor should evaluate the effects of any misstatements found in the
nonstatistical selection. However, unlike audit sampling, the results of procedures
applied to items selected under nonstatistical selection apply only to the selected
items. It is incorrect for the auditor to project the results to the portion of
the population that was not tested. Accordingly, the auditor should apply
appropriate substantive analytical procedures, other substantive procedures, or
both to the remaining items, unless those items are immaterial in total or the
auditor has already obtained enough assurance that there is a low risk of
material misstatement in the untested population through other audit procedures.
.07 Detail testing of an audit sample of items composing the population is
necessary when the auditor cannot efficiently obtain sufficient assurance (based
on the assessed risk of material misstatement and other substantive procedures,
including analytical procedures) about the population from nonstatistical
selections. AU-C 530 indicates that audit samples may be either statistical or
nonstatistical.
The auditor should select items for the audit sample in such a way that the
auditor can reasonably expect the sample to be representative of the relevant
population and likely to provide the auditor with a reasonable basis for
conclusions about the population (AU-C 530.08). The auditor should select the
audit sample so that each item in the population has an opportunity to be
selected. In random sampling, each item has an equal chance of selection. For
MUS, each monetary unit (dollar) has an equal chance of selection. For classical
variables sampling, each item in a stratum has an equal chance of selection.
Based on the results of procedures performed on the audit sample, the auditor
should conclude on the entire population.
.08 The auditor may use a nonstatistical selection for part of the population and an
audit sample for the remainder of the population. For example, the auditor may
make a nonstatistical selection of all inventory items with a book amount greater
than $10 million, and select an audit sample for the remainder of the population.
The auditor is able to conclude on the entire population by combining the results
of the nonstatistical selection with the results of the audit sample.
.09 The auditor should document (usually in audit procedures) whether a selection is
intended to be an audit sample (representative of the population) or a
nonstatistical selection (not representative of the population). If it is a
nonstatistical selection, the auditor also should document the basis for
concluding that enough work has been done to obtain sufficient assurance that
the items not tested are free from aggregate material misstatement.
Audit Sampling
.10 The following paragraphs provide an overview of audit sampling, primarily with
respect to the existence and valuation assertions. Similar concepts and methods
apply to the completeness assertion, except that the population to be tested
differs, as discussed in FAM 480.01 through .03.
.11 The auditor generally should consult with the audit sampling specialist when
using sampling, including selection of audit sampling methods, selection of
sample items, and evaluation of audit sample results.
.12 In statistical sampling, the auditor uses probability theory to determine sample
size, select the sample, and evaluate the results to reach a conclusion about the
population. Statistical sampling permits the auditor to objectively determine
sample size (based on subjective decisions about risk and materiality),
objectively select the sample items, and objectively evaluate the results. Thus, by
using statistical sampling, the auditor determines objectively whether enough
work has been performed. When using statistical sampling, the auditor should
determine a sample size sufficient to reduce sampling risk to an acceptably low
level (AU-C 530.07).
Because of these advantages, when an audit sample is necessary, the auditor
generally should use statistical sampling. Software such as IDEA allows the
auditor to quickly perform the calculations necessary for statistical sampling.
.13 In nonstatistical sampling, the auditor considers statistical concepts but does
not explicitly use them to determine sample size, select the sample,⁹ or evaluate
results. Unlike statistical sampling, which allows the auditor to objectively
evaluate sample results, the auditor using nonstatistical sampling will only be
able to subjectively evaluate sample results, such as making a judgment about
whether the potential misstatement in the population could be material.
⁹ The principal techniques of selecting a nonstatistical sample are the use of random selection and haphazard
selection to select sample items (AU-C 530.A17). Since a haphazard sample is not the same as a statistical sample,
the auditor using a haphazard sample cannot calculate precision at a given confidence level. However, AICPA
guidance indicates that the auditor may use the haphazard sample to make a judgment of what a statistical sample
might have shown. For example, the auditor may use the haphazard sample to make a judgment as to the
misstatement in areas that are not very significant. Even though the judgment will not be a statistical projection, it
may assist the auditor in determining whether the possible misstatement could be material.
The decision whether to use a statistical or nonstatistical sampling approach is a
matter of professional judgment. AICPA guidance states that this choice is often
a cost-benefit consideration;¹⁰ however, sample size is not a valid criterion to use
in deciding between statistical and nonstatistical sampling approaches. An
auditor who applies nonstatistical sampling exercises professional judgment to
relate the same factors used in statistical sampling in determining the appropriate
sample size. Ordinarily, this would result in a sample size comparable with the
sample size resulting from an efficient and effectively designed statistical sample,
considering the same sampling parameters (AU-C 530.A14).
.14 In audit sampling, the auditor should select the sample from all the items that
compose the population so that each item has an opportunity for selection. In
statistical sampling, the auditor can determine the probability of selection. For
example, the auditor may select sample items from a list of all accounts
receivable balances that is reconciled to the related general ledger account
balances. Selecting sample items from file drawers is not a valid selection
method for any type of audit sampling, unless the auditor has determined that the
file drawers contain all items composing the population.
.15 For statistical samples, the auditor generally should select sample items using
either random or MUS methods. The auditor may use computer software to
select the statistical samples.
.16 Sample size is a function of the size of the population, the auditor’s assessment
of the risk of material misstatement, desired confidence level (based on the
amount of substantive audit assurance that the auditor requires from detail tests,
tolerable misstatement, expected misstatement in the population, and other
factors discussed in FAM 230.13), and the sample selection method (AU-C
530.A13).
.17 Once the auditor decides that a statistical sample is necessary, the choice of
sampling method is a matter of professional judgment, in consultation with the
audit sampling specialist as applicable, about the most efficient method for
achieving the audit objectives. Statistical sampling methods available for
substantive procedures are
• MUS (see FAM 480.21–.22),
• classical variables sampling (see FAM 480.27–.28), and
• classical probability proportional to size (PPS) sampling—evaluating a PPS
  sample using a classical variables sampling approach (see FAM 480.29–.30).
The auditor may use attribute sampling for tests of controls and for tests of
compliance with significant provisions of applicable laws, regulations, contracts,
and grant agreements. For example, the auditor may select an MUS sample of
expenditure transactions for testing and include testing the sample for approvals,
for entry into the general ledger, and for compliance with applicable provisions of
the Prompt Payment Act. It should be noted that multipurpose tests may not be
efficient if they are conducted during the first 2 years of a new audit, as the
auditor may not be as aware of the operating effectiveness of the controls in
place at an entity in a new audit and the rate of deviation may be higher than
expected. In order to use MUS for a multipurpose test, there should be at least
45 unique transactions selected to meet the minimum control sample size
requirements in FAM 450.
Classical variables sampling often results in smaller sample sizes. Multistage
samples may reduce time and travel costs. The auditor generally should consult
with the audit sampling specialist before using this sampling method.
¹⁰ For example, it may not be efficient to use statistical sampling when the population is not in electronic format.
Another example of when it may be difficult to apply statistical sampling is when the auditor plans to use audit
sampling to test a physical inventory count and the entity does not maintain perpetual inventory records. Because
either statistical or nonstatistical sampling can provide sufficient audit evidence, the auditor chooses between them
after considering their relative efficiency and effectiveness in the circumstances.
.18 Each of these statistical sampling methods yields a projected (likely)
misstatement and an upper limit at the desired confidence level. In addition,
classical PPS and classical variables sampling both yield a two-sided confidence
interval (MUS yields an upper limit). The auditor should choose the appropriate
method based on the test objectives and efficiency.
.19 When deciding the statistical sampling method, the auditor should determine
whether the monetary amounts of the individual items composing the population
are available (for example, on a detail listing or in a computer file); the expected
amount of misstatements; and the relative efficiency of each appropriate
sampling method. Flowchart 2 in FAM 495 D summarizes the process for
choosing the statistical sampling method once the auditor has decided that a
statistical sample is necessary. The subsequent pages of the flowchart indicate
the steps that the auditor generally should perform for each statistical sampling
method. Example audit documentation for attribute sampling, MUS, and classical
variables sampling can also be found in FAM 495 D.
.20 If the dollar amounts of the individual items composing the population are known,
the auditor should use MUS, classical PPS, or classical variables sampling. If
dollar amounts of individual items are not known, see FAM 480.31–.33.
Statistical Sample Selection
MUS
.21 MUS is a type of statistical sampling that the auditor generally should use when
• the monetary amounts of individual items in the population are known,
• the primary objective is to test for overstatement of the population (see below
  for testing a population related to the line item),
• the auditor expects that the total monetary amount of misstatement in the
  population is not large,¹¹ and
• the amount of misstatement in an individual item cannot exceed the selected
  amount.¹²
MUS works best in populations where the total misstatement is not large and
where the objective is to test for overstatement of a population. When the
objective is to test for understatement of a line item, the auditor often is able to
define a related population to test for overstatement. For example, to test for
understatement of accounts payable, the auditor may select an MUS sample of
subsequent disbursements. See also FAM 480.31–.33.
.22 When the total misstatement in the population is not large, MUS will yield the
smallest sample size for a given population, tolerable misstatement, and desired
confidence level when all statistical sampling methods are considered. If the
auditor expects that the population contains a large amount of misstatement, the
auditor generally should use classical variables sampling (see FAM 480.27–.28).
Computation of MUS Size
.23 When the auditor uses IDEA to calculate the MUS size, the inputs are
• total value of sample population,
• confidence level,
• tolerable error (tolerable misstatement), and
• expected error (expected misstatement).
.24 The auditor should perform audit procedures, appropriate to the purpose, on
each item selected (AU-C 530.09). If the audit procedure is not applicable to the
selected item, the auditor should perform the procedure on a replacement item
(AU-C 530.10).
.25 If the auditor is unable to apply the designed audit procedures, or suitable
alternative procedures, to a selected item, the auditor should treat that item as a
deviation from the prescribed control (in the case of tests of controls; see
FAM 450) or a misstatement (in the case of tests of details) (AU-C 530.11). If this
is the case, see further explanation at FAM 450.17.
.26 If additional sample items are not selected during the initial sample and it is
necessary to select additional and/or replacement items, the auditor generally
should consult with the audit sampling specialist to determine how to select the
additional sample items. Selection of these additional items may be more
complex and less efficient than if they were chosen during the initial sample.
¹¹ This expectation affects the efficiency of the sample, not its effectiveness. GAO auditors who use IDEA to calculate
sample size (based on the hypergeometric probability distribution) use classical variables sampling when they expect
that more than 30 percent of the sampling units contain misstatements. When GAO auditors expect that 10 percent or
fewer of the sampling units contain misstatements, GAO auditors use MUS. When GAO auditors expect that 10 to 30
percent of the sampling units contain misstatements, they consult with the audit sampling specialist. The auditor, in
consultation with the audit sampling specialist, generally should determine whether to use classical PPS to evaluate
the sample to obtain a smaller precision, if a large misstatement rate is found. Other auditors, in consultation with
their audit sampling specialists as applicable, may use different rules in deciding when to use MUS versus classical
variables sampling.
¹² This means, for example, that an item that has a selected amount of $1,000 cannot be misstated by more than
$1,000. This is not an issue in testing existence (overstatement) or valuation (overstatement). However, it might be
an issue in testing completeness (understatement) or valuation (understatement). Thus, if understatements larger
than the selected amount are expected, the auditor generally should use classical variables sampling.
Classical Variables Sampling
.27 Classical variables sampling is a type of statistical sampling that may be used
when the auditor expects that one or more conditions exist in the population,
such as
• the dollar amount of misstatement in the population is large (see footnote 3),
• individual misstatements may exceed the selected amount of sampling units,
• significant understatements cannot be identified using other tests,
• there are no book amounts for each sampling unit, or
• the auditor cannot add the dollar amounts in the population (see flowchart 2
  in FAM 495 D).
.28 Classical variables sampling is useful because it frequently results in smaller
sample sizes in higher misstatement situations than those that would be obtained
using MUS. Because applying this method is somewhat complex, the auditor
generally should consult with the audit sampling specialist before using it. Both
this method and classical PPS sampling discussed below require knowledge of
the population to determine sample size. In many audits, the auditor learns about
the population over several audits and may use this knowledge to refine the
sampling methodologies to improve efficiency.
Classical PPS Sampling
.29 Classical PPS sampling is a type of statistical sampling that the auditor generally
should use when testing for overstatement of the defined population and
expecting a large misstatement rate. Since there is no exact way to determine
sample size, the auditor uses MUS to calculate sample size (proportional to
size). However, since classical PPS sampling is used when there are large
misstatement rates, the auditor should use a conservative (high) estimate of the
expected misstatement to avoid needing to subsequently expand the sample size
to obtain a sufficient sample size.
.30 Classical PPS sampling yields a valid measure of projected misstatement and
precision and is easier to design and evaluate than classical variables sampling.
Thus, in higher misstatement situations, the auditor may choose to use classical
PPS sampling if there are no reasons for using classical variables sampling other
than an expected high misstatement rate.
Sampling When Dollar Amounts Are Not Known
.31 The auditor cannot use MUS if the dollar amounts of individual items in the
population are not known. The auditor may use classical variables sampling, but
this method has some difficulties. There is no way to accurately calculate the
sample size without the individual dollar amounts, and the method is inefficient
unless the auditor finds a large misstatement rate. Auditors usually encounter
lack of individual dollar amounts when testing the completeness assertion and
selecting from a population independent of the population being tested, such as a
shipment from a shipping log (see FAM 480.01–.03). One approach may be for
the auditor to select a random or systematic sample of the individual items. For
example, the auditor may randomly select items from a shipping log to test the
completeness/cutoff assertion for revenue and accounts receivable that
shipments have been billed in the proper period.
.32 For this type of test, the sample size may be approximated from the total (dollar)
amount of either the population from which the auditor is sampling (the total
dollars of the shipping log if the log has amounts), or the amount of the
population that the auditor is testing (the total recorded revenue). Because this
method is less efficient than MUS, the auditor generally should use a preliminary
estimate of sample size that exceeds the sample size that would result from
using MUS, for example, at least a 25 percent increase in sample size.¹³
.33 The auditor generally should consult with the audit sampling specialist to
determine whether to use classical variables sampling and to perform the
evaluation. In using attribute sampling for substantive tests, the auditor generally
should use the upper limit of the misstatement rate to make a conservative
estimate of the dollar amount of misstatement in the population. If the upper limit
is less than materiality, the auditor has evidence that the population is free of
material misstatement.
Evaluation of Sample Results
.34 Evaluation of sampling results, including sampling risk (AU-C 530.14), should
involve the following:
• projecting the results of the statistical sample to the population (AU-C 530.13)
  (for nonstatistical samples, making a judgment about the potential effect of
  any deviations or misstatements in the population);
• calculating either (1) the upper limit on misstatement in the population or (2)
  an interval estimate of misstatement or of the population audited value, at the
  desired confidence level (for nonstatistical samples, considering the risk of
  further misstatement);
• determining any qualitative aspects of the deviations/misstatements;
• bringing deviations/misstatements to management’s attention;
• asking management to correct factual misstatements;
• investigating the nature and cause of any deviations or misstatements
  identified and evaluating their possible effect on the purpose of the audit
  procedure and on other areas of the audit (AU-C 530.12);
• concluding as to whether the population is free from material misstatement,
  after management’s adjustments, if any; and
• evaluating the effect of misstatements on the financial statements as a whole.
The auditor usually completes the first two steps above with software such as
IDEA. The auditor generally should perform the evaluation in consultation with
the audit sampling specialist.
.35 The effects of any misstatements detected in a statistical sample are projected to
the population. The auditor should project all misstatements unless highly
persuasive evidence is obtained that a misstatement is not representative of the
entire population. If the evidence is highly persuasive that a misstatement is not
representative of the population, the auditor should
• perform procedures to test that the same type of misstatement does not exist
  elsewhere in the population;
• evaluate the misstatement that is not representative;
• evaluate the statistical sample, excluding the misstatement that is not
  representative; and
• obtain the approval of the audit director that the evidence is highly
  persuasive.
The projected misstatement amount is included in the Summary of Uncorrected
Misstatements, the evaluation of which is discussed in FAM 540.
¹³ The 25 percent is a rough estimate that is used because the auditor cannot calculate the correct sample size.
.36 At the conclusion of the test, the auditor also should determine whether the
assessment of risk of material misstatement remains appropriate, particularly in
light of any misstatements identified. If the preliminary risk of material
misstatement assessment was not appropriate, the auditor should consult with
the reviewer to determine whether the extent of substantive procedures is
adequate.
.37 When understated amounts are detected in any statistical sample designed
primarily to test the existence assertion (i.e., designed to test primarily for
overstatement), the auditor generally should consult with the audit sampling
specialist in evaluating the sample results.
Calculating the Projected Misstatement for MUS
.38 If the auditor does not use software to evaluate statistical sample results, the
auditor should calculate projected misstatement as follows. If the sample item
has a recorded amount that equals or exceeds the sampling interval, the
projected misstatement is the actual amount of the misstatement identified for
that item. For any other misstatement detected, the projected misstatement is
computed by
• dividing the amount of misstatement by the recorded amount of the sample
  item and
• multiplying the result by the amount of the sampling interval.
The sum of all projected misstatements represents the aggregate projected
misstatement for the statistical sample. For example, assume the following two
misstatements are detected in a statistical sample for which the sampling interval
is $300,000: (1) a $50,000 misstatement detected in a $500,000 item (which
exceeds the amount of the sampling interval) results in a projected misstatement
of $50,000 and (2) a $100 misstatement in a $1,000 sample item represents a 10
percent misstatement, which results in a projected misstatement of $30,000 (10
percent of the $300,000 sampling interval). In this example, the aggregate
projected misstatement is $80,000.
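The projection rule in FAM 480.38, worked as an added Python example (not code from the FAM or from IDEA). The `SampleItem` fields and function name are hypothetical, items C and D are constructed, and setting understated or unprojectable items aside for the audit sampling specialist is an assumption of this example based on FAM 480.37 and footnote 12.

```python
from dataclasses import dataclass
from decimal import Decimal

CENT = Decimal("0.01")


@dataclass(frozen=True)
class SampleItem:
    item_id: str       # hypothetical identifier for the selected item
    recorded: Decimal  # recorded (book) amount of the sample item
    audited: Decimal   # amount supported by the audit procedure


def evaluate_mus_sample(items, sampling_interval):
    """Project MUS misstatements using the manual calculation in FAM 480.38.

    Returns a dict with:
      lines     - (item_id, basis, projected misstatement) per overstated item
      aggregate - sum of the projected misstatements
      referred  - ids of items this example does not project (see below)
    """
    interval = Decimal(sampling_interval)
    if interval <= 0:
        raise ValueError("sampling interval must be positive")

    lines, referred = [], []
    for item in items:
        misstatement = item.recorded - item.audited  # positive = overstatement
        if misstatement == 0:
            continue  # item agrees with the records; nothing to project

        # Assumption of this example: understatements (FAM 480.37) and items
        # whose misstatement exceeds the recorded amount, or that have no
        # positive recorded amount to divide by (footnote 12), are set aside
        # for the audit sampling specialist. The manual gives no formula here.
        if misstatement < 0 or item.recorded <= 0 or misstatement > item.recorded:
            referred.append(item.item_id)
            continue

        if item.recorded >= interval:
            # Recorded amount equals or exceeds the sampling interval:
            # the projected misstatement is the actual misstatement.
            basis, projected = "actual", misstatement
        else:
            # Otherwise: misstatement / recorded amount * sampling interval.
            basis = "tainting"
            projected = misstatement / item.recorded * interval

        lines.append((item.item_id, basis, projected.quantize(CENT)))

    aggregate = sum((p for _, _, p in lines), Decimal(0))
    return {"lines": lines, "aggregate": aggregate, "referred": referred}


# Sampling interval and items A and B are the figures from the FAM 480.38
# example. Items C (no misstatement) and D (understatement) are constructed.
INTERVAL = Decimal("300000")
SAMPLE = [
    SampleItem("A", Decimal("500000"), Decimal("450000")),  # $50,000 over
    SampleItem("B", Decimal("1000"), Decimal("900")),       # $100 over (10%)
    SampleItem("C", Decimal("20000"), Decimal("20000")),    # constructed
    SampleItem("D", Decimal("5000"), Decimal("5400")),      # constructed
]

if __name__ == "__main__":
    result = evaluate_mus_sample(SAMPLE, INTERVAL)
    for item_id, basis, projected in result["lines"]:
        print(f"{item_id}: {basis:8s} projected misstatement ${projected:,.2f}")
    print(f"Aggregate projected misstatement: ${result['aggregate']:,.2f}")
    print(f"Referred to sampling specialist: {result['referred']}")
```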
Evaluating a MUS as a Classical PPS Sample
.39 If a MUS results in a large number of misstatements, it is likely that the
evaluation based on the calculation method illustrated above would
indicate that the upper limit of misstatement in the population exceeds materiality
(IDEA indicates the number of misstatements that would yield acceptable
results). However, if there are a large number of misstatements,¹⁴ the auditor, in
consultation with the audit sampling specialist, generally should evaluate the
sample using classical PPS sampling. This evaluation is complex and cannot be
done directly using IDEA.
Evaluating the Results of a Classical Variables Sample
.40 The auditor generally should consult with the audit sampling specialist in
evaluating the results of a classical variables sample.
Evaluating the Results of Other Samples
.41 When the auditor detects misstatements in an audit sample for which guidance
on evaluation is not described above, the auditor generally should consult with
the audit sampling specialist.
Effects of Misstatements on the Financial Statements
.42 The auditor should evaluate the quantitative and qualitative effects of all
misstatements detected in the audit in relation to the financial statements as a
whole. FAM 540 and 545 provide guidance on this evaluation.
¹⁴ As a general rule, this means 10 misstatements if the sample size is from 75 to 100, 10 percent if the sample size is
from 100 to 300, and 30 if the sample size is over 300. Minimum sample size for classical PPS sampling is 75.
490 – Documentation
.01 The auditor should include in the audit documentation the (a) overall responses
to address the assessed risks of material misstatement at the financial statement
level and the nature, extent, and timing of further audit procedures performed; (b)
the linkage of those procedures with the assessed risks at the relevant assertion
level; and (c) the results of the audit procedures, including the conclusions when
such conclusions are not otherwise clear (AU-C 330.30).¹⁵ The auditor should
also specifically identify the procedures used to obtain substantive audit
assurance for an account balance, for example, when the auditor relies on detail
tests for complete substantive audit assurance and performs supplemental
analytical procedures to increase the auditor’s understanding of the account
balances and transactions. The auditor may document the procedures
performed, results, and conclusions in summary memos by cycle area.
.02 In order to focus on key matters and identify significant exceptions, the auditor
generally should document in the planning audit documentation the audit
objectives, procedures to be performed, possible exceptions, and why they may
be important.
.03 The auditor also should document, usually in the applicable audit plan with the
audit procedures, whether a selection is intended to be a (1) statistical sample
(representative of, and statistically projectable to, the population), (2)
nonstatistical sample (representative of, but not statistically projectable to, the
population), or (3) nonstatistical selection (not representative of, and not
projectable to, the population). If it is a nonstatistical selection, the auditor should
document the assessment of the risk of material misstatement for the items not
tested as part of the selection and the basis for concluding that enough work has
been done to obtain sufficient assurance that the items not tested are free from
aggregate material misstatement.
.04 As audit work is performed, the auditor may become aware of possible material
weaknesses, significant deficiencies, other control deficiencies, identified or
suspected noncompliance, or other matters. The auditor should document and
communicate these issues, as described in FAM 580 and 590.
.05 The auditor should document the elements included in FAM 495 D, which include
the items below. (GAO auditors generally should use FAM 495 D and provide it
to the audit sampling specialist.)
a. For tests involving audit sampling, the auditor should document the following:
• the sampling method used;
• the sample size and the method of determining it;
• how the sample was selected;
• a list of items tested;
• the audit procedures performed; and
• the results of tests, including evaluations of sample results, and
  conclusions.
¹⁵ In cases where the auditor is relying on professional judgment, the auditor’s decisions should be documented and
supported.
b. For substantive analytical procedures, the auditor should document the
following:
• the model used to develop the expectation and the basis for the model,
  including the expectation referred to in FAM 475.04 and the factors
  considered in its development when that expectation or those factors are
  not otherwise readily determinable from the audit documentation
  (AU-C 520.08a);
• the data used and the data sources;
• the auditor’s assessment of the reliability of the data used and procedures
  performed to establish or increase the amount of reliability, if applicable;
• the amount of the limit and the criteria for establishing the limit;
• results of the comparison referred to in FAM 475.04 of the recorded
  amounts, or ratios developed from recorded amounts, with the
  expectations (AU-C 520.08b), including management’s explanations for
  significant fluctuations, sources of these explanations, and corroborating
  evidence obtained;
• any additional auditing procedures performed relating to the investigation
  of fluctuations or relationships that are inconsistent with other relevant
  information or that differ from expected values by a significant amount
  and the results of such additional procedures (AU-C 520.08c); and
• conclusions regarding findings, including treatment of any misstatements
  detected and assessment of any other effects of these misstatements.
c. The auditor should document interim testing procedures (see FAM 495 C for
documentation guidance).
d. The auditor should document individual and total misstatements on the
Summary of Uncorrected Misstatements. See FAM 540 and FAM 595 C.
e. For audit procedures related to the inspection of significant contracts and
grant agreements, the auditor should include abstracts or copies of those
contracts and grant agreements in the audit documentation (AU-C 230.10).
Determining whether an inspected contract or grant agreement is significant
is a matter of auditor judgment. In making this determination, the auditor may
find it necessary to consult with OGC to gain a better understanding of the
contract or grant agreement.
If a contract or grant agreement is deemed to be significant, the auditor
should include information about the contract or grant agreement in the audit
documentation. At a minimum, the audit documentation should include
abstracts or copies of significant contracts and grant agreements examined if
they are needed to allow an experienced auditor to understand the work
performed and conclusions reached. The following considerations may help
guide the auditor in determining whether a contract or grant agreement is
significant and whether to obtain and maintain an abstract or copy in the audit
documentation:
• Risk: Matters arising from contracts or grant agreements that an auditor
  considers to be a significant risk. Factors in making that determination
  include complexity, uniqueness, congressional or public interest, and
  whether it is outside the normal course of business.
• Materiality: Individual or classes of contracts or grant agreements that
  are individually or collectively material, considering both quantitative and
  qualitative materiality. If there is a class of similar contracts or grant
  agreements, the auditor may determine that only examples of such
  contracts or grant agreements or abstracts summarizing the class are
  necessary to include in the audit documentation. Factors in making this
  determination include transactions and balances recorded under a
  contract or grant agreement that are material to the financial statements,
  and contracts or grant agreements that are significant or fundamental to
  the operations of the entity.
• Disclosure: Matters or transactions arising from contracts or grant
  agreements that could be disclosed in the financial statements, notes,
  required supplementary information, and other information.
• Internal control over financial reporting: Internal controls over financial
  reporting that the auditor has determined are key, especially those
  performed by service organizations.
• Auditor’s report: Issues or transactions arising from contracts and grant
  agreements that the auditor has determined to be significant and included
  in the auditor’s report as emphasis-of-matters or other-matters.
f. For accounting estimates, the auditor should document the following
(AU-C 540.22):
• with significant risk, the basis for the auditor’s conclusions about the
  reasonableness of accounting estimates and their disclosure and
  indicators of possible management bias, if any.
495 A Determine Whether to Perform Substantive Analytical
Procedures
.01 When determining whether performing substantive analytical procedures will be
effective and efficient as a substantive test, the auditor should evaluate the
a. nature of the account balance, the audit objective (including the assertions
being tested), and the assessed risk of material misstatement (FAM 495
A.02–.04);
b. expected availability and reliability of explanations for fluctuations and related
corroborating evidence (FAM 495 A.05);
c. plausibility and predictability of the relationship (FAM 495 A.06–.13);
d. availability and reliability of data (FAM 495 A.14–.22); and
e. preciseness of the expectation (FAM 495 A.23–.25).
This FAM section provides additional guidance to the auditor in these areas.
Nature of the Account Balance, the Audit Objective, and the
Assessed Risk of Material Misstatement
.02 Analytical procedures are usually more effective for testing accounts that
accumulate transactions for the period, such as statement of net cost accounts,
than for testing balance sheet accounts. This is because balance sheet amounts
are more difficult to predict as they are as of a specific point in time. Additionally,
net cost statement amounts generally have relationships with other data, such as
cost of sales as a percentage of sales, interest expense as a function of the debt
balance and interest rates, or sales revenue as a function of the number of units
shipped and the average sales price. Analytical procedures are usually less
effective for testing amounts that are subject to management discretion or are
unpredictable, such as repairs or miscellaneous expenses.
.03 The auditor should use the audit objective, including relevant assertions, and the
assessed risk of material misstatement to determine whether substantive
analytical procedures will be effective. The auditor can obtain three levels of
substantive assurance from analytical procedures: complete, partial, or none.
The effectiveness and the amount of assurance that an individual procedure
provides are matters of the auditor’s professional judgment and are difficult to
measure.
.04 When the risk of material misstatement is high, the auditor will rarely be able to
place complete reliance on analytical procedures for substantive assurance,
particularly for balance sheet accounts. Therefore, in these cases, the auditor
should design analytical procedures that are extremely effective and persuasive,
if they are to serve as the sole source of audit evidence for achieving the audit
objective.
Explanations for Fluctuations and Corroborating Evidence
.05 Explanations for fluctuations and related, reliable corroborating evidence may not
be readily available. This evidence is essential when the auditor uses analytical
procedures as a substantive test. The auditor could consider the relative ease of
obtaining explanations for significant differences and relevant, reliable
corroborating evidence when determining whether analytical procedures will be
effective.
Plausibility and Predictability of the Relationship
.06 Relationships between the amount being tested (the recorded amount) and the
other data are an essential component of substantive analytical procedures. The
auditor should identify relationships that are good indicators of the account
balance, that is, the relationship between the recorded amount and the other
data is plausible and predictable.
Plausibility
.07 If one set of data provides a reasonable basis for predicting another set of data,
the relationship between the two sets of data is plausible. As the plausibility of
the relationship increases, so does the effectiveness of analytical procedures as
a substantive test.
.08 For example, there is a plausible relationship between payroll expense, the
average number of employees, and the average pay rate. This relationship
generally is effective for the auditor to use in developing an expectation for
payroll expense of salaried employees. Alternatively, there is not usually a
plausible relationship between revenue and interest expense. Therefore, this
relationship would not be used for developing an expectation.
Predictability
.09 The more predictable the relationship is, the more effective the substantive
analytical procedure will be. Relationships are more predictable in a stable
environment. As relationships become more complex because of increases in the
number and type of contributing factors, related amounts become more difficult to
effectively and efficiently predict.
.10 For example, payroll expense generally is very predictable if there is little
employee turnover during the period, if all employees receive the same
percentage raise at the same time, and if all employees are salaried. Payroll
expense becomes more difficult to predict if any of these factors changes, such
as high turnover resulting in a different mix of employee pay, a wide range of
raises awarded at different times, or a mix of hourly and salaried employees.
Therefore, to effectively estimate payroll expense, the auditor may need to use a
more complex relationship that considers these factors.
.11 The relationships may be between the recorded amount and either prior-year or
current-year data, using financial or nonfinancial data, including underlying
business factors. For example, the auditor may determine an expectation for (1)
current-year interest expense using current-year audited, long-term debt
amounts and interest rate information or (2) estimating budgetary gross outlays
based on known relationships with related audited proprietary accounts, such as
operating expenses, payables, and capital acquisitions, and comparing this
amount to the balance reported on the statement of budgetary resources. When
using current-year relationships, the auditor should test the data used to
develop the expectation by a method other than a substantive analytical
procedure that uses a relationship with the recorded amount.
.12 The auditor should develop a rationale for using prior-year amounts as the only
basis for the expectation. The auditor should document why, in the auditor’s
professional judgment, the prior-year amount, and any adjustments to that
amount, has a plausible and predictable relationship with the current-year
recorded amount. The auditor could consider testing any adjustments to the prior
amount, such as for the effects of inflation. Additionally, the auditor should
determine whether the prior-year amount is reliable. The easiest way to
determine this is if the prior-year amount is audited.
.13 For an example of prior-year relationship, assume that the payroll raises for the
current year were authorized at 5 percent and that the number and salary mix of
employees have remained relatively stable. In this example, the auditor may
reasonably expect current-year payroll expense to be 5 percent higher than the
prior year’s payroll expense. However, the auditor would need to test the
reliability of the percentage pay increase and the assumptions regarding the
number and mix of employees.
Data Considerations
Availability of Data
.14 Data needed to perform analytical procedures may not be readily available. The
auditor generally should determine when data will be available and the relative
ease of obtaining relevant, reliable data when determining whether analytical
procedures will be efficient and effective.
Reliability of Data
.15 The more reliable data are, the more effective analytical procedures will be as a
substantive test. In assessing the reliability of data, which is a matter of the
auditor’s professional judgment, the auditor should evaluate
• the source of the data, including whether the data are audited or unaudited;
• conditions under which the data were developed and gathered, including
related internal controls; and
• other knowledge the auditor may have about the data.
Sources of Data
.16 Data obtained from an independent source outside the entity are generally more
reliable than data obtained from inside the entity. However, the auditor should
determine if the outside information is comparable to the item being tested. This
issue of comparability is important if the auditor is using industry statistics.
.17 Data obtained from entity sources are more reliable if the sources are
independent of the accounting function and if the data are not subject to
manipulation by personnel in the accounting function. If multiple data sources are
used, the auditor should determine the reliability of all sources used.
Audited versus Unaudited Data
.18 The auditor should determine whether the data are audited or unaudited because
audited data are more reliable than unaudited data. (See FAM 600 on using the
work of others.)
.19 Unaudited data are not reliable unless the auditor performs procedures to
establish their reliability. These procedures could consist of either evaluation and
tests of controls over data production or tests of the data. The extent of such
procedures is a matter of professional judgment and should be documented. For
example, interest rates from an entity’s loan register may be used to estimate
interest income. The reliability of this information may be established by including
the interest rate on loan confirmations that are sent to the borrowers or by
reviewing original loan documents.
Conditions under Which the Data Were Gathered
.20 Another consideration for internal data is whether the data were developed under
a reliable system with adequate financial reporting or operations controls. The
auditor may test operations controls to assess the reliability of the data used for
substantive analytical procedures. The extent of this testing is a matter of the
auditor’s professional judgment.
.21 If the system used to develop internal data is computerized rather than manual,
the auditor should perform additional procedures before relying on the data. The
auditor should test either (1) the general controls and the specific application
controls over the information system that generated the report or (2) the data in
the report.
.22 An auditor may test operations controls when using entity-prepared statistics for
a substantive analytical procedure. For example, the auditor may use Air Force
statistics to test the reasonableness of its Airlift Services’ aircraft operating costs.
The auditor may compare the per hour fuel and maintenance costs for Airlift
Services’ cargo and passenger aircraft with the “block hour” costs that major
airlines incur for similar aircraft, as published in Aviation Week and Space
Technology. The auditor would first determine if the industry statistics are
comparable, for example, if the statistics are for the same or similar types of
aircraft and if the types of items included in maintenance costs are similar. The
auditor may then identify and test the internal controls over the production of
these operating statistics.
Preciseness of the Expectation
.23 The auditor should develop an expectation of the account balance that is precise
enough to provide the desired substantive assurance. When determining how
precise the expectation should be, the auditor should determine the proper
balance between effectiveness and efficiency. Any work to make the expectation
more precise than the desired level of assurance is unnecessary.
.24 If the audit objective cannot be achieved with the original expectation, the auditor
may be able to perform additional procedures to make the expectation more
precise. The preciseness of the expectation and changes in this preciseness are
difficult to measure in quantifiable terms, unless the auditor uses regression
analysis in performing the analytical procedures. The auditor generally should
consult with the audit sampling specialist before using regression analysis.
.25 Factors that influence the expectation’s preciseness follow:
• The identification and use of key factors when building the model based
on the relationships the auditor identifies. The expectation generally
becomes more precise as additional key factors are identified.
• The reliability of the data used to develop the expectation. The
expectation becomes more precise as the reliability of the data increases.
• The degree of disaggregation of the data. The expectation becomes more
precise as the disaggregation of the data increases.
495 B Example Procedures for Tests of Budget Information
.01 This section includes examples of procedures that auditors may perform in
testing budget information for the statement of budgetary resources and
reconciliation of net cost of operations to budget.
.02 In addition, if budget controls are ineffective and quantitative provisions of
budget-related laws and regulations are significant, the auditor generally should
perform audit procedures sufficient to detect material misstatements in the types
of budget information listed in FAM 460.04. Tolerable misstatement for use in
determining sample sizes is discussed in FAM 460.03.
Testing Obligations and Expended Authority Transactions
.03 The following are examples of procedures that the auditor may use to test
obligation¹⁶ and expended authority transactions for these misstatements.
Validity, accuracy/valuation, and classification assertions:
a. Select obligations recorded as of the end of the audit period and expended
authority transactions recorded during the audit period.
b. Determine if each selected item is a valid obligation or expended authority
transaction based on the criteria set forth in FAM 395 F.
c. Determine if each selected item is recorded at the accurate amount (value).
d. Determine if each selected item is properly classified in the appropriation or
fund account (also by program and by object, if applicable), including the
proper appropriation year.
e. Test upward and downward adjustments of obligations. Determine whether
selected adjustments are supported by formal decisions and any necessary
documentation that has been fully executed (e.g., SF-30 for contract
amendments). If any of these adjustments relate to closed accounts,
determine whether the adjustments comply with the requirements for closing
appropriation accounts under 31 U.S.C. §§ 1551-1558. See FAM 395 E for
guidance on the budget execution process.
¹⁶ An obligation, as defined in OMB Circular No. A-11, is a binding agreement that will result in outlays, immediately or
in the future. GAO’s Federal Budget Glossary (GAO-05-734SP) defines obligation as a definite commitment that
creates a legal liability of the government for the payment of goods and services ordered or received, or a legal duty
on the part of the United States that could mature into a legal liability by virtue of actions on the part of the other party
beyond the control of the United States. Payment may be made immediately or in the future. An agency incurs an
obligation, for example, when it places an order, signs a contract, awards a grant, purchases a service, or takes other
actions that require the government to make payments to the public or from one government account to another. As a
general rule, absent a specific statutory authority, the amount of the obligation is the maximum liability to the federal
government. An entity’s budgetary obligation is not the same as its accounting liability, which is a probable future
outflow or other sacrifice of resources as a result of past transactions or events (e.g., receipt of goods or services).
The entity’s budgetary obligation is reported on the statement of budgetary resources whereas its accounting liability
is reported on the balance sheet.
Completeness and cutoff assertions:
f. Select obligations and expended authority transactions recorded during the
period between the balance sheet date and a date near the auditor’s report
date.
g. Examine open purchase orders, unpaid invoices, and contracts as of a date
near the auditor’s report date.
h. Select items representing payments by the Department of the Treasury or
cash disbursements by the entity during the audit period. Substantive detail
test selections of expenses and additions to inventory, property, and prepaid
accounts may be used for this purpose if the populations from which they are
selected are complete.
i. For each selection, determine whether the obligation or expended authority
transaction is recorded in the proper period. If transactions are not recorded,
or are recorded in the incorrect period, determine the effects of this
misstatement on budget amounts, the evaluation of budget controls, and the
risk of material misstatement.
j. If the selected obligation or expended authority transaction relates to the
audit period and is recorded in that period, determine if it is recorded at the
proper amount and properly classified in the appropriation or fund account
(also by program and by object, if applicable), including the proper
appropriation year.
Summarization assertion:
k. Test the footing of the detail of the obligation account balance recorded as of
the end of the audit period and expended authority accounts recorded during
the audit period.
l. Reconcile the total of these details to the recorded totals for obligation and
expended authority accounts as of the end of the audit period. Audit software
is often an effective tool for footing the transactions recorded in the accounts
and for selecting items for testing.
.04 The auditor generally should coordinate the audit procedures discussed above
for testing expended authority transactions with the audit of other financial
statement amounts. For example, if appropriate, the auditor may coordinate tests
of accounts payable for completeness with the selection of subsequent
obligations and expended authority transactions described above.
Testing Outlay Transactions
.05 The following are examples of procedures that the auditor may use to test outlay
transactions. The auditor generally should coordinate these audit procedures
with the audit of the other financial statement amounts, chiefly cash
disbursements.
Validity and classification assertions:
a. Select outlays recorded during the audit period. Determine if an invoice and a
receiving report support each selected outlay. Determine the obligation that
was liquidated by the outlay.
b. Examine the support for the obligation and determine if the invoice billed for
goods or services is related to or properly “matches” the obligation and, in
turn, the appropriation.
c. Obtain the accounting data for the matched obligation, including appropriation
and year. Match these data to the type of services paid for by the selected
outlay. Determine if the related appropriation authorizes payment for the
services billed and paid.
495 C Guidance for Interim Testing
Misstatements in Interim Balances
.01 If the auditor detects unexpected misstatements when assessing the risks of
material misstatement at an interim date, the auditor should evaluate whether the
related assessment of risk and the planned nature, timing, or extent of
substantive procedures covering the remaining period need to be modified
(AU-C 330.24). (See FAM 295 D for a discussion of factors in deciding whether
to use interim substantive testing.) The auditor should determine the effects of
misstatements by evaluating relevant factors, including
a. the nature and cause of the misstatement;
b. the estimated effects on the overall line item/account balance;
c. whether the entity has subsequently corrected the misstatement; and
d. the impact of the misstatement on other parts of the audit.
.02 The auditor should discuss financial statement misstatements with entity
management. Based on the nature and cause of the misstatements detected, the
auditor should determine, and obtain supporting evidence on, whether the
misstatements are likely to occur in the remainder of the line items or account
balances at the interim testing date and at year-end. See FAM 480.35 for a
discussion of the need to project all misstatements unless evidence is highly
persuasive that a misstatement is isolated and the audit director approves.¹⁷
The auditor should request that entity management correct such misstatements
in the population. Based on the following guidance, the auditor should use
professional judgment to determine the extent to which interim testing can be
relied upon, in conjunction with substantive procedures in the roll-forward period,
to provide sufficient appropriate evidence on the year-end line item/account
balance under the following circumstances:
a. If the misstatements are not material when projected to the entire population
(projected misstatements plus an allowance for further misstatements is less
than tolerable misstatement) and are expected to be representative of the
misstatements of the year-end balance, the auditor may rely upon the results
of the interim testing.
b. If the auditor has obtained highly persuasive evidence that the misstatements
are isolated (generally by nature, cause, or extent), the auditor may be able
to rely upon unaffected parts of the interim testing and apply procedures at
year-end to test only those financial statement assertions associated with the
misstatements.
For example, in interim testing of inventory, the auditor might determine that
the misstatements concern only the valuation of inventory. Accordingly, the
auditor may rely upon other parts of the interim testing, such as those for the
accuracy of the physical count and cutoff, and perform detail valuation testing
and related procedures at year-end.
c. If the misstatements are material or pervasive, the auditor should determine
(1) whether to place any reliance on the interim testing, (2) the effect on the
risk of material misstatement, and (3) the nature and extent of substantive
procedures to be performed on the line item/account balance as of the
balance sheet date.
¹⁷ The auditor cannot assume that an instance of fraud or error is an isolated occurrence. Therefore, the consideration
of how the detection of a misstatement affects the assessed risks of material misstatement is important in
determining whether the assessment remains appropriate (AU-C 330.A76).
.03 For any misstatements found during interim testing, the auditor uses professional
judgment to evaluate, in a manner appropriate for the circumstances, the effects
on the year-end balance.
Testing the Roll-Forward Period
.04 Because the auditor reports on the financial statements as of year-end, not the
interim test date, the auditor should perform further substantive procedures or
substantive procedures combined with tests of controls (if the auditor concludes
that substantive procedures alone would not be sufficient to cover the remaining
period). The auditor should perform procedures to provide the auditor with a
reasonable basis for extending the audit conclusions from the interim date to
year-end. The auditor should perform substantive procedures of the roll-forward
period activity to the year-end balance.
For example, after interim testing of the loans receivable balance as of June 30,
the auditor may examine supporting documents for selected debits and credits to
the balance during the roll-forward period of July 1 through September 30. The
auditor may also apply analytical procedures to compare the amount of roll-forward
activity, on a month-by-month basis, with expectations based on results
for preceding months or similar periods of preceding years.
.05 The auditor should determine the nature and extent of substantive procedures
based on the assessment of risk of material misstatement and tolerable
misstatement. In some instances, the auditor may determine that a specific risk
of material misstatement warrants additional or different substantive procedures
at year-end, such as cutoff tests. If risk of material misstatement is moderate or
low, the auditor generally should determine whether the internal controls as of
the interim testing date were in place and were operating effectively during the
roll-forward period. The auditor may refer to the results of tests of financial
reporting controls, which cover the entire year under audit for significant systems.
.06 When the auditor reports on the effectiveness of controls as of a specific date
and obtains evidence about the operating effectiveness of controls at an interim
date, the auditor should determine what additional evidence concerning the
operation of the controls for the remaining period is necessary (AU-C 940.40).
The additional evidence necessary to update the results of testing from an
interim date to the entity’s period-end depends on the following factors:
a. the specific control tested prior to the as-of date, including the risks
associated with the control, the nature of the control, and the results of those
tests;
b. the sufficiency of the evidence of operating effectiveness obtained at an
interim date;
c. the length of the remaining period; and
d. the possibility that there have been any significant changes in internal control
subsequent to the interim date.
Documentation
.07 The auditor should document
a. line items/accounts and assertions to which interim testing is applied;
b. the basis for using interim testing;
c. audit procedures used to test interim balances and the roll-forward period
(including tests of controls, findings, and conclusions);
d. effects of any misstatements found during interim testing and during
roll-forward testing; and
e. conclusions on the line items as of and for the year.
495 D – Selection Methods
Selection Methods Flowcharts and Example Audit Documentation
.01 This section contains selection methods flowcharts (FAM 495 D-2–D-6) and
example audit documentation (FAM 495 D-7–D-19).
.02 Flowchart 1 (FAM 495 D-2) assists the auditor in determining the selection
method for substantive tests. Selection methods are either (1) statistical sampling
(representative of, and statistically projectable to, the population), (2)
nonstatistical sampling (representative of, but not statistically projectable to, the
population), or (3) nonstatistical selection (not representative of, and not
statistically projectable to, the population). If the auditor decides to use statistical
sampling or nonstatistical sampling, the auditor generally should consult with the
audit sampling specialist, including for selection of sampling methods, selection
of sample items, and evaluation of sampling results.
.03 Flowchart 2 (FAM 495 D-3) helps the auditor determine the type of statistical
sampling to use. The choices are (1) attribute sampling, (2) MUS, and (3)
classical variables sampling.
When testing for overstatement in the defined population and expecting a large
misstatement rate, the auditor may use classical PPS sampling. See FAM 480.29
through .30 and FAM 480.39 for further information.
.04 The remaining flowcharts are to assist the auditor in performing
• attribute sampling at FAM 495 D-4 (flowchart 3),
• MUS at FAM 495 D-5 (flowchart 4), and
• classical variables sampling at FAM 495 D-6 (flowchart 5).
.05 Examples of audit documentation for sampling are provided for
• attribute sampling at FAM 495 D-7 through D-10,
• MUS at FAM 495 D-11 through D-15, and
• classical variables sampling at FAM 495 D-16 through D-19.
Flowchart 1: Determining the Selection Method for Substantive Tests
Flowchart 2: Determining Which Type of Statistical Sampling to Use
ᵃ For GAO, large means more than 30 percent of sampling units are expected to contain misstatements. When GAO auditors expect that 10 percent or
fewer of the sampling units contain misstatements, GAO auditors use monetary unit sampling. When GAO auditors expect that 10 to 30 percent of the
sampling units contain misstatements, they consult with the audit sampling specialist.
Flowchart 3: Testing Using Attribute Sampling
Flowchart 4: Testing Using Monetary Unit Sampling
Flowchart 5: Testing Using Classical Variables Sampling
Example Audit Documentation for Attribute Sampling
Entity:
Period ended:
                During Planning        At End of Test
                Initials    Date       Initials    Date
Prepared by:
Reviewed by:
SECTION I Definition of Control Techniques and Sampling Method for Attribute Sampling
Cycle:
Application:
Control activities (from SCE worksheets):
Sampling method: [ ] Random using IDEA/other audit software
Documentation reference to IDEA/other audit software output:
[ ] Other – explain:
SECTION II Definition of Population and Attributes to Test for Attribute Sampling
Population is:
Population size: units
Attributes to test:
Document(s) to examine:
When this period is less than the entire period
under audit or where the population being
tested is less than the population in the
financial statements, describe briefly (and
cross-reference to) procedures for obtaining
satisfaction about the remainder of the
population:
List steps needed to achieve satisfaction that
the selection is from a population equivalent
to the defined population:
SECTION III Determination of Sample Size and Evaluation of Sample Results for Attribute Sampling
Control activity number | Deviation definitions (each will constitute a deviation)ᵃ | (A) Preliminary assessment of control risk (see SCEs) | (B) Sample size (per FAM Figure 450.1, IDEA, or other source) | (C) Acceptable number of deviations | (D) Number of deviations found | (E) Is result acceptable?ᵇ,ᶜ
ᵃ Insert deviation definitions and data for columns A through C for each control technique before selection of sample.
ᵇ Results are acceptable if column D is less than column C. When results are unacceptable, complete section IV.
ᶜ If the attribute sample was selected through MUS as part of multipurpose testing and all items in the MUS sample are tested for attributes,
then auditors should use IDEA’s MUS evaluation module instead of FAM Figure 450.1 to evaluate the results.
Method of testing for more than one control activity:
[ ] Use largest sample size for all key controls (generally because same documents are tested)
[ ] Use different sample sizes for different controls (using random numbers in order selected)
SECTION IV Explain Unacceptable Results and Other Control Deviations for Attribute Sampling
Deviation | Possible cause | Cycles, assertions, and accounts that could be affected | Further action taken | Conclusion/revised risk of material misstatement*
*Where the preliminary assessment of the risk of material misstatement is low, the risk may be assessed as moderate if the number of
deviations found does not exceed the acceptable number of deviations in table II of FAM Figure 450.1 for the same sample size.
SECTION V Overall Conclusions about Risk of Material Misstatement
Example Audit Documentation for MUS
Entity:
Period ended:
                During Planning        At End of Test
                Initials    Date       Initials    Date
Prepared by:
Reviewed by:
SECTION I Define Objectives and Method of Testing for MUS
Line Item:
Assertion:
Test:
SECTION II Define Population for MUS
Population is:
Population size: monetary units (dollars)
Logical unit (balance or transaction that
includes the selected dollar):
Direction of test:
Starting from (source):
Testing to (documents to be examined):
When this period is less than the entire period
under audit or where the population being
tested is less than the population in the
financial statements, describe briefly (and
cross-reference to) procedures performed to
determine that the remainder of the
population does not contain a risk of material
misstatement:
List steps needed to achieve satisfaction that
the selection is from a population equivalent
to the defined population:
Population analyzed (see FAM 480.01) by: [ ] Review of printout of population
[ ] Review of manual listing of population
[ ] IDEA/other audit software stratification
[ ] Other computer-assisted method – describe:
SECTION III Determine Sample Size and Interval for MUS
a. Total population (from Section II): __________________________________________________________________________
b. Risk of material misstatement from the LIRA: _________________________________________________________________
c. Amount of substantive audit assurance required (from audit matrix): _______________________________________________
d. Substantive assurance from analytical procedures that relate to the assertion tested: _________________________________
e. Other substantive tests of detail that relate to the assertion: _____________________________________________________
f. Minimum substantive audit assurance from detail tests: _________________________________________________________
g. For MUS using IDEA/other audit software: 1. Confidence level: _______________________________________________ %
2. Tolerable error (tolerable misstatement): $ ____________________________
3. Expected error (expected misstatement): $ ____________________________
h. Interval based on these factors is: $ ________________________________________________________________________
Random start or seed is: _________________________________________________________________________________
i. Sample size based on these factors is: ______________________________________________________________________
Audit documentation reference to: [ ] Software output (IDEA/other audit software) ___________________________
[ ] Manual computation ______________________________________________
SECTION IV Evaluation of Substantive Tests for MUS
(If many errors are found and the sample size is 75 or greater, the auditor generally should consult with the audit sampling
specialist to evaluate and document as classical PPS.)
Known Substantive Misstatements
Misstatement number | Nature of misstatement | Possible cause | (A) Book amount | (B) Audited amount | (C) Misstatement amount (A–B) | (D) Misstatement as a percentage of book amount* (C/A) | Should misstatement be projected? If not, explain:
Items greater than sampling interval
1
2
3
Total*
Items less than sampling interval
1
2
3
Total*
*Calculated amounts may be omitted if calculation was made using IDEA.
Note 1: When sampling from a different population for understatement of a primary population (such as when sampling subsequent
disbursements to test completeness of recorded accounts payable), in computing “misstatement as a percentage of book amount,” the
“book amount” is the subsequent disbursement (not the recorded payable). The audited amount is the amount that was either correctly
accrued or not correctly accrued. For example, assume the auditor finds a $10,000 subsequent disbursement that was omitted
improperly from accounts payable as of the balance sheet date. The “book amount” is $10,000 and the “audited amount” is zero, thus
the “misstatement as a percentage of book amount” is 100 percent. The “book amount” is based on the source of selection, not
necessarily what is recorded in the financial statements.
Note 2: If IDEA/other audit software selects an item twice and it is misstated, include the item twice in this listing.
Compute projected misstatements
(Omit steps E through H if computed by IDEA)
(E) Number of equivalent complete misstatements in sample from column D on previous page (excluding
misstatements found in 100% of examined items; see Note 1 on previous page): _______________________
(F) Sampling interval __________________________________________________________________________
(G) Projected misstatements (E x F) ______________________________________________________________
(H) Misstatements found in 100% of examined items _________________________________________________
(I) Total projected misstatement (G + H) (or from IDEA output) ________________________________________
(If from IDEA, document reference to IDEA output) _______________________________________________
Conclusion
Are we satisfied that book amount is free from material misstatement? [ ] Yes [ ] No [ ] Not enough evidence
If No or Not enough evidence, what will we do? Explain below:
________________________________________________________________________________________
________________________________________________________________________________________
Example Audit Documentation for Classical Variables Sampling
Entity:
Period ended:
              During Planning        At End of Test
              Initials    Date       Initials    Date
Prepared by:
Reviewed by:
SECTION I Definition Objectives and Method of Testing for Classical Variables Sampling
Line Item:
Assertion:
Test:
Description of 100% examined items:
SECTION II Define Population for Classical Variables Sampling
Population is:
Population size: Dollars
Number of items
Direction of test:
Starting from (source):
Testing to (documents to be examined):
When this period is less than the entire period
under audit or where the population being
tested is less than the population in the
financial statements, describe briefly (and
cross-reference to) procedures for obtaining
satisfaction about the remainder of the
population:
List steps needed to achieve satisfaction that
the selection is from a population equivalent
to the defined population:
Population analyzed by:
[ ] Review of printout of population
[ ] Review of manual listing of population
[ ] IDEA/other audit software stratification
[ ] Other computer-assisted method describe:
SECTION III Determine Sample Size for Classical Variables Sampling
a. Confidence level _______________________________________________________________________ %
b. Tolerable misstatement $ __________________________________________________________________
c. Precision for total population $ ______________________________________________________________
d. Strata definitions:
Stratum From To Number of Items Dollars
1
2
3
4
5
6
7
8
9
10
e. Sample size based on these factors is: ________________________________________________________
Audit documentation reference to:
[ ] IDEA/other audit software __________________________________________________________________
[ ] Other calculation _________________________________________________________________________
[ ] Pilot sample estimate _____________________________________________________________________
SECTION IV Evaluation of Substantive Tests for Classical Variables Sampling
a. Evaluation method audit documentation reference to:
[ ] IDEA/other audit software ________________________________________________________________
[ ] Other calculation _______________________________________________________________________
[ ] Spreadsheet __________________________________________________________________________
b. Estimating technique
[ ] Direct projection
[ ] Difference estimation
[ ] Separate ratio
[ ] Combined ratio
[ ] Combined regression
[ ] Other ________________________________________________________________________________
c. Point estimate $ __________________________________________________________________________
Confidence interval
From $ ______________ to $ ________________ at ________________ % confidence level
Conclusion
Are we satisfied that book amount is free from material misstatement? [ ] Yes [ ] No [ ] Not enough evidence
If No or Not enough evidence, what will we do? Explain below:
________________________________________________________________________________________
________________________________________________________________________________________
SECTION 500
Reporting Phase
Contents of the Reporting Phase
Introduction FAM
Overview of the FAM Methodology 110
Planning Phase FAM
Overview of the Planning Phase 210
Perform Preliminary Engagement Activities 215
Understand the Entity’s Operations 220
Perform Preliminary Analytical Procedures 225
Determine Materiality 230
Identify Significant Line Items, Accounts, and Assertions 235
Identify Significant Accounting Applications, Cycles, and Financial Management Systems 240
Identify Significant Provisions of Applicable Laws, Regulations, Contracts, and Grant Agreements 245
Identify Relevant Budget Restrictions 250
Identify Risk Factors 260
Determine Likelihood of Effective IS Controls 270
Identify Relevant Operations Controls to Evaluate and Test 275
Plan Other Audit Procedures 280
Plan Locations to Test 285
Documentation 290
Internal Control Phase FAM
Overview of the Internal Control Phase 310
Understand Information Systems 320
Identify Control Objectives 330
Identify and Understand Relevant Control Activities 340
Determine the Nature, Extent, and Timing of Tests of Controls and Compliance with FFMIA 350
Perform Tests of Controls and Compliance with FFMIA 360
Assess Internal Control on a Preliminary Basis 370
Other Considerations 380
Documentation 390
Testing Phase FAM
Overview of the Testing Phase 410
Design the Nature, Extent, and Timing of Further Audit Procedures 420
Design Tests 430
Perform Tests and Evaluate Results 440
Perform Sampling Control Tests 450
Perform Compliance Tests 460
Perform Substantive Procedures -- Overview 470
Perform Substantive Analytical Procedures 475
Perform Substantive Detail Tests 480
Documentation 490
Reporting Phase FAM
Overview of the Reporting Phase 510
Perform Overall Analytical Procedures 520
Reassess Materiality and Risks of Material Misstatement 530
Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports 540
Audit Exposure (Further Evaluation of Audit Risk) 545
Perform Other Reporting Phase Audit Procedures 550
Determine Whether Financial Statement Presentation is in Accordance with U.S. GAAP 560
Determine Compliance with GAO/CIGIE Financial Audit Manual 570
Draft Reports 580
Documentation 590
510 Overview of the Reporting Phase
.01 Based on the work in the preceding phases, the auditor decides how to report on,
as applicable, the entity’s
• financial statements, required supplementary information (RSI) (including
management’s discussion and analysis (MD&A)), and other information
included in the annual report;
• internal control over financial reporting;
• financial management systems’ substantial compliance with the three Federal
Financial Management Improvement Act of 1996 (FFMIA) requirements (for
Chief Financial Officers Act of 1990 (CFO Act) agencies); and
• compliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements.
The following sections provide guidance for making these determinations and
formulating the report type and form. Guidance is also provided on other
activities that the auditor should perform during the reporting phase (see
Contents).
520 Perform Overall Analytical Procedures
Purposes of Overall Analytical Procedures
.01 As the audit nears completion, the auditor should design and perform overall
analytical procedures, as discussed in AU-C 520. The purposes of these
procedures are
• to determine if an adequate understanding of all fluctuations from
expectations and relationships in the financial statements has been obtained;
or if not, to identify and resolve significant or unusual fluctuations from
expectations that have not been identified and resolved in other audit
procedures;
• to determine if other audit evidence is consistent with explanations for
fluctuations from expectations documented during overall analytical
procedures; and
• to assist the auditor when forming an overall conclusion about whether the
financial statements are consistent with the auditor’s understanding of the
entity (AU-C 520.06).
.02 If overall analytical procedures indicate that an adequate understanding of
relationships and fluctuations has not been obtained or if there are
inconsistencies in audit evidence gathered from other audit procedures, the
auditor should make further inquiries and perform sufficient testing to obtain an
adequate understanding or to resolve the inconsistencies.
.03 The auditor may perform overall analytical procedures in more detail than the
financial statement level (supplemental analytical procedures, as discussed in
FAM 475) and then use the results of these procedures to “roll up” into and
support the overall analytical procedures at the financial statement level. For
example, the auditor may perform overall analytical procedures at the account
level and roll them up to the financial statement line item to which they belong.
.04 The auditor may use analytical procedures to obtain complete or partial
substantive assurance for certain accounts or to perform supplemental analytical
procedures when detail tests are used exclusively to obtain substantive
assurance. The auditor may use information obtained during these procedures
as the basis for explanations of fluctuations for overall analytical procedures.
.05 Audit efficiency and effectiveness may be gained if the same audit staff that
conducted the detail tests on an account also conduct the supplemental
analytical procedures by building on the knowledge obtained during detail testing.
.06 The auditor generally should coordinate overall analytical procedures with the
evaluation of the MD&A, including forming conclusions about the information in it.
See FAM 280.08 for guidance on performing procedures over RSI.
Performance of Overall Analytical Procedures
.07 The auditor should achieve the purposes of overall analytical procedures
described above by taking the following actions:
a. Assessing expectations. The auditor should determine if expectations
previously developed during preliminary analytical procedures in FAM 225
are still appropriate or should be revised.
b. Comparing current-year amounts with expectations. This information may
be on a summarized level, such as the level of financial statements, or a
more detailed level, as discussed in FAM 520.03.
c. Identifying significant or unusual fluctuations from expectations that
have not already been identified and resolved. The auditor should
determine whether previously established parameters for determining
whether a fluctuation is significant are still appropriate. Parameters are
usually based on performance materiality. Unusual fluctuations include
inappropriate accounting balances (such as debit balances in liability
accounts), balances with either no current-year or no prior-year comparison,
and decreases in property accounts that would normally occur only by
disposition (instead of by misstatements) or inconsistencies with other
relevant information obtained during the audit (AU-C 520.08c). Fluctuations
identified are a matter of the auditor’s professional judgment. The auditor
should also evaluate the absence of expected fluctuations when identifying
significant fluctuations (such as lower foreclosure rates on home loans
despite higher default rates).
d. Understanding identified fluctuations from expectations. The auditor
should understand all significant fluctuations identified, obtain audit evidence
corroborating the causes, and document the causes. The documentation may
be a brief description with a reference to corroborating audit evidence. If the
auditor does not understand the cause of a fluctuation or if the understanding
is not consistent with the audit evidence, the auditor should perform
procedures to obtain an understanding or to resolve any inconsistencies.
e. Evaluating the results of overall analytical procedures. The auditor
should evaluate these results to determine if the auditor obtained an
adequate understanding of significant fluctuations from expectations and if
the financial statements are consistent with the auditor’s understanding of the
entity. If the auditor identifies a previously unrecognized risk of material
misstatement, the auditor should revise the auditor’s assessment of the risks
of material misstatement and modify the audit procedures accordingly (AU-C
520.A26).
530 Reassess Materiality and Risks of Material Misstatement
.01 In the planning phase, the auditor determined materiality for the financial
statements as a whole based on preliminary information. Based on this
materiality, the auditor determined performance materiality and tolerable
misstatement, which affected the extent of audit testing. Also in planning, the
auditor assessed the risks of material misstatement by assertion. During the
audit, the auditor may have revised these determinations and assessments if
better information became available.
.02 Based on AU-C 450.10, before the end of the audit, prior to evaluating the effect
of uncorrected misstatements, the auditor should reassess materiality to confirm
whether it remains appropriate in the context of the entity’s final financial
statements. If the reassessment of materiality results in a lower amount (or
amounts), then the auditor should reconsider performance materiality and the
appropriateness of the nature, timing, and extent of the further audit procedures
in order to obtain sufficient appropriate audit evidence on which to base the audit
opinion.
.03 Before the conclusion of the audit, the auditor should also reassess, based on
the audit procedures performed and the audit evidence obtained, whether the
assessments of the risks of material misstatement at the relevant assertion level
remain appropriate (AU-C 330.27). The auditor should determine whether the
overall audit strategy and audit plan need to be revised
• if the aggregate of misstatements accumulated during the audit approaches
materiality (AU-C 450.06b) (see FAM 540) or
• if the nature of the identified misstatements and the circumstances of their
occurrence indicate that other misstatements may exist that when aggregated
with misstatements accumulated during the audit, could be material (AU-C
450.06a).
In addition, if material weaknesses or other significant deficiencies are identified,
the auditor should consider their implications on this risk assessment.
.04 The auditor should update the fraud risk evaluation throughout the audit because
evidence gathered later in the audit could change or support an earlier judgment
about fraud risks. For example, the auditor may identify discrepancies in the
accounting records or conflicting or missing evidence.
.05 The auditor should evaluate, at or near the end of the audit, whether the
accumulated results of auditing procedures affect the assessment of the risks of
material misstatement due to fraud made earlier in the audit or indicate a
previously unrecognized risk of material misstatement due to fraud. In this case,
the auditor should evaluate the need for additional or different audit procedures.
If not already performed when forming an overall conclusion, the analytical
procedures relating to revenue should be performed through the end of the
reporting period (AU-C 240.34). The auditor should
• perform overall analytical procedures related to revenue, if revenue is (or is
expected to be) material;
• evaluate whether overall analytical or other substantive procedures indicate a
previously unrecognized fraud risk;
• evaluate whether responses to inquiries during the audit have been vague,
implausible, or inconsistent with other evidence; and
• evaluate other evidence gathered during the audit.
.06 Based on these reassessments, the auditor should determine whether the
nature, extent, and timing of substantive audit procedures were sufficient and
appropriate, such as the sample sizes used in detail tests and the limit used for
investigating differences identified in substantive analytical procedures. When the
auditor has questions regarding the sufficiency or appropriateness of audit
evidence, the auditor should consult with the reviewer to determine the need for
additional procedures.
.07 When the auditor determines whether an opinion can be expressed on the
financial statements, the auditor should evaluate any limitations on the nature,
extent, or timing of work performed. Additional guidance on scope limitations and
their impact is provided in FAM 580.03 through .08. Also see FAM 545 for further
evaluation of audit risk.
540 Evaluate Effects of Misstatements on Financial Statements and Auditor’s Reports
.01 The auditor might detect misstatements during substantive tests or other
procedures. The auditor should accumulate misstatements identified during the
audit, other than those that are clearly trivial (AU-C 450.05), and evaluate
misstatements individually and in the aggregate in both quantitative and
qualitative terms.
.02 Based on the evaluation of all misstatements, the auditor should determine
whether the overall audit strategy and audit plan need to be revised (AU-C
450.06), as discussed in FAM 530. Additionally, the auditor should determine the
effects of accumulated misstatements on the financial statements, notes, and the
auditor’s conclusions and reports. See FAM 595 C for additional details on
evaluating misstatements.
.03 As discussed in AU-C 330, the auditor should not assume that an instance of
fraud or error is an isolated occurrence and therefore should evaluate how the
detection of the misstatement affects the assessed risks of material
misstatement, including (1) the related nature, extent, and timing of substantive
audit procedures and (2) the audit evidence of the operating effectiveness of
relevant controls, including the entity’s risk assessment and monitoring process.
In addition to evaluating the effects of misstatements on the financial statements
and notes, the auditor should evaluate the effects of misstatements on the
following:
a. The auditor’s conclusions on internal control (see FAM 580.56–.85).
The auditor should determine whether the misstatements indicate control
deficiencies that had not been previously identified, whether the assessment
of the controls and the risk of material misstatement at the relevant assertion
level remain appropriate, whether audit procedures are appropriate in light of
any revisions to the risks of material misstatement, and whether the
categorization of control deficiencies for reporting purposes is appropriate
(whether they are material weaknesses or other significant deficiencies).
b. The consideration of the risks of material misstatement due to fraud (see
FAM 540.20–.23).
The auditor should determine whether to change the risk of material
misstatement due to fraud determined during planning, based on the
accumulated results of audit procedures.
c. The auditor’s evaluation of the financial management systems’ substantial
compliance with the three FFMIA requirements, if applicable (see FAM
580.86–.90).
The auditor should evaluate the effects of misstatements on the auditor’s
conclusions with respect to the financial management systems’ substantial
compliance with the three FFMIA requirements.
d. The entity’s compliance with significant provisions of applicable laws,
regulations, contracts, and grant agreements (see FAM 580.91–.99).
The auditor should evaluate the effects of misstatements on the auditor’s
conclusions with respect to the entity’s compliance with significant provisions
of applicable laws, regulations, contracts, and grant agreements.
e. Budget formulation and execution.
The auditor should evaluate the effects the misstatements have on budget-
related matters for purposes of reporting budget control deficiencies,
reporting on the statement of budgetary resources and reconciliation of net
cost to budget note, and reporting on compliance with applicable budget-
related provisions of laws and regulations.
f. Other reports.
The auditor should consider whether to report the potential effects of the
misstatements and any related control deficiencies on other reports prepared
by the entity that are (1) used for management decision-making or (2)
distributed outside the entity.
.04 FAM 475 (substantive analytical procedures) and FAM 480 (substantive detail
tests) discuss the evaluation of individual misstatements from a quantitative
standpoint.
The auditor should accumulate all misstatements in the financial statements and
notes that are above clearly trivial (even those adjustments that the auditor
identified and management corrected during the audit). If the auditor judges an
individual misstatement to be material, the auditor generally should not offset
other misstatements against it.¹ Following that guidance, the auditor should
quantify the effects of the misstatement. See AU-C 450.11.
Based on AU-C 450.A6, to assist in evaluating the effects of misstatements
accumulated during the audit and in communicating misstatements to
management and those charged with governance, the auditor generally should
use the following categories to classify each misstatement:
• Factual misstatements. Misstatements about which there is no doubt.
This includes identified factual misstatements arising from nonstatistical
selections or other nonstatistical tests.
• Judgmental misstatements. Differences arising from the judgments of
management, including those concerning recognition, measurement,
presentation, and disclosure in the financial statements (including the
selection or application of accounting policies), that the auditor considers
unreasonable or inappropriate. This includes identified judgmental
misstatements arising from nonstatistical selections or other nonstatistical
tests.
• Projected misstatements. The auditor’s best estimate of the amount of the
misstatements in populations, involving the projection of misstatements
identified in statistical audit samples to the entire population from which the
samples were drawn.
¹ For example, if assets have been materially overstated, the financial statements as a whole will be materially
misstated, even if the effect of the misstatement on net position is completely offset by an equivalent overstatement
of liabilities. It may be appropriate to offset misstatements within the same account balance or class of transactions;
however, the risk that further undetected misstatements may exist is considered before concluding that offsetting
even immaterial misstatements is appropriate. See AU-C 450.A26.
.05 The auditor should also accumulate all corrected misstatements throughout the
audit period. The auditor should evaluate the corrected misstatements and
consider whether the misstatements indicate (1) an increased risk in internal
control over financial reporting, (2) an increased risk of material misstatement, or
(3) the potential existence of further undetected misstatements.
.06 Misstatements in qualitative note disclosures that are not clearly trivial (based on
consideration of size, nature, or circumstances) are also accumulated to assist
the auditor in evaluating the effect of such misstatements on the relevant
disclosures and the financial statements as a whole (AU-C 450.A4). When
determining whether qualitative disclosures may be material, each individual
misstatement is considered to evaluate its effect on the relevant disclosures, as
well as its overall effect on the financial statements as a whole. The
determination of whether a misstatement in a qualitative disclosure is material, in
the context of the applicable financial reporting framework (i.e., U.S. generally
accepted accounting principles (U.S. GAAP)) and the specific circumstances of
the entity, is a matter that involves the exercise of professional judgment.
Examples of misstatements that may be material include
• inaccurate or incomplete descriptions of information about the objectives,
policies, and processes for managing budgetary resources;
• the omission of information about the events or circumstances that have led
to an impairment loss;
• incorrect description of an accounting policy relating to a significant item in
any of the statements that the financial statements comprise; and
• an inadequate description of the sensitivity of an exchange rate (AU-C
450.A23).
Accumulate Misstatements
.07 To evaluate the aggregate effects of misstatements on the financial statements,
the auditor should accumulate misstatements identified during the audit, other
than those that are clearly trivial (AU-C 450.05), and generally should classify
each misstatement as factual, judgmental, or projected on the Summary of
Uncorrected Misstatements (before discussion with management). An example
of this summary is shown in FAM 595 C, example 1. This includes any
misstatements that the entity brings to the auditor’s attention that have not been
corrected in the financial statements.
.08 If, during the audit of the current period, the auditor detects a misstatement that
arose in a prior period but was not previously detected, the auditor should include
the misstatement in the Summary of Uncorrected Misstatements and bring it to
management’s attention. The auditor should determine if the misstatement,
together with other uncorrected misstatements, is material to the prior-period
and/or current-period financial statements. The auditor should gather sufficient
information to evaluate the cumulative effects, as well as the current-year
change, related to the misstatement on beginning and ending balances, such as
those for balance sheet accounts, as well as the related impact on the current
year’s activity, such as that shown on the statement of net cost. If the
misstatement is material, the auditor should consult with the reviewer to
determine the effect on the current-period statements and the auditor’s report.
Also see FAM 580.110 regarding financial statement restatements.
.09 The auditor should quantify and evaluate misstatements on the financial
statement line items under both the rollover and iron curtain approaches,
including consideration of the effects on the current-period financial statements of
any misstatements related to prior periods on the relevant classes of
transactions, account balances, or note disclosures and the financial statements
as a whole. Subsequently, the auditor generally should propose an adjusting
entry when either approach results in quantifying a misstatement that is above
clearly trivial, after considering all relevant quantitative and qualitative factors.
The rollover approach quantifies a misstatement based on the amount of the
misstatement originating in the current-year statement of net cost. Thus, this
approach ignores the effects of correcting the portion of the current-year balance
sheet misstatement that originated in prior years. Misstatements originating in the
current year, as quantified in the rollover approach, consist of (1) misstatements
arising in the current year (for example, an understatement of current-year
payroll expenses identified in the testing of these expenses) and (2)
misstatements arising in prior periods that affect the current year (for example,
an understatement of current-year nonpayroll expenses from a cutoff error in the
prior year). The iron curtain approach quantifies a misstatement based on the
effects of correcting the misstatement existing in the balance sheet at the end of
the current year, irrespective of the misstatement’s year of origination. Both
approaches quantify the effects of misstatements arising in the current year
identically; however, the approaches quantify misstatements arising in prior
periods differently.
For example, the auditor identifies an expense cutoff error in which $200,000 of
expenses related to the following year were recorded in the current year, thereby
overstating other liabilities by $200,000 at the end of the current year. In addition,
a similar cutoff error existed at the end of the prior year, in which $300,000 of
expenses related to the current year were included in the prior year.
• Under the rollover approach, the auditor would only consider the effect of the
misstatement on the current year statement of net cost. Therefore, in this
example, the auditor would quantify (1) the effect of the $200,000
overstatement of expenses arising in the current year, offset by (2) the effect
of the reversal of the $300,000 understatement of expenses included in the
prior year that should have been incurred in the current year.
• Under the iron curtain approach, the auditor instead quantifies the
misstatement based on correcting the misstatement in the balance sheet at
the end of the current year. Therefore, in this example, the auditor would
quantify the effect of only the $200,000 misstatement to other liabilities as of
the end of the current year.
See FAM 595 C for an illustration of these approaches. Also see Securities and
Exchange Commission Staff Accounting Bulletin No. 108 for additional
discussion and examples.
.10 The financial statements usually include various accounting estimates made by
management, such as the recoverability of assets (through allowances for
doubtful accounts receivable or loans) and liabilities for loan guarantees. The
auditor should evaluate, based on the audit evidence, whether the accounting
estimates in the financial statements are either reasonable in the context of the
applicable financial reporting framework (U.S. GAAP) or are misstated (AU-C
540.18). If the recorded amount falls outside a range of amounts that the auditor
determines is reasonable, the auditor generally should include at least the
difference between the recorded amount and the closest end of the auditor’s
range as a judgmental misstatement in the Summary of Uncorrected
Misstatements (AU-C 540.A122).
Review Misstatements with Management
.11 After accumulating and summarizing the misstatements on the Summary of
Uncorrected Misstatements (an example of which is at FAM 595 C, example 1)
(AU-C 450.12b) the auditor should, on a timely basis, take the following actions:
a. Communicate all these misstatements accumulated during the audit with
appropriate entity management. This includes communicating factual,
judgmental, and projected misstatements (AU-C 450.07).
b. Request that entity management adjust the entity’s financial statements and
underlying records to correct all misstatements accumulated during the audit
(AU-C 450.07).
c. For misstatements that are material either individually or when aggregated
with other misstatements, request that entity management examine the
classes of transactions, account balances, or note disclosures to identify and
quantify the amount of related misstatements. This may also help determine
the cause of the misstatements. The auditor should then test management’s
procedures and the amount of the proposed adjustment to determine the
reasonableness of the amount. The auditor should perform additional audit
procedures, if needed, to determine whether misstatements remain (AU-C
450.08). Entity management may establish valuation allowances for projected
misstatements, net of factual misstatements (since the projected
misstatement represents the best estimate of the total correction needed).[2]
For judgmental misstatements involving differences in estimates, the auditor
may share the assumptions and methods used to develop the estimate with
management so that management can revise its estimate.
d. Communicate all misstatements accumulated during the audit with those
charged with governance, including the following information:
• The effect that the misstatements, individually or in the aggregate, may
have on the opinion in the auditor’s report. The auditor’s communication
should identify material uncorrected misstatements individually (see FAM
595 C, example 1). The auditor should request that uncorrected
misstatements be corrected (AU-C 260.13a). When there are a large
number of individually immaterial uncorrected misstatements, the auditor
may communicate the number and overall monetary effect of the
uncorrected misstatements, rather than the details of each uncorrected
misstatement (AU-C 260.A38). The auditor may discuss the reasons for,
and the implications of, failing to correct misstatements, taking into
account the size and nature of the misstatement judged in the
surrounding circumstances and possible implications with regard to future
financial statements (AU-C 260.A39).
• The effect of uncorrected misstatements related to prior periods on the
relevant classes of transactions, account balances, or note disclosures
and the financial statements as a whole (AU-C 260.13b).
• That uncorrected misstatements or matters underlying those uncorrected
misstatements could potentially cause future-period financial statements
to be materially misstated, even if the auditor has concluded that the
uncorrected misstatements are immaterial to the financial statements
under audit (AU-C 260.13c).
• Material, corrected misstatements that were brought to the attention of
management as a result of audit procedures (see FAM 595 C, example 3)
(AU-C 260.14a).
[2] Generally, entities resist booking projected misstatements, citing no supporting transactions. However, the amount
can be booked through a general journal entry and reversed the following year.
.12 In presenting the misstatements to management, the auditor generally should
remind management that AU-C 580 requires the entity to indicate in the
management representation letter that the uncorrected misstatements
aggregated by the auditor, both individually and in the aggregate, are not
material to the financial statements as a whole. AU-C 580 also requires that a
summary of the uncorrected misstatements be attached to the representation
letter. Attaching this summary is further discussed in FAM 1001 and presented in
the example representation letter at FAM 1001 A. Thus, management may
consider some of the same factors presented in FAM 540.13 through .20.
Consider the Effects of Uncorrected Misstatements on the
Financial Statements
.13 If management does not correct the financial statements, the auditor should
obtain an understanding of management’s reasons for not making the corrections
and whether the uncorrected misstatements are considered material. The auditor
should take that understanding into account when evaluating whether the
financial statements as a whole are free from material misstatement (AU-C
450.09). The auditor should update the Summary of Uncorrected Misstatements
to reflect the uncorrected misstatements after discussions with management
(FAM 595 C, example 2) (AU-C 450.12b).
.14 If entity management declines to record adjustments for any identified
misstatements, the auditor should determine the effects of these uncorrected
misstatements, individually and in the aggregate, on the financial statements,
including the effect on individual line items (even if the amount is netted in the
line item). The auditor should also consider the effect on the financial statement
audit opinion in both quantitative and qualitative terms.
.15 If management disagrees with the auditor’s judgmental and projected
misstatements, and if the disagreement involves amounts that are material, the
auditor should again request that entity management perform procedures, such
as reviewing all or substantially all of the items in the relevant population, to
determine its own estimated amount of the misstatement and provide more
assurance as to the auditor’s estimate, if the entity has not yet done so. If the
entity determines its own estimate of the misstatement, the auditor should test
management’s procedures and conclusions and determine whether additional
audit procedures are necessary.
If management refuses to perform the necessary investigation, the audit director
may decide not to expend additional time and audit resources to resolve the
disagreement because, for example, additional testing is unlikely to provide
different conclusions.
• If the auditor believes that the auditor’s estimate is sufficiently accurate, the
auditor should express a qualified or adverse opinion, depending on the
materiality and pervasiveness of the item to the financial statements as a
whole.
• If the auditor believes that the auditor’s estimate is not sufficiently accurate,
the auditor should express a qualified or disclaimer of opinion for a scope
limitation, depending on the materiality and pervasiveness of the item to the
financial statements as a whole.
The auditor should document an overall evaluation, including decisions reached,
of any management disagreement with the misstatements.
.16 If the total of uncorrected misstatements is material, the auditor should modify
the opinion on the financial statements (see FAM 580.09). Deciding how to
modify the opinion based on the materiality of total uncorrected misstatements
involves significant auditor judgment. The decision and the basis for it should be
documented. The audit director should be involved in the decision and review the
documentation related to it. Also, the reviewer should review and approve the
documentation of the decision.
Misstatements, either individually or in the aggregate, are material if, in light of
surrounding circumstances, it is probable that the judgment of a reasonable
person relying on the information would have been changed or influenced by the
correction of the items. The concept of materiality includes both quantitative and
qualitative considerations, as further discussed in FAM 230 and FAM 545.
.17 When determining whether uncorrected misstatements are material, either
individually or in the aggregate, to the financial statements, the auditor should
consider the
• size and nature of the misstatements, both in relation to particular classes of
transactions, account balances, or note disclosures in the financial
statements and in relation to the financial statements as a whole, and the
particular circumstances of their occurrence, and
• effect of uncorrected misstatements related to prior periods on the relevant
classes of transactions, account balances, or note disclosures and the
financial statements as a whole (AU-C 450.11).
If the auditor provides assurance on any combining statements and supplemental
schedules in relation to the financial statements as a whole, the auditor should
determine whether these statements and schedules are materially misstated due
to uncorrected misstatements.
.18 Although there is a point at which total uncorrected misstatements would
generally be considered material, there is no single amount that can be used for
the auditor’s decision to modify the opinion. The auditor should follow a process
that considers various factors in reaching this decision. See FAM 545, if
applicable.
Qualitative Considerations
.19 The auditor should also evaluate appropriate qualitative aspects when
determining the effect of uncorrected misstatements on the auditor’s report. The
circumstances related to some misstatements may cause the auditor to evaluate
them as material, individually or when considered together with other
misstatements accumulated during the audit, even if they are quantitatively lower
than materiality for the financial statements as a whole. Circumstances that may
affect the evaluation include the extent to which a misstatement has the following
attributes:
a. Is considered sensitive to financial statement users, that is, the Congress, the
public, influential special interest groups, and interested foreign governments.
b. Offsets other misstatements in the aggregate but is individually significant.
c. Has a significant effect on the RSI (including the MD&A presented by
management) and other information.
d. Affects compliance with laws and regulations.
e. Affects compliance with contracts or grant agreements.
f. Relates to the incorrect selection or application of an accounting policy that
has an immaterial effect on the current period’s financial statements but is
likely to have a material effect on future periods’ financial statements.
g. Affects segment information presented in the financial statements (for
example, the significance of the matter to a segment or other portion of the
entity’s business that has been identified as playing a significant role in the
entity’s operations or profitability).
h. Represents an omission of information not specifically required by the
applicable financial reporting framework (U.S. GAAP) but that in the
professional judgment of the auditor is important to the users’ understanding
of the financial position, financial performance, or cash flows of the entity.
i. Affects other information that will be communicated in the annual report (for
example, information to be included in an MD&A) when there is a substantial
likelihood that the other information would influence the judgment made by a
reasonable user based on the financial statements.
j. Is currently immaterial but is likely to have a material effect in future periods
because of a cumulative effect, for example, that builds over several periods.
k. Is too costly to correct. It may not be cost beneficial for the entity to develop a
system to calculate a basis to record the effect of an immaterial
misstatement. On the other hand, if management appears to have developed
a system to calculate an amount that represents an immaterial misstatement,
it may reflect a motivation of management.
l. Represents a risk that possible additional undetected misstatements would
affect the auditor’s evaluation.
m. Changes a loss into income or vice versa.
n. Heightens the sensitivity of the circumstances surrounding the misstatement
(for example, the implications of misstatements involving fraud, conflicts of
interest, or noncompliance with laws, regulations, contracts, or grant
agreements).
o. Relates to the definitive character of the misstatement (for example, the
precision of an error that is objectively determinable as contrasted with a
misstatement that unavoidably involves a degree of subjectivity through
estimation, allocation, or uncertainty).
p. Indicates the motivation of management (for example, (i) an indication of a
possible pattern of bias by management when developing and accumulating
accounting estimates, (ii) a misstatement precipitated by management’s
continued unwillingness to correct weaknesses in the financial reporting
process, or (iii) an intentional decision not to follow the applicable financial
reporting framework (U.S. GAAP)).
q. Involves proprietary or sensitive information, such as protected health
information, federal taxpayer information, or classified national security
information.
r. Affects financial markets, the U.S. economy, or political decisions, such as
controversial pending legislation or an upcoming election.
s. Indicates selective correction by management of certain misstatements
brought to its attention during the audit (for example, correcting
misstatements with the effect of increasing reported earnings but not
correcting misstatements that have the effect of decreasing reported
earnings).
These circumstances are only examples; not all are likely to be present in all
audits nor is the list necessarily complete. The existence of any circumstances
such as these does not necessarily lead to a conclusion that a misstatement is
material. See AU-C 450.A28 for further examples.
Evaluate Whether Identified Misstatements Indicate Fraud
.20 The auditor should evaluate whether identified misstatements might indicate
fraud. If such an indication exists, the auditor should evaluate the implications of
the misstatement with regard to other aspects of the audit, particularly the
auditor’s evaluation of materiality, management and employee integrity, and the
reliability of management representations, recognizing that an instance of fraud is
unlikely to be an isolated occurrence (AU-C 240.35). If, preliminarily, the auditor
believes that a misstatement is or might be the result of fraud, the auditor should
consult with the audit director and the reviewer, who should determine whether to
seek assistance from the Special Investigator Unit or the Office of the General
Counsel (OGC). If performing the audit under contract, the auditor should consult
with the Assistant Inspector General for Audit or the GAO managing director who
has responsibility for the audit. If, on the basis of evidence obtained, the auditor
believes that an instance of fraud (or significant abuse) has occurred or is likely
to have occurred, the auditor should
• consult with the Special Investigator Unit and OGC (or if performing the audit
under contract, consult with the Assistant Inspector General for Audit or the
GAO managing director),
• include relevant information in the audit report unless the instance is clearly
inconsequential, and
• determine that those charged with governance are adequately informed.
If the auditor has identified or suspects fraud, the auditor should determine
whether the auditor has a responsibility to report the occurrence or suspicion to a
party outside the entity. Although the auditor’s professional duty to maintain the
confidentiality of client information may preclude such reporting, the auditor’s
legal responsibilities may override the duty of confidentiality in some
circumstances (AU-C 240.42 and GAGAS (2018) 6.53-6.56). In some
circumstances, the auditor may be required by law or regulation to report directly
to outside parties about fraud (or significant abuse). The auditor may limit public
reporting to matters that would not compromise any related investigative or legal
proceedings (GAGAS (2018) 6.49).
.21 If a misstatement is or might be the result of fraud and the effect is not material to
the financial statements, the auditor should evaluate the implications, especially
those regarding the organizational position and responsibilities of the individual
involved. If the matter involves a relatively low-level employee who is not
responsible for significant activities (for example, a misappropriation from a small
petty cash fund by a nonmanagement employee), the auditor may conclude that
the matter has little significance to the audit. However, if the auditor identifies a
misstatement, whether material or not, and the auditor has reason to believe that
it is, or may be, the result of fraud and that management (in particular, senior
management) is involved, the auditor should reevaluate the assessment of the
risks of material misstatement due to fraud and its resulting effect on the nature,
timing, and extent of audit procedures to respond to the assessed risks (AU-C
240.36). The auditor should evaluate whether (1) the misstatement is
qualitatively material and (2) it might indicate a more pervasive problem.
Accordingly, the auditor should reevaluate the assessment of fraud risk, as well
as the risk of material misstatement, and the resulting effects on the nature,
extent, and timing of substantive procedures. The auditor should also consider
whether circumstances or conditions indicate possible collusion involving
employees, management, or third parties when reconsidering the reliability of
evidence previously obtained (AU-C 240.36). Regardless of the level of the
employee involved, the auditor should report the potential fraud to at least the
next level of management. In addition, the auditor should reach an understanding
with those charged with governance regarding the nature and extent of
communications with them about fraud perpetrated by lower-level employees.
.22 If a misstatement is or might be the result of fraud and either the effect could be
material or the auditor is unable to determine whether the effect is material, the
auditor should
• attempt to obtain additional evidential matter to determine whether material
fraud has occurred or is likely to have occurred and its effect on the financial
statements and the related audit report;
• evaluate the implications for other aspects of the audit, including reevaluating
the assessment of risks and the resulting effects on testing, as described in
the preceding paragraph (AU-C 240.35 and .36);
• discuss the matter and the approach for further investigation with at least the
next higher level of entity management and with senior management and
those charged with governance; and
• determine whether to advise entity management to consult with its legal
counsel.
.23 The auditor should discuss in the audit report any fraud that causes a material
misstatement of the financial statements. In addition, depending on the
circumstances, fraud (material or immaterial) could affect the quality of
management’s representations and the auditor’s reports on the financial
statements; internal control over financial reporting; and compliance with
significant provisions of applicable laws, regulations, contracts, and grant
agreements. The auditor should consult with the audit director and the reviewer
and should report the matter to those charged with governance.
Reporting Phase
545 Audit Exposure (Further Evaluation of Audit Risk)
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 545-1
545 Audit Exposure (Further Evaluation of Audit Risk)
.01 At the beginning of the audit, performance materiality (which, as defined, is one
or more amounts) was set to reduce to an appropriately low level the probability
that the aggregate of uncorrected and potential undetected misstatements in the
financial statements exceeds materiality for the financial statements as a whole
(AU-C 320.09). Before the conclusion of the audit, the auditor should consider
any potential further misstatement to the financial statements as a whole by
accumulating the total of uncorrected misstatements plus an overall allowance
for undetected misstatements. If the aggregate of misstatements accumulated
during the audit approaches materiality, a greater than acceptably low level of
risk may exist that possible undetected misstatements, when taken with the
aggregate of uncorrected misstatements accumulated during the audit, could
exceed materiality (AU-C 450.A8). It is important to evaluate the potential further
misstatement amount in relation to materiality for the financial statements as a
whole (see FAM 230.06) and the relative importance of the misstated items to
readers of the financial statements (qualitative and mitigating aspects).
Therefore, the auditor should determine whether its audit exposure (audit
exposure is the combination of detected misstatements, possible undetected
misstatements, and qualitative aspects) is material to the financial statements.
Evaluation
.02 The auditor may or may not detect misstatements during substantive tests or
other procedures performed during the audit (see FAM 540). However, the
auditor should evaluate the risk of potential undetected misstatement, which is
due to the imprecision of audit procedures. This risk includes such things as the
following:
a. Unaudited amounts/accounts that were considered to be individually
immaterial and were not tested on that basis (untested amounts). The auditor
should include all untested amounts/accounts, including those that are clearly
trivial. All untested amounts are considered to be 100 percent overstated for
this evaluation. Further, if the auditor believes there is a risk of material
understatement, the auditor should include the amount of potential
understatement (if the amount is not quantifiable, see FAM 545 A.20).
b. The sampling precision associated with statistical samples selected for
substantive tests of financial statement balances (or, if no statistical samples
are selected, including an allowance equal to performance materiality).[3]
c. An allowance for the imprecision of substantive analytical procedures on
which the auditor placed complete reliance.
Totaling the amounts from these aspects with any uncorrected misstatements
(FAM 540) provides a conservative quantitative estimate of the potential amount
of misstatement to the financial statements as a whole, which affects audit
exposure. For example, if the aggregate uncorrected misstatement is $10 million
and the allowance for imprecision of audit procedures is probably no more than
$5 million, the auditor should determine whether the total of $15 million materially
misstates the financial statements as a whole. The auditor should consult the
reviewer in considering these issues.
[3] An audit sampling specialist may perform or be consulted on all statistical calculations.
.03 For any notes to the financial statements containing misstatements (other than
those that are clearly trivial quantitatively or qualitatively) or for which there is a
risk of significant potential undetected misstatements, the auditor should assess
the significance of and document any such misstatements and potential
undetected misstatements.
.04 The auditor may also consider any other aspects that may increase the risk of
potential undetected misstatements and also consider any mitigating factors that
may lower the risk of misstatement.
.05 See FAM 545 A for a template that the auditor can use to conduct this analysis.
Reporting Phase
545 A Further Evaluation of Audit Risk Template
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 545 A-1
545 A Further Evaluation of Audit Risk Template
.01 This template is a tool that the auditor can use to conduct the analysis described
in FAM 545. The template consists of four sections: (I) Conclusions, (II)
Consideration of Quantitative Factors, (III) Consideration of Notes to the
Financial Statements, and (IV) Consideration of Other Factors. In each section,
blank rows may be used, and if needed, more rows added for additional factors
specific to any given audit.
Consideration of Quantitative Factors
Overall
.02 Amounts that do not affect the materiality (benchmark) will be entered to column
C for each financial statement in the tables below.
a. Untested amounts and allowance for the imprecision of analytical procedures
on which complete substantive reliance was placed (see FAM 470.06) will be
entered at absolute value (simple addition with no +/- signs).
b. Uncorrected misstatements that do not affect the benchmark will first be
netted for each line item, and then the amount for all the line items will be
accumulated at absolute value and the total entered to column C.
c. Sampling precision associated with statistical samples selected to test
balances that do not affect the benchmark will be statistically combined with
the assistance of the audit sampling specialist, and the result entered to
column C. For any financial statement on which the benchmark does not
appear, all amounts will be entered to column C. Hence, in such cases,
column D will not be needed, and “N/A” can be entered in each row. Amounts
related to balances that do affect the benchmark will be entered in column D.
In these cases, untested amounts, limits related to analytical tests upon
which we placed 100 percent substantive reliance, and uncorrected
misstatements will all be added or netted, as appropriate, to determine their
actual effect on the benchmark and the results entered in column D.
Combined sampling precision calculations related to balances that do affect
the benchmark will be done the same way as for those balances that do not
affect the benchmark (above), except that they will be entered in column D.
So on any financial statement that includes the benchmark and also reports a
mixture of balances that do, and do not, affect the benchmark (and were
subject to statistical sampling), two separate sample combination calculations
will be needed, one for column C and one for column D. To illustrate some
of these principles:
• If the designated materiality benchmark is total assets, only the balance
sheet will use column D at all because total assets does not appear on
any other financial statement. On the balance sheet itself, the net
exposure amount (debits less credits) to assets will appear in column D
because it affects total assets. However, the amount of exposure to
liabilities will be calculated separately at absolute value (rather than net
value) and entered in column C because it does not affect total assets.
• If the designated materiality benchmark is net position, the balance sheet
and the statement of changes in net position will both only use column D
because both statements include net position, and all of their line items
affect it. Hence, in both cases, column C will not be used, and “N/A” can
be entered in each row. On all other financial statements, net position
does not appear, and hence, the reverse will be true: Column D will be
N/A, and only column C will be used. Because both assets and liabilities
affect net position, the amount of exposure to each will be netted as
described above and entered in column D for untested amounts,
analytical limits, and uncorrected misstatements to arrive at the amount to
the benchmark.
.03 Use of column C. Calculate the net uncorrected misstatements for each
individual line item, as indicated above, and enter the result where directed. For
all other amount elements, calculate the absolute value (eliminate +/- signs and
add them up) of all individual amounts, and enter the result where directed. For
example, if you have a $50 untested liability, and a $20 untested asset, you enter
$70 on the untested amounts line. Similarly, if you have a total reliance analytical
procedures limit of $30 related to one liability line item, and a total reliance
analytical procedures limit of $60 related to another liability line item, you
enter $90 as the related amount. Because it is absolute value, debit/credit,
asset/liability, and cost/revenue distinctions are irrelevant; remove the +/- signs
and add them up. Combined sampling precision calculations generally should be
performed by the audit sampling specialist. Auditors will need to identify
situations where a financial statement includes both balances that do, and do
not, affect the materiality benchmark. If both types of line items exist
and both were subject to statistical sampling, separate sample combination
calculations would become necessary for each, so that the results can be split
between columns C and D.
.04 Use of column D. Calculate the net effect (debits less credits) of each factor on
the materiality benchmark, as described above, and enter the result. The
question of what affects the benchmark depends on what benchmark is selected.
For example, assume that the selected materiality benchmark on the balance
sheet is total assets, and you have four untested asset amounts totaling $50, and
two allowances (contra-assets) totaling $40, you net the two against each other,
and enter $10 on the untested amounts line as the potential undetected
misstatement. Combined sampling precision calculations would be done the
same way, except that auditors will need to identify whether there are tests of
balances that do, and do not, affect the materiality benchmark. If multiple line
items were subject to statistical sampling, separate sample combination
calculations would become necessary for each, so that the results can be split
between columns C and D.
.05 Do not separately calculate an exposure amount for financial statement line
items, such as subtotals and totals, cumulative results of operations, and net
position, as the amount of exposure related to these is shown elsewhere.
.06 On the statement of budgetary resources (SBR), audit exposure will be
calculated separately for each of its sections. Within each of the three sections,
the results of all statistical samples selected will be statistically combined, which
generally should be done with the assistance of the audit sampling specialist.
Evaluation of Uncorrected Misstatements
.07 For each line item of each financial statement, calculate the net effect (debits
less credits) of uncorrected misstatements, if any. Include only the misstatements
from nonstatistical selections or other nonstatistical tests (factual and
judgmental). The estimated effect of the outcome of statistical tests will be
included in the sampling precision calculations below.
.08 For uncorrected misstatements that do not affect the materiality benchmark,
calculate the absolute value of the amounts calculated above for each financial
statement (i.e., once you have calculated the net effect on each line item, remove
the +/- signs for the totals and add them up). Enter the result in the appropriate
space under column C for each financial statement.
.09 For uncorrected misstatements that affect the materiality benchmark, calculate
the net effect on the materiality benchmark of all uncorrected misstatements (net
the debits and the credits). Enter the result in the appropriate space under
column D for each financial statement.
Evaluation of Potential Undetected Misstatements
Untested Amounts
.10 For untested amounts that do not affect the materiality benchmark, calculate the
absolute value of the untested amounts, and enter the result in the appropriate
space under column C, for each financial statement.
.11 For untested amounts that affect the materiality benchmark, calculate the net
effect on the materiality benchmark of all untested amounts (net the debits and
credits). Enter the result in the appropriate space under column D for each
financial statement. See FAM 545 A.04 for an example.
Sampling Precision – Monetary Unit Samples (MUS) and Non-MUS Samples
.12 For statistical sample(s) selected to test line items that do not affect the
materiality benchmark, calculate and enter the combined sampling precision for
each financial statement in the appropriate space under column C.
.13 For statistical samples selected to test line items that affect the materiality
benchmark, calculate and enter the combined sampling precision for each
financial statement in the appropriate space under column D. Assess this amount
to the financial statement as a whole qualitatively.
.14 If no statistical sampling was performed, enter the performance materiality in
column D.
Allowance for Imprecision of Analytical Procedures on Which Complete
Substantive Reliance Was Placed
.15 For each financial statement, identify analytical procedures upon which complete
substantive reliance was placed, if any (see FAM 470.06). Include an allowance
for the imprecision of these procedures (i.e., potential undetected misstatement)
based on the following scenarios:
Scenario (a): The limit set is not exceeded by the observed difference
between the expected and actual outcome. Include the amount of the
difference between the expected and actual outcome. If the auditor elects to
investigate the difference even though it is not necessary in the
circumstances, do not include any portion of the difference for which the
auditor has obtained a reasonable and supported explanation.
Example: We projected a final balance of $1 million, and set a limit of
$200,000. The reported balance was actually $900,000. Since the difference
between the reported balance and our projected balance ($100,000) is within
the limit we set ($200,000), we did not investigate. The amount of potential
undetected misstatement in this case would be $100,000, which is the
difference we did not investigate between the reported balance ($900,000)
and the projected balance ($1 million).
Scenario (b): The limit set is exceeded by the observed difference between
the expected and actual outcome. Include the amount of the limit. As in
scenario (a), do not include any portion of the limit for which the auditor has
obtained a reasonable and supported explanation. The auditor would propose
an audit adjustment for the portion of any unexplained difference exceeding
the limit, and if management rejects the proposed audit adjustment, the
auditor would treat that portion as an uncorrected misstatement (see FAM
545 A.07–A.09 above).
Example: We set the limit at $50,000, the projected balance is $900,000, and
the reported balance is $1,100,000. The difference between the reported
balance ($1,100,000) and our projected balance ($900,000) is $200,000,
which exceeds our limit ($50,000), so we investigated but without success.
We would propose an audit adjustment of $150,000, which is the extent to
which the unexplained difference exceeds the limit. If the entity accepts and
posts the audit adjustment, the potential undetected misstatement would be
$50,000, which is the remaining portion of the unexplained difference that we
did not investigate and the entity did not correct. If the entity does not accept
the proposed audit adjustment, the audit difference would be $200,000. Of
this difference, $50,000 would be treated as a potential undetected
misstatement and $150,000 (the rejected adjustment) would be treated as an
uncorrected misstatement.
.16 For any such analytical procedures affecting line items that do not affect the
materiality benchmark, calculate the absolute value of all potential undetected
misstatements identified above, and enter the result in the appropriate space
under column C, for each financial statement.
.17 For any such analytical procedures affecting line items that affect the materiality
benchmark, calculate the net effect of all potential undetected misstatements
identified above, and enter the result in the appropriate space under column D,
for each financial statement.
.18 For consideration of the implications of any analytical procedures on which we
placed only partial substantive reliance, see section IV, Consideration of Other
Factors.
Consideration of Notes to the Financial Statements
.19 For any note to the financial statements containing misstatements (other than
those that are clearly trivial quantitatively or qualitatively) or for which there is a
risk of significant potential undetected misstatements (e.g., untested amounts,
imprecision of amounts or audit testing, or disclosures omitted due to
immateriality), assess the significance of and document any such misstatements
and potential undetected misstatements (e.g., identifying the note number and
name, a description of the misstatement or potential misstatement, and
qualitative and quantitative factors considered). Include a misstatement in section
III to the extent that the misstatement is not fully considered in section II. For
example, include the information in section III if it relates to a disaggregation of a
line item (e.g., property, plant, and equipment) in the note. Index to appropriate
support.
Consideration of Other Factors
.20 Consider the (1) risk of undetected material misstatement arising from analytical
procedures upon which we placed only partial reliance, (2) risk of material
understatement, and (3) risk of material misstatement affecting amounts on the
financial statements that do not affect the materiality benchmark when
considered in relation to the total of the amounts they do directly affect. Index to
appropriate support.
.21 There may also be conditions that reduce the risk of material misstatement, in
terms of (1) reducing the risk that a misstatement has occurred or (2) reducing
the risk that users will perceive a misstatement to be material if it has occurred.
In section IV, list and assess any mitigating factors that are relevant to the
uncorrected misstatements and potential undetected misstatements listed in
section II. Index to appropriate support.
Section I: Conclusions
Purpose
To determine if our audit exposure (audit exposure is the combination of detected misstatements, possible undetected misstatements, and
qualitative aspects) is material for our financial statement audit.
Approach
We analyzed quantitative and qualitative factors potentially affecting our audit risk. The calculated measurable quantitative amounts for each
financial statement (section II) represent the total value of (1) the net amount of correcting audit adjustments that were not accepted and booked
by XYZ entity; (2) amounts that were considered to be individually immaterial and were not tested on that basis (untested amounts); (3) the
sampling precision associated with statistical samples selected for the purposes of performing substantive tests of financial statement balances; (4)
if no statistical sampling was performed, an allowance equal to performance materiality; and (5) an allowance for the imprecision of substantive
analytical procedures on which we placed total reliance. Our analysis was designed to provide a conservative estimate of the risk represented by
these conditions and therefore used conservative assumptions. For example, all untested amounts were considered to be 100 percent overstated.
All statistical calculations were performed by or in consultation with an audit sampling specialist. We assessed the significance of misstatements
and potential undetected misstatements affecting the notes to the financial statements to the extent not fully considered in section II and have
documented our assessment in section III. We also considered whether other factors were relevant or potentially significant to our evaluation of
audit risk. This includes factors that may affect risk but whose actual dollar effect cannot be measured with any degree of precision (nonmeasurable
quantitative factors). We also considered any mitigating factors that may lower the risk. These are documented in section IV.
Materiality Benchmark(s)
Complete as per instructions. Example: We determined that the materiality benchmark was total gross costs because, based upon our judgment,
we concluded that it is the most significant element of XXX’s financial statements to users (FAM 230.09). During the planning phase of the audit, we
used XXX’s reported $300 million in total gross costs for fiscal year 2022 to compute our performance materiality and tolerable misstatement
thresholds. As XXX’s actual total program costs of $315 million for fiscal year 2023 exceeded the prior-year amount used in the planning phase
calculations, we believe that the performance materiality and tolerable misstatement thresholds used are adequate. Additionally, we assessed the
adequacy of our determination to apply the materiality benchmark to each financial statement given the effect of identified misstatements on the
various financial statements and line items; we determined that the application of the benchmark was valid.
Sources
As indexed in sections II, III, and IV.
Conclusions
Based on considerations of both the quantitative and qualitative aspects of the audit exposure in this analysis, including the effect of amounts not
directly affecting the materiality benchmark, we believe that the audit exposure is immaterial.
Section II: Consideration of Quantitative Factors
BALANCE SHEET

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF NET COST

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF CHANGES IN NET POSITION

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF BUDGETARY RESOURCES – BUDGETARY RESOURCES

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF BUDGETARY RESOURCES – STATUS OF BUDGETARY RESOURCES

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF BUDGETARY RESOURCES – OUTLAYS, NET AND DISBURSEMENTS, NET

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
STATEMENT OF {NAME OF STATEMENT}

| A: Risk of Material Misstatement (Quantitative) | B: Doc. Ref. | C: Estimated Amounts – Absolute Value Effect of Factors Not Directly Affecting the Materiality Benchmark | D: Estimated Amounts – Net Effect of Factors Directly Affecting the Materiality Benchmark, on the Materiality Benchmark |
|---|---|---|---|
| Factual Uncorrected Misstatements:¹ | | $0 | $0 |
| Judgmental Uncorrected Misstatements: | | 0 | 0 |
| Subtotal: Factual and Judgmental Uncorrected Misstatements | | $0 | $0 |
| Estimate of Potential Undetected Misstatements: | | | |
| Untested Amounts | | 0 | 0 |
| Combined Sampling Precision; Non-MUS Sample(s) | | 0 | 0 |
| Combined Sampling Precision; MUS Sample(s) | | 0 | 0 |
| [Include Performance Materiality amount if no statistical sampling was performed (and therefore no global upper error limit amount was included in the two rows above)] | | 0 | 0 |
| Allowance for Imprecision of Analytical Procedures on Which Complete Substantive Reliance Was Placed | | 0 | 0 |
| Other² | | 0 | 0 |
| Subtotal: Estimated Quantitatively Measurable Undetected Misstatements | | $0 | $0 |
| Total Estimated Quantitatively Measurable Misstatements | | $0 | $0 |
| Materiality Benchmark ($ amount and benchmark used) | | [Add $ amount of benchmark used here] | [Describe benchmark used (total assets, total cost, etc.)] |
| Total Estimated Quantitatively Measurable Misstatements as a Percentage of Materiality Benchmark | | 0.0% | 0.0% |

[Add auditor's note regarding the auditor’s assessment of the percentage.]
Explanatory Comments
2
¹ Include only the identified factual misstatements due to errors arising from nonstatistical selections or other nonstatistical tests. The full estimated
effect of the outcome of statistical tests (projected misstatement) will be included in the combined sampling precision calculations, including the
related factual amount.
² Describe in "Explanatory Comments" section any factor that does not fall into one of the listed categories.
Section III: Consideration of Notes to the Financial Statements
| Note No. | Note Name | Description of Misstatement or Potential Undetected Misstatement | Auditor’s Assessment | Doc. Ref. |
|---|---|---|---|---|
| | [Identify any notes to the financial statements containing misstatements or for which there is a risk of significant potential undetected misstatements (other than those that are clearly trivial) to the extent the misstatement is not fully considered in section II.] | [Describe the misstatement or potential undetected misstatement. Include a reference to any related misstatement in section II.] | [Assess the significance of the misstatement or potential undetected misstatement, including quantitative and qualitative factors considered.] | |
Section IV: Consideration of Other Factors
| | Description | Explanatory Comments | Doc. Ref. |
|---|---|---|---|
| | Nonquantitative Factors | | |
| 1 | Imprecision of analytical procedures on which only partial reliance was placed | | |
| 2 | Risk of material understatement | | |
| 3 | Risk of material misstatement affecting amounts on the financial statements that do not affect the materiality benchmark (section II, column C), when considered in relation to the total of the amounts they directly affect¹ | | |
| 4 | Consideration of all corrected misstatements identified | | |
| 5 | {insert other factors – reconsider factors noted in FAM 540.19} | | |
| | Description | Explanatory Comments | Doc. Ref. |
|---|---|---|---|
| | Mitigating Factors² | | |
| 1 | {example} Conclusion that internal control was effective, particularly if there is convincing evidence that the entity monitors internal control over financial reporting in a manner sufficiently effective to further reduce the risk of material misstatement | | |
| 2 | {example} Final, overall analytical procedures did not identify any material changes that were not adequately explained and supported | | |
| 3 | {insert other mitigating factors} | | |
¹ For example, if the materiality benchmark is total assets, exposure affecting liability amounts on the balance sheet would not directly affect the
benchmark and would therefore be entered to column C in section II. As a qualitative factor, the auditor should assess whether the quantifiably
measurable exposure affecting liability amounts, when considered in relation to total liabilities, was relevant and potentially significant.
² Mitigating factors are conditions that may reduce the risk of material misstatement, in terms of (1) reducing the risk that a misstatement has occurred
and (2) reducing the risk that users will perceive a misstatement to be material if it has occurred.
Reporting Phase
550 – Perform Other Reporting Phase Audit Procedures
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 550-1
550 – Perform Other Reporting Phase Audit Procedures
.01 The auditor should
• perform procedures regarding litigation, claims, and assessments involving
  the entity that may give rise to a risk of material misstatement (see FAM
  550.02–.03);
• identify material subsequent events and subsequently discovered facts (see
  FAM 550.04–.08);
• obtain management representations (see FAM 550.09–.14);
• assess relationships and transactions with disclosure entities, related parties,
  and public-private partnerships (see FAM 550.15);
• communicate with those charged with governance (see FAM 550.16–.20);
• assess RSI and other information (see FAM 550.21–.26); and
• consider the entity’s ability to continue as a going concern (see FAM 550.28–
  .29).
Litigation, Claims, and Assessments
.02 As discussed in FAM 280.02 through .05, the auditor should make inquiries of
the entity’s legal counsel and perform other procedures regarding litigation,
claims, and assessments involving the entity that may give rise to a risk of
material misstatement. In considering any liabilities, contingencies, or
uncertainties that may affect the entity or its financial statements, the auditor
should seek direct communication with the entity’s in-house and, if appropriate,
external legal counsel regarding these matters. The auditor should do so through
a legal counsel request prepared by management and sent by the auditor
requesting the entity’s legal counsel to communicate directly with the auditor.
.03 Further guidance on audit procedures related to litigation, claims, and
assessments, including the evaluation of legal counsel responses, is provided in
AU-C 501, Office of Management and Budget (OMB) audit guidance, FAM 280,
and FAM 1002.
Identify Material Subsequent Events and Subsequently Discovered
Facts
.04 Subsequent events are events occurring between the date of the financial
statements and the date of the auditor’s report. The auditor should perform audit
procedures to obtain sufficient appropriate audit evidence that all subsequent
events that require adjustments of, or disclosure in, the financial statements have
been identified (AU-C 560.09). The auditor should perform procedures required
by AU-C 560.10, which are included in FAM 1005. See AU-C 560 and FAM 1005
for additional guidance. If, as a result of these performed procedures, the auditor
identifies subsequent events that require adjustment of, or disclosure in, the
financial statements, the auditor should determine whether each such event is
appropriately reflected in the financial statements in accordance with U.S. GAAP
(AU-C 560.11).
.05 The auditor should perform subsequent event procedures near the completion of
the audit and should include any events between the date of the financial
statements and the date of the auditor’s report. If a long period elapses from the
date of the auditor’s report to report release date, the auditor should update the
procedures through the report release date.
The auditor should follow AU-C 560.13 and AU-C 700 on dating the auditor’s
report if management appropriately revises the financial statements for
subsequent events and should obtain updated or additional representations from
management, as appropriate. If management does not revise the financial
statements in circumstances when the auditor believes they need to be revised,
the auditor should modify the opinion (express a qualified or an adverse opinion),
as required by AU-C 705 (AU-C 560.14). See FAM 580 for guidance on drafting
the auditor’s report.
.06 The auditor is not required to perform any procedures regarding the financial
statements after the date of the auditor’s report (AU-C 560.12). The auditor may
inquire of management to determine if it is aware of subsequently discovered
facts (defined as facts that become known to the auditor after the date of the
auditor’s report that, had they been known to the auditor at that date, may have
caused the auditor to revise the auditor’s report – see AU-C 560.07) that could
materially affect the financial statements (see FAM 1005.05). If the auditor
becomes aware of a subsequently discovered fact before the report release date,
the auditor should
• discuss the matter with management and, when appropriate, those charged
  with governance and
• determine whether financial statements need revision and, if so, inquire how
  management intends to address the matter in the financial statements (see
  AU-C 560.12).
If a subsequently discovered fact becomes known to the auditor after the report
release date, the auditor should follow AU-C 560.15 through .18.
.07 The auditor should inquire of management and, when appropriate, those charged
with governance about whether there were any changes in internal control over
financial reporting or conditions that might significantly affect internal control over
financial reporting subsequent to the as of date but before the date of the
auditor’s report (AU-C 940.48), and perform the procedures in AU-C 940.48,
which are also included in FAM 1005.
If the auditor becomes aware of any such changes in internal control, the auditor
should determine whether the changes significantly affect the effectiveness of the
entity’s internal control and their impact on the auditor’s report, as discussed in
FAM 580.
.08 The auditor has no responsibility to keep informed of events subsequent to the
date of the report on internal control; however, after the release of the report on
internal control, the auditor may become aware of conditions that existed at the
report date that might have affected the auditor’s opinion had the auditor been
aware of them. The evaluation of such subsequent information is similar to the
evaluation of facts discovered subsequent to the date of the report on an audit of
financial statements, as discussed above.
Obtain Management Representations
.09 As discussed in FAM 280.06, the auditor should request written representations
from entity management with appropriate responsibilities for the financial
statements and knowledge of the matters concerned (AU-C 580.09) (this may
include those charged with governance when appropriate). These
representations should be in the form of a representation letter addressed to the
auditor (AU-C 580.21). These representations supplement the other audit
procedures performed by the auditor but are not a substitute for them. Written
representations help avoid any misunderstandings that could arise if only oral
representations were received from management. In some circumstances,
corroborating evidence for representations may not be readily available, such as
for those involving management’s intent concerning a future transaction or
business decision.
.10 The auditor should request that entity management provide the representations
described in FAM 1001.09 through .28, as applicable, including that management
has fulfilled its responsibilities as set out in the terms of the engagement. See
FAM 1001 for additional guidance on obtaining management representations and
FAM 1001 A for an example representation letter.
.11 If the auditor has concerns about the competence, integrity, ethical values, or
diligence of management or about management’s commitment to, or
enforcement of, these, the auditor should determine the effect that such concerns
may have on the reliability of representations (oral and written) and audit
evidence in general (AU-C 580.22).
.12 If a representation is inconsistent with other audit evidence, the auditor should
perform audit procedures, such as identifying and understanding the
circumstances to attempt to resolve the matter. If the matter remains unresolved,
or if management does not provide one or more of the requested
representations, the auditor should (a) discuss the matter with management; (b)
reconsider the assessment of the competence, integrity, ethical values, or
diligence of management or of management’s commitment to, or enforcement of,
these; and (c) determine the effect that these may have on the reliability of
representations and audit evidence in general.
The auditor should also determine whether this may indicate a scope limitation
sufficient to preclude an unmodified opinion. If the auditor concludes that
management’s written representations are not reliable or complete, the auditor
should consider the effects on the assessment of risk and the integrity of
management. Further, the auditor should determine its ability to complete the
audit and the effects on the auditor’s report (AU-C 580.23–.26). See FAM 580 for
additional reporting guidance. For example, in the case of identified
inconsistencies between one or more written representations and audit evidence
obtained from another source, the auditor may consider whether the risk
assessment remains appropriate and, if not, may revise the risk assessment and
determine the nature, timing, and extent of further audit procedures to respond to
the assessed risks.
In an audit of internal control over financial reporting performed as part of an
integrated audit, the failure to obtain written representations from management,
including management’s refusal to furnish them, constitutes a limitation on the
scope of the examination. The auditor should evaluate the effects of
management’s refusal on the auditor’s ability to rely on other representations,
such as those obtained during the audit of the entity’s financial statements. See
AU-C 940.73 through .77 for additional guidance and determine the effect on the
auditor’s report, as discussed in FAM 580.
The auditor may find it useful to discuss representations with management early
in the audit to identify and resolve any difficulties related to obtaining these
representations at the completion of the audit. This is particularly true for
first-year audits, when standards change, and when management changes (see FAM
280.06).
.13 The auditor should request that members of management and, when
appropriate, those charged with governance, who are responsible for and
knowledgeable about, directly or through others in the organization, the matters
covered by the representations, including the preparation and fair presentation of
the financial statements and the completeness of the information provided to the
auditor, sign the letter (AU-C 580.06a, .09, and .A2). As discussed in OMB audit
guidance, the signers generally should be officials at the highest levels of the
audited entity responsible for overseeing the financial reporting process and
generally should be the head of the entity, the CFO, and any others deemed
responsible for matters presented in this letter.
.14 Entity management should date the representation letter as of the date of the
auditor’s report. Typically, senior management will review the final financial
statements and note disclosures to take responsibility for them before signing the
representation letter. Although the auditor is not required to perform audit
procedures regarding the financial statements after the date of the auditor’s
report, the auditor may determine that an updated management representation
letter is necessary to provide evidence concerning events subsequent to the
report date. For example, the auditor may determine that updated management
representations are needed to (1) support a determination that subsequent
events identified after the report date do not require revisions to the financial
statements; (2) support a revised report date because of revisions to the financial
statements as a result of a subsequent event; or (3) provide evidence that no
subsequent events have occurred, particularly where the financial statements are
not issued shortly after the audit report release date.
Assess Relationships and Transactions with Disclosure Entities,
Related Parties, and Public-Private Partnerships
.15 The auditor should evaluate whether the identified relationships and
transactions with disclosure entities, related parties, and public-private
partnerships have been appropriately accounted for and disclosed.⁴ The auditor
should also evaluate whether the effects of such relationships and transactions
prevent the financial statements from achieving fair presentation (AU-C 550.28).
See FAM 280.07, FAM 904, and AU-C 550 for additional guidance on
relationships and transactions with disclosure entities, related parties, and
public-private partnerships. Statement of Federal Financial Accounting
Standards (SFFAS) 47 provides the definitions of related parties and disclosure
entities and related disclosure requirements for federal entities. SFFAS 49
provides the criteria for public-private partnerships and related disclosure
requirements for federal entities.
⁴ Under Federal Accounting Standards Advisory Board (FASAB) standards, organizations are considered to be
related parties if the existing relationship or one party to the existing relationship has the ability to exercise significant
influence over the other party’s policy decisions. In the federal government, there are additional relationships that
present risks similar to related parties, as defined by FASAB. These include disclosure entities and public-private
partnerships. Consequently, while AU-C 550 addresses only related parties, the auditor should apply audit
procedures required for related parties in AU-C 550 to disclosure entities and public-private partnerships. Note that
FASAB and the Financial Accounting Standards Board (FASB) provide different definitions for related parties.
Procedures pertaining to disclosure entities and public-private partnerships do not apply to entities issuing financial
statements in accordance with FASB accounting standards.
Communicate with Those Charged with Governance
.16 The auditor should communicate with those charged with governance findings
and issues from the audit that are, in the auditor’s professional judgment,
significant and relevant to their responsibility to oversee the financial reporting
process. Those charged with governance are those responsible for overseeing
the strategic direction of the entity and obligations related to the accountability of
the entity, including overseeing the entity’s financial reporting process. At the
start of the audit, as part of gaining an understanding of the entity, the auditor
should have identified those charged with governance for the entity (see FAM
215). As discussed in FAM 215, in some instances, those charged with
governance may include management. The auditor should communicate the
following with those charged with governance:
a. The auditor’s views about qualitative aspects of significant accounting
practices, including accounting policies, accounting estimates, and note
disclosures. When applicable, the auditor should take the following actions:
• Explain to those charged with governance why the auditor considers a
  significant accounting practice that is acceptable under the applicable
  financial reporting framework (U.S. GAAP) not to be the most appropriate
  to the particular circumstances.
• Determine that those charged with governance are informed about the
  process management uses in formulating particularly sensitive accounting
  estimates, including fair value estimates, and about the basis for the
  auditor’s conclusion regarding the reasonableness of those estimates
  (AU-C 260.12a). See AU-C 260.A27 through .A29 for items the auditor
  may consider communicating related to accounting practices.
b. Significant unusual transactions, if any (AU-C 260.12b and .A30). See
also AU-C 240 and FAM 260.26 for a discussion of significant unusual
transactions.
c. Significant difficulties, if any, that the auditor encountered during the audit
(AU-C 260.12c). See AU-C 260.A31 and AU-C 730.06 for examples of
difficulties, such as significant delays in receiving required information,
extensive unexpected effort necessary to obtain sufficient appropriate audit
evidence, an unreasonably brief time within which to complete the audit, and
inability to complete procedures related to RSI.
d. Uncorrected misstatements, other than those the auditor believes are
clearly trivial, and material corrected misstatements that were brought to the
attention of management as a result of audit procedures (AU-C 260.13 and
.14a). See FAM 540.11 for detailed guidance.
e. Any disagreements with management, regardless of whether they were
satisfactorily resolved, about matters that individually or in the aggregate
could be significant to the entity’s financial statements or the auditor’s report
(AU-C 260.12d). Examples of disagreements are included in AU-C 260.A32.
For this purpose, disagreements do not include differences of opinion based
on incomplete facts or preliminary information that are later resolved.
f. Circumstances that affect the form and content of the auditor’s report, if
any, such as the auditor’s planned modifications to the audit opinion or
inclusion of emphasis-of-matter or other-matter paragraphs in the auditor’s
report (AU-C 260.12e and .A34). The auditor should also communicate to
those charged with governance the wording of the expected modification to
the auditor’s report (AU-C 705.31 and 706.12).
g. Matters that are difficult or contentious for which the auditor consulted
outside the engagement team and that are, in the auditor’s professional
judgment, significant and relevant to those charged with governance
regarding their responsibility to oversee the financial reporting process (AU-C
260.12f).
h. Other findings or issues, if any, arising during the audit that are, in the
auditor’s professional judgment, significant and relevant to those charged
with governance regarding their responsibility to oversee the financial
reporting process (AU-C 260.12g).
i. Unless all of those charged with governance are involved in managing the
entity, the auditor also should communicate the following:
• Material corrected misstatements that were brought to the attention of
  management as a result of audit procedures (see FAM 595 C, example 3)
  (AU-C 260.14a).
• Management representations requested by the auditor (AU-C 260.14d).
  The auditor may provide those charged with governance a copy of
  management’s written representations (AU-C 260.A42).
• The auditor’s views about significant matters that were the subject of
  management’s consultations with other accountants, if any, on
  accounting and auditing matters when the auditor is aware that such
  consultation has occurred (AU-C 260.14c).
• Any significant findings or issues arising during the audit that were
  discussed with management or that were the subject of correspondence
  with management (AU-C 260.14b). AU-C 260.A41 includes examples of
  significant matters that the auditor may communicate.
• Significant findings or issues in connection with the entity’s relationships
  and transactions with disclosure entities, related parties, and
  public-private partnerships (AU-C 550.29).
j. Identified or suspected fraud involving (1) management, (2) employees
who have significant roles in internal control, or (3) others when the fraud
results in a material misstatement in the financial statements. If the auditor
suspects fraud involving management, the auditor should discuss the nature,
timing, and extent of audit procedures necessary to complete the audit. Also,
the auditor should discuss any other matters involving fraud that are, in the
auditor’s professional judgment, relevant to those charged with governance’s
responsibility (AU-C 240.40–.41).
k. Suspected noncompliance with laws, regulations, contracts, or grant
agreements when the auditor determines that it is appropriate to discuss with
those charged with governance (AU-C 250.18 and GAGAS (2018) 6.15).
l. The auditor’s responsibility and procedures performed relating to other
information included in the annual report and the results of these procedures
(AU-C 720.15).
m. Matters involving identified or suspected noncompliance with laws,
regulations, contracts, or grant agreements that come to the auditor’s
attention during the audit, unless clearly inconsequential. If, in the auditor’s
professional judgment, the matter is believed to be intentional and material,
the auditor should communicate the matter as soon as practicable (AU-C
250.21–.22 and GAGAS (2018) 6.15).
n. Significant deficiencies and material weaknesses identified during the
audit, including those that were remediated during the audit (AU-C 265.11).
For an integrated audit, the auditor should communicate in writing to
management and those charged with governance significant deficiencies and
material weaknesses identified during the integrated audit, including those
that were remediated during the integrated audit and those that were
previously communicated but have not yet been remediated (AU-C 940.59).
o. If management has imposed a limitation on the scope of the audit and
refuses to remove the limitation, the auditor should communicate the matter
to those charged with governance, unless all of those charged with
governance are involved in managing the entity, and if appropriate, determine
whether it is possible to perform alternative procedures to obtain sufficient
appropriate audit evidence (AU-C 705.11 and .12).
p. A material misstatement of the financial statements that relates to the
omission of information required to be presented or disclosed (AU-C
705.24a).
AU-C 260.A25 through .A42 provide further guidance on these matters. Matters
that arose during the audit that were communicated to those charged with
governance and satisfactorily resolved do not need to be included in the
communication.
.17 As discussed in FAM 215.33, the auditor should communicate significant findings
and issues in writing to those charged with governance if, in the auditor’s
professional judgment, oral communication would not be adequate. This
communication need not include matters that arose during the course of the audit
that were communicated with those charged with governance and satisfactorily
resolved. Factors that may affect whether to communicate orally or in writing, the
extent of detail or summarization in the communication, and the formality of the
communication are discussed in AU-C 260.A48 through .A50. Effective
communication may involve formal presentations and written reports as well as
less formal communications, including discussions (AU-C 260.A48–.A50).
As discussed in FAM 215.37 and .38, the auditor should communicate with those
charged with governance on a timely basis and should document all matters that
are required to be communicated, including when and to whom they were
communicated.
.18 If, as part of its communication to those charged with governance, management
communicated some or all of the matters the auditor is required to communicate,
and as a result, the auditor did not communicate these matters at the same level
of detail as management, the auditor should communicate any omitted or
inadequately described matters to those charged with governance. The auditor
does not need to communicate them at the same level of detail as to
management, as long as the auditor (a) participated in management’s discussion
with those charged with governance and (b) affirmatively confirmed to those
charged with governance that management has adequately communicated these
matters (AU-C 260.17).
.19 The auditor should evaluate the adequacy of the two-way communication
between the auditor and those charged with governance for the purposes of the
audit (AU-C 260.20). Inadequate two-way communication may indicate an
unsatisfactory control environment, which will influence the auditor’s assessment
of the risks of material misstatements. There is also a risk that the auditor may
not have obtained sufficient appropriate audit evidence to form an opinion on the
financial statements (AU-C 260.A54). The auditor does not need to design
specific procedures to evaluate the adequacy of this communication. Rather, the
auditor may base the evaluation on observations resulting from audit procedures
performed for other purposes. Such observations may include the following
(AU-C 260.A53):
• the appropriateness and timeliness of actions taken by those charged with
  governance in response to matters the auditor communicated;
• the apparent openness of those charged with governance in their
  communications with the auditor;
• the willingness and capacity of those charged with governance to meet with
  the auditor without management present;
• the apparent ability of those charged with governance to fully comprehend
  matters communicated by the auditor, such as the extent to which those
  charged with governance probe issues and question recommendations made
  to them;
• difficulty in establishing with those charged with governance a mutual
  understanding of the form, timing, and expected general content of
  communications; and
• when all or some of those charged with governance are involved in managing
  the entity, their apparent awareness of how matters discussed with the
  auditor affect their broader governance responsibilities, as well as their
  management responsibilities.
.20 If the two-way communication between the auditor and those charged with
governance is not adequate, the auditor should evaluate the effect, if any, on the
auditor’s assessment of the risks of material misstatement and ability to obtain
sufficient appropriate audit evidence, and should take appropriate action. If the
situation cannot be resolved, the auditor may take actions as discussed in AU-C
260.A55, including modifying the auditor’s opinion for a limitation on the scope of
the audit (AU-C 260.20 and .A55).
Assess RSI and Other Information
.21 The auditor should conclude on procedures performed for RSI and other
information. See FAM 580.38 through .39 regarding how the auditor reports on
the work performed in these areas.
.22 For RSI, the auditor should determine whether there are any omissions, material
departures from Federal Accounting Standards Advisory Board (FASAB)
guidance, or material inconsistencies with the financial statements and the
auditor’s knowledge, based on procedures performed in FAM 280.08. The
auditor should also obtain management representations regarding RSI as
specified in FAM 280.08. If the auditor is unable to complete the procedures
described in FAM 280.08, the auditor should consider whether management
contributed to the auditor’s inability to complete the procedures. If the auditor
concludes that the inability to complete the procedures was due to significant
difficulties encountered in dealing with management, the auditor should inform
those charged with governance (AU-C 730.06).
.23 For other information, the auditor should determine whether there are any
material inconsistencies with the audited financial statements or misstatement of
fact based on procedures performed in FAM 280.09.
.24 If the auditor identifies that a material inconsistency appears to exist between the
other information and the audited financial statements or becomes aware that the
other information appears to be materially misstated, the auditor should discuss
the matter with management and, if necessary, perform other procedures to
conclude whether (1) a material misstatement of the other information exists, (2)
a material misstatement of the financial statements exists, and (3) the auditor’s
understanding of the entity and its environment needs to be updated (AU-C
720.19).
.25 If the auditor concludes that a material misstatement of the other information
exists, the auditor should request that management correct the other information
and, if management agrees to make the correction, determine that the correction
has been made. If management refuses to make the correction, the auditor
should communicate the matter to those charged with governance and request
that the correction be made. If the other information is not corrected after
communicating with those charged with governance, the auditor should consider
the implications for the auditor’s report and communicate to those charged with
governance about how the auditor plans to address the material misstatement in
the auditor’s report (AU-C 720.20 and .21a). If the auditor concludes that a
material misstatement exists in other information obtained after the date of the
auditor’s report, the auditor should follow the requirements in AU-C 720.22.
.26 If, as a result of performing procedures on other information, the auditor
concludes that a material misstatement in the financial statements exists or the
auditor’s understanding of the entity and its environment needs to be updated,
the auditor should respond appropriately in accordance with other relevant AU-C
sections (AU-C 720.23).
Supplementary Information
.27 If the auditor is engaged to report on whether supplementary information, such
as consolidating statements, is fairly stated, in all material respects, in relation to
the financial statements as a whole, the auditor should follow the requirements in
AU-C 725.
Consider the Entity’s Ability to Continue as a Going Concern
.28 AU-C 570 discusses the implications for the auditor’s report if conditions and
events have been identified that raise substantial doubt about an entity’s ability to
continue as a going concern for a reasonable period of time. However, according
to SFFAS 39, Subsequent Events: Codification of Accounting and Financial
Reporting Standards Contained in the AICPA Statements on Auditing Standards,
appendix A, FASAB considered the nature of the federal government and
determined that going concern as contemplated in the commercial sense is not
applicable to federal government financial reporting.
.29 For entities that conform to Financial Accounting Standards Board (FASB)
standards, the auditor should evaluate whether there is substantial doubt about
the entity’s ability to continue as a going concern for a reasonable period of time
based on the results of the audit procedures performed pursuant to AU-C 570.
Reporting Phase
560 Determine Whether Financial Statement Presentation Is in Accordance with U.S.
Generally Accepted Accounting Principles
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 560-1
560 Determine Whether Financial Statement Presentation Is
in Accordance with U.S. Generally Accepted Accounting
Principles
.01 U.S. GAAP for federal government entities is promulgated by FASAB. As
permitted by SFFAS 34, The Hierarchy of Generally Accepted Accounting
Principles, Including the Application of Standards Issued by the Financial
Accounting Standards Board, some federal entities, including government
corporations, prepare financial statements in accordance with standards
promulgated by FASB. For further information on the requirements for applying
FASB standards, see SFFAS 34.
.02 FASAB established the hierarchy of accounting principles for federal entities in
SFFAS 34. This hierarchy is presented below, from most authoritative to least
authoritative.
a. FASAB Statements and Interpretations and AICPA and FASB
pronouncements made applicable to federal governmental entities by a
FASAB Statement or Interpretation.
b. FASAB Technical Bulletins and the following pronouncements if the AICPA
specifically made them applicable to federal governmental entities and
FASAB cleared them: AICPA Industry Audit and Accounting Guides and
AICPA Statements of Position.
c. AICPA Accounting Standards Executive Committee Practice Bulletins if
specifically made applicable to federal governmental entities and cleared by
FASAB and Technical Releases of its Accounting and Auditing Policy
Committee.
d. Implementation guides published by FASAB staff and practices that are
widely recognized and prevalent in the U.S. government.
.03 In the absence of a pronouncement in the above hierarchy, the auditor may
evaluate other accounting literature, including
a. FASAB Concepts Statements;
b. pronouncements in categories a through d in FAM 560.02 when not
specifically made applicable to federal governmental entities;
c. FASB and Governmental Accounting Standards Board (GASB) Concepts
Statements;⁵
d. GASB Statements, Interpretations, and Technical Bulletins;
e. AICPA Issue Papers;
f. International Accounting Standards of the International Accounting Standards
Committee;
g. pronouncements of other professional associations or regulatory agencies;
h. AICPA Technical Practice Aids; and
i. accounting textbooks, handbooks, and articles.
⁵ GASB establishes U.S. GAAP for units of state and local governments.
.04 Entities summarize their significant accounting policies, usually in note 1 to the
financial statements.
.05 The auditor should perform audit procedures to evaluate whether the financial
statements are prepared and presented, in all material respects, in accordance
with U.S. GAAP or other applicable financial reporting framework (AU-C 330.26
and 700.14). See FAM 215.14 for discussion of financial reporting framework.
This evaluation should include consideration of the qualitative aspects of the
entity’s accounting practices, including indicators of possible bias in
management’s judgments (AU-C 700.14). This evaluation should include the
following:
a. Whether, in view of the requirements of the applicable financial reporting
framework (U.S. GAAP):
• The financial statements appropriately disclose the significant accounting
  policies selected and applied. In making this evaluation, the auditor
  should consider the relevance of the accounting policies to the entity and
  whether they have been presented in an understandable manner.
• The accounting policies selected and applied are consistent with the
  applicable financial reporting framework (U.S. GAAP) and are
  appropriate.
• The accounting estimates made by management are reasonable.
• The information presented in the financial statements is relevant, reliable,
  comparable, and understandable. In making this evaluation, the auditor
  should consider whether all required information has been included, and
  whether such information is appropriately described, classified,
  aggregated or disaggregated, and presented.
• The financial statements provide adequate disclosures to enable the
  intended users to understand the effect of material transactions and
  events on the information conveyed in the financial statements.
• The terminology used in the financial statements, including the title of
  each financial statement, is appropriate (AU-C 700.15).
b. Whether the financial statements achieve fair presentation, including
consideration of the following:
• the appropriate classification and description of financial information and
  the underlying transactions, events, and conditions;
• the appropriate presentation, structure, and content of the financial
  statements (AU-C 330.26); and
• whether the financial statements represent the underlying transactions
  and events in a manner that achieves fair presentation (AU-C 700.16).
c. Whether the financial statements adequately refer to or describe the
applicable financial reporting framework (U.S. GAAP) (AU-C 700.17).
The auditor can meet the requirement for the above evaluations by completing
the Federal Financial Reporting Checklist.⁶ This checklist also can assist the
entity in preparing financial statements with appropriate and adequate disclosure
in accordance with U.S. GAAP.
.06 For accounting estimates with significant risks, the auditor should evaluate the
adequacy of the disclosure of estimation uncertainty in the financial statements
(AU-C 540.20). Even when the note disclosures are in accordance with U.S.
GAAP, the auditor may conclude that the disclosure of estimation uncertainty is
inadequate in light of the circumstances and facts involved. The auditor’s
evaluation of adequacy increases in importance the greater the range of possible
outcomes of the estimate (AU-C 540.A130).
.07 The auditor should evaluate the impact of any instances where the financial
statements are not in accordance with U.S. GAAP and should determine the
effects, if any, on the auditor’s report (see FAM 580.09–.10).
⁶ Auditors may obtain the Federal Financial Reporting Checklist by contacting [email protected].
Reporting Phase
570 Determine Compliance with GAO/CIGIE Financial Audit Manual
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 570-1
570 Determine Compliance with GAO/CIGIE Financial Audit
Manual
.01 The auditor should determine whether the audit was conducted in accordance
with GAGAS and, if applicable, OMB audit guidance. The auditor should also
determine whether the FAM methodology was followed. One tool the auditor
should use to determine and document FAM compliance and whether there are
any exceptions or deviations is the audit completion checklist in FAM 1003. If the
auditor is using a different methodology and if required by contract, the auditor
should use the audit completion checklist to provide a crosswalk between the
audit methodology used and the FAM.
Reporting Phase
580 Draft Reports
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 580-1
580 Draft Reports
.01 Based on AU-C 700.21, at the conclusion of the audit, the auditor should draft
written reports on the entity’s
• financial statements, RSI (including MD&A), and other information included in
  the annual report (see FAM 580.02–.55);
• internal control over financial reporting (see FAM 580.56–.85);
• financial management systems’ substantial compliance with the three FFMIA
  requirements (for CFO Act agencies) (see FAM 580.86–.90);⁷ and
• compliance with significant provisions of applicable laws, regulations,
  contracts, and grant agreements (see FAM 580.91–.99).
If the auditor is engaged to report on whether supplementary information is fairly
stated, in all material respects, in relation to the financial statements as a whole,
the auditor should follow the reporting requirements in AU-C 725.
Financial Statement Reporting
.02 The auditor should form an opinion on whether the financial statements are
presented fairly, in all material respects, in accordance with the applicable
financial reporting framework (U.S. GAAP) (AU-C 700.12).
Audit Scope
.03 To express an opinion, first the auditor should determine if the audit has been
conducted in accordance with GAGAS and, if applicable, OMB audit guidance
(see FAM 570). The auditor should conclude whether the auditor has obtained
reasonable assurance about whether the financial statements as a whole are
free from material misstatement, whether due to fraud or error (AU-C 700.13). If
the auditor is not able to perform all procedures considered necessary, the scope
of the audit is restricted, and the auditor should consider whether to modify the
GAGAS compliance statement in the report, as discussed in GAGAS (2018)
2.17b, 2.18 and 2.20, and determine whether to qualify or disclaim an opinion.
.04 Limitations on the scope of the auditor’s work resulting in the auditor’s inability to
obtain sufficient appropriate audit evidence may be imposed by the entity, may
be caused by circumstances beyond the entity’s control, or may result from
circumstances related to the nature or the timing of the audit work. Examples of
scope limitations are included in AU-C 705.A9 through .A13. Limitations imposed
by the entity may have other implications for the audit, such as the auditor’s
assessment of risk of material misstatement due to fraud.
.05 Based on AU-C 330.28, the auditor should conclude whether sufficient
appropriate audit evidence has been obtained to reduce the risk of undetected
material misstatements to an appropriately low level in the financial statements.
In forming a conclusion, the auditor should consider all relevant audit evidence,
regardless of whether it appears to corroborate or contradict the assertions in the
financial statements. AU-C 330.A77 presents factors that may influence this
conclusion on the sufficiency and appropriateness of audit evidence.
⁷ Non-GAO auditors may combine bullets 3 and 4.
.06 The auditor should determine whether any misstatements affect the audit scope
from a qualitative standpoint. The auditor should also determine whether the
audit scope is adequate in light of any (1) misstatements or (2) other findings that
indicate noncompliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements.
.07 If the auditor has not obtained sufficient appropriate audit evidence about a
relevant assertion, the auditor should attempt to obtain further audit evidence
(AU-C 330.29). If the auditor is unable to obtain sufficient appropriate audit
evidence, the auditor should determine the implications on the audit opinion
following guidance in FAM 580.43 and include the reasons for that inability in the
“Basis for Opinion” section (AU-C 705.13 and .25).
.08 Whether to qualify or disclaim an opinion because of a scope limitation is a
matter of the auditor’s professional judgment. The auditor should assess how
important the omitted procedures were to the auditor’s ability to form an opinion
on the financial statements based on sufficient appropriate audit evidence. This
assessment is influenced by the nature, significance, and magnitude of the items
to which the omitted procedures relate. For example, the potential effect of a
scope limitation on a material account is likely to be greater than on an
immaterial account.
Departure from U.S. GAAP (Misstatements)
.09 The auditor should evaluate whether the financial statements as a whole,
including the related note disclosures, are materially misstated based on a
departure from U.S. GAAP, as discussed in FAM 560. If such a departure exists,
the auditor should determine the effects of the departure on the financial
statements, considering both quantitative and qualitative aspects. The auditor
should conclude whether the effects of the misstatements, individually or in the
aggregate, are (1) material and (2) pervasive to the financial statements. See
FAM 580.43 for further discussion.
.10 In rare cases when the auditor can demonstrate that compliance with U.S. GAAP
would result in misleading financial statements, the auditor may issue an
unmodified opinion that includes a description of the nature of the departure; the
effects, if practicable; and why compliance with U.S. GAAP would result in
misleading financial statements (see the AICPA Code of Professional Conduct,
1.320.001 Accounting Principles Rule). The reviewer should approve the
auditor’s conclusion in these circumstances.
Uncertainties
.11 Uncertainties are matters affecting the financial statements whose outcome is
expected to be resolved at a future date when conclusive evidence becomes
available and that could result in a modified opinion. Uncertainties may be related
to the resolution of litigation or the valuation of assets, such as real estate
owned, and include the contingencies discussed in SFFAS 5, as amended by
SFFAS 12, as well as other matters (see FAM 905 for discussion of auditing
accounting estimates). Absence of information related to the outcome of an
uncertainty does not necessarily indicate that the audit evidence supporting
management’s assertions is not sufficient. Rather, the auditor’s professional
judgment regarding the sufficiency of the audit evidence is based on the audit
evidence that is, or should be, available. If, after considering the existing
conditions and available evidence, the auditor concludes that sufficient
appropriate audit evidence supports management’s assertions about the nature
of a matter involving an uncertainty and its presentation or disclosure in the
financial statements, an unmodified opinion ordinarily is appropriate (AU-C
705.A14).
In cases involving multiple uncertainties, the auditor may conclude that it is not
possible to form an opinion on the financial statements as a whole due to the
interaction and possible cumulative effects of the uncertainties (AU-C 705.A15).
The auditor should express an unmodified opinion if, in the auditor’s judgment,
evidence is sufficient to support management’s analysis of the nature of the
uncertainty and its presentation or disclosure in the financial statements. The
auditor may also add an emphasis-of-matter paragraph.
Comparative Financial Statements and Comparative Information
.12 Entities subject to OMB reporting guidance are required to prepare comparative
financial statements. Those not subject to the requirement may nevertheless
elect to do so. When comparative financial statements are presented, the
auditor’s report should refer to each period for which financial statements are
presented and on which an audit opinion is expressed (AU-C 700.47).
.13 When expressing an opinion on all periods presented, a continuing auditor
should update the report on the financial statements of one or more prior periods,
presented on a comparative basis, with those of the current period. The auditor's
report on comparative financial statements should not be dated earlier than the
date on which the auditor has obtained sufficient appropriate audit evidence on
which to support the opinion for the most recent audit (AU-C 700.48).
.14 If comparative information is presented but not covered by the auditor’s opinion,
the auditor should clearly indicate in the auditor’s report the character of the
auditor’s work, if any, and the degree of responsibility the auditor is taking (AU-C
700.49).
.15 If comparative information is presented and the auditor has been engaged to
express an opinion on all periods presented, the auditor should consider whether
the information included for the prior period(s) contains sufficient detail to
constitute a fair presentation in accordance with the applicable financial reporting
framework (U.S. GAAP) (AU-C 700.50).
.16 If comparative financial statements or comparative information is presented for
prior periods, the auditor should determine whether the comparative financial
statements or comparative information has been presented in accordance with
the relevant requirements, if any, of the applicable financial reporting framework
(U.S. GAAP) (AU-C 700.51-.52). The auditor should also evaluate
• whether the comparative financial statements or comparative information
agrees with the amounts and other disclosures presented in the prior period,
or when appropriate, has been restated for the correction of a material
misstatement or adjusted for the retrospective application of an accounting
principle, and
• whether the accounting policies reflected in the comparative financial
statements or comparative information are consistent with those applied in
the current period or, if there have been changes in accounting policies,
whether those changes have been properly accounted for and adequately
presented and disclosed (AU-C 700.53).
.17 If the auditor becomes aware of a possible material misstatement in the
comparative financial statements or comparative information while performing the
current period audit, the auditor should perform such additional audit procedures
as are necessary in the circumstances to obtain sufficient appropriate audit
evidence to determine whether a material misstatement exists. If the auditor
audited the prior period’s financial statements and becomes aware of a material
misstatement in those financial statements, the auditor should also follow the
requirements of AU-C 560. If the prior-period financial statements are restated,
the auditor should determine that the comparative financial statements or
comparative information agrees with the restated financial statements (AU-C
700.54). Also see FAM 580.110 for additional guidance.
.18 As noted in FAM 1001.06, the auditor should request written representations for
all periods referred to in the auditor’s opinion. The auditor also should obtain a
specific written representation regarding any restatement made to correct a
material misstatement in a prior period that affects the comparative financial
statements (AU-C 700.55).
.19 When reporting on prior period financial statements in connection with the current
period’s audit, if the auditor’s opinion on such prior period financial statements
differs from the opinion the auditor previously expressed, the auditor should
disclose the following matters in an emphasis-of-matter or other matter
paragraph in accordance with AU-C 706 (AU-C 700.56):
• the date of the auditor’s previous report;
• the type of opinion previously expressed;
• the substantive reasons for the different opinion; and
• that the auditor’s opinion on the amended financial statements is different
from the auditor’s previous opinion.
.20 If the financial statements of the prior period were audited by a predecessor
auditor, the auditor should follow the reporting requirements of AU-C 700.57 and
.58. If comparative financial statements are presented, but the prior period
financial statements were not audited, the auditor should follow the reporting
requirements of AU-C 700.59 or 60, as applicable.
.21 The auditor should evaluate whether the comparability of the financial statements
between periods has been materially affected by a change in accounting
principle or by adjustments to correct a material misstatement in previously
issued financial statements (AU-C 708.05), and determine the implications of
such changes on the auditor’s report, following the requirements of AU-C 708.07
through .10 and .13 through .16.
.22 The periods included in the auditor’s evaluation of consistency depend on the
periods covered by the auditor’s opinion on the financial statements. When the
auditor’s opinion covers only the current period, the auditor should evaluate
whether the current-period financial statements are consistent with those of the
preceding period, regardless of whether the prior period’s financial statements
are presented. When the auditor’s opinion covers two or more periods, the
auditor should evaluate consistency between such periods and the consistency
of the earliest period covered by the auditor’s opinion with the period prior
thereto, if such prior period is presented with the financial statements being
reported on. The auditor should also evaluate whether the financial statements
for the periods being reported on are consistent with any previously issued
financial statements for those periods (AU-C 708.06).
.23 If the auditor identifies material inconsistencies between the comparative
financial statements, the auditor will need to determine the effect on the auditor’s
opinion and include an emphasis-of-matter paragraph. The auditor should see
AU-C 705 and AU-C 708 for further guidance.
Report Format
.24 The auditor’s report should have a title that clearly indicates that it is the report of
an independent auditor and should be addressed, as appropriate, based on the
circumstances of the engagement (AU-C 700.22 and .23).
.25 The auditor’s report should clearly identify the entity audited; the financial
statement(s) on which the auditor is reporting; and the period covered by the
financial statement(s), usually the current year with comparative prior year.
.26 The auditor’s report on the financial statements should include sections with the
following headings in the order shown below (AU-C 700.24, .28, .31, and .34):
• Opinion
• Basis for Opinion
• Responsibilities of Management for the Financial Statements
• Auditor’s Responsibilities for the Audit of the Financial Statements
If the auditor expresses a modified opinion, the auditor should modify the section
headings listed above in accordance with AU-C 705. See the auditor’s report
examples in FAM 595 B.
The auditor’s report on the financial statements should also include sections with
the following headings, as applicable:
• Required Supplementary Information or other appropriate heading (see FAM
580.38)
• Other Information or other appropriate heading (see FAM 580.39)
.27 The auditor’s report on the audit of internal control over financial reporting should
include sections with the following headings in the order shown below (AU-C
940.64):
• Opinion on Internal Control over Financial Reporting
• Basis for Opinion
• Responsibilities of Management for Internal Control over Financial Reporting
• Auditor’s Responsibilities for the Audit of Internal Control over Financial
Reporting
• Definition and Inherent Limitations of Internal Control over Financial
Reporting or other appropriate heading
.28 The auditor may choose to issue a combined report containing both an opinion
on the financial statements and an opinion on internal control over financial
reporting or separate reports on the entity’s financial statements and on internal
control over financial reporting (AU-C 940.A115). If issuing separate reports, the
auditor should use the headings listed under FAM 580.26 and .27 above. If
issuing a combined report, the auditor should use the headings listed below in
the following order:
• Opinion on the Financial Statements
• Opinion on Internal Control over Financial Reporting
• Basis for Opinions
• Responsibilities of Management for the Financial Statements and Internal
Control over Financial Reporting
• Auditor’s Responsibilities for the Audits of the Financial Statements and
Internal Control over Financial Reporting
• Definition and Inherent Limitations of Internal Control over Financial
Reporting
• Required Supplementary Information
• Other Information
See auditor’s report example 1 in FAM 595 A.
.29 Other reporting responsibilities, such as the auditor’s report on internal control
over financial reporting in which no opinion is expressed or report on compliance
with laws, regulations, contracts, and grant agreements, should be addressed in
a separate section in the auditor’s report with a heading that is appropriate to the
content of the section (AU-C 700.39).
The auditor’s report on internal control over financial reporting in which no
opinion is expressed should include a section discussing the definition and
inherent limitations of internal control over financial reporting, similar to the
language the auditor would include in a report on the audit of internal control over
financial reporting.⁸ The auditor’s report on internal control over financial
reporting in which no opinion is expressed should include sections with the
following headings:
• Results of Our Consideration of Internal Control over Financial Reporting
• Basis for Results of Our Consideration of Internal Control over Financial
Reporting
• Responsibilities of Management for Internal Control over Financial Reporting
• Auditor’s Responsibilities for Internal Control over Financial Reporting
• Definition and Inherent Limitations of Internal Control over Financial
Reporting
• Intended Purpose of Report on Internal Control over Financial Reporting (see
FAM 580.74)
The auditor’s report on compliance with laws, regulations, contracts, and grant
agreements should include sections with the following headings:
• Results of Our Tests for Compliance with Laws, Regulations, Contracts, and
Grant Agreements
• Basis for Results of Tests for Compliance with Laws, Regulations, Contracts,
and Grant Agreements
• Responsibilities of Management for Compliance with Laws, Regulations,
Contracts, and Grant Agreements
• Auditor’s Responsibilities for Tests of Compliance with Laws, Regulations,
Contracts, and Grant Agreements
• Intended Purpose of Report on Compliance with Laws, Regulations,
Contracts, and Grant Agreements (see FAM 580.96)
See auditor’s report example 2 in FAM 595 A.
⁸ Although AICPA standards do not require the auditor to include the definition and inherent limitations of internal
control over financial reporting in an audit report where no opinion is expressed on internal control over financial
reporting, it is important for auditors of federal entities to include such information in order to provide transparency
regarding the objectives and limitations of internal control over financial reporting in the federal government.
.30 Information that is not required by the applicable financial reporting framework
(U.S. GAAP) but is nevertheless presented as part of the basic financial
statements should be covered by the auditor’s opinion if it cannot be clearly
differentiated. Information that can be clearly differentiated may be identified as
“unaudited” or as “not covered by the auditor’s report” (AU-C 700.61 and .A80).
.31 The auditor’s report should be dated no earlier than the date on which the auditor
has obtained sufficient appropriate audit evidence on which to base the auditor’s
opinion on the financial statements. See FAM 580.103 for further guidance.
.32 GAGAS (2018) 6.57 requires the auditor to obtain and report the views of entity
management concerning the findings, conclusions, and recommendations in the
audit report, as well as any planned corrective actions. The entity comments and
(auditor) evaluation section of the report discusses the extent to which the entity
agrees with the facts and conclusions presented by the auditor and the reasons
for any disagreements. The auditor should evaluate any disagreements that the
entity expresses and present the auditor’s view. The auditor may also outline in
the report the entity’s description of the efforts it is taking to correct or mitigate
matters. The auditor should disclaim an opinion on this information. See FAM
580.100–.102 for further guidance.
.33 The auditor may prepare a highlights page, executive summary, and/or
transmittal letter to provide a high-level presentation of the audit report and
significant matters of interest to the users of federal financial reports. The auditor
typically presents matters in nontechnical language so that report users can
readily grasp their significance.
Types of Reports
.34 If the auditor can express an opinion, the auditor may issue one of the following
opinion types: (1) unmodified or (2) modified, which may be a qualified opinion or
an adverse opinion. If an opinion cannot be expressed, the auditor should issue a
disclaimer of opinion report. Additionally, the auditor may be required or may
choose to include an emphasis-of-matter and/or other-matter paragraph as
discussed below.
.35 Guidance on reporting is included in AU-C 700, 701, 705, 706, 708, 720, 725,
730, 806, and 940 and GAGAS (2018) 6.39 through 6.41. Additionally, FAM 595
A includes an example of an unmodified report. FAM 595 B includes example
wording for an auditor’s report with an unmodified opinion on the financial
statements and an opinion on internal controls over financial reporting where a
material weakness or significant deficiency is identified. The auditor may use
another reporting format; however, the format should meet the requirements of
the standards listed above. GAO auditors also should document the reasons for
any significant deviations from the example reporting format or language in FAM
595 A or B. When findings are extensive, the auditor may modify the report
format to include findings in the report and additional details in an appendix
included with the report.
.36 If the auditor expresses an opinion only on a single financial statement, or
specific elements, accounts, or items of a financial statement, the auditor should
follow AU-C 805.
Unmodified Opinion
.37 In an unmodified opinion on the financial statements, the auditor concludes that
the financial statements are presented fairly, in all material respects, as of the
specified date in accordance with U.S. GAAP (AU-C 700.18).⁹ The auditor should
follow the requirements of AU-C 700.22 through .43 regarding specific wording
and structure of the auditor’s report, as specified in FAM 595 A. Additionally, the
auditor should include an emphasis-of-matter paragraph, other-matter paragraph,
or both to the unmodified report in certain circumstances, as discussed below.
.38 If RSI is applicable to the entity, the auditor should include a separate section in
the auditor’s report on the financial statements with the heading “Required
Supplementary Information,” or other appropriate heading. The auditor should
follow the requirements of AU-C 730.07 through .09 regarding specific wording of
this section, as specified in FAM 595 A. Refer to AU-C 730.08d through .08g;
.09; and .A3, illustrations 2 through 6, if (1) the auditor is unable to complete the
procedures discussed in FAM 280.08, (2) some or all of the RSI is omitted, (3)
the auditor has identified material departures from prescribed guidelines, or (4)
the auditor has unresolved doubts about whether the RSI is measured or
presented in accordance with prescribed guidelines.
.39 If other information is presented in the annual report, at the date of the auditor’s
report, when the auditor has obtained all the other information included in the
report, the composition of which was determined through discussion with
management and for which the auditor obtained management's written
acknowledgment (see FAM 280.09), the auditor should include a separate
section in the auditor’s report on the financial statements with the heading “Other
Information” or other appropriate heading. The auditor should follow the
requirements of AU-C 720.24 and .25 regarding specific wording of this section,
as specified in FAM 595 A. Refer to AU-C 720.24f; .25; and .A62, illustration 2, if
the auditor has concluded that an uncorrected material misstatement of the other
information exists.
⁹ These are usually comparative statements for the current and prior years unless it is the entity’s initial audit.
.40 For entities that conform to FASB standards, if, as a result of audit procedures
performed as specified in AU-C 570.12 through .17, the auditor concludes that
substantial doubt about the entity’s ability to continue as a going concern for a
reasonable period of time remains, the auditor should include a separate section
in the auditor’s report with the heading “Substantial Doubt About the Entity’s
Ability to Continue as a Going Concern” in accordance with AU-C 570.24 through
.25. If adequate disclosure about the entity’s ability to continue as a going
concern for a reasonable period of time is not made in the financial statements,
the auditor should modify the audit opinion in accordance with AU-C 570.26. If
the financial statements have been prepared using the going concern basis of
accounting, but in the auditor’s judgment, management’s use of the going
concern basis of accounting in the preparation of the financial statements is
inappropriate, the auditor should express an adverse opinion (AU-C 570.23).
Refer to AU-C 570 for additional requirements pertaining to the entity’s ability to
continue as a going concern.
Types of Modified Opinions
.41 Pervasive effects on the financial statements are those that, in the auditor’s
professional judgment,
• are not confined to specific elements, accounts, or items of the financial
statements;
• if so confined, represent or could represent a substantial proportion of the
financial statements; or
• with regard to note disclosures, are fundamental to users’ understanding of
the financial statements (AU-C 705.06).
The auditor should conclude whether the possible effects of undetected
misstatements, if any, could be material to the financial statements and, if so,
also conclude whether the possible effects are pervasive to the financial
statements (AU-C 705.8b and .10).
.42 If the audit scope is adequate for expressing an opinion on the financial
statements, the auditor should determine the appropriate type of opinion. The
auditor should make this determination based on
a. the auditor’s conclusions on whether uncorrected misstatements are material,
individually or in the aggregate, to the financial statements, as discussed in
FAM 540 and AU-C 450.11 (AU-C 700.13b);
b. the auditor’s conclusions on whether the financial statements are prepared, in
all material respects, in accordance with the requirements of the applicable
financial reporting framework (U.S. GAAP), including consideration of the
qualitative aspects of the entity’s accounting practices, including indicators of
possible bias in management’s judgments, as discussed in FAM 560.05
(AU-C 700.14);
c. the results of the auditor’s evaluation of the financial statement disclosure of
accounting policies, the selection of accounting policies, and other items
specified in AU-C 700.15a through .15f, as discussed in FAM 560;
d. the results of the auditor’s evaluation about whether the financial statements
achieve fair presentation considering the factors in AU-C 700.16a and .16b,
as discussed in FAM 560; and
e. the results of the auditor’s evaluation about whether the financial statements
adequately refer to or describe the applicable financial reporting framework
per AU-C 700.17 and as discussed in FAM 560.
.43 The following table illustrates how the auditor’s professional judgment about the
nature of the matter giving rise to the modification and the pervasiveness of its
effects or possible effects on the financial statements affects the type of opinion to
be expressed (AU-C 705.A1).
| Nature of matter giving rise to the modification | Auditor's professional judgment about the pervasiveness of the effects or possible effects on the financial statements | |
| | Material but not pervasive | Material and pervasive |
|---|---|---|
| Financial statements are materially misstated | Qualified opinion | Adverse opinion |
| Inability to obtain sufficient appropriate audit evidence | Qualified opinion | Disclaimer of opinion |
.44 The auditor should modify the opinion in the auditor’s report if the auditor
concludes that, based on the audit evidence obtained, the financial statements as
a whole are materially misstated or the auditor is unable to obtain sufficient
appropriate audit evidence to conclude that the financial statements as a whole
are free from material misstatement (AU-C 700.19, AU-C 705.07).
When the auditor modifies the opinion on the financial statements, the auditor
should use the heading “Qualified Opinion,” “Adverse Opinion,” or “Disclaimer of
Opinion,” as appropriate, for the “Opinion” section. The auditor should also
amend the heading “Basis for Opinion” to “Basis for Qualified Opinion,” “Basis for
Adverse Opinion,” or “Basis for Disclaimer of Opinion,” as appropriate, and within
this section of the auditor’s report, include a description of the matter giving rise
to the modification (AU-C 705.17 and .21).
If the auditor concludes that it is necessary to express an adverse opinion or
disclaim an opinion on the entity’s complete set of financial statements as a
whole, an unmodified opinion on a specific element in the same auditor’s report
would contradict the adverse opinion or disclaimer of opinion on the entity’s
complete set of financial statements as a whole and would be tantamount to
expressing a piecemeal opinion (which is prohibited). In the context of a separate
audit of a specific element that is included in those financial statements, when
the auditor nevertheless considers it appropriate to express an unmodified
opinion on that specific element, the auditor should only do so if
a. that opinion is expressed in an auditor’s report that is neither published with
nor otherwise accompanies the auditor’s report containing the adverse
opinion or disclaimer of opinion and
b. the specific element does not constitute a major portion of the entity’s
complete set of financial statements or the specific element is not, or is not
based upon, the entity's stockholders’ equity or net income or the equivalent.
A single financial statement is deemed to constitute a major portion of a complete
set of financial statements. Therefore, the auditor should not express an
unmodified opinion on a single financial statement of a complete set of financial
statements if the auditor has expressed an adverse opinion or disclaimed an
opinion on the complete set of financial statements as a whole, even if the
auditor’s report on the single financial statement is neither published together nor
otherwise accompanies the auditor’s report containing the adverse opinion or
disclaimer of opinion (AU-C 705.15 and AU-C 805.21 and .22).
.45 If the auditor concludes that the financial statements do not achieve fair
presentation, the auditor should discuss the matter with management and,
depending on how the matter is resolved, should determine whether it is
necessary to modify the opinion in the auditor’s report in accordance with AU-C
705 (AU-C 700.20).
.46 Emphasis-of-matter paragraphs, other-matter paragraphs, or both may also be
included in the auditor’s report when the auditor expresses a qualified or adverse
opinion or disclaims an opinion.
.47 If the auditor concludes that the opinion on the financial statements should be
modified, the auditor should revise the auditor’s report to reflect the specific
wording changes required by AU-C 705.17 through .29. Specific wording is
provided for qualified opinions, adverse opinions, and disclaimers of opinion.
Qualified Opinion
.48 The auditor should express a qualified opinion, as discussed in AU-C 705.08, in
the following circumstances:
• the auditor, having obtained sufficient appropriate audit evidence, concludes
that misstatements, individually or in the aggregate, are material but not
pervasive to the financial statements or
• the auditor is unable to obtain sufficient appropriate audit evidence on which
to base the opinion, but the auditor concludes that the possible effects on the
financial statements of undetected misstatements, if any, could be material
but not pervasive.
Adverse Opinion
.49 The auditor should express an adverse opinion when the auditor, having
obtained sufficient appropriate audit evidence, concludes that misstatements,
individually or in the aggregate, are both material and pervasive to the financial
statements (AU-C 705.09).
Disclaimer of Opinion
.50 In a disclaimer of opinion, the auditor does not express an opinion on the
financial statements. The auditor should disclaim an opinion when the auditor is
unable to obtain sufficient appropriate audit evidence on which to base the
opinion, and the auditor concludes that the possible effects on the financial
statements of undetected misstatements, if any, could be both material and
pervasive (AU-C 705.10). When the auditor disclaims an opinion on the financial
statements, the auditor’s report should not include an “Other Information” section
in accordance with AU-C 720 (AU-C 705.30).
Emphasis-of-Matter and Other-Matter Paragraph(s)
.51 As discussed in AU-C 706, the auditor should add an emphasis-of-matter and/or
other-matter paragraph when certain conditions exist. Additionally, the auditor
may include emphasis-of-matter and/or other-matter paragraphs in the report
based on the auditor’s professional judgment. Inclusion of an emphasis-of-matter
paragraph does not affect the auditor’s opinion, including an unmodified opinion
(AU-C 706.A7).
Emphasis-of-Matter Paragraph
.52 If the auditor considers it necessary to draw users’ attention to a matter
appropriately presented or disclosed in the financial statements that, in the
auditor’s professional judgment, is of such importance that it is fundamental to
users’ understanding of the financial statements, the auditor should include an
emphasis-of-matter paragraph in the auditor’s report, provided that the auditor
would not be required to modify the opinion in accordance with AU-C 705 as a
result of the matter (AU-C 706.08). See AU-C 706.A4 through .A8 and .A14 for
additional guidance on emphasis-of-matter paragraphs.
The auditor should follow the requirements of AU-C 706.09 for specific wording
and placement of emphasis-of-matter paragraphs in the auditor’s report.
Other-Matter Paragraph
.53 If the auditor considers it necessary to communicate a matter other than those
presented or disclosed in the financial statements that, in the auditor’s
professional judgment, is relevant to users’ understanding of the audit, the
auditor’s responsibilities, or the auditor’s report, the auditor should do so in an
other-matter paragraph in the auditor’s report (AU-C 706.10). See AU-C 706.A9
through .A15 for additional guidance on other-matter paragraphs.
The auditor should follow the requirements of AU-C 706.11 for specific wording
and placement of other-matter paragraphs in the auditor’s report.
.54 The following is a list of conditions that may require the auditor to include an
emphasis-of-matter paragraph, other-matter paragraph, or both. This is not an
all-inclusive list. The auditor should refer to the related AU-C section for further
requirements and guidance.
a. Subsequently discovered facts that become known to the auditor after the
report release date (see FAM 580.110).
b. The accounting principles or their method of application changes between
periods and the effect on the financial statements is material (see FAM
580.21).
c. Previously issued financial statements are restated to correct a material
misstatement in the respective period (see AU-C 708.13).
d. Certain situations related to prior period financial statements that are audited
by a predecessor auditor or are not audited (see FAM 580.20).
e. There is a departure from U.S. GAAP that has a material effect on the
financial statements, and the auditor can demonstrate that the financial
statements would be misleading without this departure (see FAM 580.10).
.55 The following table provides a listing of situations that could cause the auditor to
modify the opinion or add an emphasis-of-matter and/or other-matter
paragraph(s) to the auditor’s unmodified opinion.
Situation | FAM paragraph and further guidance
Relating to the financial statements
1. Insufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement (also referred to as limitations on the scope of the audit). (AU-C 705.07b) | FAM 580.48 and .50; AU-C 705 Illustration 4 (qualified); AU-C 705 Illustrations 5 and 6 (disclaimer)
2. Effects of uncertainties on an audit opinion. | FAM 580.11
3. Inconsistencies of comparability between the financial statements for all periods presented, including changes in accounting principles. (AU-C 708) | FAM 580.21–.23
4. Material departures from U.S. GAAP resulting in a qualified or adverse opinion. (AU-C 705.07a) | FAM 580.09–.10; AU-C 705 Illustrations 1 and 2 (qualified); AU-C 705 Illustration 3 (adverse)
Relating to internal control
5. Scope limitation resulting in a disclaimer of opinion on internal control. | FAM 580.64–.65
6. Material weaknesses and significant deficiencies in a report or opinion on internal control or other control deficiencies that the auditor has decided to describe in the audit report. | FAM 580.68–.70; FAM 595 B Example 1 (material weakness in internal control); FAM 595 B Example 2 (significant deficiency in internal control)
7. Material inconsistencies between Management’s Report on Internal Control over Financial Reporting prepared under FMFIA and the results of the auditor’s evaluation of internal control. | FAM 580.85
8. Purpose of audit was not to give an opinion on internal control, and significant deficiencies or material weaknesses were found. | FAM 580.73–.74; AU-C 265
Relating to financial management systems’ substantial compliance with FFMIA requirements (for CFO Act agencies)
9. Instances of lack of entity financial management systems’ substantial compliance with the three requirements of FFMIA for CFO Act agencies. | FAM 580.86–.90
Relating to compliance with significant provisions of applicable laws, regulations, contracts, and grant agreements
10. Scope limitation: some significant provisions of applicable laws, regulations, contracts, and grant agreements could not be tested. | FAM 580.97
11. Scope limitation: all significant provisions of applicable laws, regulations, contracts, and grant agreements could not be tested (disclaimer). | FAM 580.98
12. Reportable noncompliance: instances of noncompliance with significant provisions of applicable laws, regulations, contracts, and grant agreements that are reportable under GAGAS (which incorporates U.S. GAAS) or OMB audit guidance that are not clearly inconsequential. | FAM 580.95
13. Material noncompliance with significant provisions of applicable laws, regulations, contracts, and grant agreements. | FAM 580.91–.92
Internal Control
.56 Auditors may take one of two different approaches to reporting on internal
control: (1) management provides an assessment about the effectiveness of its
internal control and the auditor expresses an opinion on internal control or on
management’s assessment following the guidance in AU-C 940 (see FAM
580.63–.72)[10] or (2) the auditor reports material weaknesses and significant
deficiencies found but does not give an opinion on internal control (see FAM
580.73–.79). OMB reporting guidance requires management to include
representations about internal control in the management representation letter
and requires CFO Act agencies to include these representations in the MD&A in
the annual report. OMB audit guidance does not require auditors to express an
opinion on internal control; however, the terms of the engagement may include a
requirement for an auditor to express an opinion on the effectiveness of the
entity’s internal control over financial reporting. In either case, the auditor should
evaluate whether the design and implementation of internal control is sufficient to
meet the control objectives insofar as those objectives pertain to providing
reasonable assurance that a misstatement or omission in the relevant assertion
is prevented, or detected and corrected, on a timely basis. These control
objectives are as follows:
• Reliability of financial reporting: transactions are properly recorded,
  processed, and summarized to permit the preparation of the financial
  statements in accordance with U.S. GAAP, and assets are safeguarded
  against loss from unauthorized acquisition, use, or disposition.
• Compliance with applicable laws, regulations, contracts, and grant
  agreements: transactions are executed in accordance with provisions of
  applicable laws, including those governing the use of budget authority;
  regulations; contracts; and grant agreements, noncompliance with which
  could have a material effect on the financial statements.
[10] If the auditor finds no material weaknesses in internal control, the auditor may express an opinion on
management’s assessment or directly on internal control.
Classifying Control Weaknesses
.57 A control deficiency exists when the design or operation of a control does not
allow management or employees, in the normal course of performing their
assigned functions, to prevent, or detect and correct, misstatements on a timely
basis. A deficiency in design exists when (a) a control necessary to meet the
control objective is missing or (b) an existing control is not designed effectively so
that even if the control operates as designed the control objective would not be
met. A deficiency in operation exists when an effectively designed control does
not operate as designed or when the person performing the control does not
possess the necessary authority or competence to perform the control effectively
(AU-C 265.07). The auditor should classify internal control deficiencies following
AU-C 265 as follows:
• A significant deficiency is a deficiency, or a combination of deficiencies, in
  internal control over financial reporting that is less severe than a material
  weakness yet important enough to merit attention by those charged with
  governance.
• A material weakness is a deficiency, or a combination of deficiencies, in
  internal control over financial reporting, such that there is a reasonable
  possibility[11] that a material misstatement of the entity’s financial statements
  will not be prevented, or detected and corrected, on a timely basis (AU-C
  265.07).[12]
To avoid confusion, the auditor should include the definitions of these terms in
the auditor’s report, as these definitions differ from those in other auditing
standards, such as standards issued by the Public Company Accounting
Oversight Board (PCAOB).
[11] A reasonable possibility exists when the likelihood of an event occurring is either reasonably possible or probable.
Reasonably possible is defined as the chance of the future event or events occurring is more than remote but less
than likely. Probable is defined as the future event or events are likely to occur (AU-C 265.07).
[12] This definition is used to determine whether a material weakness exists.
.58 The auditor should determine whether each control deficiency or combination of
control deficiencies constitutes a significant deficiency or material weakness
(AU-C 265.09). The severity of a control deficiency depends not only on whether a
misstatement has actually occurred but also on the magnitude of the potential
misstatement resulting from the deficiency or deficiencies and whether there is a
reasonable possibility that the entity’s controls will fail to prevent, or detect and
correct, a misstatement of an account balance or note disclosure (AU-C 265.A5).
When making this determination, the auditor should evaluate the following:
• The likelihood and magnitude of potential misstatement that would not be
  prevented or detected because of the control deficiencies. AU-C 265.A6
  through .A9 provide examples of factors for evaluating the likelihood and
  magnitude of misstatement.
• Whether individual control deficiencies that affect the same account balance,
  note disclosure, relevant assertion, or component of internal control
  collectively result in an internal control deficiency.
• The possible mitigating effects of effective compensating controls that have
  been tested and evaluated as part of the financial statement audit.
.59 If the auditor determines that a deficiency, or a combination of deficiencies, in
internal control is not a material weakness, the auditor should consider whether
prudent officials, having knowledge of the same facts and circumstances, would
likely reach the same conclusion (AU-C 265.10).
Additional guidance on evaluating identified deficiencies in internal control is
provided in AU-C 265.A5 through .A11. AU-C 265.A11 includes indicators of
control deficiencies that the auditor should regard as indicators of a material
weakness, such as the auditor’s identification of a material misstatement of the
financial statements under audit that was not initially identified by the entity’s
internal control. Additionally, circumstances that may be considered control
deficiencies, significant deficiencies, or material weaknesses are described in
AU-C 265.A37. Guidance on concluding on the effectiveness of internal control
and reporting findings is provided in FAM 580.67 through .71.
.60 OMB Circular No. A-123 provides guidance for management to report control
weaknesses under 31 U.S.C. § 3512(c), (d), commonly known as the Federal
Managers’ Financial Integrity Act of 1982 (FMFIA). The term material weakness
as used by OMB (FMFIA material weakness) is different from the above
definition and includes matters of an operational nature. Management and the
auditor should evaluate the material weaknesses reported under FMFIA to
determine whether they meet the auditor’s definitions of material weakness and
significant deficiency for reporting as part of management’s assessment of the
effectiveness of internal control (see FAM 580.85).
.61 For controls other than financial reporting controls, a weakness is an FMFIA
material weakness if it is significant enough to be reported outside the entity, as
determined by the entity head. That is, it was included in the annual FMFIA
report to the President and the Congress. Entity reporting of system
noncompliance is governed by the criteria for FFMIA reporting in OMB Circular
No. A-123, Appendix D.
.62 The auditor should determine how threats, incidents, and risk assessments
reported in a Federal Information Security Modernization Act of 2014 annual
report regarding major incidents relate to the control deficiencies identified during
the financial statement audit.
Opinion on Internal Control
.63 Although not required by OMB audit guidance, if the auditor plans to express an
opinion on internal control, the auditor’s evaluation of the entity’s internal control
and the results of other audit procedures form the basis for this opinion. The
opinion may be (1) unmodified, (2) unmodified with reference to significant
deficiencies, (3) disclaimer, or (4) adverse (one or more material weaknesses).
Additionally, there may be restrictions on the scope of the procedures that result
in a disclaimer of opinion (see FAM 580.65). The auditor should communicate
any identified internal control deficiencies, including weaknesses in operations
controls, and consider the effects of these deficiencies on other entity-prepared
reports (see FAM 580.68–.71 and .80–.84).
Scope of Procedures
.64 When performing an audit of internal control over financial reporting, the auditor
should do the following:
a. Obtain the agreement of management that it acknowledges and understands
its responsibility for the following (AU-C 940.06a):
i. designing, implementing, and maintaining effective internal control over
financial reporting;
ii. evaluating the effectiveness of the entity’s internal control over financial
reporting using suitable and available criteria;
iii. providing management’s assessment about internal control over financial
reporting in a report that accompanies the auditor’s report;
iv. supporting its assessment about the effectiveness of the entity’s internal
control over financial reporting with sufficient evaluations and
documentation; and
v. providing the auditor with (1) access to all information of which
management is aware that is relevant to management’s assessment of
internal control over financial reporting, such as records, documentation,
and other matters; (2) additional information that the auditor may request
from management for the purpose of the audit of internal control over
financial reporting; and (3) unrestricted access to persons within the entity
from whom the auditor determines it necessary to obtain audit evidence.
b. Determine that the date specified in management’s assessment about the
effectiveness of internal control over financial reporting corresponds to the
balance sheet date (or period ending date) of the period covered by the
financial statements (AU-C 940.04a and .06b).
The auditor should evaluate the effectiveness of the entity’s internal control over
financial reporting using the same suitable and available criteria used by
management for its assessment (AU-C 940.07).
In accordance with FAM 580.64a.iii above, the auditor should request from
management a written assessment about the effectiveness of the entity’s internal
control over financial reporting. Management’s refusal to provide a written
assessment represents a scope limitation, and the auditor should apply the
requirements in AU-C 940.74 through .77 (AU-C 940.08). The auditor should
perform all necessary procedures, as described in FAM 300 and FAM 450, on
the written assessment from management. The auditor should evaluate whether
management has a reasonable basis for its assessment. For example, the
assessment may be based on management’s monitoring procedures (see AU-C
940.A9 through .A12 for evidence that management can use to support its
assessment). The audit results alone cannot be the basis for management’s
assessment. When a scope limitation arises because management refuses to
furnish a written assessment about the effectiveness of internal control over
financial reporting, the auditor should withdraw from the integrated audit
engagement. When withdrawal is not possible under applicable law or regulation,
the auditor should disclaim an opinion on internal control over financial reporting
and consider the implications on the financial statement audit (AU-C 940.74).
.65 If there is a restriction on the scope of the audit, such that not all of these
procedures can be performed, the auditor should evaluate whether or not to
disclaim the opinion on internal control over financial reporting and determine
whether or not to modify the GAGAS compliance statement in the report, as
discussed in GAGAS (2018) 2.17b, 2.18, and 2.20. Scope restrictions may be
imposed by the entity or may be due to other circumstances. The auditor should
consult with the reviewer on this decision.
When determining the severity of a scope limitation on internal control, the
auditor should use the control objectives listed in the report for internal control
over financial reporting, including safeguarding assets. If the scope of work on
internal control over financial reporting is limited, the auditor should disclaim the
opinion on internal control. If the auditor concludes that the auditor cannot
express an opinion because there has been a limitation on the scope of the
examination, the auditor should communicate, in writing, to management and
those charged with governance that the audit of internal control over financial
reporting cannot be satisfactorily completed.
.66 If the auditor determines that an opinion can be expressed, the type of opinion
depends on whether any internal control deficiencies are identified and the
significance of such deficiencies. In identifying and evaluating deficiencies, the
auditor should consider deficiencies in each of the five components of internal
control (control environment, entity risk assessment, information and
communications, control activities, and monitoring). In concluding on the
effectiveness of internal control, the auditor should categorize control
deficiencies, in order of decreasing significance, as (1) material weaknesses, (2)
significant deficiencies, and (3) other deficiencies that do not meet the criteria for
a significant deficiency or material weakness (other deficiencies). Each of these
types of weaknesses and its effects on the auditor’s conclusion on internal
control is discussed below. If no material weaknesses are identified, the auditor
generally should conclude that internal control is effective in meeting the control
objectives.
Effects of Control Deficiencies on the Auditor’s Conclusion on the
Effectiveness of Internal Control over Financial Reporting
.67 Based on the types of deficiencies noted, the auditor should conclude on the
effectiveness of internal control over financial reporting as of the end of the audit
period, as discussed below. Management also should conclude on the
effectiveness of internal control in deciding what assessment to make. After
forming an opinion on the effectiveness of the entity’s internal control, the auditor
should evaluate management’s report to determine whether it appropriately
contains the following (AU-C 940.55):
• a statement regarding management’s responsibility for internal control over
  financial reporting;
• a description of the subject matter of the examination (for example, controls
  over the preparation of the entity’s financial statements in accordance with
  U.S. GAAP);
• an identification of the criteria against which internal control over financial
  reporting is measured (for example, criteria established in the GAO’s
  Standards for Internal Control in the Federal Government or the Committee of
  Sponsoring Organizations of the Treadway Commission’s Internal Control -
  Integrated Framework);
• management’s assessment of the effectiveness of internal control over
  financial reporting;
• a description of the material weaknesses, if any; and
• the date as of which management’s assessment of internal control over
  financial reporting is made.
When management includes, either within management’s report or in a
document containing management’s report and the related auditor’s report,
information in addition to the elements that are subject to the auditor’s evaluation
as described above, the auditor should perform the procedures required by AU-C
940.80. If the auditor determines that any required element of management’s
report is incomplete or improperly presented, the auditor should request
management to revise its report (AU-C 940.56). If management does not revise
its report, the auditor should modify the auditor’s report to include an other-matter
paragraph describing the reasons for this determination (AU-C 940.72).
Material Weaknesses
.68 If one or more material weaknesses exist at the end of the audit period, the
auditor should conclude that the entity’s internal control is ineffective, which
would result in an adverse opinion (AU-C 940.68). The existence of a material
weakness precludes a conclusion that internal control is effective, which would
result in a modified opinion. The auditor’s report should include in the “Basis for
Adverse Opinion on Internal Control over Financial Reporting” section (a) the
definition of a material weakness and (b) a statement that one or more material
weaknesses have been identified and an identification of the material
weaknesses described in management’s assessment about internal control over
financial reporting (AU-C 940.70).
If one or more material weaknesses have not been included in management’s
report accompanying the auditor’s report, the auditor’s report should be modified
to state that one or more material weaknesses have been identified but not
included in management’s report. Additionally, the auditor’s report should include
a description of each material weakness not included in management’s report.
The auditor’s description should include specific information about the nature of
each material weakness and its actual and potential effect on the presentation of
the entity’s financial statements issued during the existence of the weakness. In
this case, the auditor also should communicate, in writing, to those charged with
governance that one or more material weaknesses were not disclosed or
identified as a material weakness in management’s report. If one or more
material weaknesses have been included in management’s report but the auditor
concludes that the disclosure of such material weaknesses is not fairly presented
in all material respects, the auditor’s report should describe this conclusion as
well as the information necessary to fairly describe each material weakness (AU-
C 940.71).
.69 The auditor should determine the effect an adverse opinion on internal control
over financial reporting has on the auditor’s opinion on the financial statements.
Additionally, the auditor should disclose, as a separate paragraph within the
“Adverse Opinion on Internal Control over Financial Reporting” section of the
report, whether the auditor’s opinion on the financial statements was affected by
the material weakness (AU-C 940.69). If a material weakness is presented in a
report that also includes an unmodified opinion on the financial statements, the
auditor should add a statement to the unmodified opinion to indicate that as a
result of a material weakness, material misstatements may nevertheless occur in
other financial information reported by the entity. Example report modifications
for material weaknesses are provided in FAM 595 B.
Significant Deficiencies
.70 If significant deficiencies existed at the end of the audit period, but no material
weaknesses were identified, the auditor generally should conclude that the
controls are effective in achieving the control objectives. However, as required by
GAGAS, the auditor should indicate in the report that the work performed
identified significant deficiencies and should describe the deficiencies (see FAM
595 B).
Control Deficiencies That Do Not Meet the Criteria for Material
Weaknesses or Significant Deficiencies
.71 Control deficiencies that do not meet the criteria for material weaknesses or
significant deficiencies in FAM 580.57 do not affect the auditor’s conclusion on
the effectiveness of internal control. The auditor also should communicate to
management at an appropriate level of responsibility, on a timely basis either in
writing (e.g., in a separate report to management or a write-up of the deficiency
to management for its concurrence with the facts) or orally, these deficiencies in
internal control identified during the audit that have not been communicated to
management by other parties and that, in the auditor’s professional judgment, are
of sufficient importance to merit management’s attention. If these deficiencies in
internal control are communicated orally, the auditor should document the
communication (AU-C 265.12b). This communication should be made no later
than 60 days following the report release date (AU-C 265.13). The auditor should
document any oral communication of these deficiencies. When performing an
integrated audit, the auditor should communicate these deficiencies in writing
and inform those charged with governance when such communication was
made. The auditor is not required to communicate those deficiencies that are not
material weaknesses or significant deficiencies that were included in previous
written communications, regardless of whether those communications were
made by the auditor, internal auditors, or others within the organization (AU-C
940.62).
Type of Opinion
.72 As described in FAM 580.65, if the auditor is unable to apply all the audit
procedures considered necessary in the circumstances, a scope limitation exists
and the auditor should issue a disclaimer of opinion on internal control over
financial reporting in accordance with AU-C 940.75 and .76. If all the procedures
considered necessary were performed, the auditor should issue one of the
following opinions:
• If the auditor and management agree on the effectiveness of internal control
  and there are no material weaknesses, the auditor should issue an
  unmodified opinion on internal control (see FAM 595 A).
• If the auditor and management agree on the effectiveness of internal control
  and there are no material weaknesses in internal control, but there are
  significant deficiencies, the auditor should issue an unmodified opinion,
  including a statement that internal control is effective but could be improved
  and referring to the significant deficiencies (see FAM 595 B).
• If the auditor and management agree on the effectiveness of internal control
  and there are material weaknesses in internal control, the auditor should
  modify the opinion on internal control by (1) referring to the material
  weakness(es) noted in management’s assessment (which states that internal
  control over financial reporting is ineffective (adverse opinion)) and (2)
  describing the material weakness(es) (see FAM 595 B). OMB Circular No.
  A-123 guidance for FMFIA allows management to provide a qualified
  assessment of internal control effectiveness even if material weaknesses
  exist.
• If the auditor and management disagree on the effectiveness of internal
  control, either because (1) management does not agree that material
  weakness(es) exist or (2) management does not appropriately modify its
  assessment of the effectiveness of internal control in light of the material
  weakness(es), the auditor should issue an adverse opinion. The existence of
  a material weakness precludes management from asserting that its internal
  control is effective. Thus, an adverse opinion is appropriate if management
  states that internal control is effective “except for” the material weakness
  when, in the auditor’s professional judgment, the material weakness indicates
  that internal control is ineffective (see FAM 580.68).
Nonopinion Report
.73 If the purpose of the audit is not to express an opinion on internal control, the
auditor should still report any identified material weaknesses and significant
deficiencies in internal control in accordance with AU-C 265.11 through .16. Per
OMB audit guidance, if the auditor did not identify any material weaknesses
during the audit, the auditor should state, in the report on internal control, that no
deficiencies in internal control were identified that were considered to be material
weaknesses during the audit of the financial statements and include matters
required by AU-C 265.15 (see auditor’s report example 2 in FAM 595 A).
Including a statement in the report on internal control indicating that no material
weaknesses were identified during the audit does not provide any assurance
about the effectiveness of an entity’s internal control over financial reporting (AU-
C 265.A34). The auditor should not issue a written communication stating that no
significant deficiencies were identified during the audit because of the potential
for users to misinterpret the amount of assurance provided by such
communication (AU-C 265.16). If there are one or more material weaknesses,
the auditor may state in its report that internal control was ineffective for one or
more objectives. Further, the auditor should conclude whether the scope of the
work and the related audit evidence are sufficient to meet the audit objectives
described in the OMB audit guidance. If the work is not sufficient, the auditor
should report a scope limitation.
.74 Under AU-C 905.06c, a report on internal control in which no opinion is issued is
considered a by-product report. When no opinion is issued, the report provides
only a limited degree of assurance about internal control, as internal control is not
the primary objective of the engagement. The internal control report should
include an alert, in a separate paragraph, describing the purpose of the report
and state that the report is not suitable for any other purpose (AU-C 905.06 and
.11), because of the potential for users to misunderstand a by-product report’s
limited degree of assurance. Because the distribution of government audit
reports is not restricted, the reports should explain their limitations. See FAM 595
A, example 2, for an example of a report when the auditor does not provide an
opinion on internal control and cautions the reader that the internal control testing
performed may not be sufficient for other purposes.
Where and When to Report Control Deficiencies for Nonopinion Report
.75 The means of communicating deficiencies in internal control depends on the type
of weakness, as discussed in FAM 580.57. The auditor should communicate in
writing to those charged with governance on a timely basis significant
deficiencies and material weaknesses identified during the audit, including those
that were remediated during the audit (AU-C 265.11). The auditor also should
communicate to management at an appropriate level of responsibility, on a timely
basis in writing, significant deficiencies and material weaknesses that the auditor
has communicated or intends to communicate to those charged with governance,
unless it would be inappropriate to communicate directly to management in the
circumstances (AU-C 265.12a). Under GAGAS, this communication is part of the
auditor’s report on financial statements. For other deficiencies, the auditor should
communicate no later than 60 days following the report release date. However,
the auditor may issue other written communication containing further details on
the deficiencies. The auditor should include any material weaknesses or other
significant deficiencies that were communicated in previous financial statement
audits that have not yet been corrected. The auditor may do this by referring to
the previously issued written communication and the date of the communication.
Communicating each type of deficiency is discussed below.
Material Weaknesses and Significant Deficiencies
.76 The auditor should report material weaknesses and significant deficiencies in the
internal control section of the auditor’s report. The auditor may report these
deficiencies in a separate report that is referenced in the auditor’s report on
the financial statements. If management’s assessment about the effectiveness of
internal control is printed with the audit report, the auditor’s report should refer to
the discussion of the material weakness (or other significant deficiency) in
management’s assessment.
.77 The auditor generally should limit the internal control section of the auditor’s
report to summarized information. As such, the auditor may limit the discussion
of control deficiencies included in this section to providing the reader with an
understanding of the nature and extent of the deficiency. The auditor may
combine related control deficiencies. To the extent that any such control
deficiencies contribute to a significant deficiency, the auditor generally should
describe them in conjunction with the related significant deficiency.
.78 If more complete information concerning control deficiencies is provided in other
reports issued prior to or at the same time as the auditor’s report, the auditor
generally should refer to such other reports (such as date and title or report
number) in the auditor’s report. The auditor may also subsequently report
significant deficiencies in more detail in a separate report to management or
other written communication that includes other elements of the findings, as
discussed in FAM 580.81.
Other Control Deficiencies
.79 The auditor should communicate to management at an appropriate level of
responsibility, on a timely basis in writing or orally, other deficiencies in internal
control identified during the audit that have not been communicated to
management by other parties and that, in the auditor’s professional judgment, are
of sufficient importance to merit management’s attention. If other deficiencies in
internal control are communicated orally, the auditor should document the
communication (AU-C 265.12b).
What to Report about Control Deficiencies
.80 Control deficiencies identified by the auditor are findings. GAGAS (2018) 6.25
through 6.28 describe the four elements of a finding:
• Criteria (what should be).
• Condition (what is).
• Cause (why the condition occurred).
• Effect (the nature of the possible past or future impact).
.81 The auditor should decide whether to fully develop each of the four elements of a
finding. The auditor uses professional judgment in determining whether to apply
resources to investigate a control deficiency, based on the elements that the
auditor decides to report. For each significant deficiency, the extent to which the
auditor should develop the elements of a finding depends on how it is
communicated.
• Material weaknesses and significant deficiencies reported in the
auditor’s report. The auditor generally should identify at least the criteria,
condition, cause, and possible asserted effect (related to the nature, not
necessarily amount) to permit entity management to determine the effect and
to take prompt and proper corrective action. The auditor may provide
recommendations to improve internal control and obtain management’s
response as part of entity comments on the auditor’s report.
• Significant deficiencies described briefly in the auditor’s report and
detailed in a separate report to management. The auditor should identify
at least the condition and the criteria and generally should identify the
possible asserted effect to bring them to management’s attention, particularly
if there are sensitive or information technology issues. The auditor may also
evaluate the benefits of identifying the cause. The auditor generally should
provide recommendations or suggestions to improve reported findings and
obtain management’s response as part of entity comments on the auditor’s
report.
In discussing each material weakness that meets FMFIA reporting criteria, the
auditor should determine whether the material weakness was identified in the
entity’s FMFIA report or in the FMFIA report of the organization of which the
entity is a part (see FAM 580.85).
.82 For control deficiencies that do not meet the criteria for a material weakness or
significant deficiency, the auditor need not develop all of the elements of a finding
if the auditor decides to report these control deficiencies.
Other Considerations
.83 To communicate findings promptly, the auditor may issue written
communications during the audit. For example, GAO issued a report to a federal
entity where on an interim basis some installations were reporting in millions of
dollars and others in billions of dollars, causing materially inaccurate
consolidations of amounts. GAO issued this report to provide information so that
the entity could improve the consistency and accuracy of amounts in time for
year-end reporting. In such instances, the auditor may describe the control
deficiency and refer to the reports as discussed in FAM 580.78.
.84 The auditor should determine whether internal control deficiencies, particularly
material weaknesses, could affect information in other reports generated by the
entity for external distribution or internal decision-making. The auditor generally
should make inquiries and evaluate other knowledge obtained during the audit
concerning use of reports affected by these deficiencies. The auditor uses
professional judgment to determine whether such reports might contain
inaccuracies as a result of control deficiencies that would likely influence the
judgment of report users. If so, the auditor generally should describe, in the
auditor’s report, the nature of such reports and the effect of control deficiencies
on them. In determining if such reports are significant, the auditor should
evaluate whether user judgments or management decisions based on such
reports could affect the entity in amounts that would be material in relation to the
financial statements.
Reporting on Management’s FMFIA Reports
.85 In the internal control section of the auditor’s report, the auditor should disclose
whether material weaknesses or financial management systems’
nonconformance with financial systems requirements identified during the audit
was identified in management’s FMFIA report.
If the auditor found material weaknesses or systems’ nonconformance that
should have been reported under FMFIA, the auditor should refer to such
findings as indicated in FAM 580.60 and .61, and determine whether
management’s FMFIA process has deficiencies that the auditor should report.
Such deficiencies might result from the following:
• Entity management did not initially recognize internal control deficiencies or
systems’ nonconformance, perhaps due to a lack of training, understanding,
or limitations in the scope of the FMFIA process. For example, certain areas
were not reviewed annually or certain types of controls or systems were not
reviewed.
• Entity management did not recognize that identified deficiencies were FMFIA
material weaknesses or systems’ nonconformance.
• Entity management relied on controls that the auditor concluded were
ineffective.
• Entity management failed to report identified deficiencies due to inappropriate
report preparation. This could occur because of errors in aggregating the
internal control deficiencies or systems’ nonconformance of individual
components or locations.
The auditor may refer to the assessment of management’s FMFIA process
performed during planning, as discussed at FAM 260.67 through .73, when
concluding as to how to report these matters.
Financial Management Systems
.86 FFMIA requires the auditor to report whether the financial management systems
of the 24 CFO Act agencies comply substantially with three federal financial
management systems requirements. These requirements are as follows:
• federal financial management systems requirements, including those found in
the Treasury Financial Manual, volume 1, part 6, chapter 9500, Revised
Federal Financial Management System Requirements;
• applicable federal accounting standards; and
• the USSGL at the transaction level.
Further information on FFMIA compliance can be found in OMB Circular No. A-
123, appendix D.
The auditor should conclude on whether the agency’s financial management
systems complied substantially with the three FFMIA requirements, following the
guidance provided in FAM 701 and by OMB.
Reporting on Systems’ Substantial Compliance with FFMIA Requirements
.87 If the auditor is required to report whether an agency’s financial management
systems comply with the three FFMIA requirements, the example reports in FAM
595 A should be revised to include this item. OMB audit guidance provides
information for reporting on FFMIA compliance without expressing an opinion.
.88 If the auditor finds that the entity’s financial management systems do not comply
substantially with any of the three FFMIA requirements, the auditor should
summarize the lack of substantial compliance in the auditor’s report. Frequently,
the financial management systems’ lack of substantial compliance is related to
significant deficiencies in internal control. If so, the auditor may make reference
to another report or another section within a combined report, as necessary.
.89 If the auditor finds that the entity’s financial management systems did not comply
substantially with the requirements, FFMIA requires the auditor to identify the
entity or organization responsible for the systems found not to comply. The
auditor should include pertinent facts, such as the nature and extent of
noncompliance, areas in which there is substantial but not full compliance,
primary reason or cause, and any relevant comments from management or
responsible employees. The auditor may make recommendations for corrective
actions and obtain management’s response as part of agency comments on the
auditor’s report.
Scope of Procedures
.90 If the auditor is unable to perform all the procedures considered necessary, as
discussed in FAM 350, the scope of the financial statement audit is restricted.
Generally, if the scope of the financial statement audit is restricted, for example,
because needed information from the systems is not available, the auditor should
report that the financial management systems do not comply substantially with
FFMIA requirements. Also, if the auditor concluded that the systems did not
comply substantially with FFMIA based on limited testing, the auditor should
report that the work on FFMIA would not necessarily disclose all instances of
noncompliance with FFMIA requirements.
Compliance with Applicable Laws, Regulations, Contracts, and Grant Agreements and Instances of Fraud
.91 The auditor should report on the results of compliance testing and on compliance
matters (including fraud, as discussed in FAM 540.20.23) that come to the
auditor’s attention during procedures other than compliance tests.
If the auditor concludes that the noncompliance has a material effect on the
financial statements, and it has not been adequately reflected in the financial
statements, the auditor should, in accordance with AU-C 705, Modifications to the
Opinion in the Independent Auditor's Report, express a qualified or adverse
opinion on the financial statements (AU-C 250.24). If the auditor is precluded by
management or those charged with governance from obtaining sufficient
appropriate audit evidence to evaluate whether noncompliance that may be
material to the financial statements has, or is likely to have, occurred, the auditor
should express a qualified opinion or disclaim an opinion on the financial
statements on the basis of a limitation on the scope of the audit, in accordance
with AU-C 705 (AU-C 250.25). If the auditor is unable to determine whether
noncompliance has occurred because of limitations imposed by circumstances
rather than by management or those charged with governance, the auditor
should evaluate the effect on the auditor’s opinion in accordance with AU-C 705
(AU-C 250.26).
.92 If the auditor concludes, based on sufficient appropriate evidence, that any of the
following have occurred or are likely to occur, the auditor should include in the
report on internal control or compliance the relevant information about
• fraud that is material, either quantitatively or qualitatively, to the financial
statements or other financial data significant to the audit objectives or
• noncompliance with provisions of laws, regulations, contracts, or grant
agreements that has a material effect on the financial statements or other
financial data significant to the audit objectives (GAGAS (2018) 6.41),
regardless of whether the noncompliance has been appropriately reflected in
the financial statements.
The auditor should consult with the entity’s legal counsel regarding conclusions
on the entity’s compliance with provisions of applicable laws, regulations,
contracts, and grant agreements.
.93 When the auditor identifies or suspects instances of fraud or noncompliance with
provisions of laws, regulations, contracts, or grant agreements that have an
effect on the financial statements or other financial data significant to the audit
objectives that is less than material but warrants the attention of those charged
with governance, the auditor should communicate those findings in writing to
audited entity officials (GAGAS (2018) 6.44). When the auditor identifies or
suspects any instances of noncompliance with provisions of applicable laws,
regulations, contracts, or grant agreements that do not warrant the attention of
those charged with governance, the auditor’s determination of whether and how
to communicate such instances to audited entity officials is a matter of
professional judgment (GAGAS (2018) 6.48).
.94 When the auditor identifies or suspects either noncompliance with provisions of
laws, regulations, contracts, or grant agreements or instances of fraud, the
auditor may consult with authorities or legal counsel about whether publicly
reporting such information would compromise investigative or legal proceedings.
The auditor may limit public reporting to matters that would not compromise
those proceedings and, for example, report only on information that is already a
part of the public record (GAGAS (2018) 6.49).
Reporting on Compliance Tests
.95 The auditor should state directly whether any reportable noncompliance was
detected during compliance tests. This type of direct statement is illustrated in
FAM 595 A for a situation in which the compliance tests disclosed no reportable
noncompliance. If the auditor identifies any reportable noncompliance, the
auditor should modify the statement, and the auditor should discuss the
reportable noncompliance in the auditor’s report as described above.
.96 Under AU-C 905, a report on compliance with significant provisions of applicable
laws, regulations, contracts, and grant agreements in which no opinion is issued
is a by-product of a financial statement audit that provides a limited degree of
assurance about compliance. When no opinion is issued, the report on
compliance is not the primary objective of the engagement. The auditor should
indicate the intended use of the report on compliance because of the potential for
users to misunderstand a by-product report’s limited degree of assurance.
Because the distribution of government audit reports is not restricted, based on
AU-C 905.11, the auditor’s report on compliance should (a) describe the purpose
of the report and (b) state that the report is not suitable for any other purpose.
See FAM 595 A and B for auditor’s report examples that include an alert on the
use of the report on compliance.
Scope of Procedures
.97 The auditor should perform all of the procedures considered necessary to test
compliance with significant provisions of applicable laws, regulations, contracts,
and grant agreements. If the auditor is unable to perform all of the necessary
procedures for one or more significant provisions, the auditor should report
based on the provisions tested. However, the auditor should modify the report, as
appropriate, to alert the reader that not all of the significant provisions of
applicable laws, regulations, contracts, and grant agreements were tested.
.98 If the scope limitation is so significant that the auditor believes that any
discussion of testing could be misleading, the auditor should report that the
auditor could not test compliance due to the scope limitation. The auditor should
describe significant scope limitations in the auditor’s report and should modify the
auditor’s report. The auditor also should determine the effect of such a scope
limitation on the auditor’s opinion on the financial statements.
.99 If deficiencies in compliance controls are identified but no instances of
noncompliance are found during compliance testing, the auditor should
determine whether controls or other mitigating factors prevented or detected
instances of noncompliance. If sufficient additional controls or other mitigating
factors are not identified, the auditor should consult with the reviewer and OGC
concerning the appropriate reporting of such deficiencies and compliance tests.
Entity Comments
.100 The auditor should obtain and report the views of responsible entity officials
concerning the findings, conclusions, recommendations, and planned corrective
actions, if included. The auditor should allow the audited entity to review a draft
of the report prior to issuance and provide either written or oral comments. This
entity review helps the auditor to identify any errors in fact; avoid surprises in the
message; and strive for fairness, balance, objectivity, accuracy, and
completeness. Written comments are generally preferred, especially when the
report is sensitive or controversial, when significant disagreements exist, or when
the report makes wide-ranging recommendations. When the entity provides
written comments, the auditor should include a copy of these comments or
summarize the comments in the auditor’s report.
Oral comments may be appropriate when (1) there is a reporting date critical to
meeting a user’s needs; (2) the auditor has worked closely with the entity so that
it is familiar with the findings and issues addressed in the draft report; or (3) the
auditor does not expect major disagreements with the findings, conclusions, or
recommendations in the draft report or major controversies with regard to the
issues discussed in the draft report. If the entity provides only oral comments, the
auditor should prepare a summary of these comments and provide a copy of the
summary to the responsible officials to verify that the comments are accurately
stated, and may report the entity’s views. If the report is unmodified and does not
include any material weaknesses or material noncompliance, the entity may
decide not to comment.
.101 The auditor generally should include an entity comments and (auditor’s)
evaluation section in the auditor’s report. The auditor generally should briefly
characterize the overall response to the draft regarding facts and conclusions,
such as whether the entity generally agrees, partially agrees, or disagrees with
the report. The auditor generally should summarize the major points made in the
comments, whether written or oral, usually in the last section of the auditor’s
report, and should include an evaluation of the comments, as appropriate. If
entity officials concurred with all the findings, conclusions, and recommendations,
the auditor should state that they concurred, mention any actions the entity has
agreed to take, and provide the auditor’s response to those actions. If entity
officials disagree with or have concerns regarding portions of the report, the
auditor should discuss these concerns in the auditor’s report and provide the
auditor’s evaluation of them.
.102 The auditor generally should include the entity’s written comments as an
appendix to the report. These comments may include, for example, a description
of corrective actions taken by the entity, the entity’s plans to implement new
controls, or a statement indicating that management believes the cost of
correcting a significant deficiency or material weakness would exceed the
benefits to be derived from doing so. If these types of comments are included in
the document containing the auditor’s written communication regarding material
weaknesses or other significant deficiencies, the auditor should disclaim an
opinion on such information.
Auditor’s Report Date, Report Release Date, and Documentation Completion Date
Auditor’s Report Date
.103 The auditor’s report should be dated no earlier than the date on which the auditor
has obtained sufficient appropriate audit evidence on which to base the auditor’s
opinion on the financial statements, including evidence of the following (AU-C
700.43):
• All the statements and notes that the financial statements comprise have
been prepared.
• Management has asserted that it has taken responsibility for those financial
statements.
.104 For comparative financial statements, the auditor’s report should not be dated
earlier than the date on which the auditor has obtained sufficient appropriate
audit evidence on which to support the opinion for the most recent audit (AU-C
700.48).
.105 If the auditor identifies a material subsequent event for disclosure in the report,
as discussed in FAM 550.04 through .05, the auditor should follow guidance in
AU-C 560 with respect to report dating.
.106 The engagement partner should take responsibility for reviews being performed
in accordance with the audit organization’s review policies and procedures (AU-C
220.18). On or before the date of the auditor’s report, the engagement partner
should, through a review of the audit documentation and discussion with the
engagement team, be satisfied that sufficient appropriate audit evidence has
been obtained to support the conclusions reached and for the auditor’s report to
be issued (AU-C 220.19).
.107 Based on AU-C 220.A25, if the auditor identifies instances after the auditor’s
report date but before the report release date where additional procedures or
evidence is necessary, the auditor should change the date of the auditor’s report
to the date that the additional procedures have been satisfactorily completed or
the additional evidence has been obtained (see FAM 590.02 for documentation
requirements). However, if additional procedures or evidence obtained are the
result of facts discovered between the auditor’s report date and report release
date, the auditor should follow the requirements in AU-C 560.12 through .14.
Report Release Date
.108 The report release date is the date the auditor grants the entity permission to use
the auditor’s report in connection with the financial statements (AU-C 230.06).
Often, this will be the date that the auditor provides the audit report to the entity.
The report release date will ordinarily be a date that is close to the auditor’s
report date. The report release date is important because it starts the period
when the auditor should complete the audit documentation. If there are delays in
releasing the report, the auditor should perform additional procedures to comply
with AU-C 560 and AU-C 700.
Documentation Completion Date
.109 The documentation completion date is the date on which the auditor has
assembled for retention a complete and final set of documentation in an audit file
(AU-C 230.06). The auditor should assemble the audit documentation in an audit
file and complete the administrative process of assembling the final audit file on a
timely basis, no later than 60 days following the report release date (AU-C
230.16). See FAM 590.03 for additional guidance.
Restatement of Audited Financial Statements
.110 If the auditor becomes aware of information or subsequently discovered facts
after the report release date, the auditor should follow AU-C 560.15 through .18.
SFFAS 21, Reporting Corrections of Errors and Changes in Accounting
Principles, addresses restatement of prior-year federal entity financial
statements. AU-C 708 (on consistency of financial statements) and AU-C 560 (on
subsequent events and subsequently discovered facts) provide guidance on
when to reissue auditor’s reports on restated financial statements. Additionally,
OMB reporting guidance requires entity management to notify its auditor when
material errors are found in published financial statements and provides
guidance regarding note disclosure of restatements.
Reporting Phase
590 Documentation
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 590-1
590 – Documentation
.01 As discussed in FAM 290.01, the auditor should prepare audit documentation
that is sufficient to enable an experienced auditor, having no previous connection
with the audit, to understand
• the nature, timing, and extent of the audit procedures performed to comply
with GAGAS, including the Statements on Auditing Standards and applicable
attestation standards, and applicable legal and regulatory requirements;
• the results of the audit procedures performed and the audit evidence
obtained; and
• the significant findings or issues arising during the audit, the conclusions
reached thereon, and significant professional judgments made in reaching
those conclusions.
The audit documentation should include, but is not limited to
a. audit summary memorandum (FAM 590.05–.06);
b. overall analytical procedures (FAM 590.07);
c. deficiencies in internal control (FAM 590.08);
d. evaluation and communication of misstatements (FAM 540);
e. responses from the entity’s legal counsel (FAM 1002);
f. subsequent events (FAM 1005);
g. management representations (FAM 1001);
h. names of identified disclosure entities, related parties, and public-private
partnerships and the nature of the relationships (AU-C 550.30);
i. procedures performed to determine consistency of the other information in
the annual report with the financial statements and in accordance with U.S.
GAAP or OMB reporting guidance, currently OMB Circular No. A-136, and
the final version of the other information on which the auditor has performed
the work (FAM 280.09 and AU-C 720.26);
j. evidence of exit conference(s) (FAM 590.15);
k. applicable audit completion checklists (FAM 1003); and
l. report release date (AU-C 230.15).
.02 If, in rare circumstances, the auditor performs new or additional audit procedures
or draws new conclusions after the date of the auditor’s report, the auditor should
document
a. the circumstances encountered;
b. the new or additional audit procedures performed, audit evidence obtained,
and conclusions reached, and their effect on the auditor’s report; and
c. when and by whom the resulting changes to audit documentation were made
and reviewed (AU-C 230.14).
Examples of these circumstances include the following (AU-C 230.A23):
• when, after the date of the auditor’s report, the auditor becomes aware of
facts that existed at the date and which, if known at that date, might have
caused the financial statements to be revised or the auditor to modify the
opinion in the auditor’s report (see FAM 550.06) and
• when the auditor concludes that procedures necessary at the time of the
audit, in the circumstances then existing, were omitted from the audit of the
financial statements (see FAM 580.107).
.03 The auditor should assemble the audit documentation in an audit file and
complete the administrative process of assembling the final audit file on a timely
basis, no later than 60 days following the report release date (AU-C 230.16).
After the documentation completion date, the auditor should not delete or discard
audit documentation of any nature before the end of the specified retention
period. Such retention period, however, should not be shorter than 5 years from
the report release date (AU-C 230.17).
.04 In circumstances other than those discussed in FAM 590.02 in which the auditor
finds it necessary to modify existing audit documentation or add new audit
documentation after the documentation completion date, the auditor should,
regardless of the nature of the modifications or additions, document
a. the specific reasons for making the changes and
b. when and by whom they were made and reviewed (AU-C 230.18).
Specific Documentation Considerations
Audit Summary Memorandum
.05 At the completion of the audit, the auditor should prepare an audit summary
memorandum that summarizes the audit results and demonstrates the adequacy
of the audit procedures, appropriateness and sufficiency of the audit evidence,
and the reasonableness of the conclusions on
• the financial statements;
• internal control;
• the financial management systems’ substantial compliance with FFMIA
requirements (for CFO Act agencies);
• the entity’s compliance with significant provisions of applicable laws,
regulations, contracts, and grant agreements;
• RSI, including MD&A; and
• other information.
.06 In the audit summary memorandum, the auditor may refer to other
documentation that describes this information in more detail. The auditor
generally should summarize and refer in the documentation to
a. any significant changes from the auditor’s original assessment of materiality
for the financial statements as a whole and the risks of material
misstatement;
b. any additional fraud risks or other conditions beyond those considered in
planning (FAM 260), including analytical relationships identified during the
audit that caused the auditor to believe that additional audit procedures or
any other response was required, as well as any further response the auditor
concluded was appropriate;
c. the results of the procedures performed to specifically address the risk of
management override of controls, including the consideration of the
qualitative aspects of the entity’s accounting practices, including indicators of
possible bias in management’s judgments (AU-C 240.44b and 700.14);
d. the work performed that demonstrates information in the financial statements
agrees or reconciles with the underlying accounting records, including
agreeing or reconciling note disclosures, whether such information is
obtained from within or outside of the general and subsidiary ledgers (AU-C
330.33);
e. the auditor’s evaluation of misstatements that the auditor believes are or
might be the result of fraud;
f. the nature of any communications about fraud or possible fraud (and any
significant abuse) made to management, those charged with governance, the
Special Investigator Unit, the Office of Inspector General, or others (AU-C
240.45);
g. the auditor’s summary conclusions related to the consideration of fraud;
h. significant accounting, auditing, or reporting issues;
i. how the auditor addressed inconsistencies if the auditor identified information
that is inconsistent with the auditor’s final conclusion regarding a significant
finding or issue (AU-C 230.12);
j. any limitations on the audit scope;
k. the auditor’s conclusions on whether the audit evidence obtained is sufficient
and appropriate, and supports the auditor’s reports on the financial
statements, RSI (including MD&A), and other information included in the
annual report; internal control over financial reporting; financial management
systems’ substantial compliance with the three FFMIA requirements (for CFO
Act agencies); and compliance with significant provisions of applicable laws,
regulations, contracts, and grant agreements;
l. the auditor’s conclusions on whether sufficient appropriate audit evidence
was obtained to reduce audit risk to an appropriately low level;
m. the auditor’s conclusion on whether the audit was performed in compliance
with GAGAS, OMB audit guidance, and, if used, the FAM, and whether the
report is appropriate;
n. the auditor’s conclusion on whether the entity’s financial statements are in
accordance with U.S. GAAP;
o. significant subsequent events, if any;
p. findings with respect to transactions with disclosure entities, related parties,
and public-private partnerships and complex or unusual transactions (AU-C
940.54c.);
q. the Summary of Uncorrected Misstatements (FAM 595 C) and
communication of the misstatements to management and those charged with
governance;
r. a summary of internal control weaknesses classified as material weaknesses,
other significant deficiencies, and other control deficiencies, and a
comparison of material weaknesses the auditor found to the weaknesses
reported in management’s assessment of the effectiveness of internal control;
s. a summary of instances of the systems’ lack of substantial compliance with
FFMIA requirements, as well as areas in which there is substantial but not full
compliance (for CFO Act agencies);
t. a summary of instances of noncompliance with significant provisions of
applicable laws, regulations, contracts, and grant agreements;
u. documentation of overall analytical procedures;
v. documentation of required oral or written communication with management,
those charged with governance (see FAM 550.16–.18), and others, including
the nature of the significant findings or issues discussed, and when and with
whom the discussions took place (AU-C 230.11 and 260.21);
w. a copy or summary of management’s communications provided to those
charged with governance if, as part of its communication to those charged
with governance, management communicated some or all of the matters the
auditor is required to communicate, and as a result, the auditor did not
communicate these matters at the same level of detail as management
(AU-C 260.21);
x. the auditor’s conclusion on the adequacy of two-way communication with
those charged with governance (see FAM 550.19–.20); and
y. whether the audit director and reviewer approved any deviations from the
applicable “should” procedures in the FAM and the basis for the deviations.
Overall Analytical Procedures
.07 The auditor should document the following:
• Expectations. The auditor develops these for account/line item balances
based on plausible relationships that can be reasonably expected to exist.
• Data used and sources of data. These data consist of documentation on
the specific financial data used for the current-year amounts and
expectations, including the amounts of the financial items; the dates or
periods covered by the data; whether the data were audited or unaudited; the
persons from whom the data were obtained, if applicable; and the source of
the information, such as the general ledger trial balance, prior-year audit
documentation, or prior-year financial statements.
• Parameters for identifying significant fluctuations. These parameters are
left to the auditor’s professional judgment based on performance materiality.
• Explanations for significant fluctuations from expectations and sources
of these explanations. The auditor should determine if explanations
obtained are consistent with corroborating evidence in the documentation and
should refer to this work.
• Auditor’s conclusions on the results of the procedures. The auditor
should document conclusions reached on the results of overall analytical
procedures.
Deficiencies in Internal Control
.08 The auditor should document
• the basis for considering internal control deficiencies as material
weaknesses, significant deficiencies, or other control deficiencies;
• any oral communications of control deficiencies that are not included in a
written report; and
• procedures performed, such as inquiries, to determine the effects of
deficiencies in internal control on information in other reports that the entity
generated for external distribution or internal decision-making (see FAM
580.84).
Lack of Systems’ Substantial Compliance with FFMIA Requirements
.09 The auditor should document the basis for deciding whether systems’
noncompliance with FFMIA requirements (for CFO Act agencies) represents a
lack of substantial compliance with the three FFMIA requirements for financial
management systems (see FAM 580.86–.90 and FAM 701).¹³
Instances of Noncompliance or Suspected Noncompliance
.10 The auditor should include a description of the identified and suspected
noncompliance with significant provisions of applicable laws, regulations,
contracts, and grant agreements; the results of discussions with management;
and the results of any discussions with those charged with governance and other
parties inside or outside the entity (AU-C 250.28).
.11 The auditor should document the basis for classifying instances of
noncompliance as material noncompliance, other reportable noncompliance, or
not reportable. The auditor should also document any oral communications of
noncompliance that are not included in a written report. See FAM 580.91 through
.99 and FAM 800.
Other Reporting Matters
.12 If the auditor identifies matters arising after the date of the auditor’s report, the
auditor should refer to AU-C 230.14 and AU-C 560.
.13 The auditor should document procedures performed with respect to any
subsequent discovery of facts that could have affected a previously issued audit
report on the financial statements (FAM 550.06 and 580.110).
.14 The auditor should document procedures performed with respect to comparative
information (FAM 580.14–.17).
Exit Conference(s)
.15 The auditor should document exit conference(s) with appropriate entity officials.
The auditor should also document any exit conference held with those charged
with governance, as appropriate.
¹³ OMB audit guidance contains additional information regarding FFMIA audit requirements.
Reporting Phase
595 A Example Unmodified Auditor’s Reports
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 595 A-1
595 A Example Unmodified Auditor’s Reports
OMB audit guidance requires the auditor to report on internal control but does not require the
auditor to express an opinion on the effectiveness of internal control over financial reporting.
Example 1 presents a report in which the auditor expresses an opinion on the effectiveness of
internal control over financial reporting. Example 2 presents a report in which the auditor has not
identified any material weaknesses in internal control and does not express an opinion on
internal control effectiveness. In both examples, the audited entity has a fiscal year ending
September 30; the auditor’s opinion on the financial statements is unmodified; and no reportable
noncompliance with selected provisions of applicable laws, regulations, contracts, and grant
agreements is identified.
If the auditor is required to report whether an agency’s systems comply substantially with the
three FFMIA requirements, the example reports should be revised to include this item.
See FAM 595 B for modifications to the auditor’s report for a variety of situations.
Example 1 Unmodified Opinions on Financial Statements and
Effectiveness of Internal Control over Financial Reporting, No
Significant Deficiencies in Internal Control over Financial
Reporting; No Reportable Noncompliance with Applicable Laws,
Regulations, Contracts and Grant Agreements
[Auditor’s Address (including city and state where the auditor’s report is issued)]
Independent Auditor’s Report
To [appropriate addressee]
In our audits of the fiscal years [20X2 and 20X1¹] financial statements of [entity²], we found
• [entity’s] financial statements as of and for the fiscal years ended [September 30, 20X2,
and 20X1], are presented fairly, in all material respects, in accordance with U.S. generally
accepted accounting principles;
• [entity] maintained, in all material respects, effective internal control over financial reporting
as of [September 30, 20X2]; and
• no reportable noncompliance for [fiscal year 20X2] with provisions of applicable laws,
regulations, contracts, and grant agreements we tested.
The following sections discuss in more detail (1) our report on the financial statements and on
internal control over financial reporting, which includes [if applicable, insert “an
emphasis-of-matter paragraph related to (include brief description),” “an other-matter paragraph
related to (include brief description),” or both] required supplementary information (RSI)³
and other information included with the financial statements;⁴ (2) our report on compliance with
laws, regulations, contracts, and grant agreements; and (3) agency comments [if applicable,
add “and our evaluation” and revise related heading on page 595 A-7 for consistency].
Report on the Financial Statements and on Internal Control over Financial Reporting
Opinion on the Financial Statements
In accordance with [cite audit authority], we have audited [entity’s] financial statements.
[Entity’s] financial statements comprise the balance sheets as of [September 30, 20X2, and
20X1]; the related statements of net cost [if included in statement title, insert “of
operations”], changes in net position, and budgetary resources for the fiscal years then
ended;⁵ and the related notes to the financial statements. In our opinion, [entity’s] financial
statements present fairly, in all material respects, [entity’s] financial position as of [September
30, 20X2, and 20X1], and its net cost of operations, changes in net position, and budgetary
resources for the fiscal years then ended in accordance with U.S. generally accepted
accounting principles.
¹ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
² Note to auditor: This example assumes the acronym of the entity does not include the word “the” in front of it as part
of its common usage (example: CFPB). If “the” is part of the common usage of the acronym (example: the FBI), apply
throughout the example.
³ The RSI consists of [insert description of the RSI, such as “Management’s Discussion and Analysis” and the
“Combined Statement of Budgetary Resources”], which are included with the financial statements.
⁴ Other information consists of information included with the financial statements, other than the RSI [if applicable]
and the auditor’s report.
Opinion on Internal Control over Financial Reporting
We also have audited [entity’s] internal control over financial reporting as of [September 30,
20X2], based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the
Federal Managers’ Financial Integrity Act of 1982 (FMFIA). In our opinion, [entity] maintained,
in all material respects, effective internal control over financial reporting as of [September 30,
20X2], based on criteria established under FMFIA.
[If applicable] During our [20X2] audit, we identified deficiencies in [entity’s] internal control
over financial reporting that we do not consider to be material weaknesses or significant
deficiencies.⁶ Nonetheless, these deficiencies warrant [entity] management’s attention. We
have communicated these matters to [entity] management and, where appropriate, will report
on them separately.
Basis for Opinions
We conducted our audits in accordance with U.S. generally accepted government auditing
standards. Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audits of the Financial Statements and Internal Control over Financial
Reporting section of our report. We are required to be independent of [entity] and to meet our
other ethical responsibilities, in accordance with the relevant ethical requirements relating to our
audits. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our audit opinions.
[Note: If applicable, insert emphasis-of-matter paragraph(s), other-matter paragraph(s),
or both in accordance with AU-C 706. Include related heading(s).]
Responsibilities of Management for the Financial Statements and Internal Control over Financial
Reporting
Management is responsible for
• the preparation and fair presentation of the financial statements in accordance with U.S.
generally accepted accounting principles;
• preparing, measuring, and presenting the RSI in accordance with U.S. generally accepted
accounting principles;
• preparing and presenting other information included in [entity’s] [insert name of annual
report, e.g., agency financial report], and ensuring the consistency of that information with
the audited financial statements and the RSI;
• designing, implementing, and maintaining effective internal control over financial reporting
relevant to the preparation and fair presentation of financial statements that are free from
material misstatement, whether due to fraud or error;
• assessing the effectiveness of internal control over financial reporting based on the criteria
established under FMFIA; and
• its assessment about the effectiveness of internal control over financial reporting as of
[September 30, 20X2], included in the accompanying Management’s Report on Internal
Control over⁷ Financial Reporting [or other title of management’s report] in appendix I.
⁵ Note to auditor: The names of the financial statements should be modified as appropriate.
⁶ A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected, on a timely basis. A significant deficiency is a
deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a
material weakness, yet important enough to merit attention by those charged with governance.
[For entities that conform to FASB standards] In preparing the financial statements,
management is required to evaluate whether there are conditions or events, considered in the
aggregate, that raise substantial doubt about [entity’s] ability to continue as a going concern for
a reasonable period of time.
Auditor’s Responsibilities for the Audits of the Financial Statements and Internal Control over
Financial Reporting
Our objectives are to (1) obtain reasonable assurance about whether the financial statements
as a whole are free from material misstatement, whether due to fraud or error, and whether
effective internal control over financial reporting was maintained in all material respects, and (2)
issue an auditor’s report that includes our opinions.
Reasonable assurance is a high level of assurance but is not absolute assurance and therefore
is not a guarantee that an audit of the financial statements or an audit of internal control over
financial reporting conducted in accordance with U.S. generally accepted government auditing
standards will always detect a material misstatement or a material weakness when it exists.⁸
The risk of not detecting a material misstatement resulting from fraud is higher than for one
resulting from error, as fraud may involve collusion, forgery, intentional omissions,
misrepresentations, or the override of internal control. Misstatements, including omissions, are
considered to be material if there is a substantial likelihood that, individually or in the aggregate,
they would influence the judgment made by a reasonable user based on the financial
statements.⁹
In performing an audit of financial statements and an audit of internal control over financial
reporting in accordance with U.S. generally accepted government auditing standards, we:
• Exercise professional judgment and maintain professional skepticism throughout the audits.
• Identify and assess the risks of material misstatement of the financial statements, whether
due to fraud or error, and design and perform audit procedures responsive to those risks.
Such procedures include examining, on a test basis, evidence regarding the amounts and
disclosures in the financial statements.
• Obtain an understanding of internal control relevant to our audit of the financial statements
in order to design audit procedures that are appropriate in the circumstances.
• Obtain an understanding of internal control relevant to our audit of internal control over
financial reporting, assess the risks that a material weakness exists, and test and evaluate
the design and operating effectiveness of internal control over financial reporting based on
the assessed risk. Our audit of internal control also considered [entity’s] process for
evaluating and reporting on internal control over financial reporting based on criteria
established under FMFIA. We did not evaluate all internal controls relevant to operating
objectives as broadly established under FMFIA, such as those controls relevant to preparing
performance information and ensuring efficient operations. We limited our internal control
testing to testing controls over financial reporting. Our internal control testing was for the
purpose of expressing an opinion on whether effective internal control over financial
reporting was maintained, in all material respects. Consequently, our audit may not identify
all deficiencies in internal control over financial reporting that are less severe than a material
weakness.
• Evaluate the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluate the overall
presentation of the financial statements.
• Perform other procedures we consider necessary in the circumstances.
• [For entities that conform to FASB standards] Conclude whether, in our judgment, there
are conditions or events, considered in the aggregate, that raise substantial doubt about
[entity’s] ability to continue as a going concern for a reasonable period of time.
⁷ Note to auditor: GAO does not capitalize the “o” in “over” in the phrase “internal control over financial reporting”
when used in a heading or title. However, when referring to the title of management’s report included with the
auditor’s report, the wording and capitalization should be consistent with management’s presentation.
⁸ [Insert this footnote if this is the first time the term “material weakness” is used in the auditor’s report.] A
material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such that
there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented,
or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or operation of a
control does not allow management or employees, in the normal course of performing their assigned functions, to
prevent, or detect and correct, misstatements on a timely basis.
⁹ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
We are required to communicate with those charged with governance regarding, among other
matters, the planned scope and timing of the audit, significant audit findings, and certain internal
control–related matters that we identified during the financial statement audit.
Definition and Inherent Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel. The objectives of internal control over financial
reporting are to provide reasonable assurance that
• transactions are properly recorded, processed, and summarized to permit the preparation of
financial statements in accordance with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
• transactions are executed in accordance with provisions of applicable laws, including those
governing the use of budget authority, regulations, contracts, and grant agreements,
noncompliance with which could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent, or
detect and correct, misstatements due to fraud or error. We also caution that projecting any
evaluation of effectiveness to future periods is subject to the risk that controls may become
inadequate because of changes in conditions, or that the degree of compliance with the policies
or procedures may deteriorate.
Required Supplementary Information
U.S. generally accepted accounting principles issued by the Federal Accounting Standards
Advisory Board (FASAB) require that the RSI be presented to supplement the financial
statements. Such information is the responsibility of management and, although not a part of the
financial statements, is required by FASAB, which considers it to be an essential part of
financial reporting for placing the financial statements in appropriate operational, economic, or
historical context.
We have applied certain limited procedures to the RSI in accordance with U.S. generally
accepted government auditing standards. These procedures consisted of (1) inquiring of
management about the methods used to prepare the RSI and (2) comparing the RSI for
consistency with management’s responses to our inquiries, the financial statements, and other
knowledge we obtained during the audit of the financial statements, in order to report omissions
or material departures from FASAB guidelines, if any, identified by these limited procedures. We
did not audit and we do not express an opinion or provide any assurance on the RSI because
the limited procedures we applied do not provide sufficient evidence to express an opinion or
provide any assurance.¹⁰
Other Information
[Entity’s] other information contains a wide range of information, some of which is not directly
related to the financial statements. This information is presented for purposes of additional
analysis and is not a required part of the financial statements or the RSI. Management is
responsible for the other information included in [entity’s] [insert name of annual report, e.g.,
agency financial report]. The other information comprises the [information included in the
annual report¹¹] but does not include the financial statements and our auditor’s report thereon.
Our opinion on the financial statements does not cover the other information, and we do not
express an opinion or any form of assurance thereon.
In connection with our audit of the financial statements, our responsibility is to read the other
information and consider whether a material inconsistency exists between the other information
and the financial statements, or the other information otherwise appears to be materially
misstated. If, based on the work performed, we conclude that an uncorrected material
misstatement of the other information exists, we are required to describe it in our report.¹²
Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements
In connection with our audits of [entity’s] financial statements, we tested compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements consistent
with our auditor’s responsibilities discussed below.
Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements
Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and
grant agreements disclosed no instances of noncompliance for [fiscal year 20X2] that would be
reportable under U.S. generally accepted government auditing standards. However, the
objective of our tests was not to provide an opinion on compliance with laws, regulations,
contracts, and grant agreements applicable to [entity]. Accordingly, we do not express such an
opinion.
¹⁰ Note to auditor: Refer to AU-C 730.08d through .08g; .09; and .A3, illustrations 2 through 6, if (1) the auditor is
unable to complete the procedures described in this paragraph, (2) some or all of the RSI is omitted, (3) the
measurement or presentation of the RSI departs materially from prescribed guidelines, or (4) the auditor has
unresolved doubts about whether the RSI is measured or presented in accordance with prescribed guidelines.
¹¹ Note to auditor: A more specific description of the information, such as “financial summaries” or “historical
information” may be used to identify the other information.
¹² Note to auditor: Refer to AU-C 720.24f; .25; and .A62, illustration 2, if the auditor has concluded that an uncorrected
material misstatement of the other information exists.
Basis for Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
We performed our tests of compliance in accordance with U.S. generally accepted government
auditing standards.
Responsibilities of Management for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
[Entity] management is responsible for complying with laws, regulations, contracts, and grant
agreements applicable to [entity].
Auditor’s Responsibilities for Tests of Compliance with Laws, Regulations, Contracts, and Grant
Agreements
Our responsibility is to test compliance with selected provisions of laws, regulations, contracts,
and grant agreements applicable to [entity] that have a direct effect on the determination of
material amounts and disclosures in [entity’s] financial statements, and to perform certain other
limited procedures. Accordingly, we did not test compliance with all provisions of laws,
regulations, contracts, and grant agreements applicable to [entity]. We caution that
noncompliance may occur and not be detected by these tests.
Intended Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant
Agreements
The purpose of this report is solely to describe the scope of our testing of compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements, and the
results of that testing, and not to provide an opinion on compliance. This report is an integral
part of an audit performed in accordance with U.S. generally accepted government auditing
standards in considering compliance. Accordingly, this report on compliance with laws,
regulations, contracts, and grant agreements is not suitable for any other purpose.
Agency Comments [If applicable, add “and Our Evaluation.” Heading should be
consistent with related wording on page 595 A-2.]
In commenting on a draft of this report, [entity¹³] ……………………… The complete text of
[entity’s] response is reprinted in appendix II.
[Signature]
[Title]
[Date of auditor’s report]
¹³ Note to auditor: For GAO reports, only the entity name is cited in this section if the entity provides written
comments. Do not include the name or title of the commenting official. If the entity provides email or oral comments,
the title of the commenting official is included. See Words@Work on the GAO intranet.
Example 2 Unmodified Opinion on Financial Statements, No
Opinion on Effectiveness of Internal Control over Financial
Reporting (No Material Weakness or Significant Deficiency
Identified), No Reportable Noncompliance with Applicable Laws,
Regulations, Contracts, and Grant Agreements
[Auditor’s Address (including city and state where the auditor’s report is issued)]
Independent Auditor’s Report
To [appropriate addressee]
In our audits of the fiscal years [20X2 and 20X1¹⁴] financial statements of [entity¹⁵], we found
• [entity’s] financial statements as of and for the fiscal years ended [September 30, 20X2,
and 20X1], are presented fairly, in all material respects, in accordance with U.S. generally
accepted accounting principles;
• no material weaknesses in internal control over financial reporting based on the limited
procedures we performed;¹⁶ and
• no reportable noncompliance for [fiscal year 20X2] with provisions of applicable laws,
regulations, contracts, and grant agreements we tested.
The following sections discuss in more detail (1) our report on the financial statements, which
includes [if applicable, insert “an emphasis-of-matter paragraph related to (include brief
description),” “an other-matter paragraph related to (include brief description),” or both]
required supplementary information (RSI)¹⁷ and other information included with the financial
statements;¹⁸ (2) our report on internal control over financial reporting; (3) our report on
compliance with laws, regulations, contracts, and grant agreements; and (4) agency comments
[if applicable, add “and our evaluation” and revise related heading on page 595 A-14 for
consistency].
¹⁴ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
¹⁵ Note to auditor: This example assumes the acronym of the entity does not include the word “the” in front of it as
part of its common usage (example: CFPB). If “the” is part of the common usage of the acronym (example: the FBI),
apply throughout the example.
¹⁶ A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such
that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be
prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or
operation of a control does not allow management or employees, in the normal course of performing their assigned
functions, to prevent, or detect and correct, misstatements on a timely basis.
¹⁷ The RSI consists of [insert description of the RSI, such as “Management’s Discussion and Analysis” and the
“Combined Statement of Budgetary Resources”], which are included with the financial statements.
¹⁸ Other information consists of information included with the financial statements, other than the RSI [if applicable]
and the auditor’s report.
Report on the Financial Statements
Opinion
In accordance with [cite audit authority], we have audited [entity’s] financial statements.
[Entity’s] financial statements comprise the balance sheets as of [September 30, 20X2, and
20X1]; the related statements of net cost [if included in the statement title, insert “of
operations”], changes in net position, and budgetary resources for the fiscal years then
ended;¹⁹ and the related notes to the financial statements. In our opinion, [entity’s] financial
statements present fairly, in all material respects, [entity’s] financial position as of [September
30, 20X2, and 20X1], and its net cost of operations, changes in net position, and budgetary
resources for the fiscal years then ended in accordance with U.S. generally accepted
accounting principles.
Basis for Opinion
We conducted our audits in accordance with U.S. generally accepted government auditing
standards. Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audit of the Financial Statements section of our report. We are required
to be independent of [entity] and to meet our other ethical responsibilities, in accordance with
the relevant ethical requirements relating to our audit. We believe that the audit evidence we
have obtained is sufficient and appropriate to provide a basis for our audit opinion.
[Note: If applicable, insert emphasis-of-matter paragraph(s), other-matter paragraph(s),
or both in accordance with AU-C 706. Include related heading(s).]
Responsibilities of Management for the Financial Statements
Management is responsible for
• the preparation and fair presentation of the financial statements in accordance with U.S.
generally accepted accounting principles;
• preparing, measuring, and presenting the RSI in accordance with U.S. generally accepted
accounting principles;
• preparing and presenting other information included in [entity’s] [insert name of annual
report, e.g., agency financial report], and ensuring the consistency of that information with
the audited financial statements and the RSI; and
• designing, implementing, and maintaining effective internal control relevant to the
preparation and fair presentation of financial statements that are free from material
misstatement, whether due to fraud or error.
[For entities that conform to FASB standards] In preparing the financial statements,
management is required to evaluate whether there are conditions or events, considered in the
aggregate, that raise substantial doubt about [entity’s] ability to continue as a going concern for
a reasonable period of time.
Auditor’s Responsibilities for the Audit of the Financial Statements
Our objectives are to (1) obtain reasonable assurance about whether the financial statements
as a whole are free from material misstatement, whether due to fraud or error, and (2) issue an
auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance
but is not absolute assurance and therefore is not a guarantee that an audit of the financial
statements conducted in accordance with U.S. generally accepted government auditing
standards will always detect a material misstatement or a material weakness when it exists. The
risk of not detecting a material misstatement resulting from fraud is higher than for one resulting
from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or
the override of internal control. Misstatements, including omissions, are considered to be
material if there is a substantial likelihood that, individually or in the aggregate, they would
influence the judgment made by a reasonable user based on the financial statements.²⁰
¹⁹ Note to auditor: The names of the financial statements should be modified as appropriate.
In performing an audit in accordance with U.S. generally accepted government auditing
standards, we:
• Exercise professional judgment and maintain professional skepticism throughout the audit.
• Identify and assess the risks of material misstatement of the financial statements, whether
due to fraud or error, and design and perform audit procedures responsive to those risks.
Such procedures include examining, on a test basis, evidence regarding the amounts and
disclosures in the financial statements.
• Obtain an understanding of internal control relevant to our audit of the financial statements
in order to design audit procedures that are appropriate in the circumstances, but not for the
purpose of expressing an opinion on the effectiveness of [entity’s] internal control over
financial reporting. Accordingly, no such opinion is expressed.
• Evaluate the appropriateness of accounting policies used and the reasonableness of
significant accounting estimates made by management, as well as evaluate the overall
presentation of the financial statements.
• Perform other procedures we consider necessary in the circumstances.
• [For entities that conform to FASB standards] Conclude whether, in our judgment, there
are conditions or events, considered in the aggregate, that raise substantial doubt about
[entity’s] ability to continue as a going concern for a reasonable period of time.
We are required to communicate with those charged with governance regarding, among other
matters, the planned scope and timing of the audit, significant audit findings, and certain internal
control-related matters that we identified during the financial statement audit.
Required Supplementary Information
U.S. generally accepted accounting principles issued by the Federal Accounting Standards
Advisory Board (FASAB) require that the RSI be presented to supplement the financial
statements. Such information is the responsibility of management and, although not a part of the
financial statements, is required by FASAB, which considers it to be an essential part of
financial reporting for placing the financial statements in appropriate operational, economic, or
historical context.
We have applied certain limited procedures to the RSI in accordance with U.S. generally
accepted government auditing standards. These procedures consisted of (1) inquiring of
management about the methods used to prepare the RSI and (2) comparing the RSI for
consistency with management’s responses to our inquiries, the financial statements, and other
knowledge we obtained during the audit of the financial statements, in order to report omissions
or material departures from FASAB guidelines, if any, identified by these limited procedures. We
did not audit and we do not express an opinion or provide any assurance on the RSI because
the limited procedures we applied do not provide sufficient evidence to express an opinion or
provide any assurance.²¹
²⁰ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
Other Information
[Entity’s] other information contains a wide range of information, some of which is not directly
related to the financial statements. This information is presented for purposes of additional
analysis and is not a required part of the financial statements or the RSI. Management is
responsible for the other information included in [entity’s] [insert name of annual report, e.g.,
agency financial report]. The other information comprises the [information included in the
annual report²²] but does not include the financial statements and our auditor’s report thereon.
Our opinion on the financial statements does not cover the other information, and we do not
express an opinion or any form of assurance thereon.
In connection with our audit of the financial statements, our responsibility is to read the other
information and consider whether a material inconsistency exists between the other information
and the financial statements, or the other information otherwise appears to be materially
misstated. If, based on the work performed, we conclude that an uncorrected material
misstatement of the other information exists, we are required to describe it in our report.²³
Report on Internal Control over Financial Reporting
In connection with our audits of [entity’s] financial statements, we considered [entity’s] internal
control over financial reporting, consistent with our auditor’s responsibilities discussed below.
Results of Our Consideration of Internal Control over Financial Reporting
Our consideration of internal control was for the limited purpose described below, and was not
designed to identify all deficiencies in internal control that might be material weaknesses or
significant deficiencies²⁴ or to express an opinion on the effectiveness of [entity’s] internal
control over financial reporting. Given these limitations, during our [20X2] audit, we did not
identify any deficiencies in internal control over financial reporting that we consider to be
material weaknesses. However, material weaknesses or significant deficiencies may exist that
have not been identified.
[If applicable] During our [20X2] audit, we identified deficiencies in [entity’s] internal control
over financial reporting that we do not consider to be material weaknesses or significant
deficiencies. Nonetheless, these deficiencies warrant [entity] management’s attention. We have
communicated these matters to [entity] management and, where appropriate, will report on
them separately.
²¹ Note to auditor: Refer to AU-C 730.08d through .08g; .09; and .A3, illustrations 2 through 6, if (1) the auditor is
unable to complete the procedures described in this paragraph, (2) some or all of the RSI is omitted, (3) the
measurement or presentation of the RSI departs materially from prescribed guidelines, or (4) the auditor has
unresolved doubts about whether the RSI is measured or presented in accordance with prescribed guidelines.
²² Note to auditor: A more specific description of the information, such as “financial summaries” or “historical
information” may be used to identify the other information.
²³ Note to auditor: Refer to AU-C 720.24f; .25; and .A62, illustration 2, if the auditor has concluded that an uncorrected
material misstatement of the other information exists.
²⁴ A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet important enough to merit attention by those charged with
governance.
Basis for Results of Our Consideration of Internal Control over Financial Reporting
We performed our procedures related to [entity’s] internal control over financial reporting in
accordance with U.S. generally accepted government auditing standards and Office of
Management and Budget audit guidance.²⁵
Responsibilities of Management for Internal Control over Financial Reporting
[Entity] management is responsible for designing, implementing, and maintaining effective
internal control over financial reporting relevant to the preparation and fair presentation of
financial statements that are free from material misstatement, whether due to fraud or error.
Auditor’s Responsibilities for Internal Control over Financial Reporting
In planning and performing our audit of [entity’s] financial statements as of and for the fiscal
year ended [September 30, 20X2], in accordance with U.S. generally accepted government
auditing standards, we considered [entity’s] internal control relevant to the financial statement
audit in order to design audit procedures that are appropriate in the circumstances, but not for
the purpose of expressing an opinion on the effectiveness of [entity’s] internal control over
financial reporting. Accordingly, we do not express an opinion on [entity’s] internal control over
financial reporting. We are required to report all deficiencies that are considered to be significant
deficiencies or material weaknesses. We did not consider all internal controls relevant to
operating objectives, such as those controls relevant to preparing performance information and
ensuring efficient operations.
Definition and Inherent Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel. The objectives of internal control over financial
reporting are to provide reasonable assurance that
• transactions are properly recorded, processed, and summarized to permit the preparation of
financial statements in accordance with U.S. generally accepted accounting principles, and
assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
• transactions are executed in accordance with provisions of applicable laws, including those
governing the use of budget authority, regulations, contracts, and grant agreements,
noncompliance with which could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent, or
detect and correct, misstatements due to fraud or error.
Intended Purpose of Report on Internal Control over Financial Reporting
The purpose of this report is solely to describe the scope of our consideration of [entity’s]
internal control over financial reporting and the results of our procedures, and not to provide an
opinion on the effectiveness of [entity’s] internal control over financial reporting. This report is
an integral part of an audit performed in accordance with U.S. generally accepted government
auditing standards in considering internal control over financial reporting. Accordingly, this
report on internal control over financial reporting is not suitable for any other purpose.
²⁵ Office of Management and Budget (OMB) Bulletin No. 22-01, Audit Requirements for Federal Financial Statements,
issued on August 26, 2022. According to the guidance, for those controls that have been suitably designed and
implemented, the auditor should perform sufficient tests of such controls to conclude on whether the controls are
operating effectively (i.e., sufficient tests of controls to support a low level of assessed control risk). OMB audit
guidance does not require the auditor to express an opinion on the effectiveness of internal control.
Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements
In connection with our audits of [entity’s] financial statements, we tested compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements consistent
with our auditor’s responsibilities discussed below.
Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements
Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and
grant agreements disclosed no instances of noncompliance for [fiscal year 20X2] that would be
reportable under U.S. generally accepted government auditing standards. However, the
objective of our tests was not to provide an opinion on compliance with laws, regulations,
contracts, and grant agreements applicable to [entity]. Accordingly, we do not express such an
opinion.
Basis for Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
We performed our tests of compliance in accordance with U.S. generally accepted government
auditing standards.
Responsibilities of Management for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
[Entity] management is responsible for complying with laws, regulations, contracts, and grant
agreements applicable to [entity].
Auditor’s Responsibilities for Tests of Compliance with Laws, Regulations, Contracts, and Grant
Agreements
Our responsibility is to test compliance with selected provisions of laws, regulations, contracts,
and grant agreements applicable to [entity] that have a direct effect on the determination of
material amounts and disclosures in [entity’s] financial statements, and to perform certain other
limited procedures. Accordingly, we did not test compliance with all provisions of laws,
regulations, contracts, and grant agreements applicable to [entity]. We caution that
noncompliance may occur and not be detected by these tests.
Intended Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant
Agreements
The purpose of this report is solely to describe the scope of our testing of compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements, and the
results of that testing, and not to provide an opinion on compliance. This report is an integral
part of an audit performed in accordance with U.S. generally accepted government auditing
standards in considering compliance. Accordingly, this report on compliance with laws,
regulations, contracts, and grant agreements is not suitable for any other purpose.
Agency Comments [if applicable, add “and Our Evaluation.” Heading should be
consistent with related wording on page 595 A-8.]
In commenting on a draft of this report, [entity²⁶] ……………………… The complete text of
[entity’s] response is reprinted in appendix II.
[Signature]
[Title]
[Date of auditor’s report]
²⁶ Note to auditor: For GAO reports, only the entity name is cited in this section if the entity provides written
comments. Do not include the name or title of the commenting official. If the entity provides email or oral comments,
the title of the commenting official is included. See Words@Work on the GAO intranet.
Reporting Phase
595 B Example of Reporting Material Weakness or Significant Deficiency on Internal Control
over Financial Reporting
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 595 B-1
595 B Example of Reporting Material Weakness or
Significant Deficiency on Internal Control over Financial
Reporting
Example 1 presents a report in which the auditor expresses an adverse opinion on the
effectiveness of internal control over financial reporting and a material weakness exists.
Example 2 presents a report in which the auditor expresses an unmodified opinion on the
effectiveness of internal control over financial reporting and a significant deficiency exists.
In both examples, the audited entity has a fiscal year ending September 30; the auditor’s
opinion on the financial statements is unmodified; and no reportable noncompliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements is
identified.
If the auditor is required to report whether an agency’s systems comply substantially with the
three FFMIA requirements, the example reports should be revised to include this item.
Example 1 Unmodified Opinion on Financial Statements; Adverse
Opinion on Internal Control over Financial Reporting; No
Reportable Noncompliance with Applicable Laws, Regulations,
Contracts, and Grant Agreements
[Auditor’s Address (including city and state where the auditor’s report is issued)]
Independent Auditor’s Report
To [appropriate addressee]
In our audits of the fiscal years [20X2 and 20X1¹] financial statements of [entity²], we found
• [entity’s] financial statements as of and for the fiscal years ended [September 30, 20X2,
and 20X1], are presented fairly, in all material respects, in accordance with U.S. generally
accepted accounting principles;
• [entity’s] internal control over financial reporting was not effective as of [September 30,
20X2]; and
• no reportable noncompliance for [fiscal year 20X2] with provisions of applicable laws,
regulations, contracts, and grant agreements we tested.
The following sections discuss in more detail (1) our report on the financial statements and on
internal control over financial reporting, which includes [if applicable, insert “an emphasis-of-matter
paragraph related to (include brief description),” “an other-matter paragraph
related to (include brief description),” or both] required supplementary information (RSI)³
and other information included with the financial statements;⁴ (2) our report on compliance with
laws, regulations, contracts, and grant agreements; and (3) agency comments [if applicable,
add “and our evaluation” and revise related heading on page 595 B-8 for consistency].
Report on the Financial Statements and on Internal Control over Financial Reporting
Opinion on the Financial Statements
In accordance with [cite audit authority], we have audited [entity’s] financial statements.
[Entity’s] financial statements comprise the balance sheets as of [September 30, 20X2, and
20X1]; the related statements of net cost [if included in statement title, insert “of
operations”], changes in net position, and budgetary resources for the fiscal years then
ended;⁵ and the related notes to the financial statements. In our opinion, [entity’s] financial
statements present fairly, in all material respects, [entity’s] financial position as of [September
30, 20X2, and 20X1], and its net cost of operations, changes in net position, and budgetary
resources for the fiscal years then ended in accordance with U.S. generally accepted
accounting principles.
¹ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
² Note to auditor: This example assumes the acronym of the entity does not include the word “the” in front of it as part
of its common usage (example: CFPB). If “the” is part of the common usage of the acronym (example: the FBI), apply
throughout the example.
³ The RSI consists of [insert description of the RSI, such as “Management’s Discussion and Analysis” and the
“Combined Statement of Budgetary Resources”], which are included with the financial statements.
⁴ Other information consists of information included with the financial statements, other than the RSI [if applicable]
and the auditor’s report.
However, misstatements may nevertheless occur in unaudited financial information reported
internally or externally by [entity] as a result of the internal control deficiencies described in this
report.
Adverse Opinion on Internal Control over Financial Reporting
We also have audited [entity’s] internal control over financial reporting as of [September 30,
20X2], based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the
Federal Managers’ Financial Integrity Act of 1982 (FMFIA). In our opinion, because of a material
weakness in internal control over [briefly name the deficiency], [entity] did not maintain, in all
material respects, effective internal control over financial reporting as of [September 30, 20X2],
based on criteria established under FMFIA.⁶
[Customize as appropriate] Although [entity] had a material weakness in internal control over
[briefly name the deficiency], [which existed in prior years, (if applicable)] [entity] made
any necessary adjustments to its records and was therefore able to prepare financial statements
that were fairly presented in all material respects for fiscal year [20X2]. This material weakness,
which is discussed in more detail in the Basis for Adverse Opinion on Internal Control over
Financial Reporting section, is also disclosed by [entity] in its fiscal year [20X2] (1) FMFIA
assurance statement and (2) Management’s Report on Internal Control over Financial
Reporting. We considered this material weakness in determining the nature, timing, and extent
of our audit procedures on [entity’s] fiscal year [20X2] financial statements.
[If applicable] In addition to the material weakness in internal control over [insert description
of material weakness from above], we also identified other deficiencies in [entity’s] internal
control over financial reporting that we do not consider to be material weaknesses or significant
deficiencies.⁷ Nonetheless, these deficiencies warrant [entity] management’s attention. We
have communicated these matters to [entity] management and, where appropriate, will report
on them separately.⁸
⁵ Note to auditor: The names of the financial statements should be modified as appropriate.
⁶ A material weakness is a deficiency, or combination of deficiencies, in internal control over financial reporting, such
that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be
prevented, or detected and corrected, on a timely basis. A deficiency in internal control exists when the design or
operation of a control does not allow management or employees, in the normal course of performing their assigned
functions, to prevent, or detect and correct, misstatements on a timely basis.
⁷ A significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting
that is less severe than a material weakness, yet important enough to merit attention by those charged with
governance.
⁸ Note to auditor: If applicable, consider adding the following sentence to the beginning of the paragraph “We will be
reporting additional details concerning this material weakness separately to [entity] management, along with
recommendations for corrective actions.”
Basis for Opinion on the Financial Statements
We conducted our audits in accordance with U.S. generally accepted government auditing
standards. Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audits of the Financial Statements and Internal Control over Financial
Reporting section of our report. We are required to be independent of [entity] and to meet our
other ethical responsibilities, in accordance with the relevant ethical requirements relating to our
audits. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our audit opinion on the financial statements.
Basis for Adverse Opinion on Internal Control over Financial Reporting
We identified the following material weakness in our audits of the fiscal years [20X2 and 20X1]
financial statements of [entity].
Material Weakness in Internal Control over [briefly name the deficiency]
[Describe material weakness, including any progress or changes in the internal control
deficiencies identified if they were previously reported.]
We conducted our audits in accordance with U.S. generally accepted government auditing
standards. Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audits of the Financial Statements and Internal Control over Financial
Reporting section of our report. We are required to be independent of [entity] and to meet our
other ethical responsibilities, in accordance with the relevant ethical requirements relating to our
audits. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our adverse audit opinion on internal control over financial reporting.
[Note: If applicable, insert emphasis-of-matter paragraph(s), other-matter paragraph(s),
or both in accordance with AU-C 706. Include related heading(s).]
Responsibilities of Management for the Financial Statements and Internal Control over Financial
Reporting
Management is responsible for
the preparation and fair presentation of the financial statements in accordance with U.S.
generally accepted accounting principles;
preparing, measuring, and presenting the RSI in accordance with U.S. generally accepted
accounting principles;
preparing and presenting other information included in [entity’s] [insert name of annual
report, e.g., agency financial report], and ensuring the consistency of that information with
the audited financial statements and the RSI;
designing, implementing, and maintaining effective internal control over financial reporting
relevant to the preparation and fair presentation of financial statements that are free from
material misstatement, whether due to fraud or error;
assessing the effectiveness of internal control over financial reporting based on the criteria
established under FMFIA; and
Reporting Phase
595 B Example of Reporting Material Weakness or Significant Deficiency on Internal Control
over Financial Reporting
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 595 B-5
• its assessment about the effectiveness of internal control over financial reporting as of
  [September 30, 20X2], included in the accompanying Management’s Report on Internal
  Control over⁹ Financial Reporting [or other title of management’s report] in appendix I.
[For entities that conform to FASB standards] In preparing the financial statements,
management is required to evaluate whether there are conditions or events, considered in the
aggregate, that raise substantial doubt about [entity’s] ability to continue as a going concern for
a reasonable period of time.
Auditor’s Responsibilities for the Audits of the Financial Statements and Internal Control over
Financial Reporting
Our objectives are to (1) obtain reasonable assurance about whether the financial statements
as a whole are free from material misstatement, whether due to fraud or error, and whether
effective internal control over financial reporting was maintained in all material respects, and (2)
issue an auditor’s report that includes our opinions. Reasonable assurance is a high level of
assurance but is not absolute assurance and therefore is not a guarantee that an audit of the
financial statements or an audit of internal control over financial reporting conducted in
accordance with U.S. generally accepted government auditing standards will always detect a
material misstatement or a material weakness when it exists.
The risk of not detecting a material
misstatement resulting from fraud is higher than for one resulting from error, as fraud may
involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal
control. Misstatements, including omissions, are considered to be material if there is a
substantial likelihood that, individually or in the aggregate, they would influence the judgment
made by a reasonable user based on the financial statements.¹⁰
In performing an audit of financial statements and an audit of internal control over financial
reporting in accordance with U.S. generally accepted government auditing standards, we:
• Exercise professional judgment and maintain professional skepticism throughout the audits.
• Identify and assess the risks of material misstatement of the financial statements, whether
  due to fraud or error, and design and perform audit procedures responsive to those risks.
  Such procedures include examining, on a test basis, evidence regarding the amounts and
  disclosures in the financial statements.
• Obtain an understanding of internal control relevant to our audit of the financial statements
  in order to design audit procedures that are appropriate in the circumstances.
• Obtain an understanding of internal control relevant to our audit of internal control over
  financial reporting, assess the risks that a material weakness exists, and test and evaluate
  the design and operating effectiveness of internal control over financial reporting based on
  the assessed risk. Our audit of internal control also considered [entity’s] process for
  evaluating and reporting on internal control over financial reporting based on criteria
  established under FMFIA. We did not evaluate all internal controls relevant to operating
  objectives as broadly established under FMFIA, such as those controls relevant to preparing
  performance information and ensuring efficient operations. We limited our internal control
  testing to testing controls over financial reporting. Our internal control testing was for the
  purpose of expressing an opinion on whether effective internal control over financial
  reporting was maintained, in all material respects. Consequently, our audit may not identify
  all deficiencies in internal control over financial reporting that are less severe than a material
  weakness.
• Evaluate the appropriateness of accounting policies used and the reasonableness of
  significant accounting estimates made by management, as well as evaluate the overall
  presentation of the financial statements.
• Perform other procedures we consider necessary in the circumstances.
• [For entities that conform to FASB standards] Conclude whether, in our judgment, there
  are conditions or events, considered in the aggregate, that raise substantial doubt about
  [entity’s] ability to continue as a going concern for a reasonable period of time.
⁹ Note to auditor: GAO does not capitalize the “o” in “over” in the phrase “internal control over financial reporting”
when used in a heading or title. However, when referring to the title of management’s report included with the
auditor’s report, the wording and capitalization should be consistent with management’s presentation.
¹⁰ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
We are required to communicate with those charged with governance regarding, among other
matters, the planned scope and timing of the audit, significant audit findings, and certain internal
control-related matters that we identified during the financial statement audit.
Definition and Inherent Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel. The objectives of internal control over financial
reporting are to provide reasonable assurance that
• transactions are properly recorded, processed, and summarized to permit the preparation of
  financial statements in accordance with U.S. generally accepted accounting principles, and
  assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
• transactions are executed in accordance with provisions of applicable laws, including those
  governing the use of budget authority, regulations, contracts, and grant agreements,
  noncompliance with which could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent, or
detect and correct, misstatements due to fraud or error. We also caution that projecting any
evaluation of effectiveness to future periods is subject to the risk that controls may become
inadequate because of changes in conditions, or that the degree of compliance with the policies
or procedures may deteriorate.
Required Supplementary Information
U.S. generally accepted accounting principles issued by the Federal Accounting Standards
Advisory Board (FASAB) require that the RSI be presented to supplement the financial
statements. Such information is the responsibility of management and, although not a part of the
financial statements, is required by FASAB, which considers it to be an essential part of
financial reporting for placing the financial statements in appropriate operational, economic, or
historical context.
We have applied certain limited procedures to the RSI in accordance with U.S. generally
accepted government auditing standards. These procedures consisted of (1) inquiring of
management about the methods used to prepare the RSI and (2) comparing the RSI for
consistency with management’s responses to our inquiries, the financial statements, and other
knowledge we obtained during the audit of the financial statements, in order to report omissions
or material departures from FASAB guidelines, if any, identified by these limited procedures. We
did not audit and we do not express an opinion or provide any assurance on the RSI because
the limited procedures we applied do not provide sufficient evidence to express an opinion or
provide any assurance.¹¹
Other Information
[Entity’s] other information contains a wide range of information, some of which is not directly
related to the financial statements. This information is presented for purposes of additional
analysis and is not a required part of the financial statements or the RSI. Management is
responsible for the other information included in [entity’s] [insert name of annual report, e.g.,
agency financial report]. The other information comprises the [information included in the
annual report¹²] but does not include the financial statements and our auditor’s report thereon.
Our opinion on the financial statements does not cover the other information, and we do not
express an opinion or any form of assurance thereon.
In connection with our audit of the financial statements, our responsibility is to read the other
information and consider whether a material inconsistency exists between the other information
and the financial statements, or the other information otherwise appears to be materially
misstated. If, based on the work performed, we conclude that an uncorrected material
misstatement of the other information exists, we are required to describe it in our report.¹³
Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements
In connection with our audits of [entity’s] financial statements, we tested compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements consistent
with our auditor’s responsibilities discussed below.
Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements
Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and
grant agreements disclosed no instances of noncompliance for [fiscal year 20X2] that would be
reportable under U.S. generally accepted government auditing standards. However, the
objective of our tests was not to provide an opinion on compliance with laws, regulations,
contracts, and grant agreements applicable to [entity]. Accordingly, we do not express such an
opinion.
Basis for Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
We performed our tests of compliance in accordance with U.S. generally accepted government
auditing standards.
¹¹ Note to auditor: Refer to AU-C 730.08d through .08g; .09; and .A3, illustrations 2 through 6, if (1) the auditor is
unable to complete the procedures described in this paragraph, (2) some or all of the RSI is omitted, (3) the
measurement or presentation of the RSI departs materially from the prescribed guidelines, or (4) the auditor has
unresolved doubts about whether the RSI is measured or presented in accordance with prescribed guidelines.
¹² Note to auditor: A more specific description of the information, such as “financial summaries” or “historical
information” may be used to identify the other information.
¹³ Note to auditor: Refer to AU-C 720.24f; .25; and .A62, illustration 2, if the auditor has concluded that an uncorrected
material misstatement of the other information exists.
Responsibilities of Management for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
[Entity] management is responsible for complying with laws, regulations, contracts, and grant
agreements applicable to [entity].
Auditor’s Responsibilities for Tests of Compliance with Laws, Regulations, Contracts, and Grant
Agreements
Our responsibility is to test compliance with selected provisions of laws, regulations, contracts,
and grant agreements applicable to [entity] that have a direct effect on the determination of
material amounts and disclosures in [entity’s] financial statements, and to perform certain other
limited procedures. Accordingly, we did not test compliance with all provisions of laws,
regulations, contracts, and grant agreements applicable to [entity]. We caution that
noncompliance may occur and not be detected by these tests.
Intended Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant
Agreements
The purpose of this report is solely to describe the scope of our testing of compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements, and the
results of that testing, and not to provide an opinion on compliance. This report is an integral
part of an audit performed in accordance with U.S. generally accepted government auditing
standards in considering compliance. Accordingly, this report on compliance with laws,
regulations, contracts, and grant agreements is not suitable for any other purpose.
Agency Comments [If applicable, add “and Our Evaluation.” Heading should be
consistent with related wording on page 595 B-2.]
In commenting on a draft of this report, [entity¹⁴] ……………………… The complete text of
[entity’s] response is reprinted in appendix II.
[Signature]
[Title]
[Date of auditor’s report]
¹⁴ Note to auditor: For GAO reports, only the entity name is cited in this section if the entity provides written
comments. Do not include the name or title of the commenting official. If the entity provides email or oral comments,
the title of the commenting official is included. See Words@Work on the GAO intranet.
Example 2 Unmodified Opinion on Financial Statements;
Unmodified Opinion on Internal Control over Financial Reporting,
but Significant Deficiency Exists (No Material Weaknesses); No
Reportable Noncompliance with Applicable Laws, Regulations,
Contracts, and Grant Agreements
[Auditor’s Address (including city and state where the auditor’s report is issued)]
Independent Auditor’s Report
To [appropriate addressee]
In our audits of the fiscal years [20X2 and 20X1¹⁵] financial statements of [entity¹⁶], we found
• [entity’s] financial statements as of and for the fiscal years ended [September 30, 20X2,
  and 20X1], are presented fairly, in all material respects, in accordance with U.S. generally
  accepted accounting principles;
• although internal controls could be improved, [entity] maintained, in all material respects,
  effective internal control over financial reporting as of [September 30, 20X2]; and
• no reportable noncompliance for [fiscal year 20X2] with provisions of applicable laws,
  regulations, contracts, and grant agreements we tested.
The following sections discuss in more detail (1) our report on the financial statements and on
internal control over financial reporting, which includes [if applicable insert “an
emphasis-of-matter paragraph related to (include brief description),” “an other-matter paragraph
related to (include brief description),” or both] required supplementary information (RSI)¹⁷
and other information included with the financial statements;¹⁸ (2) our report on compliance with
laws, regulations, contracts, and grant agreements; and (3) agency comments [if applicable,
add “and our evaluation” and revise related heading on page 595 B-15 for consistency].
Report on the Financial Statements and on Internal Control over Financial Reporting
Opinion on the Financial Statements
In accordance with [cite audit authority], we have audited [entity’s] financial statements.
[Entity’s] financial statements comprise the balance sheets as of [September 30, 20X2, and
20X1]; the related statements of net cost [if included in statement title, insert “of
operations”], changes in net position, and budgetary resources for the fiscal years then
ended;¹⁹ and the related notes to the financial statements. In our opinion, [entity’s] financial
statements present fairly, in all material respects, [entity’s] financial position as of [September
30, 20X2, and 20X1], and its net cost of operations, changes in net position, and budgetary
resources for the fiscal years then ended in accordance with U.S. generally accepted
accounting principles.
¹⁵ Note to auditor: 20X2 denotes the current year, and 20X1 denotes the prior year, under audit.
¹⁶ Note to auditor: This example assumes the acronym of the entity does not include the word “the” in front of it as
part of its common usage (example: CFPB). If “the” is part of the common usage of the acronym (example: the FBI),
apply throughout the example.
¹⁷ The RSI consists of [insert description of the RSI, such as “Management’s Discussion and Analysis” and the
“Combined Statement of Budgetary Resources”], which are included with the financial statements.
¹⁸ Other information consists of information included with the financial statements, other than the RSI [if applicable]
and the auditor’s report.
Opinion on Internal Control over Financial Reporting
We also have audited [entity’s] internal control over financial reporting as of [September 30,
20X2], based on criteria established under 31 U.S.C. § 3512(c), (d), commonly known as the
Federal Managers’ Financial Integrity Act of 1982 (FMFIA). In our opinion, although certain
internal controls could be improved, [entity] maintained, in all material respects, effective
internal control over financial reporting as of [September 30, 20X2], based on criteria
established under FMFIA. As discussed below in more detail, our [20X2] audit identified
deficiencies in [entity’s] controls over [describe account or process where significant
deficiency identified, for example, accounts receivable process] that collectively represent
a significant deficiency in [entity’s] internal control over financial reporting.²⁰ We considered
this significant deficiency in determining the nature, timing, and extent of our audit procedures
on [entity’s] fiscal year [20X2] financial statements.
Although the significant deficiency in internal control did not affect our opinion on [entity’s]
fiscal year [20X2] financial statements, misstatements may occur in unaudited financial
information reported internally and externally by [entity] because of this significant deficiency.
[If applicable] In addition to the significant deficiency in internal control over [insert
description of significant deficiency from above], we also identified other deficiencies in
[entity’s] internal control over financial reporting that we do not consider to be material
weaknesses or significant deficiencies. Nonetheless, these deficiencies warrant [entity]
management’s attention. We have communicated these matters to [entity] management and,
where appropriate, will report on them separately.²¹
Significant Deficiency in Internal Control over [briefly name the deficiency]
[Describe significant deficiency, including any progress or changes in the internal
control deficiencies identified if they were previously reported.]
Basis for Opinions
We conducted our audits in accordance with U.S. generally accepted government auditing
standards. Our responsibilities under those standards are further described in the Auditor’s
Responsibilities for the Audits of the Financial Statements and Internal Control over Financial
Reporting section of our report. We are required to be independent of [entity] and to meet our
other ethical responsibilities, in accordance with the relevant ethical requirements relating to our
audits. We believe that the audit evidence we have obtained is sufficient and appropriate to
provide a basis for our audit opinions.
¹⁹ Note to auditor: The names of the financial statements should be modified as appropriate.
²⁰ A deficiency in internal control exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent, or detect and correct,
misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal
control over financial reporting that is less severe than a material weakness, yet important enough to merit attention
by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal
control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s
financial statements will not be prevented, or detected and corrected, on a timely basis.
²¹ Note to auditor: If applicable, consider adding the following sentence to the beginning of the paragraph “We will be
reporting additional details concerning this significant deficiency separately to [entity] management, along with
recommendations for corrective actions.”
[Note: If applicable, insert emphasis-of-matter paragraph(s), other-matter paragraph(s),
or both in accordance with AU-C 706. Include related heading(s).]
Responsibilities of Management for the Financial Statements and Internal Control over Financial
Reporting
Management is responsible for
• the preparation and fair presentation of the financial statements in accordance with U.S.
  generally accepted accounting principles;
• preparing, measuring, and presenting the RSI in accordance with U.S. generally accepted
  accounting principles;
• preparing and presenting other information included in [entity’s] [insert name of annual
  report, e.g., agency financial report], and ensuring the consistency of that information with
  the audited financial statements and the RSI;
• designing, implementing, and maintaining effective internal control over financial reporting
  relevant to the preparation and fair presentation of financial statements that are free from
  material misstatement, whether due to fraud or error;
• assessing the effectiveness of internal control over financial reporting based on the criteria
  established under FMFIA; and
• its assessment about the effectiveness of internal control over financial reporting as of
  [September 30, 20X2], included in the accompanying Management’s Report on Internal
  Control over²² Financial Reporting [or other title of management’s report] in appendix I.
[For entities that conform to FASB standards] In preparing the financial statements,
management is required to evaluate whether there are conditions or events, considered in the
aggregate, that raise substantial doubt about [entity’s] ability to continue as a going concern for
a reasonable period of time.
Auditor’s Responsibilities for the Audits of the Financial Statements and Internal Control over
Financial Reporting
Our objectives are to (1) obtain reasonable assurance about whether the financial statements
as a whole are free from material misstatement, whether due to fraud or error, and whether
effective internal control over financial reporting was maintained in all material respects, and (2)
issue an auditor’s report that includes our opinions. Reasonable assurance is a high level of
assurance but is not absolute assurance and therefore is not a guarantee that an audit of the
financial statements or an audit of internal control over financial reporting conducted in
accordance with U.S. generally accepted government auditing standards will always detect a
material misstatement or a material weakness when it exists.
The risk of not detecting a material
misstatement resulting from fraud is higher than for one resulting from error, as fraud may
involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal
control. Misstatements, including omissions, are considered to be material if there is a
substantial likelihood that, individually or in the aggregate, they would influence the judgment
made by a reasonable user based on the financial statements.²³
²² Note to auditor: GAO does not capitalize the “o” in “over” in the phrase “internal control over financial reporting”
when used in a heading or title. However, when referring to the title of management’s report included with the
auditor’s report, the wording and capitalization should be consistent with management’s presentation.
In performing an audit of financial statements and an audit of internal control over financial
reporting in accordance with U.S. generally accepted government auditing standards, we:
• Exercise professional judgment and maintain professional skepticism throughout the audits.
• Identify and assess the risks of material misstatement of the financial statements, whether
  due to fraud or error, and design and perform audit procedures responsive to those risks.
  Such procedures include examining, on a test basis, evidence regarding the amounts and
  disclosures in the financial statements.
• Obtain an understanding of internal control relevant to our audit of the financial statements
  in order to design audit procedures that are appropriate in the circumstances.
• Obtain an understanding of internal control relevant to our audit of internal control over
  financial reporting, assess the risks that a material weakness exists, and test and evaluate
  the design and operating effectiveness of internal control over financial reporting based on
  the assessed risk. Our audit of internal control also considered [entity’s] process for
  evaluating and reporting on internal control over financial reporting based on criteria
  established under FMFIA. We did not evaluate all internal controls relevant to operating
  objectives as broadly established under FMFIA, such as those controls relevant to preparing
  performance information and ensuring efficient operations. We limited our internal control
  testing to testing controls over financial reporting. Our internal control testing was for the
  purpose of expressing an opinion on whether effective internal control over financial
  reporting was maintained, in all material respects. Consequently, our audit may not identify
  all deficiencies in internal control over financial reporting that are less severe than a material
  weakness.
• Evaluate the appropriateness of accounting policies used and the reasonableness of
  significant accounting estimates made by management, as well as evaluate the overall
  presentation of the financial statements.
• Perform other procedures we consider necessary in the circumstances.
• [For entities that conform to FASB standards] Conclude whether, in our judgment, there
  are conditions or events, considered in the aggregate, that raise substantial doubt about
  [entity’s] ability to continue as a going concern for a reasonable period of time.
We are required to communicate with those charged with governance regarding, among other
matters, the planned scope and timing of the audit, significant audit findings, and certain internal
control-related matters that we identified during the financial statement audit.
²³ Note to auditor: Statement of Federal Financial Accounting Concepts (SFFAC) 1 issued by FASAB provides a
slightly different definition of materiality. Since SFFACs are nonauthoritative, and in SFFAC 1, the board recognizes
differences from the audit definition, the FAM is based on the definition provided in AU-C 200.07.
Definition and Inherent Limitations of Internal Control over Financial Reporting
An entity’s internal control over financial reporting is a process effected by those charged with
governance, management, and other personnel. The objectives of internal control over financial
reporting are to provide reasonable assurance that
• transactions are properly recorded, processed, and summarized to permit the preparation of
  financial statements in accordance with U.S. generally accepted accounting principles, and
  assets are safeguarded against loss from unauthorized acquisition, use, or disposition, and
• transactions are executed in accordance with provisions of applicable laws, including those
  governing the use of budget authority, regulations, contracts, and grant agreements,
  noncompliance with which could have a material effect on the financial statements.
Because of its inherent limitations, internal control over financial reporting may not prevent, or
detect and correct, misstatements due to fraud or error. We also caution that projecting any
evaluation of effectiveness to future periods is subject to the risk that controls may become
inadequate because of changes in conditions, or that the degree of compliance with the policies
or procedures may deteriorate.
Required Supplementary Information
U.S. generally accepted accounting principles issued by the Federal Accounting Standards
Advisory Board (FASAB) require that the RSI be presented to supplement the financial
statements. Such information is the responsibility of management and, although not a part of the
financial statements, is required by FASAB, which considers it to be an essential part of
financial reporting for placing the financial statements in appropriate operational, economic, or
historical context.
We have applied certain limited procedures to the RSI in accordance with U.S. generally
accepted government auditing standards. These procedures consisted of (1) inquiring of
management about the methods used to prepare the RSI and (2) comparing the RSI for
consistency with management’s responses to our inquiries, the financial statements, and other
knowledge we obtained during the audit of the financial statements, in order to report omissions
or material departures from FASAB guidelines, if any, identified by these limited procedures. We
did not audit and we do not express an opinion or provide any assurance on the RSI because
the limited procedures we applied do not provide sufficient evidence to express an opinion or
provide any assurance.²⁴
Other Information
[Entity’s] other information contains a wide range of information, some of which is not directly
related to the financial statements. This information is presented for purposes of additional
analysis and is not a required part of the financial statements or the RSI. Management is
responsible for the other information included in [entity’s] [insert name of annual report, e.g.,
agency financial report]. The other information comprises the [information included in the
annual report²⁵] but does not include the financial statements and our auditor’s report thereon.
Our opinion on the financial statements does not cover the other information, and we do not
express an opinion or any form of assurance thereon.
²⁴ Note to auditor: Refer to AU-C 730.08d through .08g; .09; and .A3, illustrations 2 through 6, if (1) the auditor is
unable to complete the procedures described in this paragraph, (2) some or all of the RSI is omitted, (3) the
measurement or presentation of the RSI departs materially from the prescribed guidelines, or (4) the auditor has
unresolved doubts about whether the RSI is measured or presented in accordance with prescribed guidelines.
In connection with our audit of the financial statements, our responsibility is to read the other
information and consider whether a material inconsistency exists between the other information
and the financial statements, or the other information otherwise appears to be materially
misstated. If, based on the work performed, we conclude that an uncorrected material
misstatement of the other information exists, we are required to describe it in our report.²⁶
Report on Compliance with Laws, Regulations, Contracts, and Grant Agreements
In connection with our audits of [entity’s] financial statements, we tested compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements consistent
with our auditor’s responsibilities discussed below.
Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant Agreements
Our tests for compliance with selected provisions of applicable laws, regulations, contracts, and
grant agreements disclosed no instances of noncompliance for [fiscal year 20X2] that would be
reportable under U.S. generally accepted government auditing standards. However, the
objective of our tests was not to provide an opinion on compliance with laws, regulations,
contracts, and grant agreements applicable to [entity]. Accordingly, we do not express such an
opinion.
Basis for Results of Our Tests for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
We performed our tests of compliance in accordance with U.S. generally accepted government
auditing standards.
Responsibilities of Management for Compliance with Laws, Regulations, Contracts, and Grant
Agreements
[Entity] management is responsible for complying with laws, regulations, contracts, and grant
agreements applicable to [entity].
Auditor’s Responsibilities for Tests of Compliance with Laws, Regulations, Contracts, and Grant
Agreements
Our responsibility is to test compliance with selected provisions of laws, regulations, contracts,
and grant agreements applicable to [entity] that have a direct effect on the determination of
material amounts and disclosures in [entity’s] financial statements, and perform certain other
limited procedures. Accordingly, we did not test compliance with all provisions of laws,
regulations, contracts, and grant agreements applicable to [entity]. We caution that
noncompliance may occur and not be detected by these tests.
²⁵ Note to auditor: A more specific description of the information, such as “financial summaries” or “historical
information” may be used to identify the other information.
²⁶ Note to auditor: Refer to AU-C 720.24f; .25; and .A62, illustration 2, if the auditor has concluded that an uncorrected
material misstatement of the other information exists.
Intended Purpose of Report on Compliance with Laws, Regulations, Contracts, and Grant
Agreements
The purpose of this report is solely to describe the scope of our testing of compliance with
selected provisions of applicable laws, regulations, contracts, and grant agreements, and the
results of that testing, and not to provide an opinion on compliance. This report is an integral
part of an audit performed in accordance with U.S. generally accepted government auditing
standards in considering compliance. Accordingly, this report on compliance with laws,
regulations, contracts, and grant agreements is not suitable for any other purpose.
Agency Comments [If applicable, add “and Our Evaluation.” Heading should be
consistent with related wording on page 595 B-9.]
In commenting on a draft of this report, [entity²⁷] ……………………… The complete text of
[entity’s] response is reprinted in appendix II.
[Signature]
[Title]
[Date of auditor’s report]
²⁷ Note to auditor: For GAO reports, only the entity name is cited in this section if the entity provides written
comments. Do not include the name or title of the commenting official. If the entity provides email or oral comments,
the title of the commenting official is included. See Words@Work on the GAO intranet.
Reporting Phase
595 C Uncorrected Misstatements and Adjusting Entries
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 595 C-1
595 C – Uncorrected Misstatements and Adjusting Entries
.01 As discussed in FAM 540.04, the auditor should accumulate factual, judgmental,
and projected misstatements that the auditor identified during the audit but have
not yet been corrected by the entity. The auditor may do this on a Summary of
Uncorrected Misstatements that includes any related adjusting entries (see FAM
595 C, example 1). Because the entity is responsible for its financial statements,
as discussed in FAM 540.11 through .12, management has to decide which
misstatements to correct in the financial statements and which will remain
uncorrected misstatements. The auditor should communicate misstatements to
those charged with governance.
Summary of Uncorrected Misstatements (before Discussion with
Management) (FAM 595 C Example 1)
.02 The auditor should include the effect of uncorrected misstatements on the entity’s
financial statements and note disclosures and provide any related adjusting
entries to entity management. Because this information follows the entity’s
financial statements, the specific line items may differ for each entity. The auditor
should list all uncorrected misstatements other than those that are clearly trivial
(see FAM 540.04).
.03 As discussed in FAM 540.09, the auditor should quantify and evaluate
misstatements under both the rollover and iron curtain approaches for financial
statement line items (see table I in example 1). Subsequently, the auditor
generally should propose an adjusting entry when either approach results in
quantifying a misstatement that is above clearly trivial, after considering all
relevant quantitative and qualitative factors.
.04 The auditor should also include the effect of uncorrected misstatements from the
prior year on the current year’s financial statements (the carryover effect) or note
that there were no prior-year misstatements.
.05 Typical information related to adjusting entries would include the
following:
a. reference to an adjustment number or documentation reference;
b. whether the misstatement is factual, judgmental, or projected;
c. whether the misstatement is the carryover effect from a prior year (PY) or a
misstatement arising in the current year (CY);
d. description of the adjustment;
e. indication of whether each account affected is a federal intragovernmental (F)
or a nonfederal public account (N);
f. USSGL account number and account description;
g. amount of the debit and credit; and
h. line items affected in the entity’s financial statements (for entities required to
submit misstatements for use in the preparation and audit of the U.S.
government’s consolidated financial statements (CFS), the auditor generally
should indicate the CFS line item affected).
.06 The auditor should also include the effects of uncorrected misstatements
(including omissions) on the notes to the entity’s financial statements (other than
clearly trivial effects on a quantitative and qualitative basis) on the Summary of
Uncorrected Misstatements. Such information would typically include the note
number, note name, and a description of the misstatement. (See table II in
example 1.)
Discuss Uncorrected Misstatements with Management and Those
Charged with Governance
.07 The auditor should communicate factual, judgmental, and projected
misstatements identified during the audit to the appropriate level of management
and those charged with governance, as required by AU-C 450 and AU-C 260.
The auditor should request that management correct all misstatements, as
discussed in FAM 540.11 through .12. If management investigates and
challenges assumptions or methods used in developing an estimate for
judgmental and projected misstatements, the auditor should reevaluate the
misstatement and determine whether to perform additional audit procedures. The
auditor should document discussions with management on misstatements and
any additional audit procedures performed.
.08 The auditor also may communicate to those charged with governance other
corrected immaterial misstatements, such as frequently recurring immaterial
misstatements that may indicate a particular bias in the preparation of the
financial statements. An example would be recurring cutoff errors for liabilities at
year-end.
.09 If there are a large number of small uncorrected misstatements, the auditor may
communicate to those charged with governance the number and overall
monetary effect of the misstatements, rather than the details of each
misstatement.
.10 The auditor should discuss with those charged with governance the implications
of management’s failure to correct factual, judgmental, and projected
misstatements, considering qualitative as well as quantitative considerations,
including possible implications in relation to future financial statements.
Summary of Uncorrected Misstatements (after Discussion with
Management) (FAM 595 C Example 2)
.11 If management corrects one or more of the identified misstatements to the
financial statements, the auditor should use the Summary of Uncorrected
Misstatements (before Discussion with Management) Example 1 to create a
new Summary of Uncorrected Misstatements (after Discussion with
Management) for any uncorrected misstatements, as indicated in example 2 of
this FAM section. This summary should include the auditor’s conclusion about
whether uncorrected misstatements are material, individually or in the aggregate,
and the basis for that conclusion (AU-C 450.12c). The example summary
includes a last column of final account balances to assist the auditor in
calculating, evaluating, and concluding on the effect of uncorrected
misstatements on the final financial statements. In example 2, management has
declined to correct misstatements 1 through 5 in the financial statements as
management has determined them immaterial.
.12 The auditor generally should transfer any corrected misstatement to a Summary
of Corrected Misstatements as indicated in example 3 of this FAM section. In
example 3, management has agreed to correct misstatement 6 in the financial
statements as management has determined it to be material.
.13 The auditor should attach the Summary of Uncorrected Misstatements (from
example 2), including any misstatements to the notes to the financial statements,
without the auditor’s calculations, evaluation, and conclusion (or a listing of
uncorrected misstatements if the number and amount of the misstatements are
insignificant), to the management representation letter, as discussed in FAM
1001.
Final Evaluation
.14 The auditor should evaluate the effect of the uncorrected misstatements and
determine whether the financial statements as a whole are materially misstated
from a quantitative or qualitative viewpoint (FAM 540).
.15 The auditor should also conclude (in consultation with the reviewer, as discussed
in FAM 530.06 and FAM 545) on the adequacy of the scope of procedures
performed in light of the total uncorrected misstatements identified above.
Example 1 – Summary of Uncorrected Misstatements (before Discussion with Management),
Including a Prior Period Misstatement
(This summary lists the uncorrected misstatements (other than those that are clearly trivial) and the effects identified by the auditor. Effects of the uncorrected misstatements on the
financial statement line items are included in table I. The effects of uncorrected misstatements on any notes to the financial statements are included in table II, to the extent the
misstatement is not already considered in table I. See FAM 595 C.02 through .06. In this example, one of the proposed adjustments relates to an expense cutoff error in which
$200,000 of expenses related to the following year were recorded in the current year, thereby overstating other liabilities by $200,000 at the end of the current year. In addition, a
similar cutoff error existed at the end of the prior year, in which $300,000 of expenses related to the current year were included in the prior year. To evaluate misstatements under the
rollover approach in the current year, the entity quantifies the misstatement as a $200,000 overstatement of expenses, offset by the effect of the reversal of the $300,000
understatement of expenses included in the prior year that should have been included in the current year. The summary also includes the misstatements and related adjustment
quantified under the iron curtain approach. The adjustment consists of a $300,000 debit to beginning net position and a $300,000 credit to operating expenses to reverse the effects of
prior year misstatements recorded under the rollover approach, resulting in a $200,000 overstatement of other liabilities and total net cost as of the end of the current year.)
Table I: Effect of Uncorrected Misstatements on Financial Statement Line Items
(Dollars in thousands)
| (1) | Adjustment number (2) | Factual, judgmental, or projected misstatement (3) | Line item balance (4), Debit/(Credit) | Total misstatements (5), Debit | Total misstatements (5), (Credit) | Total misstatements (5), Net | Effect of prior year misstatements (6), Debit/(Credit) | Adjusted line item balance effect of misstatements originating in the current year (7) = (4) + (5) + (6), Debit/(Credit) | Misstatement as percentage of reported line item - effect of misstatements originating in the current year (8) | Adjustments for the effect of misstatements on the balance sheet as of the end of the current year (9), Debit/(Credit) | Adjusted line item balance effect of misstatements on the balance sheet as of the end of the current year (10) = (7) + (9), Debit/(Credit) | Misstatement as percentage of reported line item - effect of misstatements as of the end of the current year (11) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Balance Sheet¹ | | | | | | | | | | | | |
| Assets | | | | | | | | | | | | |
| Fund balance with Treasury | 5 | F | 50,000 | | (10,000) | (10,000) | | 40,000 | -20.00% | | 40,000 | -20.00% |
| Accounts receivable, net | 3 | F | 125 | | (25) | (105) | | 20 | -84.00% | | 20 | -84.00% |
| | 4 | P | | | (80) | | | | | | | |
| Loans receivable, net | | | 1,000 | | | | | 1,000 | 0.00% | | 1,000 | 0.00% |
| PPE, net | | | 40,000 | | | | | 40,000 | 0.00% | | 40,000 | 0.00% |
| Inventory | | | 8,000 | | | | | 8,000 | 0.00% | | 8,000 | 0.00% |
| Total assets | | | 99,125 | | (10,105) | (10,105) | | 89,020 | | | 89,020 | |
| Liabilities | | | | | | | | | | | | |
| Accounts payable - nonfederal public | 1 | J | (2,000) | | (230) | (230) | | (2,230) | 11.50% | | (2,230) | 11.50% |
| Other liabilities | 2 | F | (5,250) | 200 | | 200 | | (5,050) | -3.81% | | (5,050) | -3.81% |
| Total liabilities | | | (7,250) | 200 | (230) | (30) | | (7,280) | | | (7,280) | |
| Net Position | | | | | | | | | | | | |
| Beginning Net Position | | | (104,675) | | | | (300) | (104,975) | 0.29% | 300 | (104,675) | 0.00% |
| Net current year (surplus) deficit | 1 | J | 12,800 | 230 | | 10,135 | | 23,235 | 81.52% | (300) | 22,935 | 79.18% |
| | 2 | F | | | (200) | | 300 | | | | | |
| | 3 | F | | 25 | | | | | | | | |
| | 4 | P | | 80 | | | | | | | | |
| | 5 | F | | 10,000 | | | | | | | | |
| Total net position | | | (91,875) | 10,335 | (200) | 10,135 | | (81,740) | | | (81,740) | |
| Total liabilities and net position | | | (99,125) | 10,510 | (430) | 10,105 | | (89,020) | | | (89,020) | |
| Total uncorrected misstatements | | | | 10,535 | (10,535) | | 300 | | | 300 | | |
| Statement of Net Cost | | | | | | | | | | | | |
| Net cost of operations: | | | | | | | | | | | | |
| Program A: | | | | | | | | | | | | |
| Gross cost - nonfederal public | 1 | J | 19,800 | 230 | | 30 | | 20,130 | 1.67% | (300) | 19,830 | 0.15% |
| | 2 | F | | | (200) | | 300 | | | | | |
| Less: earned revenue | | | (23,000) | | | | | (23,000) | 0.00% | | (23,000) | 0.00% |
| Net cost Program A | | | (3,200) | 230 | (200) | 30 | 300 | (2,870) | -10.31% | (300) | (3,170) | -0.94% |
| Program B: | | | | | | | | | | | | |
| Gross cost - nonfederal public | | | 31,000 | | | | | 31,000 | 0.00% | | 31,000 | 0.00% |
| Gross cost - intragovernmental | 3 | F | 500 | 25 | | 105 | | 605 | 21.00% | | 605 | 21.00% |
| | 4 | P | | 80 | | | | | | | | |
| Less: earned revenue | 5 | F | (15,500) | 10,000 | | 10,000 | | (5,500) | -64.52% | | (5,500) | -64.52% |
| Net cost Program B | | | 16,000 | 10,105 | | 10,105 | | 26,105 | 63.16% | | 26,105 | 63.16% |
| Total net cost of operations | | | 12,800 | 10,335 | (200) | 10,135 | 300 | 23,235 | 81.52% | (300) | 22,935 | 79.18% |
¹ As needed, create additional summaries for other financial statements that have adjustments.
Note: The line items presented mirror those in the entity’s financial statements. Also, for illustration purposes, only the balance sheet and net cost misstatements are presented. When
presented to management, the effect on all entity financial statements is presented.
Legend:
Total misstatements – All misstatements arising in the current year are included in this column. This does not include misstatements arising in prior years (e.g., included in the prior year
Summary of Uncorrected Misstatements or misstatements identified in the current year that should be included in the prior year Summary of Uncorrected Misstatements.) Misstatements
in this column correspond to adjusting entries included below.
Effect of prior year misstatements – Current year misstatements as a result of misstatements arising in prior years (e.g., reversal of items included in the prior year Summary of Uncorrected
Misstatements are included in this column.) Misstatements in this column correspond to adjusting entries included below.
Adjusted line item balance – effect of misstatements originating in the current year – This column shows the adjusted line item balance after accounting for the effect of total misstatements
originating in the current year.
Misstatement as percentage of reported line item (effect of misstatements originating in the current year) – The effect of misstatements originating in the current year as a percentage of the
reported line item balance is displayed in this column to help assess the materiality of the misstatement on each line item.
Adjustments for the effect of misstatements on the balance sheet as of the end of the current year – This column includes any adjustments to misstatements as a result of switching
approaches from quantifying misstatements originating in the current year to quantifying all misstatements as of the end of the current year, regardless of the period in which the
misstatement arose. This column can include reversals of misstatements that were included when only considering the effect of misstatements originating in the current year.
Misstatements in this column correspond to adjusting entries included below.
Adjusted line item balance - effect of misstatements on the balance sheet as of the end of the current year – This column shows the adjusted line item balance after accounting for any
adjustments needed to consider the effect of all misstatements as of the end of the current year.
Misstatement as percentage of reported line item (effect of misstatements as of the end of the current year) - Misstatements as of the end of the current year are displayed in this column as a
percentage of the reported line item balance to help assess the materiality of the misstatement on each line item.
Table II: Effect of Uncorrected Misstatements on the Notes to the Financial Statements
| Note no. | Note name | Factual, judgmental or projected | Description of uncorrected misstatements (qualitative and quantitative) |
|---|---|---|---|
| 10 | General Property, Plant, and Equipment, Net | F | While this line item was not misstated on the balance sheet, $5,000,000 of equipment was misclassified as internal-use software in the related note. |
| 17 | Other Liabilities | F | As included in table I, the other liabilities line item was overstated on the balance sheet by $200,000. The related misstatement in Note 17, Other Liabilities, is a $200,000 overstatement of accrued funded payroll and leave. See adjustment 2. |
| 19 | Commitments and Contingencies | F | Required narrative related to contingent liabilities was omitted. Although the entity recognized the minimum amount in a range of amounts for an estimated liability where no amount within the range was a better estimate than any other amount, it did not disclose the amount recognized, the range, and a description of the nature of the contingency in Note 19, Commitments and Contingencies. |
Example 1 Adjusting Entries to Correct Misstatements (before Discussion with Management)
| Adj. # | Factual, judgmental or projected? | Prior year (PY) or current year (CY) | Description | Federal governmental (F) or nonfederal public (N) | USSGL account number | USSGL Description | Debit (Dollars in thousands) | Credit (Dollars in thousands) | Corresponding U.S. government's CFS line item | Management will record? |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Judgmental | CY | To accrue accounts payable for Program A. | N | 6100 | Operating expenses – Program A | $230 | | Gross costs | |
| | | | | N | 2110 | Accounts payable | | $230 | Accounts payable | |
| 2 | Factual | CY | To decrease operating expenses arising in the current year from the current year cut-off error. | N | 2990 | Other liabilities | $200 | | Other liabilities | |
| | | | | N | 6100 | Operating expenses – Program A | | $200 | Gross costs | |
| | Factual | PY | To increase current year operating expenses arising from the prior year cutoff error | N | 6100 | Operating expenses – Program A | $300 | | Gross costs | |
| | | | | N | 3000 | Beginning net position | | $300 | Net Position, beginning of period | |
| 3 | Factual | CY | To increase current year loan bad debt expense in Program B. [Actual error amount of an intragovernmental sample item.] | F | 6720 | Bad debt expense – Program B | $25 | | Intragovernmental amounts are eliminated in consolidation | |
| | | | | F | 1319 | Allowance for accounts receivable | | $25 | | |
| 4 | Projected | CY | To increase current year loan bad debt expense in Program B. [Additional projected misstatement as a result of actual error amount of sample item from Adj #3 above projected to the population. Total projected misstatement of $105 less $25 actual misstatement] | F | 6720 | Bad debt expense – Program B | $80 | | Intragovernmental amounts are eliminated in consolidation | |
| | | | | F | 1319 | Allowance for accounts receivable | | $80 | | |
| 5 | Factual | CY | To adjust FBWT for receipts after cutoff date. | N | 5100 | Earned revenue - Program B | $10,000 | | Earned revenue | |
| | | | | F | 1010 | FBWT | | $10,000 | FBWT eliminates in consolidation | |
| Adjustments for the effect of misstatements as of the end of the current year: | | | | | | | | | | |
| | Factual | CY | To decrease current year operating expenses as a result of the reversal of the correcting entry for the prior year cut-off error of operating expenses (adjustment number 2), which does not affect misstatements on the balance sheet as of the end of the current year. | N | 3000 | Beginning net position | $300 | | Net position, beginning of period | |
| | | | | N | 6100 | Operating expenses – Program A | | $300 | Gross costs | |
Note: The line items presented mirror those in the entity’s financial statements.
Example 2 Summary of Uncorrected Misstatements (after Discussions with Management)
(After discussions with management (FAM 595 C.07–.10), a summary of uncorrected misstatements is created from example 1 that management has declined to correct. See FAM
595 C.11–.13.)
Table I: Effect of Uncorrected Misstatements on Financial Statement Line Items
(Dollars in thousands)
| (1) | Adjustment number (2) | Factual, judgmental, or projected misstatement (3) | Line item balance (4), Debit/(Credit) | Total misstatements (5), Debit | Total misstatements (5), (Credit) | Total misstatements (5), Net | Effect of prior year misstatements (6), Debit/(Credit) | Adjusted line item balance effect of misstatements originating in the current year (7) = (4) + (5) + (6), Debit/(Credit) | Misstatement as percentage of reported line item - effect of misstatements originating in the current year (8) | Adjustments for the effect of misstatements on the balance sheet as of the end of the current year (9), Debit/(Credit) | Adjusted line item balance effect of misstatements on the balance sheet as of the end of the current year (10) = (7) + (9), Debit/(Credit) | Misstatement as percentage of reported line item - effect of misstatements as of the end of the current year (11) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Balance Sheet² | | | | | | | | | | | | |
| Assets | | | | | | | | | | | | |
| Fund balance with Treasury | | | 50,000 | | | | | 50,000 | 0.00% | | 50,000 | 0.00% |
| Accounts receivable, net | 3 | F | 125 | | (25) | (105) | | 20 | -84.00% | | 20 | -84.00% |
| | 4 | P | | | (80) | | | | | | | |
| Loans receivable, net | | | 1,000 | | | | | 1,000 | 0.00% | | 1,000 | 0.00% |
| PPE, net | | | 40,000 | | | | | 40,000 | 0.00% | | 40,000 | 0.00% |
| Inventory | | | 8,000 | | | | | 8,000 | 0.00% | | 8,000 | 0.00% |
| Total assets | | | 99,125 | | (105) | (105) | | 99,020 | | | 99,020 | |
| Liabilities | | | | | | | | | | | | |
| Accounts payable - nonfederal public | 1 | J | (2,000) | | (230) | (230) | | (2,230) | 11.50% | | (2,230) | 11.50% |
| Other liabilities | 2 | F | (5,250) | 200 | | 200 | | (5,050) | -3.81% | | (5,050) | -3.81% |
| Total liabilities | | | (7,250) | 200 | (230) | (30) | | (7,280) | | | (7,280) | |
| Net Position | | | | | | | | | | | | |
| Beginning Net Position | | | (104,675) | | | | (300) | (104,975) | 0.29% | 300 | (104,675) | 0.00% |
| Net current year (surplus) deficit | 1 | J | 12,800 | 230 | | 135 | | 13,235 | 3.40% | (300) | 12,935 | 1.05% |
| | 2 | F | | | (200) | | 300 | | | | | |
| | 3 | F | | 25 | | | | | | | | |
| | 4 | P | | 80 | | | | | | | | |
| Total net position | | | (91,875) | 335 | (200) | 135 | | (91,740) | | | (91,740) | |
| Total liabilities and net position | | | (99,125) | 535 | (430) | 105 | | (99,020) | | | (99,020) | |
| Total uncorrected misstatements | | | | 535 | (535) | | 300 | | | 300 | | |
| Statement of Net Cost | | | | | | | | | | | | |
| Net cost of operations: | | | | | | | | | | | | |
| Program A: | | | | | | | | | | | | |
| Gross cost - nonfederal public | 1 | J | 19,800 | 230 | | 30 | | 20,130 | 1.16% | (300) | 19,830 | -3.89% |
| | 2 | F | | | (200) | | 300 | | | | | |
| Less: earned revenue | | | (23,000) | | | | | (23,000) | 0.00% | | (23,000) | 0.00% |
| Net cost Program A | | | (3,200) | 230 | (200) | 30 | 300 | (2,870) | -10.31% | (300) | (3,170) | -0.94% |
| Program B: | | | | | | | | | | | | |
| Gross cost - nonfederal public | | | 31,000 | | | | | 31,000 | 0.00% | | 31,000 | 0.00% |
| Gross cost - intragovernmental | 3 | F | 500 | 25 | | 105 | | 605 | 21.00% | | 605 | 21.00% |
| | 4 | P | | 80 | | | | | | | | |
| Less: earned revenue | | | (15,500) | | | | | (15,500) | 0.00% | | (15,500) | 0.00% |
| Net cost Program B | | | 16,000 | 105 | | 105 | | 16,105 | 0.66% | | 16,105 | 0.66% |
| Total net cost of operations | | | 12,800 | 335 | (200) | 135 | 300 | 13,235 | 3.40% | (300) | 12,935 | 1.05% |
² As needed, create additional summaries for other financial statements that have adjustments.
Note: For illustration purposes, only the balance sheet and net cost misstatements are presented. When presented to management, the effect of misstatements on all entity financial
statements is presented.
Legend:
Total misstatements – All misstatements arising in the current year are included in this column. This does not include misstatements arising in prior years (e.g., included in the prior year
Summary of Uncorrected Misstatements or misstatements identified in the current year that should be included in the prior year Summary of Uncorrected Misstatements.)
Misstatements in this column correspond to adjusting entries included below.
Effect of prior year misstatements – Current year misstatements as a result of misstatements arising in prior years (e.g., reversal of items included in the prior year Summary of Uncorrected
Misstatements are included in this column.) Misstatements in this column correspond to adjusting entries included below.
Adjusted line item balance – effect of misstatements originating in the current year – This column shows the adjusted line item balance after accounting for the effect of total misstatements
originating in the current year.
Misstatement as percentage of reported line item (effect of misstatements originating in the current year) – The effect of misstatements originating in the current year as a percentage of the
reported line item balance is displayed in this column to help assess the materiality of the misstatement on each line item.
Adjustments for the effect of misstatements on the balance sheet as of the end of the current year – This column includes any adjustments to misstatements as a result of switching
approaches from quantifying misstatements originating in the current year to quantifying all misstatements as of the end of the current year, regardless of the period in which the
misstatement arose. This column can include reversals of misstatements that were included when only considering the effect of misstatements originating in the current year.
Misstatements in this column correspond to adjusting entries included below.
Adjusted line item balance – effect of misstatements on the balance sheet as of the end of the current year – This column shows the adjusted line item balance after accounting for any
adjustments needed to consider the effect of all misstatements as of the end of the current year.
Misstatement as percentage of reported line item (effect of misstatements as of the end of the current year) – Misstatements as of the end of the current year are displayed in this column as
a percentage of the reported line item balance to help assess the materiality of the misstatement on each line item.
Reporting Phase
595 C Uncorrected Misstatements and Adjusting Entries
Updated May 2023 GAO/CIGIE Financial Audit Manual Page 595 C-13
Table II: Effect of Uncorrected Misstatements on the Notes to the Financial Statements
Note no. | Note name | Factual, judgmental, or projected | Description of uncorrected misstatements (qualitative and quantitative)
17 | Other Liabilities | F | As included in table I, the other liabilities line item was overstated on the balance sheet by $200,000. The related misstatement in Note 17, Other Liabilities, is a $200,000 overstatement of accrued funded payroll and leave. See adjustment 2.
Auditor’s analysis after providing the summary of uncorrected misstatements to management:
We discussed the Summary of Uncorrected Misstatements with Joe Jones, CFO, and Sandra Hawkins, COO, on 11/1/XX. We encouraged them to make adjustments for all of the factual
misstatements, and to investigate the judgmental and projected misstatements, in tables I and II. They recorded adjustment no. 5 in the financial statements (see table I in example 3)
because they believed it was material. They also corrected the misstatements in note 10 and note 19 (see table II in example 3). When considering the effect of misstatements originating
in the current year and the effect of misstatements as of the end of the current year and qualitative factors, they concluded that the other misstatements in the financial statements and
related note disclosures were not material. They indicated that after the audit, they will consider whether internal controls need to be strengthened in these areas. On 11/4/XX, we
discussed the misstatements with the entity’s executive committee, including the entity’s head, Jane Green. The executive committee agreed with the actions taken by management.
Conclusion: The quantitative effect of uncorrected misstatements in table I originating in the current year, excluding the effects of misstatements arising in prior years ($135,000), and the
effect of all uncorrected misstatements originating in the current year ($435,000), on total net cost are each less than our materiality for the financial statements as a whole of $1,524,000
(3 percent of gross cost with the public of $50.8 million—our materiality benchmark). In addition, the quantitative effect of uncorrected misstatements originating in the current year,
excluding the effects of misstatements arising in prior years ($30,000), and the effect of all uncorrected misstatements originating in the current year ($330,000), on total gross cost with
the public are each less than our materiality for the financial statements as a whole. Further, the quantitative effect of all uncorrected prior period misstatements on the balance sheet as of
the end of the current year ($135,000) on both total net cost and total gross cost with the public is less than materiality for the financial statements as a whole. We also considered the
effect of uncorrected misstatements on other financial statement line items and whether these misstatements are qualitatively material. We considered whether misstatements in the note
disclosures (table II) are qualitatively or quantitatively material. Based on our analysis, we concur with management that the uncorrected misstatements in both tables I and II are not
material to the financial statements as a whole.
Example 2 Adjusting Entries to Correct Misstatements (after Discussion with Management)
(Dollars in thousands)
Adj. # | Management will record? | Factual, judgmental or projected? | Prior year (PY) or current year (CY) | Description | Federal governmental (F) or nonfederal public (N) | USSGL account number | USSGL description | Debit | Credit | Corresponding U.S. government's CFS line item
1 | No | Judgmental | CY | To accrue accounts payable for Program A. | N | 6100 | Operating expenses – Program A | $230 | | Gross costs
 | | | | | N | 2110 | Accounts payable | | $230 | Accounts payable
2 | No | Factual | CY | To decrease operating expenses arising in the current year from the current year cut-off error. | N | 2990 | Other liabilities | $200 | | Other liabilities
 | | | | | N | 6100 | Operating expenses – Program A | | $200 | Gross costs
2 | No | Factual | PY | To increase current year operating expenses arising from the prior year cutoff error | N | 6100 | Operating expenses – Program A | $300 | | Gross costs
 | | | | | N | 3000 | Beginning net position | | $300 | Net position, beginning of period
3 | No | Factual | CY | To increase current year loan bad debt expense in Program B. [Actual error amount of an intragovernmental sample item.] | F | 6720 | Bad debt expense – Program B | $25 | | Intragovernmental amounts are eliminated in consolidation
 | | | | | F | 1319 | Allowance for accounts receivable | | $25 |
4 | No | Projected | CY | To increase current year loan bad debt expense in Program B. [Additional projected misstatement as a result of actual error amount of sample item from Adj. #3 above projected to the population. Total projected misstatement of $105 less $25 actual misstatement] | F | 6720 | Bad debt expense – Program B | $80 | | Intragovernmental amounts are eliminated in consolidation
 | | | | | F | 1319 | Allowance for accounts receivable | | $80 |
Adjustments for the effect of misstatements as of the end of the current year:
 | No | Factual | CY | To decrease current year operating expenses as a result of the reversal of the correcting entry for the prior year cut-off error of operating expenses (adjustment number 2), which does not affect misstatements on the balance sheet as of the end of the current year. | N | 3000 | Beginning net position | $300 | | Net position, beginning of period
 | | | | | N | 6100 | Operating expenses – Program A | | $300 | Gross costs
Example 3 Summary of Corrected Misstatements (after Discussion with Management)
(This summary shows the misstatements from example 1 that management has corrected. See FAM 595 C.12.)
Table I: Corrected Misstatements for Financial Statement Line Items
(Dollars in thousands)
Adj. # | Management will record? | Factual, judgmental or projected? | Prior year (PY) or current year (CY) | Description | Federal governmental (F) or nonfederal public (N) | USSGL account number | USSGL description | Debit | Credit | Corresponding U.S. government's CFS line item
5 | Yes | Factual | CY | To reconcile FBWT for receipts after cutoff date. | N | 5100 | Earned revenue - Program B | $10,000 | | FBWT eliminates in consolidation
 | | | | | F | 1010 | FBWT | | $10,000 |
Table II: Corrected Misstatements for the Notes to the Financial Statements
Note no. | Note name | Factual, judgmental, or projected | Description of corrected misstatement (qualitative and quantitative)
10 | General Property, Plant, and Equipment, Net | F | While this line item was not misstated on the balance sheet, $5,000,000 of equipment was misclassified as internal-use software in the related note. Management corrected this misstatement by reclassifying $5,000,000 from internal-use software to equipment in this note.
19 | Commitments and Contingencies | F | Required narrative related to contingent liabilities was omitted. Although the entity recognized the minimum amount in a range of amounts for an estimated liability where no amount within the range was a better estimate than any other amount, it did not disclose the amount recognized, the range, and a description of the nature of the contingency in Note 19, Commitments and Contingencies. Management corrected this misstatement by including the omitted information.
All Audit Phases
Glossary
Updated May 2023 GAO/CIGIE Financial Audit Manual Glossary-1
Glossary
Accounting applications
The methods and records used to (1) identify,
assemble, analyze, classify, and record a particular
type of transaction or (2) report recorded
transactions and maintain accountability for related
assets and liabilities. Accounting applications often
include information system processing. Information
system processing is often performed by software
programs hosted by information systems, which are
also commonly referred to as applications.
Common accounting applications are (1) billings,
(2) accounts receivable, (3) cash receipts,
(4) purchasing and receiving, (5) accounts payable,
(6) cash disbursements, (7) payroll, (8) inventory
control, and (9) property, plant, and equipment
(PP&E).
Accounting estimate
An approximation of a monetary amount in the
absence of a precise means of measurement.
Accounting system
The methods, records, and processes used to
identify, assemble, analyze, classify, record, and
report an entity’s transactions and to maintain
accountability for the related assets and liabilities.
Accuracy, valuation, and
allocation
Amounts and other data relating to recorded
transactions and events have been appropriately
recorded. Assets, liabilities, net position, budgetary
balances, and projections in sustainability financial
statements have been included in the financial
statements at appropriate amounts, and any
resulting valuation or allocation adjustments have
been appropriately recorded.
Agency financial report
(AFR)
As defined by the Office of Management and
Budget (OMB), the AFR comprises
unaudited management’s discussion and
analysis (MD&A), part of required
supplementary information (RSI);
audited financial statements, including note
disclosures;
unaudited required supplementary information
(RSI) (other than the MD&A), if applicable; and
unaudited other information, if applicable.
Analytical procedures
The evaluations of financial information made
through analysis of plausible relationships among
both financial and nonfinancial data. Analytical
procedures also encompass the investigation of
identified fluctuations and relationships that are
inconsistent with other relevant information or
deviate significantly from predicted amounts.
Annual management report
(AMR)
A report consisting of the financial statements and
related information prepared by government
corporation. Government corporations subject to
the Government Corporation Control Act are
required to submit AMRs to the Congress annually
under 31 U.S.C. § 9106.
Annual report
A document containing the audited financial
statements and the auditor’s report, such as the
performance and accountability report, agency
financial report, or annual management report.
Applicable financial
reporting framework
Provides the criteria for management to present the
financial statements of an entity, including the fair
presentation of those financial statements (U.S.
GAAP). The Federal Accounting Standards
Advisory Board (FASAB) is the body designated by
the American Institute of Certified Public
Accountants as the source of U.S. GAAP for federal
reporting entities.
Application controls
Controls that are incorporated directly into software
programs, or applications, to help ensure the
validity, completeness, accuracy, and confidentiality
of transactions and data during information system
processing.
Appropriateness
Appropriateness of audit evidence is the measure
of the quality of audit evidence, that is, its relevance
and reliability in providing support for the
conclusions on which the auditor’s reports are
based.
Appropriation
The most common form of budget authority,
appropriations are statutory authority that permits
federal entities to incur obligations and to make
payments from the Department of the Treasury for
specified purposes. Appropriations do not represent
cash actually set aside in the Treasury for purposes
specified in the appropriation acts. Appropriations
represent amounts that entities may obligate during
the period specified in the appropriation acts.
Periods can be single year, multiyear, or no year.
Assertions
Management representations that are embodied in
financial statement components. The FAM
classifies assertions in the following five broad
categories (as described in FAM 235.02).
Existence or occurrence
Completeness
Rights and obligations
Accuracy/valuation or allocation
Presentation and disclosure
Assistant director
The person responsible for the operational conduct
of the audit and generally for preparation of the
audit report. In public accounting firms, the audit
manager may have these responsibilities.
Attribute sampling
Statistical sampling that reaches a conclusion about
a population in terms of a rate of occurrence.
Audit assurance
The complement of audit risk, which is an auditor
judgment. This is not the same as confidence level,
which relates to an individual sample.
Audit director (first partner)
The person responsible for the quality of the
financial statement audit and the audit report,
reporting to the assistant IG for the audit or, at
GAO, to the managing director.
Audit documentation
The record of audit procedures performed, audit
evidence obtained, and conclusions the auditor
reached. Terms such as working papers or
workpapers are also sometimes used.
Audit evidence
Information used by the auditor in arriving at the
conclusions on which the auditor’s reports are
based. Audit evidence is information to which audit
procedures have been applied and consists of
information that corroborates or contradicts
assertions in the financial statements.
Audit file
One or more folders or other storage media, in
physical or electronic form, containing the records
that constitute the audit documentation for a
specific engagement.
Audit plan
An audit document that describes
the nature and extent of planned risk
assessment procedures;
the nature, timing, and extent of planned further
audit procedures at the relevant assertion level;
and
other planned audit procedures that are required
to be carried out so that the engagement
complies with generally accepted government
auditing standards.
Audit risk
The risk that the auditor expresses an inappropriate
audit opinion when the financial statements are
materially misstated. Audit risk is composed of
inherent risk, control risk, risk of material
misstatement, detection risk, and fraud risk.
Audit sample (sample)
Items selected from a population to reach a
conclusion about the population as a whole.
(Compare with nonstatistical selection.)
Audit sampling (sampling)
The selection and evaluation of less than 100
percent of the population of audit relevance such
that the auditor expects the items selected (the
sample) to be representative of the population and
thus likely to provide a reasonable basis for
conclusions about the population. In this context,
representative means that evaluating the sample
will result in conclusions that, subject to the
limitations of sampling risk, are similar to those that
would be drawn if the same procedures were
applied to the entire population. Sampling involves
selection techniques that can be applied using
either statistical or nonstatistical sampling
approaches.
Audit sampling specialist
A statistician or other person the auditor consults
for technical expertise in areas such as audit
sampling, audit sample evaluation, and selecting
entity field locations to test.
Auditor’s report date
The date on which the auditor has obtained
sufficient appropriate audit evidence on which to
base the auditor’s opinion on the financial
statements.
Borrowing authority
Statutory authority that permits federal entities to
borrow money and then to obligate against amounts
borrowed. The amount to be borrowed may be
definite or indefinite in nature, and the purposes for
which the borrowed funds are to be used are
stipulated by the authorizing statute.
Budget authority
Authority provided by law to allow federal entities to
enter into financial obligations that will result in
immediate or future outlays involving government
funds. The Congress provides an entity with budget
authority and may place restrictions on the amount,
purpose, and timing of the obligation or outlay of
such authority. The basic forms of budget authority
include (1) appropriations, (2) borrowing authority,
(3) contract authority, and (4) authority to obligate
and expend offsetting receipts and collections.
Budget controls
Management’s policies and procedures for
managing and controlling the use of appropriated
funds and other forms of budget authority.
Budgetary resources
An amount available to enter into new obligations
and to liquidate them. Budgetary resources are
made up of new budget authority (including direct
spending authority provided in existing statute and
obligation limitations) and unobligated balances of
budget authority provided in previous years. (Also
see budget authority.)
Canceled (closed) account
An appropriation account whose balance has been
canceled. Once balances are canceled, the
amounts are not available for obligation or
expenditure for any purpose.
Cause and effect basis
In cost accounting, a way to group costs into cost
pools in which an intermediate activity may be a link
between the cause and the effect.
Classical probability
proportional to size
sampling
A sample selection procedure that selects items for
the sample in proportion to their relative size,
usually their monetary amounts. Monetary unit
sampling uses this method to select the sample.
Classical variables
sampling
A sampling approach that measures sampling risk
using the variation of the underlying characteristic
of interest. This approach includes methods such
as mean-per-unit, ratio estimation, difference
estimation, and a classical form of probability
proportional to size estimation.
Clearly trivial
The amount below which misstatements would not
need to be accumulated because the auditor
expects that the accumulation of such amounts
clearly would not have a material effect on the
financial statements.
Client
In the federal environment, the “client” may include
the
management of the federal entity to be audited,
including senior executive and financial
managers;
inspector general (IG) if the IG has contracted
for the audit;
members of a board or commission responsible
for the federal entity; and/or
audit committee.
Combined precision
The achieved precision for all statistical sampling
applications.
Commitment letter
A letter used by some auditors, either after a survey
of work or the planning phase has been completed,
to confirm a commitment for a congressional
request, mandate, or auditor’s statutory
discretionary authority for any type of work.
Common data source
All of the financial and programmatic information
available for the budgetary, cost, and financial
accounting processes. It includes all financial and
much non-financial data, such as environmental
data, that are necessary for budgeting and financial
reporting as well as evaluation and decision
information developed as a result of prior reporting
and feedback.
Comparative financial
statements
A complete set of financial statements for one or
more prior periods included for comparison with the
financial statements of the current period.
Comparative information
Prior period information presented for purposes of
comparison with current period amounts or note
disclosures that is not in the form of a complete set
of financial statements. Comparative information
includes prior period information presented as
condensed financial statements or summarized
financial information.
Compensating control
A control that limits the severity of a control
deficiency and prevents it from rising to the level of
significant deficiency or, in some cases, a material
weakness. Only compensating controls that operate
at a level of precision that would prevent, or detect
and correct, a material misstatement are capable of
having a mitigating effect. Although compensating
controls can mitigate the effects of a control
deficiency, they do not eliminate the control
deficiency.
Completeness
All transactions and events that should have been
recorded have been recorded in the proper period
and accounts. All assets, liabilities, net position, and
budgetary balances that should have been
recorded have been recorded in the proper period
and accounts, and properly included in the financial
statements. Projections in the sustainability
financial statements include all estimated future
revenues and expenditures at present value that
should have been included.
Compliance control
A process, by management and others, designed to
provide reasonable assurance regarding the
achievement of objectives for compliance with
applicable laws, regulations, contracts, and grant
agreements.
Compliance control tests
Tests to obtain evidence on the entity’s compliance
controls for each significant provision of applicable
laws, regulations, contracts, and grant agreements
identified for testing, including budget controls for
each relevant budget restriction.
Compliance system
The entity’s policies and procedures to monitor
compliance with laws, regulations, contracts, and
grant agreements applicable to the entity.
Compliance tests
Tests to obtain evidence on the entity’s compliance
with each significant provision of applicable laws,
regulations, contracts, and grant agreements
identified for testing, including compliance with
relevant budget restrictions.
Component auditor
An auditor who performs work on the financial
information of a component that will be used as
audit evidence for the group audit.
Confidence interval
A statistical sample-based estimate expressed as
an interval or range of values. The sample is
designed such that there is a specified confidence
level for which the population value being estimated
is expected to be located within the interval. More
specifically, it is the projected misstatement or point
estimate plus or minus precision at the desired
confidence level and is also known as a precision or
precision interval.
Confidence level
The probability associated with the precision, that
is, the probability that the true misstatement is
within the confidence interval. This is not the same
as assurance.
Contingency
An existing condition, situation, or set of
circumstances involving uncertainty as to possible
gain or loss to an entity. The uncertainty will
ultimately be resolved when one or more future
events occur or fail to occur.
Contract authority
Statutory authority that permits obligations to be
incurred in advance of appropriations or in
anticipation of receipts to be credited to a revolving
fund or other account (offsetting collections).
Contract authority is unfunded. Subsequent funding
by an appropriation or by offsetting collections is
needed to liquidate the obligations incurred under
the contract authority.
Control activities
One of the five components of internal control, in
addition to control environment, risk assessment,
information and communications, and monitoring.
Control activities are the policies, procedures,
techniques, and mechanisms that help ensure that
management directives are carried out and respond
to risks in the internal control system, which
includes the entity’s information system.
Control deficiency
A condition when the design or operation of a
control does not allow management or employees,
in the normal course of performing their assigned
functions, to prevent, or detect and correct,
misstatements on a timely basis. (Also see
significant deficiency and material weakness.)
Control environment
One of the five components of internal control, in
addition to risk assessment, control activities,
information and communications, and monitoring.
Control environment sets the tone of an
organization, influencing the control consciousness
of its people. It is the foundation for all other
components of internal control, providing discipline
and structure.
Control objective
The aim or purpose of specified controls. Control
objectives address the risks that the controls are
intended to mitigate. In the context of internal
control over financial reporting, a control objective
generally relates to a relevant assertion for a
significant class of transactions, account balance,
or disclosure and addresses the risk that the
controls in a specific area will not provide
reasonable assurance that a misstatement or
omission in that relevant assertion is prevented, or
detected and corrected, on a timely basis.
Control risk
The risk that a misstatement that could occur in an
assertion about a class of transaction, account
balance, or disclosure and that could be material,
either individually or when aggregated with other
misstatements, will not be prevented, or detected
and corrected, on a timely basis by the entity's
internal control. That risk is a function of the
effectiveness of the design and operation of internal
control in achieving the entity’s objectives relevant
to preparation and fair presentation of the entity’s
financial statements. Some control risk will always
exist because of the inherent limitations of internal
control.
Control tests
Audit procedures designed to evaluate the
operating effectiveness of controls in preventing, or
detecting and correcting, material misstatements at
the assertion level.
Cost
The monetary value of resources used or sacrificed
or liabilities incurred to achieve an objective, such
as to acquire or produce a good or to perform an
activity or service.
Cycle
A grouping of related accounting applications.
Cycle matrix
An audit document that links each of the entity’s
accounts (in the chart of accounts) to a cycle, an
accounting application, and a financial statement
line item.
Degree of compliance
The following terms are used throughout the FAM
to describe the degree of compliance with the
standard or policy.
Must: Compliance is mandatory when the
circumstances exist to which the requirement is
relevant. Most “musts” indicate unconditional
requirements that come directly from
professional auditing standards while other
instances of “must” are unique needs for the
government environment and, therefore,
GAO/CIGIE determined them to be required.
Should: Compliance is mandatory when the
circumstances exist to which the requirement is
relevant, except in rare circumstances when the
specific procedure to be performed would be
ineffective in achieving the intent of the
requirement. The auditor must document (1) the
justification for any departure and (2) how the
alternative audit procedures performed were
sufficient to achieve the intent of the
requirement or policy. The documentation
should be approved by the reviewer.
Generally should: Compliance is strongly
encouraged when the circumstances exist to
which this policy is relevant. The auditor should
discuss any departure with the assistant
director (or equivalent, such as the audit
manager in a public accounting firm) and
document such discussions.
May, might, could: These terms are used in
the FAM to provide further explanation of and
guidance for implementing audit requirements.
Compliance is optional. The auditor need not
document compliance.
Deobligation
An entity’s cancellation or downward adjustment
(i.e., reduction) of previously incurred obligations.
The entity should not cancel or reduce an obligation
until it has made a formal decision to do so,
supported by any necessary documentation that
has been fully executed (e.g., SF-30 for contract
amendments). There may be specific statutory or
other requirements concerning deobligation.
Deobligated funds may be reobligated within the
period of availability of the appropriation. For
example, annual appropriated funds may be
reobligated in the fiscal year in which the funds
were appropriated, while multiyear or no-year
appropriated funds may be reobligated in the same
or subsequent fiscal years.
Detection risk
The risk that the procedures performed by the
auditor to reduce audit risk to an acceptably low
level will not detect a misstatement that exists and
that could be material, either individually or when
aggregated with other misstatements. It is a
function of the effectiveness of an audit procedure
and of its application by the auditor.
Direct assistance
The use of internal auditors to perform audit
procedures under the direction, supervision, and
review of the auditor.
Disclosure entities
Organizations similar to consolidation entities in that
they are either (1) in the budget, (2) majority owned
by the government, (3) controlled by the
government, or (4) would be misleading to exclude.
Disclosure entities have a greater degree of
autonomy with the government than consolidation
entities.
Disclosures
See note disclosures.
Documentation completion
date
The date, no later than 60 days following the report
release date, on which the auditor has assembled
for retention a complete and final set of
documentation in an audit file.
Emphasis-of-matter
paragraph
A paragraph included in the auditor's report that is
required by U.S. GAAS, or is included at the
auditor's discretion, and that refers to a matter
appropriately presented or disclosed in the financial
statements that, in the auditor's professional
judgment, is of such importance that it is
fundamental to users' understanding of the financial
statements.
Engagement letter
A written agreement that documents the objectives
and scope, roles and responsibilities of both
management and the auditor, and other matters of
the engagement.
Entity-level controls
Controls that have a pervasive effect on an entity’s
internal control system. Entity-level controls may
include controls related to the entity’s risk
assessment process, control environment, service
organizations, management override, and
monitoring.
Entity management
The persons with executive responsibility for the
conduct of the entity’s operations.
Entity profile
An audit document that the auditor uses to
document the information useful for understanding
the entity and its operations. In this profile, the
auditor generally should briefly document such
elements as the entity’s origin, history, mission,
size, locations, organization, and key members of
management; the legal and regulatory framework;
the applicable financial reporting framework (U.S.
GAAP); and external and internal factors affecting
operations, use of information systems, and
accounting policies.
Errors
Unintentional actions, such as mathematical
mistakes, mistakes in the application of accounting
principles, or oversight or misuse of facts, that
existed at the time the financial statements were
prepared.
Existence or occurrence
Transactions and events have occurred during the
given period, have been recorded in the proper
accounts, and pertain to the entity. An entity’s
assets, liabilities, net position, and budgetary
balances exist at a given date and have been
recorded in the proper accounts. Projected
revenues and expenditures in the sustainability
financial statements are valid.
Expectation
The auditor’s estimate of a recorded amount (based
on an analysis and understanding of relationships
between the recorded amounts and other data) in
an analytical procedure.
Expected misstatement
The dollar amount of misstatements the auditor
expects in a population.
Expired accounts
(appropriations)
Accounts in which the balances are no longer
available for incurring new obligations because the
time available for incurring such obligations has
expired.
External confirmation
Audit evidence obtained as a direct written
response to the auditor from a third party (the
confirming party), either in paper form or by
electronic or other medium (for example, through
the auditor's direct access to information held by a
third party).
Factual misstatement
A misstatement in which there is no doubt about the
misstatement.
Federal financial
management systems
requirements
Consists of three parts: (1) reliable financial
reporting, (2) effective and efficient operations, and
(3) compliance with applicable laws and
regulations. OMB and Treasury develop, issue, and
maintain the federal financial management systems
requirements to support these areas and publish
them in the Treasury Financial Manual.
Federal reporting entities
Reporting entities are organizations that issue a
general purpose federal financial report because
either there is a statutory or administrative
requirement to prepare one or they choose to
prepare one. The term “reporting entity” may refer
to either the government-wide reporting entity or a
component reporting entity. Statement of Federal
Financial Accounting Concepts (SFFAC) 2 provides
criteria for an entity to be a reporting entity.
Financial management
systems
The financial systems and the financial portions of
mixed systems necessary to support financial
management, including automated and manual
processes, procedures, controls, data, hardware,
software, and support personnel dedicated to the
operation and maintenance of system functions.
Financial reporting control
A process, created by management and other
personnel, designed to provide reasonable
assurance regarding the achievement of financial
reporting objectives.
Financial statements (also
called the basic or principal
financial statements)
A component of a federal entity’s annual report
(e.g., PAR or AFR), which consists of the following
presented on a comparative basis for the current
and prior years:
• balance sheets,
• statements of net cost,
• statements of changes in net position,
• statements of budgetary resources,
• statements of custodial activity (if applicable),
• statements of social insurance (if applicable),
• statements of changes in social insurance amounts (if applicable), and
• related note disclosures.
Fraud
An intentional act by one or more individuals among
management, those charged with governance,
employees, or third parties, involving the use of
deception that results in a misstatement in financial
statements that are the subject of an audit.
Fraud risk
The risk of fraudulent financial reporting and the risk
of misappropriation of assets that cause a material
misstatement of the financial statements.
Fraudulent financial
reporting
Intentional misstatements or omissions of amounts
or disclosures in financial statements to deceive
financial statement users. Fraudulent financial
reporting could involve intentional alteration of
accounting records, misrepresentation of
transactions, intentional misapplication of
accounting principles, or other means.
Full cost
The total amount of resources used to produce the
output. More specifically, the full cost of an output
produced by a responsibility segment is the sum of
(1) the costs of resources consumed by the
responsibility segment that directly or indirectly
contribute to the output and (2) the costs of
identifiable supporting services provided by other
responsibility segments within the reporting entity
and by other reporting entities.
Fund Balance with Treasury
(FBWT)
An asset account representing the unexpended
spending authority in entity appropriations. Also
serves as a mechanism to prevent entity
disbursements from exceeding appropriated
amounts.
General controls
General controls are the policies and procedures
that apply to all or a large segment of an entity’s
information system. General controls help ensure
the proper operation of information systems by
creating the environment for proper operation of
application controls.
Generally should
See degree of compliance.
Haphazard sample
A nonstatistical sample consisting of sampling units
selected without any conscious bias, that is, without
any special reason for including or omitting items
from the sample. It does not consist of sampling
units selected in a careless manner; rather it is
selected in a manner the auditor expects to be
representative of the population.
Heritage assets
Property, plant, and equipment that are unique for
one or more of the following reasons: (1) historical
or natural significance, (2) cultural, educational,
artistic (or aesthetic) importance, or (3) significant
architectural characteristics.
Information and
communication
One of the five components of internal control, in
addition to control environment, entity risk
assessment, control activities, and monitoring.
Information and communication systems support
the identification, capture, and exchange of
information in a form and time frame that enable
people to carry out their responsibilities.
Information system
A discrete set of information resources organized
for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of information.
Information system controls
Internal controls that are dependent on information
systems processing and include general controls
(entity-wide, system, and application levels),
application controls (input, processing, output,
master file, interface, and data management system
controls), and user controls (controls performed by
people interacting with information systems).
Information system controls
auditor
A person with technical expertise in information
technology systems, general controls, applications,
and information security. This person is involved
with the planning, directing, or performing of audit
procedures related to assessing information system
controls.
Information system
processing
Processing performed by information systems
through the use of information technology.
Information technology
specialist
A person possessing special skills or knowledge in
the information technology field that extend beyond
the skills and knowledge normally possessed by
those working in specialized fields of auditing, such
as information system controls auditing.
Inherent risk
The susceptibility of an assertion about a class of
transaction, account balance, or disclosure to a
misstatement that could be material, either
individually or when aggregated with other
misstatements, before consideration of any related
controls.
Integrated audit
An audit of internal control over financial reporting
that is integrated with an audit of financial
statements.
Intent letter
A letter used by some auditors to acknowledge a
congressional request for any type of work.
Inter-entity
Activity and balances occurring between federal
entities that are trading partners. Inter-entity and
intra-entity amounts comprise intragovernmental
activity and balances.
Internal audit function
A function of an entity that performs assurance and
consulting activities designed to evaluate and
improve the effectiveness of the entity’s
governance, risk management, and internal control
processes.
Internal control
Internal control is a process effected by oversight
body, management, and other personnel that is
designed to provide reasonable assurance about
the achievement of the entity’s objectives with
regard to the reliability of financial reporting,
effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
Internal control over financial
reporting
A process effected by those charged with
governance, management, and other personnel.
Internal control over financial reporting is a subset
of the entity’s internal control, and its objectives are
to provide reasonable assurance that (1)
transactions are properly recorded, processed, and
summarized to permit the preparation of financial
statements in accordance with U.S. generally
accepted accounting principles, and assets are
safeguarded against loss from unauthorized
acquisition, use, or disposition, and (2) transactions
are executed in accordance with provisions of
applicable laws, including those governing the use
of budget authority, regulations, contracts, and
grant agreements, noncompliance with which could
have a material effect on the financial statements.
Internal control phase
This audit phase entails understanding, testing, and
assessing internal control over financial reporting to
reach conclusions about the reliability of financial
reporting and compliance with significant provisions
of applicable laws, regulations, contracts, and grant
agreements.
Intra-entity
Activity and balances occurring within a federal
entity. Intra-entity and inter-entity amounts comprise
intragovernmental activity and balances.
Intragovernmental amounts
Activity and balances occurring within a federal
entity (i.e., intra-entity) or between federal entities
(i.e., inter-entity).
Intragovernmental Payment
and Collection (IPAC) system
The primary method used by most federal entities
to electronically bill or pay for services and supplies
within the U.S. government. IPAC is used to
communicate between the Treasury and the trading
partner entities that the online billing or payment for
services and supplies has occurred.
Iron curtain approach
An approach used to evaluate misstatements. This
approach quantifies a misstatement based on the
effects of correcting the misstatement existing in the
balance sheet at the end of the current year,
irrespective of the misstatement’s year of
origination.
Judgment fund
A permanent and indefinite appropriation
administered by the Department of the Treasury
that is available to pay judgments, settlement
agreements, and certain types of administrative
awards against the United States when such
payment is not otherwise provided for in entity
appropriations.
Judgmental misstatement
Misstatements arising from the judgments of
management, including those concerning
recognition, measurement, presentation, and
disclosure in the financial statements (including the
selection or application of accounting policies) that
the auditor considers unreasonable or
inappropriate.
Limit
Used in performing substantive analytical
procedures, the limit is the amount of difference
between the expected and the recorded amount
that the auditor will accept without investigation.
Limitation
A restriction on the amount, purpose, or period of
availability of budget authority. While limitations are
most often established through appropriations acts,
they may also be established through authorization
legislation. Limitations may be placed on the
availability of funds for program levels,
administrative expenses, direct loan obligations,
loan guarantee commitments, or other purposes.
Line item risk analysis (LIRA)
An audit document that contains the audit plan for
each significant line item and identifies significant
line items, assertions, and cycles/accounting
applications and the related risks of material
misstatement at the relevant assertion level. The
auditor should also summarize and document the
specific risks of material misstatement, other than
pervasive risks, including the inherent, fraud, and
control risk factors, for use in determining the
nature, extent, and timing of audit procedures.
Logical unit
The balance or transaction that includes the
selected dollar in a monetary unit sample.
Management
The persons with executive responsibility for the
conduct of the entity’s operations. For some
entities, management includes some or all of those
charged with governance, for example, senior
executives.
Management’s specialists
Individuals or organizations possessing expertise in
a field other than accounting or auditing, whose
work in that field is used by the entity to assist in
preparing the financial statements.
Material weakness
A deficiency, or a combination of deficiencies, in
internal control over financial reporting, such that
there is a reasonable possibility that a material
misstatement of the entity’s financial statements will
not be prevented, or detected and corrected, on a
timely basis. (Also see control deficiency and
significant deficiency.)
Materiality
For purposes of the audit, misstatements, including
omissions, are considered to be material if there is
a substantial likelihood that, individually or in the
aggregate, they would influence the judgment made
by a reasonable user based on the financial
statements.
Note that FASAB’s Statement of Federal Financial
Accounting Concepts (SFFAC) 1, Objectives of
Federal Financial Reporting, provides a slightly
different definition of materiality. Since SFFACs are
nonauthoritative and in SFFAC 1, the board
recognizes differences from the audit definition, the
FAM is based on the definition provided in AU-C
200.07.
(Also see materiality for the financial statements as
a whole, performance materiality, and tolerable
misstatement.)
Materiality benchmark
The element of the financial statements that the
auditor judges is most significant to the primary
users of the statements. The basis for which
materiality is calculated.
Materiality for the financial
statements as a whole
The auditor’s preliminary estimate of materiality in
relation to the financial statements as a whole,
primarily based on quantitative measures. It is used
to determine performance materiality, which in turn
is used to determine tolerable misstatement. These
are then used to determine the risks of material
misstatement and the nature, extent, and timing of
substantive audit procedures. It is also used to
identify significant provisions of applicable laws,
regulations, contracts, and grant agreements for
compliance testing.
May, might, or could
See degree of compliance.
Misappropriation of assets
Theft of an entity’s assets causing misstatements in
the financial statements.
Misstatement
A difference between the reported amount,
classification, presentation, or disclosure of a
financial statement item and the amount,
classification, presentation, or disclosure that is
required for the item to be presented fairly in
accordance with U.S. GAAP. Misstatements can
arise from fraud or error. (Also see factual
misstatement, judgmental misstatement, and
projected misstatement.)
Misstatements also include those adjustments of
amounts, classifications, presentations, or
disclosures that, in the auditor's professional
judgment, are necessary for the financial
statements to be presented fairly, in all material
respects.
Misstatement of fact
Other information that is unrelated to matters
appearing in the audited financial statements that is
incorrectly stated or presented. A material
misstatement of fact may undermine the credibility
of the document containing audited financial
statements.
Modified opinion
A qualified opinion, an adverse opinion, or a
disclaimer of opinion.
Monetary unit sampling
A variables sampling method that uses a probability
proportional to size (PPS) sample selection
technique.
Monitoring
One of the five components of internal control, in
addition to control environment, risk assessment,
control activities, and information and
communications.
Monitoring of controls is a process to assess the
effectiveness of internal control performance over
time. This consists of activities management
establishes and operates to assess the quality of
performance over time and promptly resolve the
findings of audits and other reviews.
Multipurpose testing
Performing several tests, such as control tests,
compliance tests, and substantive tests, on a single
selection, usually a statistical sample.
Must
See degree of compliance.
Noncompliance
Acts of omission or commission by the entity, either
intentional or unintentional, which are contrary to
the prevailing laws, regulations, contracts, or grant
agreements. Such acts include transactions entered
into by, or in the name of, the entity or on its behalf
by those charged with governance, management,
or employees. Noncompliance does not include
personal misconduct (unrelated to the business
activities of the entity) by those charged with
governance, management, or employees of the
entity.
Nonrecognized events
Subsequent events that provide evidence with
respect to conditions that did not exist at the date of
the financial statements but arose subsequent to
that date.
Nonstatistical sampling
A sampling approach to draw conclusions about a
population that does not have all the characteristics
of statistical sampling (see statistical sampling). The
two principal techniques of selecting a nonstatistical
sample are the use of random selection or
haphazard selection. A nonstatistical sample is
representative of, but not statistically projectable to,
the population.
Nonstatistical selection
A selection of items for substantive testing to reach
a conclusion only on the items selected. A
nonstatistical selection is not representative of, nor
statistically projectable to, the portion of the
population that was not tested. Accordingly, the
auditor applies appropriate analytical and/or other
substantive procedures to the remaining items,
unless those items are immaterial in total or the
auditor has already obtained enough assurance
that there is a low risk of material misstatement in
the total population.
The auditor may also use nonstatistical selection to
test controls. Similar to nonstatistical selection for
substantive testing, the auditor may not project the
results of nonstatistical selection for control testing
to the portion of the population not tested. To
determine whether sufficient evidence has been
obtained to conclude on the effectiveness of the
controls tested, the auditor considers the results of
the nonstatistical selection in conjunction with other
sources of evidence.
Note disclosures
Individual elements of information that are reported
in a note to the financial statements.
Notification letter
A letter used by some auditors to notify an entity of
new engagements for any type of work.
Obligation (budgetary
obligation)
OMB Circular No. A-11, Preparation, Submission,
and Execution of the Budget, defines obligation as
a binding agreement that will result in outlays,
immediately or in the future. GAO’s Federal Budget
Glossary (GAO-05-734SP) defines obligation as a
definite commitment that creates a legal liability of
the government for the payment of goods and
services ordered or received, or a legal duty on the
part of the United States that could mature into a
legal liability by virtue of actions on the part of the
other party beyond the control of the United States.
Payment may be made immediately or in the future.
An agency incurs an obligation, for example, when
it places an order, signs a contract, awards a grant,
purchases a service, or takes other actions that
require the government to make payments to the
public or from one government account to another.
Office of the General
Counsel (OGC)
The office advises the auditor in (1) identifying
significant provisions of applicable laws and
regulations to test; (2) identifying budget
restrictions; and (3) identifying and resolving legal
issues encountered during the financial statement
audit, such as evaluating potential instances of
noncompliance.
Offsetting receipts and
collections authority
Statutory authority that permits federal entities to
obligate and expend the proceeds of offsetting
receipts and collections. Offsetting receipts and
collections are of a business-market-oriented nature
and may include intragovernmental transactions,
such as reimbursements for materials or services
provided to other government entities. If, pursuant
to law, they are credited to appropriations or fund
expenditure accounts and are available for
obligation without further congressional action, they
are referred to as offsetting collections.
Operations controls
A process by management and others, designed to
provide reasonable assurance regarding the
achievement of objectives for the planning,
productivity, quality, economy, efficiency or
effectiveness of operations.
Other auditors
Auditors other than the audit organization
performing the entity’s financial statement audit as
group auditor. These “other” auditors may be part of
the entity’s monitoring controls.
Other information
Financial or nonfinancial information (other than the
financial statements, supplementary information,
required supplementary information, and auditor’s
report) included in an entity’s annual report.
Other-matter paragraph
A paragraph included in the auditor's report that is
required by U.S. GAAS, or is included at the
auditor's discretion, and that refers to a matter other
than those presented or disclosed in the financial
statements that, in the auditor's professional
judgment, is relevant to users' understanding of the
audit, the auditor's responsibilities, or the auditor's
report.
Overall analytical procedures
Analytical procedures performed as an overall
financial statement review during the reporting
phase.
Overall audit strategy
An audit document that sets the scope, timing, and
direction of the audit and guides the development of
the audit plan. In establishing the overall audit
strategy, the auditor should
• identify the characteristics of the engagement that define its scope;
• ascertain the reporting objectives of the engagement in order to plan the timing of the audit and the nature of the communications required;
• consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s efforts; and
• ascertain the nature, timing, and extent of resources necessary to perform the engagement.
Performance and
accountability report (PAR)
The PAR consists of the information in the AFR
(see agency financial report above) and
performance information required for most federal
executive agencies.
Performance materiality
The amount or amounts set by the auditor as a
portion of materiality that the auditor allocates to
particular line items, accounts, classes of
transactions (such as disbursements), or
disclosures.
Planning phase
The objectives of this audit phase are to gain an
understanding of the entity to be audited; to
understand its environment, including internal
control; to identify significant areas for audit; and to
design effective and efficient audit procedures.
Point estimate
Most likely amount of the population characteristic
based on the extrapolation of the sample results.
Population
The entire set of data from which a sample is
selected and about which the auditor wishes to
draw conclusions.
Precision (allowance for
sampling risk)
A measure of the difference between a sample
estimate (projection) and the tolerable rate of
deviation or tolerable misstatement at a specified
sampling risk.
Preliminary analytical
procedures
Analytical procedures performed during the audit
planning phase.
Presentation and disclosure
Financial and other information in the financial
statements is appropriately aggregated or
disaggregated and clearly described. Note
disclosures are appropriately measured and
described and are relevant and understandable in
the context of the requirements of U.S. GAAP. All
note disclosures that should have been included in
the financial statements have been included.
Disclosed transactions and events have occurred
and pertain to the entity.
Principal statements
See financial statements.
Probable
Generally, in evaluating a loss contingency, the
future confirming event or events are more likely
than not to occur. In evaluating a loss contingency
for pending or threatened litigation and unasserted
claims, the future confirming event or events are
likely to occur.
Professional judgment
The application of relevant training, knowledge, and
experience, within the context provided by auditing,
accounting, and ethical standards, in making
informed decisions about the courses of action that
are appropriate in the circumstances of the audit
engagement.
Professional skepticism
An attitude that includes a questioning mind, being
alert to conditions that may indicate possible
misstatement due to fraud or error, and a critical
assessment of audit evidence.
Projected misstatement
The auditor’s best estimate of the amount of the
misstatements in populations, involving the
projection of misstatements identified in audit
samples to the entire population from which the
samples were drawn.
Providing entity
The entity providing services, products, goods,
transfer funds, investments, debt, and/or incurring
the reimbursable costs. This includes bureaus,
departments, and/or programs within entities. The
providing agency is the seller. The providing entity
transfers out funds to another entity (transfers out)
when appropriations are transferred without the
exchange of goods or services.
Public-private partnerships
(P3)
Risk-sharing arrangements or transactions lasting
more than 5 years between public and private
sector entities.
Random sample
A sample selected so that every combination of the
same number of items has an equal probability of
selection.
Ratio estimation
A classical variables sampling technique that uses
the ratio of audited amounts to recorded amounts in
the sample to estimate the total dollar amount of the
population and an allowance for sampling risk.
Reasonable assurance
In the context of an audit of financial statements, a
high, but not absolute, level of assurance.
Reasonably possible
In evaluating a loss contingency, the chance of the
future confirming event or events occurring is more
than remote but less than probable.
Receiving entity
The entity receiving services, products, goods,
transfer funds, purchasing investments, and/or
borrowing from Treasury (or other entities). This
includes bureaus, departments, and/or programs
within entities. The receiving entity is the purchaser.
The receiving entity receives transfers of funds
(transfers in) when appropriations are transferred
without the exchange of goods or services.
Reciprocal accounts
Corresponding U.S. Standard General Ledger
(USSGL) accounts that should be used by a
providing/seller and receiving/buyer entity to record
like intragovernmental transactions. For example,
the providing entity’s accounts receivable would
normally be reconciled to the reciprocal account,
accounts payable, on the receiving entity’s records.
Recognized events
Subsequent events that provide additional evidence
with respect to conditions that existed at the date of
the financial statements and affect the estimates
inherent in the process of preparing the financial
statements, notes, and RSI.
Recorded amount
The financial statement amount being tested by the
auditor in the specific application of substantive
tests.
Regression estimate
An estimate of a population parameter for one
variable that is obtained by substituting the known
total for another variable into a regression equation
calculated on the basis of sample values of the two
variables. Ratio estimates are special kinds of
regression estimates.
Reimbursable activity
An intragovernmental activity in which the entity
receiving goods or services reimburses the
providing entity in accordance with an agreed-upon
price, which may or may not represent fair value.
Related parties
Under FASAB standards, organizations are
considered to be related parties in the general
purpose federal financial report if the existing
relationship or one party to the existing relationship
has the ability to exercise significant influence over
the other party’s policy decisions. Relationships and
transactions between the entity and other federal
entities (intragovernmental) are not considered
related party relationships and transactions. Given
the similarity of risks, related parties, as used in
auditing standards, include disclosure entities,
related parties, and public-private partnerships, as
these terms are defined by FASAB.
Remote
In evaluating a loss contingency, the chance of the
future confirming event or events occurring is slight.
Reporting phase
This phase completes the audit based on the
results of audit procedures performed in the
preceding phases. This involves developing the
auditor’s report on the entity’s (1) financial
statements, RSI (including MD&A), and other
information included in the annual report; (2)
internal control over financial reporting; (3) financial
management systems’ substantial compliance with
the three FFMIA requirements (for CFO Act
agencies); and (4) compliance with significant
provisions of applicable laws, regulations, contracts,
and grant agreements.
Report release date
The date the auditor grants the entity permission to
use the auditor’s report in connection with the
financial statements. Often, this will be the date the
auditor provides the audit report to the entity. The
report release date will ordinarily be a date that is
close to the auditor’s report date.
Required supplementary
information (RSI)
Information that a designated accounting standards
setter requires to accompany an entity’s basic
financial statements. RSI is not part of the basic
financial statements; however, a designated
accounting standards setter considers the
information to be an essential part of financial
reporting for placing the basic financial statements
in an appropriate operational, economic, or
historical context. In addition, authoritative
guidelines for the methods of measurement and
presentation of the information have been
established.
Responsibility segment
A significant organizational, operational, functional,
or process component that has the following
characteristics: (1) its manager reports to the
entity’s top management, (2) it is responsible for
carrying out a mission, performing a line of activities
or services, or producing one or a group of
products, and (3) for financial reporting and cost
management purposes, its resources and results of
operations can be clearly distinguished, physically
and operationally, from those of other segments of
the entity.
Reviewer (engagement quality control reviewer or second partner)
The person who is responsible for providing negative
assurance about the quality of the audit and who reports
to the assistant IG for audit (or higher position); at GAO,
this is the chief accountant or designee. The
reviewer may consult with other personnel as
needed.
Rights and obligations
The entity holds or controls the rights to assets, and
liabilities are the obligations of the entity, at a given
date. The entity has rights to budgetary resources,
and budgetary obligations pertain to the entity, at a
given date (see budgetary resources and
obligation).
Risk
See audit risk, inherent risk, control risk, risk of
material misstatement, and detection risk.
Risk assessment
One of the five components of internal control, in
addition to control environment, control activities,
information and communications, and monitoring.
Risk assessment is the entity’s identification,
analysis, and management of risks relevant to
achievement of its objectives. This assessment
provides the basis for developing appropriate
responses to risk.
Risk of material misstatement
The risk that the financial statements are materially
misstated prior to the audit. It is the auditor’s
combined assessment of inherent risk and control
risk.
Rollover approach
An approach used to evaluate misstatements. This
approach quantifies a misstatement based on the
amount of the misstatement originating in the
current year Statement of Net Cost.
Safeguarding controls
Internal controls to protect assets from loss from
unauthorized acquisition, use, or disposition of
entity assets that could have a material effect on
the financial statements.
Sample
See audit sample.
Sampling
See audit sampling.
Sampling interval
An amount between two consecutive sample items
in a systematic sample. The sampling interval is
determined by dividing the number of items in the
population by the desired number of selections.
When used in the context of a systematic sample
used to select items for monetary unit sampling
(MUS), it is the tolerable misstatement divided by
the statistical risk factor.
Sampling risk
The risk that the auditor’s conclusion based on a
sample may be different from the conclusion if the
entire population were subjected to the same audit
procedure. For tests of controls, sampling risk is the
risk of assessing control risk either too low or too
high. For substantive testing, sampling risk is the
risk of incorrect acceptance or the risk of incorrect
rejection.
Sampling unit
Any of the individual elements, as defined by the
auditor, that constitute the population.
Sequential sampling
A sampling plan for which the sample is selected in
several steps, with each step conditional on the
results of the previous steps.
Service auditor
A practitioner who reports on controls at a service
organization.
Service organization
An organization or segment of an organization that
provides services to user entities that are relevant
to those user entities’ internal control over financial
reporting.
Should
See degree of compliance.
Significant deficiency
A deficiency, or a combination of deficiencies, in
internal control over financial reporting, that is less
severe than a material weakness yet important
enough to merit attention by those charged with
governance. (Also see control deficiency and
material weakness.)
Significant unusual transactions
Significant transactions that are outside the normal
course of business for the entity or that otherwise
appear to be unusual due to their timing, size, or
nature.
Special Investigator Unit
The unit investigates specific allegations involving
conflict-of-interest and ethics matters, contract and
procurement irregularities, official misconduct and
abuse, and fraud in federal programs or activities.
In the offices of the IGs, this is the investigation
unit; at GAO, it is the Forensic Audits and
Investigative Service team. The Special Investigator
Unit provides assistance to the auditor by (1)
informing the auditor of relevant pending or
completed investigations of the entity and (2)
investigating possible instances of fraud, waste,
and abuse.
Special purpose entity
An entity created for a specific, limited, and
normally temporary purpose. A special purpose
entity can be a corporation, trust, partnership,
limited liability company, or some type of variable
interest entity. Special purpose entities are often an
integral part of public-private partnerships because
of their risk-containment nature of isolating
participating entities from financial risk.
Specific control evaluation (SCE)
Evaluating the effectiveness of specific control
activities in achieving the control objectives. This
process is documented on the SCE worksheet.
Statistical sampling
A sampling approach to draw conclusions about a
population that has the following characteristics:
(1) random selection of the sample items and
(2) the use of an appropriate statistical technique to
evaluate sample results, including measurement
of sampling risk, to project the results to the
population.
A sampling approach that does not have these
characteristics is considered nonstatistical
sampling.
Stewardship land
Land and rights owned by the federal government
but not acquired for or in connection with items of
general PP&E.
Stratification
The process of dividing a population into
subpopulations, each of which is a group of
sampling units that have similar characteristics.
Stratification may be used to focus procedures on
risk areas or to reduce variability in sampling
populations.
Subsequent events
Events or transactions that affect the financial
statements, notes, or RSI that may occur or
become known between the date of the financial
statements and the date of the auditor’s report.
Subsequently discovered facts
Facts that become known to the auditor after the
date of the auditor's report that, had they been
known to the auditor at that date, may have caused
the auditor to revise the auditor's report.
Substantive analytical procedures
The comparison of a recorded amount with an
expectation of that amount and subsequent
investigation of any significant differences to reach
a conclusion on the recorded amount.
Substantive audit assurance
The auditor’s judgment about the probability that all
substantive tests of an assertion will detect
aggregate misstatements that exceed materiality.
Not the same as confidence level.
Substantive procedures or tests
Audit procedures designed to detect material
misstatements at the assertion level. Substantive
procedures comprise tests of details and
substantive analytical procedures.
Sufficiency (of audit evidence)
The measure of the quantity of audit evidence. The
quantity of the audit evidence necessary is affected
by the auditor’s assessment of the risks of material
misstatement and the quality of the audit evidence
obtained (that is, its appropriateness).
Suitable criteria
In agreed-upon procedures engagements or other
attestation engagements, standards
for acceptability which have the attributes of
objectivity, measurability, completeness, and
relevance.
Supplemental analytical procedures
Analytical procedures to increase the auditor’s
understanding of account balances and
transactions when detail tests are used as the sole
source of substantive assurance.
Supplementary information
Information presented outside the financial
statements and RSI, for which the auditor is
engaged to report on whether such information is
fairly stated, in all material respects, in relation to
the financial statements as a whole. Supplementary
information is not considered necessary for the
financial statements to be fairly presented in
accordance with U.S. GAAP. Such information may
be presented in a document containing the audited
financial statements or separate from the financial
statements.
Sustainability financial statements
The sustainability financial statements are the
statement of long-term fiscal projections (at the
government-wide consolidated level only),
statement of social insurance, and
statement of changes in social insurance
amounts.
The sustainability financial statements are based on
projections of future receipts and spending.
Systematic random sampling
A method of selecting a sample in which every nth
item is selected using one or more random starts.
When the first item is selected using judgment from
the interval, the method is termed systematic
sampling.
Technical accounting and auditing expert
The person who reports to the assistant IG for audit
or higher. At GAO, this is the chief accountant or
other designated expert. This expert advises on
accounting and auditing professional matters and
government-related issues. This person also may
be the reviewer or may review reports on financial
statements and reports that express opinions on
financial information for compliance with
professional auditing standards.
Testing phase
The objectives of this audit phase are to (1) obtain
reasonable assurance about whether the financial
statements are presented fairly, in all material
respects, in accordance with U.S. GAAP; (2)
determine whether the entity complied with
significant provisions of applicable laws,
regulations, contracts, and grant agreements; and
(3) assess the effectiveness of internal control over
financial reporting through testing controls often in
coordination with other tests.
Those charged with governance (oversight body)
Those who have the responsibility for overseeing
the strategic direction of the entity and obligations
related to the accountability of the entity, including
overseeing the entity’s financial reporting process.
For a federal entity, those charged with governance
may be members of a board or commission, an
audit committee, the secretary of a cabinet-level
department, or senior executives and financial
managers responsible for the entity.
Tolerable misstatement
The application of performance materiality to a
particular substantive sampling procedure.
Tolerable misstatement is defined in AU-C 530.05
as a monetary amount set by the auditor in respect
of which the auditor seeks to obtain an appropriate
level of assurance that the monetary amount set by
the auditor is not exceeded by the actual
misstatement in the population.
Tolerable rate of deviation
The maximum rate of deviations from the
prescribed control that the auditor is willing to
accept without altering the preliminary control risk.
This is also referred to as tolerable error, tolerable
rate, or tolerable deviation.
Trading partner code
Assigned by the U.S. Department of the Treasury,
trading partner codes are used to facilitate the
preparation of the Financial Report of the United
States Government.
Trading partners
Federal entities that request or provide transactions
and transfers between federal entities.
Transfers
Shifting of all or part of the budget authority in one
appropriation or fund account to another. Entities
may transfer budget authority only as specifically
authorized by law. For accounting purposes, the
nature of the transfer determines whether the
transaction is treated as an expenditure or a
nonexpenditure transfer.
Treasury Financial Manual (TFM)
The Treasury Financial Manual (TFM) is Treasury’s
official publication of policies, procedures, and
instructions concerning financial management in the
Federal Government. It is intended to promote the
Government’s financial integrity and operational
efficiency.
Type 1 Report
Report on the fairness of the presentation of
management’s description of the service
organization’s system and the suitability of the
design of the controls to achieve the related control
objectives included in the description as of a
specified date.
Type 2 Report
Report on the fairness of the presentation of
management’s description of the service
organization’s system and the suitability of the
design and operating effectiveness of the controls
to achieve the related control objectives included in
the description throughout a specified period.
Uncorrected misstatements
Misstatements that the auditor has accumulated
during the audit and that have not been corrected.
Undelivered orders
The value of goods and services ordered and
obligated that have not been received. This amount
includes any orders for which advance payment has
been made but for which delivery or performance
has not yet occurred.
Universe
See population.
Unliquidated obligation
The amount of outstanding obligations or liabilities.
U.S. generally accepted accounting principles (U.S. GAAP)
The U.S. accounting principles that are
promulgated by a standard setter approved by the
AICPA. SFFAS 34 contains the hierarchy of
accounting standards for financial statements of
federal government entities. The standards issued
by FASAB are the first level of the hierarchy. For
government corporations and certain other entities,
the standards issued by FASB are the first level of
the hierarchy.
U.S. Standard General Ledger (USSGL)
A uniform chart of accounts and guidance for
standardizing U.S. federal accounting. Composed
of five major sections: (1) chart of accounts,
(2) accounts and descriptions, (3) account
transactions, (4) USSGL attributes, and (5) USSGL
crosswalks to standard external reports. Prescribed
by the Department of the Treasury in its Treasury
Financial Manual.
U.S. Standard General Ledger (USSGL) at the transaction level
One of the three requirements of FFMIA.
Implementing the USSGL at the transaction level
means that transactions are recorded in full
compliance with the USSGL Chart of Accounts’
descriptions and posting models/attributes that
demonstrate how the USSGL is to be used for
recording transactions of the federal government
accounting process; reports produced by the
systems provide financial information, whether used
internally or externally, that can be traced directly to
the USSGL accounts; and transactions from feeder
systems, which may be summarized and interfaced
into the core financial system’s general ledger, are
posted following USSGL requirements.
User auditor
An auditor who audits and reports on the financial
statements of a user entity.
User controls
Controls that are performed by people interacting
with IS controls. The effectiveness of user controls
typically depends on the accuracy of the information
produced by the IS controls.
User entity
An entity that uses a service organization for which
controls at the service organization are likely to be
relevant to that entity’s internal control over financial
reporting.
Walk-throughs
Audit procedures to help the auditor understand the
design of controls and whether they have been
implemented. They may also provide some
evidence of control effectiveness. Walk-throughs of
financial reporting controls include tracing one or
more transactions from initiation, through all
processing, to inclusion in the general ledger;
observing the processing and applicable controls in
operation; making inquiries of personnel applying
the controls; and inspecting related documents.
OTHER GLOSSARIES
NOTE 1
The Federal Information System Controls Audit Manual (FISCAM) contains a glossary of information systems terms (see GAO-09-232G, February 2009).
NOTE 2
A Glossary of Terms Used in the Federal Budget Process contains additional terms and definitions (see GAO-05-734SP, September 2005).
NOTE 3
The AICPA’s Audit Sampling Guide contains a glossary of terms.
NOTE 4
The Federal Accounting Standards Advisory Board’s Handbook of Federal Accounting Standards and Other Pronouncements, as Amended contains a glossary of terms.
All Audit Phases
Abbreviations
Updated May 2023 GAO/CIGIE Financial Audit Manual Abbreviations-1
Abbreviations
AFR
agency financial report
AICPA
American Institute of Certified Public Accountants
ASB
Auditing Standards Board of the AICPA
AT-C
AICPA’s Clarified Statements on Standards for Attestation Engagements
ATDA
Accountability of Tax Dollars Act of 2002
AU-C
AICPA’s Clarified Statements on Auditing Standards
CFO
chief financial officer
CFO Act
Chief Financial Officers Act of 1990
CFS
consolidated financial statements of the U.S. government
CIGIE
Council of the Inspectors General on Integrity and Efficiency
FAM
GAO/CIGIE Financial Audit Manual
FASAB
Federal Accounting Standards Advisory Board
FASB
Financial Accounting Standards Board
FBWT
Fund Balance with Treasury
FISCAM
Federal Information System Controls Audit Manual
FISMA
Federal Information Security Modernization Act of 2014
FFMIA
Federal Financial Management Improvement Act of 1996
FMFIA
31 U.S.C. § 3512(c), (d), commonly known as the Federal Managers’ Financial Integrity Act of 1982
GAGAS
generally accepted government auditing standards (also known as the Yellow Book)
GAO
Government Accountability Office
GASB
Governmental Accounting Standards Board
GMRA
Government Management Reform Act of 1994
Green Book
Standards for Internal Control in the Federal Government
IDEA
Interactive Data Extraction and Analysis
IG
inspector general
IS
information system
LIRA
Line Item Risk Analysis
MD&A
management’s discussion and analysis
MUS
monetary unit sampling [also known as dollar unit sampling]
NIST
National Institute of Standards and Technology
OGC
Office of the General Counsel
OMB
Office of Management and Budget
PAR
performance and accountability report
PIIA
Payment Integrity Information Act of 2019
PPS
probability proportional to size
RSI
required supplementary information
SCE
Specific Control Evaluation
SFFAS
Statement of Federal Financial Accounting Standards
SSAE
Statement on Standards for Attestation Engagements
TFM
Treasury Financial Manual
U.S. GAAP
U.S. generally accepted accounting principles
U.S. GAAS
U.S. generally accepted auditing standards
U.S.C.
United States Code or U.S. Code
USSGL
U.S. Standard General Ledger
Yellow Book
generally accepted government auditing standards (GAGAS)