Government Auditing Standards (GAGAS): Review and Update
2007 Revision
Philip E. Flora, CIA, CISA, CFE, CCSA
Special thanks to Steve Morgan for sharing slides for use in this presentation

Session Objectives
• Provide an overview of use and application of GAGAS, including types of audits and engagements.
• Review Auditors’ ethical responsibilities.
• Discuss/review General Standards, including updates.
• Discuss/review Performance Audit Standards, including updates.
• Review Supplemental Guidance (Appendix I)

Government Auditing Standards
• General Standards: All phases of audit process
• Field Work Standards: Survey, planning, and finding development phases
• Reporting Standards: Reporting phase

Introductions

Introductions – Please Share with the Group
• Name
• Education/Work experience – Whatever you would like to share
• Questions about the standards
• Anything else you want to share with the group about yourself

Standards?

Overview
Why follow GAGAS?

Why Standards
• Necessary for a profession
• Required by laws/rules/regulations/agreements/grantees, etc.
• Promotes consistency
• Provides guidance
• Other

Signs of a Profession
• Commitment to Serving Others
• Code of Ethics
• Professional Standards
• Professional Certification Process
• Continuing Education Requirements
• Quality Assessment Review

Certifications

2007 Yellow Book Implementation Dates
• Performance audits: standards are proposed to become effective for audits beginning January 1, 2008.
• Financial audits and attestation engagements: standards are proposed to become effective for audits of periods ending on or after January 1, 2008.
  – Certain standards issued by the AICPA have earlier effective dates. For financial statement audits conducted under GAGAS, the effective dates of those new standards will apply.
• Early implementation of the 2007 revision of Government Auditing Standards will be permitted.

2007 Yellow Book Major Areas of Revisions – General:
• Bringing performance audits under a professional assurance framework using concepts of audit risk, significance, and sufficient, appropriate evidence
• Emphasizing the critical role of government audits in achieving credibility and accountability in government

2007 Yellow Book Major Areas of Revisions – General:
• Expanding and strengthening the discussion and guidance on audit quality
• Outlining overarching ethical framework in government audits
• Modernizing GAGAS and updating for major developments in the accountability and audit environment

2007 Yellow Book Major Areas of Revisions – General:
• Two forms of GAGAS statement
• Change in CPE requirements – for some
• Expanding and strengthening the discussion and guidance on audit quality

2007 Yellow Book Major Revisions – Performance Auditing:
• New definition of performance auditing
• Emphasis on reasonable assurance, significance, audit risk
• Stress put on critical role of auditor judgment

2007 Yellow Book Major Revisions – Performance Auditing:
• Must consider risk of fraud in planning
• Evidence tests – appropriate & sufficient
• Evidence types – analytical deleted
• No reporting Quality standards

Chapter 1: Use and Applicability of GAGAS
• Roles of government auditors and managers
• Purpose of GAGAS and why it is important
• Terminology to define professional requirements
• Citing compliance with GAGAS in Auditors’ Report
• Relationship between GAGAS and other professional standards
• Types of government audits and
  attestation engagements

Auditor’s Role
• Supports accountability to the public
• Provides independent, objective, nonpartisan assessment of government

Management’s Role
• Provide reliable and useful accountability reports
• Comply with laws and regulations
• Achieve program objectives and desired outcomes
• Provide services efficiently, economically, effectively, ethically, equitably, and legally
• Be accountable for use of public resources
(par 1.02)

Government Performance Expectations
MISSION PERFORMANCE GOALS
• INPUT ECONOMY
  – Financial: Amount, timing
  – Physical: Quantity, quality; Timing, price
• PROCESS EFFICIENCY
  – Productivity
  – Unit Cost
  – Operating Ratios
• OUTPUT EFFECTIVENESS
  – Quantity
  – Quality: products, delivery
  – Timeliness
  – Price/Cost
• OUTCOME EFFECTIVENESS
  – Mission & Outcome Goal Achievement
  – Financial Viability
  – Cost-Benefit
  – Cost-Effectiveness
CROSSCUTTING PERFORMANCE GOALS
• Compliance with Laws and Regulations
• Resources - Safeguarding - Infrastructure
• Continuous Improvement
• Reliability, Validity, Availability of Information
• Underlying Values
• Customer and Stakeholder Satisfaction

Performance Auditing
Stages: Inputs, Process, Outputs, Intermediate Outcomes, Long-term Outcomes, Impacts
• Input Economy
  – Financial: Amount, Timing
  – Physical: Quantity, Quality, Timing
• Process Efficiency
  – Productivity (Output/input)
  – Unit Cost (Input/output)
  – Operating Ratios
• Output Effectiveness
  – Level/Quantity
  – Timeliness
  – Quality
  – Price/Cost
  – Customer Satisfaction
• Outcome Effectiveness
  – Mission & Goal Achievement
  – Financial Viability
  – Customer Satisfaction
Crosscutting Performance Goals
• Compliance with Laws and Regulations
• Reliability, Validity, and Availability of Information
• Maintaining Underlying Values
  – Individual Ethics and Integrity
  – Societal Equity
  – Cooperation and Partnership
• Continuous Improvement

Why are Performance Expectations Sometimes not Accomplished?
• Theoretical framework is flawed, i.e.
  no direct cause and effect relationship exists between program and desired outcomes
• Intervening or external variables which negate, deflect, or mask the program’s effect, i.e., GASB’s emphasis on explanatory information
• Management systems/processes are deficient
• Program goals are unrealistic/unattainable
• Inputs/resources are inadequate
• Act of providence intercedes

Purpose and Applicability of Auditing Standards
• Why have auditing standards?
• Who are the standards for?
• What are the standards used for?
• What results can be achieved by complying with GAGAS?

Use of Terminology to Define Professional Requirement
Consistent with SAS No. 102:
• Must and is required indicate an unconditional requirement
• Should indicates a presumptively mandatory requirement
• Should consider indicates that the consideration is presumptively required; carrying out the procedure or action is a matter of auditor professional judgment based on existing facts and circumstances
• Text not using the above conventions is considered explanatory material
(par 1.07)

Citing Compliance with GAGAS
• Unqualified GAGAS compliance statement – Engagement was performed in accordance with GAGAS
• Qualified GAGAS compliance statement – Engagement was performed in accordance with GAGAS, except for specific applicable standards that were not followed
• Negative GAGAS compliance – Engagement was not performed in accordance with GAGAS
(par 1.12)

Relationship Between GAGAS and Other Standards
• AICPA field work and reporting standards are incorporated by reference for financial statement audits
• PCAOB and IAASB standards can be used in conjunction with GAGAS for financial statement audits
• IIA standards can be used in conjunction with GAGAS for performance audits
(par 1.15)

Auditing Standards
• Government Auditing Standards – GAGAS (GAO)
• Standards for the Professional Practice of Internal Auditing (The IIA)
• Statements on Auditing Standards (AICPA)
• Statements on Standards for Attestation Engagements
  (AICPA)

Types of Government Audits and Attestation Engagements
Objectives determine
• Types of work to be performed
• Applicable standards to be followed

Financial Audits
• Financial Statements
  – Verify that statements are presented fairly in all material respects in conformance with GAAP, or another comprehensive basis of accounting.
    » financial position, results of operations, cash flows
  – Verify special reports, letters for underwriters, etc.
(par 1.22)

Attestation Engagements
• Examining, reviewing or performing agreed-upon procedures on a subject matter or an assertion about a subject matter and reporting on the results.
  – Can cover a broad range of financial and nonfinancial subjects.
  – Verify information – one objective.
(par 1.23)

Performance Audits
• Provide information to improve program performance and operations, reduce costs and facilitate decision-making by parties with responsibility to oversee or initiate corrective action, and improve public accountability.
  – Identify outstanding, adequate, and poor performance and the related consequences.
  – Suggest practical solutions for improving performance, as appropriate.

Performance Audit Objectives
• Program effectiveness and results
• Economy and efficiency
• Internal control
• Compliance
• Prospective analysis
(par 1.28)

Nonaudit Services
• What is a non-audit service?
• Should standards be cited?
• Is independence impaired?

Chapter 2: Auditor’s Ethical Responsibilities
Overarching auditor ethical concepts to uphold and protect the public trust.
“While audit organizations have overall responsibility for creating the environment to promote conducting audit work in accordance with ethical principles, ethics are also a matter of personal responsibility.
It is essential that government auditors observe overarching ethical concepts in the performance of their professional responsibilities.”
Excerpt from paragraph 2.02

Auditor’s Ethical Framework
Ethical concepts that provide the framework for auditors’ work: (par 2.04)
• Public interest
• Professional behavior
• Integrity
• Objectivity
• Proper use of government information, resources, and position

Auditor’s Ethical Framework – The Public Interest
• Who is the “public”?
• What is the “public trust”?
• What is the relationship between auditor responsibilities and the public interest?
(par 2.06)

Auditor’s Ethical Framework – Professional Behavior
• Test of reasonable and informed third party
• Standard for auditor’s professional behavior
(par 2.15)

Auditor’s Ethical Framework – Integrity
• Relationship to public confidence
• Form and spirit of relevant ethical standards
(par 2.08 and 2.09)

Auditor’s Ethical Framework – Objectivity
• What is an “objective attitude”?
• Why is objectivity important?
(par 2.10)

Proper Use of Government Information, Resources, and Position
• Be sensitive to personal gain from information or position
• Balance transparency and proper use of government information
(par 2.11 – 2.14)

Exercise #1 - General

Chapter 3: General Standards
Concern the fundamental requirements for ensuring the credibility of auditors’ results
• Independence
• Professional Judgment
• Competence
• Quality Control and Assurance *
* These standards are still under development

General Standards – Independence
In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be free both in fact and appearance from personal, external, and organization impairments to independence.
(par 3.02)

General Standards – Independence
• Knowledgeable third party test
• Disclosure requirements
• Use of specialists

Stopping Short of the Line
Avoid situations that could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that the auditor is not able to maintain independence in conducting audits.
(par 3.03)

Mandates for Both Audit and Nonaudit Services
“… in those situations in which the government auditor because of a legislative requirement or for other reasons cannot decline to perform the work, the impairment(s) should be reported in the scope section of the audit report.”
(par 3.04)

Specialists
• Explain GAGAS requirements to specialists
• Obtain representations from specialists, e.g., have them sign independence statements

General Standards – Independence
• Personal Impairments – result from relationships and beliefs that might cause auditors to limit the extent of the inquiry, disclosure or weaken or slant audit findings in any way (par 3.07)
• External Impairments – occur when auditors are deterred from acting objectively and exercising professional skepticism by pressures, actual or perceived, from management and employees of the audited entity or oversight organization (par 3.10)
• Organizational Independence – can be affected by an audit organization’s place within government and the government entity it is assigned to audit (par 3.12)

General Standards – Personal Impairments
• What are examples of personal impairments?
• What should audit organizations do to prevent and detect personal impairments?
• What should an audit organization do if a personal impairment is identified prior to or during an audit?
• What should an audit organization do if a personal impairment is identified after the pertinent audit report(s) is issued?

General Standards – External Impairments
• External impairments may restrict the auditor’s freedom to make independent and objective judgments
• Conditions are described that may restrict the auditor’s freedom
• Audit organizations should maintain internal policies and procedures for resolving and reporting external impairments
(par 3.10)

General Standards – Organizational Impairments
Organizational independence when
• Reporting Externally to Third Parties
• Reporting Internally to Management
• Performing Non-audit Services

General Standards – Organizational Independence When Reporting Externally to Third Parties:
• Presumptive criteria for appointed and elected auditors
• Safeguards through statutory protections

Organizational Independence When Reporting Internally to Management
Government internal audit org. can be presumed to be free from org. impairments to independence if it meets the following: (par 3.16)
• Accountable to head or deputy head of the gov’t entity
• Required to report results of work to the head or deputy head of the gov’t entity, and
• Located organizationally outside the staff or line management function of the unit under audit
• Has access to those charged with governance

Organizational Impairments When Performing Nonaudit Services – Revisions and Updates
• Moved nonaudit services from “personal impairments” to “organizational impairments”
• Created three categories of nonaudit services, and consolidated and streamlined the examples previously interspersed throughout the independence section:
  – Nonaudit services that do not impair independence
  – Nonaudit services that would not impair independence if supplemental safeguards are complied with
  – Nonaudit services that impair independence

General Standards – Overarching Principles
• Auditors must not perform management functions or make management decisions
• Auditors must not audit their own work or provide nonaudit services in situations where the amounts or services
  involved are significant/material to the subject matter of the audit

General Standards – Substance Over Form Doctrine
Use reasonable judgment and consider:
• The facts and circumstances
• The nature of the nonaudit service
• The significance/materiality to the subject matter of the audit
• The totality of services provided to the audited entity
• Cannot “unbundle” services to circumvent an independence impairment
Source: See GAO's GAS Web Page for "Answers to Independence Standard Questions"

Effect on Auditors Required to Use GAGAS
• Sometimes not appropriate to perform both audit and nonaudit services for the same client
• May need to choose which of these services an audit organization will provide

Nonaudit Services that do not Impair Auditor Independence
• Participation Activities as a Non-voting Member
• Advisory Assistance
• Tools and Techniques

Nonaudit Services that would not Impair Independence if Supplemental Safeguards Implemented
• Expert services
• Basic assistance
Five safeguards must be implemented.

Exercises #2 & 3 - Independence

Example: Providing Information Technology Services
• Limit to advice on system design, system installation, and system security
• Apply the safeguards and have management acknowledge responsibility
• Should not operate or supervise the operation of the entity’s information technology system

“Holistic” Approach
• Nonaudit services provided by one office or unit of an audit organization affect the entire audit organization’s independence as it relates to the audited entity
• Nonaudit services provided to one agency do not affect independence for audits of other agencies
  – Except when the subject matter of the audit involves an area where one of the agencies performs work for, or provides a service to the other
Source: See GAO's GAS Web Page for "Answers to Independence Standard Questions"

General Standards – Professional Judgment
“Auditors must use professional judgment in planning and performing audits and attestation engagements and in reporting the results.”
(par 3.31)

General Standards – Professional Judgment
• What is professional skepticism?
• What is reasonable care?
• What is appropriate evidence?
• What is audit risk?

General Standards – Professional Judgment
Audit staff should
• Observe auditing standards
• Use professional judgment in establishing scope and methodology, to include:
  – determining the sufficiency and appropriateness of evidence to be gathered, and
  – choosing tests and procedures
• Exercise professional skepticism

Exercise #4 - Judgment

General Standards – Competence
“The staff assigned to perform the audit or attestation engagement must collectively possess adequate professional competence for the tasks required.” (par 3.40)
• Staff assigned must collectively possess technical knowledge, skills and experience (par 3.43)
• Maintain professional competence thru CPE
• Meet additional qualifications for financial audit and attestation engagements

General Standards - Quality Control and Assurance
Each audit organization performing audits and/or attestation engagements in accordance with GAGAS must:
• Establish a system of quality control
• Have an external peer review at least once every 3 years.
(par 3.50)

General Standards – Audit Quality Control and Assurance
Clarified that an audit organization’s
– noncompliance with peer review results in a modified GAGAS statement
– noncompliance with the requirements for a system of quality control does not impact the GAGAS statement but is monitored through peer review
– system of quality control also provides reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements
Requirements for system of quality control are consistent with the AICPA proposed statement on Quality Control Standards except that the GAGAS requirements state that reviews of the work and the report that are normally part of supervision are not monitoring controls when used alone

General Standards – Audit Quality Control and Assurance
Added a requirement that the quality control policies and procedures collectively address
» Leadership responsibilities within the audit organization
» Independence, legal, and ethical requirements
» Initiation, acceptance, and continuance of audit and attestation engagements
» Human resources
» Audit and attestation engagement performance, documentation, and reporting
» Monitoring of quality

General Standards – Audit Quality Control and Assurance
Added requirements for
– Audit organizations to analyze and summarize the results of monitoring procedures at least annually
  » Include identification of any systemic issues needing improvement
  » Include recommendations for corrective action

General Standards – Audit Quality Control and Assurance
– External audit organizations to make peer review reports publicly available
  » Does not include letter of comment
  » Can be done by posting the peer review report on an external Web site or to a publicly available file designed for public transparency of peer review results
– Internal audit organizations to provide a copy of the external peer review report to those charged with
  governance
– Government audit organizations should also communicate the overall results and the availability of their external peer review reports to appropriate oversight bodies

General Standards – Audit Quality Control and Assurance
Those audit organizations seeking to enter into a contract to perform a GAGAS audit or attestation engagement should provide the following to the party contracting for such services
» The audit organization’s most recent peer review report and any letter of comment
» Any subsequent peer review reports and letters of comment received during the period of the contract
Auditors who are using another audit organization’s work should request
– The audit organization’s latest peer review report
– Any letter of comment

General Standards – Audit Quality Control and Assurance
• Added guidance to assist auditors and audit organizations in establishing policies and procedures in its system of quality control to address
  – Audit and attestation engagement performance, documentation, and reporting
  – Monitoring of quality
• Added guidance on how to achieve the transparency requirement
• Added guidance for audit organizations to include a description of the peer review process and how it applies to its organization

Audit Quality/Peer Review
Enhanced Quality Assurance Criteria
• Description of overall quality assurance system is made public
• The audit organization has a functioning annual internal quality inspection process that meets the stated criteria
• The audit organization provides its oversight organization with an assertion about the effectiveness of its quality assurance program annually

Chapter 7: Fieldwork Standards for Performance Audits – Additions and Revisions
• Reasonable assurance
• Concept of significance (materiality)
• Audit risk
• Level of assurance in performance audits
• Sufficient, appropriate evidence
• Auditor’s responsibility for fraud
• Auditor’s responsibility for abuse

Chapter 7: Field Work Standards for Performance
Audits
• Reasonable Assurance
• Significance
• Audit Risk
• Planning [MUST]
• Supervision [MUST]
• Sufficient, Appropriate Evidence [MUST]
• Audit Documentation [MUST]

Performance Audits – Reasonable Assurance
Performance audits that comply with GAGAS provide reasonable assurance that evidence is sufficient and appropriate to support the auditor’s findings and conclusions.
(par. 7.03)

Performance Audits – Concept of Significance
Significance is defined as the relative importance of a matter within the context in which it is being considered, in terms of both quantitative and qualitative factors, such as relative magnitude, the nature and effect on the subject matter, and the needs and interests of intended users or recipients.
(par 7.04)

Performance Audits – Concept of Significance
Auditors consider significance when deciding the type and extent of audit work to perform, when evaluating results, and developing the report (par 7.04)
Auditors consider
• quantitative or qualitative factors that would affect auditor findings, conclusions, or recommendations.
• whether the matter would change or influence the judgment of a reasonable person relying on the auditor’s report

Performance Audits – Concept of Significance
• Why is “significance” an important concept to guide performance audits?
• How can “significance” be fully integrated into the performance audit process?

Performance Audits – Audit Risk
Audit risk is the risk that the auditor may provide improper findings, conclusions, recommendations, or assurance because the information obtained is not sufficient or not appropriate, the audit process was inadequate, or intentional omissions or misleading information existed due to misrepresentation or fraud.
(par 7.05)

Performance Auditing Process
• Survey (Annual Planning): What should be audited?
• Planning: What will we focus on and how will we do it?
• Field Work or Findings Development: What are we finding; what does it tell us?
• Reporting: What is our message; what can we conclude and recommend?

Performance Auditing – Planning
• Background
• Risks
• Vulnerabilities

Performance Auditing – Planning Standard
Planning
Auditors must adequately plan, and document the planning of, the work necessary to address the audit objectives.
(par 7.07)

Performance Auditing – Planning Standard
Planning – Audit risk
Auditors must plan the audit so that audit risk is reduced to a level that is sufficiently low for the auditor to provide reasonable assurance that the evidence is sufficient and appropriate to achieve the audit objectives and support the conclusions reached.
(par 7.07)

Performance Auditing – Planning Standard
Planning
• Auditors should assess significance and audit risk and apply these assessments in defining the audit objectives and the scope and methodology to address those objectives.
(par 7.07)

Steps in Planning Audits
• Formulate the objectives
• Select scope and methodology
• Determine staff and other resource needs
• Establish field work and reporting milestones
• Include details in a written audit plan

Steps in Doing Field Work
• Collect data/information
• Analyze information and apply logic
• Assess type and strength of evidence
• Prepare and maintain audit documentation (work papers)
• Develop findings (positive or negative or both)

Planning – Formulate the Audit Objectives
• Objectives are what the audit is expected to accomplish (par 7.08)
• Establish direction for planning and detailed review
• Provide focus for developing findings

Audit Objectives
• Where do audit objectives come from?
• How are audit objectives prioritized?

Develop Audit Objectives – Risk and Vulnerability Process
Rank Risk & Auditability:
• Vulnerability/Final Risk
  – Inherent Risk
    » Risk without controls
  – Control Risk
    » Risk with controls
• Auditability

Develop Audit Objectives – Well Stated Objectives
• Are answerable
• Identify the audit subject
• Identify the performance aspects
• Identify the finding elements expected to be developed

Develop Audit Objectives – Be Answerable
Two ways to state objectives in answerable form:
• As a question or questions
  Is Engineering assessing bridge conditions _______________?
• As a “to determine” statement
  To determine if Engineering is assessing bridge conditions __________________?

Develop Audit Objectives – Identify Audit Subject
• Organization
• Program
• Activity and/or function and/or service

Develop Audit Objectives – Identify Performance Aspects

Planning – Select Scope and Methodology
Scope
• Boundary of audit, e.g., time period, locations, transactions, people
• Should be directly tied to the objectives
Methodology
• Data gathering
• Analytical methods
• Rational argumentation/logic

Exercise #5 & 6 - Objectives

What Performance Auditors Audit:
• Nature and Profile of the Program
• Resources
• Acquisition
• Work process
• Processes (and Controls)
• Outputs
• Delivery
• Outcomes

Internal Control
• What are internal controls?
• What is COSO?
• What are internal control objectives?
• Should information systems controls be audited as part of the performance audit?

Considering Internal Control
Auditors should:
• Obtain an understanding of controls significant within the context of the audit objectives
• Consider whether specific internal control procedures have been properly designed and placed in operation
• When significant to the objectives, plan to obtain sufficient evidence to support judgments about those controls
(par 7.16)

Control Objectives Can Address
• Effectiveness and efficiency of program operations
• Validity and reliability of data
• Compliance with applicable laws and regulations and provisions of contracts or grant agreements
• Safeguarding of resources

COSO and GAO Control Standards
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communications
• Monitoring

COSO ERM FRAMEWORK
• The four objectives categories – strategic, operations, reporting, compliance – are represented by the vertical columns.
• The eight components are represented by horizontal rows.
• The entity and its organizational units are depicted by the third dimension of the matrix.
Source: COSO Enterprise Risk Management Framework

Requirements of Law, Reg., Contract, Grants – Design Audit to Detect Noncompliance
• Determine provisions of laws, regulations, contract or grant applicable to audit objectives.
• Assess risk that illegal acts or violations of those provisions could occur.
• Based on that risk assessment, auditors should design and perform procedures to provide reasonable assurance of detecting violations that are significant within the context of the audit objectives.
(par 7.28)

Identify Potential Illegal Acts and Significant Abuse
• Consider risks due to fraud that could significantly affect the audit objectives and the results of the audit
• Be alert to situations or transactions that could be indicative of fraud or significant abuse
  – Be aware of inherent risk areas
  – Be alert to “red flag” indicators
  – Design planning process to provide reasonable assurance of detecting potential fraud that is within the audit scope

Performance Audits – Planning
Auditors’ responsibility for fraud
• In planning the audit, auditors should assess risks of potential significant fraud within the scope of the audit objectives.
• Auditors should
  – discuss potential fraud risks with management and the audit team
  – gather and assess information necessary to identify potential fraud risks
• When auditors identify risk of significant fraud, they should design procedures to provide reasonable assurance of detecting potential fraud significant to the audit objectives.

Some Indicators of Potential Fraud
• Unsupported costs
• Inventory shortages
• Unexplained overruns
• Contracts not documented or monitored
• Defective materials
• Altered documents
• Unauthorized subcontracting
• Bid rigging
• Mis-charged costs
• Unallowable costs
• Excessive overtime
• Conflicts of interest
• No duties separation

Performance Audits – Planning
Auditors’ responsibility for abuse
If auditor becomes aware of indications of significant abuse, auditors perform audit procedures to determine
1. whether abuse has occurred, and
2. the potential effect on the subject matter of the audit.
However, because the determination of abuse is subjective, auditors are not required to provide reasonable assurance of detecting abuse.

Performance Audit Fieldwork – Identifying Audit Criteria
• Objectivity
• Measurability
• Completeness
• Relevant
(par 7.37)

Program Performance – Developing Criteria
Government Performance Expectations
MISSION PERFORMANCE GOALS
• INPUT ECONOMY
  – Financial: Amount, timing
  – Physical: Quantity, quality; Timing, price
• PROCESS EFFICIENCY
  – Productivity
  – Unit Cost
  – Operating Ratios
• OUTPUT EFFECTIVENESS
  – Quantity
  – Quality: products, delivery
  – Timeliness
  – Price/Cost
• OUTCOME EFFECTIVENESS
  – Mission & Outcome Goal Achievement
  – Financial Viability
  – Cost-Benefit
  – Cost-Effectiveness
CROSSCUTTING PERFORMANCE GOALS
• Compliance with Laws and Regulations
• Resources - Safeguarding - Infrastructure
• Continuous Improvement
• Reliability, Validity, Availability of Information
• Underlying Values
• Customer and Stakeholder Satisfaction

Sources of Criteria for Establishing or Asserting Performance Expectations
• Historical trends and baselines
• Program requirements or intent
• Customer expectations or demands
• Industry or sector standards
• Benchmarking within the organization
• Benchmarking outside the organization

Field Work Standard – Planning
Planning Steps Also Include:
• Identifying sources of audit evidence
• Considering work of others
• Assigning staff and other resources
• Communicating with stakeholders
• Preparing the audit plan

Field Work Standard – Supervision
Staff must be properly supervised
Elements include:
• Providing guidance to staff members
• Communicating clearly with staff
• Staying informed about significant problems encountered
• Reviewing the work performed
• Providing effective on-the-job training

Exercise #7 - Supervision

Field Work Standard – Evidence
Sufficient, Appropriate Evidence
• Appropriate evidence is defined as a measure of quality, which encompasses relevance, reliability, and validity in providing support for audit objectives.
Sufficiency is defined as a measure of quantity and is evaluated based on the collective audit evidence supporting the findings, conclusions, or recommendations related to the audit objectives. GAS-116 Field Work Standard – Evidence Appropriateness of Evidence (Quality) Relevance Validity Reliability GAS-117 Field Work Standard – Evidence Sufficiency of Evidence (Quantity) The greater the audit risk, the greater the quantity of evidence required Stronger evidence may allow less evidence to be used Large volume of evidence does not compensate for lack of relevance, validity, or reliability GAS-118 Field Work Standard – Types of Evidence GAGAS focus is on the sources of evidence and methods of obtaining evidence. (par 7.60) Appendix cites following types (A7.02): Physical Documentary Testimonial GAS-119 Field Work Standard – Evidence Is Better If… Developed from system with good controls Obtained directly by auditor Documents are originals Provider is free to speak Provider is knowledgeable Obtained from 3rd party (par 7.60) GAS-120 Field Work Standard – Evidence Why Classification of Evidence is Helpful: Method of collecting each type differs Competence of evidence depends in part on the type Methods of assuring competence differ GAS-121 Physical Evidence Physical Evidence Anything that is apparent to the senses – it can be heard, felt, smelled, tasted and seen, and can be described. Common forms: Creatures of all types; Man-made physical resources; Natural resources; Activities of people; Events GAS-122 Physical Evidence Strengths • Most reliable • More persuasive Weaknesses • May not be what it appears • May be staged • May differ from yesterday GAS-123 Documentary Evidence Documentary Evidence Data in written and graphic form gathered and prepared by someone other than the auditor.
Common forms: Paper; Electronic; Film GAS-124 Documentary Evidence Strengths • Most common type used in audit work • Relatively inexpensive to obtain Weaknesses • Generally cannot be accepted as reliable; some checking is necessary GAS-125 Testimonial Evidence Testimonial Evidence Data obtained directly from people in response to inquiries from the auditor or other persons. It may be oral or written — It may represent personal knowledge and fact, or opinion and belief GAS-126 Testimonial Evidence Strengths • May be valuable leads not readily obtainable in other ways • May be the only source Weaknesses • Least reliable evidence • It may be false, biased, incomplete GAS-127 Analytical Evidence – Not Considered a Type of Evidence Analytical Evidence Comes from the auditor’s analysis and logical reasoning using data previously obtained Determines the sufficiency and appropriateness of evidence collected through physical, documentary, and testimonial methods Common analytical methods – Comparison – Computations (measurement, etc.)
– Separation of information into components – Rational argumentation GAS-128 Analytical Evidence Strengths • Versatility • Powerful form of evidence Weaknesses • Competence dependent on auditor skill • Potential for auditor bias GAS-129 Assuring Reliability – of Physical Evidence Physical evidence is its own objective reality May need validation to affirm that it is what it purports to be Competence depends on the auditor’s observation skills and the methods of documenting, recording and measuring the observations GAS-130 Assuring Reliability – of Physical Evidence Methods to corroborate auditor observations: • Have a second observer • Take a picture and have it authenticated by a third party • Have an agency person document concurrence with the auditor’s description • Special testing (e.g., laboratory analysis) GAS-131 Assuring Reliability – of Documentary Evidence Data from 3rd Parties: • Inquire into their professional reputation, qualifications, and independence • Check to see if the data have been audited, or if their auditors will audit it or if you can audit it • Ask users, and assess the reliability of the input data GAS-132 Assuring Reliability – of Documentary Evidence When data are found to have errors and auditors are not able to confirm their reliability, it may be necessary to: • Seek evidence from other sources. • Redefine the audit’s objectives to eliminate the need to use the data. • Use the data, but indicate in the report the data’s limitations and refrain from making unwarranted conclusions or recommendations.
GAS-133 Assuring Reliability – of Testimonial Evidence Competence is dependent on: The person interviewed being credible — He/she can be relied upon to be truthful — He/she is not reluctant to provide the data The skill of the auditor in… — Asking questions — Recording the responses — Interpreting the results GAS-134 Assuring Reliability – of Analytical Evidence Competence of analytical evidence depends on the knowledge and skill of the auditor, and the auditor’s objectivity and the quality of the data used in preparing the analysis. GAS-135 Assuring Reliability – of Analytical Evidence Ways to assure competence: Supervisory review Expert review Review by knowledgeable client staff Review by knowledgeable uninterested persons GAS-136 Assessment of Evidence Overall Assessment of Evidence 1. Considered to be sufficient and appropriate 2. Considered to be not sufficient and appropriate 3. Considered to be of undetermined sufficiency and appropriateness (par 7.70) GAS-137 Exercise #8 - Evidence GAS-138 Findings – Identify Finding Elements Findings are often regarded as containing the elements of Condition, Criteria, Effect and Cause Auditors may be asked or choose to develop only selected elements Elements needed for a finding depend on the objectives of the audit (par 7.72) GAS-139 Findings – Elements of a Causal Finding Criteria – what should be or could be Condition – what is (usually in comparison to criteria) Effect – so what Cause – why GAS-140 Findings – What Elements to Develop? Do we want to: Describe what is being done? Determine if a problem exists? Establish the effect? Identify the cause? Recommend a solution? Learn the impact of an intervention? Make a cost and benefit analysis? GAS-141 Findings – Traditional: Example Objectives Is Engineering assessing bridge conditions efficiently? • If not, what is the effect? • If significant, what are the causes? Is the Collection Agency collecting delinquent student loans timely?
• If not, what are the consequences? • If significant, what actions should be taken? GAS-142 Field Work Standards – Audit Documentation Auditors must prepare audit documentation related to planning, conducting and reporting for each audit. Auditors should prepare audit documentation that contains support for findings, conclusions and recommendations before they issue their report. (par 7.77) GAS-143 Audit Documentation – Purposes Provide principal support for the auditors’ report Aid the auditors in conducting and supervising the audit (to assure that objectives are met, findings are supported and standards are followed) Allow for the review of audit quality (par 7.79) GAS-144 Audit Documentation – Contents Objectives, scope and methodology (including audit samples) Auditor’s determination about standards that do not apply or were not followed with an explanation Work performed to support significant judgments and conclusions, including descriptions of transactions and records examined Evidence of supervisory review of work done GAS-145 Audit Documentation – Preparation Principles Complete and accurate Relevant Clear and understandable Legible and neat Prepared and documented in a standardized format GAS-146 Audit Documentation – Cross-Referencing Audit program to audit documentation One audit document to another, usually from lead schedules or summary to supporting documentation Audit report (or draft) to audit documentation Audit documentation to audit report GAS-147 Audit Documentation – Safeguarding “Audit organizations should establish reasonable policies and procedures for the safe custody and retention of audit documentation for a time sufficient to satisfy legal and administrative requirements.” (par 7.82) GAS-148 Audit Documentation – Safeguarding Take special precautions with: Report drafts Proprietary data Classified information Personal privacy data Plans for future agency operations Other unclassified sensitive information GAS-149 Chapter 8: Reporting 
Standards for Performance Audits Reporting Contents Issuance and Distribution Note: GAGAS no longer has a “Report Quality” standard but see Appendix One, Supplemental Guidance for Chapter 8: Report Quality Elements GAS-150 Reporting Standards for Performance Audits: Additions and Revisions GAGAS statement in auditor’s report If auditors comply with GAGAS in all respects, they should include the following language in the report: “We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence that provides a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.” GAS-151 Reporting Standards – Reporting Auditors must prepare audit reports communicating the results of each audit. The form of the audit report should be appropriate for its intended use, but should be written or in some retrievable form Briefing slides may be considered audit reports Electronic media may be used to convey report information (par 8.03, 8.04) GAS-152 Reporting Standards – Reporting Purpose of a retrievable report (par 8.05) Communicates to officials at all levels Makes results less susceptible to misunderstanding Makes results available for public inspection Facilitates follow up to determine if corrective actions taken GAS-153 Report Discloses What auditors did Objectives, scope & methodology, background What auditors found Overview section or paragraph, details addressing elements of finding What should be done Recommendations, auditee comments GAS-154 Reporting Standards – Report Contents Questions: What sections does an audit report contain? For which sections does GAGAS cite requirements and guidance on the content and presentation? 
GAS-155 Reporting Standards – Report Contents The audit report should include: (par 8.08) Objectives and scope and methodology Audit results – Findings, Conclusions, and Recommendations as appropriate Statement on compliance with GAGAS Views of responsible officials Nature of any privileged and confidential information omitted, if applicable GAS-156 Report Contents Standard – Objectives Objectives: Component of Report Explain why the assignment was undertaken State what the report is to accomplish Perhaps, state objectives that were not pursued (par 8.10) GAS-157 Report Contents Standard – Scope and Methodology Requirement for Presenting the Audit Scope and Methodology: What is the purpose in reporting the scope and methodology? What edition of GAGAS first called for describing the scope and methodology in audit reports? GAS-158 Report Contents Standard – Scope and Methodology Readers need information on OS&M To understand the audit purpose To understand the nature of the audit work performed To understand any significant limitations For perspective on what is reported (to judge merits of the audit work and what is reported) (par 8.09) GAS-159 Report Contents Standard – Scope Scope: Describes depth and coverage of work conducted (par 8.11, 8.12) Explain relationship between population and items sampled and what was audited Identify organizations, geographic locations, and period covered Report kinds and sources of evidence and any limitations Significant constraints imposed on the audit GAS-160 Report Contents Standard – Methodology Methodology: Explain the evidence gathering and analysis techniques used Describe any comparative techniques applied Describe the criteria used Describe sampling design and why it was chosen and if results can be projected (par 8.13) GAS-161 Exercise #9 - Reporting GAS-162 Report Contents Standard – Findings Findings Report findings by providing credible evidence that relates to the audit objectives Findings should be supported by 
sufficient, appropriate (relevant & reliable) evidence Present in manner to promote understanding and provide convincing but fair presentation in proper perspective Provide selective background information GAS-163 Report Contents Standard – Findings Findings The elements needed for a finding depend on the audit objectives Thus, a finding or set of findings is complete to the extent that the audit objectives are satisfied and the report clearly relates those objectives to the elements of the finding GAS-164 Report Contents Standard – Findings Findings The audit report should include: Significant deficiencies in internal controls – Deficiencies in controls may be the cause of deficient performance Instances of fraud and illegal acts Significant violations of provisions of contracts or grants Significant abuse GAS-165 Exercise #10- Findings GAS-166 Reporting Standards – Report Distribution Government auditors should submit audit reports to: Those charged with governance Appropriate officials of the organizations requiring or arranging for the audits Officials having legal oversight authority or for acting on findings and recommendations Others authorized to receive such reports Make available to public unless legal restrictions prevent it GAS-167 Why Should Auditors Care? Credibility Quality Work Professional Standing Competence & Integrity Independence & Objectivity Standards GAS-168 Why Should Audit Clients Care? Assurance/Accountability Better Government Public Trust GAS-169 Conclusion — Auditors will continue to conduct value added audits but will also offer new services Balancing the accountability vs. 
consultant auditor Creating “audigators” to prevent, detect, investigate, and correct integrity violations Certifying/Attesting to relevance and reliability of performance measures and reports Conducting partnership audits and quick response audits Conducting nonaudit services including control self-assessment and system design Question: Are you excited to be an auditor in the 21st century? GAS-170 Reference Materials • Yellow Book is available on GAO’s website: http://www.gao.gov/govaud/ybk01.htm • Technical assistance, contact GAO staff: http://www.yellowbook@gao.gov GAS-171 References (Continued) Texas State Agency Internal Audit Forum – Peer Review Process http://www2.dir.state.tx.us/sponsored/sacc/Pages/SAIAF-PeerReviewProcess.aspx IIA Professional Practices Framework http://www.theiia.org/guidance/standards-and-guidance/ GAS-172 References (Continued) IS Auditing Standards http://www.isaca.org/KNOWLEDGECENTER/STANDARDS/Pages/default.asp GAO: Government Audit Standards & IIA International Professional Practices Framework – A Comparison – IIA www.theiia.org/download.cfm?file=39377 GAS-173 It is all right to forget your mistakes If you remember their lessons Anonymous GAS-174 Summary & Questions GAS-175 CLOSING THOUGHT “If you come to a fork in the road, take it.” Yogi Berra – New York Yankee Catcher Contact Information Phil Flora efafvain@io.com GAS-177