Financial Audit Manual Vol.01


  • 8/8/2019 Financial Audit Manual Vol.01

    1/523

    Source: GAO

    United States Government Accountability Office

    President's Council on Integrity & Efficiency (PCIE)

    Financial Audit Manual

    VOLUME 1

    GAO-08-585G

    July 2008


    July 2008

    TO AUDIT OFFICIALS, AGENCY CFOS, AND OTHERS INTERESTED IN FEDERAL FINANCIAL AUDITING AND REPORTING

    This letter transmits the revised Financial Audit Manual (FAM) Volume 1 of the Government Accountability Office (GAO) and the President's Council on Integrity and Efficiency (PCIE). GAO and the PCIE issued the joint FAM in July 2001. The FAM presents a methodology to perform financial statement audits of federal entities in accordance with professional standards. We have updated the FAM for significant changes that have occurred in auditing financial statements in the U.S. government since the last major revisions to the FAM were issued in July 2004.

    To help the FAM continue to meet the needs of the federal audit community and the public it serves, GAO and the PCIE created a joint FAM Working Group. The Group is comprised of auditors from GAO and several Offices of the Inspectors General experienced in conducting audits of federal entity financial statements. Through a collaborative effort, the FAM Working Group prepared a revised FAM Volume 1 that contains the audit methodology. A revised FAM Volume 2 that contains audit tools is being issued separately. FAM Volume 3, which contains checklists for Federal Accounting (FAM 2010) and Federal Reporting and Disclosures (FAM 2020), was issued on August 28, 2007 (GAO-07-1173G).

    On October 5, 2007, we issued exposure drafts of FAM Volumes 1 and 2 for an extended public comment period that ended on January 31, 2008. We received 15 letters of comment which have been considered in this issued version of FAM Volume 1, as well as FAM Volume 2.

    The revisions to the FAM are primarily due to changes in (1) professional auditing and attestation standards of the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA); (2) Government Auditing Standards issued by GAO; (3) audit and reporting guidance issued by the Office of Management and Budget (OMB); (4) accounting standards issued by the Federal Accounting Standards Advisory Board (FASAB); and (5) laws.

    Summary of Major Revisions and Improvements for FAM Volume 1

    FAM Volume 1 incorporates changes based on (1) AICPA Statement of Auditing Standards (SAS) Nos. 100 through 114, which include the audit risk standards (SAS Nos. 104 through 111); (2) Government Auditing Standards (July 2007 Revision); (3) audit guidance in OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements (September 4, 2007); and (4) financial reporting guidance in revised OMB Circular No. A-136, Financial Reporting Requirements (June 29, 2007).


    FAM Volume 1 also includes the effects on financial audits of FASAB accounting concepts and standards issued through May 31, 2007. This includes accounting, reporting, and disclosure requirements for social insurance, heritage assets and stewardship land, and earmarked funds. Finally, throughout the updated FAM Volume 1, revisions were made for new terminology, changes in the federal audit environment, and effects of applicable laws. A table of major changes to FAM Volume 1 is presented in attachment 1 to this letter.

    This FAM Volume 1 supersedes previously issued versions of FAM Volume 1 through July 2004 and can be used to audit federal entity financial statements for the fiscal year ended September 30, 2008.

    * * * * *

    Should you need additional information, please contact us at [email protected] or call GAO's Financial Management and Assurance Assistant Directors Roger Stoltz, at (202) 512-9408; or Janet Krell, at (202) 512-4716; Director Steve Sebastian at (202) 512-9521; or PCIE FAM Working Group Leaders Alex Biggs, at (202) 693-5258; or Joel Grover, at (202) 927-5768. Other GAO FAM Project Team and PCIE FAM Working Group members are presented in attachment 2 of this letter.

    Sincerely yours,

    /Signed/ /Sig

    McCoy Williams
    Managing Director
    Financial Management and Assurance
    U.S. Government Accountability Office

    The Honorable Jon T. Rymer
    Chair, Audit Committee
    President's Council on Integrity and Efficiency

    Attachments and enclosures


    Attachment 1


    Table of Major Changes to FAM Volume 1

    FAM section | Major change

    100-500 | The audit risk standards (SAS Nos. 104-111), effective for audits of financial statements for periods beginning on or after December 15, 2006, provide guidance concerning the auditor's assessment of the risk of material misstatement (whether caused by error or fraud) in a financial statement audit and the design and performance of audit procedures whose nature, extent, and timing respond to assessed risks. These standards also provide guidance on planning and supervision, the nature of audit evidence, and evaluating whether the audit evidence obtained affords a reasonable basis for an opinion on the financial statements. While the FAM has always used a risk-based methodology, many changes were made throughout FAM Volume 1 to comply with the terminology and guidance of the risk standards, particularly in FAM 200 on audit planning.

    110.28 | "Must" as used in the FAM now indicates a required procedure (mostly by professional standards) where the auditor's failure to perform means the auditor will not be able to express an unqualified opinion on the entity's financial statements. Minor clarifications have been made to the definitions of the related terms "should," "generally should," and "may."

    215, 215 A, 215 B | These are new sections of the FAM that address establishing an understanding with the client. They include guidance for identifying the client and those charged with governance in the federal environment; issues of audit scope; matters to be communicated to management and those charged with governance (following SAS Nos. 112 and 114, and GAGAS); and the use of engagement, intent, notification, and commitment letters. FAM 215 A provides two examples of an engagement letter (SAS No. 108), and FAM 215 B provides an example of a letter to those charged with governance. Some of this information was previously in FAM 280.06-.09.

    230.05 | The term "test materiality" was changed to "tolerable misstatement," consistent with SAS No. 107.

    235 | The definitions of the assertions were revised to be consistent with SAS No. 106. This standard identifies 13 financial statement assertions, which are grouped in the FAM into 5 assertions, as shown in FAM 235.08. The revised assertion definitions do not significantly affect the related potential misstatement definitions in the FAM used for audit planning and testing.


    260 | The term "combined risk" was changed to "risk of material misstatement" and is the auditor's combined assessment of inherent risk and control risk (SAS No. 107). FAM 260.13-.17 now discuss identification and communication of the risk of material misstatement among the audit team, including brainstorming sessions (SAS No. 109). FAM 260.67-.70 have been added to discuss work conducted under the Federal Information Security Management Act of 2002 and its relationship to the auditor's risk assessment.

    285 | When planning locations to visit, the auditor now should rely only on controls tested for the current year and past 2 years, after determining that there were no changes (SAS No. 110), rather than the previous 5 years.

    290 | Documentation requirements were expanded to include the understanding established with the client (FAM 215); audit strategy (SAS No. 108.13-.14) as part of the General Risk Analysis; effect of the risk of material misstatement, including fraud risk on the audit strategy; changes to the assessment of risk of material misstatement, including fraud risk during the audit (SAS No. 109); audit plan/procedures expected to reduce audit risk to an acceptably low level (SAS No. 108); and communication of audit issues (FAM 290.11) to include those charged with governance (SAS No. 112 and 114).

    295 B | FAM 295 B.12 expands identifying and analyzing risks of material misstatements (SAS No. 109) within the entity's risk assessment process. FAM 295 B.17 includes consideration of OMB Circular No. A-123 reviews.

    310 | The overview was expanded in FAM 310.01 on how the auditor should use results of internal control work and a new FAM 310.02 explains that auditors may no longer default to maximum for the control risk assessment when designing further audit procedures (SAS No. 110). New FAM 310.11-.13 discusses use of SAS No. 70 reports in the financial audit.

    320 | FAM 320.03 expanded the discussion of the auditor's understanding of the accounting system(s).

    350 | A new FAM 350.21 expanded the discussion regarding the timing of control tests that was formerly in FAM 350.17.

    380 | FAM 380.01 expanded the discussion of multiyear testing of controls (SAS No. 110).


    390 | A new FAM 390.03 was created to document audit procedures and conclusions on multiyear testing.

    410 | The overview was reorganized to better present the audit work to be done during the testing phase.

    420 | New FAM 420.01-.02 were created to explain designing further audit procedures.

    450 | A new FAM 450.01 was added on performing tests of controls.

    470 | FAM 470.01-.03 were revised to discuss substantive procedures and detection risk.

    475 | FAM 475.04 was added for designing substantive analytical procedures as discussed in SAS No. 110.

    490 | FAM 490.01-.04 was revised for documenting assessed risk of material misstatement at the relevant assertion level (SAS No. 110) and for classifying deficiencies as material weaknesses, other significant deficiencies, or other control deficiencies (SAS No. 112).

    540 | FAM 540.07-.08 were revised for discussing misstatements with management and those charged with governance (SAS No. 114).

    550 | FAM 550.13-.16 were added to discuss communication with those charged with governance (SAS No. 114).

    580 | FAM 580.01 was revised to indicate that non-GAO auditors may report FFMIA with compliance with laws and regulations. FAM 580.33-.34 were revised and FAM 580.35 was added on control deficiency, significant deficiency, and material weakness (SAS No. 112). FAM 580.82 on other information in the annual financial statement was expanded through FAM 580.84. A new FAM 580.85 was added on dating the auditor's report (SAS No. 103); new FAM 580.86-.87 was added on other reporting matters concerning restatements and information contained in the Performance and Accountability Report.

    590 | FAM 590.08-.10 have been added for documenting subsequent discovery of facts, condensed financial statements, and exit conference.


    595 A | A new example 2 report was added for reporting internal control deficiencies without expressing an opinion on control effectiveness. Both example reports reflect new terminology consistent with changes in professional standards. Both examples indicate that non-GAO auditors may report FFMIA with compliance with laws and regulations.

    595 B | Example modifications to the auditor's report were revised for terminology in new standards.

    595 C | New narrative in FAM 595 C.01-.15 was added for discussing uncorrected misstatements and adjusting entries with management (SAS No. 107) and those charged with governance (SAS No. 114). Also, new examples are provided of the Schedule of Uncorrected Misstatements and the Summary of Uncorrected Misstatements.

    595 D | Example Summary of Unadjusted Misstatements has been eliminated, and examples are now provided in FAM 595 C.


    Attachment 2


    GAO FAM Project Team

    McCoy Williams, Managing Director

    Steven J. Sebastian, Director

    Robert F. Dacey, Chief Accountant

    Abraham D. Akresh, Senior Level Expert for Auditing Standards

    Roger R. Stoltz, Assistant Director

    Janet M. Krell, Assistant Director

    Corinne P. Robertson, Senior Auditor and Project Manager

    William E. Boutboul, Project Manager

    Charles R. Fox, Project Manager

    Suzanne Murphy, Project Manager

    Vera M. Seekins, Senior Auditor

    Sharon O. Bryd, Audit Sampling Specialist

    Francis L. Dymond, Assistant General Counsel

    Jacquelyn N. Hamilton, Deputy Assistant General Counsel

    PCIE FAM Working Group Members

    The Honorable John P. Higgins, Jr., Chairman, Audit Committee, PCIE

    Alex Biggs, PCIE Working Group Leader, Office of Inspector General, U.S. Department of Labor

    Joel Grover, PCIE Working Group Leader, Office of Inspector General, U.S. Department of Treasury

    Debra Alford, Office of Inspector General, U.S. Department of Defense

    Morgan Aronson, Office of Inspector General, U.S. Department of Interior

    Ade Bankole, Office of Inspector General, U.S. Department of Treasury

    Susan Barron, Office of Inspector General, U.S. Department of Treasury

    Paul Curtis, Office of Inspector General, Environmental Protection Agency

    Mary Harmison, Office of Inspector General, Federal Trade Commission

    Mark L. Hayes, Office of Inspector General, U.S. Department of Justice

    David S. Laun, Office of Inspector General, U.S. Department of Justice

    Marie Maguire, Office of Inspector General, National Science Foundation

    Kelly A. McFadden, Office of Inspector General, U.S. Department of Justice

    Joon Park, Office of Inspector General, U.S. Department of Labor

    Kieu Rubb, Office of Inspector General, U.S. Department of Treasury

    Gregory Spencer, Office of Inspector General, U.S. Department of Education


    Contents


    100 INTRODUCTION

    110 Overview of the FAM Methodology

    200 PLANNING PHASE

    210 Overview of the Planning Phase
    215 Establish an Understanding with the Client
    220 Understand the Entity's Operations
    225 Perform Preliminary Analytical Procedures
    230 Determine Planning and Design Materiality and Tolerable Misstatement
    235 Identify Significant Line Items, Accounts, Assertions, and RSSI
    240 Identify Significant Cycles, Accounting Applications, and Financial Management Systems
    245 Identify Significant Provisions of Laws and Regulations
    250 Identify Relevant Budget Restrictions
    260 Identify Risk Factors
    270 Determine Likelihood of Effective Information System Controls
    275 Identify Relevant Operations Controls to Evaluate and Test
    280 Plan Other Audit Procedures
        • Inquiries of Legal Counsel
        • Management Representations
        • Related Party Transactions
        • Sensitive Payments
        • Other Planning Issues
    285 Plan Locations to Visit
    290 Documentation

    Appendixes to FAM 200

    215 A Sample Audit Engagement Letter to a Federal Entity
    215 B Sample Letter to Those Charged With Governance
    295 A Potential Inherent Risk Conditions
    295 B Potential Control Environment, Risk Assessment, Communication, and Monitoring Weaknesses
    295 C An Approach for Multiple-Location Audits
    295 D Interim Substantive Testing of Balance Sheet Accounts
    295 E Effect of Risk of Material Misstatement on Extent of Audit Procedures
    295 F Types of Information System Controls
    295 G Budget Controls
    295 H Laws Identified in OMB Audit Guidance and Other General Laws
    295 I Examples of Auditor Responses to Fraud Risks
    295 J Steps in Assessing Information System Controls


    300 INTERNAL CONTROL PHASE

    310 Overview of the Internal Control Phase
    320 Understand Information Systems
    330 Identify Control Objectives
    340 Identify and Understand Relevant Control Activities
    350 Determine the Nature, Extent, and Timing of Control Tests and Compliance with FFMIA
    360 Perform Nonsampling Control Tests and Test Compliance with FFMIA
    370 Assess Internal Control on a Preliminary Basis
    380 Other Considerations
    390 Documentation

    Appendixes to FAM 300

    395 A Typical Relationships of Accounting Applications to Line Items/Accounts
    395 B Financial Statement Assertions, Potential Misstatements, and Control Objectives
    395 C Typical Control Activities
    395 D Selected Statutes Relevant to Budget Execution
    395 E Budget Execution Process
    395 F Budget Control Objectives
    395 FS Budget Control Objectives for Federal Credit Reform Act
    395 G Multiyear Testing of Controls
    395 H Specific Control Evaluation Worksheet
    395 I Account Risk Analysis Form

    400 TESTING PHASE

    410 Overview of the Testing Phase
    420 Design the Nature, Extent, Timing, of Further Audit Procedures
    430 Design Tests
    440 Perform Tests and Evaluate Results
    450 Sampling Control Tests
    460 Compliance Tests
    470 Substantive Procedures Overview
    475 Substantive Analytical Procedures
    480 Substantive Detail Tests
    490 Documentation

    Appendixes to FAM 400

    495 A Substantive Analytical Procedure Determinations
    495 B Example Procedures for Tests of Budget Information
    495 C Guidance for Interim Testing
    495 D Example of Audit Matrix with Statistical Risk Factors
    495 E Sampling
    495 F Manually Selecting a Monetary Unit Sampling


    500 REPORTING PHASE

    510 Overview of the Reporting Phase
    520 Perform Overall Analytical Procedures
    530 Reassess Materiality and Risk
    540 Evaluate Misstatements
    550 Conclude Other Audit Procedures
        • Obtain Legal Representation
        • Identify Material Subsequent Events
        • Obtain Management Representations
        • Assess Related Party Transactions
        • Communicate With Those Charged With Governance
    560 Determine Conformity with U.S. Generally Accepted Accounting Principles
    570 Determine Compliance with GAO/PCIE Financial Audit Manual
    580 Draft Reports
        • Report Format
        • Financial Statements
        • Internal Control
        • Financial Management Systems
        • Compliance with Laws and Regulations
        • Other Information in the Annual Financial Report
        • Dating the Auditor's Report
        • Restatement of Audited Financial Statements
        • Other Reporting Matters
    590 Documentation

    Appendixes to FAM 500

    595 A Example Unqualified Auditor's Report
    595 B Example Modifications to the Auditor's Report
    595 C Uncorrected Misstatements and Adjusting Entries

    APPENDIXES

    A Consultations
    B Instances Where the Auditor "Must" Comply in the FAM

    GLOSSARY

    ABBREVIATIONS

    INDEX


    SECTION 100

    Introduction


    Figure 100 Overview of the FAM Methodology

    Planning Phase | FAM
    Establish an Understanding with the Client | 215
    Understand the Entity's Operations | 220
    Perform Preliminary Analytical Procedures | 225
    Determine Planning and Design Materiality and Tolerable Misstatement | 230
    Identify Significant Line Items, Accounts, Assertions, and RSSI | 235
    Identify Significant Cycles, Accounting Applications, and Systems | 240
    Identify Significant Provisions of Laws and Regulations | 245
    Identify Relevant Budget Restrictions | 250
    Identify Risk Factors | 260
    Determine Likelihood of Effective Information System Controls | 270
    Identify Relevant Operations Controls to Evaluate and Test | 275
    Plan Other Audit Procedures | 280
    Plan Locations to Visit | 285
    Documentation | 290

    Internal Control Phase | FAM
    Understand Information Systems | 320
    Identify Control Objectives | 330
    Identify and Understand Relevant Control Activities | 340
    Determine the Nature, Extent, and Timing of Control Tests and Compliance with FFMIA | 350
    Perform Nonsampling Control Tests and Test Compliance with FFMIA | 360
    Assess Internal Control on a Preliminary Basis | 370
    Other Considerations | 380
    Documentation | 390

    Testing Phase | FAM
    Design the Nature, Extent, and Timing of Further Audit Procedures | 420
    Design Tests | 430
    Perform Tests and Evaluate Results | 440
    Sampling Control Tests | 450
    Compliance Tests | 460
    Substantive Procedures -- Overview | 470
    Substantive Analytical Procedures | 475
    Substantive Detail Tests | 480
    Documentation | 490

    Reporting Phase | FAM
    Perform Overall Analytical Procedures | 520
    Reassess Materiality and Risk | 530
    Evaluate Misstatements | 540
    Conclude Other Audit Procedures | 550
    Determine Conformity with U.S. GAAP | 560
    Determine Compliance with GAO/PCIE Financial Audit Manual | 570
    Draft Reports | 580
    Documentation | 590


    110 Overview of the FAM Methodology

    .01 This introduction provides an overview of the methodology of the Government Accountability Office (GAO) and the President's Council on Integrity and Efficiency (PCIE) for performing financial statement audits of federal entities. It describes how the methodology in the Financial Audit Manual (FAM) relates to relevant professional auditing and attestation standards and Office of Management and Budget (OMB) guidance, and outlines key issues to be considered in using the methodology.

    .02 The purposes of performing financial statement audits of federal entities include providing decision makers (financial statement users) with assurance as to whether the financial statements are reliable [presented fairly in all material respects, in accordance with U.S. generally accepted accounting principles (U.S. GAAP)], report deficiencies in internal control, and, in certain circumstances, provide an opinion on the effectiveness of internal control, and report on noncompliance with laws and regulations tested. To achieve these purposes, the FAM approach to federal financial statement audits involves four phases -- Planning, Internal Control, Testing, and Reporting -- which are outlined in the rest of this section. In broad terms, the auditor

    • adequately plans the audit to obtain sufficient appropriate evidence;

    • understands the design of the entity's internal control; determines whether the design has been implemented; assesses the risks of material misstatements; designs appropriate tests of controls and substantive procedures; and, for Chief Financial Officers (CFO) Act agencies and their components as designated by OMB, determines whether financial management systems substantially comply with the three requirements of the Federal Financial Management Improvement Act of 1996 (FFMIA): (1) federal financial management systems requirements, (2) applicable federal accounting standards,[1] and (3) the U.S. Government Standard General Ledger (SGL) at the transaction level;[2]

    • tests the significant assertions related to the financial statements, internal control effectiveness, and compliance with laws and regulations; and

    • reports the results of audit procedures performed, and performs other audit procedures to complete the audit in accordance with generally accepted government auditing standards (GAGAS).

    The FAM audit phases are illustrated in the FAM methodology overview in figure 100 and are summarized in the following pages of this section.[3]

    [1] The American Institute of Certified Public Accountants (AICPA) has recognized the Federal Accounting Standards Advisory Board (FASAB) as the accounting standards-setting body for federal government entities under Rule 203 of the AICPA's Code of Professional Conduct. Thus, FASAB standards are recognized as U.S. GAAP for federal entities. However, some federal entities, including government corporations and certain others, are required by law, regulation, or policy to publish financial statements using U.S. GAAP issued by the Financial Accounting Standards Board (FASB). For such entities, FASAB provides general principles. See FASAB's Statement of Federal Financial Accounting Standards No. 8, paragraph .40.

    [2] Testing for compliance with FFMIA is efficiently accomplished, for the most part, as part of the work done in understanding agency systems in the internal control phase of the audit.

    Planning Phase

    .03 Although planning continues throughout the audit, the objectives of this initial phase are to gain an understanding of the entity to be audited; to understand its environment, including internal control; to identify significant areas for audit; and to design effective and efficient audit procedures. To accomplish this, the methodology includes guidance in

    • establishing an understanding about the audit with the client, entity management, and those charged with governance;

    • understanding the entity's operations and its environment, including its organization, management style, internal control, and internal and external factors influencing its operating environment;

    • performing analytical procedures to assist in planning the audit;

    • identifying significant accounts, accounting applications, and financial management systems; important budget restrictions; significant provisions of laws and regulations; and relevant internal controls;

    • determining the likelihood of effective information system (IS) controls;

    • identifying assertions and using them in planning the audit;

    • determining materiality for the financial statements including tolerable misstatement (formerly test materiality) for accounts and related assertions;

    • performing a preliminary risk assessment to determine the risk of material misstatement, whether by error or fraud; and

    • developing the audit strategy and audit plan, including entity field locations to visit.

    Based on evidence obtained throughout the audit, the auditor should monitor and revise, if needed, preliminary assessments made during the planning phase for risk of material misstatement and the likelihood of control effectiveness.

    [3] The methodology presented is for a financial statement audit. If the auditor is to use the work of another auditor, see FAM 650.

    Internal Control Phase

    .04 This phase entails understanding, testing, and assessing internal control to reach conclusions about the achievement of the following internal control objectives:

    • Reliability of financial reporting -- transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements in accordance with U.S. GAAP, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

    • Compliance with applicable laws and regulations -- transactions are executed in accordance with (a) laws governing the use of budget authority and other laws and regulations that could have a direct and material effect on the financial statements and (b) any other laws, regulations, and governmentwide policies identified by OMB in its audit guidance.

    .05 OMB audit guidance indicates that the auditor should test controls that have been properly designed and implemented (placed into operation) to achieve these objectives in order to support a low assessed level of control risk. OMB audit guidance does not require the auditor to express an opinion on the effectiveness of internal control.

    As required by GAGAS 5.08, if the auditor does not express an opinion on internal control, the auditor should state in the report whether tests performed provided sufficient, appropriate evidence to express an opinion on the effectiveness of internal control over financial reporting.

    GAO auditors[4] should design the audit to express an opinion on internal control over financial reporting and internal control over compliance with selected provisions of laws and regulations.[5] For audits performed by GAO, the internal control testing described in the OMB audit guidance and in the FAM typically is sufficient to provide an opinion on internal control effectiveness. Sufficiency and appropriateness of audit evidence is a matter of auditor judgment.

    [4] The FAM refers specifically to objectives for GAO auditors in various sections. Such objectives are optional for other audit organizations.

    [5] If the auditor plans to report on internal control effectiveness, AICPA attestation standards (AT 501) allow the auditor to give an opinion directly on internal control or on management's assertion about the effectiveness of internal control. However, if material weaknesses are present, the opinion must be directly on the effectiveness of internal control, rather than management's assertion, so as not to be misleading. The example 1 auditor's report in FAM 595 A illustrates expressing an opinion on internal control directly. Although the FAM distinguishes between internal control objectives related to financial reporting and to compliance with laws and regulations, compliance controls tested as part of federal financial statement audits are limited to controls over compliance with selected significant provisions of laws and regulations that have a direct and material effect on the determination of financial statement amounts. Consequently, compliance controls in federal financial statement audits are considered to be the equivalent of financial reporting controls for purposes of reporting on control effectiveness under AT 501.

    .06 The FAM also provides guidance on evaluating internal controls related to operating objectives that the auditor elects to evaluate. Such controls include those related to safeguarding assets from waste or preparing statistical reports.

    .07 To evaluate internal control, the auditor identifies and understands the relevant controls and tests their effectiveness. Where the auditor determines controls to be effective, the extent of substantive procedures can be reduced.

    .08 The FAM also includes guidance on

    • assessing specific levels of control risk;

    • selecting controls to test;

    • determining the effectiveness of IS controls; and

    • testing controls, including coordinating control tests in the testing phase for efficiency.

    .09 Also, during the internal control phase, for CFO Act agencies and their components identified in OMB's audit guidance, the auditor should understand the design of the entity's significant financial management systems and test their compliance with FFMIA.

    Testing Phase

    .10 The objectives of this phase are to (1) obtain reasonable assurance about whether the financial statements are free of material misstatements, (2) determine whether the entity complied with significant provisions of applicable laws and regulations, and (3) assess the effectiveness of internal control through testing controls often in coordination with other tests.

    .11 To achieve these objectives, the FAM includes guidance on

    designing and performing substantive, compliance, and control tests;

    designing and evaluating audit samples;

    correlating risk of material misstatement, audit risk, and materiality with the nature, timing, and extent of substantive procedures; and

    designing multipurpose tests that use a common sample to test several different controls, specific accounts or transactions, and audit assertions.

    Reporting Phase

    .12 This phase completes the audit based on the results of audit procedures performed in the preceding phases. This involves developing the auditor's report on the entity's (1) annual financial statements and supplementary information,6 (2) internal control, (3) financial management systems' substantial compliance with FFMIA requirements (for CFO Act agencies), and (4) compliance with laws and regulations. To assist in this process, the FAM includes guidance on forming opinions on the basic financial statements and conclusions on internal control, as well as reporting findings. Also included in FAM 595 A are two examples of auditor's reports designed to be understandable to the reader. The first example is for when the auditor expresses an opinion on internal control and the second example when the auditor issues a report on internal control.

    6 As defined in OMB reporting guidance, the annual Performance and Accountability Report (PAR) consists of (1) unaudited MD&A, part of required supplementary information (RSI); (2) audited basic financial statements, including note disclosures; (3) unaudited required supplementary stewardship information (RSSI), if applicable; (4) unaudited RSI, if applicable; and (5) unaudited other accompanying information, if applicable. The audited basic financial statements at an entity level include the (1) balance sheet; (2) statement of net cost; (3) statement of changes in net position; (4) statement of budgetary resources; (5) statement of custodial activity, if applicable; and (6) statement of social insurance, if applicable. The statements include related audited note disclosures.

    Relationship to Applicable Standards

    .13 The following section describes the relationship of the FAM to applicable auditing standards, OMB guidance, and other policy requirements. This section is organized into three areas:

    relevant auditing standards and OMB guidance,

    audit guidance beyond the yellow book, and

    auditing standards and policies not addressed in this manual.

    Relevant Auditing Standards and OMB Guidance

    .14 The FAM provides a framework for performing financial statement audits of federal entities in accordance with Government Auditing Standards (also known as GAGAS) issued by the Comptroller General of the United States, frequently referred to as the "yellow book," and OMB audit guidance. GAGAS incorporates, by reference, certain U.S. generally accepted auditing standards (U.S. GAAS) and attestation standards established by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). GAGAS are available at www.gao.gov.

    .15 The FAM is an audit methodology that both integrates the requirements of the standards and provides implementation guidance based upon practical experience. The FAM is designed to achieve

    effective audits by considering compliance with GAGAS, significant laws, and OMB guidance;

    efficient audits by focusing audit procedures on areas of higher risk and materiality and by providing an integrated approach designed to gather audit evidence efficiently;

    quality control through an agreed-upon framework that is documented and can be followed by all personnel; and

    consistency of application through a documented methodology.

    .16 The FAM supplements GAGAS and OMB's audit guidance and includes references to the AICPA Codification of Statements on Auditing Standards (AU) and to the related codification of Standards for Attestation Engagements (AT). The AICPA standards are updated and issued annually and are incorporated into GAGAS by reference. Certain standards are available through www.aicpa.org, and GAO staff may access them electronically through the audit reference library.

    Audit Guidance Beyond the Yellow Book

    .17 In addition to meeting GAGAS, for audits of federal entities to which OMB's audit guidance applies, the auditor should

    perform sufficient tests of internal controls that have been properly designed and placed in operation, to support a low assessed level of control risk;

    evaluate and test controls related to budget execution and compliance with selected provisions of laws and regulations;

    understand the design of the entity's process for complying with 31 U.S.C. 3512 (c), (d) (commonly known as the Federal Managers' Financial Integrity Act (FMFIA)) and whether the design has been implemented;

    perform tests at CFO Act agencies to report on the entity's financial management systems' substantial compliance with FFMIA requirements;

    test for compliance with laws, regulations, and governmentwide policies identified in OMB's audit guidance; and

    read the MD&A and other supplementary information for conformity with FASAB standards and OMB guidance.

    .18 Auditors may design procedures to consider and report whether misstatements and internal control weaknesses could affect the achievement of operations objectives or the accuracy of reports prepared by the entity.

    .19 GAO auditors should design audits to express an opinion on the entity's internal control over financial reporting.

    Auditing Standards and Policies Not Addressed in the Manual

    .20 The FAM supplements financial audit standards and policies adopted by GAO and the inspectors general (IG). It is not intended to address all standards or policies. For example, report processing is not addressed. Further, IGs may use other methodologies that are equivalent to the FAM for conducting financial statement audits in accordance with GAGAS, including AICPA auditing standards, and OMB audit requirements.


    Key Implementation Considerations

    .21 In applying the FAM to a federal entity, the auditor considers

    audit objectives,

    exercise of professional judgment and professional skepticism,

    references to positions,

    knowledge of information systems and use of IS controls specialists,

    compliance with policies in the FAM,

    use of technical terms, and

    reference to sections of the FAM.

    These items are discussed in more detail below.

    Audit Objectives

    .22 For audits of certain federal entities not subject to OMB audit guidance, the auditor should evaluate whether to conduct those audits in accordance with OMB audit guidance to achieve the audit's objectives. The FAM generally assumes that the objective of the audit is to express an opinion on the current year financial statements as part of a 2-year opinion on comparative financial statements, to issue a report (or opinion) on internal control, and to issue a report on compliance. When these are not the objectives, the auditor uses judgment in applying the FAM guidance. In some circumstances, the auditor may expect to issue a disclaimer on the current year financial statements due to scope limitations, including the auditability of information. In these circumstances, the auditor may develop a multiyear plan to be able to express a future opinion when the financial statements are expected to become auditable.

    Exercise of Professional Judgment and Professional Skepticism

    .23 In performing a financial statement audit, the auditor uses professional judgment and exercises professional skepticism in evaluating the quantity and quality of audit evidence, and thus its sufficiency and appropriateness, in determining the audit opinion. Although the auditor may find it necessary to rely on audit evidence that is persuasive rather than conclusive to obtain reasonable assurance, the auditor must not be satisfied with audit evidence that is less than persuasive. The auditor should tailor the guidance in the FAM, if needed, to respond to specific situations encountered during an audit. However, the auditor must, at a minimum, meet professional standards. Proper application of professional judgment and skepticism may result in more extensive audit work than described in the FAM. The auditor should document these decisions.

    .24 When exercising judgment, particularly when tailoring FAM guidance, the auditor should consider the needs of, and consult in a timely manner with, other auditors who plan to use the work being performed. In turn, the auditor should coordinate with other auditors whose work the auditor plans to use so that the judgments exercised can satisfy the needs of both auditors. For example, auditors of a consolidated entity (such as the U.S. government or an entire department or agency) are likely to plan to use the work of auditors of subsidiary entities (such as individual departments and agencies or bureaus and components of a department). This coordination can result in more effective government audits and avoid duplication of effort.

    .25 Many aspects of a financial statement audit involve technical judgments. The auditor is responsible for making these judgments. The audit organization should have or contract for personnel with adequate technical expertise to provide technical assistance to the auditor, particularly in the following areas:

    quantifying planning and design materiality and tolerable misstatement, and using tolerable misstatement in determining the extent of testing (see FAM 230);

    identifying risk factors to assess risks of material misstatement (see FAM 260);

    assessing the effectiveness of IS controls (see FAM 270);

    specifying a minimum level of substantive assurance based on the assessed risk of material misstatement, substantive analytical procedures, and substantive detail tests (see FAM 470, 480, and 495 D);

    determining whether selections are samples (intended to be representative and projected to populations) or nonsampling selections that are not projectible (see FAM 480);

    using sampling methods, such as monetary unit sampling, classical variables estimation sampling, or classical probability proportional to size (PPS) sampling, for substantive or multipurpose testing (including nonstatistical sampling) (see FAM 480);

    using sampling for control testing, other than attribute sampling using the tables in FAM 450, to determine sample size when not performing a multipurpose test;

    using sampling for compliance testing of laws and regulations, other than attribute sampling using the tables in FAM 460, to determine sample size when not performing a multipurpose test; and

    placing complete or partial reliance on analytical procedures, using tolerable misstatements to calculate the limit. The limit is the amount of difference between the expected and recorded amounts that can be accepted without further investigation (see FAM 475).


    References to Positions

    .26 Various sections of the FAM refer to consultation with audit management and/or persons with technical expertise to obtain approval or additional guidance. The auditor should document key consultations. Each audit organization should have written evidence, in the audit documentation or in its audit policy manual, of the specific positions of persons who will perform these functions.

    The following are references to positions at GAO; however, description of position responsibilities in relation to the audit are included for identification of the position or role in other audit organizations. IGs performing an audit or using a firm to perform an audit in accordance with the FAM should clarify and document the positions of the persons the auditor should consult in various circumstances.

    The audit director (first partner) is responsible for the quality of the financial statement audit and the audit report, reporting to the assistant inspector general for audit or, at GAO, to the managing director.

    The assistant director is responsible for the operational conduct of the audit and generally for preparation of the audit report. In public accounting firms, the audit manager may have these responsibilities.

    The reviewer (engagement quality control reviewer or second partner) is responsible for providing negative assurance about the quality of the audit and reports to the assistant inspector general for audit (or higher position) or, at GAO, is the chief accountant or designee. The reviewer may consult with other personnel as needed.

    The statistician is a person the auditor consults for technical expertise in areas such as audit sampling, audit sample evaluation, and selecting entity field locations to visit.

    The data extraction specialist has technical expertise in extracting data from entity records.

    The IS controls specialist is a person with technical expertise in information systems, general controls, application controls, and information security.

    The technical accounting and auditing expert reports to the assistant inspector general for audit or higher. At GAO, this is the chief accountant or other designated expert. This expert advises on accounting and auditing professional matters and related national issues. This person also may be the reviewer or may review reports on financial statements and reports that express opinions on financial information for compliance with professional auditing standards.


    The Office of General Counsel7 (OGC) advises the auditor in (1) identifying provisions of laws and regulations to test, (2) identifying budget restrictions, and (3) identifying and resolving legal issues encountered in the financial statement audit, such as evaluating potential instances of noncompliance.

    The Special Investigator Unit (SIU) investigates specific allegations involving conflict-of-interest and ethics matters, contract and procurement irregularities, official misconduct and abuse, and fraud in federal programs or activities. In the offices of the IGs, this is the investigation unit; at GAO, it is the Forensic Audits and Special Investigations Unit. The SIU provides assistance to the auditor by (1) informing the auditor of relevant pending or completed investigations of the entity and (2) investigating possible instances of federal fraud, waste, and abuse.

    7 Audit organizations obtain legal counsel in a variety of ways and each audit organization's OGC size and configuration can vary. In that regard, the designation of OGC in the FAM could include legal counsel in IG offices that employ or hire their own legal counsel as well as their agency's legal counsel.

    Knowledge of IS Controls and Use of IS Controls Specialists

    .27 The audit team should possess sufficient knowledge of IS controls to determine the effect of information systems on the audit, to understand IS controls, and to consult with an IS controls specialist to design and test IS controls. Specialized IS control audit skills generally are needed in situations where

    the entity's systems, IS controls, or the manner in which they are used in conducting the entity's business are complex;

    significant changes have been made to existing systems or new systems have been implemented;

    data are extensively shared among systems;

    the entity participates in electronic commerce;

    the entity uses emerging technologies; or

    significant audit evidence is available only in electronic form.

    Appendix V of GAO's Federal Information System Controls Audit Manual (FISCAM) contains examples of knowledge, skills, and abilities auditors need.

    If needed, the auditor should seek the assistance of IS controls specialists or use outside contractors to provide these skills. However, per AU 311.22, the auditor should have sufficient knowledge to communicate the audit objectives of the specialist's work; to evaluate whether the specified audit procedures will meet the auditor's objectives; and to evaluate the results of the audit procedures applied as they relate to the nature, extent, and timing of further planned audit procedures. The auditor's responsibilities for supervising specialists who are essentially functioning as part of the audit team are the same as for other audit team members as discussed in AU 311.22 and AU 311.28-32.

    Compliance with Policies in the FAM

    .28 The following terms are used throughout the FAM to describe the degree of compliance with the standard or policy:

    Must: Compliance is mandatory when the circumstances exist to which the standard or policy applies. Most musts come directly from professional auditing standards where the auditor's failure to perform means the auditor will not be able to express an unqualified opinion on the entity's financial statements.

    Should: Compliance is expected when the circumstances exist to which the standard or policy applies, unless there is a reasonable basis for the departure. The auditor must document any such departure and the basis for it. The documentation should describe how the alternative procedures performed in the circumstances were sufficient to achieve the objectives of the standard or policy and should be approved by the reviewer.8

    Generally should: Although optional, compliance with this policy is strongly encouraged. The auditor may discuss any departure with the assistant director, but need not document compliance.

    May: Compliance with this policy or procedure is optional. The auditor need not document compliance.

    Situations can arise where the auditor is unable to or decides not to perform a procedure. Frequently, this is caused by missing, incomplete, or erroneous information. If it is decided that this is a key decision, the auditor should document why the procedure was not performed.

    When auditors plan to deviate from a standard or policy expressed by a "should," they should determine the needs of, and consult in a timely manner with, other auditors who plan to use their work. This is necessary to provide an opportunity for other auditors to review the documentation explaining these decisions.

    8 Similar to the AICPA auditing standards, if the FAM states that a procedure or action is one that the auditor should consider, determining whether to perform the procedure or action is required; however, performing the procedure or action is not. Because this is a "should," the auditor should document any reasons for not performing this procedure and the alternative procedures performed to meet the objective.

    When the FAM lists factors that the auditor should evaluate when making a judgment, the auditor is expected to use these factors to make an informed judgment. However, the auditor may also consider other factors.


    Use of Technical Terms

    .29 The FAM uses many existing technical auditing terms and includes a glossary of significant terms towards the end of FAM Volume I.

    Reference to the FAM

    .30 When cited in audit documentation, correspondence, or other communication, the letters "FAM" may precede section or paragraph numbers. For example, this paragraph is referred to as FAM 110.30.


    SECTION 200

    Planning Phase


    Figure 200 - Overview of the Planning Phase

    Planning Phase (FAM section)

    Establish an Understanding with the Client: 215
    Understand the Entity's Operations: 220
    Perform Preliminary Analytical Procedures: 225
    Determine Planning and Design Materiality and Tolerable Misstatement: 230
    Identify Significant Line Items, Accounts, Assertions, and RSSI: 235
    Identify Significant Cycles, Accounting Applications, and Systems: 240
    Identify Significant Provisions of Laws and Regulations: 245
    Identify Relevant Budget Restrictions: 250
    Identify Risk Factors: 260
    Determine Likelihood of Effective Information System Controls: 270
    Identify Relevant Operations Controls to Evaluate and Test: 275
    Plan Other Audit Procedures: 280
    Plan Locations to Visit: 285
    Documentation: 290

    Internal Control Phase (FAM section)

    Understand Information Systems: 320
    Identify Control Objectives: 330
    Identify and Understand Relevant Control Activities: 340
    Determine the Nature, Extent, and Timing of Control Tests and Compliance with FFMIA: 350
    Perform Nonsampling Control Tests and Test Compliance with FFMIA: 360
    Assess Internal Control on a Preliminary Basis: 370
    Other Considerations: 380
    Documentation: 390

    Testing Phase (FAM section)

    Design the Nature, Extent, and Timing of Further Audit Procedures: 420
    Design Tests: 430
    Perform Tests and Evaluate Results: 440
    Sampling Control Tests: 450
    Compliance Tests: 460
    Substantive Procedures -- Overview: 470
    Substantive Analytical Procedures: 475
    Substantive Detail Tests: 480
    Documentation: 490

    Reporting Phase (FAM section)

    Perform Overall Analytical Procedures: 520
    Reassess Materiality and Risk: 530
    Evaluate Misstatements: 540
    Conclude Other Audit Procedures: 550
    Determine Conformity with U.S. GAAP: 560
    Determine Compliance with GAO/PCIE Financial Audit Manual: 570
    Draft Reports: 580
    Documentation: 590


    210 Overview of the Planning Phase

    .01 The auditor must adequately plan the audit work. The auditor should develop effective and efficient ways to obtain the sufficient appropriate evidence necessary to report on the federal entity's financial statements, internal controls, and compliance with laws and regulations. The nature, extent, and timing of planning varies with such factors as the entity's size and complexity, the auditor's experience with the entity, and the auditor's knowledge of entity operations.

    The FAM methodology overview in figure 200 shows the procedures performed in the planning phase of a financial audit to develop an overall strategy for the audit.

    .02 Senior, experienced members of the audit team should be involved in planning. Although concentrated in the planning phase, planning is an iterative process performed throughout the audit. For example, findings from the internal control phase directly affect planning the substantive audit procedures. Also, the results of control and substantive tests may require changes in the planned audit approach.

    .03 Auditors should consider the needs of, and consult in a timely manner with, other auditors who plan to use the work being performed, especially when exercising significant professional judgment.


    215 Establish an Understanding with the Client

    .01 The auditor should establish an understanding with the client regarding an audit of the financial statements. The auditor should document the understanding through a written communication with the client. AU 311.08-.10 provides guidance to the auditor in establishing this understanding. The auditor may use an engagement letter, contract, or other written communication to describe the terms of the engagement. The auditor should also communicate these and other matters with those charged with governance,1 and with the individuals contracting for or requesting the audit. When auditors perform the audit pursuant to a law or regulation or they conduct the work for the legislative committee that has oversight of the entity, the auditor also should communicate with the legislative committee.

    If the auditor believes that an understanding with the client has not been established, the auditor should discuss the issue(s) with the audit director.

    .02 In the federal environment, the client may include

    the management of the federal entity to be audited, including senior executive and financial managers;2

    Inspector General if the IG has contracted for the audit;

    members of a board or commission responsible for the federal entity;

    audit committee; and

    congressional committees, subcommittees, or members requesting the audit.

    The auditor should identify and document who is the client and those charged with governance for each federal audit. The client and those charged with governance may include multiple entities from this list. See FAM 215.12 for additional guidance on identifying those charged with governance.

    1 Those charged with governance refers to those who have the responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity, including overseeing the entity's financial reporting and disclosure process. For a federal entity, this may be members of a board or commission, an audit committee, the Secretary of a cabinet-level department, or senior executives and financial managers responsible for the entity. Additionally, this may include congressional committees with oversight of the audited entity.

    2 Management means the persons responsible for achieving the objectives of the entity and who have the authority to establish policies and make decisions by which those objectives are to be pursued. Management is responsible for the financial statements, including designing, implementing, and maintaining effective internal control over financial reporting.


    Establishing an Understanding on the Scope of the Engagement

    .07 The auditor may use an engagement letter, contract, or other written communication to document the auditor's and the federal entity's responsibilities as well as the limitations of the engagement. The letter generally states that the auditor will conduct the audit in accordance with GAGAS, and if applicable, OMB audit guidance. Those standards require that the auditor obtain reasonable, rather than absolute, assurance about whether financial statements are free of material misstatement, whether caused by error or fraud. While reasonable assurance is a high level of assurance, the nature of audit evidence and the characteristics of fraud makes it such that the auditor cannot provide absolute assurance. Accordingly, a material misstatement may remain undetected. Also, an audit is not designed to detect error or fraud that is immaterial to the financial statements. If, for any reason, the auditor is unable to complete the audit or is unable to form or has not formed an opinion on the financial statements, the auditor may decline to express an opinion, or decline to issue a report. However, declining to issue a report may not be possible for audits mandated by law.

    .08 An audit includes obtaining an understanding of internal control sufficient to plan the audit and to determine the nature, timing, and extent of audit procedures to be performed. An auditor will either express an opinion on internal control or report on internal control as discussed in FAM 580.31.

    .09 Auditors should reach agreement with the client on their responsibilities in a financial statement audit, including their responsibilities for testing and reporting on internal control over financial reporting and compliance with laws and regulations. The communication should include the nature of any additional testing of internal control and compliance required by laws and regulations or otherwise requested, whether the auditor plans to express an opinion or report on internal control over financial reporting, and if applicable, the entity's financial systems' compliance with FFMIA (for CFO Act agencies).

    .10 The engagement letter, contract, or other written communication should provide that if the management of the federal entity to be audited does not agree with the terms of the audit reached between the party contracting for the audit and the auditor, as documented in the contract or engagement letter, the entity should promptly notify the auditor. The auditor should try to resolve any disagreements promptly.

    Communicating with Those Charged with Governance

    .11 The auditor must communicate with those charged with governance matters related to the financial statement audit that are, in the auditor's professional judgment, significant and relevant to the responsibilities of those charged with governance in overseeing the financial reporting process. Clear communication of specific matters is an integral part of every audit. However, the auditor is not required to perform procedures specifically to identify other significant matters to communicate with those charged with governance.

    .12 Similar to the process described above for client communication, the auditor should determine the appropriate persons within the entity's governance structure with whom to communicate. The appropriate persons may vary depending on the matter to be communicated. In situations where there is not a single individual or group that both oversees the strategic direction of the entity and the fulfillment of its accountability obligations or in other situations where the identity of those charged with governance is not clearly evident, the auditor should document the process followed and conclusions reached for identifying appropriate individuals to receive the required auditor communications. When the appropriate persons with whom to communicate are not clearly identifiable, the auditor and the engaging party should agree on the relevant persons within the entity's governance structure with whom the auditor will communicate.

    .13 The auditor should evaluate whether communication with a subgroup of those charged with governance, such as an audit committee or an individual, adequately fulfills the auditor's responsibility to communicate with those charged with governance. AU 380.18 and AU 380.54 provide factors to consider when making this judgment. When all of those charged with governance are involved with managing the entity, the auditor should evaluate whether communication with person(s) with financial reporting responsibilities adequately informs all of those with whom the auditor would otherwise communicate in their governance capacity.

    .14 The auditor should communicate to those charged with governance (1) the auditor's responsibilities under GAGAS, (2) an overview of the planned scope and timing of the audit, (3) the nature of planned work and level of assurance provided related to internal control over financial reporting and compliance with laws and regulations, (4) the form, general content, and timing of communications, and (5) any potential restriction on the auditor's reports, in order to reduce the risk that the needs or expectations of the parties involved may be misrepresented. These matters may be communicated either orally or in writing. The auditor may use an engagement letter, contract, or other written communication as part of this communication.

    .15 The auditor's clear communication of these matters helps establish the basis for effective two-way communication. Other discussion topics that may contribute to the effectiveness of two-way communication are discussed in AU 380.49. The auditor should evaluate whether the two-way communication between the auditor and those charged with governance has been adequate for purposes of the audit. This evaluation may be based on observations resulting from performing other audit procedures. AU 380.60-.61 provide guidance for making this evaluation. If in the auditor's judgment, the two-way communication between the auditor and those charged with governance is not adequate, there is a risk that the auditor may not have obtained all the audit evidence required to form an opinion on the financial statements. The auditor should evaluate the effect, if any, on the auditor's assessment of the risks of material misstatement and may take actions as discussed in AU 380.63.

    .16 Management's communication of these matters to those charged with governance does not relieve the auditor of the responsibility to also communicate with them. However, communication of these matters by management may affect the form or timing of the auditor's communication. Factors that may affect whether the communication would be most effective orally or in writing as well as the content of communication are discussed in AU 380.53.

    .17 The auditor should communicate significant findings from the audit in writing to those charged with governance as discussed in FAM 550.13 and FAM 580. When matters are communicated in writing, the auditor should indicate in the communication that it is intended solely for the information and use of those charged with governance, and if appropriate, management, and is not intended to be and should not be used by anyone other than these specified parties as discussed in AU 380.55. Because these audits involve government entities, the auditor's communication also should indicate that government reports and communication are generally a matter of public record; therefore, the distribution of the communication is not limited.

    .18 The auditor should communicate with those charged with governance on a sufficiently timely basis to enable those charged with governance to take appropriate action. AU 380.57-.58 discuss factors relevant for making judgments regarding the timing of communications.

    .19 The auditor should communicate with those charged with governance the auditor's responsibilities under GAGAS, including that

    the auditor is responsible for forming and expressing an opinion about whether the financial statements that have been prepared by management with the oversight of those charged with governance are presented fairly, in all material respects, in conformity with generally accepted accounting principles, and

    the audit of the financial statements does not relieve management or those charged with governance of their responsibilities.

    If the entity includes other information in documents containing audited financial statements, such as in a performance and accountability report, the auditor should communicate with those charged with governance the auditor's responsibility with respect to such other information, any procedures performed relating to the other information, and the results.

    .20 The auditor may also communicate to those charged with governance the items communicated with management discussed in FAM 215.07-.09. Additionally, the auditor may communicate the auditor's responsibility for communicating significant matters as well as the limitations on this responsibility discussed in FAM 215.11.

    .21 The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit. However, it is important for the auditor not to compromise the effectiveness of the audit, particularly where some of those charged with governance are involved with managing the entity. For example, communicating the nature and timing of detailed audit procedures may reduce the effectiveness of those procedures by making them too predictable. AU 380.30-.31 provide guidance on communicating the planned scope and timing of the audit.

    .22 AU 380.32 provides additional matters that the auditor may discuss with those charged with governance that may be useful for planning the audit and assessing the risks of material misstatement.

    .23 The auditor should document all communications with those charged with governance. If the communication was written, the auditor should retain a copy of the communication with the audit documentation.

    Intent, Notification, and Commitment Letters

    .24 The auditor should establish an understanding with involved parties, that may include congressional requesters, regarding the financial audit. When the engagement letter is addressed to the head of a federal entity to be audited, or the IG if the audit is contracted out, the auditor may also provide a copy to those charged with governance if the auditor determines this to be an effective form of communication. The auditor's internal procedures may also provide for additional communication with others in the form of an intent, notification, or commitment letter as discussed below.

    .25 GAO and some IGs use an intent letter to acknowledge a congressional request for any type of work. This letter may include

    acknowledgement of a meeting with congressional staff to understand the request;

    indication of a survey of work or planning phase to understand the federal entity, identify accounting or auditing issues, and determine the availability and access to books and records, particularly for an initial engagement;

    an estimated completion date for the planning phase;

    the auditor team performing the audit; and

    auditor contact names, phone numbers, and e-mail addresses.

    .26 A notification letter is used by some auditors to notify federal agencies of new engagements for any type of work. This letter may include

    source of work (mandate, request, or auditor's statutory discretionary authority);

    objective(s) of the work;

    agencies and locations to be contacted;

    estimated start date;

    estimated date of entrance conference;

    auditor team performing the audit;

    auditor contact names, phone numbers, and e-mail addresses; and

    engagement (job) code or other tracking number.

    .27 A commitment letter is used by some auditors, either after a survey of work or the planning phase has been completed as discussed in FAM 215.24, or to confirm a commitment for a congressional request, mandate, or auditor's statutory discretionary authority for any type of work. This letter may include

    a confirmation of the auditor's commitment to perform work and issue a report;

    overview of the engagement approach, objective(s), and key aspects of the work to include a separate survey of work or planning phase, if conducted;

    the planned report issuance date;

    auditor team performing the audit; and

    auditor contact names, phone numbers, and e-mail addresses.

    .28 The auditor should send intent, notification, or commitment letters as provided by the auditor's protocols. The auditor may use the engagement letter to assist in documenting communication with those charged with governance. The auditor may use the example letter in FAM 215 B or other communication methods to communicate with those charged with governance.

    .29 For agreed-upon procedure engagements as discussed in FAM 660.04, the auditor may issue an engagement letter unless covered by contract or other written communication. An example letter for agreed-upon procedure engagements is presented in FAM 660 A.

    215 A Sample Audit Engagement Letter to a Federal Entity

    .01 As discussed in FAM 215.06, the engagement letter documents the objectives and limitations of the audit and the roles and responsibilities of both federal entity management and the auditor. Example 1 presents a sample audit engagement letter when the auditor plans to provide an opinion on the effectiveness of an entity's internal control. Example 2 presents a sample audit engagement letter when the auditor plans to report on the entity's internal control and will not provide an opinion. These sample letters are prepared on auditor letterhead and modified for the specific circumstances of each individual audit, as needed.

    Example 1 -- Auditor Provides an Opinion on Effectiveness of Entity's Internal Control

    Auditor letterhead

    Date

    [Address to the chief executive of the federal entity whose financial statements are to be audited or the Inspector General if the audit has been contracted out to a CPA firm or the client as determined by the auditor.]

    Dear ____________:

    Pursuant to [cite legal or contract authority for audit], [name of auditor] will audit, for fiscal year 20xx, the financial statements of the [name of federal entity]. The job code for this audit is XXXXXX.¹ The objectives of our audit are as follows:

    1. Express an opinion on whether the [entity's] fiscal year 20xx financial statements are fairly presented, in all material respects, in conformity with U.S. generally accepted accounting principles.

    2. Express an opinion on whether the [entity's] internal control over financial reporting (including safeguarding assets) and compliance in place as of [end of fiscal year] are suitably designed and operated effectively to provide reasonable assurance that misstatements, losses, or noncompliance material in relation to the financial statements would be prevented or detected on a timely basis.

    3. Report whether the [entity's] financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act (FFMIA) as of [end of fiscal year 20XX]. [If the entity is subject to the act].

    4. Report on our tests of the [entity's] compliance with selected provisions of laws and regulations.

    [Entity] management is responsible for preparing the financial statements and appropriate disclosures in conformity with U.S. generally accepted accounting principles. This includes maintaining adequate accounting records, developing accounting systems that comply with the requirements of FFMIA [if applicable], selecting and applying appropriate accounting policies, and safeguarding U.S. government assets related to [entity] operations. Management is also responsible for designing and implementing programs and controls to prevent and detect fraud, establishing and maintaining effective internal control over financial reporting and compliance, and identifying and ensuring compliance with applicable laws and regulations.

    ¹Optional: However, some numerical code is normally used by organizations for tracking purposes.

    [Entity] management is responsible for establishing and maintaining effective internal control to provide reasonable assurance that the following objectives are met for financial reporting and compliance.

    Financial reporting: Transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

    Compliance with laws and regulations: Transactions are executed in accordance with laws governing the use of budget authority and with other laws and regulations that could have a direct and material effect on the financial statements and any other laws, regulations, and governmentwide policies identified in OMB audit guidance.

    [Entity] management is responsible for making all financial records and related information available to us to conduct the audit. [Entity] management is also responsible for adjusting the financial statements to correct material misstatements and to represent to us that any uncorrected misstatements are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. Further, [entity] management agrees to communicate to us the discovery of any material misstatement that would affect the fair presentation of its fiscal year 20xx or prior fiscal years' financial statements.

    We are responsible for conducting our audit in accordance with U.S. generally accepted government auditing standards. Those standards require that we obtain reasonable, rather than absolute, assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Accordingly, a material misstatement may remain undetected. Also, an audit is not designed to detect error or fraud that is immaterial to the financial statements. We are responsible for obtaining reasonable assurance about whether management maintained effective internal control, the objectives of which are stated above. If, for any reason, we are unable to complete the audit or are unable to form an opinion on the financial statements or internal control, we may decline to express these opinions.

    We are also responsible for (1) testing whether [entity's] financial management systems substantially comply with the three FFMIA requirements [if applicable], (2) testing compliance with selected provisions of laws and regulations that have a direct and material effect on the financial statements and laws for which OMB audit guidance requires testing, and (3) performing limited procedures with respect to certain other information in the Annual Financial Statement.

    In fulfilling our responsibilities and as part of our overall audit strategy, we will: obtain an understanding of the [entity] and its environment, including its internal control; assess the risks of material misstatement; design the nature, timing, and extent of further audit procedures; test relevant internal controls over financial reporting (including safeguarding of assets) and compliance; test whether the [entity's] financial management systems substantially comply with the requirements of FFMIA as of [fiscal year end] [if applicable]; test compliance with selected provisions of laws and regulations²; and examine, on a test basis, evidence supporting the amounts and disclosures in the [entity's] financial statements.

    Our internal control testing will be limited to controls over financial reporting and compliance. This audit does not include evaluating all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act, such as those controls relevant to preparing statistical reports and ensuring efficient operations. Because of inherent limitations in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur and not be detected.

    We will not test compliance with all laws and regulations applicable to [entity]. We will limit our tests of compliance to those laws and regulations required by OMB audit guidance that we deem applicable to the financial statements for the fiscal year ended [date]. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes.

    We are also responsible for communicating in writing to those charged with governance any significant deficiencies and material weaknesses in internal control that come to our attention as a result of the audit. In addition, we will communicate any suggestions for improving [entity] operations and other control deficiencies identified during our audit in a separate letter to management [as applicable].

    To assist us in the audit, we will use specialists in [information technology, statistical sampling, actuarial methods, or other areas as applicable]. At the conclusion of the audit, we will require certain written representations from [entity] management about the financial statements, internal control, and related matters. These representations include a representation that the effects of any uncorrected misstatements are not material, both individually and in the aggregate, to the financial statements taken as a whole. The representations on internal control include management's assertion that internal control over financial reporting and compliance with laws and regulations is suitably designed and operating effectively, and the internal control criteria used to make this assertion.

    To make efficient use of audit resources and expedite audit completion, we will request assistance from [entity] staff. This assistance may include preparing schedules or analyses; locating, copying, and providing selected documents; and participating in meetings. We will discuss this assistance with [entity] staff as the need arises. Throughout the audit, we will work with [entity] staff to obtain information needed for the completion of the

    ²If applicable, add "and contracts and grant agreements" as discussed in GAGAS.

    Example 2 -- Auditor Does Not Provide an Opinion on Entity's Internal Control

    Auditor letterhead

    Date

    [Address to the chief executive of the federal entity whose financial statements are to be audited or the Inspector General if the audit has been contracted out to a CPA firm or the client as determined by the auditor.]

    Dear ____________:

    Pursuant to [cite legal or contract authority for audit], [name of auditor] will audit, for fiscal year 20xx, the financial statements of the [name of federal entity]. The job code for this audit is XXXXXX.³ The objectives of our audit are as follows:

    1. Express an opinion on whether the [entity's] fiscal year 20xx financial statements are fairly presented, in all material respects, in conformity with U.S. generally accepted accounting principles.

    2. Report any significant deficiencies and material weaknesses in internal control that come to our attention as a result of the audit.

    3. Report whether the [entity's] financial management systems substantially comply with the requirements of the Federal Financial Management Improvement Act (FFMIA) as of [end of fiscal year 20XX]. [If the entity is subject to the act].

    4. Report on our tests of the [entity's] compliance with selected provisions of laws and regulations.

    [Entity] management is responsible for preparing the financial statements and appropriate disclosures in conformity with U.S. generally accepted accounting principles. This includes maintaining adequate accounting records, developing accounting systems that comply with the requirements of FFMIA [if applicable], selecting and applying appropriate accounting policies, and safeguarding U.S. government assets related to [entity] operations. Management is also responsible for designing and implementing programs and controls to prevent and detect fraud, establishing and maintaining effective internal control over financial reporting and compliance, and identifying and ensuring compliance with applicable laws and regulations.

    [Entity] management is responsible for establishing and maintaining effective internal control to provide reasonable assurance that the following objectives are met for financial reporting and compliance.

    Financial reporting: Transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

    Compliance with laws and regulations: Transactions are executed in accordance with laws governing the use of budget authority and with other laws and regulations that could have a direct and material effect on the financial statements and any other laws, regulations, and governmentwide policies identified in OMB audit guidance.

    ³Optional: However, some numerical code is normally used by organizations for tracking purposes.

    [Entity] management is responsible for making all financial records and related information available to us to conduct the audit. [Entity] management is also responsible for adjusting the financial statements to correct material misstatements and to represent to us that any uncorrected misstatements are immaterial, both individually and in the aggregate, to the financial statements taken as a whole. Further, [entity] management a