The reporting phase, Phase IV, will, of course, culminate with the issuance of the auditor’s reports; however, prior to the issuance of the reports a significant number of procedures requiring the involvement of the more senior members of the audit team will take place. During this phase, the auditor:
Guidance from the American Institute of Certified Public Accountants (AICPA) AU-C 580 requires auditors to obtain management representations on all audit engagements.1 Office of Management and Budget (OMB) Bulletin 07-04, Audit Requirements for Federal Financial Statements, and the Government Accountability Office (GAO) Financial Audit Manual (FAM) adopt this guidance and require that the letter, at a minimum, address:
More specific topics generally addressed by the letter include these:
The required representations just listed, especially for large entities, may be made using a materiality threshold. The auditor should discuss and reach an understanding of this threshold with management. Ultimately, the threshold should be disclosed in the letter and would clearly state that items below the threshold are not reported. Generally, the materiality threshold should be set at a level significantly below design materiality to ensure that many items below this level would not aggregate to a more significant amount. When the management representation letter does not disclose a threshold, management should note all relevant matters in the letter, regardless of significance.
A management representation letter is not a substitute for audit procedures, and it is presumed that, with the exception of very subjective information, such as management’s future plans, the auditor has independently verified all significant assertions made by management. However, a management representation letter provides the auditor with a useful vehicle for addressing significant accounting and auditing issues by requiring management to state in writing its understanding and position on the issue, thus ensuring that auditee and auditor share the same understanding of complex issues. In addition to the required contents just listed, the auditor should consider tailoring additional representations to the specific circumstances of the auditee.
Under AICPA guidance, referenced by OMB Bulletin 07-04, the management representation letter is an important audit procedure. Management’s refusal to provide these written representations would be a limitation to the scope of the audit, sufficient to preclude issuance of an unmodified (also referred to as unqualified) audit opinion and ordinarily sufficient to cause the auditor to disclaim an audit opinion or withdraw from the engagement (AU-C 580.25). In the face of this type of refusal, an auditor may wish to reconsider whether to be associated with the auditee at all, according to the AICPA.
The letter is typically signed by relevant officials who are knowledgeable and responsible for the matters noted in the letter. This often includes the chief executive of the auditee and the chief financial officer (CFO). As a matter of practice, other individuals in a position to influence financial data, such as a chief accountant or controller, should also be considered. Finally, the auditor may wish to obtain specific representations from other management personnel (e.g., representation by a program manager on certain aspects of a major program for which he or she is responsible). The letter should cover all periods reported on and should be dated as of the date of the auditor’s report to ensure the representation covers the entire period for which the auditor is responsible. The representation letter should be received after the legal representation letter, discussed next. Additionally, OMB and GAO guidance requires the auditor’s summary of unadjusted misstatements to be attached to the signed management representation letter.
Legal representation letters are governed by AICPA guidance (AU-C 501), OMB Bulletin 07-04, GAO FAM, and guidance from the Department of Justice. The purpose of the legal letter is to obtain information on active and/or potential litigation that may have an impact on the financial statements. According to the AICPA guidance, a lawyer’s refusal to furnish the requested information, either in writing or orally, would be a limitation on the scope of the audit sufficient to preclude issuance of an unmodified audit opinion. As a general rule, the auditor will request such information from the agency’s general counsel. The AICPA states that evidence obtained from inside counsel is not a substitute for information that outside counsel refuses to furnish. However, the auditor should also consider whether outside legal counsel (including the Department of Justice) has been involved in litigation and, as necessary, obtain legal letters from them.
It is important to note that the auditee’s management is the primary source of information on legal matters. The legal letter provides independent evidence on the validity of management’s assertion. Legal letters are requested by appropriate auditee personnel (e.g., the CFO) and instruct the attorney to respond directly to the auditor (with a copy to the individual making the request). In general, the letter will request information on litigation, claims, and assessments that exceed specific amounts based on the auditor’s assessment of materiality and as agreed with the auditee. Legal letter content typically includes these items:
OMB Bulletin 07-04 and the GAO FAM provide a detailed illustration of the letter requesting a response from the attorneys. Because of the technical nature of the letter, the auditor is well advised to encourage the agency to follow the bulletin’s format as closely as possible. As a practical matter, the auditor often drafts the legal letter request for the auditee’s signature. Timing of the letter is critical to ensure that the date is within two weeks of the end of fieldwork and that it is received with sufficient time to meet the reporting deadlines of the auditee’s and the U.S. Government financial statements. Finally, the auditor should consider corroborating the responses received from legal counsel through inquiry and other procedures.
The GAO FAM provides an example summary schedule that agencies are encouraged to use to summarize the case-specific details provided in the legal representation letter. Specifically, the likelihood of unfavorable outcome and the estimated range of potential loss is summarized in order to determine which contingencies may need to be accrued in the financial statements and which may need to be described in a note disclosure to those statements.
Assuming that testing proceeded as expected (e.g., tests of controls supported the effective operation of internal controls and substantive testing resulted in no significant findings or adjustments), the auditor can conclude that the audit results support the issuance of an unmodified opinion.
In short, the audit process requires the auditor to continually reassess his or her approach and develop additional and/or alternate procedures to compensate for audit findings, audit obstacles, and other peculiar or unanticipated conditions or circumstances that were encountered in relation to the specific auditee. Given the dynamic nature of the process, it is essential that at the conclusion of testing, senior members of the audit team carefully consider the implications of the audit findings and whether the audit effort resulted in sufficient audit coverage to warrant the expression of an audit opinion, as well as what type of opinion can be issued.
In determining the sufficiency of audit coverage, the auditor will consider quantifiable findings as well as more subjective issues including financial statement exposures, accounting issues, and scope limitations (including incomplete data and limitations imposed by national security requirements).
To the extent that there is agreement with the auditee on audit adjustments and materiality, recording (or waiving, if not material) audit adjustments is a relatively straightforward process, requiring only that the auditor verify that adjustments are properly reflected in the financial statements.
Subjective issues, however, require the exercise of audit judgment in, for example, determining the reasonableness and support for estimates and contingencies (including the likelihood of occurrence in the case of contingencies), deciding on a preferred accounting principle, or considering the implications of scope limitations.
There is no simple answer or checklist approach to deal with issues that require the exercise of audit judgment. What is clear, however, is that these matters need to be properly documented in the work papers. As a practical matter, the auditor generally documents this effort in written memoranda that describe the important audit and accounting issues encountered and the rationale behind his or her decisions. Thus, the auditor’s conclusions regarding estimates and contingencies should carefully document all sources of information consulted and leading to his or her conclusion. Decisions regarding a choice of accounting principles should clearly identify the authoritative guidance researched by the auditor as well as the alternatives considered.
Finally, scope limitations must be considered in light of their nature. Limitations imposed by national security requirements usually need be analyzed only in light of the materiality of the specific account that is affected. Limitations imposed by incomplete data (e.g., missing documentation) raise significant doubts regarding the effectiveness of internal controls and the internal control environment. Here the auditor must consider whether sufficient additional procedures were performed to overcome this situation, or whether the deficiency is significant enough to force a qualification or disclaimer of the auditor’s opinion due to the lack of documentation. Finally, scope limitations that appear to be capricious in nature (e.g., an auditee’s refusal to provide access to certain information or to provide requested written representations) are particularly troublesome and may force the auditor to disclaim an opinion or even to refuse to be involved with the audit.
Although the auditor cannot guarantee the issuance of a clean opinion, he or she has a professional responsibility to use best efforts to develop an audit approach capable of compensating for existing audit obstacles. Where the auditor is unable to develop such an audit approach, he or she should provide recommendations that will enable the auditee to effectively address audit obstacles and issues to enable the issuance of an unmodified opinion in future years.
In performing the final end-of-audit evaluation of audit coverage, the auditor is also responsible for evaluating the audit team’s collective professional competence. The issuance of a qualified opinion or disclaimer (modified opinion) due to a faulty audit approach that failed to provide sufficient coverage can never justify or compensate for poor audit execution on the part of the audit team. Thus, this final assessment of audit results requires an honest evaluation of the auditor’s own performance. It is the auditor’s responsibility to be candid about any shortcomings in the approach or execution and attempt to resolve these matters within the contractually agreed deadlines and/or discuss the issues, as necessary, with the auditee or other appropriate officials.
A critical closing procedure is ensuring that the auditor has adhered to professional standards. Statements on Quality Control Standards (SQCS) are issued by the AICPA Auditing Standards Board (ASB) to provide the framework for developing and maintaining an effective system of quality control. SQCS 8, A Firm’s System of Quality Control, establishes standards and provides guidance for a CPA firm’s responsibilities for its system of quality control for its accounting and auditing practice. Critical quality control issues are discussed next.
AICPA and GAO general standards both address independence. Certified public accountants (CPAs) performing audits for governmental units are subject to these standards, as well as the standards imposed by the applicable state commission with jurisdiction over the audit. CPAs are bound to follow, and should be aware of, all applicable standards. Paragraph 3.02 of GAO’s Government Auditing Standards (2011 revision; Yellow Book) states:
In all matters relating to the audit work, the audit organization and the individual auditor, whether government or public, must be independent.
Further, GAO standards explain that independence comprises:
The 2011 revision of GAO’s Government Auditing Standards added a conceptual framework approach for independence to provide a way for auditors to assess auditor independence in unique circumstances that may exist and are not expressly prohibited. The conceptual framework is applied at the audit organization, engagement, and individual auditor level to:
The conceptual framework describes threats to independence, such as providing nonaudit services, as circumstances that could impair independence. Further, safeguards are defined as controls that eliminate or reduce to an acceptable level a threat’s potential to impair independence. The revision clarified the requirements for continuing professional education (CPE), including highlighting the distinction between internal and external specialists. The recent revision also clarifies for internal specialists that training in areas of auditing, the government environment, or the specific or unique environment in which the audited entity operates is required.
The standards for auditor independence attempts to respond to the existence of real, apparent, and perceived independence or, alternatively, impairments to independence. The auditor must be independent in fact as well as appearance. Although these standards apply to external auditors, most generally CPAs, the independence standards of the profession hold all practitioners, regardless of their employer, to similar standards. For auditors employed by a government, the independence issue would not often arise with respect to most audit assignments. But, except for the Yellow Book provisions, the standards provide minimal or no guidance to auditors employed by the government with respect to their independence.
In general, audit organizations will have developed internal quality control procedures to monitor compliance with independence rules. As a matter of practice, no audit organization will or should accept an audit engagement without first performing verification procedures to ensure that past or present endeavors and/or relationships do not compromise or appear to compromise the organization’s independence. Similarly, audit staff should not be assigned to the audit without first ensuring that the individual auditors are free of independence impairments and that they remain free of impairments throughout the audit’s life cycle.
Currently, many government agencies receiving audit services require that the audit organization represent that it is free of independence impairments (including an explanation of what procedures are followed to make the determination). In addition, individual representations from staff members are often required. In the interest of fully documenting the auditor’s independence, quality control procedures should consider whether sufficient procedures were performed (including documentation, as discussed earlier) to ensure compliance with independence requirements.
Unlike the AICPA’s generally accepted auditing standards (GAAS), GAO’s Government Auditing Standards explicitly provides a separate fieldwork standard addressing the quality of audit documentation. Paragraph 4.15 requires that the auditor document:
All work performed by the auditor in support of his or her assertions must be documented in the work papers to substantiate the procedures and/or tests that are performed and the conclusions reached. To facilitate the review of work performed, every work plan, procedure, step, task, and/or test is to be referenced to the work paper containing or displaying evidence of the work performed, including the individual(s) who performed the procedures and/or reviewed the work. Additionally, each work paper should stand on its own, having sufficient documentation to allow the reviewer to reach the same conclusion as the individual responsible for performing the procedure. In general, well-developed work papers that fully support the auditor’s work and assertion should include these items:
During the course of an audit, internal control issues may be uncovered that impact the audit and/or must be brought to the attention of the auditee. These issues or findings include material weaknesses, significant deficiencies, and management letter comments, discussed in more detail later in this chapter. Yellow Book standards require that the documentation of these issues include:
The audit documentation also includes the auditor’s evaluation of the severity of the audit finding and whether the condition should be considered a significant deficiency or a material weakness, which will need to be included in the auditor’s report on internal controls.
Because reportable findings of this nature typically require the auditor to make a special reporting or issue related documentation, the audit documentation in support of the finding must also include a description of the actions the auditee should take to address the finding. To the extent that the issue has been discussed with the auditee, the auditee’s response should also be documented.
GAO’s general standard addressing competence (paragraph 3.69) states:
The staff assigned to perform the audit must collectively possess adequate professional competence needed to address the audit objectives and perform the work in accordance with GAGAS.
The execution of an efficient and effective audit requires a staff size and skill mix (including specialists and subject matter experts [SMEs]) commensurate with the requirements of the audit’s magnitude, scope, and complexity. Typically, the level of individuals assigned to a specific engagement will range from junior or staff-level personnel to partner or equivalent-level professionals in a governmental audit organization. The determination and assignment of the number, quality, and type of staff (including specialists and SMEs) required should occur as early as possible during the planning phase of the engagement. This determination is based on risk assessments and other matters of professional judgment.
The successful execution of an audit requires audit procedures to be delegated to auditors with the requisite skill and experience. The next summary describes responsibilities typically associated with the different levels found in an audit. The discussion addresses the traditional partner, manager, senior accountant, and staff accountant hierarchy found in most commercial firms. However, it should be understood that these titles vary among firms. In addition, while government audit organizations include partner-level auditors, the title partner is clearly not appropriate for these organizations.
The AICPA’s Code of Conduct states in part, that “due care requires a member to . . . supervise adequately any professional activity for which he or she is responsible.” Procedures must be in place to ensure that all work performed is reviewed at various stages of the audit. Although practice varies somewhat from engagement to engagement depending on the circumstances and the competence/experience level of seniors and staff, a sound supervision approach will ensure that, at a minimum, all work papers and reports prepared by staff auditors are reviewed by audit senior(s) and/or the audit manager. This review takes place continually, as the audit progresses, and not just at the conclusion of audit fieldwork.
Procedures should require that all work papers prepared by the audit senior are reviewed by the audit manager and/or partner or governmental audit director and that all work papers prepared by the audit manager are reviewed by the audit partner or governmental audit director. In addition, a second partner or governmental audit director should review all original work prepared by partners or governmental audit directors, and all work products and reports should be independently reviewed by a partner or governmental audit director with no other involvement in the audit. This same individual could also be responsible for the review of original audit work papers developed by the partner(s) participating in the audit. Finally, it is important that work paper documentation clearly shows the review process (e.g., by requiring individuals reviewing the work to sign the work paper, either manually or through electronic documentation tools, and state their agreement with the conclusions reached, when applicable, and/or completeness of the procedures performed).
The AICPA and GAO both recognize the importance of staying abreast of developments affecting Federal auditing and accounting. As a means to achieving this perpetual competence, CPE requirements beyond those contained in the AICPA’s GAAS have been imposed by GAO on all audits performed in accordance with Yellow Book standards. In addition, the AICPA and state agencies having jurisdiction over CPA licenses also issue CPE requirements. The auditor must be aware of these requirements and ensure compliance with both or all.
It is important that during the planning Phase I, the auditor consider whether all personnel assigned to the audit are in compliance with Government Auditing Standards and other applicable CPE requirements (or will be by the completion of the audit). As a matter of routine, closing procedures should ensure that audit work papers sufficiently document compliance with CPE requirements for all participating professionals subject to the requirements. In the words of GAO (paragraph 3.76), these continuing professional education requirements apply to all auditors performing work under GAGAS, including auditors planning, directing, performing fieldwork, or reporting on an audit or attestation engagement subject to GAGAS. These individuals must complete, every two years, at least 24 hours of CPE that directly relates to government auditing, the government environment, or the specific or unique environment in which the audited entity operates.
In general, reports issued in connection with audits of Federal Agencies in accordance with GAO and OMB requirements, particularly OMB Bulletin 07-04, must include:
The appendix to this chapter provides examples of selected reports. The reports on financial statements, internal controls, and compliance with laws and regulations may be combined into one or two reports.
The auditor’s report should state whether the department or agency’s principal financial statements (including related notes) are fairly stated in all material respects in accordance with the GAAP, which, as noted in earlier chapters, are promulgated by Federal Accounting Standards Advisory Board (FASAB). The auditor’s report must comply with AICPA guidance, specifically sections AU-C 700, 705, and 706. The auditor’s opinion or report usually covers these principal statements:
In addition to the listed statements, the auditor will report on required supplementary information, including:
Generally, contracts for audit issued by a Federal department or agency require that audit reporting procedures follow the GAO FAM. Unless the auditor has been engaged to audit the required supplementary information, the auditor must mention that limited procedures were performed (e.g., inquiries of management) and disclaim an opinion on the information.
The specific audit opinion issued on the financial statements depends on the auditor’s findings and ability to validate the implicit and explicit assertions by agency management with respect to its financial statements. An unmodified, or clean, audit opinion cannot be issued given any of these circumstances:
The accounting and financial reporting contained in the principal financial statements of Federal departments and agencies—that is, the GAAP for Federal entities—were initially delineated by FASAB. During the 1990s, Congress, in several laws, codified FASAB’s standards and detailed other financial management requirements for examination and report during an annual audit. Soon after, OMB, by its circulars and bulletins relative to Federal Agency financial statements, duplicated the congressional financial reporting criteria, prescribed additional guidance, and imposed other requirements to be implemented during the annual financial reporting phase.
Federal auditing requirements—GAAS for Federal audits—are structured in a somewhat similar fashion. The auditor of a Federal entity must adhere to all of the AICPA’s GAAS plus the additional standards required by GAO’s Government Auditing Standards, and requirements imposed on Federal audits by OMB in its circulars and bulletins (of particular note is Bulletin 07-04, which imposes more detailed audit procedures and provides sample audit opinions and audit assurance requirements).
In many ways, the auditor’s report on Federal financial statements parallels the auditor’s report on the financial statements of an organization in the private sector. However, differences do exist and will continue to arise as Congress identifies issues that require examination and reporting. To ensure the currency of compliance with emerging Federal audit requirements, auditors must annually examine OMB and GAO issuances as well as those of agency Inspectors General for emerging issues warranting audit coverage.
The content of the standard (unmodified) independent auditor’s report is set forth in AU-C 700 and includes the following elements:
(1) identifies the entity whose financial statements have been audited, (2) states that the financial statements have been audited, (3) identifies the title of each statement that the financial statements comprise, and (4) identifies the date or period covered by each financial statement that the financial statements comprise.
A statement regarding management’s responsibility for the financial statements, as well as related internal controls which promote the preparation of fairly stated statements free from material misstatement due to errors and/or fraud.
(1) A statement that the auditor is responsible for the expression of an opinion on the statements based on standards generally accepted in the United States. (2) A general description of the procedures typically used in an audit, including the auditor’s consideration of internal control. This latter consideration would be following by a disclaimer on internal controls, unless the auditor is required to issue such an opinion as is the case, for example, with most SEC filings.
The standard (unmodified) report concludes with an opinion that the statements are fairly stated in accordance with Generally Accepted Accounting Principles.
As noted in Chapter 6, the requirements for the end of fieldwork were modified in SAS 103. According to SAS 103, the report date is the date when all required data to support an opinion (including supervisory review) on the financial statements have been obtained.
All of the information above will typically appear on an unqualified report on Federal financial statements. However, the report on Federal financial statements is more extensive and is required to refer to the requirements set forth by GAGAS, as well as OMB audit guidance. In addition to reporting on financial statements, audits of Federal Agencies require that the auditor report on the results of tests performed on internal controls, as well as tests of compliance with Federal laws, policies, and regulations. The Reports on Internal Controls and Compliance with Laws and Regulations may be combined with the Report on the Financial Statements or may be issued separately.
By way of clarification, it is important to note that in the Federal arena the authoritative body for U.S. Generally Accepted Accounting Principles is the Federal Accounting Standards Advisory Board (FASAB), while for private sector entities it is the Financial Accounting Standards Board (FASB).
The report on internal controls (like the report on compliance with laws and regulations, discussed next) is a unique requirement of governmental auditing. GAAS require only that reportable conditions (including material weaknesses) relative to internal controls are disclosed, and then only to an audit committee or, in its absence, the board of directors and/or appropriate management levels. Further, while the AICPA’s GAAS state that written communication is preferable, this is not a requirement as long as the verbal communication is documented in the work papers. When auditing a Federal entity, however, such practices with respect to reporting on controls are not acceptable.
The second reporting standard of Government Auditing Standards requires that:
When providing an opinion or a disclaimer on financial statements, auditors should include in their report on the financial statements either a: (1) description of the scope of the auditors’ testing of internal control over financial reporting and compliance with laws, regulations, and provisions of contracts or grant agreements and the results of those tests or an opinion, if sufficient work was performed, or (2) reference to the separate report(s) containing that information. If auditors report separately, the opinion or disclaimer should contain a reference to the separate report containing this information and state that the separate report is an integral part of the audit and should be considered in assessing the results of the audit.
Further, OMB Bulletin 07-04 sets forth these requirements for the auditor’s internal control report required in relation to a financial statements audit of a Federal entity:
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented or detected and corrected on a timely basis. With respect to both significant deficiencies and material weaknesses, auditors must ensure that the applied definitions are required to be employed by the conditions or auditing standards noted in the audit engagement contract. At times, the applied definitions related to these circumstances have varied among Congress (in its laws), OMB (in its circulars and bulletins relating to Federal audits), GAO (in its guidance and auditing standards), and Internal Control—Integrated Framework of the Treadway Commission of the Committee of Sponsoring Organizations (COSO), which has been adopted by the Federal Government as guidance for its practices.
The auditor’s report on internal controls should include each of the elements discussed next.
The initial paragraph of the auditor’s report on an agency’s internal controls must state that an audit was made of the agency’s principal financial statements as of and for the fiscal years audited and that the auditor has issued an audit report thereon, citing the date of that audit report. The auditor must report that the audit was conducted in accordance with the AICPA’s GAAS; the standards applicable to financial audits contained in the Government Auditing Standards, issued by the Comptroller General of the United States; and OMB’s applicable circulars and bulletins.
The auditor is required to mention that when planning and performing the financial statement audit, the agency’s internal control over financial reporting was considered by:
Auditors are permitted to limit internal control testing to those controls necessary to achieve the internal control objectives described in OMB Bulletin 07-04.
Although not stated, no specific audit or special examination is required to be made of the entity’s controls, separate from tests made to audit the agency’s financial statements. The controls information reported on are data compiled in conjunction with the audit of the financial statements.
These paragraphs of the report on internal controls contain comments on limitations of tests performed and disclaimers to the effect that no audit opinion is provided on an agency’s controls. Some of the more common language includes:
In these paragraphs, more than one statement is made to the effect that the current objective of testing controls is not to provide an assurance or an audit opinion on internal controls. However, if the auditor notes significant weaknesses when testing internal controls as part of the audit of the financial statements, these deficiencies must be described and reported in the auditor’s report on internal controls. Government Auditing Standards require that these control deficiencies be reported, even though the conditions may have been immediately corrected by the agency. In contrast, if similar control deficiencies were noted in an audit of a private sector entity, the AICPA’s GAAS would not require the auditor to make a reporting in the audit report.
With respect to the auditor’s report on a Federal Agency’s compliance with laws and regulations, the auditor must look to OMB rather than the AICPA for guidance. OMB Bulletin 07-04 sets forth these requirements for the internal control report:
In connection with noncompliance with the Federal Financial Management Improvement Act (FFMIA), the auditor’s report should:
An auditor’s report on compliance with laws and regulations that could have a direct and material effect on the financial statements is not a requirement for conformance with the AICPA’s GAAS. Like the report on internal controls, this report is another distinguishing criteria imposed by Government Auditing Standards. Only Government Auditing Standards require the auditor to report on the results of tests of compliance with laws and regulations.
The second GAGAS reporting standard states that when providing an opinion or disclaimer on financial statements, auditors should include in their report on the financial statements either:
The standards of both the AICPA and GAO require the testing of any transaction (whether laws, regulations, contracts, grant agreements, financial covenants, etc.) that could have a direct and material effect on the financial statements. However, only GAO’s Government Auditing Standards require the auditor to report on the fact that tests were made for compliance.
The auditor’s report on compliance with laws and regulations should include each of the elements discussed next.
Reference is made to the audited principal financial statements in the introductory paragraph, as tests for compliance with laws and regulations are typically made in conjunction with an audit of an agency’s financial statements. In a sense, this audit report, like the earlier report on controls, is a by-product of tests and audit procedures employed during the overall audit of the Federal entity’s financial statements. To comply with Government Auditing Standards, a separate audit need not be made, nor a separate examination undertaken, to test a Federal entity’s compliance with laws and regulations that could have a direct and material effect on the financial statements. Government Auditing Standards require that there be a separate reporting of the tests made and of the results of those tests.
To comply with GAO’s standards, the auditor must report on the tests performed relative to the entity’s compliance with provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts and regulations of OMB Bulletin 07-04 as well as requirements referred to in the FFMIA.
In the compliance report, the auditor disclaims an audit opinion and audit assurances with respect to compliance with certain provisions of laws and regulations stating that an audit opinion on compliance was not an objective of the financial statement audit. In addition, the auditor notes that tests were not made in compliance with all laws and regulations applicable to the Federal entity.
Alternatively, though, the auditor is required to provide an audit assurance (a positive assurance) on the results of these tests. For example, this assurance might read:
The results of our tests of compliance with the laws and regulations . . . disclosed no instances of noncompliance with the laws and regulations that are required to be reported under Government Auditing Standards and OMB Bulletin No. 07-04.
Concurrently, though, the auditor provides a disclaimer:
Providing an opinion on compliance with certain provisions of laws and regulations was not an objective of our audit and, accordingly, we do not express such an opinion.
As a matter of practice, both the report on compliance and the report on internal control should include management’s responses indicating concurrence or disagreement and, when applicable, future corrective efforts.
The issuance of a combined auditor’s report encompassing the Auditor’s Report on Federal Financial Statements, the Report on Internal Controls, and the Report on Compliance with Laws and Regulations is also acceptable.
The management letters transmitted by the auditor to the auditee may cover any areas identified during the audit that need not be disclosed in the report on internal controls, but where, in the auditor’s opinion, opportunities for improvements in internal controls and/or an operating efficiency exist.
The Department of the Treasury is responsible for the preparation of the consolidated financial statements of the executive branch of the United States Government. OMB Bulletin 07-04 requires those agencies significant to the preparation of the financial report of the U.S. government to submit special-purpose financial statements to the Department of the Treasury.
The special-purpose financial statements include reclassified balance sheets, statements of net cost and changes in net position, and accompanying notes. They are designed to facilitate the government-wide financial statement consolidation process at the Treasury. The audit scope for these agencies must be designed to ensure that the audited statements of these agencies are reclassified in accordance with the Treasury’s requirements. A sample report is included in OMB Bulletin No. 07-04 and is presented in the appendix to this chapter.
This appendix includes illustrations of selected auditor’s reports to be issued in connection with audits of Federal Agencies. The illustration of the auditor’s opinion on the special-purpose Financial Statements was reproduced from OMB’s Bulletin 07-04, Audit Requirements for Federal Financial Statements.
The reports are:
To the [Agency Head] and Inspector General of [Agency]
We have audited the accompanying consolidated balance sheets of the [Agency] as of September 30, 20X2, and 20X1, and the related consolidated statements of net costs, changes in net position, and combined statements of budgetary resources (hereinafter referred to as the “financial statements”) for the year then ended.
Management is responsible for the preparation and fair presentation of these financial statements in accordance with accounting principles generally accepted in the United States of America; this includes the design, implementation, and maintenance of internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to fraud or error.
Our responsibility is to express opinions on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America, the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. Accordingly, we express no such opinion. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of significant accounting estimates made by management as well as evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our audit opinions.
In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the respective financial position of the [Agency] as of September 30, 20X2, and 20X1, and its net cost of operations, changes in net position, and budgetary resources for the years then ended, in conformity with accounting principles generally accepted in the United States of America.
Accounting principles generally accepted in the United States of America require that the Management’s Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by OMB Circular A-136, Financial Reporting Requirements, and the Federal Accounting Standards Advisory Board who considers it to be an essential part of the financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquires, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.
Our audits were conducted for the purpose of forming an opinion on the consolidated financial statements taken as a whole. Other Accompanying Information is presented for purposes of additional analysis and is not required part of the basic financial statements. Such information has not been subjected to the auditing procedures applied in the audits of the basic financial statements, and accordingly, we do not express an opinion or provide any assurance on it.
In accordance with Government Auditing Standards and OMB Bulletin No. 07-04, as amended, we have also issued our report dated [Report Date], on our consideration of the [Agency]’s internal control over financial reporting and on our tests of its compliance with certain provisions of laws, regulations, contracts, and other matters. The purpose of that report is to describe the scope of our testing of internal control over financial reporting and compliance and the results of that testing, and not to provide an opinion on internal control over financial reporting or on compliance. That report is an integral part of an audit performed in accordance with Government Auditing Standards and OMB Bulletin No. 07-04, as amended, in considering [Entity]’s internal control over financial reporting and compliance.
[Firm’s signature]
[City, State]
[Date]
We have audited, in accordance with the auditing standards generally accepted in the United States of America; standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended, the financial statements of the [Agency], as of and for the year ended September 30, 20X2, and the related notes to the financial statements, and have issued our report thereon dated [Report Date]. The management of the [Agency] is responsible for establishing, maintaining, and assessing internal control related to financial reporting and compliance, and assessing internal control to provide reasonable assurance that the broad control objectives of the Federal Managers’ Financial Integrity Act of 1982 (FMFIA) are met.
In planning and performing our audit of the financial statements, we considered the [Agency]’s internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the [Agency]’s internal control. Accordingly, we do not express an opinion on the effectiveness of [Agency]’s internal control over financial reporting or on management’s assertion on internal control included in Management’s Discussion and Analysis.
We limited our internal control testing to those controls necessary to achieve the OMB Bulletin No. 07-04, as amended, control objectives that provide reasonable, but not absolute assurance, that: (1) transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements in accordance with accounting principles generally accepted in the United States of America (GAAP), and assets are safeguarded against loss from unauthorized acquisition, use, or disposition; and (2) transactions are executed in compliance with laws governing the use of budget authority, Government-wide policies and laws identified in Appendix E of OMB Bulletin No. 07-04, as amended, and other laws and regulations that could have a direct and material effect on the financial statements.
Our consideration of internal control was for the limited purpose described in the preceding paragraph and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies and therefore, material weaknesses or significant deficiencies may exist that were not identified. However, as described in the accompanying schedule of findings and questioned costs we identified certain deficiencies in internal control that we consider to be material weaknesses and significant deficiencies.
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. We consider the deficiencies summarized in the following paragraphs to be material weaknesses.
[List the material weaknesses.]
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. We consider the deficiencies summarized in the following paragraphs to be significant deficiencies.
[List the significant deficiencies.]
As part of obtaining reasonable assurance about whether the [Agency]’s financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin No. 07-04, as amended, that we determined were applicable. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed instances of noncompliance or other matters that are required to be reported under Government Auditing Standards and OMB Bulletin No. 07-04, as amended, and which are summarized in the following paragraphs.
[List the noncompliance items.]
[Agency]’s response to the findings identified in our audit is described in the accompanying schedule of findings and questioned costs. [Agency]’s response was not subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.
The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control and compliance. Accordingly, this communication is not suitable for any other purpose.
[Firm’s signature]
[City, State]
[Date]
We have audited the accompanying reclassified balance sheets as of September 30, [insert years] and the related reclassified statements of net cost and changes in net position for the year then ended, and the statements of social insurance (if applicable) (hereinafter referred to as the special-purpose financial statements) contained in the special-purpose closing package of [Agency]. These special-purpose financial statements are the responsibility of [Agency]’s management. Our responsibility is to express an opinion on these special-purpose financial statements based on our audit.
We conducted our audit in accordance with auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in U.S. Government Auditing Standards, issued by the Comptroller General of the United States; and, Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the special-purpose financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the special-purpose financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall special-purpose financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.
The accompanying special-purpose financial statements and accompanying notes contained in the special-purpose closing package have been prepared for the purpose of complying with the requirements of the U.S. Department of the Treasury’s Financial Manual (TFM) Volume I, Part 2, Chapter 4700, as described in note X, solely for the purpose of providing financial information to the U.S. Department of the Treasury and U.S. Government Accountability Office to use in preparing and auditing the Financial Report of the U.S. Government, and are not intended to be a complete presentation of [Agency]’s financial statements.
In our opinion, the special-purpose financial statements and accompanying notes referred to above present fairly, in all material respects, the financial position of [Agency] as of September 30, [Year], and its net costs and changes in net position for the year then ended, and the statements of social insurance (if applicable) in conformity with accounting principles generally accepted in the United States of America and the presentation pursuant to the requirements of the TFM Chapter 4700.
The information included in the Other Data is presented for the purpose of additional analysis and is not a required part of the special-purpose financial statements, but is supplementary information required by the TFM Chapter 4700. We have applied certain limited procedures, which consisted principally of inquiries of management regarding methodology and presentation of this information. We also reviewed such information for consistency with the related information presented in [Agency]’s financial statements. However, we did not audit this information, and accordingly, we express no opinion on it.
In accordance with U.S. Government Auditing Standards and OMB Bulletin No. 07-xx, we have also issued reports dated [Report Date] on our consideration of [Agency]’s internal control over financial reporting and its compliance with certain provisions of laws and regulations. Those reports are an integral part of an audit of general-purpose financial statement reporting performed in accordance with U.S. Government Auditing Standards and OMB Bulletin No. 07-04, as amended, and should be read in conjunction with this report in considering the results of our audit.
In planning and performing our audit of the special-purpose financial statements, we also considered [Agency]’s internal control over the financial reporting process for the special-purpose financial statements and compliance with the TFM Chapter 4700. Management is responsible for establishing and maintaining internal control over financial reporting, including Other Data, and for complying with laws and regulations, including compliance with the TFM Chapter 4700 requirements.
Our consideration of internal control over the financial reporting process for the special-purpose financial statements would not necessarily disclose all matters in the internal control over the financial reporting process that might be significant deficiencies. Under standards issued by the American Institute of Certified Public Accountants, significant deficiencies are deficiencies in internal control, or a combination of deficiencies, that adversely affects [Agency]’s ability to initiate, authorize, record, process, or report financial data reliably and in accordance with accounting principles generally accepted in the United States of America such that there is more than a remote likelihood that a misstatement of the special-purpose financial statements being audited that is more than inconsequential will not be prevented or detected. Material weaknesses are significant deficiencies, or a combination of significant deficiencies, that result in a more than remote likelihood that material misstatements in relation to the special-purpose financial statements being audited will not be prevented or detected.
We found no material weaknesses in internal control over the financial reporting process for the special-purpose financial statements, and our tests of compliance with the TFM Chapter 4700 requirements disclosed no instances of noncompliance that are required to be reported under U.S. Government Auditing Standards and OMB Bulletin No. 07-04, as amended. However, providing opinions on internal control over the financial reporting process for the special-purpose financial statements or on compliance with the TFM Chapter 4700 requirements were not objectives of our audit of the special-purpose financial statements and, accordingly, we do not express such.
[Signature]
[Report Date]
1 The AICPA is currently engaged in a clarification and recodification effort that will replace the current AUs. The term AU-C refers to section numbers that have replaced AUs. Once this effort is completed (anticipated for 2014), all references will revert back to AU.