8/7/2019 Financial Internal Audit
1/507
July 2001 GAO/PCIE Financial Audit Manual Forward-1
Financial Audit Manual
Foreword
On behalf of the General Accounting Office (GAO) and the Presidents Council on Integrityand Efficiency (PCIE), we are pleased to present the first-ever GAO/PCIE Financial Audit
Manual.
With passage of the Government Management and Reform Act of 1994, executive branchInspectors General and GAO gained statutory responsibility for auditing agency andgovernment-wide consolidated financial statements, respectively. Since that time, GAO andthe PCIE community have worked cooperatively to ensure that these audits are of thehighest possible quality, consistency, and cost-effectiveness. This manual is a naturaloutgrowth of that cooperation. More importantly, the new manual represents our ongoingefforts to ensure that financial statement audits achieve their intended outcomes ofproviding enhanced accountability over taxpayer-provided resources.
We extend our thanks to the many individuals and organizations that provided commentsand insights to make the manual stronger. The Task Force assembled by GAO and the PCIEalso deserves much credit for its dedication to completing this project.
Jeffrey C. Steinhoff The Honorable Gregory H. FriedmanManaging Director Chair, Audit CommitteeU.S. General Accounting Office Presidents Council on Integrity
and Efficiency
8/7/2019 Financial Internal Audit
2/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
3/507
CONTENTS
8/7/2019 Financial Internal Audit
4/507
[This pa ge int ent iona lly left blan k]
8/7/2019 Financial Internal Audit
5/507
CONTENTS
J uly 2001 GAO/PCIE Financia l Audit Manual Con ten ts-1
100 INTRODUCTION
200 P LANNING P HASE
210 Overview
220 Un dersta nd th e E nt ity's Opera tion s
225 P er for m P r elim in a ry An a lyt ica l P r oced ur es
230 Det er m in e P la n n in g, Des ign , a n d Test Ma t er ia lit y
235 Ident ify Significant Line It ems , Accounts , Assert ions , and
RSSI
240 Ident i fy Significant Cycles, Account ing Applicat ions , and Financial
Management Systems
245 Ident ify Significant Provis ions of Laws and Regula t ions
250 Iden tify Releva nt Bu dget Rest rict ion s260 Ident ify Risk Factors
270 Determine Likelihood of Effect ive Informat ion Sys tem Cont rols
275 I den t ify Relevan t Oper a t ions Con t r ols to Eva lua t e and Tes t
280
285
Plan Other Audit Pr ocedures
Inquiries of Attorneys
Management Representations
Related P ar ty Transa ctions
Sensitive Paymen ts
Reaching an Underst an ding with Man agement an d Requesters
Other Audit RequirementsPla n Locat ions t o Visit
290 Documenta t ion
Appen dixes to Sec t ion 200:
295 A Pot en t ia l I nher en t Ris k Cond it ions
295 B Potent ial Control Environment , Risk Assessment , Communicat ion ,
and Monitoring Weaknesses
295 C An Approach for Mult iple-Locat ion Audits
295 D Inter im Substant ive Test ing of Balance Sheet Accounts
295 E Effect of Risk on Extent of Audit Procedures
295 F Types of Informat ion Sys tem Cont rols
295 G Bu dget Con trols
295 H Laws Ident ified in OMB Audit Guidance and Other General Laws
295 I Examples of Auditor Responses to Fraud Risk Factor s
295 J Steps in Assess ing Informat ion Sys tem Cont rols
8/7/2019 Financial Internal Audit
6/507
Contents
J uly 2001 GAO/PCIE Financia l Audit Manual Content s-2
300 INTERNAL CONTROL P HASE
310 Overview320 Un der sta nd In form at ion Syst em s
330 Iden tify Con tr ol Object ives
340 I den t ify and Unders tand Relevan t Con t r ol Act ivit ies
350 Det er mine t he Na t ur e, Timing, and Ext en t of Con t r ol Tes ts and of
Tests for Syst ems' Complian ce with F FMIA Requirement s
360 Per for m Nonsampling Con t r ol Test s and Tes ts for Sys tems '
Complian ce with F FMIA Requiremen ts
370 Assess Con tr ols on a P relim in ar y Ba sis
380 Other Considera t ions
390 Documenta t ionAppen dixes to Sect ion 300:
395 A Typical Relat ionships of Accounting Applications to Line
Items/Accounts
395 B Fina ncial Sta tement Assertions an d Potential
Misstatements
395 C Typ ica l Con t r ol Act ivit ie s
395 D Selected Sta tu tes Relevant to Budget Execut ion
395 E Bu dget Execu t ion Pr ocess
395 F Bu dget Con t rol Object ives
395 F
Sup
Budget Control ObjectivesFeder al Credit Reform Act Su pplement
395 G Rot a t ion Tes ting of Con t r ols
395 H Specific Cont rol Evaluat ion Worksheet
395 I Accou n t Risk An a lysis F or m
8/7/2019 Financial Internal Audit
7/507
Contents
J uly 2001 GAO/PCIE Financia l Audit Manual Con ten ts-3
400 TESTING P HASE
410 Overview420 Con sid er th e N a tu r e, Tim in g, a n d E xt en t of Test s
430 Design Efficien t Tests
440 P erform Tests an d E va lu ate Resu lt s
450 Sampling Control Tests
460 Compliance Test s
470 Substant ive TestsOverview
475 Su bst an tive An alyt ica l P rocedu res
480 Substant ive Deta il Tests
490 Documenta t ion
Appen dixes to Sec t ion 400:495 A Determining Whether Substant ive Analyt ical Procedures Will Be
Efficient and Effective
495 B Example Procedures for Tes ts of Budget Informat ion
495 C Gu id an ce for In t er im Test in g
495 D Example of Audit Matr ix with Stat is t ical Risk Factors
495 E Sampling
495 F Manua lly Select ing a Dolla r Un it Sampling
8/7/2019 Financial Internal Audit
8/507
Contents
J uly 2001 GAO/PCIE Financia l Audit Manual Content s-4
500 REP ORTING P HASE
510 Overview520 P er for m Over all An alyt ica l P rocedu res
530 Det er mine Adequacy of Aud it P r ocedur es and Audit Scope
540 Evalua te Missta tements
550 Con clu de Ot her Au dit P rocedu res
Inqu iries of Att orneys
Subsequent Events
Management Representations
Relat ed Par ty Tran sactions
560 Det er m in e Con for m it y Wit h Gen er a lly Accep ted
Accoun tin g Pr inciples570 Det er min e Com plia n ce wit h GAO/P CIE Financial Audit Manu al
580 Draft Repor t s
Financial Sta tements
Intern al Cont rol
Fina ncial Management Systems
Complian ce with Laws an d Regula tions
Oth er In forma tion in th e Accoun ta bility Report
590 Documenta t ion
Appen dixes to Sect ion 500:
595 A E xa m ple Au dit or 's Repor tUnqualified595 B Sugges ted Modificat ions to Auditor 's Repor t
595 C Example Summary of Possib le Adjus tments
595 D Example Summary of Unadjust ed Mis st a t emen t s
APPENDIXES
A Consulta t ions
B In st an ces Wh er e t he Au dit or "Mu st " Com ply wit h t he F AM
GLOSSARY
ABBREVIATIONS
INDEX
8/7/2019 Financial Internal Audit
9/507
SECTION 100
Introduction
8/7/2019 Financial Internal Audit
10/507
Figu re 100.1: Meth odology Overview
Pl anni ng Phas e Section Understand the en tity's operat ions 220
Perform preliminary analyt ical procedures 225
Determine planning, design, and test mater ia lity 230
Iden tify s ign ifica nt lin e it em s, a ccou nt s, a sser tion s, a nd RSSI 235 Ident ify significan t cycles, accountin g applications, an d finan cial
management systems 240
Ident ify sign ificant provisions of laws and regulat ions 245
Ident ify relevant budget rest r ict ions 250
Assess r isk factors 260
Det er min e likelih ood of effect ive in for ma tion syst em con tr ols 270
Ident ify relevant opera t ions cont rols to evaluate and test 275
Plan other audit procedures 280
Plan loca tions to visit 285
Internal Control Pha se Section Understand informat ion systems 320
Ident ify con t rol object ives 330
Ident ify and understand relevant cont rol act ivit ies 340
Determ ine the n at ure, timing, and extent of cont rol tests an d of tests
for systems compliance with FFMIA requirements 350
Per form nonsa mpling cont rol tes ts a nd t ests for syst ems complian ce
with FFMIA requirements 360
Assess cont rols on a preliminary basis 370
Testing Ph ase Section Consider the nature, t iming, and extent of test s 420
Design efficien t test s 430
Perform tests and evaluate result s 440
Sampling cont rol test s 450
Compliance test s 460
Substant ive test s 470
Substant ive analyt ica l procedures 475
Substant ive deta il tests 480
Report ing P hase Section Perform overa ll analyt ica l procedures 520 Determine adequacy of audit procedures and audit scope 530
Evaluate missta tements 540
Conclude other audit procedures: 550
Inquire of attorneys
Consider subsequent events
Obtain mana gement representations
Consider related par ty tra nsa ctions
Determine conformity with generally accepted accounting principles 560
Determine compliance with GAO/PCIE Financial Audit Manu al 570
Draft repor ts 580
8/7/2019 Financial Internal Audit
11/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-1
.01 This int roduction provides a n overview of th e m eth odology of the Genera lAccoun tin g Office (GAO) an d t he P residen ts Council on I n tegr ity and
Efficiency (PCIE) for performing financial statement audits of federal
ent ities, describes how th e meth odology relat es to relevan t a uditin g and
at testat ion stan dards an d Office of Mana gement a nd Budget (OMB)
guidan ce, an d outlines k ey issues to be considered in u sing th e met hodology.
OVERVIEW OF THE METHODOLOGY
.02 The overa ll pur poses of perform ing finan cial sta tem ent au dits of federa lent ities include providing decisionm ak ers (finan cial sta tem ent user s) withassur an ce as to wheth er th e finan cial stat ements a re reliable, interna l
cont rol is effective, an d laws an d regula tions ar e complied with . To achieve
th ese purposes, th e appr oach to federa l fina ncial stat emen t au dits involves
four ph ases:
Plan th e au dit to obta in relevant inform at ion in t he m ost efficient
manner .
Eva luat e th e effectiveness of th e ent ity's int ern al cont rol and, for Ch ief
Fin an cial Officers (CFO) Act Agencies an d component s designa ted byOMB, whether financial management systems substantially comply with
the r equirements of th e Federal Fina ncial Mana gement Improvement
Act of 1996 (FF MIA): federa l finan cial ma na gement systems
8/7/2019 Financial Internal Audit
12/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-2
requirements, applicable federal accounting standards,1
and the U.S.
Government Standard General Ledger(SGL) at th e tra nsa ction level.2
Test th e significan t assertions r elat ed to the finan cial statem ents a nd
test complian ce with la ws and r egulat ions.
Report th e result s of au dit procedur es perform ed.
These phases a re illustr at ed in figure 100.1 an d a re sum ma rized below.3
Planning Phase
.03 Although pla nn ing cont inu es th roughout t he a udit, th e objectives of th isinitial pha se ar e to identify significan t a rea s an d to design efficient a udit
procedur es. To accomplish th is, th e meth odology includes guida nce to help in
understanding the entity's operations, including its organization,
ma na gement style, an d intern al an d externa l factors influencing the
operat ing environm ent;
identifying significan t accoun ts, a ccoun ting applicat ions, a nd finan cial
management systems; important budget restrictions, significant
1 In October 1999 th e American Inst itut e of Certified Pu blic Accoun ta nt s(AICPA) recognized the Federal Accounting Standards Advisory Board
(FASAB) as th e a ccoun ting st an dar ds-sett ing body for federal govern men t
ent ities under Rule 203 of th e AICPAs Code of Pr ofessional Cond uct. Thu s,
FASAB sta nda rds a re r ecognized as gener ally accepted a ccoun ting pr inciples
(GAAP) for federa l entities. FASAB stan dar ds (Sta tem ent of Feder al
Fina ncial Accoun ting St an dar ds No. 8, para gra ph .40) allow governm ent
corporat ions a nd certa in other federal ent ities to report u sing GAAP issued
by the F inan cial Accoun ting St an dar ds Boar d (FASB).
2Testin g for FF MIA is most efficient ly accomplished, for t he m ost pa rt , as
part of the work done in un derstan ding agency systems in th e Intern al
Cont rol pha se of th e au dit.
3The m eth odology present ed is for per form an ce of a finan cial sta tem ent au dit.
If the a uditor is to use t he work of an oth er a udit or, see FAM section 650
(under revision).
8/7/2019 Financial Internal Audit
13/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-3
provisions of laws a nd regula tions; an d relevan t cont rols over th e ent ity's
operations;
det erm ining th e likelihood of effective informa tion syst ems (IS) contr ols;
perform ing a prelimina ry risk assessm ent t o identify high-risk ar eas,
including considering t he r isk of fra ud; an d
plan ning ent ity field locat ions to visit.
Intern al Cont rol Ph ase
.04 This phase ent ails evalua ting an d testing interna l contr ol to support th eau ditor's conclusions about th e a chievemen t of the following inter na l control
objectives:
Reliability of fina ncial reportin gtr an sactions ar e pr operly r ecorded,
processed, an d summ ar ized to perm it the pr epar at ion of th e principal
stat ements a nd r equired supplementa ry stewardship informa tion (RSSI)
in accordance with generally accepted accounting principles (GAAP), and
asset s are sa feguar ded again st loss from un au th orized acquisition, use,
or disposition.
Complian ce with a pplicable laws and r egulat ionstra nsa ctions areexecut ed in accordan ce with (a) laws governing th e u se of budget
au thority and other laws an d regulations th at could ha ve a direct a nd
ma ter ial effect on th e principal sta tem ent s or RSSI an d (b) an y oth er
laws, regula tions, an d govern men twide policies identified by OMB in its
au dit guidance.
OMB audit guidance requires the a uditor t o test contr ols tha t h ave been
properly designed to achieve th ese objectives an d placed in opera tion, t o
support a low assessed level of cont rol risk. This ma y be enough testin g to
give an opinion on int ern al cont rol. GAO au dits sh ould be designed t o give
8/7/2019 Financial Internal Audit
14/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-4
an opinion on int ern al cont rol.4
If the a uditor does not give an opinion,
genera lly accepted governm ent a uditin g stan dar ds (GAGAS) requ ire the
report t o sta te whet her test s were sufficient t o give an opinion.
.05 OMBs a udit guidan ce includes a th ird objective of inter na l cont rol, relat ed toperforma nce measur es. The auditor is required to un derstan d the
componen ts of inter na l cont rol relating to th e existen ce an d completen ess
assertions a nd t o report on int erna l contr ols tha t h ave not been properly
designed a nd placed in operat ion, ra th er th an to test cont rols.
.06 This ma nu al also provides guidance on evalua ting inter na l controls relat ed toopera ting objectives tha t th e aud itor elects to evalua te. Such cont rols include
those related to safeguarding assets from waste or preparing statistical
reports.
.07 To evaluate int erna l contr ol, the au ditor identifies and u ndersta nds t herelevant cont rols an d test s th eir effectiveness. Where cont rols ar e considered
to be effective, the exten t of subst an tive testin g can be redu ced.
.08 The methodology includes guidance on as sessing specific levels of contr ol risk,
selecting controls to test,
determining the effectiveness of IS controls, and
testin g cont rols, including coordina ting cont rol tests with th e testin g
phase.
.09 Also, durin g th e inter na l cont rol phase, for CF O Act a gencies an d th eircomponen ts iden tified in OMBs a udit guidan ce, the au ditor should
un derstan d th e entitys significan t fina ncial ma na gement systems a nd test
their compliance with FFMIA requirements.
4AICPA attesta tion stan dards allow th e au ditor t o give an opinion on interna l
cont rol or on m an agemen ts a ssertion a bout th e effectiveness of inter na l
cont rol (except t ha t if ma ter ial weakn esses are pr esent, th e opinion m ust be
on inter na l cont rol, not ma na gement s assert ion). The example report in th is
ma nu al a ssum es th e opinion will be on int ern al cont rol directly.
8/7/2019 Financial Internal Audit
15/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-5
Testing Pha se
.10 The objectives of th is pha se ar e to (1) obta in r easona ble assur an ce aboutwhether t he financial stat ements a re free from mat erial misstat ements,
(2) determin e whet her th e ent ity complied with significan t provisions of
app licable laws a nd regula tions, a nd (3) assess th e effectiveness of inter na l
control th rough cont rol test s tha t a re coordina ted with other t ests.
.11 To achieve these objectives, th e met hodology includes gu idan ce on designing a nd perform ing substa nt ive, complian ce, and cont rol tests;
designing and evalua ting au dit samples;
correlating risk an d ma teriality with th e nat ure, timing, an d extent of
substan tive tests; an d
designing multipurpose tests tha t use a common sa mple to test several
different controls and specific accounts or transactions.
Reporting P ha se
.12 This pha se completes th e aud it by reporting useful inform at ion a bout t heent ity, based on th e result s of au dit procedur es performed in th e preceding
pha ses. This involves developing the a uditor's report on th e entity's
(1) finan cial stat emen ts (also called Principal Sta tem ent s) an d oth er
inform a tion (ma na gemen ts discus sion a nd a na lysis [MD&A] or the overview,
RSSI, other required supplementary information, and other accompanying
inform at ion), (2) inter na l cont rol, (3) wheth er t he finan cial m an agemen t
systems su bsta nt ially comply with F FMIA requiremen ts, an d (4) complian ce
with laws an d regulat ions. To assist in th is process, th e meth odology
includes guida nce on form ing opinions on th e principal stat emen ts a nd
conclusions on int ern al cont rol, as well as h ow t o determ ine wh ich findings
should be reported. Also included is an examp le report designed t o be
un derstan dable to th e reader.
8/7/2019 Financial Internal Audit
16/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-6
RELATIONS HIP TO AP P LICABLE STANDARDS
.13 The following section describes the relationship of this audit methodology toapplicable au diting sta nda rds, OMB guidan ce, and other policyrequirements. It is organized into th ree areas:
relevan t au diting stan dards a nd OMB guidance,
au dit r equirem ent s beyond th e yellow book, an d
au diting sta nda rds an d other policies not addressed in t his man ua l.
Relevant Auditing Standa rds an d OMB Guidance
.14 This ma nu al provides a fra mework for perform ing fina ncial stat emen t au ditsin a ccorda nce with Government Auditing Standards (also known as gen era lly
accepted governm ent a uditin g stan dar ds or GAGAS) issued by the
Compt roller Gener al of th e Un ited St a tes ("yellow book"); incorporat ed
generally accepted au diting sta nda rds (GAAS) and a ttesta tion stan dar ds
esta blished by t he American In stitu te of Certified Pu blic Accoun ta nt s
(AICPA); an d OMBs a ud it gu idan ce.
.15 This man ua l describes an au dit meth odology th at both integrates th erequirements of the sta nda rds an d provides implementa tion guidance. The
met hodology is designed t o achieve
effect ive au dits by considering complian ce with th e CF O Act, F FMIA,
GAGAS, and OMB guidance;
efficient au dits by focusing a udit procedur es on a rea s of higher risk a nd
ma teriality and by providing an integrated a pproach designed to gather
evidence efficiently;
qual i ty control th rough a n a greed-upon fram ework t ha t can be followed
by all personn el; an d
consis te ncy of appl icat ion th rough a docum ent ed meth odology.
.16 The ma nu al supplemen ts GAGAS an d OMBs aud it guidance. References arema de to Stat emen ts on Auditin g Sta nda rds (preceded by the pr efix "AU") an d
Statements on Standards for Attestation Engagements (SSAE) (preceded by
8/7/2019 Financial Internal Audit
17/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-7
the pr efix "AT") of th e Codification of S tatem ents on Au diting S tandard s,
issued by th e AICPA, tha t a re incorporat ed into GAGAS.
Audit Requ irem ent s Beyond th e Yellow Book
.17 In a ddition t o meet ing GAGAS requ iremen ts, au dits of federa l entities towhich OMB's audit gu idance applies must be designed to achieve th e
following objectives d escribed in OMBs a udit guida nce:
responsibility for performing sufficient tests of internal controls that
ha ve been properly designed a nd placed in operat ion, to support a low
as sessed level of cont rol risk;
expan sion of the n at ure of contr ols that ar e evalua ted an d tested t o
include cont rols related to RSSI, budget execut ion, a nd complian ce with
laws and regulations;
responsibility to under sta nd t he componen ts of inter na l cont rol relat ing
to the existence an d completeness asser tions r elevan t t o th e perform an ce
mea sur es included in t he MD&A, in order t o report on cont rols th at ha ve
not been properly designed an d placed in operat ion;
responsibility t o consider t he en tit y's process for complying with 31
U.S.C. 3512 (th e Feder al Ma na gers' Fina ncial Int egrity Act (FMFIA));
responsibility t o perform test s at CFO Act a gencies an d componen ts
identified by OMB to report on t he en tity's finan cial ma na gement
systems' substantial compliance with FFMIA requirements;
responsibility t o test for complian ce with laws, regulat ions, a nd
govern men twide policies ident ified in OMBs au dit gu idan ce a t CF O Act
agencies (regar dless of th eir ma ter iality to th e au dit); an d
responsibility t o consider conform ity of th e MD&A, RSSI, r equir ed
supplemen ta ry inform at ion, an d oth er accompa nying inform at ion with
FASAB requiremen ts an d OMB guidan ce.
8/7/2019 Financial Internal Audit
18/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-8
.18 To help achieve th e goals of th e CFO Act, GAO au dits sh ould be designed t oachieve th e following objectives,
5in a ddit ion t o those described in OMBs
au dit guidance:
Pr ovide an opinion on inter na l cont rol.
Determ ine th e effects of missta tem ent s an d intern al cont rol weakn esses
on (1) th e achievemen t of opera tions cont rol objectives, (2) th e accur acy of
reports pr epar ed by th e entity, an d (3) th e form ula tion of th e budget.
Determ ine whet her specific cont rol activities ar e properly designed a nd
placed in operat ion, even if a poor cont rol environm ent precludes th eir
effectiveness.
Understand the components of internal control relating to the valuation
asser tion relevan t to perform an ce measu res reported in t he MD&A in
order t o report on cont rols th at ha ve not been pr operly designed an d
placed in operat ion.
Auditing Stan dards an d Oth er P olicies Not Addressed in t he Man ua l
.19 This ma nu al was designed to supplemen t fina ncial audit a nd other policiesan d procedur es adopted by GAO an d Inspectors Genera l (IGs). As such, it
was not intended to address in deta il all requirement s. For exam ple, reportprocessing is not a ddressed.
.20 Updat es to this ma nua l tha t include additiona l audit guidance and pra cticeaids, such as checklists an d au dit program s, will be issued from tim e to time.
GAO an d a team representing th e PCIE au dit committ ee will be responsible
for pr epar ing th e upda tes. There will be an exposur e process for significan t
updates.
KEY IMPLEMENTATION ISSU ES
.21 The a uditor sh ould consider th e following factors in applying th emet hodology to a par ticular en tity:
5
The m an ua l refers specifically to objectives of GAO au dits in var ious
sections. Such objectives are optiona l for other au dit organizat ions.
8/7/2019 Financial Internal Audit
19/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-9
audit objectives,
exercise of professiona l judgmen t,
referen ces to positions,
use of IS a uditors,
complian ce with policies and p rocedur es in th e ma nu al,
use of technical term s, and
referen ce t o GAO/PCI E Financial Audit Manu al (FAM).
Audit Objectives
.22 While cert ain federa l entities ar e not subject t o OMB audit gu idan ce,finan cial sta tem ent au dits of all federa l entities should be condu cted in
accorda nce with th is guida nce to the extent app licable to achieve th e au dit's
objectives. The ma nu al gener ally assu mes th at t he objective of th e audit is to
render an opinion on th e curr ent year financial sta tement s, a report on
inter na l cont rol, an d a report on complian ce. Where these ar e not th e
objectives, th e aud itor should use judgment in a pplying th e guidance. In
some circum sta nces, the a uditor will expect t o issue a disclaimer on t he
curren t year fina ncial stat emen ts (becau se of scope limita tions). In th ese
circumsta nces, th e au ditor may develop a m ultiyear p lan t o be able to ren der
an opinion when th e finan cial stat emen ts ar e expected to become audita ble.
Exercise of Professiona l J udgm ent
.23 In performing a financial sta tement au dit, the a uditor should exerciseprofessiona l judgment . Consequ ent ly, th e auditor should ta ilor th e guidan ce
in the ma nu al to respond to situ ations encoun tered in an au dit. However,
th e auditor must exercise judgment properly, assuring tha t, at a m inimum,
th e work m eets professiona l stan dar ds. Pr oper a pplicat ion of professiona l
judgment could resu lt in add itiona l or m ore extensive aud it procedur es tha n
described in t his man ua l.
.24 In a ddition, when exercising judgment , the au ditor should consider t he n eedsof, and consult in a timely ma nn er with, oth er a uditors who plan to use th e
work being perform ed. In tu rn , th e auditor should coordina te with oth er
au ditors whose work h e or sh e wishes to use so th at th e judgm ent s exercised
can sat isfy the needs of both au ditors. For examp le, au ditors of a
consolidated ent ity (such as the US Governm ent or a n entire depar tmen t or
agency) ar e likely to plan to use t he work of auditors of subsidiary en tities
8/7/2019 Financial Internal Audit
20/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-10
(such as individual depart ment s a nd agencies or bu reau s a nd components of
a d epar tm ent ). This coordinat ion can resu lt in m ore economy, efficiency, an d
effectiveness of government audits in general and avoid duplication of effort.
.25 Man y aspects of th e audit requ ire techn ical judgm ent s. The au ditor shouldensu re a person(s) with a dequa te techn ical expertise is (ar e) ava ilable,
especially in t he following a rea s:
quan tifying plan ning m at eriality, design m ater iality, and test
ma teriality and using ma teriality as one consideration in determining
the extent of testing (see section 230);
specifying a m inimu m level of subst an tive assur an ce based on the
assessed combined r isk, ana lytical pr ocedur es, and deta il tests (see
sections 470, 480, an d 495 D);
docum ent ing wheth er selections are sa mples (inten ded to be
repr esenta tive an d pr ojected to popula tions) or n onsa mpling selections
that are not projectible (see section 480);
using sa mpling met hods, such a s dollar -un it sam pling, classical var iables
estima tion sa mpling, or classical probability p roport iona l to size (PP S)
sam pling, for su bsta nt ive or mult ipurpose testing (including
nonstatistical sampling) (see section 480);
using sampling for cont rol testing, oth er th an at tribute sampling using
th e ta bles in section 450 to determ ine sam ple size when n ot per forming a
mu ltipurpose test;
using sa mpling for complian ce test ing of laws an d regulat ions, other t ha n
at tribute sampling using the ta bles in section 460 to determine sa mple
size when not perform ing a mu ltipurp ose test; an d
placing complete or pa rt ial reliance on a na lytical pr ocedur es, using test
ma ter iality to calculate t he limit. The limit is th e am oun t of difference
between the expected a nd r ecorded a mounts tha t can be accepted without
fur th er investigation (see section 475).
8/7/2019 Financial Internal Audit
21/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-11
References to Positions
.26 Var ious sections of th is man ua l mak e referen ce to consu ltat ion with au ditma na gement a nd/or persons with technical expert ise to obta in appr oval oradd itiona l guidan ce. Key consu ltat ions should be docum ent ed in th e audit
workp aper s. Ea ch au dit orga nizat ion should docum ent , in the work paper s or
its a ud it policy ma nu a l, the s pecific positions of persons wh o will perform
th ese fun ctions. An IG using a firm to perform an au dit in accorda nce with
th is man ua l should clar ify an d docum ent th e positions of th e persons th e firm
should consu lt in va rious circum sta nces.
Th e Assistant Direc tor is th e top person responsible for th e da y-to-daycondu ct of th e au dit.
Th e Audit Direc tor is the sen ior m an ager r esponsible for the t echn ical
quality of the fina ncial sta tement au dit, reporting t o the Assistan t
Inspector Genera l for Audit or, a t GAO, to the Ma na ging Director.
Th e Revi ewer is the sen ior m an ager r esponsible for t he qu ality of th e
au ditor's reports, reporting to the Assista nt Inspector Genera l for Audit
(or higher position) or, at GAO, is th e Man aging Director or th e second
par tn er. The Reviewer ma y consu lt with oth ers.
Th e Stat is t ician is the person t he a udit or consu lts for t echn icalexpertise in a reas such as a udit sam pling, audit sam ple evaluation, an d
selecting en tit y field locations t o visit.
Th e Data Extract ion Special is t is the person with technical expert isein extra cting da ta from agen cy records.
Th e Technica l Accou nting and Audit ing Expert is th e senior
ma na ger reporting to the Assistan t In spector Genera l for Audit or h igher
or, at GAO, is the Chief Accoun ta nt . The Techn ica l Accoun tin g an d
Auditin g Expert advises on a ccoun ting an d au diting professiona l mat ter san d related na tional issues. The Techn ical Accoun ting an d Auditin g
Expert r eviews reports on fina ncial sta tement s an d reports th at cont ain
opinions on financial information.
Th e Office of General Coun sel (OGC) provides a ssistan ce t o th e
au ditor in (1) identifying provisions of laws a nd regula tions to test ,
8/7/2019 Financial Internal Audit
22/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-12
(2) identifying budget restrictions, and (3) identifying and resolving legal
issues encoun tered in t he fina ncial sta tement au dit, such as evalua ting
potentia l inst an ces of noncomplian ce.
Th e Spec ial Invest igator Unit investigates specific allegations
involving conflict-of-inter est an d eth ics m at ter s, cont ra ct an d
procur ement irregula rities, official misconduct an d a buse, an d frau d in
federa l progra ms or a ctivities. In t he offices of th e IGs th is is th e
investigation un it; at GAO, it is Special Investigations. The Special
Investigat or U nit pr ovides assista nce to th e au ditor by (1) inform ing th e
au ditor of relevant pending or completed invest igations of th e ent ity an d
(2) investigat ing possible insta nces of federa l fra ud, wa ste, an d a buse.
Use of Inform at ion Systems Auditors
.27 The au dit sta nda rds (SAS 94) require th at th e au dit tea m possess sufficientkn owledge of inform at ion syst ems (IS) to deter min e th e effect of IS on th e
au dit, to un derst an d th e IS cont rols, an d to design an d perform tests of IS
cont rols an d substa nt ive test s. This is gener ally done by having IS au ditors
as pa rt of th e audit t eam . IS au ditors should possess sufficient technical
kn owledge an d experience to under sta nd t he r elevan t concepts discussed in
the m an ua l and to apply th em to the au dit. While the au ditor is ultima tely
responsible for a ssessing inh erent an d cont rol risk, assessing th e
effectiveness of IS cont rols requ ires a person with IS a udit technical skills.Specialized techn ical skills generally ar e needed in situ at ions wh ere, (1) th e
ent itys systems, aut oma ted cont rols, or th e man ner in which th ey ar e used
in condu cting th e en titys bu siness a re complex, (2) significan t cha nges h ave
been ma de to existing system s or new system s implement ed, (3) dat a a re
extensively sha red a mong systems, (4) th e ent ity par ticipa tes in electr onic
comm erce, (5) th e ent ity us es emer ging techn ologies, or (6) significan t a ud it
eviden ce is ava ilable only in electr onic form . Appen dix V of GAOs Federal
Inform ation S ystem Controls Aud it M anual (FISCAM) cont ain s exam ples of
kn owledge, skills, an d abilities needed by IS au ditors. Certa in fina ncial
au ditors also ma y possess IS au dit technical skills. In some cases, the
au ditor ma y require out side consu ltan ts to provide these skills.
Complian ce With Policies and P rocedur es in the Ma nu al
.28 The following term s ar e used th roughout t he m an ua l to describe the degree ofcompliance with the policy or procedure required.
8/7/2019 Financial Internal Audit
23/507
100 INTRODU CTION
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 100-13
Must: Complian ce with th is policy or p rocedur e is ma nda tory
un less an exception is appr oved in writing by th e Reviewer,6
such a s in certa in inst an ces when a d isclaimer of opinion is
anticipated.
Should: Compliance with this policy or procedure is expected unless
th ere is a rea sona ble basis for depar tu re from it. Any such
depart ure a nd t he basis for it a re to be docum ented in a
mem ora ndu m. The Assistan t Director should approve th is
mem ora ndu m an d copies should be sent t o th e Audit
Director an d th e Reviewer.
General ly
Should: Compliance with this policy or procedure is strongly
encour aged. Depar tu re from such policy or pr ocedur e
should be discussed with t he Assista nt Director or th e au dit
manager.
May: Complian ce with th is policy or pr ocedu re is optional.
When t he a uditor deviates from a policy or pr ocedur e th at is expressed by
use of th e ter m "must " or "should" in t he F AM, he or sh e should consider th e
needs of, and consult in a timely mann er with, other au ditors who plan touse th e work of th e au ditor and pr ovide an opport un ity for th e oth er a uditors
to review the docum ent at ion explainin g th ese deviat ion d ecisions.
Use of Techn ica l Terms
.29 The ma nu al uses ma ny existing techn ical au diting term s an d introducesma ny other s. To assist you, a glossar y of significan t t erm s is included in th is
manual .
6
Capita lized positions a re described in par agra ph 100.25.
8/7/2019 Financial Internal Audit
24/507
100 INTRODU CTION
J uly 2001 GAO/PCIE F inancia l Audit Manual Page 100-14
Referen ce to GAO/PCI E Financial Audit Man ual
.30 When cited in workpa pers, corr esponden ce, or oth er comm un icat ion, t heletters FAM should precede section or pa ra graph nu mbers from th is
ma nu al. For exam ple, this para graph sh ould be referred to as FAM 100.30.
8/7/2019 Financial Internal Audit
25/507
SECTION 200
Plan ning Pha se
8/7/2019 Financial Internal Audit
26/507
Figu re 200.1: Meth odology Overview
Pl anni ng Phas e Section Understand the ent ity's operat ions 220
Perform preliminary analyt ical procedures 225
Determine planning, design, and test mater ia lity 230
Iden tify sign ifica nt lin e it em s, a ccou nt s, a sser tion s a nd RSSI 235 Ident ify significan t cycles, account ing applications, an d financial
management systems 240
Ident ify significant provisions of laws and regu lat ions 245
Ident ify relevant budget rest r ict ions 250
Assess r isk factors 260
Det er m in e lik elih ood of effect ive in for m at ion sys tem con t rols 270
Ident ify relevant operat ions cont rols to eva lua te and test 275
Plan other audit procedures 280
Plan locat ions to visit 285
Internal Control Ph ase Section Understand informat ion systems 320
Ident ify cont rol object ives 330
Ident ify and understand relevan t cont rol act ivit ies 340
Determine t he na tur e, timing, an d extent of contr ol tests a nd of tests
for systems compliance with FFMIA requirements 350
Per form nonsa mpling cont rol tests a nd tes ts for syst ems complia nce
with FFMIA requirements 360
Assess con t rols on a preliminary basis 370
Testing Ph ase Section Consider the nature, t iming, and exten t of tests 420
Design efficient test s 430
Perform tests and evaluate results 440
Sampling con trol test s 450
Compliance test s 460
Substant ive test s 470
Substan tive analyt ical procedures 475
Substant ive deta il test s 480
Report ing P hase Section Perform overall analyt ical procedures 520
Determine adequacy of audit procedures and audit scope 530
Evaluate missta tements 540
Conclude other audit procedures: 550
Inquire of att orn eys
Consider subsequent events
Obtain mana gement representations
Consider related par ty tra nsa ctions
Determine conformity with generally accepted accounting principles 560
Determine compliance with GAO/PCIE Financial Audit Man ual 570
Draft repor ts 580
8/7/2019 Financial Internal Audit
27/507
Planning Phase
210 - OVERVIEW
J uly 2001 GAO/PCIE Financia l Audit Manual Page 210-1
.01 The auditor performs planning to determine an effect ive and efficient way to
obtain t he evidential ma tter necessary to report on th e entity's
Accoun ta bility Report (or an nu al finan cial stat emen t). The nat ur e, extent ,
an d timing of plan ning var ies with , for exam ple, th e ent ity's size an d
complexity, th e au ditor's experience with th e entity, an d th e au ditor's
kn owledge of th e entity's operations. Pr ocedur es perform ed in th e plann ing
pha se are sh own in figure 200.1.
.02 A key to a qual ity audit , planning requires the involvement of senior
members of the a udit team . Although concentra ted in the plann ing phase,
planning is an itera tive process performed th roughout the a udit. For
examp le, findings from th e inter na l contr ol pha se directly affect pla nn ing th esubst an tive au dit procedur es. Also, th e results of cont rol an d substa nt ive
tests ma y require cha nges in th e plan ned au dit approach.
.03 Auditors should cons ider the needs of, and consult in a t imely manner with,
other a udit ors wh o plan to use t he work being perform ed, especially when
ma king decisions t ha t requ ire th e au ditor to exercise significan t judgmen t.
8/7/2019 Financial Internal Audit
28/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
29/507
Planning Phase
220 - UNDERSTAND THE ENTITY'S
OPERATIONS
J uly 2001 GAO/PCIE Financia l Audit Manual Page 220-1
.01 The auditor should obtain an u nderstanding of the ent i ty sufficient to plan
an d perform the a udit in a ccorda nce with a pplicable auditing stan dards a nd
requirements. In planning the audit, the au ditor gathers informa tion to
obta in an overall under sta ndin g of th e entity an d its origin and h istory, size
an d location, organizat ion, mission, business, str at egies, inh eren t r isks,
fra ud r isks, control environmen t, risk assessm ent , comm un icat ions, an d
monitoring. Un derst an ding th e ent ity's opera tions in th e plan ning process
ena bles the au ditor to ident ify, respond t o, and r esolve accoun ting a nd
au diting problems ear ly in th e au dit.
.02 The auditor 's unders tanding of the ent i ty and it s operat ions does not need tobe compr ehen sive but should include:
entity man agement an d organ izat ion,
extern al factors a ffecting opera tions,
inter na l factors affecting operat ions, a nd
accounting policies and issues.
.03 The auditor should ident ify key members of management and obta in a
general understa nding of the organizat iona l structure. The auditor 's main
objective is to un derstan d how the entity is man aged an d how theorganization is stru ctu red for t he pa rticular ma na gement style.
.04 The auditor should ident ify significant external and internal factors that
a ffect the en tit y's opera tions. Ext ern al factors might include (1) sour ce(s) of
funds, (2) seasonal fluctuations, (3) current political climate, and (4) relevant
legislat ion. Int ern al factors m ight include (1) size of th e ent ity, (2) nu mber
of locations, (3) st ru ctur e of th e ent ity (cent ra lized or decent ra lized), (4)
complexity of opera tions, (5) inform at ion syst em st ru ctur e, (6) qua lificat ions
an d compet ence of key personnel, an d (7) tu rn over of key personn el.
.05 In identifying account ing policies and issues, the auditor should consider
genera lly accepted a ccoun ting pr inciples, including wheth er t he en tity is
likely to be in comp liance;
cha nges in GAAP t ha t a ffect t he ent ity; an d
8/7/2019 Financial Internal Audit
30/507
Pl anning Phas e
220 - Unde rstand th e Enti ty's Operat ions
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 220-2
whet her en tity ma na gement a ppear s to follow aggressive or conser vative
accoun tin g policies.
.06 The auditor also should cons ider whether the ent i ty will repor t any required
supplemen ta ry stewa rdsh ip inform at ion (RSSI). This includes stewar dship
property, plant, and equipment (PP&E) (heritage assets, national defense
assets, and stewardship land), stewardship investments (nonfederal physical
property, human capital, and research and development), social insurance,
an d risk-assum ed inform at ion. RSSI an d deferred ma inten an ce, which is
considered r equired sup plement ar y inform at ion, should be designa ted
"unaudited."
.07 The auditor should develop and document a high-level understanding of theent ity's u se of inform at ion syst ems (IS) an d h ow IS a ffect t he gen era tion of
finan cial sta tement informa tion, RSSI, an d th e data th at support
perform an ce mea sur es reported in t he MD&A (overview) of the
Accoun ta bility Report (CFO report). An IS a uditor ma y assist th e au ditor in
un derst an ding the en tity's use of IS. Append ix I of th e GAO Federal
Information System Controls Manual (FISCAM) can be u sed t o docum ent
this u nderstanding.
.08 The auditor gathers planning informat ion through different methods
(observat ion, int erviews, rea ding policy an d pr ocedur e ma nu als, etc.) and
from a var iety of sources, includ ing
top-level entity management,
ent ity man agemen t responsible for significan t program s,
Office of Inspector Genera l (IG) an d inter na l aud it ma na gement
(includin g an y inte rn al cont rol officer),
oth ers in t he a udit organ izat ion concernin g oth er completed, plan ned or
in-progress assignments,
personn el in OGC,
personn el in th e Special Investigator Unit, an d
entity legal representa tives.
8/7/2019 Financial Internal Audit
31/507
8/7/2019 Financial Internal Audit
32/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
33/507
Planning Phase
225 - P ERFORM P RELIMINARY ANALYTICAL
PROCEDURES
J uly 2001 GAO/PCIE Financia l Audit Manual Page 225-1
.01 During the planning phase, preliminary analyt ical procedures are performed
to help the a uditor
un derstan d th e entity's business, including curr ent-year t ran sactions a nd
events;
identify accoun t balances or tra nsa ctions t ha t ma y signa l inherent or
cont rol risks (see section 260);
identify an d un derst an d th e significan t a ccount ing policies;
deter mine plan ning, design, an d test m at eriality (see section 230); an d
determine th e na tur e, timing, and extent of au dit procedures to be
performed.
.02 GAAS requires the audi tor to perform preliminary analyt ical procedures (AU
329). The resources spent in perform ing these procedur es should be
comm ensu ra te with th e expected reliability of compa ra tive inform at ion. For
examp le, in a first -year a udit, compa ra tive inform at ion m ight be un reliable;
th erefore, preliminar y an alytical pr ocedur es genera lly should be limited.
.03 The auditor generally should perform the following s teps to achieve the
objectives of preliminary analytical procedures.
a . Compare current-year amoun ts with relevan t comparat ive
f inan cial information: The financial data used in prelimina ry
an alytical procedur es gener ally ar e summ ar ized at a high level, such
as th e level of fina ncial sta tem ent s. If finan cial stat emen ts ar e not
available, the budget or fina ncial sum ma ries tha t sh ow th e entity's
finan cial position a nd resu lts of opera tions m ay be u sed.
The au ditor compar es curr ent-year a mounts with r elevan t
compar at ive fina ncial inform at ion. Use of un au dited compa ra tive
dat a m ight n ot a llow th e au ditor to ident ify significan t fluctu at ions,
par ticularly if an item consisten tly has been t rea ted incorr ectly. Also,th e au ditor ma y identify fluctua tions th at are not rea lly fluctua tions
due to errors in the un au dited compa rat ive data .
A key to effective prelimina ry a na lytical procedur es is t o use
informa tion t ha t is compa ra ble in term s of th e time period present ed
8/7/2019 Financial Internal Audit
34/507
Pl anning Phas e
225 - Pe rform P rel iminary Analyt ical Procedu res
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 225-2
an d th e presen ta tion (i.e., sam e level of deta il and consisten t
grouping of deta il accoun ts int o sum ma rized am oun ts u sed for
comparison).
The au ditor m ay perform rat io an alysis on curren t-year da ta an d
compa re t he curr ent year's ra tios with t hose derived from prior
periods or budgets. The au ditor does this to stu dy the relat ionsh ips
am ong componen ts of th e finan cial stat emen ts an d to increase
kn owledge of th e entity's activities. The au ditor uses rat ios tha t ar e
relevant in dicat ors or mea sur es for th e entity. Also, th e audit or
should consider a ny tren ds in the perform an ce indicators prepa red by
th e ent ity.
b. Ident i fy s ignif icant f luctuat ions : Fluctu at ions a re differen ces
between t he recorded am oun ts an d th e amount s expected by the
au ditor, based on compa ra tive finan cial inform at ion a nd t he au ditor's
kn owledge of th e entity. Fluctu at ions refer to both u nexpected
differen ces between cur ren t-year a moun ts an d compa ra tive finan cial
inform at ion as well as th e absence of expected differences. The
identificat ion of fluctua tions is a ma tt er of th e au ditor's judgmen t.
The a uditor esta blishes pa ra met ers for ident ifying significan t
fluctu ations. When setting these param eters, the auditor genera lly
considers t he a moun t of th e fluctua tion in ter ms of absolut e sizean d/or the percenta ge differen ce. The amoun t an d percent age used
ar e left to the a uditor's judgm ent . An exam ple of a pa ra met er is "All
fluctu at ions in excess of $10 million a nd /or 15 percent of th e prior-
year ba lance or other un usu al fluctua tions will be considered
significant."
c. Inquire about s ignif icant f luctua t ions: The a uditor discusses th e
identified fluctua tions with a ppropriat e entity personnel. The focus
of the discussion is to achieve the purposes of the procedures
described in pa ra graph 225.01. For preliminar y ana lyticalprocedur es, the a uditor does not n eed to corr obora te th e explan at ions
since th ey will be tested lat er. However, the explana tions should
appear reasonable and consistent t o th e auditor. The inability of
ent ity personn el to explain t he cause of a fluctu at ion m ay indicat e the
existen ce of cont rol, fra ud, a nd/or in her ent risks.
8/7/2019 Financial Internal Audit
35/507
8/7/2019 Financial Internal Audit
36/507
Pl anning Phas e
230 - Determin e P lanning , Design, and Test Material i ty
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 230-2
Planning material i ty is a preliminar y estimat e of ma ter iality, in
relation t o the financial sta tement s ta ken a s a wh ole, used to determine
th e nat ure, timing, an d extent of substan tive au dit procedures an d toidentify significan t laws a nd regulat ions for complian ce test ing.
Design Material i ty is the portion of plann ing mater iality th at ha s been
allocated t o line item s, accoun ts, or classes of tra nsa ctions (such a s
disbursem ent s). This am oun t will be the sa me for all line items or
accoun ts (except for certa in int ra governm ent al or offsett ing balan ces as
discussed in pa ra grap h 230.10).
Test ma terial i ty is the ma teriality actua lly used by the a uditor in
tes tin g a specific line item , accoun t, or clas s of tr an sactions . Bas ed onth e au ditor 's judgment , test ma teriality can be equal to or less tha n
design ma teriality, as discussed in para graph 230.13. Test mat eriality
ma y be differen t for differen t line items or a ccoun ts.
.06 The following other uses of the term "mat erial ity" relate principally to the
reporting ph ase:
Disclosure ma terial i ty is the t hr eshold for deter mining whether an
item should be reported or presented separ at ely in th e finan cial
stat ements or in th e related notes. This value ma y differ from plan ning
materiality.
FMFIA mate riality is the thr eshold for determ ining whether a m att er
meets OMB criter ia for report ing mat ter s un der F MFIA as described in
paragraphs 580.35-.37.
Report ing ma terial i ty is the t hreshold for determ ining whether a n
un qua lified opinion can be issued. In th e report ing pha se, th e auditor
considers whether u na djusted misstat ements a re quan titat ively or
qua lita tively ma ter ial. If considered to be mat erial, th e audit or would be
precluded from issuing a n u nqu alified opinion on t he finan cialstatements. See section 540.
Un less otherwise specified, such as t hr ough using th e term s above, the ter m
"ma ter iality" in th is man ua l refers to th e overall finan cial stat emen t
ma teriality as defined in par agraph 230.01.
8/7/2019 Financial Internal Audit
37/507
8/7/2019 Financial Internal Audit
38/507
Pl anning Phas e
230 - Determin e P lanning , Design, and Test Material i ty
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 230-4
au ditor would comput e separa te plan ning ma ter iality for auditin g (1) th e
offsett ing accoun ts, u sing th e ba lance of th e offsett ing accoun ts as th e
ma teriality base an d (2) the r est of th e finan cial statemen ts u sing thema teriality base guidance in pa ragra ph 230.09.
.11 Planning mater iality general ly should be 3 percent of the mater ial ity base.
Although a mecha nical mea ns m ight be used to comput e plann ing
ma teriality, the au ditor should use judgment in evalua ting whether t he
compu ted level is appropriat e. The au ditor also should consider a djusting
th e ma ter iality base for t he impa ct of such items a s un recorded liabilities,
cont ingencies, and other items th at ar e not incorporated in the entity's
finan cial statemen ts (and n ot r eflected in t he ma teriality base) but t ha t m ay
be importan t to the financial stat ement u ser.
.12 Design mater iality for the audi t should be one-thi rd of planning mater ial ity
to allow for the pr ecision of au dit pr ocedu res. This guideline recognizes th at
misstatemen ts ma y occur thr oughout th e entity's various a ccoun ts. The
design mat eriality represents th e mat eriality used as a sta rting point to
design a udit pr ocedur es for line item s or a ccoun ts so tha t a n a ggregate
ma terial misstat ement in th e financial statemen ts will be detected, for a
given level of audit a ssur an ce (discussed in par agra ph 260.04).
.13 Generally, the test mater ial ity used for a specific test is the same as the
design ma teriality. However, the a uditor may use a test m at eriality lowerth an th e design m at eriality for substa nt ive test ing of specific line item s an d
asser tions (which increa ses th e extent of test ing) when
th e au dit is being perform ed at some, but not a ll, entity locat ions
(requirin g increased a udit assu ra nce for t hose locations visited - see
section 285);
th e area tested is deemed to be sensitive to the fina ncial sta tement users;
or
8/7/2019 Financial Internal Audit
39/507
Pl anni ng Phas e
230 - Determin e Plann ing, Design, and Test Material i ty
1 If th e au ditor uses softwa re t o calculate sa mple size, he or sh e shouldun derst an d how th e softwa re considers expected missta tem ent s. For
example, if the au ditor uses Int eractive Data Extra ction an d Analysis
(IDEA) to calculate sa mple size when t est m at eriality is lower th an design
ma teriality, becau se th e au ditor expects m issta tement s, the a uditor sh ould
use design m at eriality in IDEA becau se he or she separa tely inpu ts th e
expected misstat ement. See para graph 480.27.
J u ly 2001 GAO/PCIE Financia l Audit Manual Page 230-5
th e au ditor expects to find a significan t a moun t of missta tem ent s.1
8/7/2019 Financial Internal Audit
40/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
41/507
8/7/2019 Financial Internal Audit
42/507
Pl anning Phas e
235 - Ident i fy Signi fi cant Lines I tems , Accounts , Assert ions , and
RSSI
J uly 2001 GAO/PCIE Financia l Audit Manual Page 235-2
Presentat ion and di sc losure: The par ticular componen ts of th efinan cial sta tem ent s a re properly classified, described, an d disclosed.
.03 A line item or an account in the financial statements or RSSI should be
cons idered significant if it h as one or more of th e following cha ra cterist ics:
Its ba lance is ma ter ial (exceeds design ma ter iality) or compr ises a
significan t portion of a m at erial finan cial stat emen t or RSSI am ount .
A high combined r isk (inh erent an d cont rol risk, as discussed in
para graph 260.02) of material m issta tement (eith er overstat ement orun derstat ement) is associated with one or m ore a ssertions r elating t o the
line item or account . For examp le, a zero or unu sua lly small bala nce
accoun t ma y have a high risk of ma terial underst at ement.
Special audit concern s, such as r egulatory requirements, warr an t a dded
consideration.
The auditor should determine that any accounts considered insignificant are
not significan t in th e aggregate.
.04 An assert ion is s ignificant if misstatements in the assert ion could exceed testma ter iality for th e related line item , accoun t, or disclosur e. Certa in
asser tions for a specific line item or accoun t, su ch as completeness a nd
disclosur e, could be significan t even t hough th e r ecorded balan ce of the
relat ed line item or accoun t is not ma ter ial. For example, (1) th e
completeness assertion could be significant for an accrued payroll account
with a h igh combined r isk of ma ter ial und erst at emen t even if its recorded
bala nce is zero an d (2) th e disclosure a sser tion could be significan t for a
cont ingent liability even if no amoun t is recorda ble.
.05 Assert ions are l ikely to vary in degree of s ignificance, and some assert ionsma y be insignifican t or irrelevan t for a given line item or account . For
example:
The completeness a ssert ion for liabilities m ay be of great er significan ce
th an th e existen ce asser tion for liabilities.
8/7/2019 Financial Internal Audit
43/507
8/7/2019 Financial Internal Audit
44/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
45/507
Planning Phase
240 - IDENTIFY SIGNIFICANT CYCLES,
ACCOUN TING AP P LICATIONS, AND
FIN ANCIAL MANAGEMENT SYSTEMS
J uly 2001 GAO/PCIE Financia l Audit Manual Page 240-1
.01 In the internal control phase, the auditor evaluates controls for each
significan t cycle and a ccoun ting a pplicat ion a nd det erm ines wheth er
significan t fina ncial ma na gement syst ems subst an tially comply with federa l
financial ma na gement systems r equirements, federal accoun ting stan dar ds,
an d th e SGL at th e tra nsa ction level. A cycle or a n a ccoun ting ap plicat ion
should be considered significan t if it p rocesses an am ount of tra nsa ctions in
excess of design ma ter iality or if it su pports a significan t accoun t balan ce in
th e fina ncial sta tem ent s or significan t RSSI. A finan cial ma na gement
system gener ally consists of one or more account ing app licat ions . If one or
more of th e account ing applicat ions ma king up a fina ncial man agemen t
system ar e considered significan t, th en t ha t financial man agement system
genera lly should be considered significan t for det erm ining whet her th e
system substan tially complies with FF MIA requirements. The au ditor ma y
identify oth er cycles, accoun ting a pplicat ions, or fina ncial ma na gement
systems as significan t based on qualitat ive considera tions. For example,
finan cial ma na gement systems covered by FFMIA include not only systems
involved in processing finan cial tra nsa ctions a nd pr epar ing finan cial
stat ements, but also systems supporting fina ncial plann ing, ma na gement
reportin g, or bu dgeting activities, systems a ccumu latin g an d report ing cost
inform at ion, a nd th e fina ncial port ion of mixed system s, such a s benefitpaym ent , logistics, personn el, and a cquisition syst ems.
.02 The enti ty's account ing system may be viewed as consist ing of logical
groupings of relat ed tr an sactions a nd a ctivities, or account ing applicat ions.
Ea ch significan t line it em/accoun t is affected by input from one or m ore
account ing applications (sources of debits or credits). Relat ed accoun tin g
app licat ions m ay be grouped int o cycles by th e au ditor an d int o fina ncial
ma na gement system s by th e entity. Account ing applicat ions ar e classified as
(1) tra nsa ction-related or (2) line item/account -relat ed.
.03 A t ransact ion-related account ing applicat ion cons is ts of the methods and
records esta blished to identify, assem ble, ana lyze, classify, an d r ecord (in t he
genera l ledger) a par ticular type of tr an saction. Typical tra nsa ction-related
accoun ting a pplicat ions include billing, cash receipts, p ur cha sing, cash
disbursem ent s, an d payroll. A line item/accoun t-related accoun ting
app licat ion consists of th e met hods an d records est ablished to report a n
8/7/2019 Financial Internal Audit
46/507
Pl anning Phas e
240 - Ident i fy Signi fi cant Cycles , Account ing Appl icat ions , and
Financia l Manageme nt Sys tems
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 240-2
ent ity's recorded tr an sactions a nd t o ma inta in account ability for related
asset s an d liabilities. Typical line item /accoun t-related a ccount ingapp lications include cash balan ces, accoun ts receivable, inventory cont rol,
property a nd equipment, an d accoun ts pa yable.
.04 Within a given ent ity, there may be several examples of each account ing
app licat ion. For exam ple, a differen t billing app lication m ay exist for ea ch
program t ha t u ses a billing process. Accoun ting app licat ions t ha t pr ocess a
relat ed group of tr an sactions a nd a ccoun ts compr ise cycles. For insta nce, th e
billing, ret ur ns, cash receipts, a nd accoun ts r eceivable accoun ting
app lications m ight be grouped to form th e revenu e cycle. Similarly, relat ed
accoun ting a pplicat ions a lso compr ise finan cial ma na gement systems.
.05 For each s ignificant l ine item and account , the auditor should use the
Accoun t Risk Ana lysis form (ARA) (see section 395 I) or a n equ ivalent
workp aper to documen t t he significan t t ra nsa ction cycles (such a s revenu e,
pur cha sing, an d pr oduction) an d t he specific significan t accoun ting
app lications th at a ffect th ese significan t line item s an d accoun ts. For
example, the a uditor might determ ine tha t billing, retu rns, cash r eceipts,
an d a ccount s receivable a re significan t a ccoun ting a pplicat ions th at affect
accoun ts r eceivable (a significant line item). The Account Risk Ana lysis form
provides a convenient way for docum ent ing th e specific risks of misstat emen t
for significan t line items for considera tion in determ ining th e na tu re, timing,an d extent of au dit procedures. If an equivalent workpaper is used, rat her
th an th e ARA, it sh ould docum ent th e inform at ion discussed in section 395 I.
.06 Related account ing applicat ions may be grouped into cycles to aid in
preparing workpa pers. This helps the au ditor design a udit procedures tha t
ar e both efficient a nd r elevan t to the report ing objectives. The au ditor may
docum ent insignifican t a ccoun ts in each line item on t he ARA or equivalent,
indicat ing th eir insignifican ce an d consequ ent lack of audit procedur es
app lied to th em. In such insta nces, th e cycle ma tr ix ma y not be necessar y.
Oth erwise, th e au ditor should prepar e a cycle mat rix or equivalent docum entth at link s each of th e ent ity's a ccount s (in th e char t of accoun ts) to a cycle, an
accoun ting app licat ion, an d a finan cial sta tem ent or RSSI line item.
.07 Based on discuss ions with ent ity personnel, the auditor should determine the
accoun ting ap plication t ha t is the best source of th e finan cial stat emen t
inform at ion. When a significan t line item h as m ore th an one source of
8/7/2019 Financial Internal Audit
47/507
Pl anni ng Phas e
240 - Ident ify Signi fi cant Cycles , Account ing Appl icat ions , and
Financia l Manageme nt Sys tems
J uly 2001 GAO/PCIE Financia l Audit Manual Page 240-3
finan cial data , the au ditor should consider t he var ious sources and
deter mine which is best for finan cial aud it purp oses. The au ditor needs toconsider t he likelihood of missta tem ent an d a udita bility in choosing th e
source to use. For au dit pu rposes, th e best sour ce of finan cial inform at ion
sometimes ma y be operat iona l inform at ion pr epar ed out side th e account ing
system.
.08 Once the s ignificant account ing applicat ions are ident i fied, the audi tor
deter mines wh ich compu ter systems a re involved in th ose applicat ions.
Those particular computer systems are then considered in assessing
compu ter -relat ed cont rols usin g an appr opriate m eth odology.
.09 An a ppropr iate methodology would require the au ditor to obtain sufficient
kn owledge of th e inform at ion syst em r elevan t t o finan cial reporting t o
un derst an d th e accoun ting processing from initiat ion of a t ra nsa ction to its
inclusion in t he fina ncial stat emen ts, including electronic mea ns u sed to
tr an smit, pr ocess, ma inta in, an d a ccess inform at ion (see AU 319.49, SAS 94).
AU 319.61 requ ires documen ta tion of th is un derst an ding. OMB au dit
guidan ce notes tha t t he componen ts of inter na l control include genera l and
app licat ion cont rols. Genera l cont rols are t he ent itywide secur ity
ma na gement program , access cont rol, applicat ion softwa re developmen t a nd
chan ge cont rol, system softwa re cont rol, segregat ion of dut ies, and service
cont inuit y control. Applicat ion cont rols ar e au th orizat ion cont rol,completen ess cont rol, accura cy cont rol, an d cont rol over int egrity of
processing and da ta files. OMB au dit guidan ce also requ ires tha t, for
cont rols th at ha ve been pr operly designed a nd pla ced in opera tion, th e
au ditor sha ll perform sufficient t ests t o support a low assessed level of
cont rol risk. The au ditor should docum ent t he basis for believing th at t he
met hodology used is appropriat e to satisfy these r equiremen ts for a ssessing
genera l an d applicat ion cont rols. The GAO Federal Information S ystem
Controls Aud it Man ual (FISCAM) is designed to meet t hese requ iremen ts.
See section 295 J for a flowchar t of steps gener ally followed in a ssessin g
inform at ion system cont rols in a fina ncial sta tem ent a udit . IS secur itycont rols are also addr essed in OMB Circular A-130,Management of Federal
Information Resources, in the Nat iona l Institu te of Stan dar ds and
TechnologysAn Int rodu ction to Com puter S ecurity: T he NIS T H and book,
and in other publications.
8/7/2019 Financial Internal Audit
48/507
[This pa ge int ent iona lly left blan k.]
8/7/2019 Financial Internal Audit
49/507
8/7/2019 Financial Internal Audit
50/507
Pl anning Phas e
245 - Ident i fy Significant P rovis ions of Laws an d Regu lat ions
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 245-2
ma terial to th e consolidated fina ncial sta tement s of th e Un ited Stat es
Governm ent . In ad dition, the au ditor should identify (with OGC
assista nce) an y laws or r egulat ions (in add ition t o those ident ified byOMB and t he ent ity) tha t h ave a direct effect on determ ining amounts in
th e finan cial sta tem ent s. The mea ning of direct effect is discussed below
in para graph 245.03.
b. For each such law or regulation, the auditor should identify those
pr ovisions th at a re significant . A pr ovision should be cons idered
significant if (1) compliance with the provision can be measured
objectively an d (2) it meets one of th e following criter ia for deter min ing
th at th e provision ha s a ma terial effect on determining fina ncial
statement amounts:
Transac t ion-based p rovis ions: Tra nsa ctions processed by th e
ent ity tha t ar e subject to the provision exceed plann ing mat eriality in
th e aggregate.
Quantitat ive-based p rovis ions: The qu an titat ive informa tion
requ ired by t he p rovision or by esta blished rest rictions exceeds
plann ing ma teriality.
Procedural-based provis ions: The pr ovision broad ly affects a ll or
a segmen t of th e entity's opera tions th at process tra nsa ctionsexceeding plan ning ma ter iality in the aggregate. For exam ple, a
provision m ay require th at t he ent ity establish procedur es to monitor
th e receipt of cert ain in form at ion from gran tees; in det erm ining
whet her to test complian ce with th is provision, th e au ditor should
consider whet her t he tota l amount of money gra nt ed exceeded
plann ing ma teriality.
.03 A direct effect means that the provis ion specifies
th e nat ure a nd/or dollar am oun t of tra nsactions th at ma y be incurr ed(such as obliga tion, out lay, or borr owing r est rictions),
th e meth od used t o record su ch tra nsa ctions (such a s revenu e recognition
policies), or
8/7/2019 Financial Internal Audit
51/507
Pl anni ng Phas e
245 - Ident i fy Signif icant P rovis ions of Laws an d Regu lat ions
J uly 2001 GAO/PCIE Financia l Audit Manual Page 245-3
th e na tu re a nd exten t of inform at ion t o be reported or disclosed in th e
an nu al finan cial stat ements (such a s the sta tement of budgetary
resources).
For exam ple, ent ity-ena bling legislation ma y conta in pr ovisions t ha t limit
th e na tu re a nd am oun t of obligat ions or outlays an d th erefore h ave a direct
effect on determ ining amoun ts in th e finan cial stat emen ts. If a pr ovision's
effect on t he finan cial sta tem ent s is limited t o cont ingent liabilities as a
result of noncompliance (typically for fines, penalties, and interest), such a
provision d oes not h ave a direct effect on det erm ining finan cial sta tem ent
am ount s. Laws identified by th e au ditor th at h ave a direct effect might
include (1) new la ws an d regu lat ions (not yet r eflected on OMB's list) an d (2)
en tit y-specific laws a nd r egula tions. The concept of direct effect is discussedin AU 801 (SAS 74) an d AU 317.
.04 In contras t , indirect laws relate more to the ent i ty's operat ing aspects than
to its finan cial an d accoun ting asp ects, an d th eir fina ncial stat emen t effect is
indirect. In oth er words, their effect m ay be limited to recording or
disclosing liab ilities ar ising from noncomplian ce. Exa mples of indir ect laws
and regulations include those related to environmental protection and
occupational safety and health.
.05 The auditor is not responsible for test ing compliance controls over or
complian ce with a ny indirect laws an d regula tions not oth erwise ident ifiedby OMB or t he en tity (see par agra ph 245.02.a.). However, as discussed in
AU 317, th e au ditor should mak e inquiries of ma na gement regar ding policies
an d procedur es for t he pr evention of noncomplian ce with indirect laws a nd
regula tions. Un less possible insta nces of noncomplian ce with indirect laws
or r egulat ions come t o the a uditor 's att ention during th e au dit, no furt her
procedur es with respect to indirect laws an d regulat ions a re necessary.
.06 The auditor may elect to tes t compliance with indirect laws and regulat ions .
For example, if the au ditor becomes a ware t ha t t he ent ity has operations
similar to those of an oth er ent ity tha t was r ecent ly in noncomplian ce withenvironmen ta l laws an d regulat ions, th e aud itor may elect to test complian ce
with such laws an d regulat ions. The au ditor may also elect to test provisions
of direct laws a nd r egulations tha t do not meet th e ma teriality criteria in
par agraph 245.02.b. but th at ar e deemed significan t, such as laws an d
regulations t ha t h ave generated significan t int erest by the Congress, the
media, or th e public.
8/7/2019 Financial Internal Audit
52/507
Pl anning Phas e
245 - Ident i fy Significant P rovis ions of Laws an d Regu lat ions
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 245-4
.07 The significant provisions identified by the above procedures are intended to
include pr ovisions of all laws an d regulat ions th at ha ve a direct an d ma ter ial
effect on the deter mining of finan cial stat emen t am oun ts an d th ereforecomp ly with GAGAS, AU 801 (SAS 74), an d OMB aud it gu idan ce.
.08 In considering regulat ions to test for compliance, the auditor should consider
extern ally imposed requirement s issued pursu an t t o the Administrat ive
Pr ocedur es Act, which ha s a defined du e process. This would include
regulations in t he Code of Federal Regula tions, but would n ot in clude OMB
circulars an d bulletins. Such circula rs an d bulletins genera lly implement
laws, an d th e provisions of th e laws th emse lves could be considered for
complian ce testing. Int ern al policies, ma nu als, an d directives ma y be the
basis for in ter na l cont rols, but ar e not r egulations to consider for t esting forcompliance.
8/7/2019 Financial Internal Audit
53/507
Planning Phase
250 - IDENTIFY RELEVANT BUDGET
RESTRICTIONS
J uly 2001 GAO/PCIE Financia l Audit Manual Page 250-1
.01 To evaluate budget controls (see section 295 G) and to design compliance-
related audit procedures relevant to budget restrictions, the auditor should
un derst an d th e following inform at ion (which m ay be obta ined from th e
entity or OGC):
th e Ant ideficiency Act (title 31 of th e U.S. Code, sections 1341, 1342,
1349-1351, 1511-1519);
th e Pu rpose Sta tu te (title 31 of the U .S. Code, section 1301);
th e Time St at ut e (title 31 of the U.S. Code, section 1502);
OMB Circula r A-34;
tit le 7 of th e GAO Policy and Procedu res Manua l for Guida nce of Federal
Agencies;
th e Impoundm ent Contr ol Act; and
th e F edera l Credit Reform Act of 1990.
.02 The auditor should read the following informat ion relat ing to the ent ity 's
app ropriat ion (or other budget a ut hority) for t he per iod of au dit inter est:
au th orizing legislat ion;
enabling legislation an d a mendm ents;
appropriation legislation and supplemental appropriation legislation; apport ionm ent s an d budget execut ion r eport s (includin g OMB form s 132
an d 133 an d supporting docum enta tion);
Impoun dmen t Contr ol Act r eport s regar ding rescissions a nd deferra ls, if
any;
th e system of fun ds cont rol documen t a pproved by OMB; an d
an y oth er informa tion deemed by the a uditor t o be relevan t to
un derstan ding the entity's budget a ut hority, such as legislative history
cont ained in comm ittee r eport s or conference reports.
Although legislat ive histories ar e not legally bindin g, th ey may h elp the
au ditor un derstan d t he political environm ent surr oun ding the entity (i.e.,
why th e ent ity has un derta ken certa in activities an d t he objectives of th ese
activities).
.03 Through d iscussions with OGC and the ent ity and by using the above
inform at ion, th e au ditor should ident ify all legally binding rest rictions on t he
8/7/2019 Financial Internal Audit
54/507
8/7/2019 Financial Internal Audit
55/507
Planning Phase
260 - IDENTIFY RISK FACTORS
J uly 2001 GAO/PCIE Financia l Audit Manual Page 260-1
.01 The auditor 's consideration of inherent r isk, frau d r isk, control environment,
risk a ssessmen t, comm un icat ion, an d monitoring (par ts of inter na l cont rol)
affects th e nat ur e, timing, and extent of subst an tive an d cont rol test s. This
section describes (1) the impact of risk factors identified during this
considera tion on su bsta nt ive and control tests, (2) th e pr ocess for identifying
th ese risk factors, an d (3) th e au ditor's considera tion of the en tity's process
for reporting under FMFIA (both for internal control (section 2 of FMFIA)
an d for finan cial ma na gement systems' conform an ce with system
requ iremen ts (section 4 of FMF IA)) and for form ulat ing th e budget.
IMP ACT ON S UBS TANTIVE TES TING
.02 AU 312 provides guidance on the cons iderat ion of audit r i sk and defines
"au dit risk" as t he r isk tha t t he a uditor m ay un knowingly fail to
appr opriately modify an opinion on financial statem ents th at ar e ma terially
missta ted. Audit r isk can be thought of in ter ms of th e following thr ee
component risks:
Inheren t risk is the susceptibility of an asser tion t o a m at erial
misstatemen t, assuming tha t th ere are no relat ed int erna l contr ols.
Control risk is the risk that a m at erial misstat ement t ha t could occur inan asser tion will not be prevent ed or det ected a nd corr ected on a t imely
basis by the en tity's int ern al cont rol. Int ern al cont rol consists of five
componen ts: (1) th e cont rol environment , (2) risk a ssessmen t,
(3) monit oring, (4) inform at ion a nd comm un icat ion, a nd (5) con tr ol
activities (defined in par agr ap h 260.08 below). This section will discuss
th e first t hr ee of th e componen ts a nd comm un icat ion a nd section 300
(Int ern al Cont rol Ph ase) will discuss t he inform at ion system s an d control
activities.
Detec t ion risk is th e risk that th e auditor will not detect a m at erial
misstatemen t th at exists in an a ssertion.
AU 316 (SAS 82) requires th e a uditor t o consider fraud risk , which is a pa rt
of au dit risk, ma king up a portion of inher ent a nd cont rol risk. Fr au d risk
consists of th e risk of fra udu lent fina ncial report ing an d th e risk of
misappropriat ion of assets th at cau se a ma terial misstatement of the
8/7/2019 Financial Internal Audit
56/507
Pl anning Phas e
2 60 - Id e n ti fy Ri sk Fa c to rs
1 Assur an ce is not the sam e as sta tistical confidence. Assur an ce is a
combinat ion of quan titat ive measu rement an d au ditor judgment.
J u ly 2001 GAO/PCIE Financia l Audit Manua l Page 260-2
finan cial sta tem ent s. The au ditor should specifically consider a nd docum ent
the r isk of ma terial misstatemen ts of the fina ncial stat ements du e to frau d
an d keep in mind t he considera tion of fra ud r isk in designing au ditprocedur es. Considering th e risk of ma ter ial fra ud gener ally should be done
concur ren tly with th e considera tion of inher ent an d cont rol risk, but it
should be a separa te conclusion. The au ditor also should consider t he risk of
fra ud th roughout th e au dit. Section 290 includes docum ent at ion
requirem ent s for t he considera tion of fra ud r isk.
.03 Based on the level of audit r isk and an assessment of the ent i ty's inherent
an d cont rol risk, including th e considerat ion of fra ud risk, th e au ditor
determines th e na tur e, timing, and extent of substan tive audit procedures
necessary to achieve th e resulta nt det ection risk. For example, in responseto a high level of inher ent an d cont rol risk, th e au ditor ma y perform
additional audit procedures that provide more competent evidential
ma tt er (nat ur e of procedur es);
subst an tive tests at or closer to the finan cial stat emen t da te (timing of
procedures); or
more extensive subst an tive tests (extent of procedur es), as discussed in
section 295 E.
.04 Audit assurance is the complement of audit r isk. The auditor can determine
the level of audit a ssura nce obtained by subtr acting the a udit r isk from 1.(Assur an ce equa ls 1 minus r isk).1 AU 350.48 uses 5 percent as t he a llowable
au dit risk in explaining th e au dit risk model (95 percent au dit assur an ce).
The a udit organ ization sh ould deter mine t he level of assu ra nce to use, which
ma y vary between aud its based on risk. GAO auditors should use
95 percent . In other words, the GAO au ditor, in order t o provide an opinion,
should design th e au dit to achieve at least 95 percent au dit assur an ce tha t
the fina ncial sta tement s ar e not ma terially misstated (5 percent au dit risk).
Section 470 pr ovides guida nce to th e a uditor on how to combine (1) the
assessm ent of inher ent an d cont rol risk (including fra ud r isk) an d (2)
substan tive tests to achieve the a udit assu ran ce required by the a uditorganization.
8/7/2019 Financial Internal Audit
57/507
Pl anni ng Phas e
2 60 - Id e n ti fy Ri sk Fa c to rs
2 See also GAOs S tan dard s for Int ernal Control in th e Federal Governm ent,
GAO/AIMD-00-21.3.1, November 1999.
J u ly 2001 GAO/PCIE Financia l Audit Manual Page 260-3
.05 The auditor may consider i t necessary to achieve increased audit assurance if
th e ent ity is politically sensitive or if th e Congress ha s expressed concerns
about t he ent ity's finan cial report ing. In th is case, th e level of au ditassu ra nce should be appr oved by th e Reviewer.
RELATIONSHIP TO CONTROL ASS ESS MENT
.06 Internal control, as identified in AU 319 (SAS 55 amended by SAS 78), is a
processeffected by an ent ity's governin g body, man agemen t, an d other
personneldesigned to provide reasonable assurance regarding the
achievemen t of objectives in th e following categories (OMB au dit gu idan ce
expan ds t he cat egory definitions a s noted):2
Reliability off inancial report ingtr an sactions a re properly recorded,
processed, an d sum ma rized to perm it the pr epar at ion of th e finan cial
sta tem ent s an d RSSI in a ccorda nce with gener ally accepted account ing
principles, and assets are safeguarded against loss from unauthorized
acqu isition, use, or disposition. (Note th at safeguarding controls (see
par agra phs 310.02-.04) ar e considered a s pa rt of finan cial reporting
cont rols, alth ough th ey ar e a lso opera tions cont rols.)
Compliance with a pplicable laws an d regulat ionstransactions are
execut ed in accorda nce with (a) laws governing th e u se of budget
au th ority and other laws an d regulations th at could ha ve a direct a ndma ter ial effect on th e fina ncial stat emen ts or RSSI, an d (b) an y oth er
laws, regulat ions, a nd governm ent wide policies identified by OMB in its
au dit guidance. (Note th at budget cont rols a re pa rt of fina ncial
reporting cont rols as th ey relat e to th e stat emen ts of budgeta ry resources
an d of fina ncing, but th at th ey are a lso pa rt of complian ce cont rols in
tha t t hey are used to man age and cont rol the u se of appropriated fun ds
an d other form s of budget a ut hority in a ccorda nce with applicable law.
These cont rols a re described in more det ail in section 295 G.)
Effectiveness and efficiency ofoperat ions. Thes e cont rols includepolicies an d pr ocedur es t o car ry out organ izat iona l objectives, such a s
planning, productivity, programmatic, quality, economy, efficiency, and
8/7/2019 Financial Internal Audit
58/507
Pl anning Phas e
2 60 - Id e n ti fy Ri sk Fa c to rs
J uly 2001 GAO/PCIE Financia l Audit Manua l Page 260-4
effectiveness objectives. Man agem en t uses th ese contr ols to pr ovide
rea sona ble assu ra nce tha t th e entity (1) achieves its mission,
(2) ma intains qu ality sta nda rds, and (3) does what man agement directsit to do. (Note tha t performance m easures controls (those designed to
provide rea sona ble assur an ce about reliability of perform an ce reportin g
tra nsactions an d oth er data tha t support reported performa nce measu res
ar e properly r