GOVERNMENT
AUDITING
STANDARDS
2018 Revision
By the Comptroller General of the
United States
July 2018
GAO-18-568G
United States Government Accountability Office
GOVERNMENT
AUDITING
STANDARDS
2018 Revision
By the Comptroller General of the
United States
July 2018
GAO-18-568G
United States Government Accountability Office
The 2018 revision of Government Auditing Standards is effective for
financial audits, attestation engagements, and reviews of financial
statements for periods ending on or after June 30, 2020, and for
performance audits beginning on or after July 1, 2019. Early
implementation is not permitted. The 2018 revision of Government
Auditing Standards supersedes the 2011 revision (GAO-12-331G,
December 2011), the 2005 Government Auditing Standards: Guidance
on GAGAS Requirements for Continuing Professional Education
(GAO-05-568G, April 2005), and the 2014 Government Auditing
Standards: Guidance for Understanding the New Peer Review Ratings
(D06602, January 2014). The 2018 revision should be used until
further updates and revisions are made. An electronic version of this
document can be accessed on GAO’s Yellow Book web page at
http://www.gao.gov/yellowbook.
Page i GAO-18-568G Government Auditing Standards
Letter 1
Chapter 1: Foundation and Principles for the Use and Application of Government Auditing Standards 3
Introduction 3
Types of GAGAS Users 6
Types of GAGAS Engagements 7
Financial Audits 7
Attestation Engagements and Reviews of Financial
Statements 9
Performance Audits 10
Terms Used in GAGAS 15
The GAGAS Format 16
Chapter 2: General Requirements for Complying with Government Auditing Standards 18
Complying with GAGAS 18
Relationship between GAGAS and Other Professional Standards 20
Stating Compliance with GAGAS in the Audit Report 22
Chapter 3: Ethics, Independence, and Professional Judgment 25
Ethical Principles 25
The Public Interest 26
Integrity 26
Objectivity 27
Proper Use of Government Information, Resources, and
Positions 27
Professional Behavior 28
Independence 28
GAGAS Conceptual Framework Approach to
Independence 31
Provision of Nonaudit Services to Audited Entities 43
Consideration of Specific Nonaudit Services 50
Documentation 57
Professional Judgment 58
Chapter 4: Competence and Continuing Professional Education 63
Competence 63
Continuing Professional Education 67
Contents
Page ii GAO-18-568G Government Auditing Standards
Chapter 5: Quality Control and Peer Review 81
Quality Control and Assurance 81
System of Quality Control 81
Leadership Responsibilities for Quality within the Audit
Organization 82
Independence, Legal, and Ethical Requirements 82
Initiation, Acceptance, and Continuance of Engagements 84
Human Resources 84
Engagement Performance 86
Monitoring of Quality 91
External Peer Review 96
Additional Requirements for Audit Organizations Not
Affiliated with Recognized Organizations 102
Chapter 6: Standards for Financial Audits 109
Additional GAGAS Requirements for Conducting Financial Audits 109
Compliance with Standards 109
Licensing and Certification 110
Auditor Communication 110
Results of Previous Engagements 111
Investigations or Legal Proceedings 112
Noncompliance with Provisions of Laws, Regulations,
Contracts, and Grant Agreements 112
Findings 113
Audit Documentation 116
Availability of Individuals and Documentation 117
Additional GAGAS Requirements for Reporting on Financial
Audits 118
Reporting the Auditors’ Compliance with GAGAS 118
Reporting on Internal Control; Compliance with Provisions
of Laws, Regulations, Contracts, and Grant
Agreements; and Instances of Fraud 119
Presenting Findings in the Audit Report 121
Reporting Findings Directly to Parties outside the Audited
Entity 122
Obtaining and Reporting the Views of Responsible Officials 123
Reporting Confidential or Sensitive Information 125
Distributing Reports 126
Page iii GAO-18-568G Government Auditing Standards
Chapter 7: Standards for Attestation Engagements and Reviews of Financial Statements 127
Examination Engagements 128
Compliance with Standards 128
Licensing and Certification 129
Auditor Communication 129
Results of Previous Engagements 130
Investigations or Legal Proceedings 130
Noncompliance with Provisions of Laws, Regulations,
Contracts, and Grant Agreements 131
Findings 132
Examination Engagement Documentation 135
Availability of Individuals and Documentation 136
Reporting the Auditors’ Compliance with GAGAS 136
Reporting Deficiencies in Internal Control 137
Reporting on Noncompliance with Provisions of Laws,
Regulations, Contracts, and Grant Agreements or
Instances of Fraud 138
Presenting Findings in the Report 139
Reporting Findings Directly to Parties outside the Audited
Entity 139
Obtaining and Reporting the Views of Responsible Officials 140
Reporting Confidential or Sensitive Information 142
Distributing Reports 143
Review Engagements 144
Compliance with Standards 144
Licensing and Certification 144
Noncompliance with Provisions of Laws, Regulations,
Contracts, and Grant Agreements 145
Reporting Auditors’ Compliance with GAGAS 145
Distributing Reports 146
Agreed-Upon Procedures Engagements 147
Compliance with Standards 147
Licensing and Certification 147
Noncompliance with Provisions of Laws, Regulations,
Contracts, and Grant Agreements 148
Reporting Auditors’ Compliance with GAGAS 148
Distributing Reports 149
Reviews of Financial Statements 150
Compliance with Standards 150
Licensing and Certification 150
Noncompliance with Provisions of Laws, Regulations,
Contracts, and Grant Agreements 151
Page iv GAO-18-568G Government Auditing Standards
Reporting Auditors’ Compliance with GAGAS 151
Distributing Reports 152
Chapter 8: Fieldwork Standards for Performance Audits 154
Planning 154
Auditor Communication 158
Investigations or Legal Proceedings 159
Results of Previous Engagements 160
Assigning Auditors 160
Preparing a Written Audit Plan 161
Conducting the Engagement 162
Nature and Profile of the Program and User Needs 162
Determining Significance and Obtaining an Understanding
of Internal Control 165
Assessing Internal Control 168
Internal Control Deficiencies Considerations 169
Information Systems Controls Considerations 171
Provisions of Laws, Regulations, Contracts, and Grant
Agreements 174
Fraud 175
Identifying Sources of Evidence and the Amount and Type
of Evidence Required 177
Using the Work of Others 177
Supervision 179
Evidence 179
Overall Assessment of Evidence 185
Findings 186
Audit Documentation 190
Availability of Individuals and Documentation 192
Chapter 9: Reporting Standards for Performance Audits 194
Reporting Auditors’ Compliance with GAGAS 194
Report Format 195
Report Content 195
Reporting Findings, Conclusions, and Recommendations 199
Reporting on Internal Control 201
Reporting on Noncompliance with Provisions of Laws,
Regulations, Contracts, and Grant Agreements 203
Reporting on Instances of Fraud 204
Reporting Findings Directly to Parties outside the Audited
Entity 204
Page v GAO-18-568G Government Auditing Standards
Obtaining the Views of Responsible Officials 206
Report Distribution 207
Reporting Confidential or Sensitive Information 208
Discovery of Insufficient Evidence after Report Release 210
Glossary 211
Acknowledgments 222
Comptroller General’s Advisory Council on Government Auditing
Standards (2016-2020) 222
GAO Project Team 223
Staff Acknowledgments 223
Figures
Figure 1: Generally Accepted Government Auditing Standards
Conceptual Framework for Independence 61
Figure 2: Independence Considerations for Preparing Accounting
Records and Financial Statements 62
Figure 3: Developing Peer Review Communications for Observed
Matters in Accordance with Generally Accepted
Government Auditing Standards 108
Figure 4: Consideration of Internal Control in a Generally
Accepted Government Auditing Standards Performance
Audit 193
Page vi GAO-18-568G Government Auditing Standards
Abbreviations
AICPA American Institute of Certified Public Accountants
AR-C AICPA Codification of Statements on Standards for
Accounting and Review Services
AT-C AICPA Codification of Statements on Standards for Attestation
Engagements
AU-C AICPA Codification of Statements on Auditing Standards
CPA certified public accountant
CPE continuing professional education
GAGAS generally accepted government auditing standards
IAASB International Auditing and Assurance Standards Board
IT information technology
OMB Office of Management and Budget
PCAOB Public Company Accounting Oversight Board
SAS Statements on Auditing Standards
SSAE Statements on Standards for Attestation Engagements
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
Page 1 GAO-18-568G Government Auditing Standards
441 G St. N.W. Comptroller General
Washington, DC 20548 of the United States
Audits provide essential accountability and transparency over government
programs. Given the current challenges facing governments and their
programs, the oversight provided through auditing is more critical than
ever. Government auditing provides the objective analysis and
information needed to make the decisions necessary to help create a
better future. The professional standards presented in this 2018 revision
of Government Auditing Standards (known as the Yellow Book) provide a
framework for performing high-quality audit work with competence,
integrity, objectivity, and independence to provide accountability and to
help improve government operations and services. These standards,
commonly referred to as generally accepted government auditing
standards (GAGAS), provide the foundation for government auditors to
lead by example in the areas of independence, transparency,
accountability, and quality through the audit process.
This revision contains major changes from, and supersedes, the 2011
revision. These changes, summarized below, reinforce the principles of
transparency and accountability and strengthen the framework for high-
quality government audits.
All chapters are presented in a revised format that differentiates
requirements and application guidance related to those requirements.
Supplemental guidance from the appendix of the 2011 revision is
either removed or incorporated into the individual chapters.
The independence standard is expanded to state that preparing
financial statements from a client-provided trial balance or underlying
accounting records generally creates significant threats to auditors
independence, and auditors should document the threats and
safeguards applied to eliminate and reduce threats to an acceptable
level or decline to perform the service.
The peer review standard is modified to require that audit
organizations comply with their respective affiliated organizations
peer review requirements and GAGAS peer review requirements.
Additional requirements are provided for audit organizations not
affiliated with recognized organizations.
The standards include a definition for waste.
The performance audit standards are updated with specific
considerations for when internal control is significant to the audit
objectives.
Letter
Page 2 GAO-18-568G Government Auditing Standards
Effective with the implementation dates for the 2018 revision of
Government Auditing Standards, GAO is also retiring Government
Auditing Standards: Guidance on GAGAS Requirements for Continuing
Professional Education (GAO-05-568G, April 2005) and Government
Auditing Standards: Guidance for Understanding the New Peer Review
Ratings (D06602, January 2014).
This revision of the standards has gone through an extensive deliberative
process, including public comments and input from the Comptroller
Generals Advisory Council on Government Auditing Standards (Advisory
Council). The Advisory Council consists of experts in financial and
performance auditing and reporting from federal, state, and local
government; the private sector; and academia. The views of all parties
were thoroughly considered in finalizing the standards.
The 2018 revision of Government Auditing Standards is effective for
financial audits, attestation engagements, and reviews of financial
statements for periods ending on or after June 30, 2020, and for
performance audits beginning on or after July 1, 2019. Early
implementation is not permitted.
An electronic version of this document can be accessed at
http://www.gao.gov/yellowbook.
I extend special thanks to the members of the Advisory Council for their
extensive input and feedback throughout the process of developing and
finalizing the standards.
Gene L. Dodaro
Comptroller General of the United States
July 2018
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 3 GAO-18-568G Government Auditing Standards
1.01 This chapter provides guidance for engagements conducted in
accordance with generally accepted government auditing standards
(GAGAS). This chapter also
a. explains the types of auditors and audit organizations that may
employ GAGAS to conduct their work,
b. identifies the types of engagements that may be conducted in
accordance with GAGAS, and
c. explains terminology that is commonly used in GAGAS.
1.02 The concept of accountability for use of public resources and
government authority is key to our nations governing processes.
Management and officials entrusted with public resources are responsible
for carrying out public functions and providing service to the public
effectively, efficiently, economically, and ethically within the context of the
statutory boundaries of the specific government program.
1.03 As reflected in applicable laws, regulations, agreements, and
standards, management and officials of government programs are
responsible for providing reliable, useful, and timely information for
transparency and accountability of these programs and their operations.
Legislators, oversight bodies, those charged with governance, and the
public need to know whether (1) management and officials manage
government resources and use their authority properly and in compliance
with laws and regulations; (2) government programs are achieving their
objectives and desired outcomes; and (3) government services are
provided effectively, efficiently, economically, and ethically.
1.04Those charged with governancerefers to the individuals
responsible for overseeing the strategic direction of the entity and
obligations related to the accountability of the entity. This includes
overseeing the financial reporting process, subject matter, or program
under audit, including related internal controls. Those charged with
governance may also be part of the entitys management. In some
audited entities, multiple parties may be charged with governance,
including oversight bodies, members or staff of legislative committees,
boards of directors, audit committees, or parties contracting for the
engagement.
Use and Application of Government Auditing
Introduction
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 4 GAO-18-568G Government Auditing Standards
1.05 Government auditing is essential in providing accountability to
legislators, oversight bodies, those charged with governance, and the
public. GAGAS engagements provide an independent, objective,
nonpartisan assessment of the stewardship, performance, or cost of
government policies, programs, or operations, depending upon the type
and scope of the engagement.
1.06 The professional standards and guidance contained in this
document provide a framework for conducting high-quality engagements
with competence, integrity, objectivity, and independence. Auditors of
government entities, entities that receive government awards, and other
entities, as required by law or regulation or as they elect, may use these
standards. Overall, GAGAS contains standards for engagements
comprising individual requirements that are identified by terminology as
discussed in paragraphs 2.02 through 2.10. GAGAS contains
requirements and guidance dealing with ethics, independence, auditors
professional judgment and competence, quality control, peer review,
conducting the engagement, and reporting.
1.07 Engagements conducted in accordance with GAGAS provide
information used for oversight, accountability, transparency, and
improvements of government programs and operations. GAGAS contains
requirements and guidance to assist auditors in objectively obtaining and
evaluating sufficient, appropriate evidence and reporting the results.
When auditors conduct their work in this manner and comply with GAGAS
in reporting the results, their work can lead to improved government
management, better decision making and oversight, effective and efficient
operations, and accountability and transparency for resources and
results.
1.08 Laws, regulations, contracts, grant agreements, and policies
frequently require that engagements be conducted in accordance with
GAGAS. In addition, many auditors and audit organizations voluntarily
choose to conduct their work in accordance with GAGAS. The
requirements and guidance in GAGAS in totality apply to engagements
pertaining to government entities, programs, activities, and functions, and
to government assistance administered by contractors, nonprofit entities,
and other nongovernmental entities when the use of GAGAS is required
or voluntarily adopted.
1.09 The following are some of the laws, regulations, and other
authoritative sources that require the use of GAGAS:
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 5 GAO-18-568G Government Auditing Standards
a. The Inspector General Act of 1978, as amended (5 U.S.C. App.),
requires that the federal inspectors general appointed under that
act comply with GAGAS for audits of federal establishments,
organizations, programs, activities, and functions. The act further
states that the inspectors general shall take appropriate steps to
assure that any work performed by nonfederal auditors complies
with GAGAS.
b. The Chief Financial Officers Act of 1990 (Public Law 101-576), as
expanded by the Government Management Reform Act of 1994
(Public Law 103-356), requires that GAGAS be followed in audits
of major executive branch departmentsand agenciesfinancial
statements. The Accountability of Tax Dollars Act of 2002 (Public
Law 107-289) generally extends this requirement to most
executive agencies not subject to the Chief Financial Officers Act.
c. The Single Audit Act Amendments of 1996 (Public Law 104-156)
requires that GAGAS be followed in audits of state and local
governments and nonprofit entities that receive federal awards.
Subpart F of OMBs Uniform Administrative Requirements, Cost
Principles, and Audit Requirements for Federal Awards (2 C.F.R.
part 200), which provides the government-wide guidelines and
policies on conducting audits to comply with the Single Audit Act,
reiterates the requirement to use GAGAS.
1.10 Other laws, regulations, or authoritative sources may require the use
of GAGAS. For example, auditors at the state and local government
levels may be required by state and local laws and regulations to follow
GAGAS. Also, auditors may be required by the terms of an agreement or
contract to follow GAGAS. Auditors may also be required to follow
GAGAS by federal audit guidelines pertaining to program requirements.
Being aware of such other laws, regulations, or authoritative sources may
assist auditors in performing their work in accordance with the required
standards.
1.11 Even if not required to do so, auditors may find it useful to follow
GAGAS in conducting engagements pertaining to federal, state, and local
government programs as well as engagements pertaining to state and
local government awards that contractors, nonprofit entities, and other
nongovernmental entities administer. Though not formally required to do
so, many audit organizations, both in the United States and in other
countries, voluntarily follow GAGAS.
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 6 GAO-18-568G Government Auditing Standards
1.12 GAGAS provides standards that are used by a wide range of
auditors and audit organizations that audit government entities, entities
that receive government awards, and other entities. These auditors and
audit organizations may also be subject to additional requirements unique
to their environments. Examples of the various types of users who may
be required or may elect to use GAGAS include the following:
a. Contract auditors: audit organizations that specialize in conducting
engagements pertaining to government acquisitions and contract
administration
b. Certified public accounting firms: public accounting organizations
in the private sector that provide audit, attestation, or review
services under contract to government entities or recipients of
government funds
c. Federal inspectors general: government audit organizations within
federal agencies that conduct engagements and investigations
relating to the programs and operations of their agencies and
issue reports both to agency management and to third parties
external to the audited entity
d. Federal agency internal auditors: internal government audit
organizations associated with federal agencies that conduct
engagements and investigations relating to the programs and
operations of their agencies
e. Municipal auditors: elected or appointed officials in government
audit organizations in the United States at the city, county, and
other local government levels
f. State auditors: elected or appointed officials in audit organizations
in the governments of the 50 states, the District of Columbia, and
the U.S. territories
g. Supreme audit institutions: national government audit
organizations, in the United States or elsewhere, typically headed
by a comptroller general or auditor general
Types of GAGAS
Users
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 7 GAO-18-568G Government Auditing Standards
1.13 This section describes the types of engagements that audit
organizations may conduct in accordance with GAGAS. This description
is not intended to limit or require the types of engagements that may be
conducted in accordance with GAGAS.
1.14 All GAGAS engagements begin with objectives, and those objectives
determine the type of engagement to be conducted and the applicable
standards to be followed. This document classifies financial audits,
attestation engagements, reviews of financial statements, and
performance audits, as defined by their objectives, as the types of
engagements that are covered by GAGAS.
1.15 In some GAGAS engagements, the standards applicable to the
specific objective will be apparent. For example, if the objective is to
express an opinion on financial statements, the standards for financial
audits apply. However, some engagements may have objectives that
could be met using more than one approach. For example, if the objective
is to determine the reliability of performance measures, auditors can
perform this work in accordance with either the standards for attestation
engagements or performance audits.
1.16 GAGAS requirements and guidance apply to the types of
engagements that auditors may conduct in accordance with GAGAS as
follows:
a. Financial audits: the requirements and guidance in chapters 1
through 6 apply.
b. Attestation-level examination, review, and agreed-upon
procedures engagements and reviews of financial statements: the
requirements and guidance in chapters 1 through 5 and 7 apply.
c. Performance audits: the requirements and guidance in chapters 1
through 5, 8, and 9 apply.
1.17 Financial audits provide independent assessments of whether
entitiesreported financial information (e.g., financial condition, results,
and use of resources) is presented fairly, in all material respects, in
accordance with recognized criteria. Financial audits conducted in
accordance with GAGAS include financial statement audits and other
related financial audits.
Types of GAGAS
Engagements
Financial Audits
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 8 GAO-18-568G Government Auditing Standards
a. Financial statement audits: The primary purpose of a financial
statement audit is to provide financial statement users with an
opinion by an auditor on whether an entitys financial statements
are presented fairly, in all material respects, in accordance with an
applicable financial reporting framework. Reporting on financial
statement audits conducted in accordance with GAGAS also
includes reports on internal control over financial reporting and on
compliance with provisions of laws, regulations, contracts, and
grant agreements that have a material effect on the financial
statements.
b. Other types of financial audits: Other types of financial audits
conducted in accordance with GAGAS entail various scopes of
work, including
(1) obtaining sufficient, appropriate evidence to form an
opinion on a single financial statement or specified
elements, accounts, or line items of a financial statement;
1
(2) issuing letters (commonly referred to as comfort letters) for
underwriters and certain other requesting parties;
2
(3) auditing applicable compliance and internal control
requirements relating to one or more government
programs;
3
and
(4) conducting an audit of internal control over financial
reporting that is integrated with an audit of financial
statements (integrated audit).
4
1
See AU-C section 805, Special Considerations Audits of Single Financial Statements
and Specific Elements, Accounts, or Items of a Financial Statement (AICPA, Professional
Standards).
2
See AU-C section 920, Letters for Underwriters and Certain Other Requesting Parties
(AICPA, Professional Standards).
3
See AU-C section 935, Compliance Audits (AICPA, Professional Standards).
4
See AU-C section 940, An Audit of Internal Control Over Financial Reporting That Is
Integrated With an Audit of Financial Statements (AICPA, Professional Standards).
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 9 GAO-18-568G Government Auditing Standards
1.18 Attestation engagements can cover a broad range of financial or
nonfinancial objectives about the subject matter or assertion depending
on the usersneeds. In an attestation engagement, the subject matter or
an assertion by a party other than the auditors is measured or evaluated
in accordance with suitable criteria. The work the auditors perform and
the level of assurance associated with the report vary based on the type
of attestation engagement. The three types of attestation engagements
are as follows:
a. Examination: An auditor obtains reasonable assurance by
obtaining sufficient, appropriate evidence about the measurement
or evaluation of subject matter against criteria in order to be able
to draw reasonable conclusions on which to base the auditors
opinion about whether the subject matter is in accordance with (or
based on) the criteria or the assertion is fairly stated, in all material
respects. The auditor obtains the same level of assurance in an
examination as in a financial statement audit.
5
b. Review: An auditor obtains limited assurance by obtaining
sufficient, appropriate review evidence about the measurement or
evaluation of subject matter against criteria in order to express a
conclusion about whether any material modification should be
made to the subject matter in order for it to be in accordance with
(or based on) the criteria or to the assertion in order for it to be
fairly stated. Review-level work does not include reporting on
internal control or compliance with provisions of laws, regulations,
contracts, and grant agreements. The auditor obtains the same
level of assurance in a review engagement as in a review of
financial statements.
6
c. Agreed-upon procedures engagement: An auditor performs
specific procedures on subject matter or an assertion and reports
the findings without providing an opinion or a conclusion on it. The
specified parties to the engagement agree upon and are
responsible for the sufficiency of the procedures for their
5
See AT-C section 205, Examination Engagements (AICPA, Professional Standards).
6
See AT-C section 210, Review Engagements (AICPA, Professional Standards).
Attestation Engagements
and Reviews of Financial
Statements
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 10 GAO-18-568G Government Auditing Standards
purposes. The specified parties are the intended users to whom
use of the report is limited.
7
1.19 The subject matter of an attestation engagement may take many
forms, including the following:
a. historical or prospective performance or condition, historical or
prospective financial information, performance measurements, or
backlog data;
b. physical characteristics, for example, narrative descriptions or
square footage of facilities;
c. historical events, for example, the price of a market basket of
goods on a certain date;
d. analyses, for example, break-even analyses;
e. systems and processes, for example, internal control; and
f. behavior, for example, corporate governance, compliance with
laws and regulations, and human resource practices.
1.20 The objective of the auditor when performing a review of financial
statements is to obtain limited assurance as a basis for reporting whether
the auditor is aware of any material modifications that should be made to
financial statements in order for the financial statements to be in
accordance with the applicable financial reporting framework. A review of
financial statements does not include obtaining an understanding of the
entitys internal control, assessing fraud risk, or certain other procedures
ordinarily performed in an audit.
8
1.21 Performance audits provide objective analysis, findings, and
conclusions to assist management and those charged with governance
and oversight with, among other things, improving program performance
and operations, reducing costs, facilitating decision making by parties
7
See AT-C section 215, Agreed-Upon Procedures Engagements (AICPA, Professional
Standards).
8
See AR-C section 90, Review of Financial Statements (AICPA, Professional Standards).
Performance Audits
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 11 GAO-18-568G Government Auditing Standards
responsible for overseeing or initiating corrective action, and contributing
to public accountability.
1.22 Performance audit objectives vary widely and include assessments
of program effectiveness, economy, and efficiency; internal control;
compliance; and prospective analyses. Audit objectives may also pertain
to the current status or condition of a program. These overall objectives
are not mutually exclusive. For example, a performance audit with an
objective of determining or evaluating program effectiveness may also
involve an additional objective of evaluating the programs internal
controls. Key categories of performance audit objectives include the
following:
a. Program effectiveness and results audit objectives. These are
frequently interrelated with economy and efficiency objectives.
Audit objectives that focus on program effectiveness and results
typically measure the extent to which a program is achieving its
goals and objectives. Audit objectives that focus on economy and
efficiency address the costs and resources used to achieve
program results.
b. Internal control audit objectives. These relate to an assessment of
one or more aspects of an entitys system of internal control that is
designed to provide reasonable assurance of achieving effective
and efficient operations, reliability of reporting for internal and
external use, or compliance with provisions of applicable laws and
regulations. Internal control objectives also may be relevant when
determining the cause of unsatisfactory program performance.
Internal control is a process effected by an entitys oversight body,
management, and other personnel that provides reasonable
assurance that the objectives of an entity will be achieved. Internal
control comprises the plans, methods, policies, and procedures
used to fulfill the mission, strategic plan, goals, and objectives of
the entity.
c. Compliance audit objectives. These relate to an assessment of
compliance with criteria established by provisions of laws,
regulations, contracts, and grant agreements, or other
requirements that could affect the acquisition, protection, use, and
disposition of the entitys resources and the quantity, quality,
timeliness, and cost of services the entity produces and delivers.
Compliance requirements can be either financial or nonfinancial.
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 12 GAO-18-568G Government Auditing Standards
d. Prospective analysis audit objectives. These provide analysis or
conclusions about information that is based on assumptions about
events that may occur in the future, along with possible actions
that the entity may take in response to the future events.
1.23 Examples of program effectiveness and results audit objectives
include
a. assessing the extent to which legislative, regulatory, or
organizational goals and objectives are being achieved;
b. assessing the relative ability of alternative approaches to yield
better program performance or eliminate factors that inhibit
program effectiveness;
c. analyzing the relative cost-effectiveness of a program or activity,
focusing on combining cost information or other inputs with
(1) information about outputs or the benefit provided or
(2) outcomes or the results achieved;
d. determining whether a program produced intended results or
produced results that were not consistent with the programs
objectives;
e. determining the current status or condition of program operations
or progress in implementing legislative requirements;
f. determining whether a program provides access to or distribution
of public resources within the context of statutory parameters;
g. assessing the extent to which programs duplicate, overlap, or
conflict with other related programs;
h. evaluating whether the entity is following sound procurement
practices;
i. assessing the reliability, validity, or relevance of performance
measures concerning program effectiveness and results or
economy and efficiency;
j. assessing the reliability, validity, or relevance of financial
information related to the performance of a program;
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 13 GAO-18-568G Government Auditing Standards
k. determining whether government resources (inputs) are obtained
at reasonable costs while meeting timeliness and quality
considerations;
l. determining whether appropriate value was obtained based on the
cost or amount paid or based on the amount of revenue received;
m. determining whether government services and benefits are
accessible to those individuals who have a right to access those
services and benefits;
n. determining whether fees assessed cover costs;
o. determining whether and how the programs unit costs can be
decreased or its productivity increased; and
p. assessing the reliability, validity, or relevance of budget proposals
or budget requests to assist legislatures in the budget process.
1.24 Examples of internal control audit objectives include determining
whether
a. organizational missions, goals, and objectives are achieved
effectively and efficiently;
b. resources are used in compliance with laws, regulations, or other
requirements;
c. resources, including sensitive information accessed or stored
outside the organizations physical perimeter, are safeguarded
against unauthorized acquisition, use, or disposition;
d. management information, such as performance measures, and
public reports are complete, accurate, and consistent to support
performance and decision making;
e. the integrity of information from computerized systems is
achieved; and
f. contingency planning for information systems provides essential
backup to prevent unwarranted disruption of the activities and
functions that the systems support.
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 14 GAO-18-568G Government Auditing Standards
1.25 Examples of compliance objectives include determining whether
a. the purpose of the program, the manner in which it is to be
conducted, the services delivered, the outcomes, or the population
it serves is in compliance with provisions of laws, regulations,
contracts, or grant agreements or other requirements;
b. government services and benefits are distributed or delivered to
citizens based on eligibility to obtain those services and benefits;
c. incurred or proposed costs are in compliance with applicable laws,
regulations, contracts, or grant agreements; and
d. revenues received are in compliance with applicable laws,
regulations, contracts, or grant agreements.
1.26 Examples of prospective analysis objectives include providing
conclusions based on
a. current and projected trends and future potential impact on
government programs and services and their implications for
program or policy alternatives;
b. program or policy alternatives, including forecasting program
outcomes under various assumptions;
c. policy or legislative proposals, including advantages,
disadvantages, and analysis of stakeholder views;
d. prospective information prepared by management;
e. budgets and forecasts that are based on (1) assumptions about
expected future events and (2) stakeholdersand managements
expected reaction to those future events; and
f. management’s assumptions on which prospective information is
based.
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 15 GAO-18-568G Government Auditing Standards
1.27 This paragraph describes certain terms used in GAGAS. When
terminology differs from that used at an organization subject to GAGAS,
auditors use professional judgment to determine if there is an equivalent
term.
9
a. Attestation engagement: An examination, review, or agreed-upon
procedures engagement conducted under the GAGAS attestation
standards related to subject matter or an assertion that is the
responsibility of another party.
b. Audit: Either a financial audit or performance audit conducted in
accordance with GAGAS.
c. Audit organization: A government audit entity or a public
accounting firm or other audit entity that conducts GAGAS
engagements.
d. Audit report: A report issued as a result of a financial audit,
attestation engagement, review of financial statements, or
performance audit conducted in accordance with GAGAS.
e. Audited entity: The entity that is subject to a GAGAS engagement,
whether that engagement is a financial audit, attestation
engagement, review of financial statements, or performance audit.
f. Auditor: An individual assigned to planning, directing, performing
engagement procedures, or reporting on GAGAS engagements
(including work on audits, attestation engagements, and reviews
of financial statements) regardless of job title. Therefore,
individuals who may have the title auditor, information technology
auditor, analyst, practitioner, evaluator, inspector, or other similar
titles are considered auditors under GAGAS.
g. Control objective: The aim or purpose of specified controls; control
objectives address the risks related to achieving an entitys
objectives.
9
See the Glossary for an expanded list of terms used in GAGAS.
Terms Used in
GAGAS
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 16 GAO-18-568G Government Auditing Standards
h. Engagement: A financial audit, attestation engagement, review of
financial statements, or performance audit conducted in
accordance with GAGAS.
i. Engagement team (or audit team): Auditors assigned to planning,
directing, performing engagement procedures, or reporting on
GAGAS engagements.
j. Engaging party: The party that engages the auditor to conduct the
GAGAS engagement.
k. Entity objective: What an entity wants to achieve; entity objectives
are intended to meet the entitys mission, strategic plan, and goals
and the requirements of applicable laws and regulations.
l. External audit organization: An audit organization that issues
reports to third parties external to the audited entity, either
exclusively or in addition to issuing reports to senior management
and those charged with governance of the audited entity.
m. Internal audit organization: An audit organization that is
accountable to senior management and those charged with
governance of the audited entity and that does not generally issue
reports to third parties external to the audited entity.
n. Responsible party: The party responsible for a GAGAS
engagements subject matter.
o. Review of financial statements: An engagement conducted under
GAGAS for review of financial statements.
p. Specialist: An individual or organization possessing special skill or
knowledge in a particular field other than accounting or auditing
that assists auditors in conducting engagements. A specialist may
be either an internal specialist or an external specialist.
1.28 GAGAS uses a format designed to allow auditors to quickly identify
requirements and application guidance related to those requirements.
GAGAS requirements are differentiated from application guidance by
borders surrounding the text. The requirements are followed immediately
by application guidance that relates directly to the preceding
The GAGAS Format
Chapter 1: Foundation and Principles for the
Use and Application of Government Auditing
Standards
Page 17 GAO-18-568G Government Auditing Standards
requirements. The auditorsresponsibilities related to requirements and
application guidance are discussed in paragraphs 2.02 through 2.10.
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 18 GAO-18-568G Government Auditing Standards
2.01 This chapter establishes general requirements for complying with
generally accepted government auditing standards (GAGAS) that are
applicable to all GAGAS engagements. The information it contains relates
to how auditors conducting GAGAS engagements identify and apply the
requirements contained in GAGAS. The chapter also contains
requirements for using other audit standards in conjunction with GAGAS
and for reporting compliance with GAGAS in the audit report.
10
See para. 2.19 for additional documentation requirements for departures from GAGAS
requirements.
Complying with Government Auditing
Complying with
GAGAS
Requirements: Complying with GAGAS
2.02 GAGAS uses two categories of requirements, identified by
specific terms, to describe the degree of responsibility they impose on
auditors and audit organizations:
a. Unconditional requirements: Auditors and audit organizations
must comply with an unconditional requirement in all cases
where such requirement is relevant. GAGAS uses must to
indicate an unconditional requirement.
b. Presumptively mandatory requirements: Auditors and audit
organizations must comply with a presumptively mandatory
requirement in all cases where such a requirement is relevant
except in rare circumstances discussed in paragraphs 2.03,
2.04, and 2.08. GAGAS uses should to indicate a
presumptively mandatory requirement.
10
2.03 In rare circumstances, auditors and audit organizations may
determine it necessary to depart from a relevant presumptively
mandatory requirement. In such rare circumstances, auditors should
perform alternative procedures to achieve the intent of that
requirement.
2.04 If, in rare circumstances, auditors judge it necessary to depart
from a relevant presumptively mandatory requirement, they must
document their justification for the departure and how the alternative
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 19 GAO-18-568G Government Auditing Standards
Application Guidance: Complying with GAGAS
2.07 GAGAS contains requirements together with related explanatory
material in the form of application guidance. Not every paragraph of
GAGAS carries a requirement. Rather, GAGAS identifies the
requirements through use of specific language. GAGAS also contains
introductory material that provides context relevant to a proper
understanding of a GAGAS chapter or section. Having an understanding
of the entire text of applicable GAGAS includes an understanding of any
financial audit, attestation, and reviews of financial statement standards
incorporated by reference.
13
2.08 The need for auditors to depart from a relevant presumptively
mandatory requirement is expected to arise only when the requirement is
for a specific procedure to be performed and, in the specific
circumstances of the engagement, that procedure would be ineffective in
achieving the intent of the requirement.
2.09 The application guidance provides further explanation of the
requirements and guidance for applying them. In particular, it may explain
more precisely what a requirement means or is intended to address or
include examples of procedures that may be appropriate in the
circumstances. Although such guidance does not in itself impose a
11
See http://www.gao.gov/yellowbook for GAGAS amendments.
12
See http://www.gao.gov/yellowbook for GAGAS interpretive guidance.
13
See paras. 2.13, 6.01, and 7.01 for discussion of standards incorporated by reference.
procedures performed in the circumstances were sufficient to achieve
the intent of that requirement.
2.05 Auditors should have an understanding of the entire text of
applicable chapters of GAGAS, including application guidance, and
any amendments that GAO issued, to understand the intent of the
requirements and to apply the requirements properly.
11
2.06 Auditors should consider applicable GAO-issued GAGAS
interpretive guidance in conducting and reporting on GAGAS
engagements.
12
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 20 GAO-18-568G Government Auditing Standards
requirement, it is relevant to the proper application of the requirements.
May,” “might,and couldare used to describe these actions and
procedures. The application guidance may also provide background
information on matters addressed in GAGAS.
2.10 Interpretive guidance is not auditing standards. Interpretive guidance
provides guidance on the application of GAGAS and recommendations
on the application of GAGAS in specific circumstances.
Requirement: Relationship between GAGAS and Other
Professional Standards
2.11 When auditors cite compliance with both GAGAS and another set
of standards, such as those listed in paragraphs 2.13, 2.15, 6.01, and
7.01, auditors should refer to paragraph 2.17 for the requirements for
citing compliance with GAGAS. In addition to citing GAGAS, auditors
may also cite the use of other standards in their reports when they
have also met the requirements for citing compliance with the other
standards. Auditors should refer to the other set of standards for the
basis for citing compliance with those standards.
Application Guidance: Relationship between GAGAS and Other
Professional Standards
2.12 Auditors may use GAGAS in conjunction with professional standards
issued by other authoritative bodies.
2.13 The relationship between GAGAS and other professional standards
for financial audits, attestation engagements, and reviews of financial
statements is as follows:
a. The American Institute of Certified Public Accountants (AICPA)
has established professional standards that apply to financial
audits, attestation engagements, and reviews of financial
statements for nonissuers (entities other than issuers under the
Sarbanes-Oxley Act of 2002,
14
such as privately held companies,
14
See the Sarbanes-Oxley Act of 2002 (Public Law 107-204) for a discussion of issuers
(generally, publicly traded companies with a reporting obligation under the Securities
Exchange Act of 1934).
Relationship between
GAGAS and Other
Professional
Standards
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 21 GAO-18-568G Government Auditing Standards
nonprofit entities, and government entities) conducted by certified
public accountants (CPA). For financial audits and attestation
engagements, GAGAS incorporates by reference AICPA
Statements on Auditing Standards and Statements on Standards
for Attestation Engagements.
15
For reviews of financial
statements, GAGAS incorporates by reference AR-C, section 90,
Review of Financial Statements.
16
b. The International Auditing and Assurance Standards Board
(IAASB) has established professional standards that apply to
financial audits and assurance engagements. Auditors may elect
to use the IAASB standards and the related International
Standards on Auditing and International Standards on Assurance
Engagements in conjunction with GAGAS.
c. The Public Company Accounting Oversight Board (PCAOB) has
established professional standards that apply to financial audits
and attestation engagements for issuers. Auditors may elect to
use the PCAOB standards in conjunction with GAGAS.
2.14 For financial audits, attestation engagements, and reviews of
financial statements, GAGAS does not incorporate the AICPA Code of
Professional Conduct by reference, but recognizes that certain CPAs may
use or may be required to use the code in conjunction with GAGAS.
2.15 For performance audits, GAGAS does not incorporate other
standards by reference, but recognizes that auditors may use or may be
required to use other professional standards in conjunction with GAGAS,
such as the following:
a. International Standards for the Professional Practice of Internal
Auditing, Institute of Internal Auditors, Inc.;
b. International Standards of Supreme Audit Institutions,
International Organization of Supreme Audit Institutions;
c. Guiding Principles for Evaluators, American Evaluation
Association;
15
AICPA, Professional Standards.
16
AICPA, Professional Standards.
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 22 GAO-18-568G Government Auditing Standards
d. The Program Evaluation Standards, Joint Committee on
Standards for Education Evaluation;
e. Standards for Educational and Psychological Testing, American
Psychological Association; and
f. IT Standards, Guidelines, and Tools and Techniques for Audit and
Assurance and Control Professionals, Information Systems Audit
and Control Association.
Stating Compliance
with GAGAS in the
Audit Report
Requirements: Stating Compliance with GAGAS in the Audit
Report
2.16 When auditors are required to conduct an engagement in
accordance with GAGAS or are representing to others that they did so,
they should cite compliance with GAGAS in the audit report as set forth
in paragraphs 2.17 through 2.19.
2.17 Auditors should include one of the following types of GAGAS
compliance statements in reports on GAGAS engagements, as
appropriate.
a. Unmodified GAGAS compliance statement: Stating that the
auditors conducted the engagement in accordance with
GAGAS. Auditors should include an unmodified GAGAS
compliance statement in the audit report when they have
(1) followed unconditional and applicable presumptively
mandatory GAGAS requirements or (2) followed unconditional
requirements, documented justification for any departures from
applicable presumptively mandatory requirements, and
achieved the objectives of those requirements through other
means.
b. Modified GAGAS compliance statement: Stating either that
(1) the auditors conducted the engagement in accordance
with GAGAS, except for specific applicable
requirements that were not followed, or
(2) because of the significance of the departure(s) from the
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 23 GAO-18-568G Government Auditing Standards
Application Guidance: Stating Compliance with GAGAS in the Audit
Report
2.20 Situations for using modified compliance statements include scope
limitations, such as restrictions on access to records, government
officials, or other individuals needed to conduct the engagement.
2.21 The auditorsdetermination of noncompliance with applicable
requirements is a matter of professional judgment, which is affected by
the significance of the requirement(s) not followed in relation to the
engagement objectives.
2.22 Determining whether an unmodified or modified GAGAS compliance
statement is appropriate is based on the consideration of the individual
and aggregate effect of the instances of noncompliance with GAGAS
requirements. Factors that the auditor may consider include
a. the pervasiveness of the instance(s) of noncompliance;
b. the potential effect of the instance(s) of noncompliance on the
sufficiency and appropriateness of evidence supporting the
findings, conclusions, and recommendations; and
c. whether report users might misunderstand the implications of a
modified or unmodified GAGAS compliance statement.
requirements, the auditors were unable to and did not
conduct the engagement in accordance with GAGAS.
2.18 When auditors use a modified GAGAS statement, they should
disclose in the report the applicable requirement(s) not followed, the
reasons for not following the requirement(s), and how not following the
requirement(s) affected or could have affected the engagement and
the assurance provided.
2.19 When auditors do not comply with applicable requirement(s), they
should (1) assess the significance of the noncompliance to the
engagement objectives; (2) document the assessment, along with their
reasons for not following the requirement(s); and (3) determine the
type of GAGAS compliance statement.
Chapter 2: General Requirements for
Complying with Government Auditing
Standards
Page 24 GAO-18-568G Government Auditing Standards
2.23 If an audit report is issued in situations described in paragraph 3.60
(except in circumstances discussed in paragraphs 3.25 or 3.84), a
modified GAGAS compliance statement as discussed in paragraph
2.17b(2) is used.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 25 GAO-18-568G Government Auditing Standards
3.01 The first section of this chapter sets forth fundamental ethical
principles for auditors in the government environment. The second
section establishes independence standards and provides guidance on
this topic for auditors conducting financial audits, attestation
engagements, reviews of financial statements, and performance audits
under generally accepted government auditing standards (GAGAS). This
section emphasizes the importance of independence of the auditor and
the audit organization. The third section establishes the standard for the
auditors use of professional judgment and provides related application
guidance. The requirements of this chapter are intended to be followed in
conjunction with all other applicable GAGAS requirements.
3.02 The ethical principles presented in this section provide the
foundation, discipline, and structure, as well as the environment, that
influence the application of GAGAS.
17
3.03 Because auditing is essential to government accountability to the
public, the public expects audit organizations and auditors who perform
their work in accordance with GAGAS to follow ethical principles.
Management of the audit organization sets the tone for ethical behavior
throughout the organization by maintaining an ethical culture, clearly
communicating acceptable behavior and expectations to each employee,
and creating an environment that reinforces and encourages ethical
behavior throughout all levels of the organization. The ethical tone
maintained and demonstrated by management and personnel is an
essential element of a positive ethical environment for the audit
organization.
3.04 Performing audit work in accordance with ethical principles is a
matter of personal and organizational responsibility. Ethical principles
apply in preserving auditor independence,
18
taking on only work that the
audit organization is competent to perform,
19
performing high-quality
work, and following the applicable standards cited in the audit report.
Integrity and objectivity are maintained when auditors perform their work
17
See para. 5.08 for a discussion of ethical requirements in an audit organizations system
of quality control.
18
See paras. 3.18 through 3.108 for requirements and guidance related to independence.
19
See paras. 4.02 through 4.15 for additional information on competence.
Professional Judgment
Ethical Principles
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 26 GAO-18-568G Government Auditing Standards
and make decisions that are consistent with the broader interest of those
relying on the audit report, including the public.
3.05 Other ethical requirements or codes of professional conduct may
also be applicable to auditors who conduct engagements in accordance
with GAGAS. For example, individual auditors who are members of
professional organizations or are licensed or certified professionals may
also be subject to ethical requirements of those professional
organizations or licensing bodies. Auditors employed by government
entities may also be subject to government ethics laws and regulations.
3.06 The ethical principles that guide the work of auditors who conduct
engagements in accordance with GAGAS are
a. the public interest;
b. integrity;
c. objectivity;
d. proper use of government information, resources, and positions;
and
e. professional behavior.
3.07 The public interest is defined as the collective well-being of the
community of people and entities that the auditors serve. Observing
integrity, objectivity, and independence in discharging their professional
responsibilities helps auditors serve the public interest and honor the
public trust. The principle of the public interest is fundamental to the
responsibilities of auditors and critical in the government environment.
3.08 A distinguishing mark of an auditor is acceptance of responsibility to
serve the public interest. This responsibility is critical when auditing in the
government environment. GAGAS embodies the concept of accountability
for public resources, which is fundamental to serving the public interest.
3.09 Public confidence in government is maintained and strengthened by
auditors performing their professional responsibilities with integrity.
Integrity includes auditors performing their work with an attitude that is
objective, fact-based, nonpartisan, and nonideological with regard to
The Public Interest
Integrity
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 27 GAO-18-568G Government Auditing Standards
audited entities and users of the audit reports. Within the constraints of
applicable confidentiality laws, regulations, or policies, communications
with the audited entity, those charged with governance, and the
individuals contracting for or requesting the engagement are expected to
be honest, candid, and constructive.
3.10 Making decisions consistent with the public interest of the program
or activity under audit is an important part of the principle of integrity. In
discharging their professional responsibilities, auditors may encounter
conflicting pressures from management of the audited entity, various
levels of government, and other likely users. Auditors may also encounter
pressures to inappropriately achieve personal or organizational gain. In
resolving those conflicts and pressures, acting with integrity means that
auditors place priority on their responsibilities to the public interest.
3.11 Auditorsobjectivity in discharging their professional responsibilities
is the basis for the credibility of auditing in the government sector.
Objectivity includes independence of mind and appearance when
conducting engagements, maintaining an attitude of impartiality, having
intellectual honesty, and being free of conflicts of interest. Maintaining
objectivity includes a continuing assessment of relationships with audited
entities and other stakeholders in the context of the auditors
responsibility to the public. The concepts of objectivity and independence
are closely related. Independence impairments affect auditors
objectivity.
20
3.12 Government information, resources, and positions are to be used for
official purposes and not inappropriately for the auditorspersonal gain or
in a manner contrary to law or detrimental to the legitimate interests of the
audited entity or the audit organization. This concept includes the proper
handling of sensitive or classified information or resources.
3.13 In the government environment, the publics right to the transparency
of government information has to be balanced with the proper use of that
information. In addition, many government programs are subject to laws
and regulations dealing with the disclosure of information. Exercising
discretion in using information acquired in the course of auditorsduties is
20
See paras. 3.18 through 3.108 for independence requirements and guidance.
Objectivity
Proper Use of
Government Information,
Resources, and Positions
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 28 GAO-18-568G Government Auditing Standards
an important part in achieving this balance. Improperly disclosing any
such information to third parties is not an acceptable practice.
3.14 Accountability to the public for the proper use and prudent
management of government resources is an essential part of auditors
responsibilities. Protecting and conserving government resources and
using them appropriately for authorized activities are important elements
of the publics expectations for auditors.
3.15 Misusing the auditor position for financial gain or other benefits
violates an auditors fundamental responsibilities. An auditors credibility
can be damaged by actions that could be perceived by an objective third
party with knowledge of the relevant information as improperly benefiting
an auditors personal financial interests or those of an immediate or close
family member; a general partner; an entity for which the auditor serves
as an officer, director, trustee, or employee; or an entity with which the
auditor is negotiating concerning future employment.
3.16 High expectations for the auditing profession include complying with
all relevant legal, regulatory, and professional obligations and avoiding
any conduct that could bring discredit to auditorswork, including actions
that would cause an objective third party with knowledge of the relevant
information to conclude that the auditorswork was professionally
deficient. Professional behavior includes auditors putting forth an honest
effort in performing their duties in accordance with the relevant technical
and professional standards.
3.17 GAGASs practical consideration of independence consists of four
interrelated sections, providing
a. general requirements and application guidance;
b. requirements for and guidance on a conceptual framework for
making independence determinations based on facts and
circumstances that are often unique to specific environments;
c. requirements for and guidance on independence for auditors
providing nonaudit services, including identification of specific
nonaudit services that always impair independence and others
that would not normally impair independence; and
Professional Behavior
Independence
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 29 GAO-18-568G Government Auditing Standards
d. requirements for and guidance on documentation necessary to
support adequate consideration of auditor independence.
Application Guidance: General
3.21 Independence comprises the following:
a. Independence of mind: The state of mind that permits the conduct
of an engagement without being affected by influences that
compromise professional judgment, thereby allowing an individual
to act with integrity and exercise objectivity and professional
skepticism.
b. Independence in appearance: The absence of circumstances that
would cause a reasonable and informed third party to reasonably
conclude that the integrity, objectivity, or professional skepticism
of an audit organization or member of the engagement team had
been compromised.
3.22 Auditors and audit organizations maintain their independence so that
their opinions, findings, conclusions, judgments, and recommendations
Requirements: General
3.18 In all matters relating to the GAGAS engagement, auditors and
audit organizations must be independent from an audited entity.
3.19 Auditors and audit organizations should avoid situations that could
lead reasonable and informed third parties to conclude that the auditors
and audit organizations are not independent and thus are not capable
of exercising objective and impartial judgment on all issues associated
with conducting the engagement and reporting on the work.
3.20 Except under the limited circumstances discussed in paragraphs
3.66 and 3.67, auditors and audit organizations should be independent
from an audited entity during
a. any period of time that falls within the period covered by the
financial statements or subject matter of the engagement and
b. the period of professional engagement.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 30 GAO-18-568G Government Auditing Standards
will be impartial and will be viewed as impartial by reasonable and
informed third parties.
3.23 The period of professional engagement begins when the auditors
either sign an initial engagement letter or other agreement to conduct an
engagement or begin to conduct an engagement, whichever is earlier.
The period lasts for the duration of the professional relationshipwhich,
for recurring engagements, could cover many periodsand ends with the
formal or informal notification, either by the auditors or the audited entity,
of the termination of the professional relationship or with the issuance of a
report, whichever is later. Accordingly, the period of professional
engagement does not necessarily end with the issuance of a report and
recommence with the beginning of the following years engagement or a
subsequent engagement with a similar objective.
3.24 Under some conditions, the party requesting or requiring an
engagement, referred to as the engaging party, will differ from the party
responsible for the engagements subject matter, referred to as the
responsible party. Under such conditions, the GAGAS independence
requirements apply to the relationship between the auditors and the
responsible party, not the relationship between the auditors and the
engaging party. The following are examples of conditions under which the
party requesting an engagement may differ from the party responsible for
the engagements subject matter.
a. A legislative body requires that auditors conduct, on the legislative
bodys behalf, a performance audit of program operations that are
the responsibility of an executive agency. GAGAS requires that
the auditors be independent of the executive agency.
b. A state agency engages an independent public accountant to
conduct an examination-level attestation engagement to assess
the validity of certain information that a local government provided
to the state agency. GAGAS requires that the independent public
accountant be independent of the local government.
c. A government department works with a government agency that
conducts examination-level attestation engagements of contractor
compliance with the terms and conditions of agreements between
the department and the contractor. GAGAS requires that the
auditors be independent of the contractors.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 31 GAO-18-568G Government Auditing Standards
3.25 Auditors in government sometimes work under conditions that impair
independence in accordance with this section. An example of such a
circumstance is a threat created by a statutory requirement for auditors to
serve in official roles that conflict with the independence requirements of
this section, such as a law that requires an auditor to serve as a voting
member of an entitys management committee or board of directors, for
which there are no safeguards to eliminate or reduce the threats to an
acceptable level. Paragraph 2.17b provides standard language for
modified GAGAS compliance statements for auditors who experience
such impairments. Determining how to modify the GAGAS compliance
statement in these circumstances is a matter of professional judgment.
3.26 Many different circumstances, or combinations of circumstances, are
relevant in evaluating threats to independence. Therefore, GAGAS
establishes a conceptual framework that auditors use to identify,
evaluate, and apply safeguards to address threats to independence. The
conceptual framework assists auditors in maintaining both independence
of mind and independence in appearance. It can be applied to many
variations in circumstances that create threats to independence and
allows auditors to address threats to independence that result from
activities that are not specifically prohibited by GAGAS.
Requirements: GAGAS Conceptual Framework Approach to
Independence
3.27 Auditors should apply the conceptual framework
21
at the audit
organization, engagement team, and individual auditor levels to
a. identify threats to independence;
b. evaluate the significance of the threats identified, both
individually and in the aggregate; and
c. apply safeguards as necessary to eliminate the threats or
reduce them to an acceptable level.
3.28 Auditors should reevaluate threats to independence, including
21
See fig. 1 at the end of ch. 3 for a flowchart on applying the conceptual framework in
accordance with GAGAS.
GAGAS Conceptual
Framework Approach to
Independence
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 32 GAO-18-568G Government Auditing Standards
any safeguards applied, whenever the audit organization or the
auditors become aware of new information or changes in facts and
circumstances that could affect whether a threat has been eliminated
or reduced to an acceptable level.
3.29 Auditors should use professional judgment when applying the
conceptual framework.
3.30 Auditors should evaluate the following broad categories of threats
to independence when applying the GAGAS conceptual framework:
a. Self-interest threat: The threat that a financial or other interest
will inappropriately influence an auditors judgment or behavior.
b. Self-review threat: The threat that an auditor or audit
organization that has provided nonaudit services will not
appropriately evaluate the results of previous judgments made
or services provided as part of the nonaudit services when
forming a judgment significant to a GAGAS engagement.
c. Bias threat: The threat that an auditor will, as a result of
political, ideological, social, or other convictions, take a position
that is not objective.
d. Familiarity threat: The threat that aspects of a relationship with
management or personnel of an audited entity, such as a close
or long relationship, or that of an immediate or close family
member, will lead an auditor to take a position that is not
objective.
e. Undue influence threat: The threat that influences or pressures
from sources external to the audit organization will affect an
auditors ability to make objective judgments.
f. Management participation threat: The threat that results from
an auditors taking on the role of management or otherwise
performing management functions on behalf of the audited
entity, which will lead an auditor to take a position that is not
objective.
g. Structural threat: The threat that an audit organizations
placement within a government entity, in combination with the
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 33 GAO-18-568G Government Auditing Standards
structure of the government entity being audited, will affect the
audit organizations ability to perform work and report results
objectively.
3.31 Auditors should determine whether identified threats to
independence are at an acceptable level or have been eliminated or
reduced to an acceptable level, considering both qualitative and
quantitative factors to determine the significance of a threat.
3.32 When auditors determine that threats to independence are not at
an acceptable level, the auditors should determine whether
appropriate safeguards can be applied to eliminate the threats or
reduce them to an acceptable level.
3.33 In cases where auditors determine that threats to independence
require the application of safeguards, auditors should document the
threats identified and the safeguards applied to eliminate or reduce the
threats to an acceptable level.
3.34 If auditors initially identify a threat to independence after the audit
report is issued, auditors should evaluate the threats effect on the
engagement and on GAGAS compliance. If the auditors determine that
the newly identified threats effect on the engagement would have
resulted in the audit report being different from the report issued had
the auditors been aware of it, they should communicate in the same
manner as that used to originally distribute the report to those charged
with governance, the appropriate officials of the audited entity, the
appropriate officials of the audit organization requiring or arranging for
the engagements, and other known users, so that they do not continue
to rely on findings or conclusions that were affected by the threat to
independence. If auditors previously posted the report to their publicly
accessible website, they should remove the report and post a public
notification that the report was removed. The auditors should then
determine whether to perform the additional engagement work
necessary to reissue the report, including any revised findings or
conclusions, or to repost the original report if the additional
engagement work does not result in a change in findings or
conclusions.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 34 GAO-18-568G Government Auditing Standards
Application Guidance: GAGAS Conceptual Framework Approach to
Independence
3.35 For consideration of auditor independence, offices or units of an
audit organization, or related or affiliated entities under common control,
are not differentiated from one another. Consequently, for the purposes of
evaluating independence using the conceptual framework, an audit
organization that includes multiple offices or units, or includes multiple
entities related or affiliated through common control, is considered to be
one audit organization. Common ownership may also affect
independence in appearance regardless of the level of control.
Identifying Threats
3.36 Facts and circumstances that create threats to independence can
result from events such as the start of a new engagement, assignment of
new personnel to an ongoing engagement, and acceptance of a nonaudit
service for an audited entity.
3.37 Threats to independence may be created by a wide range of
relationships and circumstances. Circumstances that result in a threat to
independence in one of the categories may result in other threats as well.
3.38 Examples of circumstances that create self-interest threats for an
auditor follow:
a. An audit organization having undue dependence on income from
a particular audited entity.
b. A member of the audit team entering into employment
negotiations with an audited entity.
c. An audit organization discovering a significant error when
evaluating the results of a previous professional service provided
by the audit organization.
d. A member of the audit team having a direct financial interest in the
audited entity. However, this would not preclude auditors from
auditing pension plans that they participate in if (1) the auditors
have no control over the investment strategy, benefits, or other
management issues associated with the pension plan and (2) the
auditors belong to such pension plan as part of their employment
with the audit organization or prior employment with the audited
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 35 GAO-18-568G Government Auditing Standards
entity, provided that the plan is normally offered to all employees
in equivalent employment positions.
3.39 Examples of circumstances that create self-review threats for an
auditor follow:
a. An audit organization issuing a report on the effectiveness of the
operation of financial or performance management systems after
designing or implementing the systems.
b. An audit organization having prepared the original data used to
generate records that are the subject matter of the engagement.
c. An audit organization providing a service for an audited entity that
directly affects the subject matter information of the engagement.
d. A member of the engagement team being, or having recently
been, employed by the audited entity in a position to exert
significant influence over the subject matter of the engagement.
3.40 Examples of circumstances that create bias threats for an auditor
follow:
a. A member of the engagement team having preconceptions about
the objectives of a program under audit that are strong enough to
affect the auditors objectivity.
b. A member of the engagement team having biases associated with
political, ideological, or social convictions that result from
membership or employment in, or loyalty to, a particular type of
policy, group, entity, or level of government that could affect the
auditors objectivity.
3.41 Examples of circumstances that create familiarity threats for an
auditor follow:
a. A member of the engagement team having a close or immediate
family member who is a principal or senior manager of the audited
entity.
b. A member of the engagement team having a close or immediate
family member who is an employee of the audited entity and is in
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 36 GAO-18-568G Government Auditing Standards
a position to exert significant influence over the subject matter of
the engagement.
c. A principal or employee of the audited entity having recently
served on the engagement team in a position to exert significant
influence over the subject matter of the engagement.
d. An auditor accepting gifts or preferential treatment from an audited
entity, unless the value is trivial or inconsequential.
e. Senior engagement personnel having a long association with the
audited entity.
3.42 Examples of circumstances that create undue influence threats for
an auditor or audit organization include existence of the following:
a. External interference or influence that could improperly limit or
modify the scope of an engagement or threaten to do so, including
exerting pressure to inappropriately reduce the extent of work
performed in order to reduce costs or fees.
b. External interference with the selection or application of
engagement procedures or in the selection of transactions to be
examined.
c. Unreasonable restrictions on the time allowed to complete an
engagement or issue the report.
d. External interference over assignment, appointment,
compensation, and promotion.
e. Restrictions on funds or other resources provided to the audit
organization that adversely affect the audit organizations ability to
carry out its responsibilities.
f. Authority to overrule or to inappropriately influence the auditors
judgment as to the appropriate content of the report.
g. Threat of replacing the auditor or the audit organization based on
a disagreement with the contents of an audit report, the auditors
conclusions, or the application of an accounting principle or other
criteria.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 37 GAO-18-568G Government Auditing Standards
h. Influences that jeopardize the auditorscontinued employment for
reasons other than incompetence, misconduct, or the audited
entitys need for GAGAS engagements.
3.43 Examples of circumstances that create management participation
threats for an auditor follow:
a. A member of the engagement team being, or having recently
been, a principal or senior manager of the audited entity.
b. An auditor serving as a voting member of an entitys management
committee or board of directors, making policy decisions that
affect future direction and operation of an entitys programs,
supervising entity employees, developing or approving
programmatic policy, authorizing an entitys transactions, or
maintaining custody of an entitys assets.
c. An auditor or audit organization recommending a single individual
for a specific position that is key to the audited entity or program
under audit, or otherwise ranking or influencing managements
selection of the candidate.
d. An auditor preparing managements corrective action plan to deal
with deficiencies detected in the engagement.
3.44 Examples of circumstances that create structural threats for an
auditor follow:
a. For both external and internal audit organizations, structural
placement of the audit function within the reporting line of the
areas under audit.
b. For internal audit organizations, administrative direction from the
audited entitys management.
Evaluating Threats
3.45 Threats to independence are evaluated both individually and in the
aggregate, as threats can have a cumulative effect on auditors
independence.
3.46 When evaluating threats to independence, an acceptable level is a
level at which a reasonable and informed third party would likely conclude
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 38 GAO-18-568G Government Auditing Standards
that the audit organization or auditor is independent. The concept of a
reasonable and informed third party is a test that involves an evaluation
by a hypothetical person. Such a person possesses skills, knowledge,
and experience to objectively evaluate the appropriateness of the
auditors judgments and conclusions. This evaluation entails weighing all
the relevant facts and circumstances, including any safeguards applied,
that the auditor knows, or could reasonably be expected to know, at the
time that the evaluation is made.
3.47 A threat to independence is not at an acceptable level if it either
a. could affect the auditorsability to conduct an engagement without
being affected by influences that compromise professional
judgment or
b. could expose the auditors or audit organization to circumstances
that would cause a reasonable and informed third party to
conclude that the integrity, objectivity, or professional skepticism
of the audit organization, or an auditor, had been compromised.
3.48 The GAGAS section on nonaudit services in paragraphs 3.64
through 3.106 provides requirements and guidance on evaluating threats
to independence related to nonaudit services that auditors provide to
audited entities. That section also enumerates specific nonaudit services
that always impair auditor independence with respect to audited entities
and that auditors are prohibited from providing to audited entities.
Applying Safeguards
3.49 Safeguards are actions or other measures, individually or in
combination, that auditors and audit organizations take that effectively
eliminate threats to independence or reduce them to an acceptable level.
Safeguards vary depending on the facts and circumstances.
3.50 Examples of safeguards include
a. consulting an independent third party, such as a professional
organization, a professional regulatory body, or another auditor to
discuss engagement issues or assess issues that are highly
technical or that require significant judgment;
b. involving another audit organization to perform or re-perform part
of the engagement;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 39 GAO-18-568G Government Auditing Standards
c. having an auditor who was not a member of the engagement team
review the work performed; and
d. removing an auditor from an engagement team when that
auditors financial or other interests or relationships pose a threat
to independence.
3.51 The lists of safeguards in 3.50 and 3.69 cannot provide safeguards
for all circumstances. They may, however, provide a starting point for
auditors who have identified threats to independence and are considering
what safeguards could eliminate those threats or reduce them to an
acceptable level. In some cases, multiple safeguards may be necessary
to address a threat.
Audit Organizations in Government Entities
3.52 The ability of an audit organization structurally located in a
government entity to perform work and report the results objectively can
be affected by its placement within the government entity and the
structure of the government entity being audited. The independence
standard applies to auditors in both external audit organizations (reporting
to third parties externally or to both internal and external parties) and
internal audit organizations (reporting only to senior management within
the audited entity). Such audit organizations are often subject to
constitutional or statutory safeguards that mitigate the effects of structural
threats to independence.
3.53 For external audit organizations, constitutional or statutory
safeguards that mitigate the effects of structural threats to independence
may include governmental structures under which a government audit
organization is
a. at a level of government other than the one of which the audited
entity is part (federal, state, or local)for example, federal
auditors auditing a state government programor
b. placed within a different branch of government from that of the
audited entityfor example, legislative auditors auditing an
executive branch program.
3.54 Safeguards other than those described in paragraph 3.53 may
mitigate threats resulting from governmental structures. For external audit
organizations, structural threats may be mitigated if the head of the audit
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 40 GAO-18-568G Government Auditing Standards
organization meets any of the following criteria in accordance with
constitutional or statutory requirements:
a. directly elected by voters of the jurisdiction being audited;
b. elected or appointed by a legislative body, subject to removal by a
legislative body, and reporting the results of engagements to and
accountable to a legislative body;
c. appointed by someone other than a legislative body, so long as
the appointment is confirmed by a legislative body and removal
from the position is subject to oversight or approval by a legislative
body, and reports the results of engagements to and is
accountable to a legislative body; or
d. appointed by, accountable to, reports to, and can only be removed
by a statutorily created governing body, the majority of whose
members are independently elected or appointed and are outside
the organization being audited.
3.55 In addition to the criteria in paragraphs 3.53 and 3.54, GAGAS
recognizes that there may be other organizational structures under which
external audit organizations in government entities could be considered
independent. If appropriately designed and implemented, these structures
provide safeguards that prevent the audited entity from interfering with the
audit organizations ability to perform the work and report the results
impartially. An external audit organization may be structurally
independent under a structure different from the ones listed in paragraphs
3.53 and 3.54 if the government audit organization is subject to all of the
following constitutional or statutory provisions. The following constitutional
or statutory provisions may also be used as safeguards to augment those
listed in paragraphs 3.53 and 3.54:
a. protections that prevent the audited entity from abolishing the
audit organization;
b. protections requiring that if the head of the audit organization is
removed from office, the head of the agency reports this fact and
the reasons for the removal to the legislative body;
c. protections that prevent the audited entity from interfering with the
initiation, scope, timing, and completion of any engagement;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 41 GAO-18-568G Government Auditing Standards
d. protections that prevent the audited entity from interfering with
audit reporting, including the findings and conclusions or the
manner, means, or timing of the audit organizations reports;
e. protections that require the audit organization to report to a
legislative body or other independent governing body on a
recurring basis;
f. protections that give the audit organization sole authority over the
selection, retention, advancement, and dismissal of its personnel;
and
g. access to records and documents related to the agency, program,
or function being audited and access to government officials or
other individuals as needed to conduct the engagement.
3.56 Government internal auditors who work under the direction of the
audited entitys management are considered structurally independent for
the purposes of reporting internally, if the head of the audit organization
meets all of the following criteria:
a. is accountable to the head or deputy head of the government
entity or to those charged with governance;
b. reports the engagement results both to the head or deputy head of
the government entity and to those charged with governance;
c. is located organizationally outside the staff or line management
function of the unit under audit;
d. has access to those charged with governance; and
e. is sufficiently removed from pressures to conduct engagements
and report findings, opinions, and conclusions objectively without
fear of reprisal.
Internal Auditors
3.57 Certain entities employ auditors to work for entity management.
These auditors may be subject to administrative direction from persons
involved in the entity management process. Such audit organizations are
internal audit functions and are encouraged to use the Institute of Internal
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 42 GAO-18-568G Government Auditing Standards
AuditorsInternational Standards for the Professional Practice of Internal
Auditing, in conjunction with GAGAS.
3.58 When an internal audit organization conducts engagements
pertaining to external parties, such as contractors or entities subject to
other outside agreements, and no impairments to independence exist, the
audit organization can be considered independent as an external audit
organization of those external parties.
Requirements: Independence Impairments
3.59 Auditors should conclude that independence is impaired if no
safeguards have been effectively applied to eliminate an unacceptable
threat or reduce it to an acceptable level.
3.60 When auditors conclude that independence of the engagement
team or the audit organization is impaired under paragraph 3.59,
auditors should decline to accept an engagement or should terminate
an engagement in progress (except in circumstances discussed in
paragraphs 3.25 or 3.84).
Application Guidance: Independence Impairments
3.61 Whether independence is impaired depends on the nature of the
threat, whether the threat is of such significance that it would compromise
an auditors professional judgment or create the appearance that the
auditors integrity, objectivity, or professional skepticism may be
compromised, and the specific safeguards applied to eliminate the threat
or reduce it to an acceptable level.
3.62 If auditors conclude that an individual auditors independence is
impaired under paragraph 3.59, it may be necessary to terminate the
engagement or it may be possible to take action that satisfactorily
addresses the effect of the individual auditors independence impairment.
3.63 Factors that are relevant in evaluating whether the independence of
the engagement team or the audit organization is impaired by an
individual auditors independence impairment include
a. the nature and duration of the individual auditors impairment;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 43 GAO-18-568G Government Auditing Standards
b. the number and nature of any previous impairments with respect
to the current engagement;
c. whether a member of the engagement team had knowledge of the
interest or relationship that caused the individual auditors
impairment;
d. whether the individual auditor whose independence is impaired is
(1) a member of the engagement team or (2) another individual for
whom there are independence requirements;
e. the role of the individual auditor on the engagement team whose
independence is impaired;
f. the effect of the service, if any, on the accounting records or
audited entitys financial statements if the individual auditors
impairment was caused by the provision of a nonaudit service;
g. whether a partner or director of the audit organization had
knowledge of the individual auditors impairment and failed to
ensure that the individual auditors impairment was promptly
communicated to an appropriate individual within the audit
organization; and
h. the extent of the self-interest, undue influence, or other threats
created by the individual auditors impairment.
Requirement: Nonaudit Services
3.64 Before auditors agree to provide a nonaudit service to an audited
entity, they should determine whether providing such a service would
create a threat to independence, either by itself or in aggregate with
other nonaudit services provided, with respect to any GAGAS
engagement they conduct.
Application Guidance: Nonaudit Services
3.65 Auditors have traditionally provided a range of nonaudit services that
are consistent with their skills and expertise. Providing nonaudit services
to audited entities may create threats to the independence of auditors or
audit organizations.
Provision of Nonaudit
Services to Audited
Entities
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 44 GAO-18-568G Government Auditing Standards
3.66 For performance audits and agreed-upon procedures engagements,
nonaudit services that are otherwise prohibited by GAGAS may be
provided when such services do not relate to the specific subject matter
of the engagement.
3.67 For financial audits, examination or review engagements, and
reviews of financial statements, a nonaudit service otherwise prohibited
by GAGAS and provided during the period covered by the financial
statements may not threaten independence with respect to those financial
statements provided that the following conditions exist:
a. the nonaudit service was provided prior to the period of
professional engagement;
b. the nonaudit service related only to periods prior to the period
covered by the financial statements; and
c. the financial statements for the period to which the nonaudit
service did relate were audited by other auditors (or in the case of
an examination, review, or review of financial statements,
examined, reviewed, or audited by other auditors as appropriate).
3.68 Nonaudit services that auditors provide can affect independence of
mind and in appearance in periods after the nonaudit services were
provided. For example, if auditors have designed and implemented an
accounting and financial reporting system that is expected to be in place
for many years, a threat to independence in appearance may exist in
subsequent periods for future engagements that those auditors conduct.
For recurring engagements, having another independent audit
organization conduct an engagement over the areas affected by the
nonaudit service may provide a safeguard that allows the audit
organization that provided the nonaudit service to mitigate the threat to its
independence.
3.69 The following are examples of actions that in certain circumstances
could be safeguards in addressing threats to independence related to
nonaudit services:
a. not including individuals who provided the nonaudit service as
engagement team members;
b. having another auditor, not associated with the engagement,
review the engagement and nonaudit work as appropriate;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 45 GAO-18-568G Government Auditing Standards
c. engaging another audit organization to evaluate the results of the
nonaudit service; or
d. having another audit organization re-perform the nonaudit service
to the extent necessary to enable that other audit organization to
take responsibility for the service.
Routine Activities
3.70 Routine activities that auditors perform related directly to conducting
an engagement, such as providing advice and responding to questions as
part of an engagement, are not considered nonaudit services under
GAGAS. Such routine activities generally involve providing advice or
assistance to the audited entity on an informal basis as part of an
engagement. Routine activities typically are insignificant in terms of time
incurred or resources expended and generally do not result in a specific
project or engagement or in the auditors producing a formal report or
other formal work product. However, activities such as financial statement
preparation, cash-to-accrual conversions, and reconciliations are
considered nonaudit services under GAGAS, not routine activities related
to the performance of an engagement, and are evaluated using the
conceptual framework as discussed in paragraphs 3.87 through 3.95.
3.71 Routine activities directly related to an engagement may include the
following:
a. providing advice to the audited entity on an accounting matter as
an ancillary part of the overall financial audit;
b. providing advice to the audited entity on routine business matters;
c. educating the audited entity about matters within the technical
expertise of the auditors; and
d. providing information to the audited entity that is readily available
to the auditors, such as best practices and benchmarking studies.
Other Services Provided by Government Audit Organizations
3.72 Audit organizations in government entities frequently provide
services that differ from the traditional professional services that an
accounting or consulting firm provides to or for an audited entity. These
types of services are often provided in response to a statutory
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 46 GAO-18-568G Government Auditing Standards
requirement, at the discretion of the authority of the audit organization, or
to an engaging party (such as a legislative oversight body or an
independent external organization) rather than a responsible party, and
would generally not create a threat to independence. Examples of these
types of services include the following:
a. providing information or data to a requesting party without auditor
evaluation or verification of the information or data;
b. developing standards, methodologies, audit guides, audit
programs, or criteria for use throughout the government or for use
in certain specified situations;
c. collaborating with other professional organizations to advance
auditing of government entities and programs;
d. developing question and answer documents to promote
understanding of technical issues or standards;
e. providing assistance and technical expertise to legislative bodies
or independent external organizations;
f. assisting legislative bodies by developing questions for use at
hearings;
g. providing training, speeches, and technical presentations;
h. providing assistance in reviewing budget submissions;
i. contracting for audit services on behalf of an audited entity and
overseeing the audit contract, as long as the overarching
principles are not violated and the auditor under contract reports
to the audit organization and not to management; and
j. providing audit, investigative, and oversight-related services that
do not involve a GAGAS engagement, such as
(1) investigations of alleged fraud, violation of contract
provisions or grant agreements, or abuse;
(2) periodic audit recommendation follow-up engagements
and reports; and
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 47 GAO-18-568G Government Auditing Standards
(3) identifying best practices or leading practices for use in
advancing the practices of government organizations.
Requirements: Management Responsibilities
3.73 Before auditors agree to provide nonaudit services to an audited
entity that the audited entitys management requested and that could
create a threat to independence, either by themselves or in aggregate
with other nonaudit services provided, with respect to any GAGAS
engagement they conduct, auditors should determine that the audited
entity has designated an individual who possesses suitable skill,
knowledge, or experience and that the individual understands the
services to be provided sufficiently to oversee them.
3.74 Auditors should document consideration of managements ability
to effectively oversee nonaudit services to be provided.
3.75 In cases where the audited entity is unable or unwilling to assume
these responsibilities (for example, the audited entity does not have an
individual with suitable skill, knowledge, or experience to oversee the
nonaudit services provided, or is unwilling to perform such functions
because of lack of time or desire), auditors should conclude that the
provision of these services is an impairment to independence.
3.76 Auditors providing nonaudit services to audited entities should
obtain agreement from audited entity management that audited entity
management performs the following functions in connection with the
nonaudit services:
a. assumes all management responsibilities;
b. oversees the services, by designating an individual, preferably
within senior management, who possesses suitable skill,
knowledge, or experience;
c. evaluates the adequacy and results of the services provided;
and
d. accepts responsibility for the results of the services.
3.77 In connection with nonaudit services, auditors should establish
and document their understanding with the audited entitys
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 48 GAO-18-568G Government Auditing Standards
management or those charged with governance, as appropriate,
regarding the following:
a. objectives of the nonaudit service,
b. services to be provided,
c. audited entitys acceptance of its responsibilities as discussed
in paragraph 3.76,
d. the auditorsresponsibilities, and
e. any limitations on the provision of nonaudit services.
3.78 Auditors should conclude that management responsibilities that
the auditors perform for an audited entity are impairments to
independence. If the auditors were to assume management
responsibilities for an audited entity, the management participation
threats created would be so significant that no safeguards could
reduce them to an acceptable level.
Application Guidance: Management Responsibilities
3.79 A critical component of determining whether a threat to
independence exists is consideration of managements ability to
effectively oversee the nonaudit service to be provided. Although the
responsible individual in management is required to have sufficient
expertise to oversee the nonaudit services, management is not required
to possess the expertise to perform or re-perform the services. However,
indicators of managements ability to effectively oversee the nonaudit
service include managements ability to determine the reasonableness of
the results of the nonaudit services provided and to recognize a material
error, omission, or misstatement in the results of the nonaudit services
provided.
3.80 Management responsibilities involve leading and directing an entity,
including making decisions regarding the acquisition, deployment, and
control of human, financial, physical, and intangible resources.
3.81 The following are considered management responsibilities:
a. setting policies and strategic direction for the audited entity;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 49 GAO-18-568G Government Auditing Standards
b. directing and accepting responsibility for the actions of the audited
entitys employees in the performance of their routine, recurring
activities;
c. having custody of an audited entitys assets;
d. reporting to those charged with governance on behalf of
management;
e. deciding which of the audit organization’s or outside third partys
recommendations to implement;
f. accepting responsibility for the management of an audited entitys
project;
g. accepting responsibility for designing, implementing, or
maintaining internal control;
h. providing services that are intended to be used as managements
primary basis for making decisions that are significant to the
subject matter of the engagement;
i. developing an audited entitys performance measurement system
when that system is material or significant to the subject matter of
the engagement; and
j. serving as a voting member of an audited entitys management
committee or board of directors.
3.82 Whether a specific activity is a management responsibility as
identified in paragraph 3.81 or otherwise depends on the facts and
circumstances.
Requirements: Providing Nonaudit Services
3.83 Auditors who previously provided nonaudit services for an entity
that is a prospective subject of an engagement should evaluate the
effect of those nonaudit services on independence before agreeing to
conduct a GAGAS engagement. If auditors provided a nonaudit
service in the period to be covered by the engagement, they should
(1) determine if GAGAS expressly prohibits the nonaudit service; (2) if
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 50 GAO-18-568G Government Auditing Standards
audited entity management requested the nonaudit service, determine
whether the skills, knowledge, and experience of the individual
responsible for overseeing the nonaudit service were sufficient; and
(3) determine whether a threat to independence exists and address
any threats noted in accordance with the conceptual framework.
3.84 Auditors in a government entity may be required to provide a
nonaudit service that impairs the auditorsindependence with respect
to a required engagement. If, because of constitutional or statutory
requirements over which they have no control, the auditors can neither
implement safeguards to reduce the resulting threat to an acceptable
level nor decline to provide or terminate a nonaudit service that is
incompatible with engagement responsibilities, auditors should
disclose the nature of the threat that could not be eliminated or
reduced to an acceptable level and modify the GAGAS compliance
statement as discussed in paragraph 2.17b accordingly. Determining
how to modify the GAGAS compliance statement in these
circumstances is a matter of professional judgment.
3.85 By their nature, certain nonaudit services directly support an entitys
operations and, if provided to an audited entity, create a threat to the
auditorsability to maintain independence in mind and appearance. Some
aspects of these services will impair auditorsability to conduct GAGAS
engagements for the entities to which the services are provided.
3.86 Auditors may be able to provide nonaudit services in the broad areas
indicated in paragraphs 3.87 through 3.106 without impairing
independence if (1) the nonaudit services are not expressly prohibited by
GAGAS requirements, (2) the auditors have determined that the
requirements for providing nonaudit services in paragraphs 3.73 through
3.78 and paragraph 3.83 have been met, and (3) any significant threats to
independence have been eliminated or reduced to an acceptable level
through the application of safeguards. The conceptual framework enables
auditors to evaluate independence given the facts and circumstances of
individual services that are not specifically prohibited.
Consideration of Specific
Nonaudit Services
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 51 GAO-18-568G Government Auditing Standards
Requirements: Preparing Accounting Records and Financial
Statements
3.87 Auditors should conclude that the following services involving
preparation of accounting records impair independence with respect to
an audited entity:
a. determining or changing journal entries, account codes or
classifications for transactions, or other accounting records for
the entity without obtaining managements approval;
b. authorizing or approving the entitys transactions; and
c. preparing or making changes to source documents without
management approval.
3.88 Auditors should conclude that preparing financial statements in
their entirety from a client-provided trial balance or underlying
accounting records creates significant threats to auditors
independence, and should document the threats and safeguards
applied to eliminate and reduce threats to an acceptable level in
accordance with paragraph 3.33 or decline to provide the services.
22
3.89 Auditors should identify as threats to independence any services
related to preparing accounting records and financial statements, other
than those defined as impairments to independence in paragraph 3.87
and significant threats in paragraph 3.88. These services include
a. recording transactions for which management has determined
or approved the appropriate account classification, or posting
coded transactions to an audited entitys general ledger;
b. preparing certain line items or sections of the financial
statements based on information in the trial balance;
c. posting entries that an audited entitys management has
approved to the entitys trial balance; and
22
See fig. 2 at the end of ch. 3 for a flowchart on independence considerations for
preparing accounting records and financial statements.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 52 GAO-18-568G Government Auditing Standards
d. preparing account reconciliations that identify reconciling items
for the audited entity managements evaluation.
3.90 Auditors should evaluate the significance of threats to
independence created by providing any services discussed in
paragraph 3.89 and should document the evaluation of the significance
of such threats.
23
Application Guidance: Preparing Accounting Records and Financial
Statements
3.91 Management is responsible for the preparation and fair presentation
of the financial statements in accordance with the applicable financial
reporting framework, even if the auditor assisted in drafting those financial
statements. Consequently, an auditor accepting responsibility for the
preparation and fair presentation of financial statements that the auditor
will subsequently audit or that will otherwise be the subject matter of an
engagement would impair the auditors independence.
3.92 Source documents include those providing evidence that
transactions have occurred (for example, purchase orders, payroll time
records, customer orders, and contracts). Such records also include an
audited entitys general ledger and subsidiary records or equivalent.
3.93 Determining whether services, as discussed in paragraph 3.89, are
significant threats and require safeguards is a matter of professional
judgment.
3.94 Factors that are relevant in evaluating the significance of any threats
created by providing services as discussed in paragraph 3.89 include
a. the extent to which the outcome of the service could have a
material effect on the financial statements,
b. the degree of subjectivity involved in determining the appropriate
amounts or treatment for those matters reflected in the financial
statements, and
23
See para. 3.33 for additional requirements related to documenting threats identified and
safeguards applied to eliminate or reduce threats to an acceptable level.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 53 GAO-18-568G Government Auditing Standards
c. the extent of the audited entitys involvement in determining
significant matters of judgment.
3.95 Providing clerical assistance, such as typing, formatting, printing,
and binding financial statements, is unlikely to be a significant threat.
Requirement: Internal Audit Assistance Services Provided by
External Auditors
3.96 Internal audit assistance services involve assisting an entity in
performing its internal audit activities. Auditors should conclude that
the following internal audit assistance activities impair an external
auditors independence with respect to an audited entity:
a. setting internal audit policies or the strategic direction of internal
audit activities;
b. performing procedures that form part of the internal control, such
as reviewing and approving changes to employee data access
privileges; and
c. determining the scope of the internal audit function and resulting
work.
Requirements: Internal Control Evaluation as a Nonaudit Service
3.97 Auditors should conclude that providing or supervising ongoing
monitoring procedures over an entitys system of internal control
impairs independence because the management participation threat
created is so significant that no safeguards could reduce the threat to
an acceptable level.
3.98 Separate evaluations are sometimes provided as a nonaudit
service. When providing separate evaluations as nonaudit services,
auditors should evaluate the significance of the threat created by
performing separate evaluations and apply safeguards when
necessary to eliminate the threat or reduce it to an acceptable level.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 54 GAO-18-568G Government Auditing Standards
Application Guidance: Internal Control Evaluation as a Nonaudit
Service
3.99 Accepting responsibility for designing, implementing, or maintaining
internal control includes accepting responsibility for designing,
implementing, or maintaining monitoring procedures. Monitoring involves
the use of either ongoing monitoring procedures or separate evaluations
to gather and analyze persuasive information supporting conclusions
about the effectiveness of the internal control system. Ongoing monitoring
procedures performed on behalf of management are built into the routine,
recurring operating activities of an entity.
3.100 Factors relevant to evaluating the significance of any threats
created by providing separate evaluations as a nonaudit service include
a. the frequency of the separate evaluations and
b. the scope or extent of the controls (in relation to the scope of the
engagement conducted) being evaluated.
3.101 A separate evaluation provided as a nonaudit service is not a
substitute for engagement procedures in a GAGAS engagement.
Requirement: Information Technology Services
3.102 Auditors should conclude that providing information technology
(IT) services to an audited entity that relate to the period under audit
impairs independence if those services include
a. designing or developing an audited entitys financial information
system or other IT system that will play a significant role in the
management of an area of operations that is or will be the
subject matter of an engagement;
b. making other than insignificant modifications to source code
underlying an audited entitys existing financial information
system or other IT system that will play a significant role in the
management of an area of operations that is or will be the
subject matter of an engagement;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 55 GAO-18-568G Government Auditing Standards
Application Guidance: Information Technology Services
3.103 Services related to IT systems include the design or
implementation of hardware or software systems. The systems may
aggregate source data, form part of the internal control over the subject
matter of the engagement, or generate information that affects the subject
matter of the engagement.
Application Guidance: Appraisal, Valuation, and Actuarial Services
3.105 A valuation comprises the making of assumptions with regard to
future developments; the application of appropriate methodologies and
techniques; and the combination of both to compute a certain value, or
range of values, for an asset, a liability, or an entity as a whole.
c. supervising audited entity personnel in the daily operation of an
audited entitys information system; or
d. operating an audited entitys network, financial information
system, or other IT system that will play a significant role in the
management of an area of operations that is or will be the
subject matter of an engagement.
Requirement: Appraisal, Valuation, and Actuarial Services
3.104 Auditors should conclude that independence is impaired if an
audit organization provides appraisal, valuation, or actuarial services to
an audited entity when (1) the services involve a significant degree of
subjectivity and (2) the results of the service, individually or when
combined with other valuation, appraisal, or actuarial services, are
material to the audited entitys financial statements or other information
on which the audit organization is reporting.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 56 GAO-18-568G Government Auditing Standards
24
See Section 2510.3-21 of Title 29, Code of Federal Regulations.
Requirement: Other Nonaudit Services
3.106 Auditors should conclude that providing certain other nonaudit
services impairs an external auditors independence with respect to an
audited entity. These activities include the following:
a. Advisory service
(1) Assuming any management responsibilities
b. Benefit plan administration
(1) Making policy decisions on behalf of management
(2) Interpreting the provisions in a plan document for a plan
participant on behalf of management without first
obtaining managements concurrence
(3) Making disbursements on behalf of the plan
(4) Having custody of the plans assets
(5) Serving in a fiduciary capacity, as defined under the
Employee Retirement Income Security Act of 1974
24
c. Business risk consulting
(1) Making or approving business risk decisions
(2) Presenting business risk considerations to those
charged with governance on behalf of management
d. Executive or employee recruiting
(1) Committing the audited entity to employee
compensation or benefit arrangements
(2) Hiring or terminating the audited entitys employees
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 57 GAO-18-568G Government Auditing Standards
25
See para. 5.04 for additional discussion of documenting compliance with quality control
policies and procedures and paras. 5.08 through 5.11 for additional discussion of policies
and procedures on independence, legal, and ethical requirements.
e. Investment advisory or management
(1) Making investment decisions on behalf of management
or otherwise having discretionary authority over an
audited entitys investments
(2) Executing a transaction to buy or sell an audited entitys
investments
(3) Having custody of an audited entitys assets, such as
taking temporary possession of securities
Documentation
Requirement: Documentation
3.107 While insufficient documentation of an auditors compliance with
the independence standard does not impair independence, auditors
should prepare appropriate documentation under the GAGAS quality
control and assurance requirements.
25
The independence standard
includes the following documentation requirements, where applicable:
a. document threats to independence that require the application
of safeguards, along with safeguards applied, in accordance
with the conceptual framework for independence as required by
paragraph 3.33;
b. document the safeguards in paragraphs 3.52 through 3.56 if an
audit organization is structurally located within a government
entity and is considered structurally independent based on
those safeguards;
c. document consideration of audited entity managements ability
to effectively oversee a nonaudit service to be provided by the
auditor as indicated in paragraph 3.74;
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 58 GAO-18-568G Government Auditing Standards
Application Guidance: Documentation
3.108 Documentation of independence considerations provides evidence
of the auditors judgments in forming conclusions regarding compliance
with independence requirements.
Requirement: Professional Judgment
3.109 Auditors must use professional judgment in planning and
conducting the engagement and in reporting the results.
Application Guidance: Professional Judgment
3.110 Professional judgment includes exercising reasonable care and
professional skepticism. Reasonable care includes acting diligently in
accordance with applicable professional standards and ethical principles.
Attributes of professional skepticism include a questioning mind,
awareness of conditions that may indicate possible misstatement owing
to error or fraud, and a critical assessment of evidence. Professional
skepticism includes being alert to, for example, evidence that contradicts
other evidence obtained or information that brings into question the
reliability of documents or responses to inquiries to be used as evidence.
Further, it includes a mindset in which auditors assume that management
is neither dishonest nor of unquestioned honesty. Auditors may accept
records and documents as genuine unless they have reason to believe
the contrary. Auditors may consider documenting procedures undertaken
to support their application of professional skepticism in highly judgmental
or subjective areas under audit.
3.111 Using the auditors professional knowledge, skills, and abilities, in
good faith and with integrity, to diligently gather information and
d. document the auditors understanding with an audited entity for
which the auditor will provide a nonaudit service as indicated in
paragraph 3.77; and
e. document the evaluation of the significance of the threats
created by providing any of the services discussed in
paragraph 3.89.
Professional
Judgment
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 59 GAO-18-568G Government Auditing Standards
objectively evaluate the sufficiency and appropriateness of evidence is a
critical component of GAGAS engagements. Professional judgment and
competence are interrelated because judgments made depend upon the
auditors competence, as discussed in chapter 4.
3.112 Professional judgment represents the application of the collective
knowledge, skills, and abilities of all the personnel involved with an
engagement, as well as the professional judgment of individual auditors.
In addition, professional judgment may involve consultation with other
stakeholders, specialists, and management in the audit organization.
3.113 Using professional judgment is important to auditors in carrying out
all aspects of their professional responsibilities, including following the
independence standards and related conceptual framework; maintaining
objectivity and credibility; assigning competent personnel to the
engagement; defining the scope of work; evaluating, documenting, and
reporting the results of the work; and maintaining appropriate quality
control over the engagement process.
3.114 Using professional judgment is important to auditors in applying the
conceptual framework to determine independence in a given situation.
This includes identifying and evaluating any threats to independence,
including threats to the appearance of independence, and related
safeguards that may mitigate the identified threats.
26
3.115 Using professional judgment is important to auditors in determining
the necessary level of understanding of the engagement subject matter
and related circumstances. This includes considering whether the audit
teams collective experience, training, knowledge, skills, abilities, and
overall understanding are sufficient to assess the risks that the subject
matter of the engagement may contain a significant inaccuracy or could
be misinterpreted.
27
3.116 An auditors consideration of the risk level of each engagement,
including the risk of arriving at improper conclusions, is also important.
Within the context of audit risk, exercising professional judgment in
determining the sufficiency and appropriateness of evidence to be used to
support the findings and conclusions based on the engagement
26
See para. 3.21b for a description of independence in appearance.
27
See paras. 4.02 through 4.15 for a discussion of competence.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 60 GAO-18-568G Government Auditing Standards
objectives and any recommendations reported is integral to the
engagement process.
3.117 While this requirement places responsibility on each auditor and
audit organization to exercise professional judgment in planning and
conducting an engagement, it does not imply unlimited responsibility nor
does it imply infallibility on the part of either the individual auditor or the
audit organization. Absolute assurance is not attainable because of
factors such as the nature of evidence and characteristics of fraud.
Professional judgment does not mean eliminating all possible limitations
or weaknesses associated with a specific engagement, but rather
identifying, assessing, mitigating, and concluding on them.
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 61 GAO-18-568G Government Auditing Standards
Figure 1: Generally Accepted Government Auditing Standards Conceptual Framework for Independence
Chapter 3: Ethics, Independence, and
Professional Judgment
Page 62 GAO-18-568G Government Auditing Standards
Figure 2: Independence Considerations for Preparing Accounting Records and
Financial Statements
Chapter 4: Competence and Continuing
Professional Education
Page 63 GAO-18-568G Government Auditing Standards
4.01 This chapter establishes the generally accepted government auditing
standards (GAGAS) requirements for competence and continuing
professional education (CPE). Competence includes being
knowledgeable about the specific GAGAS requirements and having the
skills and abilities to proficiently apply that knowledge on GAGAS
engagements. CPE contributes to auditorscompetence. The
requirements of this chapter are intended to be followed in conjunction
with all other applicable GAGAS requirements.
Requirements: General
4.02 The audit organizations management must assign auditors to
conduct the engagement who before beginning work on the
engagement collectively possess the competence needed to address
the engagement objectives and perform their work in accordance with
GAGAS.
4.03 The audit organizations management must assign auditors who
before beginning work on the engagement possess the competence
needed for their assigned roles.
4.04 The audit organization should have a process for recruitment,
hiring, continuous development, assignment, and evaluation of
personnel so that the workforce has the essential knowledge, skills,
and abilities necessary to conduct the engagement. The nature,
extent, and formality of the process will depend on various factors,
such as the size of the audit organization, its structure, and its work.
Application Guidance: General
4.05 Competence is the knowledge, skills, and abilities, obtained from
education and experience, necessary to conduct the GAGAS
engagement. Competence enables auditors to make sound professional
judgments. Competence includes possessing the technical knowledge
and skills necessary for the assigned role and the type of work being
done. This includes possessing specific knowledge about GAGAS.
4.06 Competence is derived from a combination of education and
experience. Education is a structured and systematic process aimed at
developing knowledge, skills, and other abilities; it is a process that is
typically but not exclusively conducted in academic or learning
Professional Education
Competence
Chapter 4: Competence and Continuing
Professional Education
Page 64 GAO-18-568G Government Auditing Standards
environments. Experience refers to workplace activities that are relevant
to developing professional proficiency. Competence is not necessarily
measured by years of auditing experience because such a quantitative
measurement may not accurately reflect the kinds of experiences gained
by auditors in any given time period. Maintaining competence through a
commitment to learning and development throughout auditors
professional lives is an important element for auditors.
Application Guidance: Indicators of Competence
Technical Knowledge and Skills
4.07 The knowledge, skills, and abilities needed when conducting an
engagement in accordance with GAGAS include the understanding
necessary to proficiently apply
a. GAGAS;
b. standards, statutory requirements, regulations, criteria, and
guidance applicable to auditing or the objectives for the
engagement(s) being conducted; and
c. techniques, tools, and guidance related to professional expertise
applicable to the work being performed.
Auditor proficiency in these areas helps ensure that engagements are
conducted in accordance with GAGAS.
4.08 Achieving the knowledge, skills, and abilities needed to conduct a
GAGAS engagement may include
a. having prior experience in the subject matter or type of
engagement;
b. completing CPE related to the subject matter or type of
engagement; and
c. obtaining degrees or certifications relevant to the subject matter or
type of engagement.
Chapter 4: Competence and Continuing
Professional Education
Page 65 GAO-18-568G Government Auditing Standards
Competence for Assigned Roles
4.09 The audit organization and engagement teams may consider the
levels of proficiency needed for each role on the engagement when
assigning auditors to the engagement.
4.10 Roles on the engagement generally include the following:
a. Nonsupervisory auditors: Auditors in these roles plan or perform
engagement procedures. Work situations for these auditors are
characterized by low levels of ambiguity, complexity, and
uncertainty. The nonsupervisory auditor role necessitates at least
a basic level of proficiency.
b. Supervisory auditors: Auditors in these roles plan engagements,
perform engagement procedures, or direct engagements. Work
situations for these auditors are characterized by moderate levels
of ambiguity, complexity, and uncertainty. The supervisory auditor
role necessitates at least an intermediate level of proficiency.
c. Partners and directors: Auditors in these roles plan engagements,
perform engagement procedures, or direct or report on
engagements. Partners and directors may also be responsible for
reviewing engagement quality prior to issuing the report, for
signing the report, or both. Work situations for these auditors are
characterized by high levels of ambiguity, complexity, and
uncertainty. The partner and director role necessitates an
advanced level of proficiency.
4.11 Definitions of key terms follow:
a. Planning: Determining engagement objectives, scope, and
methodology; establishing criteria to evaluate matters subject to
audit; or coordinating the work of the other audit organizations.
This definition excludes auditors whose role is limited to gathering
information used in planning the engagement.
b. Directing: Supervising the efforts of others who are involved in
accomplishing the objectives of the engagement or reviewing
engagement work to determine whether those objectives have
been accomplished.
Chapter 4: Competence and Continuing
Professional Education
Page 66 GAO-18-568G Government Auditing Standards
c. Performing engagement procedures: Performing tests and
procedures necessary to accomplish the engagement objectives
in accordance with GAGAS.
d. Reporting: Determining the report content and substance or
reviewing reports to determine whether the engagement
objectives have been accomplished and the evidence supports
the reports technical content and substance prior to issuance.
This includes signing the report.
Application Guidance: Specialists
4.13 Some engagements may necessitate the use of specialized
techniques or methods that call for the skills of specialists. Specialists do
not include individuals with special skill or knowledge related to
specialized areas within the field of accounting or auditing, such as
income taxation and information technology. Such individuals are
considered auditors.
4.14 The competence and qualifications of specialists significantly affect
whether their work will be adequate for the engagement teams purposes
and will meet GAGAS requirements. Competence of specialists relates to
the nature and level of expertise. Qualifications of specialists relate to
their professional certifications, reputations, and previous work in the
subject matter. Other relevant factors include the ability of specialists to
exercise competence in the circumstances of the engagement and the
effects that bias, conflict of interest, or the influence of others may have
on the specialistsprofessional judgment.
4.15 Sources that may inform the auditorsassessment of the
competence and professional qualifications of a specialist include the
following:
a. the professional certification, license, or other recognition of the
competence of the specialist in his or her field, as appropriate;
Requirement: Specialists
4.12 The engagement team should determine that specialists assisting
the engagement team on a GAGAS engagement are qualified and
competent in their areas of specialization.
Chapter 4: Competence and Continuing
Professional Education
Page 67 GAO-18-568G Government Auditing Standards
b. the reputation and standing of the specialist in the views of peers
and others familiar with the specialists capability or performance;
c. the specialists experience and previous work in the subject
matter;
d. the auditorsassessment of the specialists knowledge and
qualification based on prior experience in using the specialists
work;
e. the specialists knowledge of any technical performance standards
or other professional or industry requirements in the specialists
field (for example, ethical standards and other membership
requirements of a professional body or industry association,
accreditation standards of a licensing body, or requirements
imposed by law or regulation);
f. the knowledge of the specialist with respect to relevant auditing
standards; and
g. the assessment of unexpected events, changes in conditions, or
the evidence obtained from the results of engagement procedures
that indicate it may be necessary to reconsider the initial
evaluation of the competence and qualifications of a specialist as
the engagement progresses.
Requirements: General
4.16 Auditors who plan, direct, perform engagement procedures for, or
report on an engagement conducted in accordance with GAGAS
should develop and maintain their professional competence by
completing at least 80 hours of CPE in every 2-year period as follows.
CPE hours
Subject matter categories of CPE
24 hours
Subject matter directly related to the government environment,
government auditing, or the specific or unique environment in
which the audited entity operates
56 hours
Subject matter that directly enhance auditorsprofessional
expertise to conduct engagements
Continuing
Professional
Education
Chapter 4: Competence and Continuing
Professional Education
Page 68 GAO-18-568G Government Auditing Standards
4.17 Auditors should complete at least 20 hours of CPE in each year of
the 2-year periods.
4.18 The audit organization should maintain documentation of each
auditors CPE.
28
Application Guidance: General
4.19 The continuing competence of the audit organizations personnel
depends, in part, on an appropriate level of CPE so that auditors maintain
the knowledge, skills, and abilities necessary to conduct the GAGAS
engagement. Obtaining CPE specifically on GAGAS, particularly during
years in which there are revisions to the standards, may assist auditors in
maintaining the competence necessary to conduct GAGAS engagements.
4.20 CPE used to fulfill the 24-hour requirement may be taken at any time
during the 2-year measurement period.
Application Guidance: Subject Matter Categories of CPE
4.21 Determining what subjects are appropriate for individual auditors to
satisfy the CPE requirements is a matter of professional judgment to be
exercised by auditors in consultation with appropriate officials in their
audit organization. When determining what specific subjects qualify for
the CPE requirement, the auditors may consider the types of knowledge,
skills, and abilities, and the level of proficiency necessary, in order to be
competent for their assigned roles. Auditors may consider probable future
engagements to which they may be assigned when selecting specific
CPE subjects to satisfy the 24-hour and the 56-hour CPE requirements.
The audit organization is ultimately responsible for determining whether a
subject or topic qualifies as acceptable for its auditors.
4.22 The subject matter categories for the 24-hour requirement may be
used to satisfy the 56-hour CPE requirement. If CPE in any of the subject
matter and topics that would satisfy the 56-hour requirement, as
discussed in paragraph 4.24, is tailored specifically to the government
environment, such CPE may qualify toward satisfying the 24-hour
28
See paras. 4.51 and 5.16 for a discussion of CPE documentation.
Chapter 4: Competence and Continuing
Professional Education
Page 69 GAO-18-568G Government Auditing Standards
requirement. Examples of CPE subjects that may qualify for each of the
categories are listed below.
Subject Matter Directly Related to the Government Environment,
Government Auditing, or the Specific or Unique Environment in Which the
Audited Entity Operates (24-Hour Requirement)
4.23 Subject matter directly related to the government environment,
government auditing, or the specific or unique environment in which the
audited entity operates may include, but is not limited to, the following:
a. generally accepted government auditing standards (GAGAS) and
related topics, such as internal control as addressed in GAGAS;
b. the applicable American Institute of Certified Public Accountants
(AICPA) Statements on Auditing Standards;
29
c. the applicable AICPA Statements on Standards for Attestation
Engagements and Statements on Standards for Accounting and
Review Services;
30
d. the applicable auditing standards issued by the Institute of Internal
Auditors, the Public Company Accounting and Oversight Board,
the International Auditing and Assurance Standards Board, or
other auditing standard-setting body;
e. U.S. generally accepted accounting principles, or the applicable
financial reporting framework being used, such as those issued by
the Federal Accounting Standards Advisory Board, the
Governmental Accounting Standards Board, or the Financial
Accounting Standards Board;
f. Standards for Internal Control in the Federal Government;
31
29
See para. 6.01 for a discussion of the AICPA standards incorporated into GAGAS for
financial audits.
30
See para. 7.01 for a discussion of the AICPA standards incorporated into GAGAS for
attestation engagements and reviews of financial statements.
31
GAO, Standards for Internal Control in the Federal Government, GAO-14-704G
(Washington, D.C.: September 2014).
Chapter 4: Competence and Continuing
Professional Education
Page 70 GAO-18-568G Government Auditing Standards
g. Internal ControlIntegrated Framework,
32
as applicable;
h. requirements for recipients of federal contracts or grants, such as
Single Audits under the Uniform Administrative Requirements,
Cost Principles, and Audit Requirements for Federal Awards;
33
i. requirements for federal, state, or local program audits;
j. relevant or applicable audit standards or guides, including those
for information technology auditing and forensic auditing;
k. information technology auditing topics applicable to the
government environment;
l. fraud topics applicable to a government environment;
m. statutory requirements, regulations, criteria, guidance, trends,
risks, or topics relevant to the specific and unique environment in
which the audited entity operates;
n. statutory requirements, regulations, criteria, guidance, trends,
risks, or topics relevant to the subject matter of the engagement,
such as scientific, medical, environmental, educational, or any
other specialized subject matter;
o. topics directly related to the government environment, such as the
nature of government (structures, financing, and operations),
economic or other conditions and pressures facing governments,
common government financial management issues,
appropriations, measurement or evaluation of government
financial or program performance, and application of general audit
methodologies or techniques to a government environment or
program;
32
Committee of Sponsoring Organizations of the Treadway Commission, Internal
ControlIntegrated Framework (New York: American Institute of Certified Public
Accountants, 2013).
33
See Part 200, Subpart F, of Title 2, Code of Federal Regulations.
Chapter 4: Competence and Continuing
Professional Education
Page 71 GAO-18-568G Government Auditing Standards
p. specialized audit methodologies or analytical techniques, such as
the use of complex survey instruments, actuarial estimates,
statistical analysis tests, or statistical or nonstatistical sampling;
q. performance auditing topics, such as obtaining evidence,
professional skepticism, and other applicable audit skills;
34
r. government ethics and independence;
s. partnerships between governments, businesses, and citizens;
t. legislative policies and procedures;
u. topics related to fraud, waste, abuse, or improper payments
affecting government entities; and
v. compliance with laws and regulations.
Subject Matter That Directly Enhances Auditors’ Professional Expertise to
Conduct Engagements (56-Hour Requirement)
4.24 Subject matter that directly enhances auditors’ professional
expertise to conduct engagements may include, but is not limited to, the
following:
a. subject matter categories for the 24-hour requirement listed in
paragraph 4.23;
b. general ethics and independence;
c. topics related to accounting, acquisitions management, asset
management, budgeting, cash management, contracting, data
analysis, program performance, or procurement;
d. communicating clearly and effectively, both orally and in writing;
e. managing time and resources;
f. leadership;
34
See chs. 8 and 9 for performance audit topics that may be included.
Chapter 4: Competence and Continuing
Professional Education
Page 72 GAO-18-568G Government Auditing Standards
g. software applications used in conducting engagements;
h. information technology; and
i. economics, human capital management, social and political
sciences, and other academic disciplines that may be applied in
engagements, as applicable.
Application Guidance: Exemptions and Exceptions
4.25 Auditors may be exempted from the 56-hour CPE requirement by
the audit organization, but not the 24-hour requirement, if they
a. charge less than 20 percent of their time annually to engagements
conducted in accordance with GAGAS and
b. are only involved in performing engagement procedures, but not
involved in planning, directing, or reporting on the engagement.
The 20 percent may be based on historical or estimated charges in a
year, provided that the audit organization has a basis for this
determination and monitors actual time. For auditors who change status
such that they are charging more than 20 percent of their time annually to
engagements under GAGAS, the audit organization may prorate the
required CPE hours similar to when auditors are assigned to GAGAS
engagements after the beginning of a 2-year CPE measurement period,
as discussed in paragraph 4.42.
4.26 Nonsupervisory auditors who charge less than 40 hours of their time
annually to engagements conducted in accordance with GAGAS may be
exempted by the organization from all CPE requirements in paragraph
4.16.
4.27 The audit organization may exempt from the CPE requirements
college and university students employed on a temporary basis for a
limited period of time (for example, an internship of limited duration) or
enrolled in a formal program sponsored by the college or university for a
specific period of employment, such as a term or semester.
4.28 Employees or contract employees performing support services
within the audit organization, such as individuals who are assigned to
positions in budgeting, human resources, training, and administrative
functions, and who do not conduct engagement activities are not auditors
Chapter 4: Competence and Continuing
Professional Education
Page 73 GAO-18-568G Government Auditing Standards
subject to the GAGAS CPE requirements. Employees or contract
employees who assist in the engagement by performing support services,
such as performing background research, data entry, writing and editing
assistance, proofreading, or report production and distribution are not
auditors subject to the GAGAS CPE requirements.
4.29 The audit organization, at its discretion, may grant exemptions from
a portion of the CPE requirement in the event of extended absences or
other extenuating circumstances if situations such as the following
prevent auditors from fulfilling those requirements and conducting
engagements:
a. ill health,
b. maternity or paternity leave,
c. extended family leave,
d. sabbaticals,
e. leave without pay absences,
f. foreign residency,
g. military service, and
h. disasters.
The audit organization may not grant exceptions for reasons such as
workload, budget, or travel constraints.
Application Guidance: Specialists
4.30 External specialists are not auditors subject to the GAGAS CPE
requirements. Also, internal specialists assisting on a GAGAS
engagement who are not involved in planning, directing, performing
engagement procedures, or reporting on a GAGAS engagement are not
auditors subject to the GAGAS CPE requirements.
4.31 Internal specialists who are performing work in accordance with
GAGAS as part of the engagement teamincluding planning, directing,
performing engagement procedures, or reporting on a GAGAS
engagement—are considered auditors and are subject to the GAGAS
Chapter 4: Competence and Continuing
Professional Education
Page 74 GAO-18-568G Government Auditing Standards
CPE requirements. The GAGAS CPE requirements become effective for
internal specialists when an audit organization first assigns an internal
specialist to an engagement. Because internal specialists apply
specialized knowledge in government engagements, CPE in their areas
of specialization qualifies under the requirement for 24 hours of CPE that
directly relates to government auditing, the government environment, or
the specific or unique environment in which the audited entity operates.
Application Guidance: Programs and Activities That Qualify for CPE
4.32 CPE programs are structured educational activities or programs with
learning objectives designed to maintain or enhance the auditors
competence to address engagement objectives and perform work in
accordance with GAGAS.
4.33 The following are examples of structured educational programs and
activities:
a. internal training programs (e.g., courses, seminars, and
workshops);
b. education and development programs presented at conferences,
conventions, meetings, and seminars and meetings or workshops
of professional organizations;
c. training programs presented by other audit organizations,
educational organizations, foundations, and associations;
d. web-based seminars and individual-study or eLearning programs;
e. audio conferences;
f. accredited university and college courses (credit and noncredit);
g. standard-setting organization, professional organization, or audit
organization staff meetings when a structured educational
program with learning objectives is presented (e.g., the portion of
the meeting that is a structured educational program with learning
objectives designed to maintain or enhance auditors
competence);
h. correspondence courses, individual-study guides, and workbooks;
Chapter 4: Competence and Continuing
Professional Education
Page 75 GAO-18-568G Government Auditing Standards
i. serving as a speaker, panelist, instructor, or discussion leader at
programs that qualify for CPE hours;
j. developing or technical review of courses or the course materials
for programs that qualify for CPE hours; and
k. publishing articles and books that contribute directly to the
authors professional proficiency to conduct engagements.
4.34 Individual auditors who are members of professional organizations
or who are licensed professionals, such as certified public accountants,
are cautioned that the GAGAS CPE requirements, while similar in many
respects to those of professional organizations and of licensing bodies,
may not be identical. Some subjects and topics may be acceptable to
state licensing bodies or professional organizations, but may not qualify
as CPE under GAGAS. Conversely, some CPE that qualifies for GAGAS
may not qualify for state licensing bodies or professional organizations.
Careful consideration of auditorsrelevant professional organizations or
licensing body requirements is encouraged to meet other relevant CPE
requirements.
4.35 Examples of training topics that may qualify as CPE for state
licensing bodies or professional organizations but would not generally
qualify as CPE for purposes of satisfying requirements under GAGAS
include certain training in taxation, personal financial planning and
investment, taxation strategies, estate planning, retirement planning, and
practice management, unless such training directly enhances the
auditorsprofessional proficiency to perform engagements or relate to the
subject matter of an engagement. However, if certain taxation or other
topics relate to an objective or the subject matter of an engagement,
training in those related topics could qualify as CPE under GAGAS.
4.36 Examples of programs and activities that do not qualify for CPE
hours under GAGAS include, but are not limited to, the following:
a. on-the-job training;
b. basic or elementary courses in subjects or topics in which auditors
already have the knowledge and skills being taught;
c. programs that are designed for general personal development,
such as résumé writing, improving parent-child relations, personal
investments and money management, and retirement planning;
Chapter 4: Competence and Continuing
Professional Education
Page 76 GAO-18-568G Government Auditing Standards
d. programs that demonstrate office equipment or software that is
not used in conducting engagements;
e. programs that provide training on the audit organizations
administrative operations;
f. business sessions at professional organization conferences,
conventions, and meetings that do not have a structured
educational program with learning objectives;
g. conducting external quality control reviews; and
h. sitting for professional certification examinations.
Basic or elementary courses would be acceptable in cases where they
are deemed necessary as refreshercourses to enhance the auditors
proficiency to conduct audits and attestation engagements.
Application Guidance: Measurement of CPE
4.37 A CPE hour may be granted for each 50 minutes of participation in
programs and activities that qualify.
4.38 For university or college credit courses, each unit of college credit
under a semester system equals 15 CPE hours, and each unit of college
credit under a quarter system equals 10 CPE hours. For university or
college noncredit courses, CPE hours may be granted only for the actual
classroom time.
4.39 For individual-study programs where successful completion is
measured by a summary examination, CPE credit may be granted if
auditors complete the examination with a passing grade. Auditors in other
individual-study programs may earn CPE hours when they satisfactorily
complete the requirements of the self-study program. The number of
hours granted may be based on the CPE providers recommended
number of CPE hours for the program.
4.40 Speakers, instructors, and discussion leaders at programs that
qualify for CPE and auditors who develop or write the course materials
may receive CPE hours for preparation and presentation time to the
extent the subject matter contributes to auditorscompetence. One CPE
hour may be granted for each 50 minutes of presentation time. Up to 2
CPE hours may be granted for developing, writing, or advance
Chapter 4: Competence and Continuing
Professional Education
Page 77 GAO-18-568G Government Auditing Standards
preparation for each 50 minutes of the presentation. Auditors may not
receive CPE hours for either preparation or presentation time for repeated
presentations that they make within the 2-year period, unless the subject
matter involved was changed significantly for each presentation. The
maximum number of CPE hours that may be granted to an auditor as a
speaker, instructor, discussion leader, or preparer of course materials
may not exceed 40 hours for any 2-year period.
4.41 Articles, books, or materials written by auditors and published on
subjects and topics that contribute directly to professional proficiency to
conduct engagements qualify for CPE hours in the year they are
published. One CPE hour may be granted for each hour devoted to
writing articles, books, or materials that are published. However, CPE
hours for published writings may not exceed 20 hours for any 2-year
period.
4.42 Auditors hired or assigned to a GAGAS engagement after the
beginning of an audit organizations 2-year CPE period may complete a
prorated number of CPE hours. An audit organization may define a
prorated number of hours based on the number of full 6-month intervals
remaining in the CPE period. For example, an audit organization has a 2-
year CPE period running from January 1, 2020, through December 31,
2021. The audit organization assigns a new auditor to a GAGAS
engagement in May 2020. The audit organization may calculate the
prorated CPE requirement for the auditor as follows:
a. Number of full 6-month intervals remaining in the CPE period: 3
b. Number of 6-month intervals in the full 2-year period: 4
c. Newly assigned auditors CPE requirement: 3/4 x 80 hours = 60
hours
When auditors are newly hired or newly assigned to GAGAS
engagements and have had some previous CPE, the audit organization
has flexibility and may choose between using a pro rata approach or
evaluating whether and to what extent any CPE already taken in that
period would satisfy GAGAS CPE requirements.
4.43 For newly assigned auditors who are subject to the 24-hour
requirement, the number of prorated hours may be calculated in a similar
manner: 3/4 x 24 hours = 18 hours, in this example. The prorated amount
of hours would be the total requirement over the partial period. The 20-
Chapter 4: Competence and Continuing
Professional Education
Page 78 GAO-18-568G Government Auditing Standards
hour minimum for each CPE year would not apply when the prorated
number of hours is being used to cover a partial 2-year CPE period.
4.44 At their discretion, audit organizations may give auditors who have
not completed the 80-hour CPE requirement for any 2-year period up to 2
months immediately following the 2-year period to make up the
deficiency. Audit organizations may also give auditors who have not
completed the 20 hours of CPE in a 1-year period up to 2 months
immediately following the 1-year period to make up the deficiency. Any
CPE hours completed toward a deficiency in one period may be
documented in the CPE records and may not be counted toward the
requirements for the next period. Audit organizations that grant the 2-
month grace period may not allow auditors who have not satisfied the
CPE requirements after the grace period to participate in GAGAS
engagements until those requirements are satisfied.
4.45 Auditors may not carry over CPE hours earned in excess of the 80-
hour and 24-hour requirements from one 2-year CPE measurement
period to the next.
4.46 If an audit organization discontinues conducting GAGAS
engagements or reassigns auditors to non-GAGAS assignments before
auditors complete the CPE requirements, the auditors are not required to
complete the number of hours to satisfy the CPE requirements. However,
the audit organization may wish to have its auditors complete those
requirements if it is foreseeable that the auditors will conduct GAGAS
engagements in the future.
4.47 Auditors who complete a professional certification review course
may receive CPE hours only for those segments of the review course that
are relevant to the standards, statutory requirements, regulations, criteria,
and guidance applicable to auditing or to the engagement objectives
being performed, or for subject matter that directly enhances auditors
professional expertise to conduct engagements.
4.48 To simplify administration of the CPE requirements, an audit
organization may establish a standard 2-year period for all of its auditors,
which can be on either a fixed-year or rolling-year basis. A fixed-year
measurement period, for example, would be the 2-year periods 2019
through 2020, 2021 through 2022, and so forth, while a rolling-year
measurement period would be 2019 through 2020, 2020 through 2021,
2021 through 2022, and so forth.
Chapter 4: Competence and Continuing
Professional Education
Page 79 GAO-18-568G Government Auditing Standards
4.49 An audit organization may use a measurement date other than the
date it started its first GAGAS engagement, or the audit organization may
choose to change its measurement date to coincide with a fiscal year or
another reporting requirement, such as one established by a state
licensing body or professional organization. For example, if an audit
organization changes the end date of the measurement period from
December 31 to June 30, during the audit organizations transition period
(January 1 to June 30), its auditors may complete at least a prorated
number of CPE hours for the 6-month transition period. The number of
prorated hours required may be calculated using the method illustrated in
paragraphs 4.42 and 4.43.
Application Guidance: Monitoring CPE
4.50 The audit organizations policies and procedures for CPE may
address the following:
a. identifying all auditors required to meet the CPE requirements;
b. providing auditors with the opportunity to attend internal CPE
programs, external CPE programs, or both;
c. assisting auditors in determining which programs, activities, and
subjects qualify for CPE;
d. documenting the number of CPE hours completed by each
auditor; and
e. monitoring auditor compliance with the CPE requirements to
ensure that auditors complete sufficient CPE in qualifying
programs and subjects.
4.51 Policies and procedures for documentation may address maintaining
documentation of the CPE hours completed by each auditor subject to the
CPE requirements for an appropriate period of time to satisfy any legal
and administrative requirements, including peer review. The audit
organization may maintain documentation of CPE or may delegate the
responsibility to the auditor and put in place adequate procedures to
ensure that its records of CPE hours earned by auditors are supported by
the documentation maintained by auditors. Documentation may include
the following information:
a. the name of the organization providing the CPE;
Chapter 4: Competence and Continuing
Professional Education
Page 80 GAO-18-568G Government Auditing Standards
b. the title of the training program, including the subject matter or
field of study;
c. the dates attended for group programs or dates completed for
individual study programs;
d. the number of CPE hours earned toward the 56-hour and 24-hour
requirements;
e. any reasons for specific exceptions granted to the CPE
requirement; and
f. evidence of completion of CPE, such as a certificate or other
evidence of completion from the CPE provider for group and
individual-study programs, if provided; documentation of CPE
courses presented or copies of course materials developed by or
for speakers, instructors, or discussion leaders, along with a
written statement supporting the number of CPE hours claimed; or
a copy of the published book, article, or other material that name
the writer as author or contributor, or a written statement from the
writer supporting the number of CPE hours claimed.
4.52 The audit organization may monitor CPE compliance through its
internal inspections or other quality assurance monitoring activities.
4.53 The audit organization is not required to prepare reports on CPE.
However, the audit organization may consider preparing a periodic CPE
report for distribution to the auditors or maintaining or accessing training
data online to monitor its auditorsprogress toward meeting the CPE
requirements.
Chapter 5: Quality Control and Peer Review
Page 81 GAO-18-568G Government Auditing Standards
5.01 This chapter establishes the generally accepted government auditing
standards (GAGAS) requirements and guidance for quality control and
assurance, and for administering, planning, performing, and reporting on
peer reviews of audit organizations that conduct engagements in
accordance with GAGAS. The requirements of this chapter are intended
to be followed in conjunction with those of all other applicable GAGAS
requirements.
Requirement: Quality Control and Assurance
5.02 An audit organization conducting engagements in accordance
with GAGAS must establish and maintain a system of quality control
that is designed to provide the audit organization with reasonable
assurance that the organization and its personnel comply with
professional standards and applicable legal and regulatory
requirements.
Application Guidance: Quality Control and Assurance
5.03 An audit organizations system of quality control encompasses the
organizations leadership, emphasis on performing high-quality work, and
policies and procedures designed to provide reasonable assurance of
complying with professional standards and applicable legal and regulatory
requirements. The nature, extent, and formality of an audit organizations
quality control system will vary based on the audit organizations
circumstances, such as size, number of offices and geographic
dispersion, knowledge and experience of its personnel, nature and
complexity of its engagement work, and cost-benefit considerations.
Quality Control and
Assurance
System of Quality Control
Requirement: System of Quality Control
5.04 An audit organization should document its quality control policies
and procedures and communicate those policies and procedures to its
personnel. The audit organization should document compliance with its
quality control policies and procedures and maintain such
documentation for a period of time sufficient to enable those
performing monitoring procedures and peer reviews to evaluate the
Chapter 5: Quality Control and Peer Review
Page 82 GAO-18-568G Government Auditing Standards
Requirements: Leadership Responsibilities for Quality within the
Audit Organization
5.05 The audit organization should establish policies and procedures
on leadership responsibilities for quality within the audit organization
that include designating responsibility for quality of engagements
conducted in accordance with GAGAS and communicating policies
and procedures relating to quality.
5.06 The audit organization should establish policies and procedures
designed to provide reasonable assurance that those assigned
operational responsibility for the audit organizations system of quality
control have sufficient and appropriate experience and ability, and the
necessary authority, to assume that responsibility.
Application Guidance: Leadership Responsibilities for Quality within
the Audit Organization
5.07 Appropriate policies and communications encourage a culture that
recognizes that quality is essential in conducting GAGAS engagements
and that audit organization leadership is ultimately responsible for the
system of quality control.
extent to which the audit organization complies with its quality control
policies and procedures.
Leadership
Responsibilities for Quality
within the Audit
Organization
Independence, Legal, and
Ethical Requirements
Requirements: Independence, Legal, and Ethical Requirements
5.08 The audit organization should establish policies and procedures
on independence and legal and ethical requirements that are designed
to provide reasonable assurance that the organization and its
Chapter 5: Quality Control and Peer Review
Page 83 GAO-18-568G Government Auditing Standards
Application Guidance: Independence, Legal, and Ethical
Requirements
5.10 Policies and procedures pertaining to independence and legal and
ethical requirements assist the audit organization in
a. communicating its independence requirements to its personnel
and
b. identifying and evaluating circumstances and relationships that
create threats to independence and taking appropriate action to
eliminate those threats or reduce them to an acceptable level by
applying safeguards or, if considered appropriate, withdrawing
from the engagement where withdrawal is not prohibited by law or
regulation.
5.11 Written affirmation of compliance with its policies and procedures on
independence from all audit organization personnel required to be
independent may be in paper or electronic form. By obtaining affirmation
of retrospective compliance with the audit organizations policies and
procedures on independence during a specified period and taking
appropriate action on information indicating noncompliance, or potential
noncompliance, the organization demonstrates the importance that it
attaches to independence and keeps the issue current for, and visible to,
its personnel. An audit organization may obtain affirmation of required
personnels compliance with policies and procedures on independence
more frequently than once per year. For example, affirmation may be
obtained on a per-engagement basis when such engagements last less
than 1 year.
35
See paras. 3.02 through 3.16 for a discussion of ethical principles and paras. 3.18
through 3.108 for independence requirements and guidance.
personnel maintain independence and comply with applicable legal
and ethical requirements.
35
5.09 At least annually, the audit organization should obtain written
affirmation of compliance with its policies and procedures on
independence from all of its personnel required to be independent.
Chapter 5: Quality Control and Peer Review
Page 84 GAO-18-568G Government Auditing Standards
Application Guidance: Initiation, Acceptance, and Continuance of
Engagements
5.13 Government audit organizations initiate engagements as a result of
(1) legal mandates, (2) requests from legislative bodies or oversight
bodies, and (3) audit organization discretion. In the case of legal
mandates and requests, a government audit organization may be
required to conduct the engagement and may not be permitted to make
decisions about acceptance or continuance and may not be permitted to
resign or withdraw from the engagement.
5.14 Audit organizations may operate with limited resources. Audit
organizations may consider their workloads in determining whether they
have the resources to deliver the range of work to the desired level of
quality. To achieve this, audit organizations may develop systems to
prioritize their work in a way that takes into account the need to maintain
quality.
Initiation, Acceptance, and
Continuance of
Engagements
Requirement: Initiation, Acceptance, and Continuance of
Engagements
5.12 The audit organization should establish policies and procedures
for the initiation, acceptance, and continuance of engagements that are
designed to provide reasonable assurance that the organization will
undertake engagements only if it
a. complies with professional standards, applicable legal and
regulatory requirements, and ethical principles;
b. acts within its legal mandate or authority; and
c. has the capabilities, including time and resources, to do so.
Human Resources
Requirements: Human Resources
5.15 The audit organization should establish policies and procedures
for human resources that are designed to provide the organization with
reasonable assurance that it has personnel with the competence to
conduct GAGAS engagements in accordance with professional
Chapter 5: Quality Control and Peer Review
Page 85 GAO-18-568G Government Auditing Standards
Application Guidance: Human Resources
5.17 Effective recruitment processes and procedures help the audit
organization select individuals of integrity who have the capacity to
develop the competence and capabilities necessary to perform the audit
organizations work and possess the appropriate characteristics to enable
them to perform competently. Examples of such characteristics include
meeting minimum academic requirements established by the audit
organization and leadership traits.
5.18 The audit organization may use a suitably qualified external person
to conduct engagement work when internal resources, for example,
personnel with particular areas of technical expertise, are unavailable.
5.19 Effective performance evaluation, compensation, and advancement
procedures give due recognition and reward to developing and
maintaining competent personnel. Steps that an audit organization may
take in developing and maintaining competent personnel include the
following:
a. making personnel aware of the audit organizations expectations
regarding performance and ethical principles;
b. providing personnel with an evaluation of, and counseling on,
performance, progress, and career development; and
c. helping personnel understand that compensation and
advancement to positions of greater responsibility depend on,
among other things, performance quality, and that failure to
36
Refer to paras. 4.02 through 4.15 for requirements and guidance on competence.
standards and applicable legal and regulatory requirements.
36
5.16 The audit organization should establish policies and procedures
to provide reasonable assurance that auditors who are performing
work in accordance with GAGAS meet the continuing professional
education (CPE) requirements, including maintaining documentation of
the CPE completed and any exemptions granted.
Chapter 5: Quality Control and Peer Review
Page 86 GAO-18-568G Government Auditing Standards
comply with the audit organizations policies and procedures may
result in disciplinary action.
5.20 The size and circumstances of the audit organization are important
considerations in determining the structure of the audit organizations
performance evaluation process. A smaller audit organization, in
particular, may employ less formal methods of evaluating the
performance of its personnel.
5.21 Objectives of the audit organizations human resources policies and
procedures may include
a. promoting learning and training for all personnel to encourage
their professional development and to help ensure that personnel
are trained in current developments in the profession and
b. helping ensure that personnel and any parties contracted to carry
out work for the audit organization have an appropriate
understanding of the environment(s) in which the organization
operates and a good understanding of the work they are required
to carry out.
Engagement Performance
Requirements: General
5.22 The audit organization should establish policies and procedures
for engagement performance, documentation, and reporting that are
designed to provide the audit organization with reasonable assurance
that engagements are conducted and reports are issued in accordance
with professional standards and applicable legal and regulatory
requirements.
5.23 If auditors change the engagement objectives during the
engagement, they should document the revised engagement
objectives and the reasons for the changes.
5.24 The audit organization should establish policies and procedures
designed to provide it with reasonable assurance that
a. appropriate consultation takes place on difficult or contentious
issues that arise among engagement team members in the
Chapter 5: Quality Control and Peer Review
Page 87 GAO-18-568G Government Auditing Standards
Application Guidance: General
5.26 The audit organizations policies and procedures may address
consistency in the quality of engagement performance. This is often
accomplished through written or electronic manuals, software tools or
other forms of standardized documentation, and industry-specific or
subject matter-specific guidance materials. Matters addressed may
include the following:
a. maintaining current policies and procedures;
b. briefing the engagement team to provide an understanding of the
engagement objectives and professional standards;
c. complying with applicable engagement standards;
d. planning the engagement, supervision, staff training, and
mentoring;
e. reviewing the work performed, the significant judgments made,
and the type of report being issued;
f. documenting the work performed and the timing and extent of
review;
g. reviewing the independence and qualifications of any specialists
and the scope and quality of their work;
course of conducting a GAGAS engagement;
b. both the individual seeking consultation and the individual
consulted document and agree upon the nature and scope of
such consultations; and
c. the conclusions resulting from consultations are documented,
understood by both the individual seeking consultation and the
individual consulted, and implemented.
5.25 If an engagement is terminated before it is completed and an
audit report is not issued, auditors should document the results of the
work to the date of termination and why the engagement was
terminated.
Chapter 5: Quality Control and Peer Review
Page 88 GAO-18-568G Government Auditing Standards
h. resolving difficult or contentious issues or disagreements among
team members, including specialists;
i. obtaining and addressing comments from the audited entity on
draft reports; and
j. reporting findings and conclusions supported by the evidence
obtained and in accordance with professional standards and
applicable legal and regulatory requirements.
5.27 The form and content of the documentation of the audit
organizations policies and procedures, as well as documentation of its
compliance with those policies and procedures, are matters of
professional judgment and will vary based on the organizations
circumstances.
5.28 Documentation of policies and procedures, as well as compliance
with those policies and procedures, may be either electronic or manual.
For example, large audit organizations may use electronic databases to
document matters such as independence confirmations, performance
evaluations, and the results of monitoring. Smaller audit organizations
may use more informal methods in the documentation of their systems of
quality control, such as manual notes, checklists, and forms.
5.29 Consultation includes discussion at the appropriate professional
level with individuals within or outside the audit organization who have
relevant specialized expertise.
5.30 Consultation uses appropriate research resources, as well as the
collective experience and technical expertise of the audit organization.
Consultation helps promote quality and improves the application of
professional judgment. Appropriate recognition of consultation in the audit
organizations policies and procedures helps promote a culture in which
consultation is recognized as a strength and personnel are encouraged to
consult on difficult or contentious issues.
5.31 Effective consultation on significant technical, ethical, and other
matters within the audit organization or, when applicable, outside the
audit organization can be achieved when
a. those consulted are given all the relevant facts that will enable
them to provide informed advice;
Chapter 5: Quality Control and Peer Review
Page 89 GAO-18-568G Government Auditing Standards
b. those consulted have appropriate knowledge, authority, and
experience; and
c. conclusions resulting from consultations are appropriately
documented and implemented.
5.32 Documentation of consultations with other professionals that involve
difficult or contentious matters contributes to an understanding of
a. the issue on which consultation was sought and
b. the results of the consultation, including any decisions made, the
basis for those decisions, and how they were implemented.
5.33 An audit organization needing to obtain specialized or technical
expertise from external providers may take advantage of services
provided by
a. other audit organizations,
b. professional and regulatory bodies, and
c. commercial organizations that provide relevant quality control
services.
5.34 Before contracting for services, consideration of the competence and
capabilities of the external provider helps the audit organization determine
whether the external provider is suitably qualified for that purpose.
5.35 Determining whether and how to communicate the reason for
terminating an engagement or changing the engagement objectives to
those charged with governance, appropriate officials of the audited entity,
the entity contracting for or requesting the engagement, and other
appropriate officials will depend on the facts and circumstances and
therefore is a matter of professional judgment.
Requirements: Supervision
5.36 The audit organization should establish policies and procedures
that require engagement team members with appropriate levels of skill
and proficiency in auditing to supervise engagements and review work
Chapter 5: Quality Control and Peer Review
Page 90 GAO-18-568G Government Auditing Standards
Application Guidance: Supervision
5.38 Appropriate teamwork and training help less experienced members
of the engagement team to clearly understand the objectives of the
assigned work.
5.39 Engagement supervision includes the following:
a. tracking the progress of the engagement;
b. considering the competence of individual members of the
engagement team, whether they understand their instructions, and
whether the work is being carried out in accordance with the
planned approach to the engagement;
c. addressing significant findings and issues arising during the
engagement, considering their significance, and modifying the
planned approach appropriately; and
d. identifying matters for consultation or consideration by
engagement team members with appropriate levels of skill and
proficiency in auditing, specialists, or both during the engagement.
5.40 A review of the work performed includes consideration of whether
a. the work has been performed in accordance with professional
standards and applicable legal and regulatory requirements;
performed by other engagement team members.
5.37 The audit organization should assign responsibility for each
engagement to an engagement partner or director with authority
designated by the audit organization to assume that responsibility and
should establish policies and procedures requiring the organization to
a. communicate the identity and role of the engagement partner or
director to management and those charged with governance of
the audited entity and
b. clearly define the responsibilities of the engagement partner or
director and communicate them to that individual.
Chapter 5: Quality Control and Peer Review
Page 91 GAO-18-568G Government Auditing Standards
b. significant findings and issues have been raised for further
consideration;
c. appropriate consultations have taken place and the resulting
conclusions have been documented and implemented;
d. the nature, timing, and extent of the work performed is appropriate
and without need for revision;
e. the work performed supports the conclusions reached and is
appropriately documented;
f. the evidence obtained is sufficient and appropriate to support the
report; and
g. the objectives of the engagement procedures have been
achieved.
5.41 In the case of a sole proprietor, the requirement for a second auditor
to review work performed and related documentation may be achieved
through alternative procedures.
Monitoring of Quality
Requirements: Monitoring of Quality
5.42 The audit organization should establish policies and procedures
for monitoring its system of quality control.
5.43 The audit organization should perform monitoring procedures that
enable it to assess compliance with professional standards and quality
control policies and procedures for GAGAS engagements. Individuals
performing monitoring should have sufficient expertise and authority
within the audit organization.
5.44 The audit organization should analyze and summarize the results
of its monitoring process at least annually, with identification of any
systemic or repetitive issues needing improvement, along with
recommendations for corrective action. The audit organization should
communicate to the relevant engagement partner or director, and other
appropriate personnel, any deficiencies noted during the monitoring
process and recommend appropriate remedial action. This
Chapter 5: Quality Control and Peer Review
Page 92 GAO-18-568G Government Auditing Standards
Application Guidance: Monitoring of Quality
5.47 Monitoring of quality is a process comprising an ongoing
consideration and evaluation of the audit organizations system of quality
control, including inspection of engagement documentation and reports
for a selection of completed engagements. The purpose of monitoring is
to provide management of the audit organization with reasonable
assurance that (1) the policies and procedures related to the system of
quality control are suitably designed and operating effectively in practice
and (2) auditors have followed professional standards and applicable
legal and regulatory requirements.
communication should be sufficient to enable the audit organization
and appropriate personnel to take prompt corrective action related to
deficiencies, when necessary, in accordance with their defined roles
and responsibilities. Information communicated should include the
following:
a. a description of the monitoring procedures performed;
b. the conclusions reached from the monitoring procedures; and
c. when relevant, a description of systemic, repetitive, or other
deficiencies and of the actions taken to resolve those
deficiencies.
5.45 The audit organization should evaluate the effects of deficiencies
noted during monitoring of the audit organizations system of quality
control to determine and implement appropriate actions to address the
deficiencies. This evaluation should include assessments to determine
if the deficiencies noted indicate that the audit organizations system of
quality control is insufficient to provide it with reasonable assurance
that it complies with professional standards and applicable legal and
regulatory requirements, and that accordingly the reports that the audit
organization issues are not appropriate in the circumstances.
5.46 The audit organization should establish policies and procedures
that require retention of engagement documentation for a period of
time sufficient to permit those performing monitoring procedures and
peer review of the organization to evaluate its compliance with its
system of quality control or for a longer period if required by law or
regulation.
Chapter 5: Quality Control and Peer Review
Page 93 GAO-18-568G Government Auditing Standards
5.48 Monitoring is most effective when performed by persons who do not
have responsibility for the specific activity being monitored.
5.49 Monitoring procedures will vary based on the audit organizations
facts and circumstances.
5.50 Ongoing consideration and evaluation of the audit organizations
system of quality control may identify circumstances that necessitate
changes to, or improve compliance with, the audit organizations policies
and procedures to provide the audit organization with reasonable
assurance that its system of quality control is effective.
5.51 Ongoing consideration and evaluation of the audit organizations
system of quality control may include matters such as the following:
a. review of selected administrative and human resource records
pertaining to the quality control elements;
b. review of engagement documentation and reports;
c. discussions with the audit organizations personnel;
d. determination of corrective actions to be taken and improvements
to be made in the system, including providing feedback on the
audit organizations policies and procedures relating to education
and training;
e. communication to appropriate audit organization personnel of
weaknesses identified in the system, in the level of understanding
of the system, or compliance with the system; and
f. follow-up by appropriate audit organization personnel so that
necessary modifications are promptly made to the quality control
policies and procedures.
5.52 Monitoring procedures may also include an assessment of the
following:
a. the appropriateness of the audit organizations guidance materials
and any practice aids;
Chapter 5: Quality Control and Peer Review
Page 94 GAO-18-568G Government Auditing Standards
b. new developments in professional standards and applicable legal
and regulatory requirements and how they are reflected in the
audit organizations policies and procedures, when appropriate;
c. written affirmation of compliance with policies and procedures on
independence;
d. the effectiveness of staff training;
e. decisions related to acceptance and continuance of relationships
with audited entities and specific engagements; and
f. audit organization personnels understanding of the organizations
quality control policies and procedures and implementation
thereof.
5.53 Reviews of the work by engagement team members prior to the date
of the report are not monitoring procedures.
5.54 The extent of inspection procedures depends, in part, on the
existence and effectiveness of the other monitoring procedures.
Inspection is a retrospective evaluation of the adequacy of the audit
organizations quality control policies and procedures, its personnels
understanding of those policies and procedures, and the extent of the
audit organizations compliance with them. The nature of inspection
procedures varies based on the audit organizations quality control
policies and procedures and the effectiveness and results of other
monitoring procedures.
5.55 The inspection of a selection of completed engagements may be
performed on a cyclical basis. The manner in which the inspection cycle
is organized, including the timing of selection of individual engagements,
depends on many factors, such as the following:
a. the size of the audit organization;
b. the number and geographical location of offices;
c. the results of previous monitoring procedures;
d. the degree of authority of both personnel and office (for example,
whether individual offices are authorized to conduct their own
inspections or whether only the head office may conduct them);
Chapter 5: Quality Control and Peer Review
Page 95 GAO-18-568G Government Auditing Standards
e. the nature and complexity of the audit organizations practice and
structure; and
f. the risks associated with entities audited by the audit organization
and specific engagements.
5.56 The inspection process involves the selection of individual
engagements, some of which may be selected without prior notification to
the engagement team. In determining the scope of the inspections, the
audit organization may take into account the scope or conclusions of a
peer review or regulatory inspections.
5.57 Reporting of identified deficiencies to individuals other than the
relevant engagement partner or director need not include identifying the
specific engagements concerned, unless such identification is necessary
for individuals other than the engagement partner or director to properly
discharge their responsibilities.
5.58 Whether engagement documentation is in paper, electronic, or other
form, the integrity, accessibility, and retrievability of the underlying
information could be compromised if the documentation is altered, added
to, or deleted without the auditorsknowledge or if the documentation is
lost or damaged.
5.59 Appropriate documentation relating to monitoring may include, for
example, the following:
a. monitoring procedures, including the procedure for selecting
completed engagements to be inspected;
b. a record of the evaluation of the following:
(1) adherence to professional standards and applicable legal
and regulatory requirements,
(2) whether the system of quality control has been
appropriately designed and is effectively implemented and
operating, and
(3) whether the audit organizations quality control policies and
procedures have been appropriately applied so that the
reports that are issued by the audit organization are
appropriate in the circumstances; and
Chapter 5: Quality Control and Peer Review
Page 96 GAO-18-568G Government Auditing Standards
c. identification of the deficiencies noted, an evaluation of their
effect, and the basis for determining whether and what further
action is necessary.
Application Guidance: General
5.63 Each audit organization has discretion in selecting and accepting its
peer review teams. Auditors in governments or jurisdictions without
access to established peer review programs may engage other auditors,
External Peer Review
Requirements: General
5.60 Each audit organization conducting engagements in accordance
with GAGAS must obtain an external peer review conducted by
reviewers independent of the audit organization being reviewed. The
peer review should be sufficient in scope to provide a reasonable basis
for determining whether, for the period under review, (1) the reviewed
audit organizations system of quality control was suitably designed
and (2) the organization is complying with its quality control system so
that it has reasonable assurance that it is performing and reporting in
conformity with professional standards and applicable legal and
regulatory requirements in all material respects.
5.61 Audit organizations affiliated with one of the following recognized
organizations should comply with the respective organizations peer
review requirements and the requirements listed throughout
paragraphs 5.66 through 5.80.
a. American Institute of Certified Public Accountants
b. Council of the Inspectors General on Integrity and Efficiency
c. Association of Local Government Auditors
d. International Organization of Supreme Audit Institutions
e. National State Auditors Association
5.62 Any audit organization not affiliated with an organization listed in
paragraph 5.61 should meet the minimum GAGAS peer review
requirements throughout paragraphs 5.66 through 5.94.
Chapter 5: Quality Control and Peer Review
Page 97 GAO-18-568G Government Auditing Standards
including public accounting firms, to conduct their peer reviews. If access
to an established peer review program is not available, auditors may
organize regional programs with other auditors.
5.64 In cases of unusual difficulty or hardship, extensions of the deadlines
for submitting peer review reports exceeding 3 months beyond the due
date may be granted by the entity that administers the peer review
program with the concurrence of GAO.
5.65 Some audit organizations may be subject to or required to follow a
peer review program of a recognized organization. Other audit
organizations may follow a specific peer review program voluntarily. In
instances where the audit organization follows a recognized
organizations peer review program voluntarily, the use of such a peer
review program means compliance with the recognized organizations
entire peer review process, including, where applicable, standards for
administering, performing, and reporting on peer reviews, oversight
procedures, training, and related guidance materials.
Application Guidance: Assessment of Peer Review Risk
5.68 Peer review risk is the risk that the review team
a. fails to identify significant weaknesses in the reviewed audit
organizations system of quality control for its auditing practice, its
lack of compliance with that system, or a combination thereof;
b. issues an inappropriate opinion on the reviewed audit
organizations system of quality control for its auditing practice, its
compliance with that system, or a combination thereof; or
Requirements: Assessment of Peer Review Risk
5.66 The peer review team should perform an assessment of peer
review risk to help determine the number and types of engagements to
select for review.
5.67 Based on the risk assessment, the peer review team should
select engagements that provide a reasonable cross section of all
types of work subject to the reviewed audit organizations quality
control system, including one or more engagements conducted in
accordance with GAGAS.
Chapter 5: Quality Control and Peer Review
Page 98 GAO-18-568G Government Auditing Standards
c. makes an inappropriate decision about the matters to be included
in, or excluded from, the peer review report.
5.69 A selection approach that provides a cross section of all types of
work is generally applicable to audit organizations that conduct a small
number of GAGAS engagements in relation to other types of
engagements. In these cases, one or more GAGAS engagements may
represent more than what would be selected when looking at a cross
section of the audit organizations work as a whole. Some audit
organizations conduct audit and attestation work in a number of functional
areas. For example, an organization may conduct financial audits,
attestation engagements, reviews of financial statements, and
performance audits. The peer review team may consider reviewing a
sample of engagements from each of the major functional areas included
within the scope of the review.
5.70 A peer review is designed to test significant risk areas where it is
possible that engagements are not being conducted, reported on, or both
in conformity with professional standards and applicable legal and
regulatory requirements in all material respects. A peer review is not
designed to test every engagement, compliance with every professional
standard, or every detailed component of the audit organizations system
of quality control.
5.71 Examples of the factors that may be considered when performing an
assessment of risk for selecting engagements for peer review include
a. scope of the engagements, including size of the audited entity or
engagements covering multiple locations;
b. functional area or type of government program;
c. types of engagements conducted, including the extent of nonaudit
services provided to audited entities;
d. personnel (including use of new personnel or personnel not