0003704
GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021
US General Accounting Office
Audit Guideline
Free
The Yellow Book
2021-04-01
The document as a whole was last reviewed and released on 2024-07-23T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for GAO-21-368G, GOVERNMENT AUDITING STANDARDS 2018 Revision Technical Update April 2021 are based upon terms found either within the Authority Document’s defined terms section (which most legal documents have) or its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

Common Control | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [{regular basis} At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent. 5.09 Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance. 6.39] | Establish/Maintain Documentation | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{non-affiliate} Any audit organization not affiliated with an organization listed in paragraph 5.61 should meet the minimum GAGAS peer review requirements throughout paragraphs 5.66 through 5.94. 5.62 {quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Communicate | Preventive | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Actionable Reports or Measurements | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Actionable Reports or Measurements | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Actionable Reports or Measurements | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Actionable Reports or Measurements | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: the auditors' responsibilities, and 3.77d.] | Establish Roles | Preventive | |
Rotate auditors, as necessary. CC ID 15589 | Audits and Risk Management | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Business Processes | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Communicate | Preventive | |
Define the qualification requirements for auditors. CC ID 17259 | Human Resources Management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Communicate | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to 5.37] | Establish Roles | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: determining the scope of the internal audit function and resulting work. 3.96c.] | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Auditors should have an understanding of the entire text of applicable chapters of GAGAS, including application guidance, and any amendments that GAO issued, to understand the intent of the requirements and to apply the requirements properly. 2.05 Before auditors agree to provide nonaudit services to an audited entity that the audited entity's management requested and that could create a threat to independence, either by themselves or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct, auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them. 3.73 The audit organization's management must assign auditors who before beginning work on the engagement possess the competence needed for their assigned roles. 4.03 {are competent} The engagement team should determine that specialists assisting the engagement team on a GAGAS engagement are qualified and competent in their areas of specialization. 4.12 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 The audit organization's management must assign auditors to conduct the engagement who before beginning work on the engagement collectively possess the competence needed to address the engagement objectives and perform their work in accordance with GAGAS. 4.02 The peer review team should meet the following criteria: The review team collectively has adequate professional competence and knowledge of GAGAS and government auditing. 5.89a. The peer review team should meet the following criteria: The review team collectively has sufficient knowledge to conduct a peer review. 5.89c. Auditors engaged to conduct review engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.71 Auditors engaged to conduct agreed-upon procedures engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.79 {licensed} {accountant} Auditors engaged to conduct agreed-upon procedures engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.79, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.80 Auditors engaged to conduct reviews of financial statements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.87 {licensed} {accountant} Auditors engaged to conduct reviews of financial statements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.87, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.88 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, 8.31 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning auditors with the collective knowledge, skills, and abilities appropriate for the audit; 8.31a. If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control. 8.40] | Audits and Risk Management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86 The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [Auditors engaged to conduct financial audits in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 6.04 Auditors engaged to conduct financial audits of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 6.04, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 6.05 Auditors engaged to conduct examination engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.07 {licensed} {accountant} Auditors engaged to conduct examination engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.07, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.08 {licensed} {accountant} Auditors engaged to conduct review engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.71, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.72 If the engagement team intends to use the work of a specialist, it should assess the independence of the specialist. 8.82 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity. 3.18 Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during any period of time that falls within the period covered by the financial statements or subject matter of the engagement and 3.20a. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during the period of professional engagement 3.20b. Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should meet the following criteria: The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its personnel, and the engagements selected for the peer review. 5.89b. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during 3.20] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: performing procedures that form part of the internal control, such as reviewing and approving changes to employee data access privileges; and 3.96b. Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: setting internal audit policies or the strategic direction of internal audit activities; 3.96a. Auditors should conclude that providing certain other nonaudit services impairs an external auditor's independence with respect to an audited entity. These activities include the following: 3.106 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document threats to independence that require the application of safeguards, along with safeguards applied, in accordance with the conceptual framework for independence as required by paragraph 3.33; 3.107a. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the safeguards in paragraphs 3.52 through 3.56 if an audit organization is structurally located within a government entity and is considered structurally independent based on those safeguards; 3.107b. If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 [Before auditors agree to provide a nonaudit service to an audited entity, they should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct. 3.64 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and Risk Management | Detective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work. 3.19 Auditors should use professional judgment when applying the conceptual framework. 3.29 Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. 3.109 Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. 3.109 The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows: 5.72 If the law or regulation requiring an audit specifically identifies the entities to be audited, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the audit and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 6.06] | Behavior | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84] | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit terms. CC ID 13880 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: any limitations on the provision of nonaudit services. 3.77e. Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. 9.20 Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. 9.20 Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. 9.20] | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: audited entity's acceptance of its responsibilities as discussed in paragraph 3.76, 3.77c. {be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 7.10] | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Establish/Maintain Documentation | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 6.15 Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.17 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.73 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.81 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.89] | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06 GAGAS establishes requirements for examination engagements in addition to the requirements for examinations contained in the AICPA's SSAEs. Auditors should comply with these additional requirements, along with the AICPA requirements for examination engagements, when citing GAGAS in their examination engagement reports. 7.05] | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that appropriate consultation takes place on difficult or contentious issues that arise among engagement team members in the course of conducting a GAGAS engagement; 5.24a.] | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that both the individual seeking consultation and the individual consulted document and agree upon the nature and scope of such consultations; and 5.24b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c. Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include 8.36] | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The peer review team should include the following elements in the scope of the peer review: consideration of the adequacy and results of the audit organization's internal monitoring procedures; 5.82b.] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Establish/Maintain Documentation | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and Risk Management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a. When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 [Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the engagement objectives have been initiated or are in process with respect to the period under examination, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current examination engagement. 7.14] | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: services to be provided, 3.77b. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the auditor's understanding with an audited entity for which the auditor will provide a nonaudit service as indicated in paragraph 3.77; and 3.107d.] | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 [Auditors should determine whether other auditors have conducted, or are conducting, audits that could be relevant to the current audit objectives. 8.80] | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [Auditors should reevaluate threats to independence, including any safeguards applied, whenever the audit organization or the auditors become aware of new information or changes in facts and circumstances that could affect whether a threat has been eliminated or reduced to an acceptable level. 3.28] | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [When auditors conclude that independence of the engagement team or the audit organization is impaired under paragraph 3.59, auditors should decline to accept an engagement or should terminate an engagement in progress (except in circumstances discussed in paragraphs 3.25 or 3.84). 3.60 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 [The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it has the capabilities, including time and resources, to do so. 5.12c. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it complies with professional standards, applicable legal and regulatory requirements, and ethical principles; 5.12a. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it acts within its legal mandate or authority; and 5.12b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c.] | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Audits and Risk Management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [The audit organization should establish policies and procedures that require retention of engagement documentation for a period of time sufficient to permit those performing monitoring procedures and peer review of the organization to evaluate its compliance with its system of quality control or for a longer period if required by law or regulation. 5.46] | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The peer review team should include the following elements in the scope of the peer review: review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and 5.82e.] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 [When auditors use information provided by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. 8.93] | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 [{if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78] | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 7.20] | Process or Activity | Detective | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 [When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 6.17 When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the examination objectives. 7.19 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective. 8.62 As part of a performance audit, when auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 8.116 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Testing | Detective | |
Determine the implementation status of in scope controls. CC ID 06981 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 6.18 {if} Auditors should determine and document whether internal control is significant to the audit objectives. 8.39 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Testing | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 [The peer review team should include the following elements in the scope of the peer review: interviews with selected members of the audit organization's personnel in various roles to assess their understanding of and compliance with relevant quality control policies and procedures. 5.82f.] | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and Risk Management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{is valid} {is reliable} In assessing the appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. 8.91 Auditors should evaluate the objectivity, credibility, and reliability of testimonial evidence. 8.94] | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. 8.61 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 [Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 [Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and Risk Management | Preventive | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Communicate | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 [Before the date of the examination report, document supervisory review of the evidence that supports the findings, conclusions, and recommendations contained in the examination report. 7.33a. Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report. 8.133] | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25] | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 Auditors should document any departures from the GAGAS requirements and the effect on the audit and on the auditors' conclusions when the audit is not in compliance with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit. 6.32 When auditors do not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. 8.136] | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 In rare circumstances, auditors and audit organizations may determine it necessary to depart from a relevant presumptively mandatory requirement. In such rare circumstances, auditors should perform alternative procedures to achieve the intent of that requirement. 2.03 The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 [Auditors should evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives. 8.54] | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include supervising audited entity personnel in the daily operation of an audited entity's information system; or 3.102c. The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors must properly supervise audit staff. 8.87] | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to communicate the identity and role of the engagement partner or director to management and those charged with governance of the audited entity and 5.37a. The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to clearly define the responsibilities of the engagement partner or director and communicate them to that individual. 5.37b.] | Establish Roles | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, engaging specialists when necessary. 8.31d.] | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: the audit organization's most recent peer review report and 5.79a. {third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: any subsequent peer review reports received during the period of the contract. 5.79b. {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34] | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [In situations where the parties required to receive communications, as described in paragraph 8.20, are not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 8.21 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Business Processes | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {quality assurance} While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: 3.107 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: 5.91 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57 {external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 {have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 {if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment. 8.134 Auditors should issue the audit report in a form that is appropriate for its intended use, either in writing or in some other retrievable form. 9.07 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the purpose in the audit report. CC ID 17263 | Establish/Maintain Documentation | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19] | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05] | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 [{have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 9.53] | Establish/Maintain Documentation | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 [{external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11] | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. {external requirement} Document any departures from the GAGAS requirements and the effect on the examination engagement and on the auditors' conclusions when the examination engagement does not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the examination engagement. 7.33b.] | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [Audit organizations that meet the independence requirements for internal audit organizations, but not those for external audit organizations, should include in the GAGAS compliance statement, where applicable, a statement that they are independent per the GAGAS requirements for internal auditors. 9.04] | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 [When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for corrective action. 6.50 When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. 7.48 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 [Auditors should document supervisory review, before the report release date, of the evidence that supports the findings and conclusions contained in the audit report. 6.31 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions to the extent that would persuade a knowledgeable person that the findings are reasonable. 8.92 {if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78 Auditors should document the following: supervisory review, before the audit report is issued, of the evidence that supports the findings, conclusions, and recommendations contained in the audit report. 8.135c. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them that if not disclosed could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices. 9.22] | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 [{be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited entity and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 6.70 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 7.69 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that because of the significance of the departure(s) from the requirements, the auditors were unable to and did not conduct the engagement in accordance with GAGAS. 2.17b. (2)] | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including 8.32 If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the objectives and scope of the specialists' work, 8.32a. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the intended use of the specialists' work to support the audit objectives, 8.32b. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the assumptions and methods used by the specialists. 8.32d.] | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should conclude that independence is impaired if no safeguards have been effectively applied to eliminate an unacceptable threat or reduce it to an acceptable level. 3.59 Auditors should conclude that independence is impaired if an audit organization provides appraisal, valuation, or actuarial services to an audited entity when (1) the services involve a significant degree of subjectivity and (2) the results of the service, individually or when combined with other valuation, appraisal, or actuarial services, are material to the audited entity's financial statements or other information on which the audit organization is reporting. 3.104 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a description of the scope of the peer review, including any limitations; 5.91a.] | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 [When auditors are required to conduct an engagement in accordance with GAGAS or are representing to others that they did so, they should cite compliance with GAGAS in the audit report as set forth in paragraphs 2.17 through 2.19. 2.16 Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that the auditors conducted the engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or 2.17b. (1) The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: specification of the professional standards and applicable legal and regulatory requirements to which the reviewed audit organization is being held; 5.91c. When auditors comply with all applicable GAGAS requirements for agreed-upon procedures engagements, they should include a statement in the agreed-upon procedures engagement report that they conducted the engagement in accordance with GAGAS. 7.82 {external requirement} When auditors comply with all applicable GAGAS requirements, they should include a statement in the report that they conducted the examination in accordance with GAGAS. 7.39] | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 [Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Establish/Maintain Documentation | Preventive | |
Include the cost of corrective action in the audit report. CC ID 17015 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and Risk Management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a statement that the peer review was conducted in accordance with GAGAS peer review requirements; and 5.91e. {external requirements} When auditors comply with all applicable requirements for a review engagement conducted in accordance with GAGAS, they should include a statement in the review report that they conducted the engagement in accordance with GAGAS. 7.74 {external requirements} When auditors comply with all applicable requirements for a review of financial statements conducted in accordance with GAGAS, they should include a statement in the report that they conducted the engagement in accordance with GAGAS. 7.90 When auditors comply with all applicable GAGAS requirements, they should include a statement in the audit report that they conducted the audit in accordance with GAGAS. 6.36 When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they conducted the audit in accordance with GAGAS: 9.03 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report. 9.30 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and Risk Management | Preventive | |
Review past audit reports. CC ID 01155 [Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization's quality control system, including one or more engagements conducted in accordance with GAGAS. 5.67 The peer review team should include the following elements in the scope of the peer review: review of prior peer review reports, if applicable; 5.82d. The peer review team should include the following elements in the scope of the peer review: review of selected audit reports and related documentation and, if applicable, documentation related to selected terminated engagements prepared in accordance with paragraph 5.25, if any terminated engagements are selected from the universe of engagements used for the peer review sample; 5.82c. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 [If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Establish/Maintain Documentation | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 {is unwilling} In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions because of lack of time or desire), auditors should conclude that the provision of these services is an impairment to independence. 3.75 Auditors should conclude that management responsibilities that the auditors perform for an audited entity are impairments to independence. If the auditors were to assume management responsibilities for an audited entity, the management participation threats created would be so significant that no safeguards could reduce them to an acceptable level. 3.78 {refrain from obtaining} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: determining or changing journal entries, account codes or classifications for transactions, or other accounting records for the entity without obtaining management's approval; 3.87a. Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: authorizing or approving the entity's transactions; and 3.87b. {do not obtain} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: preparing or making changes to source documents without management approval. 3.87c. The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed. 6.40 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or 6.41a. Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives. 6.41b. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c. When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud that have an effect on the subject matter or an assertion about the subject matter that are less than material but warrant the attention of those charged with governance, they should communicate in writing to audited entity officials. 7.45 Auditors should communicate in writing to audited entity officials when identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements comes to the auditor's attention during the course of an audit that has an effect on the financial statements or other financial data significant to the audit objectives that is less than material but warrants the attention of those charged with governance or 6.44a. Auditors should communicate in writing to audited entity officials when the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 6.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives. 7.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the subject matter or an assertion about the subject matter or 7.44a. Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when internal control is significant to the audit objectives. 8.117 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 [{if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62] | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should evaluate the significance of threats to independence created by providing any services discussed in paragraph 3.89 and should document the evaluation of the significance of such threats. 3.90 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the evaluation of the significance of the threats created by providing any of the services discussed in paragraph 3.89. 3.107e. Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that noncompliance with provisions of laws, regulations, contracts, and grant agreements either has occurred or is likely to have occurred that is significant within the context of the audit objectives. 9.35 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that fraud either has occurred or is likely to have occurred that is significant to the audit objectives. 9.40] | Process or Activity | Detective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Establish/Maintain Documentation | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a rating concluding on whether the system of quality control of the reviewed audit organization was adequately designed and complied with during the period reviewed and would provide the audit organization with reasonable assurance that it conformed to professional standards and applicable legal and regulatory requirements; 5.91b. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73 Auditors should report conclusions based on the audit objectives and the audit findings. 9.19] | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 [Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 [{are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57] | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 [If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 6.63 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 7.61 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 9.61 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. 9.45 Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a.] | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42] | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Establish/Maintain Documentation | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 [{be integral} If auditors report separately (including separate reports bound in the same document) on deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud, they should state in the examination report that they are issuing those additional reports. They should include a reference to the separate reports and also state that the reports are an integral part of a GAGAS examination engagement. 7.40 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 6.70a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.77a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.85a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the examination engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations and to others authorized to receive such reports. 7.69a. {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.93a. Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.36 Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of fraud that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.41 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 9.58 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77] | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 If the law or regulation requiring an examination engagement specifically identifies the entities to be examined, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the examination and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 7.09 {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: reference to a separate written communication, if issued under the peer review program; 5.91d. {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Establish/Maintain Documentation | Preventive | |
Submit an audit report that is complete. CC ID 01145 [Auditors should issue audit reports communicating the results of each completed performance audit. 9.06] | Testing | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Establish/Maintain Documentation | Corrective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94 If the reviewed audit organization receives a report with a peer review rating of pass with deficiencies or fail, the reviewed audit organization should respond in writing to the deficiencies or significant deficiencies and related recommendations identified in the report. 5.93] | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [The audit organization should establish policies and procedures for human resources that are designed to provide the organization with reasonable assurance that it has personnel with the competence to conduct GAGAS engagements in accordance with professional standards and applicable legal and regulatory requirements. 5.15 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning a sufficient number of auditors to the audit; 8.31b.] | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives. 8.49] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 Auditors must plan the audit to reduce audit risk to an acceptably low level. 8.04 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit. 8.33 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 [Auditors should identify and use suitable criteria based on the audit objectives. 8.07 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: objectives of the nonaudit service, 3.77a. Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a.] | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to identify threats to independence; 3.27a. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include 3.89 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: 8.20 Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited; 8.20a. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: those charged with governance; 8.20b. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the individuals contracting for or requesting audit services, such as contracting officials or grantees; or 8.20c. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the cognizant legislative committee, when auditors conduct the audit pursuant to a law or regulation or when they conduct the work for the legislative committee that has oversight of the audited entity. 8.20d.] | Communicate | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-interest threat: The threat that a financial or other interest will inappropriately influence an auditor's judgment or behavior. 3.30a. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-review threat: The threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services provided as part of the nonaudit services when forming a judgment significant to a GAGAS engagement. 3.30b. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Bias threat: The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective. 3.30c. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Familiarity threat: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective. 3.30d. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Undue influence threat: The threat that influences or pressures from sources external to the audit organization will affect an auditor's ability to make objective judgments. 3.30e. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Management participation threat: The threat that results from an auditor's taking on the role of management or otherwise performing management functions on behalf of the audited entity, which will lead an auditor to take a position that is not objective. 3.30f. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Structural threat: The threat that an audit organization's placement within a government entity, in combination with the structure of the government entity being audited, will affect the audit organization's ability to perform work and report results objectively. 3.30g. {if} Auditors should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level, considering both qualitative and quantitative factors to determine the significance of a threat. 3.31] | Audits and Risk Management | Detective | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73] | Establish/Maintain Documentation | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and Risk Management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Establish/Maintain Documentation | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Establish/Maintain Documentation | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Establish/Maintain Documentation | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Establish/Maintain Documentation | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Establish/Maintain Documentation | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Establish/Maintain Documentation | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Establish/Maintain Documentation | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Establish/Maintain Documentation | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Establish/Maintain Documentation | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Establish/Maintain Documentation | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Establish/Maintain Documentation | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 [{if} The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. 8.59 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and Risk Management | Detective | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level. 3.27c. When auditors determine that threats to independence are not at an acceptable level, the auditors should determine whether appropriate safeguards can be applied to eliminate the threats or reduce them to an acceptable level. 3.32 Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to evaluate the significance of the threats identified, both individually and in the aggregate; and 3.27b. Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Process or Activity | Detective | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Establish/Maintain Documentation | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Establish/Maintain Documentation | Corrective | |
Include risk responses in the risk management program. CC ID 13195 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Auditors should document consideration of management's ability to effectively oversee nonaudit services to be provided. 3.74 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document consideration of audited entity management's ability to effectively oversee a nonaudit service to be provided by the auditor as indicated in paragraph 3.74; 3.107c.] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The audit organization should establish policies and procedures designed to provide reasonable assurance that those assigned operational responsibility for the audit organization's system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility. 5.06] | Testing | Detective | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Establish/Maintain Documentation | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Establish/Maintain Documentation | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Communicate | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Establish/Maintain Documentation | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Establish/Maintain Documentation | Preventive | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources Management | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Establish/Maintain Documentation | Preventive | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources Management | Preventive | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources Management | Preventive | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources Management | Preventive | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources Management | Preventive | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources Management | Preventive | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources Management | Preventive | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources Management | Preventive | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources Management | Preventive | |
Approve the wording of job applications. CC ID 16182 | Human Resources Management | Preventive | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources Management | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources Management | Preventive | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources Management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Behavior | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [Auditors should complete at least 20 hours of CPE in each year of the 2-year periods. 4.17] | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 [Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period as follows. 4.16] | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [{continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Behavior | Preventive | |
Document all training in a training record. CC ID 01423 [The audit organization should maintain documentation of each auditor's CPE. 4.18 {continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Establish/Maintain Documentation | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Establish, implement, and maintain training plans. CC ID 00828 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, providing for on-the-job training of auditors; and 8.31c.] | Establish/Maintain Documentation | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Training | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Business Processes | Detective | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources Management | Preventive | |
Include information security responsibilities in performance reviews. CC ID 15697 | Establish/Maintain Documentation | Preventive | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources Management | Detective | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources Management | Preventive | |
Conduct staff performance reviews, as necessary. CC ID 07205 | Business Processes | Detective | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain an ethics program. CC ID 11496 [{legal requirement} The audit organization should establish policies and procedures on independence and legal and ethical requirements that are designed to provide reasonable assurance that the organization and its personnel maintain independence and comply with applicable legal and ethical requirements. 5.08] | Human Resources Management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources Management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain communication protocols. CC ID 12245 [{be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Communicate | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Business Processes | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Process or Activity | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Process or Activity | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Communicate | Preventive | |
Document the findings from surveys. CC ID 16309 | Establish/Maintain Documentation | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Establish/Maintain Documentation | Preventive | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Business Processes | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Establish/Maintain Documentation | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Establish/Maintain Documentation | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Process or Activity | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [{quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating. 5.74a. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c.] | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Business Processes | Corrective | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Establish/Maintain Documentation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a.] | Establish/Maintain Documentation | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to an audited entity's general ledger; 3.89a.] | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 [{external requirements} GAGAS establishes requirements for financial audits in addition to the requirements in the AICPA SAS. Auditors should comply with these additional requirements, along with the AICPA requirements for financial audits, when citing GAGAS in financial audit reports. 6.02] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing certain line items or sections of the financial statements based on information in the trial balance; 3.89b. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include posting entries that an audited entity's management has approved to the entity's trial balance; and 3.89c.] | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: a description of the monitoring procedures performed; 5.44a.] | Communicate | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should perform additional procedures, as appropriate. 8.110 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68] | Testing | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43] | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Monitor and Evaluate Occurrences | Detective | |
Correct compliance violations. CC ID 13515 | Process or Activity | Corrective | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Actionable Reports or Measurements | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 [An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements. 5.02 An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 The audit organization should establish policies and procedures for monitoring its system of quality control. 5.42 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Actionable Reports or Measurements | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94] | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: the conclusions reached from the monitoring procedures; and 5.44b.] | Monitor and Evaluate Occurrences | Detective | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 6.53b. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Actionable Reports or Measurements | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include designing or developing an audited entity's financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102a. Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include making other than insignificant modifications to source code underlying an audited entity's existing financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102b.] | Establish/Maintain Documentation | Preventive | |
Include operations management in the information security program. CC ID 12385 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include operating an audited entity's network, financial information system, or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement. 3.102d.] | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{external requirement} GAGAS establishes requirements for review engagements in addition to the requirements for reviews contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.70 {external requirements} GAGAS establishes requirements for agreed-upon procedures engagements in addition to the requirements for agreed-upon procedures engagements contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their agreed-upon procedures engagement reports. 7.78 {external requirement} GAGAS establishes requirements for reviews of financial statements in addition to the requirements for reviews of financial statements contained in the AICPA's AR-C section 90, Review of Financial Statements. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.86] | Establish/Maintain Documentation | Preventive | |
Include a reconciliation process in the accounting system. CC ID 08951 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing account reconciliations that identify reconciling items for the audited entity management's evaluation. 3.89d.] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Retain records in accordance with applicable requirements. CC ID 00968 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 {audit} Auditors should retain any written communication resulting from paragraph 8.20 as audit documentation. 8.22] | Records Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Establish/Maintain Documentation | Preventive | |
Implement digital identification processes. CC ID 13731 | Process or Activity | Preventive | |
Implement identity proofing processes. CC ID 13719 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Process or Activity | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Process or Activity | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Process or Activity | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Process or Activity | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Process or Activity | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Establish/Maintain Documentation | Preventive | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Configuration | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Process or Activity | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Process or Activity | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Process or Activity | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Process or Activity | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Process or Activity | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Process or Activity | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Process or Activity | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Process or Activity | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Process or Activity | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Process or Activity | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Configuration | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Configuration | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Configuration | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Process or Activity | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Process or Activity | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Process or Activity | Detective | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Business Processes | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Process or Activity | Detective | |
Verify proof of identity records. CC ID 13761 | Investigate | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Process or Activity | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Process or Activity | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Process or Activity | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Process or Activity | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Process or Activity | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Process or Activity | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Process or Activity | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93] | Data and Information Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Establish/Maintain Documentation | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c. The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Process or Activity | Detective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: assumes all management responsibilities; 3.76a. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: oversees the services, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience; 3.76b. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: accepts responsibility for the results of the services. 3.76d.] | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Establish/Maintain Documentation | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Acquisition/Sale of Assets or Services | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Systems Continuity | Preventive | |
Review third party recovery plans. CC ID 17123 | Systems Continuity | Detective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Communicate | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review. 5.66] | Testing | Detective | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Establish/Maintain Documentation | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Business Processes | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 [Auditors who are using another audit organization's work should request a copy of that organization's most recent peer review report, and the organization should provide this document when it is requested. 5.80] | Communicate | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{reporting requirement} Auditors should comply with the requirements in paragraph 6.53 even if they have resigned or been dismissed from the audit prior to its completion. 6.54 {report} {those charged with governance} Auditors should comply with the requirements in paragraph 7.51 even if they have resigned or been dismissed from the engagement prior to its completion. 7.52 Auditors should comply with the requirements in paragraph 9.45 even if they have resigned or been dismissed from the audit prior to its completion. 9.46] | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Establish/Maintain Documentation | Preventive | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Establish/Maintain Documentation | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 | Establish/Maintain Documentation | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 | Establish/Maintain Documentation | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 [An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements. 5.02 An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 The audit organization should establish policies and procedures for monitoring its system of quality control. 5.42 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Monitoring and measurement | Preventive | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 6.53b. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Monitoring and measurement | Corrective | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Preventive | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Preventive | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Preventive | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 [Audit organizations that meet the independence requirements for internal audit organizations, but not those for external audit organizations, should include in the GAGAS compliance statement, where applicable, a statement that they are independent per the GAGAS requirements for internal auditors. 9.04] | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94 If the reviewed audit organization receives a report with a peer review rating of pass with deficiencies or fail, the reviewed audit organization should respond in writing to the deficiencies or significant deficiencies and related recommendations identified in the report. 5.93] | Audits and risk management | Corrective | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Auditors should have an understanding of the entire text of applicable chapters of GAGAS, including application guidance, and any amendments that GAO issued, to understand the intent of the requirements and to apply the requirements properly. 2.05 Before auditors agree to provide nonaudit services to an audited entity that the audited entity's management requested and that could create a threat to independence, either by themselves or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct, auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them. 3.73 The audit organization's management must assign auditors who before beginning work on the engagement possess the competence needed for their assigned roles. 4.03 {are competent} The engagement team should determine that specialists assisting the engagement team on a GAGAS engagement are qualified and competent in their areas of specialization. 4.12 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 The audit organization's management must assign auditors to conduct the engagement who before beginning work on the engagement collectively possess the competence needed to address the engagement objectives and perform their work in accordance with GAGAS. 4.02 The peer review team should meet the following criteria: The review team collectively has adequate professional competence and knowledge of GAGAS and government auditing. 5.89a. The peer review team should meet the following criteria: The review team collectively has sufficient knowledge to conduct a peer review. 5.89c. Auditors engaged to conduct review engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.71 Auditors engaged to conduct agreed-upon procedures engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.79 {licensed} {accountant} Auditors engaged to conduct agreed-upon procedures engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.79, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.80 Auditors engaged to conduct reviews of financial statements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.87 {licensed} {accountant} Auditors engaged to conduct reviews of financial statements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.87, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.88 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, 8.31 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning auditors with the collective knowledge, skills, and abilities appropriate for the audit; 8.31a. If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control. 8.40] | Audits and risk management | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [Auditors engaged to conduct financial audits in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 6.04 Auditors engaged to conduct financial audits of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 6.04, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 6.05 Auditors engaged to conduct examination engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.07 {licensed} {accountant} Auditors engaged to conduct examination engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.07, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.08 {licensed} {accountant} Auditors engaged to conduct review engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.71, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.72 If the engagement team intends to use the work of a specialist, it should assess the independence of the specialist. 8.82 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: performing procedures that form part of the internal control, such as reviewing and approving changes to employee data access privileges; and 3.96b. Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: setting internal audit policies or the strategic direction of internal audit activities; 3.96a. Auditors should conclude that providing certain other nonaudit services impairs an external auditor's independence with respect to an audited entity. These activities include the following: 3.106 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document threats to independence that require the application of safeguards, along with safeguards applied, in accordance with the conceptual framework for independence as required by paragraph 3.33; 3.107a. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the safeguards in paragraphs 3.52 through 3.56 if an audit organization is structurally located within a government entity and is considered structurally independent based on those safeguards; 3.107b. If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 [Before auditors agree to provide a nonaudit service to an audited entity, they should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct. 3.64 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Detective | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: audited entity's acceptance of its responsibilities as discussed in paragraph 3.76, 3.77c. {be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 7.10] | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 6.15 Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.17 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.73 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.81 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.89] | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that appropriate consultation takes place on difficult or contentious issues that arise among engagement team members in the course of conducting a GAGAS engagement; 5.24a.] | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [When auditors conclude that independence of the engagement team or the audit organization is impaired under paragraph 3.59, auditors should decline to accept an engagement or should terminate an engagement in progress (except in circumstances discussed in paragraphs 3.25 or 3.84). 3.60 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The peer review team should include the following elements in the scope of the peer review: review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and 5.82e.] | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 [The peer review team should include the following elements in the scope of the peer review: interviews with selected members of the audit organization's personnel in various roles to assess their understanding of and compliance with relevant quality control policies and procedures. 5.82f.] | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. 8.61 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 [Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 [Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Preventive | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: the audit organization's most recent peer review report and 5.79a. {third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: any subsequent peer review reports received during the period of the contract. 5.79b. {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34] | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19] | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05] | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the cost of corrective action in the audit report. CC ID 17015 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report. 9.30 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Preventive | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives. 8.49] | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-interest threat: The threat that a financial or other interest will inappropriately influence an auditor's judgment or behavior. 3.30a. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-review threat: The threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services provided as part of the nonaudit services when forming a judgment significant to a GAGAS engagement. 3.30b. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Bias threat: The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective. 3.30c. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Familiarity threat: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective. 3.30d. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Undue influence threat: The threat that influences or pressures from sources external to the audit organization will affect an auditor's ability to make objective judgments. 3.30e. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Management participation threat: The threat that results from an auditor's taking on the role of management or otherwise performing management functions on behalf of the audited entity, which will lead an auditor to take a position that is not objective. 3.30f. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Structural threat: The threat that an audit organization's placement within a government entity, in combination with the structure of the government entity being audited, will affect the audit organization's ability to perform work and report results objectively. 3.30g. {if} Auditors should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level, considering both qualitative and quantitative factors to determine the significance of a threat. 3.31] | Audits and risk management | Detective | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 [{if} The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. 8.59 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level. 3.27c. When auditors determine that threats to independence are not at an acceptable level, the auditors should determine whether appropriate safeguards can be applied to eliminate the threats or reduce them to an acceptable level. 3.32 Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work. 3.19 Auditors should use professional judgment when applying the conceptual framework. 3.29 Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. 3.109 Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. 3.109 The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows: 5.72 If the law or regulation requiring an audit specifically identifies the entities to be audited, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the audit and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 6.06] | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Audits and risk management | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [{continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Human Resources management | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
Notify the supervisory authority. CC ID 00472 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Privacy protection for information and data | Preventive | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Leadership and high level objectives | Corrective | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Audits and risk management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 [The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it has the capabilities, including time and resources, to do so. 5.12c. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it complies with professional standards, applicable legal and regulatory requirements, and ethical principles; 5.12a. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it acts within its legal mandate or authority; and 5.12b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c.] | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [In situations where the parties required to receive communications, as described in paragraph 8.20, are not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 8.21 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 [{are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57] | Audits and risk management | Corrective | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Detective | |
Establish, implement, and maintain an education methodology. CC ID 06671 [Auditors should complete at least 20 hours of CPE in each year of the 2-year periods. 4.17] | Human Resources management | Preventive | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Detective | |
Conduct staff performance reviews, as necessary. CC ID 07205 | Human Resources management | Detective | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Preventive | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Leadership and high level objectives | Preventive | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: a description of the monitoring procedures performed; 5.44a.] | Monitoring and measurement | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{non-affiliate} Any audit organization not affiliated with an organization listed in paragraph 5.61 should meet the minimum GAGAS peer review requirements throughout paragraphs 5.66 through 5.94. 5.62 {quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Audits and risk management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: 8.20 Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited; 8.20a. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: those charged with governance; 8.20b. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the individuals contracting for or requesting audit services, such as contracting officials or grantees; or 8.20c. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the cognizant legislative committee, when auditors conduct the audit pursuant to a law or regulation or when they conduct the work for the legislative committee that has oversight of the audited entity. 8.20d.] | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 [Auditors who are using another audit organization's work should request a copy of that organization's most recent peer review report, and the organization should provide this document when it is requested. 5.80] | Third Party and supply chain oversight | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Preventive | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Preventive | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Preventive | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93] | Technical security | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: the auditors' responsibilities, and 3.77d.] | Audits and risk management | Preventive | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to 5.37] | Audits and risk management | Preventive | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: determining the scope of the internal audit function and resulting work. 3.96c.] | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity. 3.18 Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during any period of time that falls within the period covered by the financial statements or subject matter of the engagement and 3.20a. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during the period of professional engagement 3.20b. Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should meet the following criteria: The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its personnel, and the engagements selected for the peer review. 5.89b. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during 3.20] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to communicate the identity and role of the engagement partner or director to management and those charged with governance of the audited entity and 5.37a. The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to clearly define the responsibilities of the engagement partner or director and communicate them to that individual. 5.37b.] | Audits and risk management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Auditors should document consideration of management's ability to effectively oversee nonaudit services to be provided. 3.74 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document consideration of audited entity management's ability to effectively oversee a nonaudit service to be provided by the auditor as indicated in paragraph 3.74; 3.107c.] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive |

KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [{be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65] | Leadership and high level objectives | Preventive | |
Include external requirements in the organization's communication protocol. CC ID 12418 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06] | Leadership and high level objectives | Preventive | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Preventive | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Preventive | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Preventive | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [{quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating. 5.74a. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c.] | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a.] | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to an audited entity's general ledger; 3.89a.] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 [{external requirements} GAGAS establishes requirements for financial audits in addition to the requirements in the AICPA SAS. Auditors should comply with these additional requirements, along with the AICPA requirements for financial audits, when citing GAGAS in financial audit reports. 6.02] | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing certain line items or sections of the financial statements based on information in the trial balance; 3.89b. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include posting entries that an audited entity's management has approved to the entity's trial balance; and 3.89c.] | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Document improvement actions based on test results and exercises. CC ID 16840 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [{regular basis} At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent. 5.09 Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance. 6.39] | Audits and risk management | Preventive | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84] | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: any limitations on the provision of nonaudit services. 3.77e. Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. 9.20] | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06 GAGAS establishes requirements for examination engagements in addition to the requirements for examinations contained in the AICPA's SSAEs. Auditors should comply with these additional requirements, along with the AICPA requirements for examination engagements, when citing GAGAS in their examination engagement reports. 7.05] | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that both the individual seeking consultation and the individual consulted document and agree upon the nature and scope of such consultations; and 5.24b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c. Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include 8.36] | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The peer review team should include the following elements in the scope of the peer review: consideration of the adequacy and results of the audit organization's internal monitoring procedures; 5.82b.] | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a. When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 [Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the engagement objectives have been initiated or are in process with respect to the period under examination, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current examination engagement. 7.14] | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: services to be provided, 3.77b. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the auditor's understanding with an audited entity for which the auditor will provide a nonaudit service as indicated in paragraph 3.77; and 3.107d.] | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 [Auditors should determine whether other auditors have conducted, or are conducting, audits that could be relevant to the current audit objectives. 8.80] | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [Auditors should reevaluate threats to independence, including any safeguards applied, whenever the audit organization or the auditors become aware of new information or changes in facts and circumstances that could affect whether a threat has been eliminated or reduced to an acceptable level. 3.28] | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 [Before the date of the examination report, document supervisory review of the evidence that supports the findings, conclusions, and recommendations contained in the examination report. 7.33a. Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report. 8.133] | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25] | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 Auditors should document any departures from the GAGAS requirements and the effect on the audit and on the auditors' conclusions when the audit is not in compliance with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit. 6.32 When auditors do not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. 8.136] | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 In rare circumstances, auditors and audit organizations may determine it necessary to depart from a relevant presumptively mandatory requirement. In such rare circumstances, auditors should perform alternative procedures to achieve the intent of that requirement. 2.03 The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 [Auditors should evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives. 8.54] | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {quality assurance} While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: 3.107 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: 5.91 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57 {external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 {have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 {if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment. 8.134 Auditors should issue the audit report in a form that is appropriate for its intended use, either in writing or in some other retrievable form. 9.07 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 [{have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 9.53] | Audits and risk management | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 [{external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11] | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed-upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. {external requirement} Document any departures from the GAGAS requirements and the effect on the examination engagement and on the auditors' conclusions when the examination engagement does not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the examination engagement. 7.33b.] | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 [When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for corrective action. 6.50 When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. 7.48 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 [Auditors should document supervisory review, before the report release date, of the evidence that supports the findings and conclusions contained in the audit report. 6.31 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions to the extent that would persuade a knowledgeable person that the findings are reasonable. 8.92 {if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78 Auditors should document the following: supervisory review, before the audit report is issued, of the evidence that supports the findings, conclusions, and recommendations contained in the audit report. 8.135c. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them that if not disclosed could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices. 9.22] | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 [{be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited entity and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 6.70 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 7.69 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that because of the significance of the departure(s) from the requirements, the auditors were unable to and did not conduct the engagement in accordance with GAGAS. 2.17b. (2)] | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including 8.32 If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the objectives and scope of the specialists' work, 8.32a. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the intended use of the specialists' work to support the audit objectives, 8.32b. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the assumptions and methods used by the specialists. 8.32d.] | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should conclude that independence is impaired if no safeguards have been effectively applied to eliminate an unacceptable threat or reduce it to an acceptable level. 3.59 Auditors should conclude that independence is impaired if an audit organization provides appraisal, valuation, or actuarial services to an audited entity when (1) the services involve a significant degree of subjectivity and (2) the results of the service, individually or when combined with other valuation, appraisal, or actuarial services, are material to the audited entity's financial statements or other information on which the audit organization is reporting. 3.104 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a description of the scope of the peer review, including any limitations; 5.91a.] | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 [When auditors are required to conduct an engagement in accordance with GAGAS or are representing to others that they did so, they should cite compliance with GAGAS in the audit report as set forth in paragraphs 2.17 through 2.19. 2.16 Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that the auditors conducted the engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or 2.17b. (1) The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: specification of the professional standards and applicable legal and regulatory requirements to which the reviewed audit organization is being held; 5.91c. When auditors comply with all applicable GAGAS requirements for agreed-upon procedures engagements, they should include a statement in the agreed-upon procedures engagement report that they conducted the engagement in accordance with GAGAS. 7.82 {external requirement} When auditors comply with all applicable GAGAS requirements, they should include a statement in the report that they conducted the examination in accordance with GAGAS. 7.39] | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 [Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a statement that the peer review was conducted in accordance with GAGAS peer review requirements; and 5.91e. {external requirements} When auditors comply with all applicable requirements for a review engagement conducted in accordance with GAGAS, they should include a statement in the review report that they conducted the engagement in accordance with GAGAS. 7.74 {external requirements} When auditors comply with all applicable requirements for a review of financial statements conducted in accordance with GAGAS, they should include a statement in the report that they conducted the engagement in accordance with GAGAS. 7.90 When auditors comply with all applicable GAGAS requirements, they should include a statement in the audit report that they conducted the audit in accordance with GAGAS. 6.36 When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they conducted the audit in accordance with GAGAS: 9.03 ¶ 1] | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Review past audit reports. CC ID 01155 [Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization's quality control system, including one or more engagements conducted in accordance with GAGAS. 5.67 The peer review team should include the following elements in the scope of the peer review: review of prior peer review reports, if applicable; 5.82d. The peer review team should include the following elements in the scope of the peer review: review of selected audit reports and related documentation and, if applicable, documentation related to selected terminated engagements prepared in accordance with paragraph 5.25, if any terminated engagements are selected from the universe of engagements used for the peer review sample; 5.82c. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 [If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 {is unwilling} In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions because of lack of time or desire), auditors should conclude that the provision of these services is an impairment to independence. 3.75 Auditors should conclude that management responsibilities that the auditors perform for an audited entity are impairments to independence. If the auditors were to assume management responsibilities for an audited entity, the management participation threats created would be so significant that no safeguards could reduce them to an acceptable level. 3.78 {refrain from obtaining} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: determining or changing journal entries, account codes or classifications for transactions, or other accounting records for the entity without obtaining management's approval; 3.87a. Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: authorizing or approving the entity's transactions; and 3.87b. {do not obtain} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: preparing or making changes to source documents without management approval. 3.87c. The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed. 6.40 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or 6.41a. Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives. 6.41b. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c. When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud that have an effect on the subject matter or an assertion about the subject matter that are less than material but warrant the attention of those charged with governance, they should communicate in writing to audited entity officials. 7.45 Auditors should communicate in writing to audited entity officials when identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements comes to the auditor's attention during the course of an audit that has an effect on the financial statements or other financial data significant to the audit objectives that is less than material but warrants the attention of those charged with governance or 6.44a. Auditors should communicate in writing to audited entity officials when the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 6.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives. 7.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the subject matter or an assertion about the subject matter or 7.44a. Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when internal control is significant to the audit objectives. 8.117 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Audits and risk management | Corrective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Preventive | |
Include an audit opinion in the audit report. CC ID 07017 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a rating concluding on whether the system of quality control of the reviewed audit organization was adequately designed and complied with during the period reviewed and would provide the audit organization with reasonable assurance that it conformed to professional standards and applicable legal and regulatory requirements; 5.91b. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73 Auditors should report conclusions based on the audit objectives and the audit findings. 9.19] | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 [Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 [If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 6.63 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 7.61 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 9.61 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. 9.45 Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a.] | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42] | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 [{be integral} If auditors report separately (including separate reports bound in the same document) on deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud, they should state in the examination report that they are issuing those additional reports. They should include a reference to the separate reports and also state that the reports are an integral part of a GAGAS examination engagement. 7.40 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 6.70a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.77a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.85a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the examination engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations and to others authorized to receive such reports. 7.69a. {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.93a. Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.36 Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of fraud that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.41 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 9.58 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 If the law or regulation requiring an examination engagement specifically identifies the entities to be examined, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the examination and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 7.09 {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: reference to a separate written communication, if issued under the peer review program; 5.91d. {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Audits and risk management | Corrective | |
Include the audit criteria in the audit plan. CC ID 15262 [Auditors should identify and use suitable criteria based on the audit objectives. 8.07 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: objectives of the nonaudit service, 3.77a. Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a.] | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to identify threats to independence; 3.27a. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include 3.89 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73] | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Preventive | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Preventive | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Preventive | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Preventive | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Preventive | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Preventive | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Preventive | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Preventive | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Preventive | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Preventive | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Preventive | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Preventive | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Preventive | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Corrective | |
Include risk responses in the risk management program. CC ID 13195 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Preventive | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Preventive | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Preventive | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Preventive | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Preventive | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Preventive | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Preventive | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Preventive | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Preventive | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Document all training in a training record. CC ID 01423 [The audit organization should maintain documentation of each auditor's CPE. 4.18 {continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Human Resources management | Detective | |
Establish, implement, and maintain training plans. CC ID 00828 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, providing for on-the-job training of auditors; and 8.31c.] | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Include information security responsibilities in performance reviews. CC ID 15697 | Human Resources management | Preventive | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Detective | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include designing or developing an audited entity's financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102a. Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include making other than insignificant modifications to source code underlying an audited entity's existing financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102b.] | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include operating an audited entity's network, financial information system, or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement. 3.102d.] | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{external requirement} GAGAS establishes requirements for review engagements in addition to the requirements for reviews contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.70 {external requirements} GAGAS establishes requirements for agreed-upon procedures engagements in addition to the requirements for agreed-upon procedures engagements contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their agreed-upon procedures engagement reports. 7.78 {external requirement} GAGAS establishes requirements for reviews of financial statements in addition to the requirements for reviews of financial statements contained in the AICPA's AR-C section 90, Review of Financial Statements. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.86] | Operational management | Preventive | |
Include a reconciliation process in the accounting system. CC ID 08951 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing account reconciliations that identify reconciling items for the audited entity management's evaluation. 3.89d.] | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c.] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: assumes all management responsibilities; 3.76a. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: oversees the services, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience; 3.76b. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: accepts responsibility for the results of the services. 3.76d.] | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Third Party and supply chain oversight | Preventive | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{reporting requirement} Auditors should comply with the requirements in paragraph 6.53 even if they have resigned or been dismissed from the audit prior to its completion. 6.54 {report} {those charged with governance} Auditors should comply with the requirements in paragraph 7.51 even if they have resigned or been dismissed from the engagement prior to its completion. 7.52 Auditors should comply with the requirements in paragraph 9.45 even if they have resigned or been dismissed from the audit prior to its completion. 9.46] | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Third Party and supply chain oversight | Preventive | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Third Party and supply chain oversight | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 | Third Party and supply chain oversight | Preventive | |
Include quality standards in outsourcing contracts. CC ID 17191 | Third Party and supply chain oversight | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Third Party and supply chain oversight | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the qualification requirements for auditors. CC ID 17259 | Audits and risk management | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Preventive | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Preventive | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Preventive | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Preventive | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Preventive | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Preventive | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Preventive | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Preventive | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Preventive | |
Approve the wording of job applications. CC ID 16182 | Human Resources management | Preventive | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Preventive | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Preventive | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Preventive | |
Support certification programs as viable training programs. CC ID 13268 [Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period as follows. 4.16] | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources management | Preventive | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources management | Detective | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 [{legal requirement} The audit organization should establish policies and procedures on independence and legal and ethical requirements that are designed to provide reasonable assurance that the organization and its personnel maintain independence and comply with applicable legal and ethical requirements. 5.08] | Human Resources management | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 [{if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62] | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Verify proof of identity records. CC ID 13761 | Technical security | Detective | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77] | Audits and risk management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: the conclusions reached from the monitoring procedures; and 5.44b.] | Monitoring and measurement | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include supervising audited entity personnel in the daily operation of an audited entity's information system; or 3.102c. The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors must properly supervise audit staff. 8.87] | Audits and risk management | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Preventive | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Leadership and high level objectives | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Corrective | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 7.20] | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, engaging specialists when necessary. 8.31d.] | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should evaluate the significance of threats to independence created by providing any services discussed in paragraph 3.89 and should document the evaluation of the significance of such threats. 3.90 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the evaluation of the significance of the threats created by providing any of the services discussed in paragraph 3.89. 3.107e. Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that noncompliance with provisions of laws, regulations, contracts, and grant agreements either has occurred or is likely to have occurred that is significant within the context of the audit objectives. 9.35 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that fraud either has occurred or is likely to have occurred that is significant to the audit objectives. 9.40] | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to evaluate the significance of the threats identified, both individually and in the aggregate; and 3.27b. Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Audits and risk management | Detective | |
Implement digital identification processes. CC ID 13731 | Technical security | Preventive | |
Implement identity proofing processes. CC ID 13719 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Technical security | Preventive | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Preventive | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Preventive | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Detective | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Preventive | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Detective | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Preventive | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Detective | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Preventive | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Detective | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Detective | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Preventive | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Preventive | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Detective | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Preventive | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Preventive | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Detective | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Detective | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Detective | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Detective | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Preventive | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Detective | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Preventive | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Preventive | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Preventive | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c. The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Third Party and supply chain oversight | Detective | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [The audit organization should establish policies and procedures that require retention of engagement documentation for a period of time sufficient to permit those performing monitoring procedures and peer review of the organization to evaluate its compliance with its system of quality control or for a longer period if required by law or regulation. 5.46] | Audits and risk management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 {audit} Auditors should retain any written communication resulting from paragraph 8.20 as audit documentation. 8.22] | Records management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Preventive | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should perform additional procedures, as appropriate. 8.110 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68] | Monitoring and measurement | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 [When auditors use information provided by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. 8.93] | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 [{if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78] | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 [When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 6.17 When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the examination objectives. 7.19 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective. 8.62 As part of a performance audit, when auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 8.116 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Detective | |
Determine the implementation status of in scope controls. CC ID 06981 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 6.18 {if} Auditors should determine and document whether internal control is significant to the audit objectives. 8.39 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{is valid} {is reliable} In assessing the appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. 8.91 Auditors should evaluate the objectivity, credibility, and reliability of testimonial evidence. 8.94] | Audits and risk management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 [Auditors should issue audit reports communicating the results of each completed performance audit. 9.06] | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [The audit organization should establish policies and procedures for human resources that are designed to provide the organization with reasonable assurance that it has personnel with the competence to conduct GAGAS engagements in accordance with professional standards and applicable legal and regulatory requirements. 5.15 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning a sufficient number of auditors to the audit; 8.31b.] | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 Auditors must plan the audit to reduce audit risk to an acceptably low level. 8.04 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit. 8.33 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The audit organization should establish policies and procedures designed to provide reasonable assurance that those assigned operational responsibility for the audit organization's system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility. 5.06] | Human Resources management | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review. 5.66] | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Correct errors and deficiencies in a timely manner. CC ID 13501 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Leadership and high level objectives | Business Processes | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Correct compliance violations. CC ID 13515 | Monitoring and measurement | Process or Activity | |
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676 [When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 6.53b. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Monitoring and measurement | Actionable Reports or Measurements | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 {is unwilling} In cases where the audited entity is unable or unwilling to assume these responsibilities (for example, the audited entity does not have an individual with suitable skill, knowledge, or experience to oversee the nonaudit services provided, or is unwilling to perform such functions because of lack of time or desire), auditors should conclude that the provision of these services is an impairment to independence. 3.75 Auditors should conclude that management responsibilities that the auditors perform for an audited entity are impairments to independence. If the auditors were to assume management responsibilities for an audited entity, the management participation threats created would be so significant that no safeguards could reduce them to an acceptable level. 3.78 {refrain from obtaining} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: determining or changing journal entries, account codes or classifications for transactions, or other accounting records for the entity without obtaining management's approval; 3.87a. Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: authorizing or approving the entity's transactions; and 3.87b. {do not obtain} Auditors should conclude that the following services involving preparation of accounting records impair independence with respect to an audited entity: preparing or making changes to source documents without management approval. 3.87c. The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed. 6.40 Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or 6.41a. Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives. 6.41b. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c. When auditors identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements or instances of fraud that have an effect on the subject matter or an assertion about the subject matter that are less than material but warrant the attention of those charged with governance, they should communicate in writing to audited entity officials. 7.45 Auditors should communicate in writing to audited entity officials when identified or suspected noncompliance with provisions of laws, regulations, contracts, or grant agreements comes to the auditor's attention during the course of an audit that has an effect on the financial statements or other financial data significant to the audit objectives that is less than material but warrants the attention of those charged with governance or 6.44a. Auditors should communicate in writing to audited entity officials when the auditor has obtained evidence of identified or suspected instances of fraud that have an effect on the financial statements or other financial data significant to the audit objectives that are less than material but warrant the attention of those charged with governance. 6.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect fraud that is material, either quantitatively or qualitatively, to the subject matter or an assertion about the subject matter that is significant to the engagement objectives. 7.44b. Auditors should include in their examination report the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the subject matter or an assertion about the subject matter or 7.44a. Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings when internal control is significant to the audit objectives. 8.117 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 [{are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57] | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94 If the reviewed audit organization receives a report with a peer review rating of pass with deficiencies or fail, the reviewed audit organization should respond in writing to the deficiencies or significant deficiencies and related recommendations identified in the report. 5.93] | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: when relevant, a description of systemic, repetitive, or other deficiencies and of the actions taken to resolve those deficiencies. 5.44c. {regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Establish/Maintain Documentation | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 When the auditors identify limitations or uncertainties in evidence that is significant to the audit findings and conclusions, they should perform additional procedures, as appropriate. 8.110 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68] | Monitoring and measurement | Testing | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 [When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Monitoring and measurement | Actionable Reports or Measurements | |
Include monitoring in the corrective action plan. CC ID 11645 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: the conclusions reached from the monitoring procedures; and 5.44b.] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Determine if requested services create a threat to independence. CC ID 16823 [Before auditors agree to provide a nonaudit service to an audited entity, they should determine whether providing such a service would create a threat to independence, either by itself or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct. 3.64 Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a. When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [When auditors conclude that independence of the engagement team or the audit organization is impaired under paragraph 3.59, auditors should decline to accept an engagement or should terminate an engagement in progress (except in circumstances discussed in paragraphs 3.25 or 3.84). 3.60 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 [When auditors use information provided by officials of the audited entity as part of their evidence, they should determine what the officials of the audited entity or other auditors did to obtain assurance over the reliability of the information. 8.93] | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 [{if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78] | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 7.20] | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 [When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 6.17 When auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the examination objectives. 7.19 Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When evaluating information systems controls is an audit objective, auditors should test information systems controls to the extent necessary to address the audit objective. 8.62 As part of a performance audit, when auditors identify findings, they should plan and perform procedures to develop the criteria, condition, cause, and effect of the findings to the extent that these elements are relevant and necessary to achieve the audit objectives. 8.116 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Testing | |
Determine the implementation status of in scope controls. CC ID 06981 [When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 [Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 6.18 {if} Auditors should determine and document whether internal control is significant to the audit objectives. 8.39 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Testing | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 [The peer review team should include the following elements in the scope of the peer review: interviews with selected members of the audit organization's personnel in various roles to assess their understanding of and compliance with relevant quality control policies and procedures. 5.82f.] | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Audits and Risk Management | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [Based on the risk assessment, the peer review team should select engagements that provide a reasonable cross section of all types of work subject to the reviewed audit organization's quality control system, including one or more engagements conducted in accordance with GAGAS. 5.67 The peer review team should include the following elements in the scope of the peer review: review of prior peer review reports, if applicable; 5.82d. The peer review team should include the following elements in the scope of the peer review: review of selected audit reports and related documentation and, if applicable, documentation related to selected terminated engagements prepared in accordance with paragraph 5.25, if any terminated engagements are selected from the universe of engagements used for the peer review sample; 5.82c. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 [If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81 {be external} An audit organization not already subject to a peer review requirement should obtain an external peer review at least once every 3 years. The audit organization should obtain its first peer review covering a review period ending no later than 3 years from the date an audit organization begins its first engagement in accordance with GAGAS. 5.84] | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 [{if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62] | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 [When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should evaluate the significance of threats to independence created by providing any services discussed in paragraph 3.89 and should document the evaluation of the significance of such threats. 3.90 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the evaluation of the significance of the threats created by providing any of the services discussed in paragraph 3.89. 3.107e. Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors' attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 8.72 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that noncompliance with provisions of laws, regulations, contracts, and grant agreements either has occurred or is likely to have occurred that is significant within the context of the audit objectives. 9.35 Auditors should report a matter as a finding when they conclude, based on sufficient, appropriate evidence, that fraud either has occurred or is likely to have occurred that is significant to the audit objectives. 9.40] | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 [{be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77] | Audits and risk management | Log Management | |
Submit an audit report that is complete. CC ID 01145 [Auditors should issue audit reports communicating the results of each completed performance audit. 9.06] | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 [The audit organization should establish policies and procedures for human resources that are designed to provide the organization with reasonable assurance that it has personnel with the competence to conduct GAGAS engagements in accordance with professional standards and applicable legal and regulatory requirements. 5.15 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning a sufficient number of auditors to the audit; 8.31b.] | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 [Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 Auditors must plan the audit to reduce audit risk to an acceptably low level. 8.04 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors must prepare a written audit plan for each audit. Auditors should update the plan, as necessary, to reflect any significant changes to the plan made during the audit. 8.33 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Testing | |
Analyze the risk management strategy for addressing threats. CC ID 12925 [Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-interest threat: The threat that a financial or other interest will inappropriately influence an auditor's judgment or behavior. 3.30a. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Self-review threat: The threat that an auditor or audit organization that has provided nonaudit services will not appropriately evaluate the results of previous judgments made or services provided as part of the nonaudit services when forming a judgment significant to a GAGAS engagement. 3.30b. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Bias threat: The threat that an auditor will, as a result of political, ideological, social, or other convictions, take a position that is not objective. 3.30c. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Familiarity threat: The threat that aspects of a relationship with management or personnel of an audited entity, such as a close or long relationship, or that of an immediate or close family member, will lead an auditor to take a position that is not objective. 3.30d. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Undue influence threat: The threat that influences or pressures from sources external to the audit organization will affect an auditor's ability to make objective judgments. 3.30e. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Management participation threat: The threat that results from an auditor's taking on the role of management or otherwise performing management functions on behalf of the audited entity, which will lead an auditor to take a position that is not objective. 3.30f. Auditors should evaluate the following broad categories of threats to independence when applying the GAGAS conceptual framework: Structural threat: The threat that an audit organization's placement within a government entity, in combination with the structure of the government entity being audited, will affect the audit organization's ability to perform work and report results objectively. 3.30g. {if} Auditors should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level, considering both qualitative and quantitative factors to determine the significance of a threat. 3.31] | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 [{if} The effectiveness of significant internal controls frequently depends on the effectiveness of information systems controls. Thus, when obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. 8.59 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60] | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to evaluate the significance of the threats identified, both individually and in the aggregate; and 3.27b. Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Audits and risk management | Process or Activity | |
Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 | Technical security | Process or Activity | |
Interact with the data subject when performing remote proofing. CC ID 13777 | Technical security | Process or Activity | |
View all applicant actions when performing remote proofing. CC ID 13804 | Technical security | Process or Activity | |
Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 | Technical security | Process or Activity | |
Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 | Technical security | Process or Activity | |
Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 | Technical security | Process or Activity | |
Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 | Technical security | Process or Activity | |
Validate proof of identity during the identity proofing process. CC ID 13756 | Technical security | Process or Activity | |
Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 | Technical security | Business Processes | |
Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 | Technical security | Process or Activity | |
Verify proof of identity records. CC ID 13761 | Technical security | Investigate | |
Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 | Technical security | Process or Activity | |
Conduct in-person proofing with physical interactions. CC ID 13775 | Technical security | Process or Activity | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [The audit organization should establish policies and procedures designed to provide reasonable assurance that those assigned operational responsibility for the audit organization's system of quality control have sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility. 5.06] | Human Resources management | Testing | |
Document all training in a training record. CC ID 01423 [The audit organization should maintain documentation of each auditor's CPE. 4.18 {continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Human Resources management | Establish/Maintain Documentation | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Establish, implement, and maintain performance reviews. CC ID 14777 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Business Processes | |
Conduct performance reviews for the board of directors and board committees, as necessary. CC ID 14783 | Human Resources management | Human Resources Management | |
Conduct staff performance reviews, as necessary. CC ID 07205 | Human Resources management | Business Processes | |
Analyze the documentation produced by staff during the performance review. CC ID 07207 | Human Resources management | Establish/Maintain Documentation | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c. The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Third Party and supply chain oversight | Process or Activity | |
Review third party recovery plans. CC ID 17123 | Third Party and supply chain oversight | Systems Continuity | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [The peer review team should perform an assessment of peer review risk to help determine the number and types of engagements to select for review. 5.66] | Third Party and supply chain oversight | Testing | |
Assess third parties' compliance environment during due diligence. CC ID 13134 | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Establish/Maintain Documentation |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain communication protocols. CC ID 12245 [{be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an alternative communication protocol. CC ID 17097 | Leadership and high level objectives | Communicate | |
Use secure communication protocols for telecommunications. CC ID 16458 | Leadership and high level objectives | Business Processes | |
Include external requirements in the organization's communication protocol. CC ID 12418 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 | Leadership and high level objectives | Process or Activity | |
Identify barriers to stakeholder engagement. CC ID 15676 | Leadership and high level objectives | Process or Activity | |
Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 | Leadership and high level objectives | Communicate | |
Document the findings from surveys. CC ID 16309 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the criteria for notifications in the notification system. CC ID 17139 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the capturing and alerting of account activity in the notification system. CC ID 15314 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an internal reporting program. CC ID 12409 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Leadership and high level objectives | Business Processes | |
Define the thresholds for escalation in the internal reporting program. CC ID 14332 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the thresholds for reporting in the internal reporting program. CC ID 14331 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 [Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 8.68] | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [{quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04] | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74 The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of observed matters does not identify any findings (more than a remote possibility that the reviewed audit organization would not perform, report, or both in conformity with professional standards and applicable legal and regulatory requirements), or identifies findings that are not considered to be deficiencies, the peer review team issues a pass rating. 5.74a. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of findings identified deficiencies but did not identify any significant deficiencies, the peer review team issues a pass with deficiencies rating and communicates the deficiencies in its report. 5.74b. The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: If the peer review team's evaluation of deficiencies identified significant deficiencies, the peer review team issues a fail rating and communicates the deficiencies and significant deficiencies in its report. 5.74c.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [The peer review team should aggregate and systematically evaluate any observed matters (circumstances that warrant further consideration by the peer review team) and document its evaluation. The peer review team should perform its evaluation and issue report ratings as follows: 5.74] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 [The audit organization should establish policies and procedures on leadership responsibilities for quality within the audit organization that include designating responsibility for quality of engagements conducted in accordance with GAGAS and communicating policies and procedures relating to quality. 5.05] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [GAGAS uses two categories of requirements, identified by specific terms, to describe the degree of responsibility they impose on auditors and audit organizations: Unconditional requirements: Auditors and audit organizations must comply with an unconditional requirement in all cases where such requirement is relevant. GAGAS uses must to indicate an unconditional requirement. 2.02a.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a financial management program. CC ID 13228 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include recording transactions for which management has determined or approved the appropriate account classification, or posting coded transactions to an audited entity's general ledger; 3.89a.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain financial reports. CC ID 14770 | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 [{external requirements} GAGAS establishes requirements for financial audits in addition to the requirements in the AICPA SAS. Auditors should comply with these additional requirements, along with the AICPA requirements for financial audits, when citing GAGAS in financial audit reports. 6.02] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing certain line items or sections of the financial statements based on information in the trial balance; 3.89b. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include posting entries that an audited entity's management has approved to the entity's trial balance; and 3.89c.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 [The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: a description of the monitoring procedures performed; 5.44a.] | Monitoring and measurement | Communicate | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44] | Monitoring and measurement | Establish/Maintain Documentation | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include cryptographic key management procedures in the system security plan. CC ID 17029 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include backup and recovery procedures in the system security plan. CC ID 17043 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
Document improvement actions based on test results and exercises. CC ID 16840 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 [The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 [An audit organization conducting engagements in accordance with GAGAS must establish and maintain a system of quality control that is designed to provide the audit organization with reasonable assurance that the organization and its personnel comply with professional standards and applicable legal and regulatory requirements. 5.02 An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 The audit organization should establish policies and procedures for monitoring its system of quality control. 5.42 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should include the following elements in the scope of the peer review: review of the audit organization's design of, and compliance with, quality control and related policies and procedures; 5.82a.] | Monitoring and measurement | Actionable Reports or Measurements | |
Include the completion date in the corrective action plan. CC ID 13272 [With respect to each deficiency or significant deficiency in the report, the reviewed audit organization should describe in its letter of response the corrective actions already taken, target dates for planned corrective actions, or both. 5.94] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a Statement of Compliance. CC ID 12499 [{regular basis} At least annually, the audit organization should obtain written affirmation of compliance with its policies and procedures on independence from all of its personnel required to be independent. 5.09 Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance. 6.39] | Audits and risk management | Establish/Maintain Documentation | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [{non-affiliate} Any audit organization not affiliated with an organization listed in paragraph 5.61 should meet the minimum GAGAS peer review requirements throughout paragraphs 5.66 through 5.94. 5.62 {quality control requirements} Audit organizations affiliated with one of the following recognized organizations should comply with the respective organization's peer review requirements and the requirements listed throughout paragraphs 5.66 through 5.80. 5.61] | Audits and risk management | Communicate | |
Include the verification method in the Statement of Compliance. CC ID 16820 | Audits and risk management | Actionable Reports or Measurements | |
Include a description of the awareness and training program in the Statement of Compliance. CC ID 16817 | Audits and risk management | Actionable Reports or Measurements | |
Include contact information for the handling of requests and issues in the Statement of Compliance. CC ID 16816 | Audits and risk management | Actionable Reports or Measurements | |
Include the privacy programs the organization is a member of in the Statement of Compliance. CC ID 16818 | Audits and risk management | Actionable Reports or Measurements | |
Include the personal data use purpose specification in the Statement of Compliance. CC ID 17175 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: the auditors' responsibilities, and 3.77d.] | Audits and risk management | Establish Roles | |
Rotate auditors, as necessary. CC ID 15589 | Audits and risk management | Audits and Risk Management | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 | Audits and risk management | Communicate | |
Define the qualification requirements for auditors. CC ID 17259 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Communicate | |
Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to 5.37] | Audits and risk management | Establish Roles | |
Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: determining the scope of the internal audit function and resulting work. 3.96c.] | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Auditors should have an understanding of the entire text of applicable chapters of GAGAS, including application guidance, and any amendments that GAO issued, to understand the intent of the requirements and to apply the requirements properly. 2.05 Before auditors agree to provide nonaudit services to an audited entity that the audited entity's management requested and that could create a threat to independence, either by themselves or in aggregate with other nonaudit services provided, with respect to any GAGAS engagement they conduct, auditors should determine that the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them. 3.73 The audit organization's management must assign auditors who before beginning work on the engagement possess the competence needed for their assigned roles. 4.03 {are competent} The engagement team should determine that specialists assisting the engagement team on a GAGAS engagement are qualified and competent in their areas of specialization. 4.12 The audit organization should perform monitoring procedures that enable it to assess compliance with professional standards and quality control policies and procedures for GAGAS engagements. Individuals performing monitoring should have sufficient expertise and authority within the audit organization. 5.43 The audit organization's management must assign auditors to conduct the engagement who before beginning work on the engagement collectively possess the competence needed to address the engagement objectives and perform their work in accordance with GAGAS. 4.02 The peer review team should meet the following criteria: The review team collectively has adequate professional competence and knowledge of GAGAS and government auditing. 5.89a. The peer review team should meet the following criteria: The review team collectively has sufficient knowledge to conduct a peer review. 5.89c. Auditors engaged to conduct review engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.71 Auditors engaged to conduct agreed-upon procedures engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.79 {licensed} {accountant} Auditors engaged to conduct agreed-upon procedures engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.79, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.80 Auditors engaged to conduct reviews of financial statements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.87 {licensed} {accountant} Auditors engaged to conduct reviews of financial statements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.87, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.88 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, 8.31 Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, assigning auditors with the collective knowledge, skills, and abilities appropriate for the audit; 8.31a. If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control. 8.40] | Audits and risk management | Audits and Risk Management | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 [Auditors engaged to conduct financial audits in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 6.04 Auditors engaged to conduct financial audits of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 6.04, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 6.05 Auditors engaged to conduct examination engagements in the United States who do not work for a government audit organization should be licensed CPAs, persons working for licensed certified public accounting firms, or licensed accountants in states that have multiclass licensing systems that recognize licensed accountants other than CPAs. 7.07 {licensed} {accountant} Auditors engaged to conduct examination engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.07, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.08 {licensed} {accountant} Auditors engaged to conduct review engagements of entities operating outside of the United States who do not work for a government audit organization should meet the qualifications indicated in paragraph 7.71, have certifications that meet all applicable national and international standards and serve in their respective countries as the functional equivalent of CPAs in the United States, or work for nongovernment audit organizations that are the functional equivalent of licensed certified public accounting firms in the United States. 7.72 If the engagement team intends to use the work of a specialist, it should assess the independence of the specialist. 8.82 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an audit program. CC ID 00684 [Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [In all matters relating to the GAGAS engagement, auditors and audit organizations must be independent from an audited entity. 3.18 Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during any period of time that falls within the period covered by the financial statements or subject matter of the engagement and 3.20a. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during the period of professional engagement 3.20b. Each audit organization conducting engagements in accordance with GAGAS must obtain an external peer review conducted by reviewers independent of the audit organization being reviewed. The peer review should be sufficient in scope to provide a reasonable basis for determining whether, for the period under review, (1) the reviewed audit organization's system of quality control was suitably designed and (2) the organization is complying with its quality control system so that it has reasonable assurance that it is performing and reporting in conformity with professional standards and applicable legal and regulatory requirements in all material respects. 5.60 The peer review team should meet the following criteria: The organization conducting the peer review and individual review team members are independent (as defined in GAGAS) of the audit organization being reviewed, its personnel, and the engagements selected for the peer review. 5.89b. Except under the limited circumstances discussed in paragraphs 3.66 and 3.67, auditors and audit organizations should be independent from an audited entity during 3.20] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 [Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: performing procedures that form part of the internal control, such as reviewing and approving changes to employee data access privileges; and 3.96b. Internal audit assistance services involve assisting an entity in performing its internal audit activities. Auditors should conclude that the following internal audit assistance activities impair an external auditor's independence with respect to an audited entity: setting internal audit policies or the strategic direction of internal audit activities; 3.96a. Auditors should conclude that providing certain other nonaudit services impairs an external auditor's independence with respect to an audited entity. These activities include the following: 3.106 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document threats to independence that require the application of safeguards, along with safeguards applied, in accordance with the conceptual framework for independence as required by paragraph 3.33; 3.107a. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the safeguards in paragraphs 3.52 through 3.56 if an audit organization is structurally located within a government entity and is considered structurally independent based on those safeguards; 3.107b. If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 | Audits and risk management | Process or Activity | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work. 3.19 Auditors should use professional judgment when applying the conceptual framework. 3.29 Auditors must use professional judgment in planning and conducting the engagement and in reporting the results. 3.109 The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 The peer review team should use professional judgment in deciding on the type of peer review rating to issue; the ratings are as follows: 5.72 If the law or regulation requiring an audit specifically identifies the entities to be audited, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the audit and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 6.06] | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain audit terms. CC ID 13880 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: any limitations on the provision of nonaudit services. 3.77e. Auditors should describe in their report limitations or uncertainties with the reliability or validity of evidence if (1) the evidence is significant to the findings and conclusions within the context of the audit objectives and (2) such disclosure is necessary to avoid misleading the report users about the findings and conclusions. Auditors should describe the limitations or uncertainties regarding evidence in conjunction with the findings and conclusions, in addition to describing those limitations or uncertainties as part of the objectives, scope, and methodology. 9.20] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: audited entity's acceptance of its responsibilities as discussed in paragraph 3.76, 3.77c. {be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 7.10] | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Establish/Maintain Documentation | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 [{cannot} Auditors in a government entity may be required to provide a nonaudit service that impairs the auditors' independence with respect to a required engagement. If, because of constitutional or statutory requirements over which they have no control, the auditors can neither implement safeguards to reduce the resulting threat to an acceptable level nor decline to provide or terminate a nonaudit service that is incompatible with engagement responsibilities, auditors should disclose the nature of the threat that could not be eliminated or reduced to an acceptable level and modify the GAGAS compliance statement as discussed in paragraph 2.17b accordingly. Determining how to modify the GAGAS compliance statement in these circumstances is a matter of professional judgment. 3.84 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 6.15 Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.17 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.73 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.81 {external requirements} Auditors should extend the AICPA requirements concerning consideration of noncompliance with laws and regulations to include consideration of noncompliance with provisions of contracts and grant agreements. 7.89] | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 [{if} {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 7.63 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 {if} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 9.63] | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 [Auditors should consider applicable GAO-issued GAGAS interpretive guidance in conducting and reporting on GAGAS engagements. 2.06 GAGAS establishes requirements for examination engagements in addition to the requirements for examinations contained in the AICPA's SSAEs. Auditors should comply with these additional requirements, along with the AICPA requirements for examination engagements, when citing GAGAS in their examination engagement reports. 7.05] | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that appropriate consultation takes place on difficult or contentious issues that arise among engagement team members in the course of conducting a GAGAS engagement; 5.24a.] | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 [The audit organization should establish policies and procedures designed to provide it with reasonable assurance that both the individual seeking consultation and the individual consulted document and agree upon the nature and scope of such consultations; and 5.24b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c. Auditors should obtain an understanding of the nature of the program or program component under audit and the potential use that will be made of the audit results or report as they plan a performance audit. The nature and profile of a program include 8.36] | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [The peer review team should include the following elements in the scope of the peer review: consideration of the adequacy and results of the audit organization's internal monitoring procedures; 5.82b.] | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30] | Audits and risk management | Audits and Risk Management | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 [Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives. When planning the audit, auditors should ask management of the audited entity to identify previous engagements or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work, including determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 8.30 When planning the audit, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current audit work and determining the extent to which testing the implementation of the corrective actions is applicable to the current audit objectives. 6.11] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 [Auditors should inquire of management of the audited entity whether any investigations or legal proceedings have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 6.12 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the audit objectives have been initiated or are in process with respect to the period under audit, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current audit. 8.27 Auditors should inquire of management of the audited entity whether any investigations or legal proceedings significant to the engagement objectives have been initiated or are in process with respect to the period under examination, and should evaluate the effect of initiated or in-process investigations or legal proceedings on the current examination engagement. 7.14] | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: services to be provided, 3.77b. While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document the auditor's understanding with an audited entity for which the auditor will provide a nonaudit service as indicated in paragraph 3.77; and 3.107d.] | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 [Auditors should determine whether other auditors have conducted, or are conducting, audits that could be relevant to the current audit objectives. 8.80] | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 [Auditors should reevaluate threats to independence, including any safeguards applied, whenever the audit organization or the auditors become aware of new information or changes in facts and circumstances that could affect whether a threat has been eliminated or reduced to an acceptable level. 3.28] | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 [The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it has the capabilities, including time and resources, to do so. 5.12c. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it complies with professional standards, applicable legal and regulatory requirements, and ethical principles; 5.12a. The audit organization should establish policies and procedures for the initiation, acceptance, and continuance of engagements that are designed to provide reasonable assurance that the organization will undertake engagements only if it acts within its legal mandate or authority; and 5.12b. The audit organization should establish policies and procedures designed to provide it with reasonable assurance that the conclusions resulting from consultations are documented, understood by both the individual seeking consultation and the individual consulted, and implemented. 5.24c.] | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Audits and risk management | Audits and Risk Management | |
Document any after the fact changes to the engagement file. CC ID 07002 [If auditors change the engagement objectives during the engagement, they should document the revised engagement objectives and the reasons for the changes. 5.23] | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 [The audit organization should establish policies and procedures that require retention of engagement documentation for a period of time sufficient to permit those performing monitoring procedures and peer review of the organization to evaluate its compliance with its system of quality control or for a longer period if required by law or regulation. 5.46] | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 [The peer review team should include the following elements in the scope of the peer review: review of other documents necessary for assessing compliance with standards, for example, independence documentation, CPE records, and relevant human resource management files; and 5.82e.] | Audits and risk management | Audits and Risk Management | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{is valid} {is reliable} In assessing the appropriateness of evidence, auditors should assess whether the evidence is relevant, valid, and reliable. 8.91 Auditors should evaluate the objectivity, credibility, and reliability of testimonial evidence. 8.94] | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals' incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 8.71 Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors should determine which audit procedures related to information systems controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. 8.61 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 [Auditors should identify potential sources of information that could be used as evidence. Auditors should determine the amount and type of evidence needed to obtain sufficient, appropriate evidence to address the audit objectives and adequately plan audit work. 8.77 Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 [Auditors must obtain sufficient, appropriate evidence to provide a reasonable basis for addressing the audit objectives and supporting their findings and conclusions. 8.90] | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Audits and Risk Management | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 [When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 [Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly as discussed in paragraphs 6.53 and 6.54. 6.55 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by audited entity management that it has reported audit findings in accordance with provisions of laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 9.45 and 9.46. 9.47 Auditors should obtain sufficient, appropriate evidence, such as confirmation from outside parties, to corroborate representations by management of the audited entity that it has reported engagement findings in accordance with laws, regulations, or funding agreements. When auditors are unable to do so, they should report such information directly, as discussed in paragraphs 7.51 and 7.52. 7.53] | Audits and risk management | Communicate | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 [Before the date of the examination report, document supervisory review of the evidence that supports the findings, conclusions, and recommendations contained in the examination report. 7.33a. Auditors should prepare audit documentation that contains evidence that supports the findings, conclusions, and recommendations before they issue their report. 8.133] | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25 If auditors use the work of other auditors, they should perform procedures that provide a sufficient basis for using that work. Auditors should obtain evidence concerning the other auditors' qualifications and independence and should determine whether the scope, quality, and timing of the audit work performed by the other auditors can be relied on in the context of the current audit objectives. 8.81] | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 [If an engagement is terminated before it is completed and an audit report is not issued, auditors should document the results of the work to the date of termination and why the engagement was terminated. 5.25] | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 Auditors should document any departures from the GAGAS requirements and the effect on the audit and on the auditors' conclusions when the audit is not in compliance with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit. 6.32 When auditors do not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the audit, the auditors should document the departure from the GAGAS requirements and the impact on the audit and on the auditors' conclusions. 8.136] | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 [If, in rare circumstances, auditors judge it necessary to depart from a relevant presumptively mandatory requirement, they must document their justification for the departure and how the alternative procedures performed in the circumstances were sufficient to achieve the intent of that requirement. 2.04 In rare circumstances, auditors and audit organizations may determine it necessary to depart from a relevant presumptively mandatory requirement. In such rare circumstances, auditors should perform alternative procedures to achieve the intent of that requirement. 2.03 The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 [{be illegal} When circumstances call for omission of certain information from the report, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 6.64] | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 [Auditors should evaluate and document the significance of identified internal control deficiencies within the context of the audit objectives. 8.54] | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include supervising audited entity personnel in the daily operation of an audited entity's information system; or 3.102c. The audit organization should establish policies and procedures that require engagement team members with appropriate levels of skill and proficiency in auditing to supervise engagements and review work performed by other engagement team members. 5.36 Auditors must properly supervise audit staff. 8.87] | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 [The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to communicate the identity and role of the engagement partner or director to management and those charged with governance of the audited entity and 5.37a. The audit organization should assign responsibility for each engagement to an engagement partner or director with authority designated by the audit organization to assume that responsibility and should establish policies and procedures requiring the organization to clearly define the responsibilities of the engagement partner or director and communicate them to that individual. 5.37b.] | Audits and risk management | Establish Roles | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, engaging specialists when necessary. 8.31d.] | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: the audit organization's most recent peer review report and 5.79a. {third party} Because information in peer review reports may be relevant to decisions on procuring audit services, an audit organization seeking to enter into a contract to conduct an engagement in accordance with GAGAS should provide the following to the party contracting for such services when requested: any subsequent peer review reports received during the period of the contract. 5.79b. {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34] | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 [In situations where the parties required to receive communications, as described in paragraph 8.20, are not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 8.21 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 6.34 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Audits and risk management | Business Processes | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {quality assurance} While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: 3.107 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: 5.91 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 7.57 {external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 {have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 {if} When circumstances call for omission of certain information, auditors should evaluate whether the omission could distort the examination engagement results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 7.62 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 Auditors should design the form and content of audit documentation to meet the circumstances of the particular audit. The audit documentation constitutes the principal record of the work that the auditors have performed in accordance with standards and the conclusions that the auditors have reached. The quantity, type, and content of audit documentation are a matter of the auditors' professional judgment. 8.134 Auditors should issue the audit report in a form that is appropriate for its intended use, either in writing or in some other retrievable form. 9.07 {if} When circumstances call for omission of certain information, auditors should evaluate whether this omission could distort the audit results or conceal improper or illegal practices and revise the report language as necessary to avoid report users drawing inappropriate conclusions from the information presented. 9.62 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19] | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 {do not receive} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 6.60 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05] | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 [{have not received} If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors should issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 7.58 If the audited entity refuses to provide comments or is unable to provide comments within a reasonable period of time, the auditors may issue the report without receiving comments from the audited entity. In such cases, the auditors should indicate in the report that the audited entity did not provide comments. 9.53] | Audits and risk management | Establish/Maintain Documentation | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 [{external requirements} In addition to the requirements of the examination engagement standards used in conjunction with GAGAS, auditors should prepare attest documentation in sufficient detail to enable an experienced auditor, having no previous connection to the examination engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 7.34 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. {external requirement} Document any departures from the GAGAS requirements and the effect on the examination engagement and on the auditors' conclusions when the examination engagement does not comply with applicable GAGAS requirements because of law, regulation, scope limitations, restrictions on access to records, or other issues affecting the examination engagement. 7.33b.] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 [{make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43 {make available} If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity's internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 6.43] | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 [{are not} When auditors use a modified GAGAS statement, they should disclose in the report the applicable requirement(s) not followed, the reasons for not following the requirement(s), and how not following the requirement(s) affected or could have affected the engagement and the assurance provided. 2.18 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 {be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 [Audit organizations that meet the independence requirements for internal audit organizations, but not those for external audit organizations, should include in the GAGAS compliance statement, where applicable, a statement that they are independent per the GAGAS requirements for internal auditors. 9.04] | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 [When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for corrective action. 6.50 When presenting findings, auditors should develop the elements of the findings to the extent necessary to assist management or oversight officials of the audited entity in understanding the need for taking corrective action. 7.48 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132 Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed; the evidence obtained; and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. 8.132] | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 [Auditors should document supervisory review, before the report release date, of the evidence that supports the findings and conclusions contained in the audit report. 6.31 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions to the extent that would persuade a knowledgeable person that the findings are reasonable. 8.92 In determining the sufficiency of evidence, auditors should determine whether enough appropriate evidence exists to address the audit objectives and support the findings and conclusions to the extent that would persuade a knowledgeable person that the findings are reasonable. 8.92 {if} {no evidence} Auditors should evaluate whether any lack of sufficient, appropriate evidence is caused by internal control deficiencies or other program weaknesses, and whether the lack of sufficient, appropriate evidence could be the basis for audit findings. 8.78 Auditors should document the following: supervisory review, before the audit report is issued, of the evidence that supports the findings, conclusions, and recommendations contained in the audit report. 8.135c. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When reporting on the results of their work, auditors should disclose significant facts relevant to the objectives of their work and known to them that if not disclosed could mislead knowledgeable users, misrepresent the results, or conceal significant improper or illegal practices. 9.22] | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 [{be clear} Auditors should communicate audit objectives in the audit report in a clear, specific, neutral, and unbiased manner that includes relevant assumptions. In order to avoid potential misunderstanding, when audit objectives are limited but users could infer broader objectives, auditors should state in the audit report that certain issues were outside the scope of the audit. 9.11 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited entity and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 6.70 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. 7.69 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that because of the significance of the departure(s) from the requirements, the auditors were unable to and did not conduct the engagement in accordance with GAGAS. 2.17b. (2)] | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including 8.32 If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the objectives and scope of the specialists' work, 8.32a. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the intended use of the specialists' work to support the audit objectives, 8.32b. If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the assumptions and methods used by the specialists. 8.32d.] | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 [If planning to use the work of specialists, auditors should document the nature and scope of the work to be performed by the specialists, including the specialists' procedures and findings so they can be evaluated and related to other planned audit procedures, and 8.32c.] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 [Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. When auditors do not comply with applicable requirement(s), they should (1) assess the significance of the noncompliance to the engagement objectives; (2) document the assessment, along with their reasons for not following the requirement(s); and (3) determine the type of GAGAS compliance statement. 2.19 Auditors should conclude that independence is impaired if no safeguards have been effectively applied to eliminate an unacceptable threat or reduce it to an acceptable level. 3.59 Auditors should conclude that independence is impaired if an audit organization provides appraisal, valuation, or actuarial services to an audited entity when (1) the services involve a significant degree of subjectivity and (2) the results of the service, individually or when combined with other valuation, appraisal, or actuarial services, are material to the audited entity's financial statements or other information on which the audit organization is reporting. 3.104 When auditors do not comply with all applicable GAGAS requirements, they should include a modified GAGAS compliance statement in the audit report. For performance audits, auditors should use a statement that includes either (1) the language in paragraph 9.03, modified to indicate the requirements that were not followed, or (2) language indicating that the auditors did not follow GAGAS. 9.05 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b.] | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a description of the scope of the peer review, including any limitations; 5.91a.] | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 [When auditors are required to conduct an engagement in accordance with GAGAS or are representing to others that they did so, they should cite compliance with GAGAS in the audit report as set forth in paragraphs 2.17 through 2.19. 2.16 Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Unmodified GAGAS compliance statement: Stating that the auditors conducted the engagement in accordance with GAGAS. Auditors should include an unmodified GAGAS compliance statement in the audit report when they have (1) followed unconditional and applicable presumptively mandatory GAGAS requirements or (2) followed unconditional requirements, documented justification for any departures from applicable presumptively mandatory requirements, and achieved the objectives of those requirements through other means. 2.17a. Auditors should include one of the following types of GAGAS compliance statements in reports on GAGAS engagements, as appropriate. Modified GAGAS compliance statement: Stating either that the auditors conducted the engagement in accordance with GAGAS, except for specific applicable requirements that were not followed, or 2.17b. (1) The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: specification of the professional standards and applicable legal and regulatory requirements to which the reviewed audit organization is being held; 5.91c. When auditors comply with all applicable GAGAS requirements for agreed-upon procedures engagements, they should include a statement in the agreed-upon procedures engagement report that they conducted the engagement in accordance with GAGAS. 7.82 {external requirement} When auditors comply with all applicable GAGAS requirements, they should include a statement in the report that they conducted the examination in accordance with GAGAS. 7.39] | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 [Auditors should perform and document an overall assessment of the collective evidence used to support findings and conclusions, including the results of any specific assessments performed to conclude on the validity and reliability of specific evidence. 8.108] | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 [Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 [{regular basis} The audit organization should analyze and summarize the results of its monitoring process at least annually, with identification of any systemic or repetitive issues needing improvement, along with recommendations for corrective action. The audit organization should communicate to the relevant engagement partner or director, and other appropriate personnel, any deficiencies noted during the monitoring process and recommend appropriate remedial action. This communication should be sufficient to enable the audit organization and appropriate personnel to take prompt corrective action related to deficiencies, when necessary, in accordance with their defined roles and responsibilities. Information communicated should include the following: 5.44 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a detailed description of the findings, conclusions, and recommendations related to any deficiencies or significant deficiencies identified in the review. 5.91f. Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the examination report, as well as any planned corrective actions. 7.55 When feasible, auditors should recommend actions to correct deficiencies and other findings identified during the audit and to improve programs and operations when the potential for improvement in programs, operations, and performance is substantiated by the reported findings and conclusions. Auditors should make recommendations that flow logically from the findings and conclusions, are directed at resolving the cause of identified deficiencies and findings, and clearly state the actions recommended. 9.23 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 In the audit report, auditors should present sufficient, appropriate evidence to support the findings and conclusions in relation to the audit objectives. Auditors should provide recommendations for corrective action if findings are significant within the context of the audit objectives. 9.18] | Audits and risk management | Establish/Maintain Documentation | |
Include the cost of corrective action in the audit report. CC ID 17015 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Audits and Risk Management | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 [Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 [In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 [{are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 6.58 {are accurate} When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 7.56 When auditors receive written comments from the responsible officials, they should include in their report a copy of the officials' written comments or a summary of the comments received. When the responsible officials provide oral comments only, auditors should prepare a summary of the oral comments, provide a copy of the summary to the responsible officials to verify that the comments are accurately represented, and include the summary in their report. 9.51] | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a statement that the peer review was conducted in accordance with GAGAS peer review requirements; and 5.91e. {external requirements} When auditors comply with all applicable requirements for a review engagement conducted in accordance with GAGAS, they should include a statement in the review report that they conducted the engagement in accordance with GAGAS. 7.74 {external requirements} When auditors comply with all applicable requirements for a review of financial statements conducted in accordance with GAGAS, they should include a statement in the report that they conducted the engagement in accordance with GAGAS. 7.90 When auditors comply with all applicable GAGAS requirements, they should include a statement in the audit report that they conducted the audit in accordance with GAGAS. 6.36 When auditors comply with all applicable GAGAS requirements, they should use the following language, which represents an unmodified GAGAS compliance statement, in the audit report to indicate that they conducted the audit in accordance with GAGAS: 9.03 ¶ 1] | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 [When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 6.59 {are valid} When the audited entity's comments are inconsistent or in conflict with the findings, conclusions, or recommendations in the draft report, the auditors should evaluate the validity of the audited entity's comments. If the auditors disagree with the comments, they should explain in the report their reasons for disagreement. Conversely, the auditors should modify their report as necessary if they find the comments valid and supported by sufficient, appropriate evidence. 9.52] | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 [Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a. Auditors should describe the scope of the work performed and any limitations, including issues that would be relevant to likely users, so that report users can reasonably interpret the findings, conclusions, and recommendations in the report without being misled. Auditors should also report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials of, or excessive delays in, access to certain records or individuals. 9.12 When internal control is significant within the context of the audit objectives, auditors should include in the audit report (1) the scope of their work on internal control and (2) any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. 9.29 Auditors should document the following: the work performed and evidence obtained to support significant judgments and conclusions, as well as expectations in analytical procedures, including descriptions of transactions and records examined (for example, by listing file numbers, case numbers, or other means of identifying specific documents examined, though copies of documents examined or detailed listings of information from those documents are not required); and 8.135b. Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 When reporting on the scope of their work on internal control, auditors should identify the scope of internal control assessed to the extent necessary for report users to reasonably interpret the findings, conclusions, and recommendations in the audit report. 9.30 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Audits and Risk Management | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 [The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: a rating concluding on whether the system of quality control of the reviewed audit organization was adequately designed and complied with during the period reviewed and would provide the audit organization with reasonable assurance that it conformed to professional standards and applicable legal and regulatory requirements; 5.91b. Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of the findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 7.49 The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73 Auditors should report conclusions based on the audit objectives and the audit findings. 9.19] | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 [Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 6.57 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the finding. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 6.51 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10 Auditors should obtain and report the views of responsible officials of the audited entity concerning the findings, conclusions, and recommendations in the audit report, as well as any planned corrective actions. 9.50 Auditors should place their findings in perspective by describing the nature and extent of the issues being reported and the extent of the work performed that resulted in the findings. To give the reader a basis for judging the prevalence and consequences of these findings, auditors should, as appropriate, relate the instances identified to the population or the number of cases examined and quantify the results in terms of dollar value or other measures. If the results cannot be projected, auditors should limit their conclusions appropriately. 9.21] | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 [If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 6.63 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 7.61 If certain information is prohibited from public disclosure or is excluded from a report because of its confidential or sensitive nature, auditors should disclose in the report that certain information has been omitted and the circumstances that make the omission necessary. 9.61 {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 Auditors should prepare audit reports that contain (1) the objectives, scope, and methodology of the audit; (2) the audit results, including findings, conclusions, and recommendations, as appropriate; (3) a summary of the views of responsible officials; and (4) if applicable, the nature of any confidential or sensitive information omitted. 9.10] | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. 9.45 Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a.] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 [{be sufficient} Auditors should include either in the same or in separate report(s) a description of the scope of the auditors' testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 6.42] | Audits and risk management | Establish/Maintain Documentation | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 [{be integral} If auditors report separately (including separate reports bound in the same document) on deficiencies in internal control; noncompliance with provisions of laws, regulations, contracts, and grant agreements; or instances of fraud, they should state in the examination report that they are issuing those additional reports. They should include a reference to the separate reports and also state that the reports are an integral part of a GAGAS examination engagement. 7.40 When auditors detect deficiencies in internal control that are not significant to the objectives of the audit but warrant the attention of those charged with governance, they should include those deficiencies either in the report or communicate those deficiencies in writing to audited entity officials. If the written communication is separate from the audit report, auditors should refer to that written communication in the audit report. 9.31] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 [The audit organization should establish policies and procedures for engagement performance, documentation, and reporting that are designed to provide the audit organization with reasonable assurance that engagements are conducted and reports are issued in accordance with professional standards and applicable legal and regulatory requirements. 5.22 {be publicly available} An external audit organization should make its most recent peer review report publicly available. If a separate communication detailing findings, conclusions, and recommendations is issued, the external audit organization is not required to make that communication publicly available. An internal audit organization that reports internally to management and those charged with governance should provide a copy of its peer review report to those charged with governance. 5.77 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 6.70a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.77a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.85a. An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the examination engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on engagement findings and recommendations and to others authorized to receive such reports. 7.69a. {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 An audit organization in a government entity should distribute reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the engagements. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority and to others authorized to receive such reports. 7.93a. Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.36 Auditors should communicate findings in writing to audited entity officials when the auditors detect instances of fraud that are not significant within the context of the audit objectives but warrant the attention of those charged with governance. 9.41 An audit organization in a government entity should distribute audit reports to those charged with governance, to the appropriate audited entity officials, and to the appropriate oversight bodies or organizations requiring or arranging for the audits. As appropriate, auditors should also distribute copies of the reports to other officials who have legal oversight authority or who may be responsible for acting on audit findings and recommendations and to others authorized to receive such reports. 9.58 {make available} Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. Auditors should document any limitation on report distribution. Auditors should make audit reports available to the public, unless distribution is specifically limited by the terms of the engagement, law, or regulation. 9.56 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and audit documentation available upon request and in a timely manner to other auditors or reviewers. 8.140 If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 [{be publicly available} A public accounting firm contracted to conduct an audit in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the audit about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 6.70b.] | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34 If the law or regulation requiring an examination engagement specifically identifies the entities to be examined, auditors should communicate pertinent information that in the auditors' professional judgment needs to be communicated both to individuals contracting for or requesting the examination and to those legislative committees, if any, that have ongoing oversight responsibilities for the audited entity. 7.09 {be publicly available} {established} An external audit organization should satisfy the publication requirement for its peer review report by posting the report on a publicly available website or to a publicly available file. Alternatively, if neither of these options is available, then the audit organization should use the same mechanism it uses to make other reports or documents public. 5.78 {be appropriate} When the audit organization is subject to public records laws, auditors should determine whether public records laws could affect the availability of classified or limited use reports and determine whether other means of communicating with management and those charged with governance would be more appropriate. Auditors use professional judgment to determine the appropriate means to communicate the omitted information to management and those charged with governance considering, among other things, whether public records laws could affect the availability of classified or limited use reports. 6.65 The peer review team should prepare one or more written reports communicating the results of the peer review, which collectively include the following elements: reference to a separate written communication, if issued under the peer review program; 5.91d. {be sufficient} If, after the report is issued, the auditors discover that they did not have sufficient, appropriate evidence to support the reported findings or conclusions, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the entities requiring or arranging for the audits, and other known users, so that they do not continue to rely on the findings or conclusions that were not supported. If the report was previously posted to the auditors' publicly accessible website, the auditors should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional audit work necessary to either reissue the report, including any revised findings or conclusions, or repost the original report if the additional audit work does not result in a change in findings or conclusions. 9.68 {make available} Subject to applicable provisions of laws and regulations, auditors should make appropriate individuals and examination engagement documentation available upon request and in a timely manner to other auditors or reviewers. 7.37] | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 [If auditors initially identify a threat to independence after the audit report is issued, auditors should evaluate the threat's effect on the engagement and on GAGAS compliance. If the auditors determine that the newly identified threat's effect on the engagement would have resulted in the audit report being different from the report issued had the auditors been aware of it, they should communicate in the same manner as that used to originally distribute the report to those charged with governance, the appropriate officials of the audited entity, the appropriate officials of the audit organization requiring or arranging for the engagements, and other known users, so that they do not continue to rely on findings or conclusions that were affected by the threat to independence. If auditors previously posted the report to their publicly accessible website, they should remove the report and post a public notification that the report was removed. The auditors should then determine whether to perform the additional engagement work necessary to reissue the report, including any revised findings or conclusions, or to repost the original report if the additional engagement work does not result in a change in findings or conclusions. 3.34] | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [The audit organization should evaluate the effects of deficiencies noted during monitoring of the audit organization's system of quality control to determine and implement appropriate actions to address the deficiencies. This evaluation should include assessments to determine if the deficiencies noted indicate that the audit organization's system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and applicable legal and regulatory requirements, and that accordingly the reports that the audit organization issues are not appropriate in the circumstances. 5.45 If internal control is determined to be significant to the audit objectives, auditors should plan and perform audit procedures to assess internal control to the extent necessary to address the audit objectives. 8.49] | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 [Auditors should identify and use suitable criteria based on the audit objectives. 8.07 In reporting audit methodology, auditors should explain how the completed audit work supports the audit objectives, including the evidence-gathering and evidence-analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives. Auditors should identify significant assumptions made in conducting the audit; describe comparative techniques applied; describe the criteria used; and, when the results of sample testing significantly support the auditors' findings, conclusions, or recommendations, describe the sample design and state why the design was chosen, including whether the results can be projected to the intended population. 9.14] | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 [In describing the work performed to address the audit objectives and support the reported findings and conclusions, auditors should, as applicable, explain the relationship between the population and the items tested; identify entities, geographic locations, and the period covered; report the kinds and sources of evidence; and explain any significant limitations or uncertainties based on the auditors' overall assessment of the sufficiency and appropriateness of the evidence in the aggregate. 9.13] | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 [In connection with nonaudit services, auditors should establish and document their understanding with the audited entity's management or those charged with governance, as appropriate, regarding the following: objectives of the nonaudit service, 3.77a. Auditors must adequately plan the work necessary to address the audit objectives. Auditors must document the audit plan. 8.03 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 When information systems controls are determined to be significant to the audit objectives or when the effectiveness of significant controls depends on the effectiveness of information systems controls, auditors should then evaluate the design, implementation, and/or operating effectiveness of such controls. This evaluation includes other information systems controls that affect the effectiveness of the significant controls or the reliability of information used in performing the significant controls. Auditors should obtain a sufficient understanding of information systems controls necessary to assess audit risk and plan the audit within the context of the audit objectives. 8.60 Auditors should document the following: the objectives, scope, and methodology of the audit; 8.135a.] | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to identify threats to independence; 3.27a. Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include 3.89 In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives. Planning is a continuous process throughout the audit. 8.05 Auditors should design the methodology to obtain sufficient, appropriate evidence that provides a reasonable basis for findings and conclusions based on the audit objectives and to reduce audit risk to an acceptably low level. 8.06 When assessing the overall sufficiency and appropriateness of evidence, auditors should evaluate the expected significance of evidence to the audit objectives, findings, and conclusions; available corroborating evidence; and the level of audit risk. If auditors conclude that evidence is not sufficient or appropriate, they should not use such evidence as support for findings and conclusions. 8.109] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 [Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: 8.20 Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: management of the audited entity, including those with sufficient authority and responsibility to implement corrective action in the program or activity being audited; 8.20a. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: those charged with governance; 8.20b. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the individuals contracting for or requesting audit services, such as contracting officials or grantees; or 8.20c. Auditors should communicate an overview of the objectives, scope, and methodology and the timing of the performance audit and planned reporting (including any potential restrictions on the report), unless doing so could significantly impair the auditors' ability to obtain sufficient, appropriate evidence to address the audit objectives. Auditors should communicate such information with the following parties, as applicable: the cognizant legislative committee, when auditors conduct the audit pursuant to a law or regulation or when they conduct the work for the legislative committee that has oversight of the audited entity. 8.20d.] | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [The peer review team should determine the type of peer review rating to issue based on the observed matters' importance to the audit organization's system of quality control as a whole and the nature, causes, patterns, and pervasiveness of those matters. The matters should be assessed both alone and in aggregate. 5.73] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain fundamental rights impact assessments. CC ID 17217 | Audits and risk management | Audits and Risk Management | |
Include the categories of data used by the system in the fundamental rights impact assessment. CC ID 17248 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the fundamental rights impact assessment. CC ID 17249 | Audits and risk management | Establish/Maintain Documentation | |
Include the benefits of the system in the fundamental rights impact assessment. CC ID 17244 | Audits and risk management | Establish/Maintain Documentation | |
Include user safeguards in the fundamental rights impact assessment. CC ID 17255 | Audits and risk management | Establish/Maintain Documentation | |
Include the outputs produced by the system in the fundamental rights impact assessment. CC ID 17247 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the fundamental rights impact assessment. CC ID 17243 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring procedures in the fundamental rights impact assessment. CC ID 17254 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management measures in the fundamental rights impact assessment. CC ID 17224 | Audits and risk management | Establish/Maintain Documentation | |
Include human oversight measures in the fundamental rights impact assessment. CC ID 17223 | Audits and risk management | Establish/Maintain Documentation | |
Include risks in the fundamental rights impact assessment. CC ID 17222 | Audits and risk management | Establish/Maintain Documentation | |
Include affected parties in the fundamental rights impact assessment. CC ID 17221 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency in the fundamental rights impact assessment. CC ID 17220 | Audits and risk management | Establish/Maintain Documentation | |
Include the usage duration in the fundamental rights impact assessment. CC ID 17219 | Audits and risk management | Establish/Maintain Documentation | |
Include system use in the fundamental rights impact assessment. CC ID 17218 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 [If an internal audit organization in a government entity follows the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing as well as GAGAS, the head of the internal audit organization should communicate results to the parties who can ensure that the results are given due consideration. If not otherwise mandated by statutory or regulatory requirements, prior to releasing results to parties outside the organization, the head of the internal audit organization should (1) assess the potential risk to the organization, (2) consult with senior management or legal counsel as appropriate, and (3) control dissemination by indicating the intended users in the report. 9.57] | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 [Auditors should apply the conceptual framework at the audit organization, engagement team, and individual auditor levels to apply safeguards as necessary to eliminate the threats or reduce them to an acceptable level. 3.27c. When auditors determine that threats to independence are not at an acceptable level, the auditors should determine whether appropriate safeguards can be applied to eliminate the threats or reduce them to an acceptable level. 3.32 Separate evaluations are sometimes provided as a nonaudit service. When providing separate evaluations as nonaudit services, auditors should evaluate the significance of the threat created by performing separate evaluations and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. 3.98] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 [In cases where auditors determine that threats to independence require the application of safeguards, auditors should document the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level. 3.33 Auditors should conclude that preparing financial statements in their entirety from a client-provided trial balance or underlying accounting records creates significant threats to auditors' independence, and should document the threats and safeguards applied to eliminate and reduce threats to an acceptable level in accordance with paragraph 3.33 or decline to provide the services. 3.88] | Audits and risk management | Establish/Maintain Documentation | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Establish/Maintain Documentation | |
Include risk responses in the risk management program. CC ID 13195 [When planning a GAGAS examination engagement, auditors should ask management of the audited entity to identify previous audits, attestation engagements, and other studies that directly relate to the subject matter or an assertion about the subject matter of the examination engagement, including whether related recommendations have been implemented. Auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that could have a significant effect on the subject matter or an assertion about the subject matter. Auditors should use this information in assessing risk and determining the nature, timing, and extent of current work and determining the extent to which testing the implementation of the corrective actions is applicable to the current examination engagement objectives. 7.13] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a digital identity management program. CC ID 13713 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain digital identification procedures. CC ID 13714 | Technical security | Establish/Maintain Documentation | |
Implement digital identification processes. CC ID 13731 | Technical security | Process or Activity | |
Implement identity proofing processes. CC ID 13719 [{be evident} If the identity of those charged with governance is not clearly evident, auditors should document the process followed and conclusions reached in identifying the appropriate individuals to receive the required communications. 6.07] | Technical security | Process or Activity | |
Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 | Technical security | Process or Activity | |
Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 | Technical security | Process or Activity | |
Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 | Technical security | Process or Activity | |
Establish, implement, and maintain remote proofing procedures. CC ID 13796 | Technical security | Establish/Maintain Documentation | |
Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 | Technical security | Configuration | |
Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 | Technical security | Process or Activity | |
Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 | Technical security | Process or Activity | |
Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 | Technical security | Process or Activity | |
Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 | Technical security | Process or Activity | |
Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 | Technical security | Process or Activity | |
Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 | Technical security | Configuration | |
Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 | Technical security | Configuration | |
Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 | Technical security | Configuration | |
Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 | Technical security | Process or Activity | |
Allow records that relate to the data subject as proof of identity. CC ID 13772 | Technical security | Process or Activity | |
Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 | Technical security | Process or Activity | |
Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 | Technical security | Process or Activity | |
Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 | Technical security | Process or Activity | |
Refrain from approving attributes in the identity proofing process. CC ID 13716 | Technical security | Process or Activity | |
Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 [Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit the report distribution. Auditors should document any limitation on report distribution. 7.85 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter or the assertion involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.77 Distribution of reports completed in accordance with GAGAS depends on the auditors' relationship with the audited organization and the nature of the information contained in the reports. If the subject matter involves material that is classified or contains confidential or sensitive information, auditors should limit report distribution. Auditors should document any limitation on report distribution. 7.93] | Technical security | Data and Information Management | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Auditors should document consideration of management's ability to effectively oversee nonaudit services to be provided. 3.74 While insufficient documentation of an auditor's compliance with the independence standard does not impair independence, auditors should prepare appropriate documentation under the GAGAS quality control and assurance requirements. The independence standard includes the following documentation requirements, where applicable: document consideration of audited entity management's ability to effectively oversee a nonaudit service to be provided by the auditor as indicated in paragraph 3.74; 3.107c.] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain an annual report on compensation. CC ID 14801 | Human Resources management | Establish/Maintain Documentation | |
Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 | Human Resources management | Communicate | |
Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 | Human Resources management | Establish/Maintain Documentation | |
Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 | Human Resources management | Establish/Maintain Documentation | |
Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain job applications. CC ID 16180 | Human Resources management | Establish/Maintain Documentation | |
Include a space for the applicant's name on the job application. CC ID 16190 | Human Resources management | Human Resources Management | |
Include a space for the applicant's current address on the job application. CC ID 16189 | Human Resources management | Human Resources Management | |
Include a space for the applicant's social security number on the job application. CC ID 16188 | Human Resources management | Human Resources Management | |
Include a space for the applicant's date of birth on the job application. CC ID 16186 | Human Resources management | Human Resources Management | |
Include a space for previous employers and business relationships on the job application. CC ID 16185 | Human Resources management | Human Resources Management | |
Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 | Human Resources management | Human Resources Management | |
Include a space for the start date on the job application. CC ID 16187 | Human Resources management | Human Resources Management | |
Include a space to explain legal penalties on the job application. CC ID 16183 | Human Resources management | Human Resources Management | |
Approve the wording of job applications. CC ID 16182 | Human Resources management | Human Resources Management | |
Include a space for past aliases and other used names on job applications. CC ID 12301 | Human Resources management | Human Resources Management | |
Include a space for previous addresses and previous residences on the job application. CC ID 12302 | Human Resources management | Human Resources Management | |
Include a space to explain employment gaps on the job application. CC ID 12303 | Human Resources management | Human Resources Management | |
Train all personnel and third parties, as necessary. CC ID 00785 [The audit organization should have a process for recruitment, hiring, continuous development, assignment, and evaluation of personnel so that the workforce has the essential knowledge, skills, and abilities necessary to conduct the engagement. The nature, extent, and formality of the process will depend on various factors, such as the size of the audit organization, its structure, and its work. 4.04] | Human Resources management | Behavior | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
Establish, implement, and maintain an education methodology. CC ID 06671 [Auditors should complete at least 20 hours of CPE in each year of the 2-year periods. 4.17] | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 [Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of CPE in every 2-year period as follows. 4.16] | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 [{continuing professional education requirements} The audit organization should establish policies and procedures to provide reasonable assurance that auditors who are performing work in accordance with GAGAS meet the continuing professional education (CPE) requirements, including maintaining documentation of the CPE completed and any exemptions granted. 5.16] | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain training plans. CC ID 00828 [Audit management should assign sufficient auditors with adequate collective professional competence, as described in paragraphs 4.02 through 4.15, to conduct the audit. Staffing an audit includes, among other things, providing for on-the-job training of auditors; and 8.31c.] | Human Resources management | Establish/Maintain Documentation | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Training | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Include the information security responsibilities of employees in their performance objectives. CC ID 15700 | Human Resources management | Human Resources Management | |
Include information security responsibilities in performance reviews. CC ID 15697 | Human Resources management | Establish/Maintain Documentation | |
Take appropriate actions after performance reviews of board members, as necessary. CC ID 14799 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain an ethics program. CC ID 11496 [{legal requirement} The audit organization should establish policies and procedures on independence and legal and ethical requirements that are designed to provide reasonable assurance that the organization and its personnel maintain independence and comply with applicable legal and ethical requirements. 5.08] | Human Resources management | Human Resources Management | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Human Resources Management | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 [Auditors who previously provided nonaudit services for an entity that is a prospective subject of an engagement should evaluate the effect of those nonaudit services on independence before agreeing to conduct a GAGAS engagement. If auditors provided a nonaudit service in the period to be covered by the engagement, they should (1) determine if GAGAS expressly prohibits the nonaudit service; (2) if audited entity management requested the nonaudit service, determine whether the skill, knowledge, or experience of the individual responsible for overseeing the nonaudit service was sufficient; and (3) determine whether a threat to independence exists and address any threats noted in accordance with the conceptual framework. 3.83] | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include designing or developing an audited entity's financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102a. Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include making other than insignificant modifications to source code underlying an audited entity's existing financial information system or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement; 3.102b.] | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 [Auditors should conclude that providing information technology (IT) services to an audited entity that relate to the period under audit impairs independence if those services include operating an audited entity's network, financial information system, or other IT system that will play a significant role in the management of an area of operations that is or will be the subject matter of an engagement. 3.102d.] | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [{external requirement} GAGAS establishes requirements for review engagements in addition to the requirements for reviews contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.70 {external requirements} GAGAS establishes requirements for agreed-upon procedures engagements in addition to the requirements for agreed-upon procedures engagements contained in the AICPA's SSAEs. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their agreed-upon procedures engagement reports. 7.78 {external requirement} GAGAS establishes requirements for reviews of financial statements in addition to the requirements for reviews of financial statements contained in the AICPA's AR-C section 90, Review of Financial Statements. Auditors should comply with the additional GAGAS requirements, along with the applicable AICPA requirements, when citing GAGAS in their review engagement reports. 7.86] | Operational management | Establish/Maintain Documentation | |
Include a reconciliation process in the accounting system. CC ID 08951 [Auditors should identify as threats to independence any services related to preparing accounting records and financial statements, other than those defined as impairments to independence in paragraph 3.87 and significant threats in paragraph 3.88. These services include preparing account reconciliations that identify reconciling items for the audited entity management's evaluation. 3.89d.] | Operational management | Establish/Maintain Documentation | |
Retain records in accordance with applicable requirements. CC ID 00968 [An audit organization should document its quality control policies and procedures and communicate those policies and procedures to its personnel. The audit organization should document compliance with its quality control policies and procedures and maintain such documentation for a period of time sufficient to enable those performing monitoring procedures and peer reviews to evaluate the extent to which the audit organization complies with its quality control policies and procedures. 5.04 {audit} Auditors should retain any written communication resulting from paragraph 8.20 as audit documentation. 8.22] | Records management | Records Management | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [{report} {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 6.53a. {noncompliance} When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 7.51a. When audited entity management fails to take timely and appropriate steps to respond to fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements that (1) is likely to have a material effect on the subject matter and (2) involves funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 7.51b. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to satisfy legal or regulatory requirements to report such information to external parties specified in law or regulation, auditors should first communicate the failure to report such information to those charged with governance. If the audited entity still does not report this information to the specified external parties as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the information directly to the specified external parties. 9.45a. Auditors should report known or likely noncompliance with provisions of laws, regulations, contracts, and grant agreements or fraud directly to parties outside the audited entity in the following two circumstances. When audited entity management fails to take timely and appropriate steps to respond to noncompliance with provisions of laws, regulations, contracts, and grant agreements or instances of fraud that (1) are likely to have a significant effect on the subject matter and (2) involve funding received directly or indirectly from a government agency, auditors should first report management's failure to take timely and appropriate steps to those charged with governance. If the audited entity still does not take timely and appropriate steps as soon as practicable after the auditors' communication with those charged with governance, then the auditors should report the audited entity's failure to take timely and appropriate steps directly to the funding agency. 9.45b.] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless the applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Write contractual agreements in clear and conspicuous language. CC ID 16923 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: evaluates the adequacy and results of the services provided; and 3.76c.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the purpose in the information flow agreement. CC ID 17016 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the costs in the information flow agreement. CC ID 17018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 [Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: assumes all management responsibilities; 3.76a. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: oversees the services, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, or experience; 3.76b. Auditors providing nonaudit services to audited entities should obtain agreement from audited entity management that audited entity management performs the following functions in connection with the nonaudit services: accepts responsibility for the results of the services. 3.76d.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include requirements to cooperate with competent authorities in third party contracts. CC ID 17186 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [{make available} A public accounting firm contracted to conduct an examination engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the examination engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.69b. {make available} A public accounting firm contracted to conduct a review engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.77b. {make available} A public accounting firm contracted to conduct an agreed-upon procedures engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.85b. {make available} A public accounting firm contracted to conduct a review of financial statements engagement in accordance with GAGAS should clarify report distribution responsibilities with the engaging party. If the contracting firm is responsible for the distribution, it should reach agreement with the party contracting for the engagement about which officials or organizations will receive the report and the steps being taken to make the report available to the public. 7.93b.] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include on-site visits in third party contracts. CC ID 17306 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include location requirements in third party contracts. CC ID 16915 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve or deny third party recovery plans, as necessary. CC ID 17124 | Third Party and supply chain oversight | Systems Continuity | |
Disseminate and communicate third party contracts to interested personnel and affected parties. CC ID 17301 | Third Party and supply chain oversight | Communicate | |
Include a determination on the impact of services provided by third-party service providers in the supply chain risk assessment report. CC ID 17187 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 | Third Party and supply chain oversight | Business Processes | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 [Auditors who are using another audit organization's work should request a copy of that organization's most recent peer review report, and the organization should provide this document when it is requested. 5.80] | Third Party and supply chain oversight | Communicate | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [{reporting requirement} Auditors should comply with the requirements in paragraph 6.53 even if they have resigned or been dismissed from the audit prior to its completion. 6.54 {report} {those charged with governance} Auditors should comply with the requirements in paragraph 7.51 even if they have resigned or been dismissed from the engagement prior to its completion. 7.52 Auditors should comply with the requirements in paragraph 9.45 even if they have resigned or been dismissed from the audit prior to its completion. 9.46] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 [The peer review team and the reviewed audit organization should incorporate their basic agreement on the peer review into a written agreement. The written agreement should be drafted by the peer review team, reviewed by the reviewed audit organization to ensure that it accurately describes the agreement between the parties, and signed by the authorized representatives of both the peer review team and the reviewed audit organization prior to the initiation of work under the agreement. The written agreement should state that the peer review will be conducted in accordance with GAGAS peer review requirements. 5.86] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain contracts with asset disposition vendors, as necessary. CC ID 14826 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain contracts with Information Technology asset disposition vendors. CC ID 13895 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Specify asset ownership in outsourcing contracts. CC ID 13141 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include performance standards in outsourcing contracts. CC ID 13140 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include quality standards in outsourcing contracts. CC ID 17191 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 | Third Party and supply chain oversight | Establish/Maintain Documentation |