
CPE for Government Auditors

Abuse, Waste & Other Shenanigans: Reportable Conditions


  • Classify an audit finding as: an internal control weakness; a violation of contract or grant agreement; fraud; or abuse and waste.
  • Differentiate among the elements of a finding.

If the auditee exhibits any of the following three conditions, and these conditions are significant or material, the auditor should describe them in their audit report in the form of a “finding” and recommend corrective action:

  1. Internal control weaknesses
  2. Noncompliance
  3. Fraud

But those aren’t the only less-than-stellar conditions an auditor may come across; the auditor may also see that the auditee is abusing their power or wasting government resources. In years past, the GAO considered abuse a reportable condition and did not mention the concept of waste.

In the 2018 version of the Yellow Book, abuse is no longer a reportable condition. Instead abuse is joined to waste and together they are described as indicators that the other reportable conditions exist.

In this chapter, we will cover the definitions of the three reportable conditions as well as the definitions of abuse and waste. We will cover our professional responsibilities regarding the reportable conditions and talk about how to describe the reportable conditions in findings using the five elements of a finding.

Our Responsibility Is Limited

The Yellow Book repeatedly points out that we are responsible for the reportable conditions only within the context of our audit objectives. So, we are not responsible for fraud, noncompliance, and internal control weaknesses throughout the client’s operations (thank goodness!). We are only responsible for those three conditions as they relate to our audit objectives.

Definitions of the Reportable Conditions

Let’s define each of the reportable conditions in more detail. First, internal control weaknesses, next noncompliance, and then fraud.

Here is how the GAO defines an internal control weakness:

8.53: … A deficiency in internal control exists when the design, implementation, or operation of a control does not allow management or personnel to achieve control objectives and address related risks. A deficiency in design exists when a necessary control is missing or is not properly designed so that even if the control operates as designed, the control objective would not be met. A deficiency in implementation exists when a control is properly designed but not implemented correctly in the internal control system. A deficiency in operating effectiveness exists when a properly designed control does not operate as designed or the person performing the control does not have the necessary competence or authority to perform the control effectively. 

Here is how the GAO defines non-compliance:

8.68     … instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements …

Here is how the GAO defines fraud:

8.73     Fraud involves obtaining something of value through willful misrepresentation. 

Each of the Reportable Conditions Has Criteria

One thing that makes auditors very happy is audit criteria. Without audit criteria, we don’t have anything objective to measure our audit subject against.

Internal controls can be (and per the last chapter, now will be!) evaluated against the COSO model or the Green Book.

Compliance can obviously be evaluated against some of our favorite audit criteria: laws, regulations, contracts, or grant agreements.

Fraud must be evaluated against statute. A fraudster cannot be brought to court unless the prosecution can prove that a crime – per statute – was committed.

So, for each reportable condition, an auditor can comfortably bring issues up in a finding because they will have some firm criteria to base their finding on. As we will see later in this chapter, criteria is one of the five elements of a finding.

Abuse and Waste Are Subjective

In the case of the concepts of abuse and waste, the auditor must apply their judgment instead of criteria. This is not a happy spot for auditors to be in.

Because abuse does not involve any firm criteria, it has been downgraded from a reportable condition to a ‘concept.’

Here is the definition of abuse:

6.23     Abuse is behavior that is deficient or improper when compared with behavior that a prudent person would consider reasonable and necessary business practice given the facts and circumstances, but excludes fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements. Abuse also includes misuse of authority or position for personal financial interests or those of an immediate or close family member or business associate.

Who is this prudent person? You’ve got me! I’ve never met one, so we won’t be able to give them a call or refer to their judgment when we are trying to decide if someone is acting abusively.

We have a similar problem with waste, which is defined for the first time in the 2018 version of the Yellow Book.

6.21     Waste is the act of using or expending resources carelessly, extravagantly, or to no purpose. Importantly, waste can include activities that do not include abuse and does not necessarily involve a violation of law. Rather, waste relates primarily to mismanagement, inappropriate actions, and inadequate oversight. 

This time, this non-existent prudent person is not mentioned, although we still aren’t left with any firm criteria to hang our hats on.

I am sure that you have had unresolvable conflicts with your loved ones over what constitutes waste. What my husband thinks is wasteful, I think is normal or necessary, and vice versa. For instance, I insist on using Orville Redenbacher raw popcorn kernels when I make popcorn. Orville Redenbacher is expensive compared to the cheap bags of generic popcorn. Several times he has snuck cheap popcorn into my Orville Redenbacher jar to make a point… but I busted him! He thinks I am being wasteful. I think Orville Redenbacher is necessary. Who is right? Me, of course!

He insists on Coke Zero and refuses to drink generic diet cola brands. He sees no hypocrisy in this.

This is exactly the kind of silly debate that auditors should not get into! Without firm criteria limiting the amount that should be spent on popcorn or sodas, no one wins.

The GAO recognizes that abuse and waste are difficult for auditors to work with because of the lack of firm criteria, so they downgraded abuse from a reportable condition. They married abuse to the newly defined concept of waste and pointed out that abuse and waste can be indicators that fraud, noncompliance, or internal control weaknesses have occurred.

6.20     Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse. Because the determination of waste and abuse is subjective, auditors are not required to perform specific procedures to detect waste or abuse in financial audits. However, auditors may consider whether and how to communicate such matters if they become aware of them. Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements. 

Thinking through Some Examples May Help Us

Let’s walk through two scenarios involving less-than-stellar behavior and see whether each one represents one of the three reportable conditions (fraud, noncompliance, internal control weaknesses), abuse or waste, or something else.

Scenario 1: First let’s consider the case of a government employee who works for a retirement system in Massachusetts. Let’s say she wants to visit her daughter in California soon. She sees an opportunity to have the retirement system pay her way when a seminar relevant to her job is offered only a half-hour’s drive from her daughter’s home. This same seminar will be available near her offices in Massachusetts in a few months and the state will not have to pay travel costs for her to attend.

Here is the scale of less-than-stellar behavior in government – from bad… so bad you want to see the person behind bars (fraud) – to just plain silly.

  • Fraud
  • Noncompliance
  • Internal Control Deficiency
  • Abuse
  • Waste
  • Unethical
  • Silly/stupid

Abuse and waste are not reportable conditions; neither are unethical, silly, or stupid behaviors.

Let’s go from the bottom of our list up. Yes, this is pretty stupid and obvious upon examination. Unethical? Yes. Is she wasting government resources? Yes. Abuse… maybe not. An internal control deficiency? Maybe. Someone should be reviewing her choices and making sure that the travel expenditure is worth it. Noncompliance? No, I don’t think so. Fraud? Should she go to jail? No, I think jail time is a little too harsh.

Yes, she is wasting the government’s resources, but we are going to have a hard time writing a finding from that perspective because we don’t have any criteria. The Yellow Book tells us that waste and abuse can indicate that another reportable condition is present.

6.20     Given the concept of accountability for use of public resources and government authority, evaluating internal control in a government environment may also include considering internal control deficiencies that result in waste or abuse… Auditors may also discover that waste or abuse are indicative of fraud or noncompliance with provisions of laws, regulations, contracts, and grant agreements.

If this issue is relevant to my audit objective and if I want to bring it up in my audit report, I would frame this issue as an internal control weakness. Someone should have prevented her from traveling unnecessarily by reviewing her travel plans.

Scenario 2: Let’s go through another scenario. Let’s say that we are auditing prisoner accounts at a county jail. And we find that the jail clerk has not been returning funds to inmates after they are released.

Let’s go through this one from the top! Is this fraud? Well, aren’t you eager to throw someone behind bars? I didn’t say the jail clerk took the funds home with her! I only said she didn’t return the funds to inmates. If she took them home, yes, it would be fraud. If she just left them sitting in the county’s bank account, we are not dealing with fraud but instead with noncompliance or an internal control weakness. Is it waste or abuse? No. Unethical? Yes, if it was intentional. Silly or stupid? Maybe she just has too much to do and let this task slip. I don’t think I’d call that stupid.

I’d probably frame the finding as noncompliance in this scenario. Maybe an internal control weakness. Later in this chapter, we will talk about how to write noncompliance and internal control weakness findings.

Now that we understand how to identify reportable conditions, let’s talk about our professional responsibility regarding them.

Our Responsibility to Detect the Reportable Conditions

Do you remember the audit trifecta I introduced during our discussion of independence? When applied to independence, the trifecta is called the ‘conceptual framework.’ The trifecta is a three-step process: 1. understand your subject, 2. assess risk, and 3. respond.

This time, the standards rename the trifecta and refer to it as ‘designing your audit to detect…’

Whenever a standard-setting body pulls the trifecta out of its hat, you know that the standard-setting body wants you to think and wants the thinking documented. The most intense thing the standards can ask you to do is think through the steps of the trifecta, and thus what follows are some of the GAO’s most intense standards.

With a slight variation in language, the GAO is asking auditors to go through all three steps of the trifecta when it comes to each of the reportable conditions. The language is a little more convoluted when it comes to internal controls than the language surrounding the other two reportable conditions. Let me start with the most straightforward presentation of the trifecta among all three reportable conditions – the trifecta applied to noncompliance.

The Trifecta Applied to Noncompliance

Look at this quote from the Yellow Book regarding the auditor’s responsibilities regarding noncompliance and find the steps of the trifecta.

8.68     Auditors should identify any provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives and assess the risk that noncompliance with provisions of laws, regulations, contracts, and grant agreements could occur. Based on that risk assessment, the auditors should design and perform procedures to obtain reasonable assurance of detecting instances of noncompliance with provisions of laws, regulations, contracts, and grant agreements that are significant within the context of the audit objectives. 

Step one of the trifecta, “understand the subject,” has been changed to “identify any provisions… that are significant,” the risk assessment step is addressed head-on, and the last step of the trifecta, the response, is now “design procedures to detect.” The whole trifecta as it applies to noncompliance has been addressed in one short paragraph.

The Trifecta Applied to Fraud

The trifecta gets a little trickier when it comes to our responsibility for fraud, but it is still in there! It is just enhanced. And there is a difference between the requirements to apply the trifecta in financial audit standards and in the performance audit standards. Financial auditors must follow the AICPA standards regarding fraud – and these standards are more detailed and specific than the GAO’s standard for performance auditors.

Here is a table outlining both standards, the AICPA fraud standards that financial auditors follow and the Yellow Book standard for performance auditors:

Financial audits (AICPA standards)

  1. understand the subject
    • Ask questions of auditee
    • Consider fraud risk factors
  2. assess risk
    • Brainstorm with team
    • Assess magnitude and likelihood of potential frauds
  3. respond with procedures

Performance audits (Yellow Book)

  1. understand the subject
    • Gather and assess information
    • Consider fraud risk factors
  2. assess risk
    • Brainstorm with team
    • Assess magnitude and likelihood of potential frauds
  3. respond with procedures


What is the difference? The performance auditor does not have to ask questions of the auditee. Financial auditors following the AICPA standards for fraud occasionally end up insulting the auditee with these questions because they are very direct. The questions stop just shy of accusing the interviewee of committing fraud themselves!

Here is what the Yellow Book directs performance auditors to do regarding fraud. Try again to find the trifecta!

8.71     Auditors should assess the risk of fraud occurring that is significant within the context of the audit objectives. Audit team members should discuss among the team fraud risks, including factors such as individuals’ incentives or pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could increase the risk of fraud. Auditors should gather and assess information to identify the risk of fraud that is significant within the scope of the audit objectives or that could affect the findings and conclusions. 

8.72     Assessing the risk of fraud is an ongoing process throughout the audit. When information comes to the auditors’ attention indicating that fraud, significant within the context of the audit objectives, may have occurred, auditors should extend the audit steps and procedures, as necessary, to (1) determine whether fraud has likely occurred and (2) if so, determine its effect on the audit findings. 

The trifecta is presented out of order in those last two paragraphs, but it is still there; understanding the audit subject is called “gather and assess information,” the risk assessment is addressed head-on, and the response is called “extend the audit steps and procedures.”

The Trifecta Applied to Internal Controls

The application is becoming more complicated as we move through the reportable conditions. Did you notice? The trifecta is clearly laid out in the non-compliance requirements, obscured ever so slightly in the fraud standards and then, as you will see, strangely overcomplicated when it comes to talking about internal controls.

Step 1 of the Trifecta – gathering information

8.40     If it is determined that internal control is significant to the audit objectives, auditors should obtain an understanding of such internal control. 

Step 2 of the Trifecta – assess risk

8.49     If internal control is determined to be significant to the audit objectives, auditors should assess and document their assessment of the design, implementation, and/or operating effectiveness of such internal control to the extent necessary to address the audit objectives.

In this case, the GAO does not use the term ‘risk assessment’ but instead uses the terminology “if significant.” So, risk is obscured, but an auditor can’t determine what is ‘significant’ without doing a risk assessment!

Step 3 of the Trifecta – respond

8.51     Assessments of internal control involve designing and performing procedures to obtain sufficient, appropriate evidence, as required in paragraphs 8.90 through 8.94, to support and document the auditors’ findings and conclusions on design, implementation, and/or operating effectiveness of controls that are significant to the audit objectives. The controls being assessed are generally the key controls identified during the planning phase of the engagement, which may include controls at both the entity and transaction levels. Changes may be made to the initial determination of key controls based on additional information gathered during the course of fieldwork. 

I told you, overcomplicated! But the three steps of the trifecta are there for internal controls, too.


Now that you know that there are three triggers for a finding, you also need to know how to write a finding. The GAO is very specific about what goes into a finding; findings per Yellow Book standards include five elements:

  • Condition
  • Effect
  • Cause
  • Criteria
  • Recommendation

Where Did These Elements Come From?

The elements of a finding are the standard elements of a persuasive argument outlined centuries ago by Greek philosophers. Legend has it that an audit manager at the GAO earned a master’s in philosophy and was wise enough to include the elements of a persuasive argument in the Yellow Book. At the time, his colleagues thought he was crazy (as is often assumed about philosophy majors), but now we applaud his contribution.

The elements of a finding are where the GAO puts legs on its concepts of accountability and transparency and are central to the way that government auditors think about their work at the micro level (reportable conditions) and the macro level (as questions we must answer with our audit objectives). But I am getting a little off track! Let’s go back to the micro level and talk about how to use the elements to support a finding.

Questions Answered by the Elements

Each element answers a question for the reader that they need answered in order to be persuaded to change. The recommendation describes the change that needs to occur.

CONDITION: What is the problem?
EFFECT: Why does this problem matter? What is the impact?
CAUSE: How did the condition happen?
CRITERIA: Says who?
RECOMMENDATION 1: How do we resolve the condition?
RECOMMENDATION 2: How do we resolve the cause?

Here are the GAO definitions of each of the elements:

6.26     Condition: Condition is a situation that exists. The condition is determined and documented during the audit. 

6.28     Effect or potential effect: The effect or potential effect is the outcome or consequence resulting from the difference between the condition and the criteria. When the audit objectives include identifying the actual or potential consequences of a condition that varies (either positively or negatively) from the criteria identified in the audit, effect is a measure of those consequences. Effect or potential effect may be used to demonstrate the need for corrective action in response to identified problems or relevant risks. 

6.27     Cause: The cause is the factor or factors responsible for the difference between the condition and the criteria, and may also serve as a basis for recommendations for corrective actions. Common factors include poorly designed policies, procedures, or criteria; inconsistent, incomplete, or incorrect implementation; or factors beyond the control of program management. Auditors may assess whether the evidence provides a reasonable and convincing argument for why the stated cause is the key factor contributing to the difference between the condition and the criteria. 

6.25     Criteria: For inclusion in findings, criteria may include the laws, regulations, contracts, grant agreements, standards, measures, expected performance, defined business practices, and benchmarks against which performance is compared or evaluated. Criteria identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding the findings, conclusions, and recommendations in the report. In a financial audit, the applicable financial reporting framework, such as generally accepted accounting principles, represents one set of criteria. 

6.52     Recommendations: Along with assisting management or oversight officials of the audited entity in understanding the need for corrective action, clearly developed findings assist auditors in making recommendations for corrective action. If auditors sufficiently develop the elements of a finding, they may provide recommendations for corrective action.

The Hardest Element to Develop Is the Cause

Filling in the blanks on these elements might look easy on paper, but when presented with a real-life scenario, most auditors struggle with coming up with a solid cause. The GAO has formally recognized this struggle by recommending for the first time in its standards that auditors use an internal control weakness as the cause:

6.18     Auditors should consider internal control deficiencies in their evaluation of identified findings when developing the cause element of the identified findings. 

6.29     Regardless of the type of finding identified, the cause of a finding may relate to one or more underlying internal control deficiencies. Depending on the magnitude of impact, likelihood of occurrence, and nature of the deficiency, the deficiency could be a significant deficiency or material weakness in a financial audit. 

6.30     Considering internal control in the context of a comprehensive internal control framework, such as Standards for Internal Control in the Federal Government or Internal Control—Integrated Framework can help auditors to determine whether underlying internal control deficiencies exist as the root cause of findings. Identifying these deficiencies can help provide the basis for developing meaningful recommendations for corrective actions. 

If internal control weaknesses are the cause, they can’t also serve as the condition statement. OK, an auditor CAN start a finding with an internal control weakness as the condition, but that choice often ends up with the auditor saying something rude and personal about the auditee. Let me show you what I mean by using a few examples.

Did I Show Up to Work on Time?

Let’s pretend that you have been tasked with concluding whether I show up on time for my seminars.

I show up at least an hour ahead of start time because I often find the venue and the AV in disarray. I also need a little time to get settled in and accustomed to the environment so that I can adjust any plans I have for eliciting interaction from the audience.

Whether or not I show up on time for my seminars is a question of fact; do I or don’t I show up on time?

Because getting to work an hour ahead of the start is so important for me, I layer on a variety of controls to make sure that I am on time. One thing I do is set at least three alarm clocks: my iPhone alarm, my bedside plug-in alarm, and a battery powered alarm. If I am in a hotel, I ask for a wake-up call. If I am home, I alert my family to the need to get me up in the morning.

Why so many layers of redundant controls? Because all of them have failed me at one time or another. Sometimes two of them fail me.

Whether my alarm clocks go off is a different question than whether I got to work on time. Whether my alarm clocks go off is an internal control question.

Now, is the question of fact or the question of controls the more important question to answer?

  • The question of fact: Did Leita show up to work on time?
  • The control question: Did Leita’s alarm clocks go off?

Yes, whether I showed up to work on time is the most important question to ask.

And is it possible that I showed up at work on time and it had nothing to do with my alarm clocks? Yes. Sometimes I naturally wake up ahead of my alarm clocks.

And is it possible that my alarm clocks worked but I still didn’t make it to work on time? Yes! Maybe I got hung up in traffic or got lost on the way.

Now, let’s imagine that I did not make it to work on time because I only set one alarm and it didn’t go off. Here is the resulting finding:

CONDITION: Leita was late to work

EFFECT: She delayed the start of the seminar by 40 minutes while she adjusted her mike and toyed with the LCD projector.

CAUSE: Her alarm clock did not go off

CRITERIA: Contract clause 20b says that the seminar starts at 8:00 a.m.

RECOMMENDATION 1: Leita is on time for work

RECOMMENDATION 2: Leita, set another alarm clock

Findings are always easier to write if you start with a fact-based statement as the condition and then use a control weakness as a cause.

Now imagine that instead of starting with the fact-based statement as the condition statement, I started with the control weakness as the condition:

CONDITION: Leita’s alarm clock did not go off

EFFECT: Leita was late to work

CAUSE: Operator error – Leita set the clock for 5:00 p.m. instead of 5:00 a.m.

CRITERIA: International time standards clearly state that a.m. represents the term ante meridiem, meaning before midday and post meridiem (p.m.) meaning after midday.

RECOMMENDATION 1: Leita should ensure her alarm clock goes off by setting a new one.

RECOMMENDATION 2: Leita should get a clue what a.m. and p.m. mean.

Yes, that was silly. The criteria were silly. The cause got personal. See how badly things can turn out when you start with the control as the condition statement? Still not convinced? Let’s try a more realistic scenario.

An Audit Example

Here is a more realistic example. Let’s say that you are auditing a school lunch program. And let’s say that you find that kids who are not eligible for government-subsidized lunches are getting free lunches. Here is a simple outline of what a finding might look like:

CONDITION: Ineligible children served free lunch
EFFECT: School spent $XX,XXX in federal funds on the ineligible lunches in 20XX.
CAUSE: No screening for eligibility
CRITERIA: Federal grant terms and conditions, clause XXX says…
RECOMMENDATION 1: Ensure only eligible students enjoy free lunch
RECOMMENDATION 2: Screen for eligibility

See how nicely that works if you start out the finding with a statement of fact as your condition and use a control weakness as a cause, just like the GAO suggested.

If you choose “not screening children for eligibility” – a control weakness – as your condition, where are you going to go next? What is the cause going to be? Did they not screen for eligibility because they forgot? Didn’t care? Didn’t know they were supposed to? None of these comments are flattering, edifying, or insightful. Try not to go there! Start off with the statement of fact (Leita is not at work, kids are not eligible) and use a control weakness as the cause.

Solid Findings Look Like This

Here is a simple formula for a solid finding:

  • CONDITION: Noncompliance described
  • EFFECT: Quantification of noncompliance
  • CAUSE: Failed or non-existent control
  • CRITERIA: Compliance requirement
  • RECOMMENDATION 1: Ensure compliance
  • RECOMMENDATION 2: Repair or establish control

Or alternatively, a finding might look like this:

  • CONDITION: Did not achieve program goals
  • EFFECT: Quantification of impact
  • CAUSE: Failed control OR noncompliance
  • CRITERIA: Compliance requirement
  • RECOMMENDATION 1: Ensure program goals are met
  • RECOMMENDATION 2: Repair control or ensure compliance

Weak Findings Look Like This

Again, if you do not take the GAO’s advice to make internal control weaknesses the cause, you might end up with a disparaging remark about the client’s ability to do their job. The following format is not ideal:

  • CONDITION: Internal control failure described
  • EFFECT: Quantification of impact
  • CAUSE: Another failed control or disparaging remark about the client’s ability
  • CRITERIA: Green Book
  • RECOMMENDATION 1: Repair or establish internal control
  • RECOMMENDATION 2: Repair or establish secondary internal control or do your job!

Special Reporting Requirement for Financial Auditors

Speaking of transparency, the GAO also wants financial auditors to be transparent regarding the auditor’s responsibility for the three reportable conditions. So, the GAO requires that financial auditors add language regarding the reportable conditions to their audit reports that is not required by the AICPA.

A financial auditor following AICPA financial auditing standards always includes an opinion on the financial statements in their audit report. Auditors following GAO standards must add language specifically addressing the auditor’s work regarding internal controls and compliance. If the auditor finds the remaining reportable condition, fraud, they are expected to address the fraud in this additional language also.

Most auditors put this additional language in a separate letter in the audit report.

Here is what the GAO says about this additional language:

6.39     Auditors should report on internal control and compliance with provisions of laws, regulations, contracts, or grant agreements regardless of whether they identify internal control deficiencies or instances of noncompliance. 

6.40     When providing an opinion or a disclaimer on financial statements, auditors should report as findings any significant deficiencies or material weaknesses in internal control over financial reporting that the auditors identified based on the engagement work performed. 

6.41     Auditors should include in their report on internal control or compliance the relevant information about noncompliance and fraud when auditors, based on sufficient, appropriate evidence, identify or suspect

  1. noncompliance with provisions of laws, regulations, contracts, or grant agreements that has a material effect on the financial statements or other financial data significant to the audit objectives or
  2. fraud that is material, either quantitatively or qualitatively, to the financial statements or other financial data significant to the audit objectives.

6.42     Auditors should include either in the same or in separate report(s) a description of the scope of the auditors’ testing of internal control over financial reporting and of compliance with provisions of laws, regulations, contracts, and grant agreements. Auditors should also state in the report(s) whether the tests they performed provided sufficient, appropriate evidence to support opinions on the effectiveness of internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements. 

6.43     If auditors report separately (including separate reports bound in the same document) on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements, they should include a reference in the audit report on the financial statements to those additional reports. They should also state in the audit report that the reports on internal control over financial reporting and on compliance with provisions of laws, regulations, contracts, and grant agreements are an integral part of a GAGAS audit in considering the audited entity’s internal control over financial reporting and compliance. If separate reports are used, the auditors should make the report on internal control and compliance available to users in the same manner as the financial audit report to which it relates. 

The Language Differs Depending on the Financial Audit Objectives

Some financial auditors opine on whether the financial statements are presented in accordance with accounting standards, period. Let’s call those Plain Jane financial audits. Some financial auditors conduct the Single Audit. The Single Audit includes an opinion on the financial statements as well as an opinion on compliance for major programs.

On a Plain Jane financial audit, the auditor does not opine on compliance or internal controls in the additional language.

For the Single Audit, auditors opine on compliance for major programs. Single Auditors also have a heightened responsibility for internal controls over compliance. These additional responsibilities on the Single Audit are reflected in specifically designed additional language regarding compliance and internal control.

The AICPA provides example language for both audits – the Plain Jane financial audit and the Single Audit – on its “Government Audit Quality Center” website. I recommend that you use the wording suggested by the AICPA verbatim! Don’t get creative with this language; just make sure you include it when you report on a Yellow Book financial audit!

Example Language for a Plain Jane Financial Audit

Here is an example of the additional language regarding compliance and internal control for a Plain Jane financial audit. This language does not apply to the Single Audit. Please do not rely on this example for your work as the letters are frequently updated by the AICPA!

Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards (for a Governmental Entity) 

(No Material Weaknesses Identified; No Significant Deficiencies Identified; No Reportable Instances of Noncompliance or Other Matters Identified) 

Independent Auditor’s Report 

[Appropriate Addressee] 

We have audited, in accordance with the auditing standards generally accepted in the United States of America and the standards applicable to financial audits contained in Government Auditing Standards issued by the Comptroller General of the United States, the financial statements of the governmental activities, the business-type activities, the aggregate discretely presented component units, each major fund, and the aggregate remaining fund information of Example Entity, as of and for the year ended June 30, 20X1, and the related notes to the financial statements, which collectively comprise Example Entity’s basic financial statements, and have issued our report thereon dated August 15, 20X1. 

Internal Control over Financial Reporting

In planning and performing our audit of the financial statements, we considered Example Entity’s internal control over financial reporting (internal control) to determine the audit procedures that are appropriate in the circumstances for the purpose of expressing our opinions on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of Example Entity’s internal control. Accordingly, we do not express an opinion on the effectiveness of Example Entity’s internal control.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. 

Our consideration of internal control was for the limited purpose described in the first paragraph of this section and was not designed to identify all deficiencies in internal control that might be material weaknesses or significant deficiencies. Given these limitations, during our audit we did not identify any deficiencies in internal control that we consider to be material weaknesses. However, material weaknesses may exist that have not been identified. 

Compliance and Other Matters

As part of obtaining reasonable assurance about whether Example Entity’s financial statements are free from material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of financial statement amounts. However, providing an opinion on compliance with those provisions was not an objective of our audit, and accordingly, we do not express such an opinion. The results of our tests disclosed no instances of noncompliance or other matters that are required to be reported under Government Auditing Standards.

Purpose of this Report

The purpose of this report is solely to describe the scope of our testing of internal control and compliance and the results of that testing, and not to provide an opinion on the effectiveness of the entity’s internal control or on compliance. This report is an integral part of an audit performed in accordance with Government Auditing Standards in considering the entity’s internal control and compliance. Accordingly, this communication is not suitable for any other purpose. 

[Auditor's signature] 

The Struggle is Real

If you work for an audit shop with more than three professionals, you likely struggle with getting your audit report out the door.

First of all, let me reassure you that you are perfectly normal.  Nothing wicked or dastardly is afoot.  Every audit team I have ever worked with wishes they could finish quicker.

We are not the only profession who struggles to finish projects. I have been listening to a podcast series by Seth Godin – who is a guru of sorts for start-up companies. One particular podcast is full of wisdom about finishing a project, and this wisdom can and should be applied to audit reporting. A link to Seth’s workbook and to the podcast appears below. I recommend you have the workbook open as you listen to the podcast.

Godin doesn’t talk about audit reports specifically, but I trust that you can mentally replace his example of launching a computer software with your own experiences publishing an audit report.  I think you will find it worth the effort to analogize.

As you are listening, note how he recommends that you force executives into the process early and remove them at the end.  Note how he decries changes once the objectives have been set and argues for ‘good enough’ over perfection.  Note how he focuses on the customer and encourages us to tell the truth plainly without padding it with extra words.

Here is a link to the podcast:

Here is a link to the workbook he refers to in the podcast:

I hope to be leading a city auditor through this workbook in an upcoming seminar, and I’ll let you know, via LinkedIn, how it goes.  If you apply this tool to your next project, please share your results with me.  To follow me on LinkedIn, find my profile under Leita Hart Fanta.

I hope the “Spring Forward” this weekend is easy on your mind and body.

The Auditors


  • Identify when auditors work with internal controls
  • Distinguish between a control and a substantive or compliance test
  • Identify the differences between the COSO model and the COSO ERM model

This book, so far, has been written from the perspective of a manager trying to implement controls in his or her own organization.  Now we need to address an auditor’s perspective on controls because I imagine that many of you reading this book are auditors!

Because the COSO model is embedded in auditing standards, auditors are usually required to consider controls on their audits.

In this section of the chapter, I want to make a few points about auditors and their responsibilities regarding internal controls:

  • How strong controls give the auditor confidence in their conclusions
  • Which steps of the audit involve internal controls
  • What a control test looks like, and how a control test supports the audit report
  • How auditors are required to react to weak controls

Strong controls give the auditor confidence in their conclusion

GAO and AICPA audit standards require auditors who provide a high level of assurance that a subject matter meets given criteria to consider controls throughout their audits. Why? Because strong internal controls let auditors know whether they can believe what they see as they gather evidence to support their conclusions. Weak internal controls make auditors doubt their conclusions. Consider this quote from the Yellow Book about evidence:

Yellow Book 6.61 a. Evidence obtained when internal control is effective is generally more reliable than evidence obtained when internal control is weak or nonexistent. 

For instance, let’s say an auditor chooses to sample 30 credit card charges out of 1500 credit card charges to determine whether the coach’s purchases were business related and not personal in nature. And let’s say that all 30 tests show that the coach’s purchases are business related.

If the auditors know that the school district has strong controls over credit card purchases, the auditor can confidently conclude that yes, everything is on the up and up, and the auditor can move on to tackle another audit objective because the auditor has put this objective to rest.

If, however, the controls are weak, the auditor has to wonder if maybe the sample didn’t scoop up his bad behavior, and the auditor feels less confident in the testing results.  The auditor may have to do some additional testing or a different kind of testing to comfortably conclude that the coach is not making personal purchases.

In other words, if the auditee has weak controls, the auditor’s test results are less convincing to the auditor.  And auditors are not going to put their professional name behind a conclusion (a conclusion that assures the reader that the subject matter meets a given criteria) they don’t believe in.

Auditors do not always have to work at a high assurance level. Some audit standards allow auditors to obtain less assurance that the subject matter meets the criteria. These engagements are sometimes called reviews or agreed-upon procedures. When an auditor is seeking limited assurance, they follow simpler standards, and these standards sometimes allow them not to worry about controls.

Which steps of the audit involve internal controls?

In an audit where the auditor is providing a high level of assurance that the subject matter meets the criteria, the auditor must consider controls in every phase of the audit: in the planning phase, the fieldwork phase and the reporting phase.

Consider this step-by-step process for conducting an audit and note how many times internal controls are mentioned:

Planning phase:

  1. Receive vague audit assignment
  2. Gain a general understanding of the audit subject and general control structure
  3. Choose relevant criteria to evaluate the subject matter against
  4. Break the audit subject into pieces
  5. Evaluate inherent risk for each of the pieces
  6. Refine objective and define sub-objectives
  7. Evaluate controls for each objective and sub-objective and determine key controls
  8. Design relevant tests – including substantive/compliance and control tests
  9. Allocate resources to the testing

Fieldwork phase:

  10. Formalize the audit program
  11. Perform substantive/compliance tests and control tests

Reporting phase:

  12. Write findings regarding fraud, waste, abuse, noncompliance, misstatements, control weaknesses
  13. Conclude against objectives
  14. Finalize report

Look how many times in that process I mentioned controls: Step #2, Step #7, Step #8, Step #11 and Step #12!  An auditor’s evaluation of the strength of the auditee’s controls shapes their audit and impacts their eventual audit conclusion that the subject matter meets the given criteria.

What kind of test are you performing?

Let’s focus on step #11 – perform substantive/compliance tests and control tests – for a few minutes.  Every time the auditor performs a test, they need to be conscious of how the results support their audit conclusion.  Ultimately, the auditor is interested in whether the coach used his card for personal purchases. The question of how he got away with it is usually of lesser importance to an auditor.

Our control objective for creating internal controls in this book is:  Do controls deter the coach from using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459? 

An auditor might also use that as their audit objective.  But they are more likely to write an audit objective that sounds like this:  Is the coach using his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?

Did you catch the difference?  The auditor’s objective is asking whether the coach used his card for personal purchases.  The control objective we have been using throughout the book is asking whether the entity had any controls in place to deter him from using his card for personal purchases.  The auditor’s objective is missing the words ‘controls in place.’

The auditor may or may not be concerned about controls, as we discussed above.  The auditor has to be very clear what question he is asking because the question dictates the type of test the auditor must perform.  Phrasing the audit objective without the term ‘controls’ allows the auditor to focus on whether the coach actually broke the rules instead of only looking at whether controls were in place to keep him from breaking the rules.   Auditors find this demarcation so important that they label their audit tests in two categories.

What is a control test?

In general, auditors talk about audit tests as either control tests or substantive/compliance tests.

The term ‘substantive’ usually applies when the auditor is testing quantities, and the term ‘compliance’ is used when the auditor is testing another quality of the subject matter that does not involve dollars, such as eligibility.  A substantive/compliance test asks whether the subject matter meets the criteria.

A control test asks why the subject matter did not meet the criteria. Auditors need to tell the users of the audit report whether the coach used his card for personal purchases (the substantive/compliance test), but the auditor might also tell the users why he was able to do this without being caught (the control test).

Is it possible that the coach did not use his card for personal purchases even though there were no controls in place?  Sure, maybe he is an honest man.  Is it possible that the school has controls in place, but the coach still managed to buy some personal items with his card?  Yes, that is possible, too.  Here is a quote from the Green Book about that:

OV1.07 An effective internal control system increases the likelihood that an entity will achieve its objectives. However, no matter how well designed, implemented, or operated, an internal control system cannot provide absolute assurance that all of an organization’s objectives will be met. Factors outside the control or influence of management can affect the entity’s ability to achieve all of its objectives. For example, a natural disaster can affect an organization’s ability to achieve its objectives. Therefore, once in place, effective internal control provides reasonable, not absolute, assurance that an organization will achieve its objectives. 

So if the auditor wants to answer the question “Did the coach use his purchasing card for personal purchases as defined by Grace School District Policy #C7.459?,” then the auditor could choose a sample of transactions from the credit card statement, match the transactions to the receipts and then compare the transactions to Grace School District Policy #C7.459 to determine if any of the purchases were personal.  The auditor would likely call this a compliance test although some auditors may call it a substantive test.

To find out why or how the coach was able to use his card for personal purchases, the auditor could also look at the documents that evidence that the accounting department matched purchases on the credit card statement to receipts and compared them to policy each month.  That would constitute a control test.

If the control test turns out well and the compliance test turns out well, the auditor can confidently conclude that the coach is not making personal purchases.

How auditors react to weak controls

If either one or both of the tests do not turn out well, then the auditor will probably write a finding and report the problems to management. The finding could look like this:

CONDITION: The coach is making personal purchases with his purchasing card.

EFFECT: 7 out of 30 transactions tested from a population of 1500 transactions were for personal items such as family meals, alcoholic beverages, and a gas grill.

CAUSE: Accounting did not reconcile credit card purchases from the credit card statement to actual receipts for 9 months out of the year.

CRITERIA: Grace School District Policy #C7.459 prohibits the use of the credit card for personal purchases and defines business purchases as bla bla bla.  Accounting department policy #18a requires the accounting department to perform monthly reconciliations of the credit card statement to receipts and to verify the business purpose of all purchases.

RECOMMENDATION: We recommend that the coach reimburse the district for personal charges. The district should confiscate the coach’s card. The accounting department should perform reconciliations of the credit card statement to receipts monthly to verify that purchases are business related.

Notice that the condition statement is supported by a compliance or substantive test and the cause is supported by a control test.

How will an auditor react if the client refuses to improve?

Let’s assume that the auditor includes the above finding in the audit report and recommends the auditee act to correct the problems.

What if the auditee does not accept the auditor’s recommendation? What if the auditee doesn’t want to discipline the coach because he has taken the team to the state championship for the past three years?  What is the auditor going to do now?

If the audit report makes it into the hands of the oversight body and grantors, the auditor – technically – does not have to do anything further because they have fulfilled their responsibility.  They sought assurance that the credit cards were being used for business purposes, and they reported that they were not being used for business purposes. The auditor suggested improvements and shared the results with all stakeholders.  Now the matter is in management’s hands.

The auditor is not responsible for internal controls, only for evaluating internal controls relevant to their audit objective and reporting any weaknesses.

But that doesn’t mean the auditor is going to let the issue drop.  Depending on the audit standards they are following, they might have a professional responsibility to follow up on the finding and report management’s progress.

Even without the prompting of a standard, the auditor might be more tenacious and decide not to let the issue drop.  An auditor has a variety of techniques at their disposal to prompt the client to make the change.

The auditor may hold a formal meeting with the oversight body to impress upon them the significance of the issue.  Depending on the culture of the organization, an informal chat on the bleachers at the state championship game with the chairman of the school board would be more apt to elicit change than a detailed audit report and formal meeting.

If the same auditor performs the audit next year, the auditor may expand the audit to include purchasing cards in other areas of the school and more findings may ensue.

The client’s refusal to do anything about the issue may prompt the auditor to elevate the category of finding from a ‘significant deficiency’ to a ‘material weakness’ in next year’s report. In other words, a minor finding (a significant deficiency) can become major (a material weakness) if the auditee refuses to take the auditor’s advice to strengthen controls.

The auditor can intensify the tone of the audit findings in the next year’s report by describing the situation in harsher terms and quantifying results in dramatic, eye-catching ways.  The auditor can qualify their audit conclusion in future reports.

If the auditee still won’t respond, auditors can remind the auditee of who else will be reviewing the report. An internal audit director of a large state agency could not get one of the divisions of the agency to improve controls after several meetings.  Eventually, she reminded the division director that her report would be shared with the state auditor’s office, and the state auditor may have questions for the division director about why he refused to implement the control.  The next day, the division director sent her a fully developed plan of action for implementing every one of her recommendations!

If none of these techniques elicits change, the auditor may choose not to perform the audit the following year. As you know, auditors are often criticized once a negative behavior comes to light that the auditor didn’t uncover.  In order to avoid criticism and a possible lawsuit, auditors will sometimes write a damning report, and then walk away from the client before the next risk hits the fan.

A client that refuses to acknowledge the auditor’s recommendations is likely engaging in other negative behaviors. An uncooperative client, obviously, does not exhibit a strong ‘tone at the top,’ which is the very first principle necessary for a strong control structure mentioned in the Green Book!

What if the recommendations are not practical?

Now, what if the recommendations are not being followed because the client is small and the auditor’s recommendations are too costly and impractical to implement? Here the auditor gets in a bit of a bind. The auditor knows that their small clients are never going to implement all 17 principles of the COSO model, but they also know that their client is at risk of something bad happening if they don’t implement more controls.

Auditors have a professional responsibility to let all stakeholders know about the risks their auditee is taking by not investing in controls.  And at the same time they know their clients can’t afford to invest any more money in controls.

In a case like this, the auditor might just mention the issue in a report once and let it go. Or the auditor could bring the issue up year after year in the audit report, but not escalate the matter if the auditee does nothing about it. Each auditor will approach their responsibility differently depending on the auditor’s tenacity, their relationship with their client and their judgment about what is best for everyone involved.

How tenacious is your auditor?

The COSO ERM Model

Before we leave each other, I feel obliged to tell you that the COSO model has been used as a launching pad for another related model also promulgated by the COSO organization, the COSO ERM model.  ERM stands for Enterprise Risk Management.

The COSO ERM model was initially published in 2004 and was substantially revised in 2017.  The COSO ERM model focuses on organizational strategy and may better suit your purposes than the COSO model used by the Green Book.   Notice how this exhibit from the COSO ERM Executive Summary published in June of 2017 uses similar categories to our original COSO model and breaks the five components into 20 principles.  Presenting the model as a horizontal list eliminates some of the overlap and duplication issues we encounter with the COSO cube’s side and front.

The five components here loosely align with the COSO model’s five components:

  • ‘Governance and culture’ from the COSO ERM model loosely aligns with ‘control environment’ from the COSO model
  • ‘Strategy & objective setting’ and ‘performance’ loosely align with the COSO components of ‘risk assessment’ and ‘control activities’
  • ‘Review and revision’ from the COSO ERM model aligns with ‘monitoring’ in the COSO model
  • ‘Information, communication and reporting’ aligns with ‘information and communication’ in the COSO model.

Final thoughts

In the 1980s, when I started my career, everyone in accounting and auditing gave lip service to internal controls and understood internal controls in a vague sort of way. We knew that the same person who received the checks should not also deposit the checks and perform the cash reconciliations.

But the ideas of right and wrong procedures were not well documented and instead were passed down orally from one generation of accountants and auditors to another.  If you had a good boss, they would teach you the ropes and point you to a few tools to help you out.  If not, you were left hanging because there was no comprehensive literature to turn to.

Organizations that tried to do the right thing hired people who knew the ropes. Organizations that didn’t care about doing the right thing – or that didn’t know how to get their act together – struggled along.

Now, with the advent of the COSO model and the internet, we all have a standard that tells us how to get our act together.  Great minds who work with complex entities have spent time thinking about what ideal controls should look like.  And because the internet lets these great minds share their ideas easily, we have a document that we can access easily that collects their wisdom and advice in one place!

And these great minds didn’t stop with one draft; the more they think about and use the standard, the more they learn and the more they share.

I expect even more clarity and wisdom to evolve from these efforts, and maybe, one day, all of us can get our acts together because we know both what is right and how to make it right.

Truth! Justice! Order! And the American Way!  Wait… isn’t that Superman’s line?
