Government Standards for Auditing Internal Controls

How GAGAS guides auditors in determining when and how to evaluate internal controls and information systems

Evaluating internal controls is a foundational part of audit planning under GAGAS, but the level of assessment depends on the audit objectives, significance, and risk. Auditors must understand controls well enough to determine their effect on evidence, methodology, and findings.

This lesson is a preview from Graduate School USA's Assessing Controls in Performance Audits Course.

GAGAS Requirements for Assessing Controls

Per the Government Auditing Standards:

“In planning the audit, auditors should assess significance and audit risk. Auditors should apply these assessments to establish the scope and methodology for addressing the audit objectives.” (par. 8.05)

Auditors should assess significance and audit risk by gaining an understanding of, among other things:

  • Internal control as it relates to the specific objectives and scope of the audit, and
  • Information systems controls for purposes of assessing audit risk and planning the audit within the context of the audit objectives. (par. 8.60)

Internal Control

Auditors should obtain an understanding of internal control that is significant within the context of the audit objectives. For those internal controls deemed significant, auditors should:

  • Assess whether internal control has been properly designed, implemented, and operated, and
  • Plan to obtain sufficient, appropriate evidence to support their assessment of the effectiveness of those controls. (par. 8.51)

Management’s design for internal control can often be found in prescribed policies and procedures.

Information Systems Controls

When obtaining an understanding of internal control significant to the audit objectives, auditors should also determine whether it is necessary to evaluate information systems controls. (par. 8.59)

Information systems controls are significant to the audit objectives if auditors determine that evaluating their effectiveness is necessary to obtain sufficient, appropriate evidence. When information systems controls are significant—or when the effectiveness of significant controls depends on them—auditors should evaluate the design, implementation, and/or operating effectiveness of those controls. (par. 8.60)

When and How Controls Would Be Assessed

The audit standard on controls applies when the audit objective is to:

  1. Assess the adequacy of specific controls in ongoing operations as the finding condition.
  2. Determine whether controls are the cause of a deficiency in output or outcome performance.
  3. Determine the extent to which controls that are part of, or a component of, an intervention have been implemented.

When Controls Might Not Be Assessed

Examples of assignments in which controls might not need to be examined because they are not significant to the audit objectives include:

  1. Assignments limited to gathering information on actual performance in prior years
  2. Assignments that develop questions for oversight or appropriations hearings
  3. Assignments that summarize or compile the results of prior work
  4. Assignments that forecast potential program outcomes under various assumptions without evaluating current operations
  5. Assignments in which auditors evaluate the merits of alternatives (e.g., buying or leasing office space)
  6. Assignments where audit results are based on an auditor-administered questionnaire

Kim Peppers

Kimberly Peppers spent 37 years as a federal employee culminating in leadership roles as regional inspector general and audit director in multiple federal agencies; building a career in federal audit, budget and program analysts’ positions. She has subsequently worked in the federal consulting environment. Kim considers among her notable achievements obtaining her doctorate, in business administration while concurrently working in audit and investigations stationed in the middle east.

More articles by Kim Peppers

How to Learn Auditing

Build practical, career-focused federal auditing skills through hands-on training designed for beginners and professionals alike. Learn fundamental tools and workflows that prepare you for real-world projects or industry certification.