• Cart
Log in

Log in

home page banner blank

Voices from the Field



Have you ever found yourself conducting a performance audit and starting to feel that “this agency should be doing more to prepare for the future,” but you could not point to any obvious legal or other requirements to prove why the audited agency should be doing more? You were probably working on a prospective—meaning future-focused—audit. Even seasoned auditors may benefit from practices for planning and writing prospective reports convincingly because of the following:

  • Prospective reports have some challenges. They often involve the audited agency confronting a new or dynamic issue, such as industry or technological changes, or new laws. Also, the criteria used to evaluate the audited agency may not be immediately apparent because there are many ways the agency could respond to the changes. There may be no obvious “right” answer.
  • Most performance audits look at the past. Thus, teams working on prospective reports can face challenges in convincing their own colleagues that the audited agency needs to take more action now if the future is uncertain. And, assuming we win over our colleagues, we may still need to convince the audited agency to take some action, even though the impacts of acting—or not acting—will be uncertain.

Performance auditors have been writing prospective audit reports for decades, but the demand for them is likely to increase. In 1990, the U.S. Government Accountability Office (GAO) issued guidance for answering prospective questions. By then, the GAO was increasingly being asked to answer these questions, such as the potential impacts of proposed legislation. Factors likely to increase demand for prospective reports in the United States include the following:

  • Continued budget pressures at state, local, and federal levels. Since the 2008 recession, many state and local government agencies across the United States have faced a gap between revenue and spending—a challenge they will likely continue to face in the near term. The U.S. federal government also faces budget pressures, which will continue unless there are significant policy changes. In response to such budget pressures, government entities—and the bodies that oversee them—will continue looking for ways to do more with less. This includes seeking insights from auditors about how to more efficiently provide the same or improved services.
  • Rapidly evolving and emerging technologies. Current technological developments are transforming multiple sectors of society. The speed and complexity of such advances pose challenges to policymakers and could also transform the roles of audited agencies. For example, a 2019 GAO report found that the U.S. Departments of Transportation (DOT) and Labor should take additional steps to prepare for the potential effects of automated trucking technologies on the workforce. The report suggests that such technology may transform DOT’s role, since it enforces regulations such as the maximum hours that truck drivers are allowed to work.

Benefits of prospective audit reports

Prospective audit reports offer key benefits. For example, they can:

  • Help audited agencies to be better prepared for an uncertain future in which they may need to adapt to a shifting role with limited resources.
  • Help agencies conducting audits to keep their staff informed about emerging issues, and to identify new areas to audit.
  • Help policymakers to be better informed about the emerging issues confronting the agencies whose budgets they oversee. For example, prospective reports can help Congress make sound budget decisions, especially when such decisions could be made years before the funds are spent by recipient agencies.

Selected practices for planning and writing prospective reports

This article aims to share tips for planning and writing prospective reports convincingly, based on my experience at the GAO over the past decade. This is a selection, not an exhaustive list, of practices for managing audits that could be useful for prospective reports.

To illustrate the application of the selected practices, examples are drawn from two recent GAO reports, both about the evolving transportation sector:

  • Public Transit Partnerships: Additional Information Needed to Clarify Data Reporting and Share Best Practices, GAO-18-539 (Washington, DC.: July 2018)
  • Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define its Role in Responding to a Real-world Attack, GAO-16-350 (Washington, DC.: March 2016).

Practice 1: Consider including a prospective research question

When uncertainties about the future significantly affect your audit, consider including a prospective research question. This can provide a designated report section for discussing key uncertainties. For example, the Public Transit Partnerships team began its audit with a research question about the key challenges local transit agencies face in fostering partnerships with private mobility companies. In our stakeholder interviews, however, many selected local transit agencies and their partners told us that most challenges related to future uncertainties. Using a prospective research question, we dedicated one report section to discussing trends that could impact the future of such partnerships, such as the projected rollout of shared self-driving vehicles.

Practice 2: If other criteria are elusive, use recognized internal control standards

With prospective reports, it can be harder to identify the right criteria for assessing the audited agency’s efforts, since there are multiple ways that the agency could respond to the evolving issue. Often, we are looking to make a recommendation to help the agency better plan for an uncertain future, which can require combining multiple relevant criteria. In cases where criteria are elusive, the GAO’s Standards for Internal Control in the Federal Government can be helpful (they are largely based on the COSO internal control framework, which is sometimes used by Canadian auditors for the same purpose). These standards or principles are requirements for U.S. federal agencies, but have also been adopted as best practices by state, local, and other entities. Four principles especially relevant for prospective reports include that entity management should:

  • Identify, analyze, and respond to risks related to the entity’s objectives (principle 7).
  • Identify, analyze, and respond to change that could impact the entity’s internal control system (principle 9).
  • Use quality information to achieve the entity’s objectives (principle 13).
  • (Effectively) communicate externally, including selecting appropriate communication methods, considering factors such as the audience (principle 15).

Practice 3: Combine the chosen internal controls with the audited agency’s goals to strengthen the audit criteria

Audited agencies often have goals related to being prepared for the future, such as in strategic plans. Combining such goals with the chosen internal controls can strengthen the audit criteria. To illustrate, tables 1 and 2 outline the criteria, relevant excerpts of findings, and related recommendations from the Public Transit Partnerships and Vehicle Cybersecurity reports. Both reports combined agency goals and internal controls to form a stronger set of audit criteria.

Table 1 – Selected Criteria Used for the Public Transit Partnerships Report

Criteria Description

Report Findings Excerpts

Related Recommendation

Internal Control

Federal agencies should use quality information.

Agency’s Own Goals

The Federal Transit Administration’s (FTA’s) goals include:

  • Providing transit grants in a way that contributes to efficient transit systems.
  • Keeping data in the National Transit Database (NTD) accurate to track key statistics related to how U.S. transit systems are functioning.

Despite available National Transit Database (NTD) manuals that discuss the statutory definition of public transportation, officials from most selected local transit agencies expressed confusion about NTD reporting for on-demand projects, such as about which types of on-demand rides qualify as “public transportation”… and how qualifying rides should be entered into NTD. These officials told us that further clarification is needed from FTA about this issue.

The(se) examples of local transit agencies’ confusion about NTD reporting requirements raise questions about whether NTD data accurately reflect the status of the U.S. public transportation system, a key goal of the NTD.

Without accurate NTD data, (1) the Federal Transit Administration (FTA) will not be able to effectively track its own progress toward achieving goals—such as improving the efficiency of transit systems, and (2) the apportionment of certain grant funds to local transit agencies could be affected.

The Federal Transit Administration (FTA) should determine which on-demand services qualify as "public transportation" based on the definition and disseminate information to clarify whether and how to report data on such services into the National Transit Database.

Table 2 – Selected Criteria Used for the Vehicle Cybersecurity Report

Criteria Description

Report Findings Excerpts

Related Recommendation

Agency’s Own Goals

The National Highway Traffic Safety Administration’s (NHTSA’s) goals include staying ahead of potential vehicle cybersecurity challenges and seeking ways to avoid them.

Internal Control

Federal agencies should design control activities to achieve objectives and respond to risks.

NHTSA has made progress in many areas … however, NHTSA has not yet formally defined and documented the agency’s role and responsibilities in the event of a real-world vehicle cyberattack and how the agency’s response actions would be coordinated with other federal agencies. Given that NHTSA and … industry stakeholders generally agreed that the threat of a vehicle cyberattack will increase … in the coming years, such a response plan may be particularly important for NHTSA to develop proactively, before the threat environment significantly changes. Until such a plan is developed, NHTSA’s response efforts … could be slowed as agency staff and other stakeholders may not be able to quickly identify the appropriate actions that NHTSA should take.

In addition, the lack of such a response plan is inconsistent with federal standards for internal control, which—among other things—are intended to help agencies in managing change associated with shifting environments and evolving demands and priorities.

The National Highway Traffic Safety Administration (NHTSA) should work expeditiously to finish defining and then to document the agency’s roles and responsibilities in response to a vehicle cyberattack involving safety-critical systems, including how NHTSA would coordinate with other federal agencies and stakeholders involved in the response.

Page 1 of 2

About the Author:

Jessica Bryant-Bertail

Jessica Bryant-Bertail is a Senior Analyst in the U.S. Government Accountability Office’s (GAO) Physical Infrastructure team, based in the Seattle field office. Since joining the GAO in 2008, she has worked on a variety of performance audits, mostly focused on aviation and surface transportation issues. She has led several GAO audits as Analyst-in-Charge, including on vehicle cybersecurity and on partnerships between local transit agencies and private transportation companies. She is currently leading an audit of the U.S. Federal Aviation Administration’s designated unmanned aircraft systems test sites.

She studied at the University of Washington, Seattle, where she earned a Bachelor’s degree in International Studies in 2000, and dual Masters’ degrees in Public Administration and in Russian, East European, and Central Asian Studies in 2008.

Contact the author at: