single audit fundamentals: a refresher presented by frank crawford, cpa crawford & associates,...
TRANSCRIPT
Single Audit Fundamentals: A Refresher
Presented by Frank Crawford, CPACrawford & Associates, P.C.
Today's topics
• Refresher on the basic requirements of the Single Audit process and OMB Circular A-133, including– Risk based approach for determining major
programs– Documentation and testing of internal controls
over compliance– Auditor reporting
• Take some questions
Not sure what to do?Not sure who to ask?
Government Auditing Standards
• The Single Audit Act and OMB Circular A-133 require the use of Government Auditing Standards
• A new Yellow Book (Government Auditing Standards) was issued in July 2007, so be familiar with its requirements
Government Auditing Standards
• Yellow Book = GAGAS = Generally Accepted Government Audit Standards = Government Auditing Standards
• Applies to audits of government entities, programs, activities, and functions and of government assistance administered by contractors, not-for profit entities, and other nongovernmental entities, when required by statute or other rules or regulations, or when the auditors hold themselves out as following these standards
Government Auditing Standards—Relationship to AICPA Standards
• Under Government Auditing Standards, auditors follow the general standards included in Chapter 3 of the Yellow Book, which cover independence, including personal, external, and organizational impairments, professional judgment, competence of audit staff, and quality control and assurance
• For financial statement audits—Government Auditing Standards currently incorporate the fieldwork and reporting standards of generally accepted auditing standards (GAAS) and the related SASs issued by the AICPA
Government Auditing Standards—Relationship to AICPA
Standards
• Under Government Auditing Standards, auditors also have fieldwork and reporting responsibilities that go beyond the AICPA standards, and are in addition to the AICPA standards, just as the Single Audit requirements have fieldwork and reporting responsibilities that go beyond the Government Auditing Standards…
Overview of OMB Circular A-133
Planning and executing the Single Audit (OMB Circular A-133 audit)
Basics of OMB A-133
Objectives of a Single Audit
1. Audit of financial statements and reporting on the SEFA
2. Compliance audit of federal awards• the term “single audit” could be
perceived as misleading by some, since it appears that we are actually doing “two” audits; one on the fair presentation of the financial statements, and the other on compliance with major federal programs…
Audit Scope and Objectives of A-133 Single Audit
• Conducted in accordance with Government Auditing Standards (GAS)
• Covers entire operations of the organization
• Fairly presented financial statements
• Adequate internal control structure
• Compliance with laws and regulations
• Follow-up on prior audit findings
Some questions about single audit
• Why is there a Single Audit Act?
• Who is subject to the Single Audit Act?
• What are the audit requirements under OMB A-133?
• What is a federal award?
• What is a CFDA number?
Why is there a Single Audit Act?
• Lack of audits of federal funds
• Too much focus on individual grants
• Overauditing
Who is subject to the Single Audit Act?
• Non-federal entities…• Others????
What are the audit requirements under OMB A-133?
• Federal grant expenditures >= $500,000
• Single audit versus program-specific audit
What is defined as an expenditure of a federal award?
Be careful that you understand what constitutes an expenditure of a federal award; it is probably much more broad than you think…– Para 205 of A-133 defines it well
• Examples outside of a normal definition of an expenditure
– Outstanding loan balances, receipt of surplus property, are just a few…
What is a CFDA number?
• Catalog of Federal Domestic Assistance
• OMB A-133 defines a federal program as all federal awards under the same CFDA number
Planning the OMB A-133 Audit
• Defining the entity to be audited
• Determining the audit period
• Timing of audit completion
• Obtain schedule of expenditures of federal awards
Planning the A-133 Audit:Risk based approach to determining
major programs
• Determine low-risk auditee status• Determine major programs
– Risk-based approach– Four-step approach considers numerous factors:
• Results of prior audits• Dollars involved• inherent program risks• Percentage of coverage rule (depends upon low-risk auditee
determination)
Low-Risk Auditee Criteria
Must meet all of the following for each of the two preceding years:
Single audits performedUnqualified opinionsNo material weaknesses in internal control over
financial reportingNo findings in Type A programs in preceding 2
years– material weaknesses in internal control
– material noncompliance
– known or likely questioned costs > 5% of expenditures for that Type A program
Low-Risk Auditee Criteria and Percentage of Coverage Rule
• If considered a low-risk auditee, then AT THE END of the 4 step process in determining major programs, the auditor must have selected enough programs as major that equals or exceeds– 25% of total federal expenditures
• If the entity is NOT considered a low-risk auditee, then the amount above changes to– 50% of federal expenditures
Risk-Based Approach to Determining
Major Programs Step 1 Step 2 Step 3 Step 4
Identify "Type A" programs
Identify low-risk "Type A" programs
Identify high-risk "Type B" programs
Determine major
programs to audit
Identify Type A Programs
• Federal expenditures exceeding the larger of:– $300,000 or 3% of total Federal expenditures
where total Federal expenditures are> $300,000 AND < $100 million
– $3 million or 0.3% of federal expenditures where total expended is >$100 million AND < $10 billion
– $30 million or 0.15% of federal expenditures where total expended is > $10 billion
Identify Type A Programs
• Programs not deemed “Type A” are “Type B”…it’s that simple
Identify low-risk Type A programs
• GENERALLY low risk if…– audited as a major program in at least one of
the two most recent audit periods and – in the most recent audit period, the program
had no findings
• Auditor judgment • Federal agency request
Identify high-risk Type B programs
• However, if there were no low-risk Type A programs identified in the previous step…
• then STOP the 4 step process and SKIP this step and go straight to measuring the percentage of coverage, hoping that your Type A high risk programs already meet your percentage of coverage rule; if they don’t, then you must pick another program or programs as major until you reach the appropriate percentage of coverage…
Identify high-risk Type B programs
• If there are low-risk Type A programs…• Consider whether Option 1 OR 2 will be used in
Step 4 of the Risk-based approach
Option 1:• Select as major programs, at least 1/2 of Type B
programs identified as high-risk under Step 3
Option 2:• Select one high-risk Type B program for each
low-risk Type A program identified under Step 2
Where we are at…
Step 1 Step 2 Step 3
Identify "Type A" programs
Identify low-risk "Type A" programs
Identify high-risk "Type B" programs
Criteria for Federal Program Risk for B programs
• Auditor judgment
• Current & prior audit experience
• Oversight by Federal agency and pass-through agencies
• Inherent program risk
Determine Major Programs
• All “Type A” programs except those identified as low-risk in Step 2 (i.e. high-risk “Type A”)
• “Type B” programs as identified in Step 3 using 1 of 2 options
• Such additional programs necessary to comply with 50% coverage rule, or 25% if the entity qualifies as a low-risk auditee
Risk-Based Approach to Determining
Major Programs
Step 1 Step 2 Step 3 Step 4
Identify "Type A" programs
Identify low-risk "Type A" programs
Identify high-risk "Type B" programs
Determine major
programs to audit
Documentation and testing of internal controls over
compliance
Internal Control over compliance for major programs
Auditee responsibilities…
Maintain internal control over compliance for federal programs that provides reasonable assurance that the auditee is managing federal awards in compliance with laws, regulations, and provisions of contracts or grant agreements that could have a material effect on each of its federal programs.
Internal Control over compliance for major programs
Auditor responsibilities…
•perform procedures to attain an understanding of internal controls over compliance to plan to support low control risk for major programs•plan testing of IC to support low control risk for the assertions relevant to the compliance requirements for each major program •perform testing of IC over compliance as planned •Report on IC over compliance describing the scope of the testing
Internal Control
COSO Study defined Internal Control as:
“A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:– Effectiveness and efficiency of operations– Reliability of financial reporting– Compliance with applicable laws
and regulations”
•Be sure to review Part 6 of the most recent OMB Compliance Supplement …
Requirements for Testing Compliance itself…
Determine Applicability
Review thegrant
documents
Review the compliance supplement,
parts 2, 3 and 4
Which requirements are both applicable
and material
Identify requirements to
test
Determine testing
procedures
Perform tests Evaluate compliance
14 Compliance Requirements
Activities Allowed or Unallowed
Allowable Costs/Cost Principles
Cash Management Davis Bacon Act Eligibility Equipment and Real
Property Management Matching, level of effort,
earmarking Period of Availability
Procurement, Suspension and Debarment
Program Income Real Property
Acquisition and Relocation Assistance
Reporting Subrecipient Monitoring Special Tests and
Provisions
A-133 Reporting Requirements
Single audit reporting package• Financial statements• Schedule of expenditures of federal awards (SEFA)• All applicable footnotes to both F/S and SEFA• Auditor's reports• Schedule of findings and questioned costs• Summary Schedule of Prior Audit Findings (if
applicable)• Corrective Action Plan (if applicable)• Data Collection Form
Auditor’s Reports
Reports requiredFinancial Statement opinion(s)
Compliance and I/C and over financial reporting and other matters (Yellow Book)
Compliance and I/C over major programs(A-133 report)
Schedule of Findings and Questioned Costs
Section 1
Summary of auditor’s results
Section 2
Financial statement findings
Section 3
Federal award findings and questioned
costs
Audit Findings for A-133
• Significant deficiencies and material weaknesses in internal control over major federal programs
• Material noncompliance with rules and regs• Instances where prior year finding has not been
resolved• Known questioned costs > $10,000, and known
questioned costs < $10,000 when extrapolation of testing results in likely QC exceeding $10,000
• Known fraud
Significant Deficienciesand Material Weaknesses – New
Definitions (SAS 112 impact)Significant deficiency and material weakness:
– A significant deficiency[1] is a control deficiency, or combination of control deficiencies, that adversely affects the entity’s ability to administer a federal program such that there is more than a remote likelihood[2] that noncompliance with a type of compliance requirement[3] of a federal program that is more than inconsequential[4] will not be prevented or detected.
– A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material noncompliance with a type of compliance requirement[5] of a federal program will not be prevented or detected.
–[1] The term significant deficiency replaces the term reportable condition currently used in Circular A-133.
– [2] The term remote likelihood as used in the definitions of the terms significant deficiency and material weakness has the same meaning as the term remote as used in Financial Accounting Standards Board Statement of Financial Accounting Standards No. 5, Accounting for Contingencies. Therefore, the likelihood of an event is “more than remote” when it is at least reasonably possible.
– [3] See footnote 1.– [4] Noncompliance with a type of compliance requirement is inconsequential if a reasonable
person would conclude, after considering the possibility of further undetected noncompliance, that the noncompliance, either individually or when aggregated with other noncompliance related to the same type of compliance requirement, would clearly be immaterial to a federal program. If a reasonable person would not reach such a conclusion regarding a particular noncompliance, that noncompliance is more than inconsequential.
– [5] See footnote 1.
Summary Schedule of Prior Audit Findings
• Responsibility of the auditee
• Part of the reporting package
• Should include…– finding reference numbers– status of the finding
Data Collection Form
• Information must agree with auditor’s reports and schedule of findings and questioned costs
• Must be completed and signed by both auditee and auditor
Questions?
AICPA Assistance
• AICPA Audit Guide, Government Auditing Standards and OMB Circular A-133 Audits
• GAS/A133 Audit Risk Alert • Practice Aid: Auditing Recipients of Federal
Awards: Practical Guidance for Applying OMB Circular A-133 – 2005 -2006 Edition
• Federal single audit roundtable• Government Audit Quality Center