“Uniform Guidance Audit from the Auditors Perspective” Adam Carr, EY Assurance manager Maureen wood, ey assurance executive director BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Agenda Introduction 10:00 – 10:05 Uniform Guidance for Federal Awards 10:05 – 10:50 Questions/Answers 10:50 – 11:00 2 BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Session objectives Overview of the Uniform Guidance audit process and overview of the Student Financial Assistance (SFA) Cluster Changes in the Student Financial Assistance Cluster Reporting and findings in a Uniform Guidance audit BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Access information – Uniform Guidance All OMB guidance for federal awards streamlined in Title 2 of CFR, Subtitle A, Chapter II, Part 200 How to access the UG Electronic Code of Federal Regulations (e-CFR) version PDF version of the Federal Register Notice in its entirety How to access COFAR documents and Webcasts Visit https://cfo.gov/COFAR/ for resources How to access the Joint Interim Final Rule BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Organization of Uniform Guidance by subpart A: Acronyms and Definitions B: General Provisions C: Pre-Federal Award Requirements and Contents of Federal Awards D: Post Federal Award Requirements E: Cost Principles F: Audit Requirements Appendices BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Effective dates – Uniform Guidance Federal agencies must implement policies and procedures by promulgating regulations to be effective December 26, 2014 Accomplished with issuance of recent Joint Interim Final Rule Non-federal entities will need to implement the new administrative requirements and cost principles for all new Federal awards made on or after December 26, 2014, and to additional funding to existing awards (referred to as funding increments) made on or after that date Non-federal entities wishing to implement entity-wide system changes to comply with the guidance on or after December 26, 2014, will not be penalized for doing so Audit requirements effective for fiscal years beginning on or after December 26, 2014 BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Effective date – What about pass-through awards? (COFAR FAQ .110-11) Subrecipients and subawards The effective date of the Uniform Guidance for subawards is the same as the effective date of the federal award from which the subaward is made The requirements for a subaward, no matter when made, flow from the requirements of the original federal award from the federal awarding agency BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE 7

Major Program Determinations Total Federal awards expended Type A/B threshold Equal to or exceed $750,000 but less than or equal to $25 million $750,000. Exceed $25 million but less than or equal to $100 million Total Federal awards expended times .03. Exceed $100 million but less than or equal to $1 billion $3 million. Exceed $1 billion but less than or equal to $10 billion Total Federal awards expended times .003. Exceed $10 billion but less than or equal to $20 billion $30 million. Exceed $20 billion Total Federal awards expended times .0015. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Major Program Determinations cont’d Type A – Low Risk or High Risk “the auditor must consider whether the requirements in §200.519 Criteria for Federal program risk paragraph (c), the results of audit follow-up, or any changes in personnel or systems affecting the program indicate significantly increased risk and preclude the program from being low risk. For a Type A program to be considered low-risk, it must have been audited as a major program in at least one of the two most recent audit periods (in the most recent audit period in the case of a biennial audit), and, in the most recent audit period, the program must have not had: (i) Internal control deficiencies which were identified as material weaknesses in the auditor's report on internal control for major programs as required under §200.515 Audit reporting, paragraph (c); (ii) A modified opinion on the program in the auditor's report on major programs as required under §200.515 Audit reporting, paragraph (c); or (iii) Known or likely questioned costs that exceed five percent of the total Federal awards expended for the program.” BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Major Program Determinations cont’d §200.519   Criteria for Federal program risk. “(c) Oversight exercised by Federal agencies and pass-through entities. (1) Oversight exercised by Federal agencies or pass-through entities could be used to assess risk. For example, recent monitoring or other reviews performed by an oversight entity that disclosed no significant problems would indicate lower risk, whereas monitoring that disclosed significant problems would indicate higher risk.” BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Major Program Determinations contd. Type B Low Risk or High Risk The auditor must identify Type B programs which are high-risk using professional judgment and the criteria in §200.519 Criteria for Federal program risk. “Identify more high-risk Type B programs than at least one fourth the number of low-risk Type A programs identified as low-risk under Step 2 (paragraph (c) of this section). Except for known material weakness in internal control or compliance problems as discussed in §200.519 Criteria for Federal program risk paragraphs (b)(1), (b)(2), and (c)(1), a single criteria in risk would seldom cause a Type B program to be considered high-risk. When identifying which Type B programs to risk assess, the auditor is encouraged to use an approach which provides an opportunity for different high-risk Type B programs to be audited as major over a period of time.” “The auditor is not expected to perform risk assessments on relatively small Federal programs. Therefore, the auditor is only required to perform risk assessments on Type B programs that exceed twenty-five percent (0.25) of the Type A threshold determined in Step 1 (paragraph (b) of this section).” BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Effective date and funding increments (COFAR FAQ .110-13 and 13) Uniform Guidance applies to funding increments to existing awards in cases where the federal agency considers the funding increments to be an opportunity to modify the terms and conditions of the award. Existing federal awards that do not receive incremental funding with new terms and conditions will continue to be governed by the terms and conditions of the federal award. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE 12

Transitional Issues Compliance testing challenges Likely to take several years for “old” funding to run out Challenges related to funds received by subrecipients from pass-through entities (PTE) Also need to understand the federal agency implementation actions in the Joint Interim Final Rule BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Interest Earned – Section 200.305(b)(9) Interest earned on Federal advance payments deposited in interest-bearing accounts must be remitted annually to the Department of Health and Human Services, Payment Management System, Rockville, MD 20852. Interest amounts up to $500 per year may be retained by the non-Federal entity for administrative expense. Increases amount allowed to be retained Annual remittance to one Federal agency BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Section 200.307 – Program income New definition of program income established Non-federal entities are encouraged to earn income to defray program costs where appropriate Use of program income is normally specified in the award If not indicated by the federal awarding agency in the regulations or the terms of the award, program income must be deducted from total allowable costs to determine the net allowable costs BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Internal Controls Must have effective internal controls over compliance with federal awards-Part 303 Should comply with the internal control requirements issued by the Governmental Accountability Office (GAO) in Standards for Internal Control in the Federal Government also known as the “Green Book” and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the Internal Control Integrated Framework BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Internal controls over compliance with federal awards Part 6 of the Uniform Guidance Compliance Supplement contains a framework for internal control over compliance with federal awards that include suggested internal controls for each of the five elements of the COSO framework for each of the A-N compliance requirements However, this compliance supplement has historically been considered a document that helps auditors as opposed to explicit internal control criteria for recipients BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

COFAR FAQ #1 – internal controls clarification There is no expectation or requirement that the recipient document or evaluate internal controls prescriptively in accordance with COSO or the Green Book or that the recipient or auditor reconcile technical differences between them COSO and Green Book are provided solely to alert recipients to source documents for best practices Should is meant to be a “best practice” and not a presumptively mandatory requirement BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Green Book The Green Book was issued in September of 2014 The Green Book is essentially an adaptation of the 5 components and 17 principles of COSO to the federal government and now the potentially broader recipient community as a best practice document for internal controls over compliance BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

2017 OMB Compliance Supplement – Compliance Requirements A – Activities Allowed or Unallowed B – Allowable Costs/Costs Principles (Generally N/A for SFA Cluster) C – Cash Management D – Reserved E – Eligibility F – Equipment/Real Property Management (Generally N/A for SFA Cluster) G – Matching, Level of Effort, and Earmarking H – Period of Performance (N/A for Department of Education but not Department HHS) I – Procurement/Suspension and Debarment (Generally N/A for SFA Cluster) BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

2017 OMB Compliance Supplement – Compliance Requirements J – Program Income K – Reserved L - Reporting N1 – Separate Funds (HPSL/PCL/LDS, NSL, FPL) N2 – Verification N3 – Disbursements to or on Behalf of Students N4 – Return of Title IV Funds N5 – Enrollment Reporting N6 – Student Loan Repayments (FPL, HPSL/PCL/LDS and NSL, and NFLP) BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

2017 OMB Compliance Supplement – Compliance Requirements N7 – Federal Work Study N8 – Borrower Data Transmission and Reconciliation (Direct Loan) N9 – Institutional Eligibility N10 – Zone Alternative (Not applicable to public entities N11 – Written Arrangements with Another Institution, Consortium, or Organization to Provide Educational Programs N12 – Short Term Programs at Postsecondary Vocational Institutions N13 – Federal Perkins Loan Liquidation BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

2017 OMB Compliance Supplement Changes Appendix V, List of Changes for the 2017 OMB Compliance Supplement, identifies all changes at a high level Important road map that should be used Identifies specific programmatic changes by Catalog of Federal Domestic Assistance (CFDA) number BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

2017 OMB Compliance Supplement Changes – SFA Changes US Department of Education (ED) issued memorandum, “Applicability of  Single Audit Act Regulations to the Title IV Student Aid Programs”  Established annual audit requirement for Student Financial Assistance (SFA) and other Title IV funds when they would not otherwise be considered a major program using the UG Allowed ED to provide a waiver – auditees had to contact ED for approval 2017 OMB Compliance Supplement draft of SFA program did not include updated guidance U.S. Department of Education planning to add a new section in 2018 OMB Compliance  Supplement on Securing Student Information for auditors to test Based on requirements for Institutions of Higher Education administering a student financial assistance program to comply with the Safeguards Rule of the Gramm-Leach Bliley Act (GLBA)  Considering adding a compliance check to the 2018 Compliance Supplement The Safeguard Rules requires campus to make a good faith effort to identify its specific information security risks and development risk management and contingency plans. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Eligibility and Computer System Considerations Compliance Supplement does not provide suggested audit procedures for auditors to test the underlying computer systems that are used in eligibility determinations Refer to generally accepted auditing standards (GAAS) for guidance when computer processing relates to accounting information that can materially affect the financial statements being audited “auditor should follow this guidance and consider the non-Federal entity’s computer processing” “auditor should perform audit procedures relative to the computer system for eligibility as necessary to support the opinion on compliance for the major program” Testing can be performed in conjunction with internal control testing over eligibility BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Uniform Guidance 2CFR 200 Subpart F Audit Requirements BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Sec. 200.5XX, Audit Requirements Revisions Focus Audit On Risk: Increases audit threshold to $750,000 Focuses on risk based approach to determine major programs. Provides for greater transparency of audit results. However, no significant reduction in the number of compliance requirements subject to audit BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Single Audit Reports on the Web All auditees must submit the reporting package and the DCF electronically to the Federal Audit Clearinghouse (FAC). FAC submission process will be changed to require text-based PDF and unlocked, unencrypted. FAC responsible to make the reports publically available on a website: Auditors and auditees must ensure reports do not include Protected Personally Identifiable Information (PPII); Auditee must sign certification statement (to be revised on DCF) that reporting package does not include PPII BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Protected PII Definition “An individual’s first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, age and place of birth, mother’s maiden name, criminal, medical and financial records, and educational transcripts. This does not include PII that is required by law to be disclosed.” BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Sec. 200.510(b) SEFA Additions Total amount provided to subrecipients from each federal program Previous guidance only required “to the extent practical” Include in the notes to the SEFA whether or not non-federal entity elected to use the 10% de minims cost rate BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Example SEFA Under Uniform Guidance Federal Grantor/Pass Through Grantor/Program Title Federal CFDA Number Pass Through Entity Identifying Number Federal Expenditures Expenditures to Subrecipients XXX 93.XXX N/A $10,000,000 $3,000,000 BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Uniform Guidance-SEFA Totals for cluster of programs on the face of the SEFA Federal awards expended related to loan programs and non-cash assistance must now be on the face of the SEFA, not the notes to the SEFA Ending loan balances also in the notes for those loans with continuing compliance requirements except for situations where institution of higher education does not make the loans BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

OMB Uniform Guidance audit requirements – findings Indicate whether current year finding was a repeat of a prior year finding and the prior year finding number Threshold for reporting questioned costs findings is$25,000 BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Definition of a finding Significant deficiencies and material weaknesses in internal control over major programs and significant instances of abuse relating to major programs. Material noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards related to a major program. Known questioned costs that are greater than $25,000 for a type of compliance requirement for a major program. Known questioned costs that are greater than $25,000 for a Federal program which is not audited as a major program. Known or likely fraud affecting a Federal award, unless such fraud is otherwise reported as an audit finding in the schedule of findings and questioned costs for Federal awards. Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee materially misrepresents the status of any prior audit finding. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Internal control over compliance Management is required to have internal controls related to each applicable compliance requirement. Auditor is required to walkthrough and test management internal controls over each of the compliance requirement. Controls can include a review and approval function. Work with your audit team to discuss the controls being tested. The agency could have compensating controls. When exceptions are identified in our control testing, we assess if it is an isolated instance or a control finding. A compliance finding is normally an indicator that the design of the internal control is not sufficient or that they are operating effectively. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Compliance requirements For each program, we identify the applicable compliance requirements using the Compliance Supplement and any specific grant agreement for that particular program and perform compliance testing. If errors or discrepancies are identified during our testing, we first work with management to determine the facts and circumstances and if we have all of the information. Working with management, we will conclude on the nature and cause of the discrepancy or error and conclude if it is a finding. We assess the severity of finding and its impact on the overall opinion on compliance for the program. We draft a finding for management’s review. Again, we will also evaluate whether or not this compliance finding was the result of a failure in internal controls. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Uniform Guidance Reports Issued In-relation report on the Schedule of Federal Expenditures Report on Internal Control over Financial Reporting and on Compliance with Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards Report on Compliance for Each Major Federal Program; Report on Internal Control Over Compliance and Report on Schedule of Expenditures of Federal Awards Required by Uniform Guidance Schedule of Findings and Questioned Costs Corrective action plan - separate document on non-federal entity letterhead Summary schedule of prior audit findings - will now also include financial statement findings Summary schedule of prior audit findings will have to indicate reason for findings not being fully corrected as well as any differences between planned and previously reported corrective actions BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Federal Audit Clearinghouse (FAC) Repository of Record for Reporting Packages Federal agencies and PTEs obtain copies by accessing FAC Website. Subrecipient only required to submit reporting package to FAC and no longer required to submit to PTE. PTE no longer required to retain copy of subrecipient reporting package as will be on the Web. PTE should maintain evidence that they accessed the FAC and performed any required monitoring of Subpart F audits Commenters recommended additional language to make explicit that the Federal Audit Clearinghouse is the repository of record and authoritative source for single audit reports. Federal agencies, pass-through entities, and others interested should therefore obtain it by accessing the clearinghouse rather than requesting it directly from the non-Federal entity. The COFAR agreed that the proposed addition would likely reduce administrative burden and recommended the addition.   __.503 Relation To Other Audit Requirements Commenters recommended that language be added to this section to explicitly require Federal agencies or pass-through entities to review the Federal Audit Clearinghouse for existing audits submitted by the entities, and to rely on those to the extent possible prior to commencing an additional audit. The COFAR concurred with the suggestion and recommended the addition in order to reduce duplication by better leveraging existing audit resources prior to initiating new engagements. BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Other Resources EY Technical Line, Federal grant policies for recipients are streamlined and changed, January 9, 2014 EY Technical Line, GAO updates internal control standards for the federal government, September 15, 2014 *These are available upon request from EY BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE

Question and Answer BUILDING ON OUR MOMENTUM! WVASFAA FALL 2017 CONFERENCE