Single Audit Fundamentals: A Refresher Presented by Frank Crawford, CPA Crawford & Associates, P.C.

Today's topics Refresher on the basic requirements of the Single Audit process and OMB Circular A- 133, including –Risk based approach for determining major programs –Documentation and testing of internal controls over compliance –Auditor reporting Take some questions

Not sure what to do? Not sure who to ask?

Government Auditing Standards The Single Audit Act and OMB Circular A- 133 require the use of Government Auditing Standards A new Yellow Book (Government Auditing Standards) was issued in July 2007, so be familiar with its requirements

Government Auditing Standards Yellow Book = GAGAS = Generally Accepted Government Audit Standards = Government Auditing Standards Applies to audits of government entities, programs, activities, and functions and of government assistance administered by contractors, not-for profit entities, and other nongovernmental entities, when required by statute or other rules or regulations, or when the auditors hold themselves out as following these standards

Government Auditing Standards Relationship to AICPA Standards Under Government Auditing Standards, auditors follow the general standards included in Chapter 3 of the Yellow Book, which cover independence, including personal, external, and organizational impairments, professional judgment, competence of audit staff, and quality control and assurance For financial statement auditsGovernment Auditing Standards currently incorporate the fieldwork and reporting standards of generally accepted auditing standards (GAAS) and the related SASs issued by the AICPA

Government Auditing StandardsRelationship to AICPA Standards Under Government Auditing Standards, auditors also have fieldwork and reporting responsibilities that go beyond the AICPA standards, and are in addition to the AICPA standards, just as the Single Audit requirements have fieldwork and reporting responsibilities that go beyond the Government Auditing Standards…

Overview of OMB Circular A- 133 Planning and executing the Single Audit (OMB Circular A-133 audit) Basics of OMB A-133

Objectives of a Single Audit 1.Audit of financial statements and reporting on the SEFA 2.Compliance audit of federal awards the term single audit could be perceived as misleading by some, since it appears that we are actually doing two audits; one on the fair presentation of the financial statements, and the other on compliance with major federal programs…

Audit Scope and Objectives of A-133 Single Audit Conducted in accordance with Government Auditing Standards (GAS) Covers entire operations of the organization Fairly presented financial statements Adequate internal control structure Compliance with laws and regulations Follow-up on prior audit findings

Some questions about single audit Why is there a Single Audit Act? Who is subject to the Single Audit Act? What are the audit requirements under OMB A-133? What is a federal award? What is a CFDA number?

Why is there a Single Audit Act? Lack of audits of federal funds Too much focus on individual grants Overauditing

Who is subject to the Single Audit Act? Non-federal entities… Others????

What are the audit requirements under OMB A-133? Federal grant expenditures >= $500,000 Single audit versus program-specific audit

What is defined as an expenditure of a federal award? Be careful that you understand what constitutes an expenditure of a federal award; it is probably much more broad than you think… –Para 205 of A-133 defines it well Examples outside of a normal definition of an expenditure –Outstanding loan balances, receipt of surplus property, are just a few…

What is a CFDA number? Catalog of Federal Domestic Assistance OMB A-133 defines a federal program as all federal awards under the same CFDA number

Planning the OMB A-133 Audit Defining the entity to be audited Determining the audit period Timing of audit completion Obtain schedule of expenditures of federal awards

Planning the A-133 Audit: Risk based approach to determining major programs Determine low-risk auditee status Determine major programs –Risk-based approach –Four-step approach considers numerous factors: Results of prior audits Dollars involved inherent program risks Percentage of coverage rule (depends upon low-risk auditee determination)

Low-Risk Auditee Criteria Must meet all of the following for each of the two preceding years: Single audits performed Unqualified opinions No material weaknesses in internal control over financial reporting No findings in Type A programs in preceding 2 years –material weaknesses in internal control –material noncompliance –known or likely questioned costs > 5% of expenditures for that Type A program

Low-Risk Auditee Criteria and Percentage of Coverage Rule If considered a low-risk auditee, then AT THE END of the 4 step process in determining major programs, the auditor must have selected enough programs as major that equals or exceeds –25% of total federal expenditures If the entity is NOT considered a low-risk auditee, then the amount above changes to –50% of federal expenditures

Risk-Based Approach to Determining Major Programs Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit

Identify Type A Programs Federal expenditures exceeding the larger of: –$300,000 or 3% of total Federal expenditures where total Federal expenditures are > $300,000 AND < $100 million –$3 million or 0.3% of federal expenditures where total expended is >$100 million AND < $10 billion –$30 million or 0.15% of federal expenditures where total expended is > $10 billion

Identify Type A Programs Programs not deemed Type A are Type B…its that simple

Identify low-risk Type A programs GENERALLY low risk if… –a–audited as a major program in at least one of the two most recent audit periods and –i–in the most recent audit period, the program had no findings Auditor judgment Federal agency request

Identify high-risk Type B programs However, if there were no low-risk Type A programs identified in the previous step… then STOP the 4 step process and SKIP this step and go straight to measuring the percentage of coverage, hoping that your Type A high risk programs already meet your percentage of coverage rule; if they dont, then you must pick another program or programs as major until you reach the appropriate percentage of coverage…

Identify high-risk Type B programs If there are low-risk Type A programs… Consider whether Option 1 OR 2 will be used in Step 4 of the Risk-based approach Option 1: Select as major programs, at least 1/2 of Type B programs identified as high-risk under Step 3 Option 2: Select one high-risk Type B program for each low-risk Type A program identified under Step 2

Where we are at… Step 1 Step 2 Step 3 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs

Criteria for Federal Program Risk for B programs Auditor judgment Current & prior audit experience Oversight by Federal agency and pass- through agencies Inherent program risk

Determine Major Programs All Type A programs except those identified as low-risk in Step 2 (i.e. high-risk Type A) Type B programs as identified in Step 3 using 1 of 2 options Such additional programs necessary to comply with 50% coverage rule, or 25% if the entity qualifies as a low-risk auditee

Risk-Based Approach to Determining Major Programs Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit

Documentation and testing of internal controls over compliance

Internal Control over compliance for major programs Auditee responsibilities… Maintain internal control over compliance for federal programs that provides reasonable assurance that the auditee is managing federal awards in compliance with laws, regulations, and provisions of contracts or grant agreements that could have a material effect on each of its federal programs.

Internal Control over compliance for major programs Auditor responsibilities… perform procedures to attain an understanding of internal controls over compliance to plan to support low control risk for major programs plan testing of IC to support low control risk for the assertions relevant to the compliance requirements for each major program perform testing of IC over compliance as planned Report on IC over compliance describing the scope of the testing

Internal Control COSO Study defined Internal Control as: A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: –Effectiveness and efficiency of operations –Reliability of financial reporting –Compliance with applicable laws and regulations Be sure to review Part 6 of the most recent OMB Compliance Supplement …

Requirements for Testing Compliance itself… Determine Applicability Revie w the grant docu ment s Revi ew the com plia nce sup ple men t, part s 2, 3 and 4 Whic h requi reme nts are both appli cable and mater ial Identi fy requir emen ts to test Dete rmin e testi ng proc edur es Perf orm test s Evalu ate comp lianc e

14 Compliance Requirements Activities Allowed or Unallowed Allowable Costs/Cost Principles Cash Management Davis Bacon Act Eligibility Equipment and Real Property Management Matching, level of effort, earmarking Period of Availability Procurement, Suspension and Debarment Program Income Real Property Acquisition and Relocation Assistance Reporting Subrecipient Monitoring Special Tests and Provisions

A-133 Reporting Requirements Single audit reporting package Financial statements Schedule of expenditures of federal awards (SEFA) All applicable footnotes to both F/S and SEFA Auditor's reports Schedule of findings and questioned costs Summary Schedule of Prior Audit Findings (if applicable) Corrective Action Plan (if applicable) Data Collection Form

Auditors Reports Reports required Financial Statement opinion(s) Compliance and I/C and over financial reporting and other matters (Yellow Book) Compliance and I/C over major programs (A-133 report)

Schedule of Findings and Questioned Costs Section 1 Summary of auditors results Section 2 Financial statement findings Section 3 Federal award findings and questioned costs

Audit Findings for A-133 Significant deficiencies and material weaknesses in internal control over major federal programs Material noncompliance with rules and regs Instances where prior year finding has not been resolved Known questioned costs > $10,000, and known questioned costs < $10,000 when extrapolation of testing results in likely QC exceeding $10,000 Known fraud

Significant Deficiencies and Material Weaknesses – New Definitions (SAS 112 impact) Significant deficiency and material weakness: –A significant deficiency[1] is a control deficiency, or combination of control deficiencies, that adversely affects the entitys ability to administer a federal program such that there is more than a remote likelihood[2] that noncompliance with a type of compliance requirement[3] of a federal program that is more than inconsequential[4] will not be prevented or detected.[1][2][3][4] –A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that material noncompliance with a type of compliance requirement[5] of a federal program will not be prevented or detected.[5] – [1] The term significant deficiency replaces the term reportable condition currently used in Circular A-133. [1] –[2] The term remote likelihood as used in the definitions of the terms significant deficiency and material weakness has the same meaning as the term remote as used in Financial Accounting Standards Board Statement of Financial Accounting Standards No. 5, Accounting for Contingencies. Therefore, the likelihood of an event is more than remote when it is at least reasonably possible.[2] –[3] See footnote 1.[3] –[4] Noncompliance with a type of compliance requirement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected noncompliance, that the noncompliance, either individually or when aggregated with other noncompliance related to the same type of compliance requirement, would clearly be immaterial to a federal program. If a reasonable person would not reach such a conclusion regarding a particular noncompliance, that noncompliance is more than inconsequential.[4] –[5] See footnote 1.[5]

Summary Schedule of Prior Audit Findings Responsibility of the auditee Part of the reporting package Should include… –finding reference numbers –status of the finding

Data Collection Form Information must agree with auditors reports and schedule of findings and questioned costs Must be completed and signed by both auditee and auditor

Questions?

AICPA Assistance AICPA Audit Guide, Government Auditing Standards and OMB Circular A-133 Audits GAS/A133 Audit Risk Alert Practice Aid: Auditing Recipients of Federal Awards: Practical Guidance for Applying OMB Circular A-133 – Edition Federal single audit roundtable Government Audit Quality Center