Single Audit Overhaul

Easing the burden?

  • IT IS IMPERATIVE THAT the audit engagement team have a thorough understanding of the changes in both the Single Audit Act Amendments of 1996 and the recently revised OMB circular A-133.

  • AUDITORS MUST DETERMINE major programs. That is, they must understand and evaluate the risk of individual federal programs based on factors such as current and prior audit experience, previous federal oversight and the program's inherent risk.

  • AUDITORS ARE REQUIRED to render a compliance opinion on the major programs. They should be prepared to develop audit procedures and perform tests to support their opinions.

  • THEY ALSO MUST ENSURE INTERNAL CONTROL over compliance is sufficient to support a low assessed level of control risk. Because the circular does not define a low assessed level of control risk, auditors must decide on the amount and type of testing.

  • AUDITORS MUST COMPLY WITH new forms, schedules and audit reports, including a data collection form that must be prepared and signed by both auditees and auditors and a schedule of findings and questioned costs.

  • SUBRECIPIENTS THAT FALL under the dollar threshold for single audits may be required to have limited-scope audits. This could provide new opportunities for auditors.
Mary McKnight Foelster , CPA, is a technical manager in the AICPA professional standards and services division. George A. Scott , CPA, is a partner of Deloitte & Touche, Fort Worth, Texas. He is the chairman of the AICPA single audit working group that developed SOP 98-3 and is a former chairman of the AICPA government accounting and auditing committee.

I n the last two years, the government has overhauled the audit policies for entities that receive federal awards. President Clinton signed the Single Audit Act Amendments of 1996, which significantly changed the audit requirements for not-for-profit organizations and state and local governments, and in June 1997 the OMB issued Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations , and the OMB Circular A-133 Compliance Supplement to provide guidance to auditors who implement the new laws.

The act simplified the audit process by consolidating OMB Circular A-128, Audits of State and Local Governments , and circular A-133 (see exhibit 1, page 77). It is expected to reduce many of the audit burdens facing these governments and not-for-profit organizations by increasing the dollar threshold that triggers a single audit requirement. It also should make these audits more effective by focusing them on the programs that present the greatest financial risk to the federal government.

While these are but a few of the changes, they provide a flavor of the extent and scope of the new requirements. As auditors begin to perform these audits, it is imperative that the entire audit engagement team have a thorough understanding of the objectives of both the 1996 act and the revised circular A-133. The most important auditor considerations follow.

The circular no longer requires auditors to test all programs exceeding a certain dollar threshold. Instead, they must use what is commonly referred to as a "risk-based approach" to determine major programs for audit-an overall evaluation of the material compliance risks for each federal program and of factors such as prior and current audit experience, prior federal oversight and the program's inherent risk.

The New Threshold
Revised OMB circular A-133 reduces the audit burden on the management of smaller entities by increasing to $300,000 from $25,000 the threshold that triggers a single audit.

Auditors must use a four-step process to determine which federal programs to treat as major: The auditor should (1) identify the larger federal programs, (2) determine which of the larger programs are low risk, (3) identify smaller programs that are high risk using professional judgment and certain criteria in the circular and (4) identify major programs for testing based on the results of the first three steps. The auditors' judgment will be presumed correct if they have properly performed and documented the risk assessment process in the circular. Therefore, auditors must clearly document the risk assessment process and related conclusions. Under certain circumstances-such as during the first year the entity is subject to an audit under the revised circular-auditors can elect not to apply the risk-based approach. When this occurs, auditors generally would determine major programs by using the first step of the four-step process.

The revised A-133 requires auditors to render an opinion on compliance with laws, regulations and the provisions of contracts or grants that could have a direct and material effect on each of the entity's major programs. In other words, auditors must focus only on the compliance requirements for federal programs identified as major, rather than on all federal programs. Auditors should determine which of the 14 types of compliance requirements—identified in the circular's compliance supplement—could have a direct and material effect on each major program and document their conclusions. They should develop appropriate audit procedures or use the audit objectives and procedures suggested in the supplement and then perform tests to support their opinion on compliance for each major program.

As required in the past, entities must maintain internal control over federal programs to provide reasonable assurance that they are managing federal awards in compliance with laws, regulations and the provisions of contracts or grants. However, under the new rules, auditors must determine whether internal control over compliance is sufficient to support a low assessed level of control risk. Auditors must plan and perform testing of internal control over compliance requirements that are applicable to each major program. They also must assess control risk.

Auditors need to consider control risk assessments when designing compliance tests. However, they are not required to plan and perform tests of controls when it is likely internal control over compliance will not effectively prevent or detect noncompliance. When this occurs, auditors should communicate the existence of a "reportable condition"—including whether the condition is a material weakness. Auditors also should assess control risk at the highest level and determine whether they need to do more compliance testing.

Because the circular and other professional literature do not define a low assessed level of control risk, the amount of testing and the types of tests are up to the auditor's judgment. These tests may include transactional testing, inquiries of appropriate personnel, an inspection of documents and reports and both the observation and performance of applying the specific control policy or procedure.

Exhibit 1: The New Circular A-133
Significant changes are described below:
  • The 1996 act, circular A-133 and the compliance supplement cover all state and local governments and not-for-profit organizations.
  • The threshold for entities subject to single audits was raised to $300,000 in expended funds from $25,000 in receipts.
  • The report due date was shortened to 9 months from 13 months after a two-year transition.
  • Auditors are required to identify major programs on the basis of a risk assessment rather than solely on the basis of federal expenditures.
  • Auditors report only certain known and likely questioned costs.
  • Certain federal programs with separate Catalog of Federal Domestic Assistance (CFDA) numbers must be clustered and treated as one program.
  • There is a greater emphasis on the entity's internal control over compliance for federal programs. Also, auditors now must obtain an understanding of internal control over federal programs that is sufficient to plan the audit to support a low assessed level of control risk for major programs.
  • Entities have more responsibility for monitoring subrecipients.
  • Both auditees and auditors must complete and sign a data collection form.

When the test results do not support a low assessed level of control risk, the circular does not require auditors to expand internal control testing. Instead, they must evaluate whether a reportable condition exists and whether it is a material weakness.

The auditor must report material noncompliance in the circular's schedule of findings and questioned costs. To determine whether a noncompliance finding should be reported, auditors should consider each finding in relation to a type of compliance requirement, such as eligibility and reporting, for a major program, or an audit objective identified in the provisional compliance supplement. The circular requires that known questioned costs (those specifically identified by the auditor) greater than $10,000 for a type of compliance requirement for a major program must be included in the schedule. Further, auditors also must calculate the best estimate of total costs to which the circular refers as likely questioned costs. When known questioned costs are less than $10,000 for a type of compliance requirement, but likely questioned costs are greater than $10,000, the finding also must be included in the schedule. While the auditor reports only the amount of the known questioned costs in this situation, the finding should clearly provide information on how pervasive the problem is.

Exhibit 2: The Paperwork
The revised circular has significantly changed the area of auditor reporting. No longer will auditors need to issue 8 to 10 reports in conjunction with a single audit. The following 3 audit reports, which will be issued for each single audit, are illustrated in the AICPA's new SOP 98-3, (see exhibit 3 on page 78):
  • The report on financial statements and the schedule of expenditures of federal awards.
  • The combined report on compliance and on internal control over financial reporting based on the audit of the financial statements as required by the yellow book.
  • The combined report on compliance with the requirements applicable to each major program and on internal control over compliance as required by OMB circular A-133.

    Note that several alternatives of each report are included in the SOP to demonstrate the effect of various circumstances. The new SOP also includes examples of program-specific audit reports.

    The illustrative reports are available in the SOP or auditors can find them on the AICPA faxback system at 201-938-3787, document no. 311 and the AICPA Web site at It should be noted that although the circular does not preclude the issuance of reports that are not combined, auditors should exercise care in issuing reports that differ from the illustrations in the SOP to assure that the many unique reporting requirements are met.

Also, when auditors identify exceptions (both known and likely) that are greater than $10,000 in the aggregate for a major program but less than $10,000 for any type of compliance requirement, they need not report them. For example, no finding would be reported in the schedule if the total dollar amount of both known and likely questioned costs was $20,000, if $6,000 related to allowable costs/cost principles, $6,000 related to eligibility and $8,000 related to cash management.

Both auditor and auditee reporting will be distinctly different under the new guidance (see exhibit 2, page 77). For example, the schedule of findings and questioned costs—which must be issued by the auditor in every audit—includes three components: a summary of auditor results, findings related to the financial statements required to be reported by the GAO's Government Auditing Standards (the yellow book) and the findings and questioned costs related to the federal awards.

Exhibit 3: The AICPA's Response
The AICPA developed the following guidance on how to conduct and report on single audits under the new requirements.

Statement of Position. In response to the changes in the single audit process, the AICPA issued SOP 98-3, Audits of States, Local Governments, and Not-for-Profit Organizations Receiving Federal Awards (product no. 014904JA). This SOP provides comprehensive guidance on the auditor's responsibilities when conducting a single audit or program-specific audit in accordance with the act and with circular A-133. In addition to providing an overview of the auditor's responsibilities in an audit of federal awards, this SOP describes

  • The applicability of the act and circular A-133.
  • The auditor's responsibility for testing and reporting on the schedule of expenditures of federal awards.
  • Some of the unique planning considerations associated with single audits.
  • The auditor's responsibility for considering internal control and performing tests of compliance with applicable laws, regulations and program compliance requirements under GAAS, the yellow book and circular A-133.
  • The auditor's responsibility for reporting. It also provides examples of the reports required by circular A-133 (see exhibit 2).
In addition, the SOP incorporates guidance on various SASs, including SAS no. 74, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance , the yellow book and the compliance supplement.

The SOP can be ordered through the AICPA order department at 800-862-4272. Certain illustrative guidance and answers to frequently asked questions also can be found on the AICPA faxback system at 201-938-3787, document nos. 311, 313 and 316, and the AICPA Web site at

Nonauthoritative Implementation Guide . The AICPA is currently working on guidance in the form of a nonauthoritative implementation guide. The guide will provide auditors with a more detailed hands-on look at how to perform single audits under the new requirements. It provides illustrations, including case studies, an example of how an auditor might document the process and conclusions reached under the risk-based audit approach and a sample planning checklist. The guide is expected to be issued this year.

The auditee also has several, more extensive reporting requirements, many of which must be audited. These include preparing

  • Appropriate financial statements.
  • A schedule of expenditures of federal awards.
  • A summary schedule of prior audit findings.
  • A corrective action plan for each current-year audit finding.

Auditors must perform procedures to determine the reasonableness of the summary schedule of prior audit findings. If auditors conclude the auditee has materially misrepresented the status of a prior-year finding, they should report it as a current-year finding. Also, auditors should consider the effect of such a misrepresentation on their reports and possibly in the risk assessment process used to determine major programs.

Signature requirement. The circular requires a data collection form to be jointly prepared and signed by the auditee and auditors. This form essentially summarizes information contained in the schedule of expenditures of federal awards and in the auditors' reports. Auditees must submit a copy of the data collection form along with the reporting package described in the circular to the Federal Audit Clearinghouse in Jeffersonville, Indiana.

In the past, many pass-through entities relied on a single audit to monitor their subrecipients. However, because the revised circular increased the dollar threshold for a single audit, pass-through entities may require limited-scope audits to monitor subrecipients. This will probably give auditors the opportunity to perform more limited-scope audits on smaller entities.

The circular defines limited-scope audits as agreed-upon procedures engagements performed in accordance with GAAS or attestation standards paid for and arranged by a pass-through entity. They must address one or more of the following types of compliance requirements:

  • Activities allowed or unallowed.
  • Allowable costs/cost principles.
  • Eligibility.
  • Matching, level of effort, earmarking.
  • Reporting.

The new requirements, especially the implementation of the risk-based approach, will pose a challenge for auditors. For this reason, audit planning, which is already one of the most crucial steps in the audit process, is even more significant. It is vital auditors have an in-depth understanding of the compliance requirements relating to each of the major programs. This, coupled with an understanding of internal control over compliance, should ensure that the auditors perform efficient and effective single audits.

Case Study—Auditors In Training:
How one state prepared its auditors for the plunge
The Arizona Office of the Auditor General chose not to take the extension to implement the new risk-based audit requirements under the Single Audit Act Amendments of 1996 and OMB circular A-133. As Debra K. Davenport, deputy auditor general, put it, they are biting the bullet this first year of implementation and are getting it done. But that doesnt mean that the government isnt prepared to do it right the first time. In fact, as soon as the 1996 act was passed, this auditor generals office started an extensive training program to prepare not only its own auditors but also the auditees in all of Arizonas governments that must account for federal awards.

The Arizona auditor generals office—approximately 110 auditors responsible for auditing all the state agencies, counties, community colleges and universities—had very little time to waste in getting the ball rolling. All of the entities the office is required to audit under the revised OMB circular have June 30 yearends; therefore, the auditor generals office will be required to have all of the audit reports completed in 13 months. By the year 1999, the auditor generals office will have only 9 months after the entities yearend to complete the entire audit package.

Education campaign
Last year, the Arizona auditor generals office invited Jerry C. Skelly of the GAO Accounting and Information Management Division to meet with its own staff, as well as auditees from state entities that were receiving federal awards, to ensure they were prepared to meet the revised OMB circular requirements. "Most of the auditees needed more information on the new requirements," said Davenport. "We also provided them with additional training classes broken down by the type of entity, such as community colleges, universities and state and county governments."

Davenport said her office continues to hold training for its own staff as well. For example, it has provided its auditors with extensive training on the OMB circular A-133 compliance supplement—used to detail the compliance requirements—and just recently scheduled a presentation with Sheila O. Conley, OMB policy analyst. "Sheila told us the Federal Audit Clearinghouse was returning to auditors around the country as many as 95% of the data collection forms because they had not been completed correctly," said Davenport. "So we are spending more time to ensure the data collection forms we see are done correctly. We also have put together a package of information for our auditees to help them complete the form correctly the first time around."

The office also has formed a special task force to develop audit programs and new tools the audit staff can use when assessing high-risk programs.

Later hours
"We understand the first couple of years will be an education period," said Davenport. "Our auditors are used to testing the same exact programs year after year, and we anticipate it will take a little bit longer to determine high-risk programs and to do the first-year reports." Davenport said she expects each audit to take at least 10% more time to complete under the new audit requirements. Nonetheless, her office does not plan to hire more staff to help out. "We are just going to absorb the workload," she said.

Davenport does not expect the new internal control requirements to have a big impact on workload because her office "traditionally has tested internal controls extensively." However, her staff is spending a lot of time working with the auditees on the data collection form. "We want the auditees to take ownership of filling out the data collection form," said Davenport.

A positive change
Davenport said the new audit requirements for federal awards will result in better quality audits. "Before the 1996 act was passed, our office wanted to take a closer look at a larger variety of federal programs. The changes have made it clearer to us what areas the federal government wants us to examine." Davenport admits there is a lot more work as her office implements the new standards, but she is certain her auditors and the auditees are prepared. "By early implementing absolutely everything, we have moved ahead quickly," said Davenport.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.