Mary McKnight Foelster, CPA, is a technical manager in the AICPA professional standards and services division. George A. Scott, CPA, is a partner of Deloitte & Touche, Fort Worth, Texas. He is the chairman of the AICPA single audit working group that developed SOP 98-3 and is a former chairman of the AICPA government accounting and auditing committee.
In the last two years, the government has overhauled the audit policies for entities that receive federal awards. President Clinton signed the Single Audit Act Amendments of 1996, which significantly changed the audit requirements for not-for-profit organizations and state and local governments, and in June 1997 the OMB issued Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, and the OMB Circular A-133 Compliance Supplement to provide guidance to auditors who implement the new laws.
The act simplified the audit process by consolidating OMB Circular A-128, Audits of State and Local Governments, and circular A-133 (see exhibit 1, page 77). It is expected to reduce many of the audit burdens facing these governments and not-for-profit organizations by increasing the dollar threshold that triggers a single audit requirement. It also should make these audits more effective by focusing them on the programs that present the greatest financial risk to the federal government.
While these are but a few of the changes, they provide a flavor of the extent and scope of the new requirements. As auditors begin to perform these audits, it is imperative that the entire audit engagement team have a thorough understanding of the objectives of both the 1996 act and the revised circular A-133. The most important auditor considerations follow.
KNOWING WHAT IS MAJOR
The circular no longer requires auditors to test all programs exceeding a certain dollar threshold. Instead, they must use what is commonly referred to as a "risk-based approach" to determine major programs for audit: an overall evaluation of the material compliance risks for each federal program and of factors such as prior and current audit experience, prior federal oversight and the program's inherent risk.
The New Threshold
Revised OMB circular A-133 reduces the audit burden on the management of smaller entities by increasing to $300,000 from $25,000 the threshold that triggers a single audit.
Auditors must use a four-step process to determine which federal programs to treat as major: The auditor should (1) identify the larger federal programs, (2) determine which of the larger programs are low risk, (3) identify smaller programs that are high risk using professional judgment and certain criteria in the circular and (4) identify major programs for testing based on the results of the first three steps. The auditors' judgment will be presumed correct if they have properly performed and documented the risk assessment process in the circular. Therefore, auditors must clearly document the risk assessment process and related conclusions. Under certain circumstances, such as during the first year the entity is subject to an audit under the revised circular, auditors can elect not to apply the risk-based approach. When this occurs, auditors generally would determine major programs by using the first step of the four-step process.
A NEW FOCUS
The revised A-133 requires auditors to render an opinion on compliance with laws, regulations and the provisions of contracts or grants that could have a direct and material effect on each of the entity's major programs. In other words, auditors must focus only on the compliance requirements for federal programs identified as major, rather than on all federal programs. Auditors should determine which of the 14 types of compliance requirements—identified in the circular's compliance supplement—could have a direct and material effect on each major program and document their conclusions. They should develop appropriate audit procedures or use the audit objectives and procedures suggested in the supplement and then perform tests to support their opinion on compliance for each major program.
As required in the past, entities must maintain internal control over federal programs to provide reasonable assurance that they are managing federal awards in compliance with laws, regulations and the provisions of contracts or grants. However, under the new rules, auditors must determine whether internal control over compliance is sufficient to support a low assessed level of control risk. Auditors must plan and perform testing of internal control over compliance requirements that are applicable to each major program. They also must assess control risk.
Auditors need to consider control risk assessments when designing compliance tests. However, they are not required to plan and perform tests of controls when it is likely internal control over compliance will not effectively prevent or detect noncompliance. When this occurs, auditors should communicate the existence of a "reportable condition"—including whether the condition is a material weakness. Auditors also should assess control risk at the highest level and determine whether they need to do more compliance testing.
Because the circular and other professional literature do not define a low assessed level of control risk, the amount of testing and the types of tests are up to the auditor's judgment. These tests may include transactional testing, inquiries of appropriate personnel, an inspection of documents and reports and both the observation and performance of applying the specific control policy or procedure.
Exhibit 1: The New Circular A-133
Significant changes are described below:
When the test results do not support a low assessed level of control risk, the circular does not require auditors to expand internal control testing. Instead, they must evaluate whether a reportable condition exists and whether it is a material weakness.
IDENTIFYING FINDINGS AND COSTS
The auditor must report material noncompliance in the circular's schedule of findings and questioned costs. To determine whether a noncompliance finding should be reported, auditors should consider each finding in relation to a type of compliance requirement, such as eligibility and reporting, for a major program, or an audit objective identified in the provisional compliance supplement. The circular requires that known questioned costs (those specifically identified by the auditor) greater than $10,000 for a type of compliance requirement for a major program must be included in the schedule. Further, auditors also must calculate the best estimate of total costs, which the circular refers to as likely questioned costs. When known questioned costs are less than $10,000 for a type of compliance requirement, but likely questioned costs are greater than $10,000, the finding also must be included in the schedule. While the auditor reports only the amount of the known questioned costs in this situation, the finding should clearly provide information on how pervasive the problem is.
Exhibit 2: The Paperwork
The revised circular has significantly changed the area of auditor reporting. No longer will auditors need to issue 8 to 10 reports in conjunction with a single audit. The following 3 audit reports, which will be issued for each single audit, are illustrated in the AICPA's new SOP 98-3, (see exhibit 3 on page 78):
Also, when auditors identify exceptions (both known and likely) that are greater than $10,000 in the aggregate for a major program but less than $10,000 for any type of compliance requirement, they need not report them. For example, no finding would be reported in the schedule if the total dollar amount of both known and likely questioned costs was $20,000, if $6,000 related to allowable costs/cost principles, $6,000 related to eligibility and $8,000 related to cash management.
Both auditor and auditee reporting will be distinctly different under the new guidance (see exhibit 2, page 77). For example, the schedule of findings and questioned costs—which must be issued by the auditor in every audit—includes three components: a summary of auditor results, findings related to the financial statements required to be reported by the GAO's Government Auditing Standards (the yellow book) and the findings and questioned costs related to the federal awards.
Exhibit 3: The AICPA's Response
The AICPA developed the following guidance on how to conduct and report on single audits under the new Statement of Position. In response to the changes in the single audit process, the AICPA issued SOP 98-3, Audits of States, Local Governments, and Not-for-Profit Organizations Receiving Federal Awards (product no. 014904JA). This SOP provides comprehensive guidance on the auditor's responsibilities when conducting a single audit or program-specific audit in accordance with the act and with circular A-133. In addition to providing an overview of the auditor's responsibilities in an audit of federal awards, this SOP describes
The SOP can be ordered through the AICPA order department at 800-862-4272. Certain illustrative guidance and answers to frequently asked questions also can be found on the AICPA faxback system at 201-938-3787, document nos. 311, 313 and 316, and the AICPA Web site at www.aicpa.org/belt/a133main.htm.
Nonauthoritative Implementation Guide. The AICPA is currently working on guidance in the form of a nonauthoritative implementation guide. The guide will provide auditors with a more detailed hands-on look at how to perform single audits under the new requirements. It provides illustrations, including case studies, an example of how an auditor might document the process and conclusions reached under the risk-based audit approach and a sample planning checklist. The guide is expected to be issued this year.
The auditee also has several, more extensive reporting requirements, many of which must be audited. These include preparing
- Appropriate financial statements.
- A schedule of expenditures of federal awards.
- A summary schedule of prior audit findings.
- A corrective action plan for each current-year audit finding.
Auditors must perform procedures to determine the reasonableness of the summary schedule of prior audit findings. If auditors conclude the auditee has materially misrepresented the status of a prior-year finding, they should report it as a current-year finding. Also, auditors should consider the effect of such a misrepresentation on their reports and possibly in the risk assessment process used to determine major programs.
Signature requirement. The circular requires a data collection form to be jointly prepared and signed by the auditee and auditors. This form essentially summarizes information contained in the schedule of expenditures of federal awards and in the auditors' reports. Auditees must submit a copy of the data collection form along with the reporting package described in the circular to the Federal Audit Clearinghouse in Jeffersonville, Indiana.
A NEW OPPORTUNITY
In the past, many pass-through entities relied on a single audit to monitor their subrecipients. However, because the revised circular increased the dollar threshold for a single audit, pass-through entities may require limited-scope audits to monitor subrecipients. This will probably give auditors the opportunity to perform more limited-scope audits on smaller entities.
The circular defines limited-scope audits as agreed-upon procedures engagements performed in accordance with GAAS or attestation standards paid for and arranged by a pass-through entity. They must address one or more of the following types of compliance requirements:
- Activities allowed or unallowed.
- Allowable costs/cost principles.
- Matching, level of effort, earmarking.
GET A HEAD START
The new requirements, especially the implementation of the risk-based approach, will pose a challenge for auditors. For this reason, audit planning, which is already one of the most crucial steps in the audit process, is even more significant. It is vital auditors have an in-depth understanding of the compliance requirements relating to each of the major programs. This, coupled with an understanding of internal control over compliance, should ensure that the auditors perform efficient and effective single audits.
Case Study—Auditors In
How one state prepared its auditors for the plunge
The Arizona Office of the Auditor General chose not to take the extension to implement the new risk-based audit requirements under the Single Audit Act Amendments of 1996 and OMB circular A-133. As Debra K. Davenport, deputy auditor general, put it, they are biting the bullet this first year of implementation and are getting it done. But that doesn't mean that the government isn't prepared to do it right the first time. In fact, as soon as the 1996 act was passed, this auditor general's office started an extensive training program to prepare not only its own auditors but also the auditees in all of Arizona's governments that must account for federal awards.
The Arizona auditor general's office—approximately 110 auditors responsible for auditing all the state agencies, counties, community colleges and universities—had very little time to waste in getting the ball rolling. All of the entities the office is required to audit under the revised OMB circular have June 30 yearends; therefore, the auditor general's office will be required to have all of the audit reports completed in 13 months. By the year 1999, the auditor general's office will have only 9 months after the entities' yearend to complete the entire audit package.
Davenport said her office continues to hold training for its own staff as well. For example, it has provided its auditors with extensive training on the OMB circular A-133 compliance supplement—used to detail the compliance requirements—and just recently scheduled a presentation with Sheila O. Conley, OMB policy analyst. "Sheila told us the Federal Audit Clearinghouse was returning to auditors around the country as many as 95% of the data collection forms because they had not been completed correctly," said Davenport. "So we are spending more time to ensure the data collection forms we see are done correctly. We also have put together a package of information for our auditees to help them complete the form correctly the first time around."
The office also has formed a special task force to develop audit programs and new tools the audit staff can use when assessing high-risk programs.
Davenport does not expect the new internal control requirements to have a big impact on workload because her office "traditionally has tested internal controls extensively." However, her staff is spending a lot of time working with the auditees on the data collection form. "We want the auditees to take ownership of filling out the data collection form," said Davenport.
A positive change