A new federal regulation makes this a year of significant change for compliance audits of governments, not-for-profit organizations, institutions of higher education, and Indian tribes expending federal funds (referred to as single audits)—and the practitioners who perform them.
The new regulation, issued by the Office of Management and Budget (OMB), is referred to as the "Uniform Guidance," because it consolidates in one regulatory location (2 C.F.R. 200) federal grants management policy for federal agencies administering federal programs, recipients of federal funds, and auditors. The Uniform Guidance supersedes many former OMB circulars, including the audit requirements in OMB Circular A-133. The new Uniform Guidance audit requirements became effective for the first time for audits of fiscal years beginning on or after Dec. 26, 2014. Among the many resulting changes, the threshold for a required single audit was increased to $750,000 from $500,000, and certain aspects of how auditors select federal major programs to test have been revised.
Because of the high degree of regulatory exposure, single audits were high-risk enterprises even before the changes. This risk and the specialized nature of single audits mean that they are not easy for every firm to perform successfully (see the sidebar, "Doing It Right at Small Firms").
"You can't develop the experience and the expertise to do this if you're only going to do one or two," said Brian Schebler, CPA, national director of public sector services for RSM US and the immediate past chair of the AICPA Governmental Audit Quality Center (GAQC) executive committee. "You need to be developing a practice in this area to ensure an appropriate understanding of the relevant regulations and standards."
Here are best practices that firms would be wise to consider as they perform single audits:
DON'T ACCEPT IF YOU'RE UNPREPARED
Auditors who haven't previously performed single audits may be tempted to try one if they have a not-for-profit or local government client that has received small amounts of federal awards in the past and suddenly meets the threshold for a single audit. They may believe it won't be difficult or have concerns about losing the client. "Unfortunately, they don't recognize that performing a single audit is a completely different ballgame," Schebler said.
Sometimes firms in this situation try to learn as they go along. Others figure that they can catch any mistakes with a preissuance review at the end of the audit. But by the time the reviewer uncovers any mistakes, it may be very difficult to correct them so late in the process. "A firm should accept an engagement only when they have the competency, the ability, and the staffing required to accept that engagement," said Rick Reeder, CPA, CGMA, the owner of Tampa, Fla.-based Reeder & Associates, former chair of the AICPA Peer Review Board and a previous member of the GAQC executive committee.
Effective planning for a single audit starts with developing an understanding of the entity being audited, including its federal funds, and doing a proper risk assessment. This means getting familiar with the entity's people, skills, and attitudes. It also means exploring the federal awards received by the entity and how they are being used.
"That helps you understand what you need to pay attention to, what the compliance requirements are, and what controls might be in place," said Erica Forhan, CPA, a partner in Moss Adams's professional practice group who also chairs the GAQC executive committee. "And everything flows from there."
Junior audit staffers in the field are the first line of defense in finding noncompliance, so they need to understand what they're looking for instead of performing procedures without thinking about their purpose.
Auditors must take care to consider the areas where they have the potential to compromise their independence in a single audit engagement. The Uniform Guidance requires that a financial statement audit also be performed on entities that expend federal funds beyond the $750,000 threshold. One common threat in single audits is the self-review threat if the auditor is preparing the financial statements or performing other nonaudit services.
Another threat is familiarity. An auditor who has performed a single audit for the same client for many years may experience a drop in professional skepticism. Incorporating the element of unpredictability into auditing steps as required by auditing standards can help maintain that professional skepticism.
When performing single audits, auditors need to be familiar with the independence rules in both the AICPA Code of Professional Conduct and Government Auditing Standards (also referred to as the Yellow Book) and use the conceptual frameworks included within each set of requirements to evaluate the various independence threats and implement safeguards to address those threats. The free AICPA Practice Aid 2011 Yellow Book Independence—Nonaudit Services Documentation Practice Aid is a useful tool in identifying and evaluating threats to independence when considering whether to provide a nonaudit service.
ASSESS AND DOCUMENT MANAGEMENT'S SKILLS, KNOWLEDGE, AND EXPERIENCE
If the audit firm is going to assist management with nonaudit services, the individual who is taking management responsibility for those services is required to have the skills, knowledge, and experience (SKE) to perform that task. Before the audit firm performs the nonaudit service, the firm must evaluate whether the SKE requirements are met. This means documenting and assessing the person's education and industry experience. If the nonaudit service includes financial statement preparation, the person's familiarity with accounting standards also should be documented. The AICPA practice aid previously mentioned may also be a resource when documenting management's SKE.
SELECT THE CORRECT PROGRAMS TO AUDIT
The client's required schedule detailing its federal expenditures, referred to as the Schedule of Expenditures of Federal Awards (SEFA), is a key schedule that the auditor uses to determine the scope of the single audit. Therefore, it is important for the auditor to make sure it includes all federal awards. It is also important that the schedule accumulates federal programs correctly, that is, by Catalog of Federal Domestic Assistance (CFDA) number or by defined clusters of programs. The OMB Compliance Supplement defines which federal programs can be considered a cluster of programs. "Since the auditor's selection of programs to audit is first geared toward the consideration of newer, higher-dollar programs ... then not properly identifying programs by CFDA number or as a cluster of programs creates a problem," Schebler said.
Once a complete SEFA is available, practitioners need to be sure to follow the detailed prescriptive steps contained in the Uniform Guidance for selecting federal programs to audit (referred to as determining major programs).
First, the practitioner determines the dollar threshold for differentiating between Type A (larger) and Type B (smaller) programs. This threshold is still based on a sliding scale, but under the Uniform Guidance, the minimum threshold for Type A programs increased from $300,000 to $750,000. For Type A programs, practitioners determine whether or not the program is considered low risk by using specific Uniform Guidance criteria. Type A programs that are low-risk are not required to be audited as a major program. The auditor then identifies Type B programs that are high-risk, using professional judgment and the criteria for federal program risk described in the Uniform Guidance. The auditor will then audit as major programs all high-risk Type A programs and a certain number of high-risk Type B programs using a formula defined in the Uniform Guidance. The practitioner is required to "cover" a defined percentage of the total federal dollars expended in the audit, so additional Type A or Type B programs may need to be added to the mix to satisfy the coverage requirement. Complying with the detailed requirements for these determinations is critical and is a common area of confusion for practitioners.
"But knowing where the rules are, looking them up, following them step by step every time is the way to go," Forhan said. "Don't pretend that you have them memorized, because it's not that easy to memorize them. Just follow them step by step."
CONSIDER DESIGN OF INTERNAL CONTROLS OVER COMPLIANCE
The Uniform Guidance requires auditors to gain an understanding of and test internal controls over compliance for each major program. The assessment of internal controls starts with understanding the direct and material compliance requirements that are relevant to a major program being tested, Forhan said. Looking at the control's design is critical. "I find that auditors often skip that step," she said. "If it's not designed effectively, you can throw it out and not even spend time on it because it's not going to help you in the audit. Of course, you do need to report a finding if it's a significant deficiency or material weakness."
Speaking with clients in terms they understand, and asking commonsense questions, can help auditors determine how controls work. Forhan recommended asking questions such as:
- How do you make sure costs are allocated to the correct federal program?
- How do you know that you have complied with the eligibility requirements?
- What would you do if you found an error?
DOCUMENT THE CONTROLS, NOT THE PROCESS, AND DESIGN DUAL-PURPOSE SAMPLES APPROPRIATELY
When addressing internal control over compliance in a single audit, practitioners may make the mistake of documenting processes rather than the actual controls. In some cases, required control testing may also be overlooked altogether by practitioners, resulting in many quality issues cited by peer reviewers and federal agency reviewers in the past. Another related factor is ensuring appropriate techniques are used when performing dual-purpose testing, where controls and compliance are tested together as part of the same sample, Reeder said. For example, an auditor may test whether costs are allowable from a compliance perspective, as well as whether related controls over allowability are working. Despite the potential pitfalls, dual-purpose testing can be effective if done properly, Schebler added. The sample needs to allow the auditor to assess the level of control risk as low and be appropriate for compliance testing purposes.
The key for dual-purpose testing is to ensure that you pick your sample to meet the objectives for both the compliance test and internal control test. Sometimes practitioners call a sample "dual-purpose" but are really only covering the compliance testing objective, Reeder said.
Additionally, although dual-purpose testing can be effective, picking the wrong sample can lead to mistakes because sometimes a population can be tested for only one thing at a time.
"Be very specific about the control that you're testing, and defining the attribute to describe exactly what you want to see is happening or not happening," Forhan said.
Lastly, caution should be taken on the sample sizes used in a dual-purpose test. "The internal control and compliance tests may or may not require the same sample size," Reeder said. "Let's say you need 40 sample items for your test of internal control but a sample of 50 for your compliance test. You'd want to ensure that you test the appropriate number of items to cover the compliance test requirement."
TEST ALL RELEVANT ASPECTS OF A COMPLIANCE REQUIREMENT
In testing compliance, Forhan said it's important for auditors to know what they are testing, which might be different from what they tested last year. The OMB Compliance Supplement, which is updated annually, is a key tool for practitioners to use to understand the compliance requirements and related suggested audit procedures for various federal programs.
"Think about what you're doing," Forhan said. "Don't ever do anything on automatic pilot. You need to really be present and think and be engaged in your audit."
MAKE SURE YOU UNDERSTAND SAMPLING RULES AND THEORY
Sampling can be applied correctly in any situation if a practitioner takes time to really understand the theory, Forhan said. Use the right population, and don't try to make a sample do more than it should.
"And then be sure to select the appropriate number of sample items and evaluate the results of the sampling procedure correctly, recognizing that when you find noncompliance, you cannot just ignore it," Forhan said. "Acknowledge it, recognize it, extrapolate it if you need to, and consider how it affects your testing, because it probably says something about the broader audit you are performing."
REPORT FINDINGS IN ACCORDANCE WITH THE UNIFORM GUIDANCE REQUIREMENTS
Audit findings should be reported according to the criteria found in the Uniform Guidance. Those criteria include what constitutes a finding, as well as the information that needs to be included in the practitioner's write-up of the finding. Also make sure that findings are placed in the appropriate report. For example, audit findings related to the audit of the financial statements should be referred to in the auditor's Yellow Book reporting. Findings relating to the single audit should be referred to in the auditor's Uniform Guidance reporting. The details of all findings should be included in the practitioner's Schedule of Findings and Questioned Costs. Following the required finding numbering protocol and including the required criteria in the finding write-up are important. Getting a second opinion also can help.
"Have someone do a cold read of your reports," Forhan said. "Taking a step back and having another person come in can identify issues and inconsistencies in reporting."
GET A QUALITY REVIEW
A more formal review can give the auditor greater confidence that the single audit complies with the federal requirements and auditing standards. Some firms get an independent review for single audits, and others use engagement quality-control reviews.
At Moss Adams, in addition to the review by the partner responsible for the engagement and a concurring review, single audits are subject to an additional technical review.
"The reviews pick up things related to human error," Forhan said. "Sometimes it's just a typo. Sometimes it's the very important word 'not' being missed from a sentence and changing its meaning. Or findings being reported in the wrong place."
Ultimately, the key to improving quality in single audits may be asking one simple question: "Why?" When you find a quality problem, Forhan said, it's not enough just to fix it for the purposes of that one audit. Instead, undertake a root-cause analysis to understand why the problem happened, so the same issue won't become a problem again in your practice.
If the staff didn't understand something, educate them or perform better on-the-job supervision. If reporting was a problem, it may be worthwhile to invest in an outside reviewer to take a careful look at your reporting. Perhaps you need to reschedule your audit to give you more time between drafting a report and issuing the report, so you can get the proper review.
"You should always try to evaluate, 'How did that happen?' and how you can improve," Forhan said. "... Always ask, 'What can I do to improve the audit quality and create additional best practices in the audit process?' "
Doing it right at small firms
A focus on competency and quality is key.
Although single audits are subject to intense regulatory scrutiny, small firms can and do perform them successfully.
At Reeder & Associates, a firm with three CPAs and another degreed accountant in Tampa, Fla., one of the professionals who is not working on the single audit engagement serves as the quality-control reviewer for single audit engagements.
"The requirement for engagement quality-control reviewers is that the reviewer has to be suitably qualified," said Rick Reeder, CPA, CGMA, the firm's owner. "Well, because our reviewers also perform audits in this area and have all the appropriate CPE, they are suitably qualified, even if they are not a partner. Nothing in the standard requires you to be a partner to be a reviewer."
Here are Reeder's tips for smaller firms that perform single audits:
• Make sure practice aids are up to date. "Some smaller firms tend to rely on existing practice aids and just roll forward," Reeder said. "And that can be really dangerous when you have new federal requirements and standards that have crept in."
• Keep up with CPE. Single audits are subject to additional CPE requirements under Government Auditing Standards. Every two years, each auditor performing work under Government Auditing Standards should complete at least 24 hours of CPE that directly relate to government auditing, the government environment, or the unique environment in which the audited entity operates. An additional 56 hours of CPE are also required every two years in topics that enhance the auditor's professional proficiency to perform audits.
• Don't skip compliance documentation. The OMB Compliance Supplement identifies the applicable compliance requirements for various federal programs. Auditors are required to determine which of those applicable compliance requirements could have a direct and material effect on a major program and to perform compliance tests on those requirements. If the Compliance Supplement indicates that certain requirements are applicable, but you do not test them because they would not be direct and material to your particular client, then you need to document that analysis and conclusion.
• Have a live, up-to-date quality-control document. "It's really important to have a quality-control document in place that's size-appropriate and meets the needs of your firm," Reeder said. "Have a driving governance document for your system of quality control. It's not just something you provide your peer reviewer every three years. It's something you should look at, at least once a year, to make sure it's suitable for your firm."
About the author
Ken Tysiac is a JofA editorial director. To comment on this article or to suggest an idea for another article, contact him at email@example.com or 919-402-2112.
"Professional Liability Spotlight: Risks of Not-for-Profit and Government Audits," JofA, April 2016
AICPA Audit Guide, Government Auditing Standards and Single Audits (#AAGGAS16P, paperback; #AAGGAS16E, ebook; #WRF-XX, one-year online access)
Applying the Uniform Guidance for Federal Awards in Your Single Audit (#746381, text; #164301, one-year online access)
For more information or to make a purchase, go to aicpastore.com or call the Institute at 888-777-7077.
- AICPA | CIMA Learning and Competency, Governmental Auditing Competency Framework, competency.aicpa.org
- Governmental Audit Quality Center, aicpa.org/gaqc
- GAQC Auditee Resource Center, aicpa.org
- GAQC Uniform Guidance Resources for single audits, aicpa.org
AICPA Single Audit Certificate Program, for information, visit sacert.aicpastore.com
2011 Yellow Book Independence—Nonaudit Services Documentation Practice Aid (free PDF download)
- Council on Financial Assistance Reform, cfo.gov/cofar
- Federal Audit Clearinghouse, harvester.census.gov/facweb
- Government Auditing Standards, gao.gov/yellowbook/overview
- OMB Circular A-133, Compliance Supplement, whitehouse.gov
- OMB Uniform Guidance regulations (consolidated in 2 C.F.R. 200), ecfr.gov