In response to the severe economic crisis, the $787 billion American Recovery and Reinvestment Act (Recovery Act) became law in February 2009. The primary goal of this act was to create and save jobs and stimulate long-term economic growth. Only $275 billion of the Recovery Act funds allocated for contracts, grants and loans are subject to the requirements of the federal Single Audit Act. Noncompliance with Recovery Act requirements could have significant implications for recipients of the funds, including the potential for termination of federal funding.
The Single Audit Act of 1984, as amended in 1996, (the “single audit”) was passed by Congress to establish requirements for audits of governments and not-for-profit organizations that administer federal financial assistance programs. This article is intended to help recipients of Recovery Act funds, and CPAs who advise them, understand the basics of the single audit requirements and their responsibilities relating to compliance and internal control over compliance.
BASICS OF THE SINGLE AUDIT
Generally, a single audit is required if a nonfederal entity (the auditee) spends $500,000 or more of federal awards in a year. A single audit includes an audit of the auditee’s financial statements and a compliance audit of federal awards. A federal award is defined as federal financial assistance and federal cost-reimbursement contracts that are received directly from federal awarding agencies or indirectly from pass-through entities. It does not include procurement contracts, under grants or contracts, used to buy goods or services from vendors.
The auditor uses a risked-based approach to determine which federal programs to audit each year (referred to as major programs). Federal programs funded in whole or in part by the Recovery Act have a high chance of being selected as a major program. A federal program is all federal awards assigned a single catalog of federal domestic assistance (CFDA) number or a cluster of programs (a grouping of closely related programs that share common compliance requirements) as defined by the Office of Management and Budget (OMB). The CFDA number has five digits (for example, 14.218). The first two digits represent the federal funding agency; the last three digits represent the federal program.
The auditor is required to (1) obtain an understanding and perform testing of the auditee’s internal controls over major programs and (2) test compliance with applicable laws, regulations, and the provisions of contracts or grant agreements that may have a direct and material effect on each major program. OMB Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, sets standards for implementing the single audit. These standards define the audit requirements and the responsibilities of auditees, federal agencies, pass-through entities (a nonfederal entity that provides a federal award to a subrecipient to carry out a federal program), and auditors.
Certain nonfederal entities will expend $500,000 or more in federal awards for the first time as a result of receiving Recovery Act funds and, therefore, will become subject to the single audit. It is essential that these organizations understand their responsibilities relating to compliance, establishing and maintaining internal control over compliance, and the basic requirements of a single audit.
IDENTIFICATION OF FEDERAL AWARDS
An auditee is required to identify all federal awards received and expended, and prepare a schedule of expenditures of federal awards for the period covered by the auditee’s financial statements. The accuracy of this schedule is critical since it is the primary basis for the auditor’s major program determination. OMB Circular A-133 requires the schedule to include the federal agency and programs under which an award is received, the CFDA number, and the name and identifying number assigned by the pass-through entity, if applicable. The schedule should separately identify expenditures of Recovery Act funding by the inclusion of the prefix “ARRA” in the name of the federal program.
Federal agencies are responsible for informing the recipient of the CFDA number, award name and number, and award year. This includes the specific identification of Recovery Act-funded programs regardless of whether it is an existing federal program or a new program. Federal agencies have identified more than 250 new and existing CFDA programs that are funded in whole or in part by Recovery Act funds. These programs are identified on the CFDA website at cfda.gov and include a icon in the program header. Overall, the CFDA number serves as a key data element used to track Recovery Act funds, from the initial award by a federal agency to the subsequent expenditure and reporting by the auditee to the final reporting on the U.S. government’s official website related to Recovery Act spending at recovery.gov.
Finally, there may be questions about whether certain federal programs funded by the Recovery Act are subject to the single audit and should therefore be included in the schedule of expenditures of federal awards. For example, questions have arisen about Build America Bonds and COBRA health benefit subsidies. In both cases, the OMB has said that these federal programs are excluded from the scope of the single audit. The single audit coordinator of the federal agency can be contacted if an auditee has questions about whether federal programs that are funded by the Recovery Act are subject to the single audit, and therefore should be included in the schedule of expenditures of federal awards.
ESTABLISH AND MAINTAIN INTERNAL CONTROL
An auditee is required to establish and maintain internal control that is designed to reasonably ensure compliance with federal laws, regulations, and the provisions of contracts or grant agreements of each federal program. Regardless of whether Recovery Act funds are supplementing an existing federal program or funding a new program, it is essential for an auditee to understand the unique laws and regulations and establish internal control to ensure compliance before applying for and expending Recovery Act funds.
The five components of internal control that should be considered to reasonably ensure compliance with each applicable type of compliance requirement for each federal program include: the control environment, risk assessment, control activities, information and communication, and monitoring. The OMB issues an annual Compliance Supplement (published every spring) that federal agencies use to communicate what is important to successfully manage federal programs and to assist auditors in performing the single audit. Part 6 of the Compliance Supplement, titled Internal Control, should be of particular interest for auditees because it includes characteristics and examples of the five components of internal control that relate specifically to 13 of the 14 common types of compliance requirements (see sidebar, “Compliance Requirements”). This guidance can be useful when designing internal control to reasonably ensure compliance with federal laws, regulations and program compliance requirements.
All components of internal control are essential for each type of compliance requirement that is applicable to a federal program. However, it is increasingly important for auditees to assess risk and monitor internal control considering the unprecedented oversight, accountability, and transparency provisions that accompany Recovery Act funding. Don Winstead, the special advisor to the governor for the state of Florida for the implementation of the Recovery Act, focused on this point when he said, “We went into this with the knowledge and expectation that there was not going to be any additional resources. We had to pull in our belt tighter. We knew that not putting internal control in place and not paying attention to risk was not an option.”
The risk assessment process includes the identification, analysis and management of risk. When assessing risk, an auditee should consider the current economic environment, the unique requirements of the Recovery Act, and the overall control environment of its organization, including the following:
- The recessionary environment has resulted in many entities facing budget cuts, employee reductions and fiscal stresses caused by declines in revenue and the lack of liquidity. This environment can increase pressure for employees to commit fraud and provide convincing reasons for an employee to justify dishonest behavior.
- Capacity issues may exist due to material increases in federal funding from the Recovery Act. The additional federal funding combined with fewer employees and a lack of qualified personnel can strain employee resources. Consequently, internal control can be compromised since it can become difficult to adequately monitor federal projects and achieve program objectives.
- The Recovery Act requires “commencing expenditures and activities as quickly as possible consistent with prudent management.” The balance between the speed required for starting and completing federal programs and the need to manage risk can be challenging as it relates to the proper accounting, program administration, and reporting of Recovery Act expenditures.
- The speed with which the Recovery Act became law and the short time frame in which contracts, grants and loans have been awarded has resulted in challenges for federal agencies and the OMB to issue timely standards and guidance. It is critical that auditees designate a key employee(s) with the capabilities to monitor and understand the laws, regulations and compliance requirements in order to establish effective internal control. For example, the city of St. Petersburg, Fla., has designated a contracts and grants officer who closely monitors Recovery Act information upon issuance. Relevant information is conveyed to the appropriate city employees through training workshops, webinars, monthly newsletters, postings to their Recovery Act website, and frequent meetings with the City Council.
It is important for auditees to be proactive and periodically assess risk, strengthen internal control, and monitor the internal control relating to federal programs. This will allow auditees to address and correct any control deficiencies on a timely basis before significant expenditures of Recovery Act funds have occurred.
COMPLIANCE WITH LAWS, REGULATIONS AND OTHER PROVISIONS
An auditee is responsible for complying with the laws, regulations and the provisions of contracts or grant agreements related to each federal program including the additional requirements imposed by the Recovery Act. At the time of the award, it is the responsibility of the federal awarding agency or pass-through entity (if applicable) to inform the auditee of the requirements imposed upon them. These requirements include certain crosscutting requirements of the Recovery Act that are also defined in the Compliance Supplement and the Code of Federal Regulations (2 CFR part 176). These requirements are crosscutting since they apply to all federal programs funded by the Recovery Act. A summary of the crosscutting requirements of the Recovery Act are described below:
Activities allowed or unallowed. The specific requirements for activities allowed or unallowed are unique to each federal program. In addition, section 1604 of the Recovery Act has established a crosscutting of unallowable activity for all Recovery Act funds, whereby funding cannot be used for any casino, gambling establishment, aquarium, zoo, golf course or swimming pool.
Davis-Bacon Act. All laborers and mechanics employed by contractors or subcontractors that work on construction contracts in excess of $2,000 financed by Recovery Act funds must be paid wages not less than those established for the locality of the project (prevailing wage rates) by the Department of Labor. Approximately 40 programs are newly subject to Davis-Bacon requirements as a result of the Recovery Act. Of these, 33 federal programs that existed prior to the Recovery Act are subject to Davis-Bacon requirements for the first time, and seven are newly created programs.
Procurement. The use of Recovery Act funds is prohibited for the construction, alteration, maintenance or repairs of a public building or work unless all the iron, steel and manufactured goods used in the project are produced in the United States. A waiver can be granted under certain circumstances. The detailed requirements of the “Buy American” provisions are defined in 2 CFR part 176, Subpart B.
Reporting. The reporting requirements under section 1512 of the Recovery Act include extensive reporting on the details of projects and activities, including an estimate of the number of jobs created and retained. First-time reporters must register at federalreporting.gov, and reports must be submitted no later than 10 days after the end of each calendar quarter.
This website also provides guidance on section 1512 reporting that includes webinars, a step-by-step user guide, optional templates, OMB memoranda and frequently asked questions. The extensive and unprecedented reporting requirements are essential for the federal government to timely capture program-related information to assist in determining whether the funds are used for authorized purposes and to make the use of Recovery Act funds transparent to the public. Therefore, it is not surprising that the quarterly reporting of Recovery Act funding has received national attention since the first reporting period ended on Sept. 30, 2009. All quarterly reports submitted to federalreporting.gov are subsequently published on recovery.gov, which provides taxpayers easy access to this data and user-friendly tools to track how and where Recovery Act funds are spent.
Overall, it is essential that strong internal control is established to ensure that section 1512 reporting is complete and accurate. This begins with reports that are prepared and reviewed by people who have the required knowledge, skills and abilities and that the information reported is supported by underlying accounting and performance records. If an auditee demonstrates systemic or chronic reporting problems and/or fails to correct problems identified by a federal agency, it can result in termination of federal funding.
Subrecipient monitoring. Recipients of Recovery Act funds and “first-tier” subrecipients (those that receive an award directly from a recipient) are required to register in the Central Contractor Registration (CCR) and maintain the accuracy of the information annually to retain active status. A pass-through entity is required to determine that the subrecipient has registered with the CCR prior to making any subawards to a subrecipient and the information is updated annually. The CCR is the primary registrant database that collects, validates, stores and disseminates data, which is subsequently shared with federal agencies to facilitate paperless payments through electronic funds transfer.
Special tests and provisions. Three special tests and provisions apply to all programs with expenditures of Recovery Act awards:
- The financial management system must permit the preparation of required section 1512 reports and the adequate tracing of funds expended to establish that funds were used for authorized purposes and allowable costs.
- The schedule of expenditures of federal awards and the data collection form should properly identify Recovery Act awards expended and be supported by accounting records. The data collection form includes certain data elements that are approved by the OMB and is available from the Federal Audit Clearinghouse. This form must be submitted by the auditee.
- If Recovery Act funding is subsequently subawarded to another entity, the auditee is responsible for identifying the federal awards made to each subrecipient including the federal award number, the CFDA number, and the amount of Recovery Act funds. The subrecipient must separately identify expenditures of Recovery Act funds in their schedule of expenditures of federal awards.
It is critical that an auditee determine that it can comply with the strict accounting, compliance, internal control and reporting requirements before applying for federal awards including Recovery Act funds. In addition, it is essential that internal control is established for compliance requirements to ensure that federal awards are properly recorded, accounted for and expended in compliance with laws, regulations, and the provisions of the contracts or grant agreements. Auditees should communicate with the federal awarding agency or the pass-through entity for technical advice and counsel as needed during the program administration of a federal award. It is also recommended that auditees discuss the single audit process with their auditors before their fiscal year-end to avoid surprises and to identify and resolve issues early.
The 13 types of compliance requirements that may apply to a federal program include:
- Activities allowed or unallowed
- Allowable costs/cost principles
- Cash management
- Davis-Bacon Act
- Equipment and real property management
- Matching, level or effort, earmarking
- Period of availability of federal funds
- Procurement and suspension and debarment
- Program income
- Subrecipient monitoring
- Special tests and provisions
Recovery Act funds allocated for contracts, grants and loans are subject to the requirements of the federal Single Audit Act of 1984 (as amended in 1996), passed by Congress to establish requirements for audits of governments and not-for-profit organizations that administer federal financial assistance programs.
Auditors use a risk-based approach to determine which federal programs to audit each year, however, federal programs funded in whole or in part by the Recovery Act have a high chance of being selected as a major program.
An auditee is required to identify all federal awards received and expended and prepare a schedule of expenditures of federal awards for the period covered by the auditee’s financial statements. The accuracy of this schedule is critical since it is the primary basis for the auditor’s major program determination. The schedule should separately identify expenditures of Recovery Act funding by the inclusion of the prefix “ARRA” in the name of the federal program.
An auditee is required to establish and maintain internal control that is designed to reasonably ensure compliance with federal laws, regulations, and the provisions of contracts or grant agreements of each federal program.
An auditee is responsible for complying with the laws, regulations and the provisions of contracts or grant agreements related to each federal program including the additional requirements imposed by the Recovery Act.
Troy Y. Manning (firstname.lastname@example.org) is a partner at Cherry, Bekaert & Holland LLP in Tampa, Fla.
To comment on this article or to suggest an idea for another article, contact Loanna Overcash, senior editor, at email@example.com or 919-402-4462.
Governmental Audit Quality Center
The Governmental Audit Quality Center (GAQC) is a membership center for CPA firms and state auditor offices that helps members achieve the highest standards in performing quality governmental audits, including the performance of single audits. While the GAQC is intended primarily for auditors, it also provides information that is useful to auditees, particularly as it relates to the Recovery Act. Visit the GAQC at aicpa.org/GAQC and its Recovery Act Resource Center to get the latest information. Among the resources available to the general public on the GAQC Recovery Act Resource Center are the following:
Archived GAQC conference calls and web events
Preparing for Your Single Audit: An Auditee Perspective. This call will be of particular interest to auditees that want to obtain a basic understanding of the single audit, including their responsibilities.
- The Recovery Act: Information You Need to Plan and Perform Your 2010 Single Audits, May 19, 2010
- The Recovery Act: A Practitioner’s Perspective, Sept. 29, 2009
- The Recovery Act and Its Potential Impact on 2009 Single Audits, June 25, 2009
Archived GAQC alerts
These alerts provide clarifying guidance and information issued by the Office of Management and Budget, federal agencies and other authoritative sources on the single audit and the Recovery Act. Recent alerts include the following:
- Alert #141, Elimination of Late Single Audit Filing Extensions and Related Effect on Future Low-Risk Auditee Status, March 26, 2010
- Alert #133, New State Stabilization Guidance, Update “Jobs Created and Retained” Guidance, and New Compliance Auditing SAS, Dec. 30, 2009
- Alert #132, Auditing Interpretations Issued on Communicating Deficiencies in Internal Control Over Compliance at an Interim Date as a Result of Recovery Act, Dec. 10, 2009
- Alert #127, News on Build America Bonds and Other Recovery Act Matters, Oct. 9, 2009
- Alert #123, OMB Asks GAQC to Distribute Clarifying Guidance on Effect of Recovery Act Funds on Major Program Determination and Other Recovery Act Activities, Sept. 11, 2009
Other GAQC tools for auditors
Other nonauthoritative examples on planning a single audit that includes Recovery Act awards are also available. These include other non-Recovery Act single audit tools that may prove useful to auditees, available here. The following tools are available:
- Illustrative worksheet for auditees to accumulate and document important information about each federal award
- Illustrative disclosure checklist that can be used by auditees to ensure all required elements of a schedule of expenditures of federal awards are included
Office of Management and Budget
- The Single Audit Act, OMB Circular A-133 and Compliance Supplements, tinyurl.com/y3gqltf
- Frequently asked questions and memoranda, including updated guidance on reporting and other Recovery Act activities, tinyurl.com/y5ej4jh
- U.S. government’s official website with access to data relating to Recovery Act spending, recovery.gov
- Central government-wide data collection system for federal agencies and recipients of federal awards under section 1512 of the Recovery Act that includes extensive guidance on reporting, federalreporting.gov
- Governmental Accountability Office (GAO), gao.gov/recovery
- Code of Federal Regulations, www.gpoaccess.gov/cfr/index.html, then click on e-CFR
- Catalog of Federal Domestic Assistance (CFDA), cfda.gov
- Central Contractor Registration (CCR), www.bpn.gov/ccr
- Federal Audit Clearinghouse, harvester.census.gov/sac
- Committee of Sponsoring Organizations of the Treadway Commission (COSO), coso.org, published the Internal Control—Integrated Framework (COSO Report) that provides a framework to design, implement and evaluate controls that will facilitate compliance with federal laws, regulations, and program compliance requirements.
More from the JofA: