Risks of not-for-profit and government audits

By Daniel J. Gartland, CPA

The number 90,056: What does it represent? It's the total of the 3,031 counties, 12,880 independent school districts, 16,360 townships, 19,519 municipalities, and 38,266 special districts—all the local governments in the United States, according to the U.S. Census Bureau's 2012 "Census of Governments." Add to that more than 1.5 million tax-exempt organizations in the United States as of 2015, according to the National Center for Charitable Statistics, and you have a staggering number of potential clients for CPA firms.

Many government and not-for-profit (NFP) organizations require an audit. And since the fiscal year end for many of these organizations is something other than Dec. 31, this type of service presents an opportunity for CPA firms to shift work outside of the traditional busy season. Additionally, these engagements provide audit staff with fresh experiences and industry exposure. The benefits of providing audit services to government and NFP organizations are numerous, yet they may present unforeseen professional liability risks for firms without the necessary knowledge and expertise in these specialized areas.

While claims related to audit services have historically accounted for approximately 8% to 12% of all claims reported to the AICPA Professional Liability Insurance Program, they are the most severe, meaning amounts incurred in defense and settlement costs are usually greater than claims related to other services provided by CPA firms. This degree of claim severity is related to several factors: the high level of assurance provided by an audit, the complexity of issues that the auditor must address, and the reliance on the financial statements by third parties, such as investors, creditors, suppliers, and donors, as well as the client.

For example, audits of governmental and NFP entities generally involve planning, testing, and reporting requirements mandated by regulators. The regulator may oversee and scrutinize the auditor's compliance with those requirements. Uncertainty may arise on government audits where changes in key personnel and procedures can be affected by an election cycle. Moreover, audit reports for government and NFP entities may be available to a broad audience including the general public, constituents, donors, or even beneficiaries of an NFP.


Claims relating to the performance of government and NFP audits frequently allege the CPA failed to detect or report a defalcation or a misstatement in the financial statements. How can these allegations affect the CPA? Perhaps there is an undetected error in the financial statements, or the client failed to comply with special reporting or donor requirements. This may lead to the loss of federal awards or pledged funds, which may affect the entity's operations and ability to serve its constituents. An NFP entity may even have to shut down. The client, and affected third parties, may then place responsibility for these woes on the CPA firm, citing the audit failure.

Consider the following claim scenario:

A CPA firm was engaged to audit a local governmental entity. The engagement continued over several years, and unqualified opinions were rendered. One year, a qualified opinion was issued when it was determined the entity had misallocated funds from a restricted-use tax levy. The proceeds from the tax levy should have been used to service loan and other obligations but instead were used to pay general expenses.

Recent funding reductions had already stretched the entity's budget, and the issuance of a modified opinion raised the question of eligibility for funds previously awarded. A claim was brought against the CPA firm, alleging that it should have detected the misallocation of funds in prior years. Expert review of the audit working papers and firm records uncovered an audit team member's noncompliance with continuing professional education requirements and lack of industry experience. In addition, the public was sympathetic to the local entity's weak financial position, and the firm was concerned that media coverage of a legal dispute could present unwanted reputational risks. Based on these factors, the firm felt compelled to settle.


Many professional liability risks facing CPA firms can be managed by focusing on an understanding of industry-specific requirements and firm quality-control measures. The following tips can help mitigate the risk of a professional liability claim relating to the performance of government and NFP audits:

Train for fraud awareness

Entities in the government and NFP sectors have historically been more susceptible to fraud schemes. Weaknesses in internal controls such as a lack of segregation of duties, inexperienced staff, or executives that are unable to devote the necessary resources to accounting functions may increase the opportunity for a fraud to occur. As a result, engagement teams should be aware of common fraud schemes affecting these types of clients, including:

  • Fictitious vendors.
  • Unapproved cash disbursements.
  • Payroll manipulation.
  • Charging personal expenses to the entity.
  • Bid rigging.
  • Cash theft, skimming, or lapping.

In addition, auditors should adjust the timing, nature, and extent of procedures to address weaknesses in internal controls and the risk of fraud.

Staff engagements appropriately

As with any audit, more-experienced staff should perform procedures on complex accounts and transactions. The same approach should be applied to areas with an identified risk of material misstatement, material noncompliance, or fraud. Less-experienced staff should be closely supervised and their work carefully reviewed until they develop sufficient specialized knowledge and expertise.

Become an expert

As many governmental and NFP entities expend federal funds, they may also have to undergo financial statement audits in accordance with Generally Accepted Government Auditing Standards (GAGAS) issued by the U.S. Government Accountability Office (via the Yellow Book) or have a single audit of federal funds in accordance with regulations issued by the Office of Management and Budget. Auditors with clients in these areas should understand and be experienced in these accounting and auditing standards, as they contain many nuances and requirements not typical of other financial statement audits. Before accepting governmental or NFP audit engagements, CPAs should evaluate whether they have the appropriate experience and expertise to deliver services with the level of competence required by the professional standards. The AICPA Governmental Audit Quality Center and the AICPA Enhancing Audit Quality initiative webpage offer tools, resources, and practice aids to help practitioners build expertise.

Maintain competence through CPE

GAGAS requires engagement team members to collectively possess adequate professional competence needed to address the audit objectives and perform the audit. It also states that auditors performing work in accordance with GAGAS should maintain their professional competence through CPE and requires certain engagement team members working on these audits to obtain at least 24 hours of Yellow Book training directly related to government auditing, the government environment, or the specific or unique environment in which the audited entity operates. Auditors should be aware that in the event a claim arises, the engagement team's CPE records frequently are used to determine whether the team had the requisite competence to deliver the service.

Report identified issues

Care should be taken to meet the reporting requirements of AICPA standards, GAGAS, and single-audit regulations. Internal control weaknesses, particularly lack of segregation of duties, should be communicated in writing to the client every year until corrected. Additionally, engagement team members should raise suspicious activities suggesting fraud to the appropriate level of client management and those charged with governance for the client's investigation. If the issue is not addressed to the satisfaction of the CPA firm, the firm should consider whether the risks of continuing the relationship outweigh the benefits.

Maintain professional skepticism

The strict time constraints and deadlines of any audit, in addition to applicable regulatory, testing, and reporting requirements of government and NFP audits, can fatigue even the most seasoned auditor. However, auditors should plan and perform each year's audit with a fresh perspective, based upon identified risks, the entity's environmental factors, and current-year activities.

Keep it professional

Certain supporting documents in government and NFP engagements, including audit documentation and electronic communications, can be subject to Freedom of Information Act (FOIA) requests. Auditors should bear this in mind when preparing audit documentation and communicating with clients and engagement team members. Firms should develop and strictly adhere to a policy segregating protected information and information that could be subject to a FOIA request.

Ethics matter

CPAs performing any service should maintain a high level of ethical standards as outlined in the AICPA Code of Professional Conduct. An interpretation of the Acts Discreditable Rule (ET Section 1.400.001) specifically addresses services provided to governmental entities and requires CPAs to follow the established requirements of governmental bodies, commissions, or other regulatory agencies in performance of services (see Interpretation 1.400.050, "Governmental Bodies, Commissions, or Other Regulatory Agencies"). Further, Interpretation 1.400.055, "Governmental Audits," addresses a CPA's obligation to follow governmental audit standards, guides, and other relevant rules and regulations in the performance of those engagements. Interpretation 1.224.020, "Entities Included in State and Local Government Financial Statements," addresses independence requirements for CPAs with respect to the audit of state and local government financial statements.

Daniel J. Gartland is a risk control consultant at CNA.

Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. For more information, call Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, at 800-221-3023 or visit cpai.com.

This article provides information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

Where to find June’s flipbook issue

The Journal of Accountancy is now completely digital. 





Better decision-making with data analytics

Data analytics has become a hot topic, but many organizations have not yet managed to understand its potential, let alone put it to work. This report will take a deep-dive on how to best introduce or enhance the use of data in decision-making.