The release of the Office of Management and Budget’s (OMB’s) Compliance Supplement addendum for single audits right before Christmas gave practitioners long-awaited guidance for these specialized audits that are especially complicated because of the surge in government funding related to the coronavirus pandemic.
But the release also created expectations for practitioners who perform single audits.
“Once the addendum was out, many clients expected us to issue [audit reports] right away because now we could complete the work,” said Erica Forhan, CPA, a partner in the Moss Adams Professional Practice Group and the firm’s director of audit and attest. “There was pressure to act fast and make decisions fast.”
Despite clients’ eagerness, Forhan said it’s important for auditors to take their time, understand the rules, make sure they are doing the right things, and come to the right conclusions. It has been a challenging time because the pandemic happened, new federal funding made single audits more complicated, and the addendum was delayed until late December. In addition, the rules haven’t answered all the questions that some clients and auditors have.
That’s why auditors need to make sure they are deliberate and still delivering audits of the highest quality.
“Make sure you have done or are doing the right things and coming to the right conclusions,” said Forhan, a former chair of the AICPA Governmental Audit Quality Center’s (GAQC’s) Executive Committee. “And get your documentation in line before you rush out and issue a report because your client is pressuring you or they have deadlines. You don’t want to delay. You want to be responsive. But you have to do your work and be diligent about it.”
Forhan’s advice on quality is particularly important in perhaps the most challenging single audit environment in history. Fortunately, the OMB provided a three-month audit submission extension for single audits of 2020 year ends through Sept. 30 year ends for clients that received some form of COVID-19 funding.
That reduces the deadline pressure on auditors, but single audits are challenging this year because of:
- The sheer numbers. Single audits are compliance audits of recipients that expend $750,000 or more in federal funding, conducted to provide the federal government with key information about whether recipients are spending funds in compliance with program rules. Pandemic-related economic relief programs have dramatically increased the number of recipients of $750,000 or more in government funding. Therefore, many more clients need single audits. In some cases, these recipients have a lot to learn about single audits because of their inexperience with the process.
- The delayed addendum release. Typically, the OMB releases its annual Compliance Supplement during the summer. But 2020 wasn’t a typical year. The OMB released the annual Supplement as usual, but it did not address the new COVID-19 programs that many recipients received. So the OMB began work to develop an addendum to the Supplement to address the new funding and to provide instructions for auditors because of the many new types of funding provided in response to the pandemic. This caused thousands of single audits for year ends earlier in 2020 to be delayed.
- Lingering challenges. Even with the release of the addendum, auditors continue to have challenges and questions. In many cases, the addendum points auditors to guidance on federal agency websites to determine cost allowability for the new federal programs. This involves auditors wading through detailed guidance on federal agency websites and, in some cases, the use of judgment. Certain new programs, such as the Provider Relief Fund (PRF), which went primarily to health care providers, also have many open questions. The Compliance Supplement addendum said that PRF expenses and lost revenue shouldn’t be place on the Schedule of Expenditures of Federal Awards (SEFA) until Dec. 31, 2020, year ends or later to provide more time for some of the open questions to be addressed. While this helped for auditors of those earlier 2020 year ends, clarifying guidance has not yet been issued and now even the Dec. 31, 2020, year-end audits for recipients of PRF funding are on hold.
Amid these challenges, auditors must persevere. Here are eight tips for single auditors in this challenging environment.
Carefully consider client acceptance
Some of the many federal award recipients who need a single audit for the first time may ordinarily work with auditors who have never performed a single audit before.
Those auditors have to decide whether they will subcontract the single audit work to firms with experience in these specialized compliance audits or whether they will undergo the training necessary to perform these audits themselves.
“That’s the first assessment,” Forhan said. “Should you do this, or should you get help from someone who has done this before? You could partner with another firm.”
For firms that have not performed single audits in the past, this may be an opportunity to develop a new service line. As another large stimulus package is being debated by the government this year, it appears that single audits may be needed by a large number of clients for the next several years.
But practitioners who do decide to perform this kind of audit for the first time should be forewarned. Single audits are complex, highly specialized audits, and firms should make sure their people are properly trained to perform them.
This includes being familiar with Generally Accepted Government Auditing Standards (GAGAS), also referred to as the Yellow Book, which is published by the U.S. Government Accountability Office because single audits are also required to be performed under GAGAS.
“I would encourage practitioners to make sure they are getting their engagement letters updated and they are bringing the appropriate practice aids into their working papers to address Yellow Book considerations,” said Stephen Blann, CPA, CGMA, a principal with Rehmann and a member of the GAQC Executive Committee. “If they haven’t done a single audit, they may not have been following Government Auditing Standards before either. And then also, obviously, [prepare for] everything that goes along with a single audit.”
Consider clients’ infrastructure and internal controls
An auditor needs to consider whether a client has the appropriate policies and procedures in place to appropriately administer grants.
“There are two steps to this,” Blann said. “They need to follow the rules that go along with the grants, sure, that’s complying. But they also have to have a good system of internal control over compliance, and that’s where first-time single auditees may be a little light in terms of having developed those policies and procedures to give themselves a good shot at compliance.”
Meanwhile, auditors need to also be especially careful when evaluating and testing clients’ internal controls, because of the changes in the work environment. Many grant recipients have increased work-from-home operations and rapidly installed new technology that has enabled them to succeed amid the pandemic’s disruption.
But these actions also can create gaps in internal controls that auditors will need to identify.
Understand what belongs on the SEFA
The addendum’s order that expenditures and lost revenue associated with the PRF should not be included on the SEFA until Dec. 31, 2020, year ends or later applies only to the PRF and not to other COVID-19 funding.
Further, certain of the new programs allow for lost revenue to be claimed by recipients, in addition to expenditures. This is a new concept, and auditors will have to get used to the idea of addressing lost revenue on the SEFA.
“Once agencies provide the rules around lost revenue, they may seem weird, but they are the rules, and we are a profession that’s really good at learning and following rules,” Blann said. “So just do your homework and you’ll be fine.”
Forhan advises firms that possess ample resources and perform many single audits to devote one person or team as a specialist in each of the new federal funding sources, such as the PRF, the Coronavirus Relief Fund (CRF), and the Education Stabilization Fund, including the Higher Education Emergency Relief Fund.
Those specialists can scrutinize the individual programs carefully on all of a firm’s audits to make sure nothing is overlooked on the SEFA and that engagement teams are educated on the requirements.
Document, document, document
Because the rules have changed over time, documentation — which always is a critical factor in any kind of audit — is especially important.
This duty starts with the client, who should be documenting the rules followed and conclusions reached. Subsequently, auditors need to document how they interpreted the clients’ conclusions, the rules followed, and the professional judgment applied.
Blann said that because many of the rules for these new programs appear on federal agency websites and have changed over time, it’s not enough for an auditor to document that they looked up the rules online. The rules and the website links where they are posted may change.
“It’s really important to pull that material down and put it in your workpapers and not just make a generic reference to a website and hope it will still be there when your peer review comes along,” Blann said.
Communicate effectively with clients
Forhan advises that auditors should carefully explain to clients the reason for any audit delays, what to expect, and what the client’s responsibilities are, especially when a recipient needs a single audit for the first time.
Auditors should make sure they talk with client employees outside the finance team as well.
“That comes into play especially when we’re talking about completeness of the SEFA,” Forhan said. “Because, again, the SEFA may look different this year. There may be new programs. The finance department may or may not know about them, but if the auditor is only talking to them, we may miss something.”
Blann said it’s important for auditors to remind their clients to continue following all the rules for federal funding recipients, even in areas that auditors are not required to test this year.
“Federal agencies may change which requirements are subject to audit each year, and we may not find out until the year is nearly over and it’s too late for them to go back and start following the rules,” he said. “They just need to be reminded that there is an expectation that they comply with all the rules year-round. We can do our clients a huge service by educating and reminding them of that.”
Be prepared to test FFATA reporting
The addendum included new requirements to test Federal Funding Accountability and Transparency Act (FFATA) subaward reporting for all COVID-19 programs included in the addendum where the auditor is instructed to test reporting, subject to certain restrictions. FFATA rules do not apply to the CRF program.
The addendum also advises that auditors also will need to test FFATA reporting for all selected major programs where reporting is identified as subject to audit for audits of fiscal years after Sept. 30, 2020, regardless of whether COVID-19 funding is involved. However, auditors don’t have to conduct FFATA testing for clients who do not receive direct federal funding or do not make subawards over certain dollar thresholds.
“Auditors haven’t had to look at it, but our clients have been subject to it all along, so it shouldn’t be new and uncharted territory from a client’s perspective,” Blann said. “Now there are some nuances. Just because they are administering federal awards and have a single audit doesn’t mean they are getting direct dollars from the feds. And even if they are getting direct dollars from the feds, it doesn’t mean that they’re subawarding it. They may be spending it all directly.”
Choose major programs appropriately
The rules for major programs haven’t changed as a result of the pandemic. All high-risk Type A programs (generally larger programs that meet certain risk criteria) are required to be audited as a major program. And the number of high-risk Type B programs that need to be audited as major programs still is determined based on the formula in the Uniform Guidance.
New COVID-19 programs that are Type A programs are high-risk in the first year because they’re all new. But, following the major program rules in the Uniform Guidance, some Type B pandemic-related funds may not require auditing.
“The key takeaway is that just because there is new COVID money, it does not necessarily make it a high-risk program,” Blann said. “We’re back to the same recurring theme. Follow the rules.”
Keep standard best practices top of mind
Ultimately, practitioners remain responsible for using professional skepticism, objectivity, and critical thinking related to single audits, even though they may sympathize with clients that have been through extreme difficulty as a result of the pandemic.
Clients might not have sufficient internal controls, and sufficient audit evidence may be impossible to obtain in some areas. If so, auditors need to report that, regardless of the circumstances that led to it.
“They have to call it like it is,” Forhan said. “If there are no internal controls, you have to write a finding. If there are significant deficiencies and material weaknesses, recognize them, write a finding. Same thing on the compliance side. If there’s not audit evidence, you can’t test it.”
For more information on single audits, visit:
- The AICPA Governmental Audit Quality Center (GAQC).
- The GAQC’s pandemic-related resources.
- The GAQC’s alert on the OMB’s Compliance Supplement addendum.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.