Thomas Sneeringer, CPA, likes to say that major program determination within a single audit engagement requires strict adherence to the Uniform Guidance rules and formulas even when they don’t seem to make perfect sense.
For instance, as auditors scrutinize the pandemic-related aid that organizations have received, it might seem that all this new funding, regardless of amounts expended, should be audited as major programs.
Sneeringer said that’s not necessarily the case, especially for the smaller programs.
“I hate to say this about the process, but auditors can get into trouble when they try to use common sense,” he said. “It’s really about being true to the formula, being true to the guidance, and let that walk you until you reach the conclusions.”
Sneeringer is a partner at RSM US LLP in Gaithersburg, Md., who will serve as a co-presenter for a single audit session at the AICPA & CIMA Not-for-Profit Industry Conference, which is scheduled for June 7–9 online. The conference will include a number of sessions devoted to providing useful information on single audits, and Sneeringer is presenting a case study that will serve as a discussion guide for many important techniques and considerations that practitioners need to use.
Critical to the correct determination of major programs in a single audit is getting a complete and accurate Schedule of Expenditures of Federal Awards (SEFA) from the client.
The SEFA for Sneeringer’s presentation (simplified for purposes of illustration) contains the following federal programs and amounts for a Dec. 31, 2020, fiscal-year-end client:
Despite the existence of new coronavirus relief money from the HIV Emergency Project Grants and CRF programs, according to the guidance in the 2020 Office of Management and Budget (OMB) Compliance Supplement and related Addendum, the determination of major programs does not change for the single audit of this client.
“A lot of auditors think, ‘There’s CARES Act money. Of course it’s high-risk. We’re going to have to audit it.’ Not necessarily,” Sneeringer said. “There’s still a process, a series of required steps we go through, given this mix of awards and knowing what’s been audited in the past and what hasn’t been audited.”
When total federal expenditures are less than $25 million, a Type A program is one with expenditures of $750,000 or more; the others are Type B programs. A Type A program that has not been audited in the past two audits is considered high-risk and would be considered a major program to be audited.
A Type A program also is high-risk if in the last audit period it was identified with a material weakness, had a modified opinion, or had known or likely questioned costs of more than 5% of the federal expenditures for that program.
In the example, the CRF program is brand-new funding that has never been audited before, and at $800,000, it is a Type A program because its expenditures exceed the $750,000 threshold.
“So we know this is going to be a major program,” Sneeringer said. “It’s a Type A program, never been audited before, 100%, take it to the bank.”
The Research and Development Cluster is a Type A program as a whole, and the Nursing Research is considered part of that Type A program for single audit purposes even though its funding on its own is just $300,000.
The Violence Against Women program, meanwhile, is a Type A program because its expenditures are $1 million. In the example, the audit of the program last year found a significant deficiency in its internal controls.
Despite that, the program still isn’t guaranteed to be high-risk because a material weakness, not a significant deficiency, is the threshold for high risk.
“A significant deficiency doesn’t get you automatic high risk, you still have to look at the other required steps for risk determination in the Uniform Guidance,” Sneeringer said.
The HIV Emergency Project Grants expenditures are just $650,000. So, even though it’s new, it’s a Type B program and doesn’t automatically need to be audited. Instead, the Uniform Guidance has the auditor use a formula to identify how many high-risk Type B programs need to be audited (based on the number of low-risk Type A programs) and then the auditor goes through a risk assessment process to determine which high-risk Type B program will be tested as a major program. That determination depends on several factors defined in the Uniform Guidance as well as auditor judgment.
These are just a few of the nuances related to single audits. Sneeringer said they’re difficult to learn, especially when an auditor performs just a small number of these audits in a year. He encourages those practitioners to be extremely careful on these engagements, or to refer them to an auditor with more experience on single audits.
“I’ve been doing it for 30-plus years now, and I’m still learning new things, and I have a heavy concentration of doing these engagements in my client deck,” he said. “And I’m still learning. If you are doing one, two, maybe five or less during the year, with the nuances you can make a wrong turn and, before you know it, you have a substandard audit.”
He encourages those who do perform these audits to adhere to a few basic steps:
- Do your homework. “You need a thorough understanding of the steps involved,” he said.
- Spend sufficient time planning the audit. “If you properly plan, then you likely have a much better outcome than if you didn’t plan at all or didn’t properly plan,” he said.
- Follow the Uniform Guidance, even if it seems counterintuitive. “Work your way through the formula, and don’t make presumptions,” he said.
It’s also important to remember that things related to single audits are constantly changing and evolving because of the pandemic. There have been several new rounds of pandemic funding in the last several months, and there has been discussion that OMB may temporarily revise the major program selection rules to ensure that certain pandemic funding be selected for audit as major programs. However, it is uncertain at this time whether that will occur.
Auditors should be alert to any potential changes to the process for their 2021 audits. To stay up to date, follow the activity of the AICPA Governmental Audit Quality Center.
— Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com) is the JofA’s editorial director.