Compliance Auditing Update
2016 North Carolina State Treasurers Conference
September 30, 2016
Uniform Guidance Overview
Course Objectives:
• Brief overview of Uniform Guidance
• Review and discuss certain changes as they relate to the auditee
• Review and discuss the role of internal controls and compliance
• Review and discuss subrecipient monitoring
• Brief review of audit requirements and the end product (reporting package)
North Carolina State Single Audit Authoritative Sources
• Title 2 U.S. Code of Federal Regulations Part 200 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance);
• Audit Manual for Governmental Auditors in North Carolina - Discussion of Single Audit in North Carolina
State Single Audit Requirements
• In accordance with federal requirements, beginning in fiscal years ending after December 26, 2015, local governments and public authorities that expend $750,000 or more in federal financial assistance must have a single audit performed
• Local governments with fiscal years ending June 30, 2016 or later that have expended $500,000 or more in State financial assistance must have a single audit performed in accordance with the State Single Audit Implementation Act.
The threshold has not changed for GAGAS (Yellow Book) audits
NEW
LGC Review of Audit Reports
• Number of audits reviewed by LGC for fiscal years ending in 2015: 1,213 audits
595 Single Audits (49%)
251 GAGAS only (21%)
367 GAAS only (30%)
* received as of May 31, 2016 (need to update)
Uniform Guidance-Effective Dates
• Federal Agencies: Implement policies and procedures for regulations to be effective December 31, 2014
• Non-federal Entities: Implement the new administrative requirements and cost principles for all new Federal awards made on or after December 26, 2014, and to incremental funding made after that date
• Audit Requirements: Effective for audits of fiscal years beginning on or after December 26, 2014. Early implementation not allowed
Uniform Guidance-Key Sections
• Subparts A through F
o Subpart A-200.XX- Acronyms and Definitions
o Subpart B-200.1XX- General Provisions
o Subpart C-200.2XX- Pre-Federal Award Requirements & Contents of Federal Awards
o Subpart D-200.3XX- Post Federal Award Requirements
o Subpart E-200.4XX- Cost Principles
o Subpart F-200.5XX- Audit Requirements
o Appendices I through XI
Uniform Guidance-Scope of the Audit
§200.514
• Determine if financial statements are reported in accordance with GAAP
• Determine if Schedule of Federal and State Awards (SEFSA) is stated fairly
• Gain an understanding of internal controls and test those controls
• Determine if auditee has complied with Federal and State statutes, regulations and grant agreements
• Follow-up on prior audit findings
• Report any current year findings
• Complete and sign specified sections of the data collection form
Uniform Guidance-What Does the Auditor Do?
• Uniform Guidance requires the auditor to plan the audit to obtain a low control risk
o That is, controls that “operate effectively”
o Controls are reliable
• How do auditors get to low control risk?
o Document understanding of controls
o Test control design and implementation
o Test control effectiveness
• Sampling is often used
• Ineffective control = finding
Uniform Guidance-Major Program Determination
• Identify all Type A programs
• Identify low-risk Type A programs
• Identify high-risk Type B programs
• Determine major programs to audit
§200.518
Uniform Guidance-Low Risk Auditee Determination
• Entity must meet all of the following for each of the two preceding years:
o Annual single audits, including timely filing of the data collection form
o Unmodified opinion on financial statements in accordance with GAAP or basis of accounting required by state law
o Unmodified in-relation-to opinion on the SEFSA
o No material weaknesses in internal control
o No reporting of going concern
§200.520
NEW
NEW
NEW
Uniform Guidance-Auditee Responsibilities
§200.508
• Arrange for Single Audit
• Prepare appropriate financial statements
• Prepare Schedule of Expenditures of Federal and State Awards
• Follow-up and take corrective action on findings
• Provide the auditor with access to personnel, accounts, records, supporting documentation
• Prepare corrective action plan
• Prepare summary of Schedule of Prior Audit Findings
Uniform Guidance-Financial Management System
Financial management system must provide the following:
• Identification of all federal awards received and expended and the federal programs under which they were received. Includes:
o Catalog of Federal Domestic Assistance (CFDA) title and number
o Federal award identification and year
o Federal awarding agency
o Pass-through entity, if applicable
• Accurate, current, and complete disclosure of the financial results of each award or program
§200.302
Uniform Guidance-Financial Management System
Must include:
• Records that identify the source and application of funds for federally-funded activities
• Effective control over and accountability for all funds, property and other assets
• Comparison of expenditures with budget amounts for each federal award
• Written procedures to implement the requirements of cash management
• Written procedures for determining the allowability of costs in accordance with Cost Principles and terms and conditions of the federal awards
§200.302
Uniform Guidance-Auditor Selection
• Objective is to obtain a high-quality audit
• The objectives and scope of the audit must be clear in the proposal
• Auditee must follow procurement standards in 200.317 through 200.326
• Auditee must request a copy of the audit firm’s peer review
• Auditor who prepares an indirect cost proposal cannot perform the audit if the indirect costs recovered in the previous year exceed $1 million.
§200.509
NEW
Uniform Guidance-Schedule of Expenditures of Federal and State Awards (SEFSA)
• Must prepare a SEFSA for the period covered by the entity’s financial statements
• SEFSA includes the total Federal awards expended in accordance with §200.502, “Basis for Determining Federal Awards Expended”.
• Should reconcile to accounting records or the financial statements themselves
• Completeness and accuracy are critical to avoid missed programs
§200.510
The State Single Audit Implementation Act follows that same guidance in 200.502 in determining State awards expended.
Uniform Guidance-What Qualifies as an Award?
• Financial assistance and cost-reimbursement contracts that non-federal entities receive directly from awarding agencies or indirectly from pass-through entities
o Does not include procurement contracts used to buy goods or services
o Entity has to determine if a vendor relationship exists
§200.38
Uniform Guidance-When Does the Expenditure Occur?
• Determination should be based on when the activity related to the award occurs
• Other examples:
o Disbursement of funds passed through to subrecipients
o Use of loan proceeds under loan and loan guarantees
o Receipt of property
o Receipt or use of program income (potential)
o Disbursement of amounts entitling the entity to an interest subsidy
o Distribution or consumption of food commodities
o Period when insurance is in force
§200.502
Uniform Guidance-Loan and Loan Guarantees
Because the government is at risk for loans until the debt is repaid, a formula is used to calculate the amount of the loan expended. The value is equal to the sum of:
• The value of new loans made or received during the audit period
• Beginning balance of loans from previous years for which the government imposes continuing compliance requirements
• Any interest subsidy, cash, or administrative cost allowance received
§200.502
Uniform Guidance-SEFSA-Required Elements
• List of individual programs by Federal or State agency
• For clusters, provide the cluster name, a list of the individual programs within the cluster, and provide the applicable Federal or State agency. A total for each cluster should also be provided.
• For Federal awards received as a subrecipient, the name of the pass-through entity and identifying number assigned by the pass-through entity
• Total awards expended for each Federal or State program and the CFDA or other identifying number when CFDA is not available
• The total amount provided to subrecipients for each Federal program
• SEFSA must include the total awards expended for loans and loan guarantees
§200.510
NEW
NEW
Prior year loans and loan guarantees expended in prior years are not considered awards expended when statutes, regulations, and terms and conditions impose no continuing compliance requirements, other than to repay the loans. Therefore these amounts should not appear on the SEFSA.
Uniform Guidance-SEFSA-Footnote Disclosures
• For loans and loan guarantees, identify the balances outstanding at the end of the audit period
• Notes that describe the significant accounting policies used in preparing the SEFSA
• Note whether the entity elected to use the 10% de minimis cost rate
§200.510
NEW
Uniform Guidance-Access to Auditors
• Uniform Guidance states that entities must provide access of the following to auditors:
o Personnel
o Accounts
o Books
o Records
o Supporting Documentation
o Other information as needed
§200.508
Uniform Guidance-Prior Year Audit Findings
• Prepared by the entity
• Must report the status of all audit findings included in the prior audit’s schedule of findings and questioned costs
• Must include the reference numbers the auditor assigns to audit findings
• Must include the fiscal year in which the finding initially occurred
• Must include findings related to the financial statements which are required to be reported in accordance with Government Auditing Standards
• For findings that were not corrected or partially corrected, the schedule must describe the reason(s) for the finding’s recurrence and planned corrective action, and any partial corrective action taken
§200.511
Uniform Guidance-Prior Year Audit Findings
• Auditor must follow-up on prior audit findings
• Auditor must perform procedures to assess the reasonableness of the schedule in accordance with Uniform Guidance
• If the auditor concludes that the schedule materially misrepresents the status of any prior audit finding, there must be a current-year finding
• Auditor must perform follow-up regardless of whether a prior audit finding relates to a major program in the current year
Uniform Guidance-Auditee Responsibilities
Internal Controls and Compliance Requirements
§200.303
• Take prompt action when noncompliance is identified
• Safeguard protected personally identifiable information (PPI)
• Establish and maintain internal control over Federal programs
• Comply with Federal statutes, regulations, and terms of the Federal award
• Evaluate and monitor compliance
Uniform Guidance-Internal Controls
• The internal control process should be designed to provide reasonable assurance regarding the achievement of the following objectives:
o Effectiveness and efficiency of operations
o Reliability of reporting for internal and external use
o Compliance with applicable laws and regulations
§200.303
Uniform Guidance-Internal Controls
• The entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award.
• Internal controls should be in compliance with guidance in:
o “Standards for Internal Control in the Federal Government” [Green Book] issued by the Comptroller General of the United States, US Government Accountability Office
o “Internal Control Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
§200.303
Uniform Guidance-Internal Controls
Internal Controls-Sample Questions
• Control Activities: How are you certain that your entity is in compliance with (Allowable Costs)?
• Risk Assessment: How did you determine that (authorization and approval) was necessary to ensure compliance?
• Monitoring: What is the process used to ensure that (authorization and approval) is performed correctly and consistently?
• Information and Communication: How and when do you notify people that (authorization and approval) is required?
• Control Environment: What is management’s attitude about internal control?
Uniform Guidance-Internal Controls
Internal Controls-Example
Activities Allowed or Unallowed and Allowable Costs/Cost Principles
• Control Environment
o Management sets reasonable budgets- minimize incentives to miscode expenditures
• Risk Assessment
o Management has sufficient understanding of procedures and controls to identify unallowable costs
• Information and Communication
o Comparison of budget to actual is provided to project managers for review on a timely basis
• Control Activities
o Program managers approve invoices prior to payment
• Monitoring
o Financial reports provided to appropriate management on periodic basis for review
Uniform Guidance-Compliance Requirements
“Applicable” Versus “Direct and Material” Compliance Requirements
• Auditor looks to the OMB Compliance Supplement for information on each type of compliance requirement and determines which are “applicable” to Federal programs
• Do auditors look at all applicable compliance requirements?
o No, only direct and material compliance requirements
• An entity should comply with all applicable compliance requirements
Uniform Guidance-Compliance Requirements
FEDERAL STATE
A. Activities Allowed or Unallowed 1. Activities Allowed or Unallowed
B. Allowable Costs/Cost Principles 2. Allowable Costs/Cost Principles
C. Cash Management 3. Cash Management
D. Reserved 4. Conflict of Interest
E. Eligibility 5. Eligibility
F. Equipment & Real Property Mgmt 6. Equipment & Real Property Mgmt
G. Matching, Level of Effort, Earmarking 7. Matching, Level of Effort, Earmarking
H. Period of Performance 8. Period of Performance
I. Procurement, Suspension and Debarment 9. Procurement, Suspension and Debarment
J. Program Income 10. Program Income
K. Reserved 11. Reserved
L. Reporting 12. Reporting
M. Subrecipient Monitoring 13. Subrecipient Monitoring
N. Special Tests and Provisions 14. Special Tests and Provisions
Uniform Guidance-2016 Compliance Supplement
• Updated with the appropriate usage of the words must and should: must indicates a required action and should indicates a best practice or recommended approach
• Part 3 of the supplement addresses compliance requirements for auditees as well as auditor responsibilities
• Part 6 provides suggestions for auditors and auditees on implementing and evaluating internal controls
• Supplement located on the White House web site at .
Uniform Guidance-State Compliance Supplements
Changes Related to the State Compliance Supplements-2016
**Note that the Federal supplement for the Child Nutrition Cluster includes CFDA 10.559. But NC DPI, who administers the program, has decided to issue 10.559 as a separate supplement. Therefore when auditing the Child Nutrition Cluster, both supplements 10.553-CL and 10.559 must be used.
• Supplement number 14.228
o Supplement name: Community Development Block Grants
o Change: There are now 2 supplements for this program: The Infrastructure Fund is separate and administered by DEQ. The Small Cities Program is still administered by Commerce
• Supplement number **10.553-CL
o Supplement name: Child Nutrition Program/Nutrition Cluster
o Change: CFDA’s 10.579 and 10.582 have been added as part of the Nutrition Cluster for the State supplement
• Supplement numbers 15.916, 20.219, DNCR-5 and DNCR-6
o Supplement names: Land and Water Conservation Fund, Recreational Trails Program, Clean Water Management Trust Fund, NC Parks & Recreation Trust Fund
o Change: These grants are no longer administered by DEQ but by Natural and Cultural Resources
Uniform Guidance-Subrecipient Monitoring
§200.330 & 331
• Determine if subrecipient or contractor
• Clearly identify subawards to subrecipients
• Provide certain subaward information at the time of subaward
• Verify subrecipient has been audited as required by Subpart F
• Consider imposing specific subaward conditions
• Consider taking enforcement action for noncompliant subrecipients
• Consider results of subrecipient audits
• Evaluate each subrecipient’s risk of noncompliance
• Monitor activities of subrecipients
Uniform Guidance-Subrecipient/Contractor Determination
• Pass-through entities must make case-by-case determinations as to whether an agreement designates a recipient as a subrecipient or contractor.
• Federal and State awards expended as a recipient or a subrecipient are subject to single audit.
• Payments for goods and services received by a contractor are not considered Federal or State awards
§200.330
Uniform Guidance-Subrecipient/Contractor Determination
§200.330
Subrecipient
• Determines who is eligible to receive federal assistance
• Has its performance measured according to whether the objectives of a federal program were met
• Is responsible for program related decision-making
• Must adhere to applicable Federal program requirements specified in the Federal awards
• Uses the Federal awards to carry out a program for specific purpose as opposed to providing goods or services for the benefit of the pass-through entity
Contractor
• Has a procurement relationship with the entity
• Provides goods and services within normal business operations and to many different purchasers
• Provides goods and services that are ancillary to the operation of the Federal program
• Normally operates in a competitive environment
• Is not subject to the compliance requirements of the Federal program as a result of the agreement
Uniform Guidance-Subrecipient Monitoring
• All subrecipients, regardless of the size of the award, must be monitored
• Requirements include:
o Performing a risk assessment of the subrecipient
o Following up on any audit findings or other issues revealed in that process
o Ongoing monitoring
§200.331
Uniform Guidance-Subrecipient Monitoring
Risk Assessment
• A pass-through entity should assess the risk of a subrecipient’s noncompliance at the outset of the relationship and at least annually afterward.
• The assessment should be explicit in the criteria used to evaluate risk, and risk factors should be customized to suit individual programs.
• Documentation of the risk assessment process and results is critical to ensuring that support is available in the event of an audit by external auditors or cognizant agency.
• Monitoring efforts may result in a determination to impose additional conditions on the subrecipient.
§200.331
Uniform Guidance-Subrecipient Monitoring
Follow Up
• Uniform Guidance makes it explicit (rather than implied) that:
o The pass-through entity must actively issue management decisions regarding audit findings identified during the monitoring process
o The subrecipient must implement remediation plans
• Deficiencies discovered:
o Should be discussed and agreed upon by both the pass-through entity and the subrecipient
o Subrecipient should be given a specified period of time to submit a corrective action plan
o The plan should create controls that prevent the situation from reoccurring
§200.331
Uniform Guidance-Subrecipient Monitoring
Ongoing Monitoring
• To ensure a good foundation of quality monitoring, necessary activities and the parties responsible for those activities should be clearly identified
• A system should be in place for determining how subrecipients will be monitored
• Consider the establishment of baseline monitoring procedures that can be applied universally to all subrecipients
o Customized plans should then be developed to address specific areas of concern
§200.331
Uniform Guidance-End Product
• Contents of the Single Audit Submission
o Auditor’s report on the financial statements of the entity
o Auditor’s in-relation-to reporting on the SEFSA
o Financial statements prepared by the entity
o SEFSA prepared by the entity
o Auditor’s report on internal control over financial reporting and on compliance and other matters to meet Government Auditing Standards requirements
o Auditor’s report on compliance and internal control over compliance-major programs
Uniform Guidance-End Product
• Contents of the Single Audit Submission (Continued)
o Auditor’s schedule of findings and questioned costs
o Includes summary of auditor’s results and findings
o Schedule of prior audit findings prepared by the entity
o Corrective action plan prepared by the entity
• All of the items listed are referred to as the “reporting package”
• Reporting package and the Data Collection Form are submitted electronically to the Federal Audit Clearinghouse by the entity
Uniform Guidance-Corrective Action Plan
• At the completion of the audit the entity must prepare in a document separate from the auditor’s findings, a Corrective Action Plan to address each audit finding included in the current year auditor’s report
• Corrective Action Plan must provide the name(s) of the contact person(s) responsible for the corrective action, the corrective action planned, and the anticipated completion date
• If the entity does not agree with the audit findings or believes corrective action is not required, then the corrective action plan must include an explanation and specific reasons
NEW
Uniform Guidance-Data Collection Form
• Joint Responsibilities of entity and auditor, completed electronically and submitted by the auditee
• Represents a summary of the information contained in the reporting package
• Includes contact information for entity and auditor
• Includes SEFSA information, reference to findings, and relevant compliance requirements
• Electronic signature of both the entity and the auditor
o Authorizes Federal Audit Clearinghouse to make reporting package publicly available
o Auditee certifies that submission does not include any personally identifiable information
§200.79 of Uniform Guidance discusses personally identifiable information and gives examples of what is considered personally identifiable information
Website - Single Audit Resources
• www.nctreasurer.com: select Division – Local Fiscal Management, select Single Audit Resources.
o 2016 State Compliance Supplements
o Description of Audit Requirements in NC
o OSA Documents
o Audit Manual: Sample reports and documents for presentation.
o Templates for reporting Subsidized Childcare, Mental Health, and Public Health awards.
o Confirmation reports from State agencies (DHHS, DOT, others)
Website - Single Audit Resources
• How to Access the Uniform Guidance:
o Electronic Code of Federal Regulations (e-CFR)
• GAO Generally Accepted Government Auditing Standards
• Catalog of Federal and Domestic Assistance
• The Data Collection Form and related instructions can be accessed from the Federal Audit Clearinghouse
Questions?
Thank You!
Together we can build and maintain a fiscally strong and prosperous North Carolina.
www.NCTreasurer.com