Governor’s Grants Conference 2011 The Nuts and Bolts of the A-133 Audit
WHAT IS A SINGLE AUDIT?
Monique Booker
SB & Company, LLC
Overview
• Prior to single audit each Federal grantor agency would require a separate audit for its programs
• Entity would have duplication of audits
• Audit of system of accounting for grants and certain specific grants
Overview
• Single Audit Act was enacted in 1984
• Annual audit required for Non-Federal/Non-Commercial Entities that receive Federal funds
• Shows the “whole picture”
Overview
• Single Audit is two-fold - Financial and Compliance
• Uses a risk-based audit approach
• Cost effective way to obtain audits because one audit is conducted instead of multiple audits of individual programs
Single Audit Requirement
• $500,000 of Federal funds
• Financial statement audit
• Program audit is still allowed in certain situations
• Annual audit requirement
Where to Find the Rules
• OMB Circular A-133 - http://www.whitehouse.gov/omb/circulars/a133/a133.html
• Single Audit Act - http://thomas.loc.gov/cgi-bin/query/z?c104:S.1579.ENR:
• CFR - http://gpoaccess.gov/cfr/index.html
What is Considered Federal Award?
• Cost-reimbursed contracts;
• Formula grants;
• Project grants;
• Direct payments for specific use;
• Direct payments with unrestricted use;
• Interest subsidies;
• Direct loans;
• Guaranteed insured loans;
• Other noncash assistance, such as food stamps and food commodities;
• Property and equipment;
• Insurance;
• Cooperative agreements; and
• Direct appropriations.
A-133 Compliance
• Findings are reported to Federal government and become public record, distributed to all Federal Agencies through a clearing house.
• Federal and Non-Federal sponsors look at A-133 as a ‘report card’ of how we spend their money.
A-133 Compliance
• It strengthens the relationship of trust that exists between the sponsor and recipient
• It suggests a presence of the stewardship necessary to properly safeguard the Federal Government’s investment in programs
A-133 Compliance
• Negative publicity, may cause harm to reputation and prestige
• May cost $ millions in payback
• Loss of Federal expanded authorities, additional oversight burden
Cognizant Agency
Primary responsibilities of the cognizant/oversight agencies are:
• To provide technical advice before, during, and after the audit to the recipient and its auditor.
• To ensure that the audits are conducted in a timely manner and in accordance with the requirements of the OMB circulars.
• To perform a “desk review” on the report, then either to forward it to the appropriate grantor agencies or advise the recipients of audits it finds substandard.
• To coordinate any additional audit effort or revisions needed in the report.
• To perform quality control reviews of selected reports.
• To inform other affected Federal agencies of any reported illegal acts or fraud.
• To ensure the resolution of program audit findings affecting all agencies.
What Does Compliance Mean?
• Effective management of public funds to maximize outcomes
• The avoidance of fraud, mismanagement, and poor management of Federal funds
• Adherence to laws, rules and regulations
• Checks and balances – internal controls
• Stewardship of Federal funds
Compliance Pitfalls
• Misuse of funds
• Unallowable costs
• Misallocation of costs
• Excessive cost transfers
• Delinquent financial reporting
• Inaccurate effort reporting/improper allocation of staff time
• Inadequate subrecipient monitoring
Why We Have Problems with Compliance
• Lack of understanding by staff of roles and responsibilities
• Inadequate resources
• Incomplete, outdated or nonexistent policies and procedures
• Inadequate staff training and education
Why We Have Problems with Compliance
• Inadequate systems
• Lack of documentation and audit trail to support claimed expenses
• Perception that internal control systems are not necessary
Assistance vs. Procurement
• Financial Assistance – Provides support or stimulation to accomplish a public purpose. Award can be a grant or cooperative agreement.
• Procurement – Purchase of goods and services to accomplish a government purpose; services can include research. Award is a contract.
Direct Versus Indirect Costs
Direct Costs:
• Can be identified with a specific project or activity relatively easily with a high degree of accuracy
- Direct Salaries & Wages
- Materials & Supplies
- Consultants & Subcontractors
Indirect Costs:
• Referred to as Facilities & Administrative costs
• Indirect costs are those that are incurred for common or joint objectives and therefore cannot be identified readily and specifically with a particular project or activity
- Fringe Benefits
- Overhead
- G & A
Following COSO Model, OMB Selected Control Activities for Each of the Compliance Requirements
A. Activities allowed or unallowed
B. Allowable costs/cost principles
C. Cash management
D. Davis-Bacon Act
E. Eligibility
F. Equipment & real property mgmt
G. Matching, level of effort, earmarking
H. Period of availability of Federal Funds
I. Procurement and suspension and debarment
J. Program Income
K. Real property acquisition/relocation assistance
L. Reporting
M. Subrecipient monitoring
N. Special tests and provisions (control procedures not listed)
Note: Does not have to use those in the compliance supplement or all of them and should use others if more are appropriate.
Assessment of Risk
• Inherent Risk - risk that material noncompliance with a major program’s compliance requirements could occur, assuming there are no related controls.
- Factors to consider:
- Size of the program
- Subrecipients
- Program maturity
- Level of oversight
- Complexity
- Prior audit findings
- Extent of contracting
- Identified as high risk
- Other factors
• Control Risk - risk that material noncompliance that could occur in a major program will not be prevented or detected on a timely basis by the program’s internal control.
- Preliminary control risk
- Final control risk
• Fraud Risk - risk that intentional material noncompliance with a major program’s compliance requirements could occur.
Assessment of Risk
• Detection Risk - risk that the audit procedures will lead to the conclusion that noncompliance that could be material to a program doesn’t exist when in fact it does exist.
- Factors to consider:
- Inherent risk
- Control risk
- Fraud risk
Assessment of Risk
• Risk of Material Misstatement - combination of inherent risk and control risk. Based on professional judgments.
• Audit Risk - risk that the auditor may unknowingly fail to appropriately modify his or her opinion on compliance. It is comprised of inherent risk, control risk, fraud risk and detection risk.
What Are We Looking for Controls to Do?
• Prevent or detect material noncompliance
• Initial assessment to be at low controlled risk
• Final analysis does not need to be at a low level of controlled risk
Types of Controls
Pervasive Controls - Controls around the process, i.e., separation of duties, supervision, hiring, training, skills
Specific Controls -
• Preventative - Stop error from occurring
• Detective - Identify and notify that an error has occurred
Monitoring Control - Identify when a preventative or detective control is not working
Process to Test Single Audit Controls
A. Identify the Control Objectives or “What Can Go Wrong” -
• Can use the compliance supplement
• Only need to assess those requirements that are direct and material
• Can develop your own control procedures
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model -
• Control Environment - sets the tone of an organization influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model (cont’d) -
• Risk Assessment - is the entity’s identification and analysis of risks relevant to achievement of its objectives, forming a basis for determining how the risks should be managed.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model (cont’d) -
• Control Activities - are the policies and procedures that help ensure that management’s directives are carried out.
• Information and Communication - are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model (cont’d) -
• Monitoring - is a process that assesses the quality of internal control performance over time.
Control Environment
• Sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive.
• If there is a governing Board, the Board has established an Audit Committee or equivalent that is responsible for engaging the auditor, receiving all reports and communications from the auditor, and ensuring that audit findings and recommendations are adequately addressed.
Process to Test Single Audit Controls
Control Environment (cont’d)
• Management’s positive responsiveness to prior questioned costs and control recommendation.
• Management’s respect for and adherence to program compliance requirements.
• Key managers’ responsibilities clearly defined.
• Key managers have adequate knowledge and experience to discharge their responsibilities.
Process to Test Single Audit Controls
Control Environment (cont’d)
• Staff knowledgeable about compliance requirements and being given responsibility to communicate all instances of noncompliance to management.
• Management’s commitment to competence ensures that staff receive adequate training to perform their duties.
• Management’s support of adequate information and reporting system.
Process to Test Single Audit Controls
Risk Assessment
• Program managers and staff understand and have identified key compliance objectives.
• Organizational structure provides identification of risks of noncompliance:
- Key managers given responsibility to identify and communicate changes.
- Employees who require close supervision (e.g. inexperienced) are identified.
Process to Test Single Audit Controls
Risk Assessment (cont’d)
• Organizational structure provides identification of risks of noncompliance: (cont’d)
- Management has identified and assessed complex operations, programs, or projects.
- Management is aware of results of monitoring, audits, and reviews and considers related risk of noncompliance.
- Process established to implement changes in program objectives and procedures.
Process to Test Single Audit Controls
Control Activities
• Procedures in place to implement changes in laws, regulations, guidance, and funding agreements affecting Federal awards.
• Management prohibition against intervention or overriding established controls.
• Adequate segregation of duties provided between performance, review, and recordkeeping of a task.
Process to Test Single Audit Controls
Control Activities (cont’d)
• Computer and program controls should include:
- Data entry controls, e.g., edit checks.
- Exception reporting.
- Computer general controls and security controls.
- Reviews of input and output data.
- Access controls.
Process to Test Single Audit Controls
Control Activities (cont’d)
• Operating policies and procedures clearly written and communicated.
• Supervision of employees commensurate with their level of competence.
• Personnel with adequate knowledge and experience to discharge responsibilities.
Process to Test Single Audit Controls
Control Activities (cont’d)
• Equipment, inventories, cash, and other assets secured physically and periodically counted and compared to recorded amounts.
• If there is a governing Board, the Board conducts regular meetings where financial information is reviewed and the results of program activities and accomplishments are discussed. Written documentation is maintained of the matters addressed at such meetings.
Information and Communication
• Accounting system provides for separate identification of Federal and non-Federal transactions and allocation of transactions applicable to both.
• Adequate source documentation exists to support amounts and items reported.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Recordkeeping system is established to ensure that accounting records and documentation are retained for the time period required by applicable requirements, such as the A-102 Common Rule, OMB Circular A-133, and the provisions of laws, regulations, contracts or grant agreements applicable to the program.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Reports provided timely to managers for review and appropriate action.
• Accurate information is accessible to those who need it.
• Reconciliations and reviews ensure accuracy of reports.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Established internal and external communication channels.
- Staff meetings.
- Bulletin boards.
- Memos, circulation files, e-mail.
- Surveys, suggestion box.
• Employees’ duties and control responsibilities effectively communicated.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Channels of communication for people to report suspected improprieties established.
• Actions taken as a result of communications received.
• Established channels of communication between the pass-through entity and subrecipients.
Process to Test Single Audit Controls
Monitoring
• Ongoing monitoring built-in through independent reconciliations, staff meeting feedback, rotating staff, supervisory review, and management review of reports.
• Periodic site visits performed at decentralized locations (including subrecipients) and checks performed to determine whether procedures are being followed as intended.
Process to Test Single Audit Controls
Monitoring (cont’d)
• Follow up on irregularities and deficiencies to determine the cause.
• Internal quality control reviews performed.
• Management meets with program monitors, auditors, and reviewers to evaluate the condition of the program and controls.
Process to Test Single Audit Controls
Monitoring (cont’d)
• Internal audit routinely tests for compliance with Federal requirements.
• If there is a governing Board, the Board reviews the results of all monitoring or audit reports and periodically assesses the adequacy of corrective action.
Process to Test Single Audit Controls
C. Walk Through the Control Process to Understand What It is and Whether It is Operational
• One transaction from start to finish
• Have the processors show what they do, what they review, exceptions uncovered and how exceptions are handled
• Observe and review documentation
Process to Test Single Audit Controls
D. Assess if the Procedures in Place As Designed Are Effective at Reducing the Risk of Non Compliance to A Low Level
• Requires judgment
• Believe no material errors would occur undetected
• If the procedures are designed effectively, must test to ensure operating throughout the period
• If not designed effectively, no need to test as you can write your finding
Process to Test Single Audit Controls
E. Test the Controls Throughout the Period to Determine if They Were Operating As Desired
• Perform test in compliance supplement or design a test to ensure controls were working throughout the period
• Sample size is a matter of judgment
• Suggested sample size of 40 or 60 because of low level of assessed risk while some firms use 25 for moderate level risk
Process to Test Single Audit Controls
Types of Control Tests
• Observation
• Inspection
• Knowledge assessment
• System query
• Reconciliation
• Physical examination
• Review
• Inquiry
• Re-performance
• Corroborative inquiry
• Confirmation
• Computation
• Operating test
F. Assess the Operating Effectiveness
                                          Number of Expected or Actual Deviations
Planned Assessed Level of Control Risk    0     1     2     3
Low                                       60    *     *     *
Moderate                                  25    40    60    60
Slightly Below Maximum                    *     25    25    40
Maximum                                   *     *     *     *
* Omit test because tests of controls would most likely be inefficient or ineffective
Process to Test Single Audit Controls
G. Reporting Findings
Identify the following:
• Finding or non compliance
• Compliance requirement
• Known dollars of non compliance
• Likely dollars of non compliance
• Cause
• Effect
Process to Test Single Audit Controls
G. Reporting Findings
Type of Finding:
- Control -
• Deficiency
• Significant deficiency
• Material weakness
- Specific Test -
• Material non compliance
• Non compliance
Type of Report:
• Unqualified
• Qualified
• Adverse
• Disclaimer
Process to Test Single Audit Controls
Type of Control Weaknesses
Significant Deficiency
Quantitative Deficiencies - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as a Significant Deficiency to the program.
Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Material Weakness
Quantitative Considerations - Any internal control related findings quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as a Material Weakness in the program.
Qualitative Considerations - There may be instances, based on auditor judgment, where internal control related findings that quantitatively would not be considered material, may be deemed material weaknesses by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Type of Compliance Finding
Material Noncompliance
Quantitative Considerations - Any noncompliance quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as Material Noncompliance to the program.
Qualitative Considerations - There may be instances, based on auditor judgment, where noncompliance that quantitatively would not be considered material, may be deemed material noncompliance by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Noncompliance
Quantitative Considerations - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as Noncompliance to the program.
Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
American Recovery Reinvestment Act
• Passed in 2009
• $787 Billion in Federal spending
• Mandates unprecedented amount of oversight and transparency
Additional Guidance for ARRA Funds
• Recipients will generally be required to clearly distinguish ARRA funds from other Federal awards.
• Federal agencies will be performing risk assessments on ARRA programs and potentially designating some programs as high-risk programs for single audit purposes that will affect major program determination and future audit scope.
• There will be extensive reporting, including timely quarterly reporting, to Federal agencies required from ARRA fund recipients.
• Federal agencies are required to initiate additional oversight and monitoring to address the unique implementation risks of the ARRA.