SAS 117:The New Auditing Standard on Compliance
May 11, 2010
Eric Formberg, Plante & Moran, PLLC
Randy Roberts, AZ Auditor General Office
1
What This Session Will Cover•What the new Compliance Audit SAS will
require •How a compliance audit differs from the
financial statement portion of an audit
• Insight on how to implement the compliance audit requirements
•Questions
2
What the New Standard Will Do•Supersedes AU section 801, Compliance
Auditing Considerations . . . (SAS 74) •Uses new clarity format•Effective for audits of periods ending June
15, 2010 and later
3
What the New Standard Will Do• Address some of the recommendations in the
PCIE’s study on single audit quality• Clarify its applicability • Update for changes in the compliance audit
environment • Clarify that, and which, generally accepted
auditing standards apply to the compliance portion of an audit
• Identify auditor requirements and provide guidance that are unique to a compliance audit
• Update the elements to be included in an auditor’s report on compliance for current standards
4
New Compliance SAS – Content•Intro and Applicability•Objectives•Definitions•Requirements and Guidance
5
• This new SAS applies when all of the following are required: ▫Generally accepted auditing standards (GAAS)
▫Financial audit standards for Government Auditing Standards
▫A governmental audit requirement that requires the auditor to express an opinion on compliance
Applicability
6
Applicability ExamplesRequirement• Single Audit (A-133)• HUD Guide audit• State Grant• State law to
determine that gas tax monies spent for road purposes
• Bond monies spent per debt covenants
Type of engagementCompliance audit
(AU801)Compliance
attestation (AT601)Agreed-upon
procedure (AT101)“In connection
with” (AU623.01.c)
7
Objectives• Obtain sufficient appropriate audit evidence
to form an opinion and report at the level specified by the government audit requirement on whether the entity complied in all material respects with the applicable compliance requirements
• Identify audit and reporting requirements specified in the governmental audit requirement that are supplementary to GAAS and GAGAS, if any, and perform procedures to address those requirements.
8
Definitions•Terms Unique to Compliance Audit
Environment▫ Applicable Compliance Requirements▫ Governmental Audit Requirement▫ Compliance Audit
•Terms Adapted for Compliance Audit Environment from Financial Audit Standards▫ Audit Risk of Noncompliance ▫ Risk of Material Noncompliance▫ Significant Deficiency in Internal Control over Compliance▫ Material Weakness in Internal Control over Compliance
9
Definitions – Examples
•Applicable compliance requirements
•Risk of material noncompliance
Compliance =
F/S = materially accurate
10
RequirementsAdapt and apply AU sections to compliance
objectives• Appendix has the laundry list, but what’re
the key ones?▫Materiality▫Risk assessment process▫Gotta do the tests – internal controls, tests of
compliance, analytical procedures – sufficient to give an opinion
▫Reporting▫Documentation
11
Materiality•Materiality set based on governmental
audit requirement, GAAS and GAGAS supplement how▫Different levels of materiality
▫Different nature
▫Unique qualitative & quantitative factors12
Risk Assessment Procedures•Gaining an understanding
▫First, which programs, which requirements? Inquiries, past experience, federal regulations
▫What are the risk factors? Newness, complexity, knowledge, nature of
services, level of oversight, past external and internal reports, management's corrective actions
▫What are the internal controls? Five elements of COSO for compliance objectives
13
Risk of Material Noncompliance•Factors relative to the applicable compliance
requirements when assessing this risk:▫ Complexity▫ Susceptibility to noncompliance▫ Length of time the entity has been following them▫ The auditor’s observations about the entity’s compliance in
prior years▫ The potential effect on the entity of noncompliance▫ The degree of judgment involved to adhere to them▫ The auditor’s assessment of the risks of material
misstatement in the financial statement audit▫ Design and implementation of relevant internal controls
14
Matching Controls with Related RisksControls over compliance – Controls with a
purpose!• Value of control dependent on compliance risk it
offsets• Risk assessment process
▫ Identify compliance risk ▫ Identify control(s) that reduce risk▫Determine if risk is reduced sufficiently (a
relatively low level)▫Do deficiencies exist? Impact on compliance tests?
DOCUMENT YOUR THINKING!• Are tests of control effectiveness “necessary”?
▫Governmental audit requirement (A-133)▫Reduce overall audit effort to issue an opinion
15
Match GameControl Compliance
Susie approves the reimbursement request
The grant department budget is approved annually by the Board
Cash needs projections for grants are updated monthly by the business office
Harry checks the suspended and debarred website for each contract
The grants director obtains certified payrolls every 2 weeks from the contractor
Fixed assets are tagged
Pete keeps a calendar showing due dates for grant reports
16
Performing Further Procedures•Pervasive risks – how it’s different than a
F/S auditCompliance:
Trip across what affects multiple programs/
requirements;
Respond to overall risk
F/S:
Look at both overall and assertion level;
Respond to risks at both
Examples: Centralized recordkeeping with poor internal controls Tone at the Top suggests lack of concern for compliance Overall grants management centered on one individual Decentralized operation with no monitoring
17
Performing Further Procedures•Tests of compliance
▫Tests of details, tests of transactions•Tests of internal control, if:
▫ Risk assessment is based on expectation that controls are operating effectively
▫ Substantive procedures alone won’t provide sufficient appropriate audit evidence, or
▫ Required by governmental audit requirement▫ Portions of AU 318 related to evidence of operating
effectiveness obtained in prior audits are not applicable to compliance audits
18
Performing Further Procedures• New chapter about sampling in Government
Auditing Standards and A-133 Audit Guide• Perform any supplementary audit requirements
▫e.g., specific procedures to identify major programs
▫e.g., assess reasonableness of summary schedule of prior audit findings
• Where analytical procedures fit in▫For planning▫As tests of compliance▫Other evidence
19
How Does Fraud Fit In?• It does! .. Focus - Impact of Fraud Risks on
noncompliance• Fraud Triangle in a compliance environment• Example Areas of Concern
▫Funding pressure▫Maximizing reimbursement▫Job security▫Program or Participant Utilization▫Compliance “world” often a separate part of
the entity▫“Power” of the journal entry!
• SAS 99 documentation requirements apply • Hot Topic………ARRA concerns
20
Forming an Opinion•Do you have enough relevant evidence to
determine whether an entity materially complied? Consider:▫The frequency of the noncompliance▫The nature of the noncompliance▫The adequacy of the entity’s system for
monitoring compliance▫Whether any identified noncompliance
resulted in likely questioned costs that are material to the government program
21
Forming an Opinion•Making the decision about material
noncompliance▫Is it big enough (per the governmental audit
requirement [GAR]) to be: A finding?
Material to the requirement?
Material to the program?
Look to the GAR – could be noncompliance, internal control deficiencies, questioned costs
$ or % for monetary transactions (e.g., cost principles, cash management); # or % for nonmonetary (e.g., eligibility, reporting)
Significance of requirement to program; degree to which requirement was not complied with
22
Subsequent events• Financial statement audits versus compliance audit
23
Reporting and Reports•Reporting
▫Opinion on compliance▫Other required reporting per the
governmental audit requirement (e.g., instances of noncompliance, internal control deficiencies, questioned costs)
•Reports▫Report on compliance▫Report on internal controls▫Can be combined
24
Documentation• All of AU section 339 applies• Key areas:
▫Risk assessment procedures▫Response to risk of material noncompliance▫Materiality levels used and the basis on which
they were determined Can there be more than one? How should it be applied to specific
requirements?▫Compliance with supplemental audit
requirements▫No expectation to document how the auditor
adapted and applied every applicable AU section
25
Reissuing a Compliance ReportHopefully, this never happens to you!•Explanatory paragraph describing reason
for reissuance or report and changes made•Dating
▫Update if all programs affected▫Dual date if not all programs affected
•A need to reissue auditor-prepared documents referred to in the compliance report is considered to be a reissuance of the report itself
26
AICPA Audit Resources •Auditing & Accounting Guides will
continue to be important for meeting standards for Single Audits▫Government Auditing Standards and
Circular A-133 ▫State & Local Governments
27
Questions ?????
28