Embed Size (px)
Citation preview
GOVERNMENTAL AUDITS2017 MO GFOA Annual Conference
Karen Lenk, CPA, CFEChristina Jacquin, CPA
Schowalter & Jabouri, P.C.
Learning Objectives• Understand the different types of audits• Learn best practices for how to prepare for an audit
• Understand the Report on Internal Control• Understand the use of audit committees
TYPES OF AUDITS
Audit Scope• Audit Scope:
• An important factor in auditing• Establishes how deeply an audit is performed• Can range from simple (small) to very in-depth
Audit Scope• Depends on the purpose of the audit• Audits are performed for a variety of reasons:
• Required by statutes (federal and state law)• Required as a condition of expending federal awards
(Uniform Guidance)• For the purpose of finding fraud
Financial Statement Audit• Objective
• To plan and perform audit procedures• Procedures will generate evidence that (hopefully)
allows auditors to express an opinion• The opinion desired is that, in the auditor’s opinion, the
financial statements are fairly presented in all material respects in accordance with GAAP (or a special purpose framework, such as cash)
Financial Statement Audit• Level of assurance
• Provides reasonable assurance• Does not provide absolute assurance
• Financial statement audits are NOT designed to identify fraud
Financial Statement Audit• Scope
• Audit procedures are designed to focus on the financial statement areas that are considered to be the most “risky”• Risky means that they are more likely to contain a material
misstatement than other areas• Determination of this risk is a matter of professional
judgement and depends on the facts and circumstances of each entity
Financial Statement Audit• Typical Audit Areas
• Cash and Investments• Revenue and Receivables• Prepaid Expenses and Other Assets• Capital Assets• Accounts Payable and Other Liabilities• Debt• Equity
Financial Statement Audit• Determining Audit Areas (Example)
• The City of Gotham is undergoing its annual financial statement audit.
• The following facts apply to the City:• The City has a relatively small general ledger balance
of cash and only three bank accounts, which are accurately reconciled to the general ledger each month.
• During the year, the City spent $5,000,0000 to replace its entire fleet of police cars due to their destruction by supervillains.
Financial Statement Audit• Determining Audit Areas (Example)
• Based on these facts, the City’s auditor might consider Capital Assets to be more a more risky audit area than Cash due to the large number of asset additions and the dollar value of expenditures.
• In this case, the auditor would spend more time on this financial statement area and perform more “in depth” testing.
• This could involve obtaining source documentation (invoices and purchase orders), performing detailed analytics, and other procedures.
Financial Statement Audit• Compliance with laws and regulations
• Budgetary compliance• Publication of financial statements• Allowable investment types• Any special reporting requirements
Single Audit• The Uniform Guidance
• (Title 2 U.S. Code of Federal Regulations (CFR) Part 200, Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards)
• Required for non-federal entities that spend more than $750,000 in federal awards during a year
• Encompasses both:• A financial statement audit and• A compliance audit of federal awards
Single Audit – Financial Statement Audit
• Objective is the same as a financial statement audit• To be able to express an opinion on whether the
financial statements are fairly presented in accordance with GAAP (or a special purpose framework).
• Adds a new objective to report on the supplementary schedule of expenditures of federal awards (SEFA)
Single Audit – Financial Statement Audit
• Objective of SEFA Reporting• To be able to express an opinion on whether the SEFA
is fairly stated in all material respects in relation to the financial statements as a whole
Single Audit – Financial Statement Audit
• Scope• In order to obtain sufficient evidence to support the “in
relation to” audit opinion, the auditor must plan and perform procedures over the SEFA
• These procedures might consist of evaluating the SEFA for accuracy and completeness• Has the entity identified all of its federal awards?• Are the CFDA numbers correct?• Do the federal expenditures reported on the SEFA agree to the
general ledger?
Single Audit – Compliance Audit• Objective of Compliance Audit
• Obtain an understanding of internal control over federal programs
• Plan the audit of federal programs to support a low assessed level of control risk of noncompliance for major programs
• Plan the testing of internal control (over compliance) for the major programs to support the low assessed level of control risk
• Perform the testing as planned
Single Audit – Compliance Audit• Objective of Compliance Audit
• Determine whether the entity has complied with:• Federal statutes• Regulations• Terms and conditions of federal awards
• Applies to major programs
Single Audit – Compliance Audit• Major program
• Federal program that has been selected by the auditor to be audited for the compliance audit
• Can also be identified by a Federal awarding agency or pass through entity
• Determination guidelines are made in accordance with requirements specified in the Uniform Guidance
• Guidelines can be complex
Single Audit – Compliance Audit• Major program determination factors
• Amount of expenditures• When the program was last audited• Findings, questioned costs, modified opinions issued in
the past• Assessment of risk• Coverage of total federal expenditures being audited
Single Audit – Compliance Audit• Once major programs are selected, auditors will plan and perform procedures to support the audit opinions
• Single Audit Reports• Report on internal control over compliance• Report on Compliance for each major federal program
Single Audit – Compliance Audit• Auditing Major Federal Programs:
• Use the Compliance Supplement as an audit guide• https://obamawhitehouse.archives.gov/omb/circulars/a133_comp
liance_supplement_2016• Contains compliance requirements for federal programs• 12 Types of Compliance Requirements
Single Audit – Compliance Audit• Compliance Requirements
• Activities Allowed or Unallowed• Allowable Costs/Cost Principles• Cash Management• Eligibility• Equipment and Real Property Management• Matching, Level of Effort, Earmarking• Period of Performance• Procurement, Suspension and Debarment• Program Income• Reporting• Subrecipient Monitoring• Special Tests and Provisions
Single Audit – Compliance Audit• Compliance Audit (Example)
• City of Metropolis is awarded a federal grant to pay the overtime salaries for police officers to staff a series of safety checkpoints.
• The terms of the grant require the City to spend the funds during its current fiscal year.
• The funds can only be spent for specific overtime salaries and not on other activities.
• The City must apply for reimbursement from the awarding agency to receive the funds after the activities have occurred.
• This program is selected as major by the City’s auditor.
Single Audit – Compliance Audit• Compliance Audit (Example)
• The City’s auditor reviews the Compliance Supplement and determines that the following compliance requirements are applicable:• Activities Allowed or Unallowed• Allowable Costs/Cost Principles• Period of Performance
• The auditor would then plan test of both internal control and compliance over these compliance requirements
Fraud Audit• A meticulous review of financial information• Typically performed upon request when fraud is already suspected
• Specifically targeted to identify fraudulent transactions
• Increased scope and level of auditing• Involves looking at internal and external records
PREPARING FOR AN AUDIT
Preparing for an Audit• Try not to look at the audit as an ordeal• Audits are an irreplaceable tool to ensure that financial procedures are in order
• Auditors can be a resource and shouldn’t be seen as adversaries
• Both parties want the audit to go smoothly• Preparation is key!
Step 1• Select the audit firm
• Narrow down the search for an audit firm to only those firms that have the skills and experience to provide the services you need
• Use a RFP process and follow up on references• AUDIT THE TEAM!
Step 2• Determine who will be responsible for the audit process• Audit committee• Task force• Finance department
• Communication between management and auditors is VITAL at all stages of the audit
Step 3• Stay on top of things during the year
• Ask questions when they come up• Do not wait until fieldwork• Auditors can assist you with using the correct
accounting treatment the first time around instead of correcting it on the back end
Step 3• Stay on top of things during the year
• Document, document, document!• Make sure that procedures and internal controls are
operating effectively during the year• Do not wait to perform reconciliations until year-end• The cleaner the records are throughout the year, the
less work will be needed at the end of the year
Step 4• Have a planning meeting
• Set up an early planning meeting with your auditor before the audit starts
• Discuss any changes to the entity during the year• Ask questions so that you are sure you understand the
audit process
Step 4• Have a planning meeting
• Request to receive the “PBC” request listing in advance• “Prepared by client”
• Develop a timeline for the audit• When will fieldwork be performed & completed?• When will auditors expect to receive PBC information?• Will the auditors present to the Board/Council?• What are the report deadlines?
Step 5• Get a PBC request listing from the auditor
• Request lists are a detailed list of items that the auditor will need to perform audit procedures.
• Requests lists can be valuable tools to help compile and provide information.
• Request lists typically aren’t meant to be 100% comprehensive though.
• Ask questions if you don’t understand something on the request listing.
Step 6• Assign responsibilities
• If possible, the responsibility for preparing for the audit should be shared by everyone
• Divide up the request list and assign responsibility for each of the requested items to a staff member
• Clearly communicate the due dates for each piece of information and to whom the information should be provided
• Everything that you provide to the auditors should be reviewed first to make sure that it is accurate and complete
Step 6Requested Item Staff
ResponsibleReviewer Due Date
CashBank reconciliations
Bruce Banner Clark Kent 1/15/2017
Outstanding check listing
Bruce Banner Clark Kent 1/15/2017
Capital AssetsDepreciation schedule
Peter Parker Clark Kent 1/31/2017
Asset additions schedule
Peter Parker Clark Kent 1/31/2017
Federal ProgramClaims for reimbursement
Jean Grey Clark Kent 1/31/2017
Step 7• Provide information to the auditors
• Decide who will be responsible for providing the information to the auditors
• Index the items you provide to the auditors• Either match their PBC listing or organize in some logical fashion
• The timeframe of when to provide the information to the auditors should have been decided in the planning meeting.
Step 7• Provide information to the auditors
• Communicate with your auditors as to how they want the information to be provided
• Manual vs electronic workpapers• Email, flash drive, secured file transfer service, etc
Step 8• Be available during fieldwork
• If possible, clear your schedule so that you can be available to answer questions and help with any problems
• If you must be absent, designate a staff member to act as the temporary audit contact
Step 8• Be available during fieldwork:
• Attend status meetings and continually discuss progress and problems that arise
• Respond to any additional audit requests and questions as timely as possible
• The more quickly you provide information to the auditors, the faster the audit can be finished.
Step 9• Keep in contact during wrap up
• Maintain communication with the auditor after fieldwork is completed
• Agree on deadlines to provide any follow up information• Carefully review the draft reports
Step 10• Present to governing body
• Will a presentation be made to the governing body? • Work with auditors to schedule timing and placement on
the agenda
REPORTING ON INTERNAL CONTROL
Professional Standards
Auditors are “regulated” by state law, including adherence to ethical and audit standards issued by
the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).
Professional Standards• Regulators and the public have realized that the reliability of audited financial statements is directly related to the sufficiency and effectiveness of an organization’s internal controls.
• Accordingly, auditing standards have been issued to address concerns and bridge the “expectations gap” between what public perceptions of an audit have been and what an audit actually is and does.
Professional Standards• The standards clarify and distinguish between the auditors’ responsibility and the responsibility of an organization’s governing board and management.
• The standards provide that auditors must plan their audit based on the organization’s risk assessment and evaluation of internal controls.
Professional Standards• In 2006, SAS 112 changed the definition of internal control deficiencies and introduced the following terms:
• Control deficiency• Significant deficiency• Material weakness
• These standards collectively focus more on the organization and its internal control and lower the threshold at which auditors must identify and communicate a problem with the design or effectiveness of controls.
DefinitionsDeficiency in internal control - A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.
DesignOperation
Definitions
Material weakness - A deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.
Definitions
Significant deficiency - A deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.
Finding Evaluation Process• The auditor should determine whether, on the basis of the audit work performed, the auditor has identified one or more deficiencies in internal control.
• If the auditor has identified one or more deficiencies in internal control, the auditor should evaluate each deficiency to determine, on the basis of the audit work performed, whether, individually or in combination, they constitute significant deficiencies or material weaknesses.
Finding Evaluation Process• Magnitude of a financial statement finding
Financial statement amount or total of transactions exposed Volume of activity in the account or class of transactions
• Importance of the deficiency by itself and in combination with other deficiencies
• Quantitative vs. qualitative• Isolated instances • Compensating controls• Laws or regulations
Finding Evaluation Process• The auditor should consider whether prudent officials, having knowledge of the same facts and circumstances, would likely reach the same conclusion.
Indicators of Material Weaknesses• Identification of fraud, whether or not material, on the part of senior management
• Restatement of previously issued financial statements (except to implement new standards)
• Identification by the auditor of a material misstatement of the financial statements
• Ineffective oversight of the entity’s financial reporting and internal control by those charged with governance
Examples – Design DeficienciesThe following are examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses related to the design of controls:• Inadequate design of controls over the preparation of the financial statements being audited.
• Inadequate design of controls over a significant account or process.
Examples – Design Deficiencies• Inadequate documentation of the components of internal control.
• Insufficient control consciousness within the organization.
• Evidence of ineffective aspects of the control environment, such as indications that significant transactions in which management is financially interested are not being appropriately scrutinized by those charged with governance.
Examples – Design Deficiencies• Evidence of an ineffective entity risk assessment process, such as management's failure to identify a risk of material misstatement that the auditor would expect the entity's risk assessment process to have identified.
• Evidence of an ineffective response to identified significant risks (for example, absence of controls over such a risk).
• Absent or inadequate segregation of duties within a significant account or process.
Examples – Design Deficiencies• Absent or inadequate controls over the safeguarding of assets (this applies to controls that the auditor determines would be necessary for effective internal control over financial reporting).
• Inadequate design of IT general and application controls that prevents the information system from providing complete and accurate information consistent with financial reporting objectives and current needs.
Examples – Design Deficiencies• Employees or management who lack the qualifications and training to fulfill their assigned functions. For example, in an entity that prepares financial statements in accordance with generally accepted accounting principles (GAAP), the person responsible for the accounting and reporting function lacks the skills and knowledge to apply GAAP in recording the entity's financial transactions or preparing its financial statements.
Examples – Design Deficiencies• Inadequate design of monitoring controls used to assess the design and operating effectiveness of the entity's internal control over time.
• The absence of an internal process to report deficiencies in internal control to management on a timely basis.
Examples – Operation Deficiencies• Failure in the operation of effectively designed controls over a significant account or process
• Failure of the information and communication component of internal control to provide complete and accurate output because of deficiencies in timeliness, completeness, or accuracy
• Failure of controls designed to safeguard assets from loss, damage, or misappropriation.
• Failure to perform reconciliations of significant accounts.
Examples – Operation Deficiencies• Undue bias or lack of objectivity by those responsible for accounting decisions; for example, consistent understatement of expenses or overstatement of allowances at the direction of management.
• Misrepresentation by entity personnel to the auditor (an indicator of fraud).
• Management override of controls.
Examples – Operation Deficiencies• Failure of an application control caused by a deficiency in the design or operation of an IT general control.
• An observed deviation rate that exceeds the number of deviations expected by the auditor in a test of the operating effectiveness of a control.
Group Exercise
Practical Steps to Avoid, Limit, or Eliminate Internal Control Deficiencies Identified in an Audit1. Be prepared to provide evidence that the
government has sound financial reporting systems in place
2. Minimize the likelihood of material audit adjustments
3. Review any financial statement preparation assistance provided by the independent auditors
AUDIT COMMITTEES
What is an Audit Committee?• An audit committee can be defined as a sub-committee in the governing body that will make arrangement for internal audit and facilitate the completion of the external audit
• Formally established by charter, enabling legislation or other appropriate legal means
• GFOA recommends all members be members of the governing body
Fundamental GoalsThe audit committee has three fundamental goals• First, it must satisfy itself that management is maintaining a comprehensive framework of internal controls;
• Second, the audit committee must ensure that management’s financial reporting practices are assessed objectively;
• Third, the committee needs to determine to its satisfaction that the financial statements are properly audited and that any problems disclosed during the course of the audit are properly resolved.
Key Responsibilities – Specific Tasks• Determine the scope of the audit (ie. single
audit, GAS, GAAS)• Determine the appropriate scope of
“nonaudit” services to be provided by the independent auditor
• Manage the audit procurement process• Select the independent auditors• Communicate with the auditors before,
during and after the audit, as needed
Key Responsibilities – Specific Tasks• Read and review the financial statements,
independent auditor’s reports and other reports issued by the auditors
• Follow up on corrective action that is needed • Assess the performance of the independent
auditors• If applicable, the audit committee should
have access to the reports of internalauditors, as well as access to annual internal audit work plans
Key Responsibilities• Communicate how the board intends to
respond to developments in financial reporting, laws, accounting standards and governance practices.
• Identify the actions of management and the board in response to previous auditor communications.
• Improve transparency in financial reporting.
Audit vs. Finance Committee• Finance committee monitors financial transactions; the audit committee makes sure things are done according to policy and with adequate controls
• Finance committee provides oversight about significant financial decisions; the audit committee monitors the annual independent audit process
Questions?
ContactSchowalter and Jabouri, P.C.(314) 849-4999
Karen Lenk, CPA, CFEE-mail: [email protected]
Christina Jacquin, CPAE-mail: [email protected]
