Governor’s Grants Conference 2011 The Nuts and Bolts of the A-133 Audit WHAT IS A SINGLE AUDIT? Monique Booker SB & Company, LLC


Overview

• Prior to single audit each Federal grantor agency would require a separate audit for its programs

• Entity would have duplication of audits

• Audit of system of accounting for grants and certain specific grants

Overview

• Single Audit Act was enacted in 1984

• Annual audit required for Non-Federal/Non-Commercial Entities that receive Federal funds

• Shows the “whole picture”

Overview

• Single Audit is two-fold - Financial and Compliance

• Uses a risk-based audit approach

• Cost effective way to obtain audits because one audit is conducted instead of multiple audits of individual programs

Single Audit Requirement

• $500,000 of Federal funds

• Financial statement audit

• Program audit is still allowed in certain situations

• Annual audit requirement

Where to Find the Rules

• OMB Circular A-133 - http://www.whitehouse.gov/omb/circulars/a133/a133.html

• Single Audit Act - http://thomas.loc.gov/cgi-bin/query/z?c104:S.1579.ENR:

• CFR - http://gpoaccess.gov/cfr/index.html

What is Considered Federal Award?

• Cost-reimbursed contracts;

• Formula grants;

• Project grants;

• Direct payments for specific use;

• Direct payments with unrestricted use;

• Interest subsidies;

• Direct loans;

• Guaranteed insured loans;

• Other noncash assistance, such as food stamps and food commodities;

• Property and equipment;

• Insurance;

• Cooperative agreements; and

• Direct appropriations.

A-133 Compliance

• Findings are reported to Federal government and become public record, distributed to all Federal Agencies through a clearing house.

• Federal and Non-Federal sponsors look at A-133 as a ‘report card’ of how we spend their money.

A-133 Compliance

• It strengthens the relationship of trust that exists between the sponsor and recipient

• It suggests a presence of the stewardship necessary to properly safeguard the Federal Government’s investment in programs

A-133 Compliance

• Negative publicity, may cause harm to reputation and prestige

• May cost $ millions in payback

• Loss of Federal expanded authorities, additional oversight burden

Cognizant Agency

Primary responsibilities of the cognizant/oversight agencies are:

• To provide technical advice before, during, and after the audit to the recipient and its auditor.

• To ensure that the audits are conducted in a timely manner and in accordance with the requirements of the OMB circulars.

• To perform a “desk review” on the report, then either to forward it to the appropriate grantor agencies or advise the recipients of audits it finds substandard.

• To coordinate any additional audit effort or revisions needed in the report.

• To perform quality control reviews of selected reports.

• To inform other affected Federal agencies of any reported illegal acts or fraud.

• To ensure the resolution of program audit findings affecting all agencies.

What Does Compliance Mean?

• Effective management of public funds to maximize outcomes

• The avoidance of fraud, mismanagement, and poor management of Federal funds

• Adherence to laws, rules and regulations

• Checks and balances – internal controls

• Stewardship of Federal funds

Compliance Pitfalls

• Misuse of funds

• Unallowable costs

• Misallocation of costs

• Excessive cost transfers

• Delinquent financial reporting

• Inaccurate effort reporting/improper allocation of staff time

• Inadequate subrecipient monitoring

Why We Have Problems with Compliance

• Lack of understanding by staff of roles and responsibilities

• Inadequate resources

• Incomplete, outdated or nonexistent policies and procedures

• Inadequate staff training and education

Why We Have Problems with Compliance

• Inadequate systems

• Lack of documentation and audit trail to support claimed expenses

• Perception that internal control systems are not necessary

Assistance vs. Procurement

• Financial Assistance – Provides support or stimulation to accomplish a public purpose. Award can be a grant or cooperative agreement.

• Procurement – Purchase of goods and services to accomplish a government purpose; services can include research. Award is a contract.

Direct Versus Indirect Costs

Direct Costs:

• Can be identified with a specific project or activity relatively easily with a high degree of accuracy

- Direct Salaries & Wages

- Materials & Supplies

- Consultants & Subcontractors

Indirect Costs:

• Referred to as Facilities & Administrative costs

• Indirect costs are those that are incurred for common or joint objectives and therefore cannot be identified readily and specifically with a particular project or activity

- Fringe Benefits

- Overhead

- G & A


Following COSO Model, OMB Selected Control Activities for Each of the Compliance Requirements

A. Activities allowed or unallowed

B. Allowable costs/cost principles

C. Cash management

D. Davis-Bacon Act

E. Eligibility

F. Equipment & real property mgmt

G. Matching, level of effort, earmarking

H. Period of availability of Federal Funds

I. Procurement and suspension and debarment

J. Program Income

K. Real property acquisition/relocation assistance

L. Reporting

M. Subrecipient monitoring

N. Special tests and provisions (control procedures not listed)

Note: Does not have to use those in the compliance supplement or all of them and should use others if more are appropriate.

Assessment of Risk

• Inherent Risk - risk that material noncompliance with a major program’s compliance requirements could occur, assuming there are no related controls.

- Factors to consider:

- Size of the program

- Subrecipients

- Program maturity

- Level of oversight

- Complexity

- Prior audit findings

- Extent of contracting

- Identified as high risk

- Other factors

• Control Risk - risk that material noncompliance that could occur in a major program will not be prevented or detected on a timely basis by the program’s internal control.

- Preliminary control risk

- Final control risk

• Fraud Risk - risk that intentional material noncompliance with a major program’s compliance requirements could occur.

Assessment of Risk

• Detection Risk - risk that the audit procedures will lead to the conclusion that noncompliance that could be material to a program doesn’t exist when in fact it does exist.

- Factors to consider:

- Inherent risk

- Control risk

- Fraud risk

Assessment of Risk

• Risk of Material Misstatement - combination of inherent risk and control risk. Based on professional judgments.

• Audit Risk - risk that the auditor may unknowingly fail to appropriately modify his or her opinion on compliance. It is comprised of inherent risk, control risk, fraud risk and detection risk.

What Are We Looking for Controls to Do?

• Prevent or detect material noncompliance

• Initial assessment to be at low controlled risk

• Final analysis does not need to be at a low level of controlled risk

Types of Controls

Pervasive Controls - Controls around the process, i.e., separation of duties, supervision, hiring, training, skills

Specific Controls -

- Preventative - Stop error from occurring

- Detective - Identify and notify that an error has occurred

Monitoring Control - Identify when a preventative or detecting control is not working

Process to Test Single Audit Controls


A. Identify the Control Objectives or “What Can Go Wrong” -

• Can use the compliance supplement

• Only need to assess those requirements that are direct and material

• Can develop your own control procedures

Process to Test Single Audit Controls

B. Understand the Risk Prevention Process

Using the COSO Model -

• Control Environment - sets the tone of an organization influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.

Process to Test Single Audit Controls

B. Understand the Risk Prevention Process

Using the COSO Model (cont’d) -

• Risk Assessment - is the entity’s identification and analysis of risks relevant to achievement of its objectives, forming a basis for determining how the risks should be managed.

Process to Test Single Audit Controls

B. Understand the Risk Prevention Process

Using the COSO Model -

• Control Activities - are the policies and procedures that help ensure that management’s directives are carried out.

• Information and Communication - are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Process to Test Single Audit Controls

B. Understand the Risk Prevention Process

Using the COSO Model (cont’d) -

• Monitoring - is a process that assesses the quality of internal control performance over time.

Control Environment

• Sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive.

• If there is a governing Board, the Board has established an Audit Committee or equivalent that is responsible for engaging the auditor, receiving all reports and communications from the auditor, and ensuring that audit findings and recommendations are adequately addressed.

Process to Test Single Audit Controls

Control Environment (cont’d)

• Management’s positive responsiveness to prior questioned costs and control recommendation.

• Management’s respect for and adherence to program compliance requirements.

• Key managers’ responsibilities clearly defined.

• Key managers have adequate knowledge and experience to discharge their responsibilities.

Process to Test Single Audit Controls

Control Environment (cont’d)

• Staff knowledgeable about compliance requirements and being given responsibility to communicate all instances of noncompliance to management.

• Management’s commitment to competence ensures that staff receive adequate training to perform their duties.

• Management’s support of adequate information and reporting system.

Process to Test Single Audit Controls

Risk Assessment

• Program managers and staff understand and have identified key compliance objectives.

• Organizational structure provides identification of risks of noncompliance:

- Key managers given responsibility to identify and communicate changes.

- Employees who require close supervision (e.g. inexperienced) are identified.

Process to Test Single Audit Controls

Risk Assessment (cont’d)

• Organizational structure provides identification of risks of noncompliance: (cont’d)

- Management has identified and assessed complex operations, programs, or projects.

- Management is aware of results of monitoring, audits, and reviews and considers related risk of noncompliance.

- Process established to implement changes in program objectives and procedures.

Process to Test Single Audit Controls

Control Activities

• Procedures in place to implement changes in laws, regulations, guidance, and funding agreements affecting Federal awards.

• Management prohibition against intervention or overriding established controls.

• Adequate segregation of duties provided between performance, review, and recordkeeping of a task.

Process to Test Single Audit Controls

Control Activities (cont’d)

• Computer and program controls should include:

- Data entry controls, e.g., edit checks.

- Exception reporting.

- Computer general controls and security controls.

- Reviews of input and output data.

- Access controls.

Process to Test Single Audit Controls


Control Activities (cont’d)

• Operating policies and procedures clearly written and communicated.

• Supervision of employees commensurate with their level of competence.

• Personnel with adequate knowledge and experience to discharge responsibilities.

Process to Test Single Audit Controls

Control Activities (cont’d)

• Equipment, inventories, cash, and other assets secured physically and periodically counted and compared to recorded amounts.

• If there is a governing Board, the Board conducts regular meetings where financial information is reviewed and the results of program activities and accomplishments are discussed. Written documentation is maintained of the matters addressed at such meetings.

Information and Communication

• Accounting system provides for separate identification of Federal and non-Federal transactions and allocation of transactions applicable to both.

• Adequate source documentation exists to support amounts and items reported.

Process to Test Single Audit Controls

Information and Communication (cont’d)

• Recordkeeping system is established to ensure that accounting records and documentation are retained for the time period required by applicable requirements, such as the A-102 Common Rule, OMB Circular A-133, and the provisions of laws, regulations, contracts or grant agreements applicable to the program.

Process to Test Single Audit Controls

Information and Communication (cont’d)

• Reports provided timely to managers for review and appropriate action.

• Accurate information is accessible to those who need it.

• Reconciliations and reviews ensure accuracy of reports.

Process to Test Single Audit Controls

Information and Communication (cont’d)

• Established internal and external communication channels.

- Staff meetings.

- Bulletin boards.

- Memos, circulation files, e-mail.

- Surveys, suggestion box.

• Employees’ duties and control responsibilities effectively communicated.

Process to Test Single Audit Controls

Information and Communication (cont’d)

• Channels of communication for people to report suspected improprieties established.

• Actions taken as a result of communications received.

• Established channels of communication between the pass-through entity and subrecipients.

Process to Test Single Audit Controls

Monitoring

• Ongoing monitoring built-in through independent reconciliations, staff meeting feedback, rotating staff, supervisory review, and management review of reports.

• Periodic site visits performed at decentralized locations (including subrecipients) and checks performed to determine whether procedures are being followed as intended.

Process to Test Single Audit Controls

Monitoring (cont’d)

• Follow up on irregularities and deficiencies to determine the cause.

• Internal quality control reviews performed.

• Management meets with program monitors, auditors, and reviewers to evaluate the condition of the program and controls.

Process to Test Single Audit Controls

Monitoring (cont’d)

• Internal audit routinely tests for compliance with Federal requirements.

• If there is a governing Board, the Board reviews the results of all monitoring or audit reports and periodically assesses the adequacy of corrective action.

Process to Test Single Audit Controls

C. Walk Through the Control Process to Understand What It is and Whether It is Operational

• One transaction from start to finish

• Have the processors show what they do, what they review, exceptions uncovered and how exceptions are handled

• Observe and review documentation

Process to Test Single Audit Controls

D. Assess if the Procedures in Place As Designed Are Effective at Reducing the Risk of Noncompliance to a Low Level

• Requires judgment

• Believe no material errors would occur undetected

• If the procedures are designed effectively, must test to ensure operating throughout the period

• If not designed effectively, no need to test as you can write your finding

Process to Test Single Audit Controls

E. Test the Controls Throughout the Period to Determine if They Were Operating As Desired

• Perform test in compliance supplement or design a test to ensure controls were working throughout the period

• Sample size is a matter of judgment

• Suggested sample size of 40 or 60 because of low level of assessed risk while some firms use 25 for moderate level risk

Process to Test Single Audit Controls

Types of Control Tests

• Observation

• Inspection

• Knowledge assessment

• System query

• Reconciliation

• Physical examination

• Review

• Inquiry

• Re-performance

• Corroborative inquiry

• Confirmation

• Computation

• Operating test

F. Assess the Operating Effectiveness

Number of Expected or Actual Deviations

| Planned Assessed Level of Control Risk | 0 | 1 | 2 | 3 |
|---|---|---|---|---|
| Low | 60 | * | * | * |
| Moderate | 25 | 40 | 60 | 60 |
| Slightly Below Maximum | * | 25 | 25 | 40 |
| Maximum | * | * | * | * |

* Omit test because tests of controls would most likely be inefficient or ineffective

Process to Test Single Audit Controls

G. Reporting Findings

Identify the following:

• Finding or non compliance

• Compliance requirement

• Known dollars of non compliance

• Likely dollars of non compliance

• Cause

• Effect

Process to Test Single Audit Controls

G. Reporting Findings

Type of Finding:

-Control-

• Deficiency

• Significant deficiency

• Material weakness

-Specific Test-

• Material non compliance

• Non compliance

Type of Report:

• Unqualified

• Qualified

• Adverse

• Disclaimer

Process to Test Single Audit Controls

Type of Control Weaknesses

Significant Deficiency

Quantitative Deficiencies - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as a Significant Deficiency to the program.

Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Material Weakness

Quantitative Considerations - Any internal control related findings quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as a Material Weakness in the program.

Qualitative Considerations - There may be instances, based on auditor judgment, where internal control related findings that quantitatively would not be considered material, may be deemed material weaknesses by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Type of Compliance Finding

Material Noncompliance

Quantitative Considerations - Any noncompliance quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as Material Noncompliance to the program.

Qualitative Considerations - There may be instances, based on auditor judgment, where noncompliance that quantitatively would not be considered material, may be deemed material noncompliance by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

Noncompliance

Quantitative Considerations - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as Noncompliance to the program.

Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.

American Recovery Reinvestment Act

• Passed in 2009

• $787 Billion in Federal spending

• Mandates unprecedented amount of oversight and transparency

Additional Guidance for ARRA Funds

• Recipients will generally be required to clearly distinguish ARRA funds from other Federal awards.

• Federal agencies will be performing risk assessments on ARRA programs and potentially designating some programs as high-risk programs for single audit purposes that will affect major program determination and future audit scope.

• There will be extensive reporting, including timely quarterly reporting, to Federal agencies required from ARRA fund recipients.

• Federal agencies are required to initiate additional oversight and monitoring to address the unique implementation risks of the ARRA.

Questions???