Governor’s Grants Office OMB Circular A-133 Rules To The Game Audits of States, Local Governments and Universities Presented by Alicia Foster, Graylin Smith and Donna Dancy for Governor’s Grants Office
Jan 07, 2016
Governor’s Grants Office
OMB Circular A-133Rules To The Game
Audits of States, Local Governments and Universities
Presented by Alicia Foster, Graylin Smith and Donna Dancy for Governor’s Grants Office
Presenters
Alicia Foster, Audit Director Abrams, Foster, Noles & Williams, PA 410-433-6830 Graylin Smith, Managing Partner
SB & Company410-584-1401
Presenters
• Donna Dancy
• Director, Internal Audit Services
• Maryland Department of the Environment
• 410-537-3429
Presentation Objectives
• Recap OMB A-133 Circular Overview - Donna Dancy
• Clarify why we care about OMB A-133 compliance – Donna Dancy
• Define key terms and roles & responsibilities – Donna Dancy
Presentation Objectives
• Explain internal controls reviewed during the A-133 audit and the internal control questionnaire - Graylin Smith
• Purpose, Process, Outcomes : An Auditor’s Prospective - Alicia Foster
LET’S RECAP
Recap A-133 Overview
• Single Audit Act was enacted in 1984
• Annual audit required for Non-Federal Entities that receive Federal funds
• Shows the “whole picture”
Recap A-133 Overview
• Single Audit is two-fold - Financial and Compliance
• Uses a risk-based audit approach
• Cost effective way to obtain audits
because one audit is conducted instead
of multiple audits of individual programs
Recap A-133 Overview
• OMB Circular A-133 was issued in 1990
• Extended Single Audit process to universities and non-profits
• Set standards for consistency and uniformity for audits. Provided specific policy, procedures and criteria
Federal Circulars
Grantee
Type
Administrative
Requirements
Cost
Principles
Audit
Requirements
State & Local
Governments A-102 A-87 A-133
Educational
Institutions A-110 A-21 A-133
Non-Profit
Organizations A-110 A-122 A-133
Where to Find the Rules• OMB Circular A-133 - http://www.whitehouse.gov/omb/circulars/
a133/a133.html
• Single Audit Act - http://thomas.loc.gov/cgi-bin/query/ z?c104:S.1579.ENR:
• CFR - http://gpoaccess.gov/cfr/index.html
A-133 COMPLIANCEWHY…DO WE CARE?
A-133 Compliance WHY . . . Do We Care?
• Findings are reported to Federal government and become public
record, distributed to all Federal
Agencies through a clearing house.
• Federal and Non-Federal sponsors look at
A-133 as a ‘report card’ of how we spend their money.
A-133 Compliance WHY . . . Do We Care?
• It strengthens the relationship of trust
that exists between the sponsor and recipient
• It suggests a presence of the stewardship necessary to properly safeguard the Federal Government’s investment in programs
A-133 Compliance WHY . . . Do We Care?
• Negative publicity, may cause harm to reputation and prestige
• May cost $ millions in payback
• Loss of Federal expanded authorities, additional oversight burden
What Does Compliance Mean?
• Effective management of public funds to maximize outcomes
• The avoidance of fraud, mismanagement, and poor management of Federal funds
• Adherence to laws, rules and regulations
• Check and balances - internal controls
• Stewardship of Federal funds
Compliance Pitfalls
• Misuse of funds
• Unallowable costs
• Misallocation of costs
• Excessive cost transfers
• Delinquent financial reporting
• Inaccurate effort reporting/improper allocation of staff time
• Inadequate subrecepient monitoring
Why We Have Problems With Compliance
• Lack of understanding by staff of
roles and responsibilities
• Inadequate resources
• Incomplete, outdated or nonexistent
policies and procedures
• Inadequate staff training and education
Why We Have Problems With Compliance
• Inadequate systems
• Lack of documentation and audit trail to support claimed expenses
• Perception that internal control systems are not necessary
Compliance - Back to the Basics
• Do the right thing…from the start!!!
• Keep policies current with Federal requirements
• Perform risk assessments and implement
adequate internal controls
Compliance - Back to the Basics
• Develop a continuing training program
• Monitor first, audit second
COMMUNICATE, COMMUNICATE, COMMUNICATE!!!
with employees and Federal agency.
DOCUMENT, DOCUMENT, DOCUMENT!!!
Always remember, if you didn’t write it down, it didn’t happen.
KEY DEFINITIONS
Terms You Should Know
• Assistance• Procurement• Award• Sub-Award• Grant• Cooperative Agreement• Contract
• Pass-Through Entity• Recipient• Sub-recipient• Vendor• Direct Costs• Indirect Costs• Internal Control
Assistance vs. Procurement
• Financial Assistance– Provides support or stimulation to accomplish a public purpose. Award can be a grant or cooperative agreement.
• Procurement – Purchase of goods and services to accomplish a government purpose; services can include research. Award is a contract.
Definition of Award
• Financial assistance that provides support to accomplish a public purpose.
• Includes grants and other agreements
in the form of money or property in
lieu of money by the Federal
Government
Awards Do Not Include:
• Technical assistance
• Loans, loan guarantees, interest subsidies, insurance
• Direct payments of any kind to individuals
• Contracts, which are required to be entered into and administered under procurement laws and regulations
Definition of Subaward
• Financial assistance made by a
recipient to an eligible subrecipient
• Includes any financial assistance when provided by legal agreement, even if the agreement is called a contract
• Does not include the purchase of goods and services
Definition of Grant
• Purpose is to transfer money, property,
services or anything of value to recipient in
order to accomplish a public purpose.
• No substantial involvement is
anticipated between government
and recipient during performance
of activity.
Definition of Cooperative Agreement
• Purpose is to transfer money, property, services or anything of value to recipient in order to accomplish a public purpose.
• Substantial involvement is anticipated
between government and recipient
during performance of activity.
Definition of Contract• Primary purpose is to acquire property or
services for direct benefit or use of the
Federal Government.
• Government determines whether
procurement contract is appropriate.
• Allowable activities based on terms and conditions of contract
• Governed by terms of the contract and State law
Definition of Pass-Through Entity
• A Non-Federal Entity that provides a Federal award to a subrecipient to carry out a Federal program
Definition of Recipient
• Organization receiving financial assistance from a Federal Agency to carry out a project or program
• Term may include commercial, foreign or international organizations which are recipients and subrecipients
Subrecipient Versus Vendor
Subrecipent:
• A Non-Federal Entity that expends Federal awards received from a pass-through entity to carry out a Federal program
• Has performance measured against whether the objectives of a Federal program are met
Subrecipient Versus Vendor
Subrecipient:
• Has responsibilities for programmatic decisions
• Is responsible for complying with Federal program requirements
• Uses Federal funds to carry out a program as compared to providing goods or services for a program
Subrecipient Versus Vendor
Vendor:
• Provides goods and services within normal business operations
• Operates in a competitive environment
• Provides similar goods or services to
many different purchasers
Subrecipient Versus VendorVendor:
• Retains no rights to intellectual property
• Provides the goods or services that are required for the conduct of a Federal program but are ancillary to the operation of the Federal program
• Is not subject to compliance requirements of the Federal program
Direct Versus Indirect CostsDirect Costs:
• Can be identified with a specific project or activity relatively easily with a high degree of accuracy
Direct Salaries & WagesMaterials & SuppliesConsultants & Subcontractors
Direct Versus Indirect CostIndirect Costs:
• Referred to as Facilities & Administrative costs
• Indirect costs are those that are incurred for common or joint objectives and therefore cannot be identified readily and specifically with a particular project or activity
Fringe Benefits Overhead G & A
Internal Control
A process designed to provide reasonable
assurance of achieving the following:
• Effective and efficient operations
• Reliable financial reporting
• Compliance with laws, rules, regulations and guidelines
Roles and Responsibilities
The Players:
• Principal Investigator (PI)/Project Manager
• Department/Unit Administrator
• Department Chair/Program Manager
• Dean/Division Director
• Central/Grant Administration
Roles and Responsibilities
PI/Project Manager:
• Awareness of requirements
• Monitor and oversight of day-to-day
aspects of the project
• Prepare required progress reports
Roles and Responsibilities
PI/Project Manager:
• Authorize all project expenditures and payments to consultants and subcontractors
• Adhere to terms and conditions of award
• Retain project data and materials as required
Roles and ResponsibilitiesDepartment/Unit Administrator:
• Provide administrative support to the
project
• Assist in complying with award terms
and conditions, regulations and policies
• Monitor expenditures of award funds, obtain necessary authorized signatures
Roles and Responsibilities
Department/Unit Administrator:
• Coordinate with Central/Grant Administration on reporting
• Assist Central/Grant Administration
with closeout and audit activities
Roles and Responsibilities
Department Head/Program Manager:
• Overall administrative and financial operation of the department/program
• Oversight of all project activity and
staff & other resources
Roles and ResponsibilitiesDean/Division Director:
• Management support, sets tone at top,
broad oversight of projects/programs
• Provide divisional/unit concurrence in negotiation and acceptance of awards
• Provide divisional/unit oversight for compliance with regulatory requirements
Roles and ResponsibilitiesCentral/Grant Administration:
• Management of all aspects of an award throughout its life cycle frompre-award through closeout activities.
• Liaison with Federal Agencies
• Assistance in locating funding opportunities
• Negotiation and acceptance of awards
Roles and Responsibilities
Central/Grant Administration:• Prepare billings, financial reports
and other electronic submittals
• Maintain time reporting and grant accounting system
• Provide advise on financial matters
• Coordinate A-133 and other audits
INTERNAL CONTROLS REVIEWED/INTERNAL
CONTROL QUESTIONNAIRE
Single Audit Test of Controls is Built On Foundation of Government Audit
GAAS- Obtain understanding of internal controls over financial reporting sufficient
to plan audit-Understand controls; whether in place; whether operating
- Report oral or written significant deficiencies and material weaknesses
GAS- Added requirement on safeguarding controls and controls over
compliance with laws and regulations
- Require report and written significant deficiencies and material weaknesses
Single Audit-Understanding controls over Federal compliance
requirements to support a low assessed level of control risk over major programs
- Required report and schedule of findings
OMB Compliance Supplement (Part 6) Follows the COSO Model of Internal
Controls
• Control Environment
• Risk Assessment• Control Activities• Information and communications• Monitoring
COSO = Committee of Sponsoring Organizations of the Treadway Commission
• Report on how to look at controls, assess risk and the limitations of controls
• Widely used as a framework to understand controls but is not the only one
• Framework:
- Definitions - Monitoring- Control environment - Limitation of internal controls- Risk assessment - Information and communications
- Roles and responsibilities
Following COSO Model, OMB Selected Control Activities for Each of the Compliance RequirementsA. Activites allowed or unallowed
B. Allowable costs/cost principles
C. Cash management
D. Davis-Bacon Act
E. Eligibility
F. Equipment & real property mgmt
G. Matching level of effort,
earmarking
H. Period of availability of Federal
Funds
Note: Does not have to use those in the
compliance supplement or
I. Procurement and suspension
and debarment
J. Program Income
K. Real property acquisition/
relocation assistance
L. Reporting
M. Subrecipient monitoring
N. Special test and provisions
(control procedures not listed)
all of them and should use
others if more are appropriate.
Assessment of Risk
• General Risk Consideration
- Experience
- Length of time
- Effect of non compliance
- Routine/non-routine transaction
- Estimate or judgment
Assessment of Risk• Inherent Risk - risk that material noncompliance with
a major program’s compliance requirements could occur, assuming there are no related controls.
- Factors to consider:
- Size of the program - Subrecipients - Program maturity - Level of oversight - Complexity - Prior audit findings - Extent of contracting - Identified as high risk - Other factors
Assessment of Risk• Control Risk - risk that material noncompliance that
could occur in a major program will not be prevented or detected on a timely basis by the program’s internal control.
- Preliminary control risk
- Final control risk
• Fraud Risk - risk that intentional material noncompliance with a major program’s compliance requirements could occur.
Assessment of Risk
• Detection Risk - risk that the audit procedures will lead to the conclusions that noncompliance that could be material to a program doesn’t exist when in fact it does exist.
- Factors to consider:
- Inherent risk
- Control risk
- Fraud risk
Assessment of Risk
• Risk of Material Misstatement - combination of inherent risk and control risk. Based on professional judgments.
• Audit Risk - risk that the auditor may unknowingly fail to appropriately modify his or her opinion on compliance. It is comprised of inherent risk, control risk, fraud risk and detection risk.
What Are We Looking for Controls to Do?
• Prevent or detect material noncompliance
• Initial assessment to be at low controlled risk
• Final analysis does not need to be at a low level of controlled risk
Types of ControlsPervasive Controls - Controls around the process, i.e.,
separation of duties, supervision,
hiring, training, skills
Specific Controls -
Preventative -
Detective -
Stop error from occurring
Identify and notify that an error has occurred
Monitoring Control - Identify when a preventative or detecting control is not working
Process to Test Single Audit Controls
A. Identify the Control Objectives or “What Can Go Wrong”
B. Understand the Mitigating Controls
C. Walk Through of the Control Process
D. Assess the Design Effectiveness
E. Test Controls
F. Assess Operating Effectiveness
G. Report Findings
Process to Test Single Audit Controls
A. Identify the Control Objectives or “What Can Go Wrong” -
• Can use the compliance supplement
• Only need to access those requirements that are direct and material
• Can develop on your own control procedures
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model -
• Control Environment - sets the tone of an organization influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model (cont’d) -
• Risk Assessment - is the entity’s identification and analysis of risks relevant to achievement of its objectives, forming a basis for determining how the risks should be managed.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model -
• Control Activities - are the policies and procedures that help ensure that management’s directives are carried out.
• Information and Communication - are the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Process to Test Single Audit Controls
B. Understand the Risk Prevention Process
Using the COSO Model (cont’d) -
• Monitoring - is a process that assesses the quality of internal control performance over time.
Process to Test Single Audit ControlsControl Environment
• Sense of conducting operations ethically, as evidenced by a code of conduct or other verbal or written directive.
• If there is a governing Board, the Board has established an Audit Committee or equivalent that is responsible for engaging the auditor, receiving all reports and communications from the auditor, and ensuring that audit findings and recommendations are adequately addressed.
Process to Test Single Audit ControlsControl Environment (cont’d)
• Management’s positive responsiveness to prior questioned costs and control recommendation.
• Management’s respect for and adherence to program compliance requirements.
• Key managers’ responsibilities clearly defined.
• Key managers have adequate knowledge and experience to discharge their responsibilities.
Process to Test Single Audit ControlsControl Environment (cont’d)
• Staff knowledgeable about compliance requirements and being given responsibility to communicate all instances of noncompliance to management.
• Management’s commitment to competence ensures that staff receive adequate training to perform their duties.
• Management’s support of adequate information and reporting system.
Process to Test Single Audit ControlsRisk Assessment
• Program managers and staff understand and have identified key compliance objectives.
• Organizational structure provides identification of risks of noncompliance:
- Key managers given responsibility to identify and communicate changes.
- Employees who require close supervision (e.g. inexperienced) are identified.
Process to Test Single Audit ControlsRisk Assessment (cont’d)
• Organizational structure provides identification of risks of noncompliance: (cont’d)
- Management has identified and assessed
complex operations, programs, or projects.
- Management is aware of results of monitoring, audits, and reviews and considers related risk of noncompliance.
- Process established to implement changes in program objectives and procedures.
Process to Test Single Audit Controls
Control Activities• Procedures in place to implement changes in laws,
regulations, guidance, and funding agreements affecting Federal awards.
• Management prohibition against intervention or overriding established controls.
• Adequate segregation of duties provided between performance, review, and recordkeeping of a task.
Process to Test Single Audit Controls
Control Activities (cont’d)
• Computer and program controls should include:
- Data entry controls, e.g., edit checks. - Exception reporting.
- Computer general controls and security controls.
- Reviews of input and output data.
- Access controls.
Process to Test Single Audit Controls
Control Activities (cont’d)
• Operating policies and procedures clearly written and communicated.
• Supervision of employees commensurate with their level of competence.
• Personnel with adequate knowledge and experience to discharge responsibilities.
Process to Test Single Audit ControlsControl Activities (cont’d)
• Equipment, inventories, cash, and other assets secured physically and periodically counted and compared to recorded amounts.
• If there is a governing Board, the Board conducts regular meetings where financial information is reviewed and the results of program activities and accomplishments are discussed. Written documentation is maintained of the matters addressed at such meetings.
Process to Test Single Audit Controls
Information and Communication
• Accounting system provides for separate identification of Federal and non-Federal transactions and allocation of transactions applicable to both.
• Adequate source documentation exists to support amounts and items reported.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Recordkeeping system is established to ensure that accounting records and documentation retained for the time period required by applicable requirements; such as the A-102 Common Rule, 0MB Circular A-133, and the provisions of laws, regulations, contracts or grant agreements applicable to the program.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Reports provided timely to managers for review and appropriate action.
• Accurate information is accessible to those who need it.
• Reconciliations and reviews ensure accuracy of reports.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Established internal and external communication channels.
- Staff meetings. - Bulletin boards. - Memos, circulation files, e-mail. - Surveys, suggestion box.
• Employees’ duties and control responsibilities effectively communicated.
Process to Test Single Audit Controls
Information and Communication (cont’d)
• Channels of communication for people to report suspected improprieties established.
• Actions taken as a result of communications received.
• Established channels of communication between the pass-through entity and subrecipients.
Process to Test Single Audit Controls
Monitoring
• Ongoing monitoring built-in through independent reconciliations, staff meeting feedback, rotating staff, supervisory review, and management review of reports.
• Periodic site visits performed at decentralized locations (including subrecipients) and checks performed to determine whether procedures are being followed as intended.
Process to Test Single Audit Controls
Monitoring (cont’d)
• Follow up on irregularities and deficiencies to determine the cause.
• Internal quality control reviews performed.
• Management meets with program monitors, auditors, and reviewers to evaluate the condition of the program and controls.
Process to Test Single Audit Controls
Monitoring (cont’d)
• Internal audit routinely tests for compliance with Federal requirements.
• If there is a governing Board, the Board reviews the results of all monitoring or audit reports and periodically assesses the adequacy of corrective action.
C. Walk Through the Control Process to Understand What It is and Whether It is Operational
• One transaction from start to finish
• Have the processors show what they do, what they review, exceptions uncovered and how exceptions are handled
• Observe and review documentation
Process to Test Single Audit Controls
D. Assess if the Procedures in Place As Designed Are Effective at Reducing the Risk on Non Compliance to A Low Level
• Requires judgment• Believe no material errors would occur undetected• If the procedures are designed effectively, must test
to ensure operating throughout the period• If not designed effectively, no need to test as you
can write your finding
Process to Test Single Audit Controls
E. Test the Controls Throughout the Period to Determine if They Were Operating As Desired
• Perform test in compliance supplement or design a test to ensure controls were working throughout the period
• Sample size is a matter of judgment
• Suggested sample size of 40 or 60 because of low level of assessed risk while some firms use 25 for moderate level risk
Process to Test Single Audit Controls
Types of Control Tests
• Observation
• Inspection
• Knowledge assessment
• System query
• Reconciliation
• Physical examination
• Review
• Inquiry
• Re-performance
• Corroborative inquiry
• Confirmation
• Computation
• Operating test
Process to Test Single Audit Controls
F. Assess the Operating Effectiveness
Number of Expected or Actual Deviations
Planned Assessed Level of Control Risk 0 1 2 3
Low 60 * * *
Moderate 25 40 60 60
Slightly Below Maximum * 25 25 40
Maximum * * * *
* Omit test because tests of controls would most likely be inefficient or ineffective
Process to Test Single Audit Controls
G. Reporting Findings
Identify the following:
• Finding or non compliance
• Compliance requirement
• Known dollars of non compliance
• Likely dollars of non compliance
• Cause
• Effect
Process to Test Single Audit Controls
G. Reporting Findings
Type of Finding:
-Control-• Deficiency• Significant deficiency• Material weakness
-Specific Test-• Material non compliance• Non compliance
Type of Report:
• Unqualified• Qualified• Adverse• Disclaimer
Type of Control WeaknessesSignificant Deficiency Quantitative Deficiencies - Any internal control related findings
quantitatively less than the Program Tolerable Noncompliance should be classified as a Significant Deficiency to the program.
Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Material Weakness Quantitative Considerations - Any internal control related findings quantitatively equal to or greater than the Program Tolerable Noncompliance should be classified as a Material Weakness in the program.
Qualitative Considerations - There may be instances, based on auditor judgment, where internal control related findings that quantitatively would not be considered material, may be deemed material weaknesses by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Type of Compliance FindingMaterial Noncompliance Quantitative Considerations - Any noncompliance quantitatively equal
to or greater than the Program Tolerable Noncompliance should be classified as Material Noncompliance to the program.
Qualitative Considerations - There may be instances, based on auditor judgment, where noncompliance that quantitatively would not be considered material, may be deemed material noncompliance by the auditor based on the nature of the finding. Documentation of the rationale for this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Noncompliance Quantitative Considerations - Any internal control related findings quantitatively less than the Program Tolerable Noncompliance should be classified as Noncompliance to the program.
Qualitative Considerations - Documentation of the rationale for any qualitative considerations used in this type of assessment/conclusion should be documented in the Findings Assessment Worksheet and evaluated by AOA.
Examples of Strong Internal Controls
A. Activities Allowed or Unallowed and
B. Allowable Costs/Cost Principles
Control Environment
• Management sets reasonable budgets for Federal and non-Federal programs so that no incentive exists to miscode expenditures.
Examples of Strong Internal Controls
A. Activities Allowed or Unallowed and
B. Allowable Costs/Cost Principles
Risk Assessment
• Key manager has a sufficient understanding of staff, processes, and controls to identify where unallowable activities or costs could be charged to a Federal program and not be detected.
Examples of Strong Internal Controls
A. Activities Allowed or Unallowed and
B. Allowable Costs/Cost Principles
Control Activities
• Supporting documentation compared to list of allowable and unallowable expenditures.
• Adequate segregation of duties in review and authorization of costs.
Examples of Strong Internal Controls
A. Activities Allowed or Unallowed and
B. Allowable Costs/Cost Principles
Information and Communication
• Reports, such as a comparison of budget to actual
provided to appropriate management for review on
a timely basis.
Examples of Strong Internal Controls
C. Cash Management
Control Environment
• Budgets for drawdowns are consistent with realistic cash needs.
Examples of Strong Internal Controls
C. Cash Management (cont’d)
Control Activities
• Appropriate level of supervisory review of
cash management activities.
• Written policy that provides:
- Procedures for requesting cash advances as
close as is administratively possible to actual
cash outlays
Examples of Strong Internal Controls
C. Cash Management (cont’d)
Information and Communication
• Variance reporting of expected versus actual cash disbursements of Federal awards and drawdowns of Federal funds.
Examples of Strong Internal Controls
D. Davis-Bacon Act
Control Activities
Contractors informed in the procurement documents of
the requirements for prevailing wage rates.
Monitoring
Management reviews to ensure that certified payrolls
are properly received.
Examples of Strong Internal Controls
E. Eligibility
Control Environment
• Staff size and competence provides for proper making
of eligibility determinations.
Risk Assessment
• Conflict-of-interest statements are maintained for
individuals who determine eligibility.
Examples of Strong Internal ControlsE. Eligibility (cont’d)
Control Activities
• Eligibility objectives and procedures clearly
communicated to employees.• Authorized signatures (manual or electronic)
on eligibility documents periodically reviewed.• Manual criteria checklists or automated process
used in making eligibility determinations.
Examples of Strong Internal Controls
E. Eligibility (cont’d)
Monitoring
• Program quality control procedures performed
Examples of Strong Internal Controls
F. Equipment and Real Property Management
Control Activities
• Accurate records maintained on all acquisitions and dispositions of property acquired with Federal awards.
• A physical inventory of equipment is periodically taken and compared to property records.
Examples of Strong Internal Controls
F. Equipment and Real Property Management (cont’d)
Monitoring
• Management reviews the results of periodic inventories and follows up on inventory discrepancies.
Examples of Strong Internal ControlsG. Matching, Level of Effort, Earmarking
Control Environment• Budgeting process addresses/provides adequate
resources to meet matching, level of effort, or
earmarking goals.
Risk Assessment• Identification of areas where estimated values will be
used for matching, level of effort or earmarking.
Examples of Strong Internal Controls
H. Period of Availability of Federal Funds
Control Activities
• Accounting system prevents obligation or expenditure
of Federal funds outside of the period of availability.
• Cancellation of unliquidated commitments at the end of
the period of availability.
Examples of Strong Internal Controls
H. Period of Availability of Federal Funds (Cont’d)
Monitoring
• Periodic review of expenditures before and after cut-off date to ensure compliance with period of availability requirements.
Examples of Strong Internal Controls
I. Procurement and Suspension and Debarment
Risk Assessment• Procedures to identify risks arising from vendor inadequacy, e.g., quality of goods and services, delivery schedules, warranty assurances, user support.
Control Activities• Contractor’s performance with the terms, conditions and specifications of the contract is monitored and documented.
Examples of Strong Internal Controls
I. Procurement and Suspension and Debarment (cont’d)
Monitoring
• Management periodically conducts independent reviews of procurements and contracting activities to determine whether policies and procedures are being followed as intended.
Examples of Strong Internal Controls
J. Program Income
Control Environment
• Realistic performance targets for the generation of program income.
Risk Assessment
• Mechanisms in place to identify the risk of unrecorded or miscoded program income.
Examples of Strong Internal Controls
J. Program Income (cont’d)
Monitoring
• Internal audit of program income.
Examples of Strong Internal Controls
L. Reporting
Control Environment• Management’s attitude toward reporting promotes
accurate and fair presentation.
Control Activities• Tracking system which reminds staff when reports
are due.
Examples of Strong Internal Controls
M. Subrecipient Monitoring
Control Environment
• Sufficient resources dedicated to subrecipient monitoring.
• Appropriate sanctions taken for subrecipient noncompliance.
Examples of Strong Internal Controls
M. Subrecipient Monitoring (cont’d)
Risk Assessment
• Key managers understand the subrecipient’s environment, systems, and controls
sufficient to identify the level and methods of monitoring required.
Examples of Strong Internal Controls
M. Subrecipient Monitoring (cont’d)
Monitoring
• Supervisory reviews performed to determine the adequacy of subrecipient monitoring.
Walk Through the Internal Controls Questionnaire of Part 6 of the
Compliance Supplement
PURPOSE, PROCESS, OUTCOMES: AN AUDITOR’S
PROSPECTIVE
Purpose - As Described By Donna’s
Presentation• Single Audit enacted 1984 – Circular A-133 1990
• Non-Federal Entities receiving Federal Funds
• Set standards for consistency and uniformity
• Provided specific policy, procedures and criteria
Process - An Auditor’s Prospective
• Understanding the entity and their internal controls over financial reporting and compliance by discussions, observations, and testing and assessing risk for audit planning
• Following GAAS, GAS, And OMB A-133 Standards
Process - An Auditor’s Prospective
• Providing clear guidance to auditees about audit requirements, testing criteria & needs and documenting results of audit procedures
• Concluding and reporting results
Outcomes – Auditor’s Findings & Reports
Controls in place, documented, and good audit trails exist
• Controls effective?
• Are you prepared?
Outcomes – Auditor’s Findings & Reports
GAS – Report on internal controls over financial
reporting and on compliance & other matters
Control Objectives – Environment, risk assessment, and control activities (attributes an auditee strives to achieve)
Control Component – Information, communication & monitoring (attributes needed to achieve the objectives)
• Finding? Significant deficiency or material weakness
Outcomes – Auditor’s Findings & Reports
Compliance and Other Matters – GAS
• FINANCIAL STATEMENTS – Reasonable assurance is obtained - they are free of material misstatement due to compliance with certain provisions of laws, regulations, contracts, and grant agreements – AND free of fraud and abuse concerns?
• FINDINGS? Compliant or Non-compliant?
Outcomes – Auditor’s Findings & Reports
OMB Circular A-133 – Report on compliance with requirements applicable to major programs and on internal control over compliance in accordance with Circular A-133 COMPLIANT with the 14 types of compliance requirements
in the compliance supplement?
INTERNAL CONTROL over compliance effective?
• FINDINGS? Significant Deficiency or Material Weakness?
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
I. Understanding Applicable State and Local Compliance and Reporting Requirements – Steps to be Considered for audit preparation:
• Each Department Head should complete the internal control questionnaire for the CFDA’s under their responsibility and fully understand control objectives as they relate to each specific grant. Review prior year submitted information and update the questionnaire. Conduct meetings with auditors for clarification.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls• Have annual, or more frequent, meetings with all
individuals who have a part in grant disbursements, reporting and other compliance requirements to discuss the relevant controls for better understanding of all parties. Monitor compliance by timely review of all relevant procedures and reports prior to audit.
• Read and understand the Compliance Supplement for the CFDA for advance awareness of what will be tested. Typically, this does not change annually, so being prepared is essential to the audit.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• Communicate with grantor agencies for better understanding of what is significant about the grant and determine if they are aware of any overall control deficiencies experienced with grant funds. This may assist in avoiding such experiences.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• Subscribe to Federal single audit references and circulate relevant information to the department – this could have a significant impact on the identification of controls that are missing from your process. Meet and discuss how to address the requirements specified in the relevant literature.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• Monitor your compliance
• Supervision, reviews and approvals are essential to your success.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Be aware of the applicable federal law and requirements using the Compliance Supplement and applicable references.
• Part 2 – Matrix of Compliance Requirements (14 types identified)
• Part 3 – Compliance Requirements Applicable to the CFDA
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Compliance Supplement and applicable
references (Cont’d)
• Part 4 – Specific additional requirements of the federal program pertaining to provisions of contracts or grant agreements that are unique to a particular CFDA
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Compliance Supplement and applicable
references (Cont’d)• Part 5 – Specific to Clusters of Programs (closely related
programs with similar compliance requirements) - ( i.e) SFA
• Part 6 – Internal control requirements and guide
• Part 7 – Use of other specific industry or federal department guides to identify program objectives, procedures and compliance requirements
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• Universities have significant references to Title IV Programs for SFA, and as such follow the guidance of 34 CFR section 691….
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• While Department of Education’s (DOE) Audit Guide is not a requirement for the Single Audit, program objectives, procedures and compliance requirements provide additional understanding to the auditor for single audit compliance procedures
• R&D Program requirements are very specific and monitoring is essential for success
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• The Federal Register (November 1, 2006) provided guidance in 34 CFR Parts 668, 682, and 685 regarding SFA, Final Rule. This literature provides guidance to auditors as well as the auditee.
• Familiarity with such federal department literature is also noteworthy for SFA audits.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
• These items are just reminders of the need for timely meetings and communications to those individuals working with SFA to keep abreast of updates and to be prepared for the audit process.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
II. Materiality Considerations – Compliance Testing
Auditors may use judgment in materiality considerations resulting from findings (or exceptions) noted during the audit. (Case-by-Case basis and is usually dependent on the impact on grant objectives).
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Materiality is Affected By:
• The nature of the compliance requirements, which may or may not be quantifiable in monetary terms
• The nature and frequency of non-compliance identified with an appropriate consideration of sampling risk; and
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Materiality is Affected By: (Cont’d)
• Qualitative considerations, such as the needs and expectations of federal agencies and pass-through entities
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Qualitative Factors Include:
• Low risk of public or political sensitivity
• A single exception that has a low risk of being pervasive
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Qualitative Factors (Cont’d)
• An indication, based on auditor’s judgment an experience, that the affected federal agency or pass-through entity normally would not need to resolve the finding or take follow-up action
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Recap A-133 Overview
• The single audit process is lengthy.
• The compliance requirements are to be tested as provided for in the Compliance Supplement.
Universities – How to Manage Single Audit From A Practical Viewpoint –
Your Internal Controls
Recap A-133 Overview (Cont’d)
• The auditee’s familiarity and understanding of Grants, is essentially the most important facet in achieving a smooth audit.
• The preparations undertaken to achieve your internal control objectives are important, and to a great extent, the means to reducing compliance findings.
Questions???