Intermediate Single Audit Issues: Planning, Performing and Reporting NASACT Audio Conference April 2, 2008 Presented by Frank Crawford, CPA Crawford & Associates, P.C. www.crawfordcpas.com
Intermediate Single Audit Issues: Planning, Performing and Reporting NASACT Audio Conference April 2, 2008 Presented by Frank Crawford, CPA Crawford &
Mar 27, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Intermediate Single Audit Issues: Planning, Performing and
Reporting
NASACT Audio ConferenceApril 2, 2008
Presented by Frank Crawford, CPACrawford & Associates, P.C.
www.crawfordcpas.com
Objectives
• High level overview of national single audit stat sample results
• Highlight and overview intermediate single audit issues identified
• Highlight and overview of advanced single audit issues identified
• Review SAS 112 impact• Review initiatives to improve audit quality• Take your questions
Single Audit Stat Sample Results
• Most prevalent deficiencies found– Not documenting the understanding of
internal controls over compliance requirements (56.5%)
– Not documenting the testing of internal controls of at least some compliance requirements (61%)
– Not documenting compliance testing of at least some compliance requirements (59.6%)
Single Audit Stat Sample Results
• Not prevalent, but one of the most consequential deficiencies– Misreporting coverage of major federal programs, or
in other words, one or more federal programs were identified as major programs when in reality they were not major programs
• Consequential because users may get a “false sense of reliance” by using opinions issued on major programs that were not actually audited as major
– Sampling issues• Insufficient sample sizes• Lack of documentation of how the samples were selected
and the population
Intermediate Single Audit Issues Identified
• Planning– Defining the reporting entity– Cognizant/Oversight Agency Identification and
Considerations – Engagement Letter Considerations– Unique Considerations of Fraud and Abuse– Low-Risk Auditee Determinations– Identifying Federal Programs and Clusters
Intermediate Single Audit Issues Identified
• Planning Issues, cont.– Determination of Major Programs – Determination of Material Audit Requirements (part 2
of the Compliance Supplement)– Using Parts 3, 4, 5 and 7 of the Compliance
Supplement to Create Audit Programs– Using Part 6 of the Compliance Supplement for
Internal Control Documentation Designing, Performing, and Testing
– Risk Assessment and Sample Size Determinations– Planning and Performing Dual Purpose Tests
Intermediate Single Audit Issues Identified
• Fieldwork – Auditing the Schedule of Expenditures of
Federal Awards (SEFA)– Testing the Summary Schedule of Prior Audit
Findings– Testing Information Technology (IT) Systems– Analysis of Audit Test Results and Exceptions– Determining Questioned Costs and Likely
Questioned Costs– Testing Unique Requirements
Intermediate Single Audit Issues Identified
• Reporting– Qualitative Determination and Content of a Finding – Evaluating Findings and Determining Compliance Opinion(s)– Evaluating and Reporting on Internal Control– Modifications to Single Audit Reports– Preparation of the Schedule of Findings and Questioned
Costs– Relationship of GAS Reports to Circular A-133 Reports and
Schedules– Data Collection Form – Representation Letters for Federal Programs– Use of the GAS/A-133 Guide Illustrative Auditor Reports
Advanced Single Audit Issues Identified
• Planning, Fieldwork and Reporting– Accountability and Risk Management in a Single Audit– Key Considerations in Reviewing Single Audits– Preparing for and Responding to Quality Control
Reviews (QCRs)– Firm-Specific Policies and Tools– Program-Specific Audit Considerations – Planning
and Reporting– How to Recall and Reissue Single Audit Reporting
Packages
Other intermediate and advanced single audit issues identified
• Stay current each year by reviewing– Changes to GAS/A133 Guide– AICPA Annual GAS/A133 ARA– Federal Agency Communications/Reports on Audit
Deficiencies– Changes to Circular A-133– Significant Changes to OMB Cost and Administrative
Circulars– Updates to the OMB Compliance Supplement– Changes to the Data Collection Form
SAS 112 Impact
Federal Register Notice, June 26th, 2007, Volume 72, Issue 122 is the notice of the incorporation of SAS 112’s requirements into the single audit process…
Pocket Guide to SAS 112 for Single Audit (A-133):
What is the Likelihood of actual or potential noncompliance with a type of compliance requirement of a federal program, and what is the Magnitude of the actual or potential noncompliance?
REMOTE
S
REMOTE
M
REMOTE
L
MORE THAN REMOTE
S
CONTROL DEFICIENCY
SIGNIFICANT DEFICIENCY
MATERIAL WEAKNESS
MORE THAN REMOTE
M
MORE THAN REMOTE
L
Communicate in Writing
Footnotes to Pocket Guide
• Likelihood (two types)– Remote - the chance that the internal control
deficiency would cause noncompliance with a type of compliance requirement of a federal program is “slight”
– More than Remote – the chance that the internal control deficiency would cause noncompliance with a type of compliance requirement of a federal program is at least reasonable possible
Footnotes to Pocket Guide
• Magnitude defined as– S = Small (standards use term
“Inconsequential”)– M = Medium (standards use the term “More
than Inconsequential”)– L = Large (standards use the term “Material”)
(can you tell that I worked in men’s clothing store when I was a younger?)
Factors that may affect likelihood and magnitude
• Likelihood– The nature of the type of compliance requirement involved.
For example, a specific special test or provision may involve greater risk because it is unique to the program and may require unique controls.
– The susceptibility of the program and related types of compliance requirements to fraud.
– The subjectivity and complexity involved in meeting the compliance requirement, and the extent of judgment allowed.
– The cause and frequency of any known or detected exceptions related to the operating effectiveness of a control.
– The interaction or relationship of the control with other controls.
– The interaction of the control deficiency with other control deficiencies.
– The possible future consequences of the deficiency
Factors that may affect likelihood and magnitude
• Magnitude– The program amounts or total of
transactions exposed to the deficiency, in relation to the type of compliance requirement.
– The volume of activity related to the compliance requirement exposed to the deficiency in the current period or expected in future periods.
– Adverse publicity or other qualitative factors
Other factors to consider
• Combination of control deficiencies
• Evaluating the effect of compensating controls
• Deviations in the operating effectiveness of controls
• Prudent official test
Examples of typical significant deficiencies
• Policies and procedures that are incomplete, inadequate, or outdated for the activities subject to a type of compliance requirement
• Inadequate segregation of duties over a type of compliance requirement
• Controls over complex types of compliance requirements
• IT controls relating to the activity subject to the type of compliance requirement
Examples of typical material weaknesses
• Lack of operating policies and procedures for the activities subject to a type of compliance requirement
• Ineffective oversight of a major federal program by those charged with governance for compliance with those program requirements the activity subject to the type of compliance requirement, e.g., lack of adequate review of federal financial reports prior to submission to the grantor
• Identification by the auditor of material noncompliance for the period under audit that was not initially identified by the entity’s internal control. (This is a strong indicator of a material weakness even if management subsequently corrects the noncompliance.)
Examples of typical material weaknesses, cont.
• An ineffective internal audit function or risk assessment function for a major program for which such functions are important to the monitoring or risk assessment component of internal control for a type of compliance requirement
• Identification of fraud in the program of any magnitude on the part of senior program management. For the purposes of evaluating and communicating deficiencies in internal control, the auditor should evaluate fraud of any magnitude—including fraud resulting in immaterial noncompliance—on the part of senior program management, of which he or she is aware
• Failure by management or those charged with governance to assess the effect of a significant deficiency previously communicated to them and either correct it or conclude that it will not be corrected
• An ineffective control environment. Control deficiencies in various other components of internal control could lead the auditor to conclude that a significant deficiency or material weakness exists in the control environment over compliance with major program requirements
Initiatives to improve audit quality
• Better and more effective training courses to be offered
• AICPA audit quality center task forces
• More clear and understandable language from the standard-setters
• Making a commitment
Questions???
Related Documents
