Uniform Guidance. Diane E. Edelstein, CPA. Sources

Transcription

1 Uniform Guidance August 29, 2016 Central KY Chapter of AGA Diane E. Edelstein, CPA Diane is a partner at Maher Duessel, a regional firm in Pennsylvania. Diane has over 25 years of experience with auditing of Not-for-Profit organizations, Governments and Single Audits. She speaks throughout the country on the topic of Single Audit and is a member of the Steering Committee for the AICPA Not-for-Profit Conference and a prior member of the AICPA Governmental Audit Quality Center, Executive Committee. Diane served on the PICPA Peer Review Committee and now serves on the PICPA Professional Ethics Committee Member of the AICPA and the PICPA Sources AICPA GAQC Web events Uniform Guidance Uniform Guidance: Frequently Asked Questions AICPA Audit Guide: Government Auditing Standards and Single Audit Yellow Book 3 1

2 Single Audit Fundamentals Part 1: What is a Single Audit? A Basic Background & Overview A Little History Single Audit Act of 1984 A-128 (1984) A-133 (1990) Single Audit Act Amendments of 1996 A-133 (2007 revision) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) 5 What Gives the Single Audit its Authority? Single Audit Act Amendments of Enacted to streamline and improve the effectiveness of audits of federal awards and to reduce the audit burden on states, local governments, and not-for-profit entities - Detailed implementation requirements for single audits contained in regulation Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) - Current regulation that implements Single Audit Act - Replaces previous single audit and compliance regulations such as OMB Circular A-133, Audits of State, Local Governments, and Non-Profit Organizations, and other OMB Cost Circulars 6 2

3 Scope of the Single Audit 7 When is a Single Audit Required? When a non-federal entity expends federal awards (either direct or indirect awards) in excess of $750,000 in their fiscal year - What is a non-federal entity? See next slide - What qualifies as a Federal Award? Discussed later in this presentation - What is the basis for determining when federal awards are expended? Discussed later in this presentation 8 Non-Federal Entity A non-federal entity includes all of the following that carry out a Federal award as a recipient or subrecipient: - States - Local governments - Indian tribes - Institutions of higher education (IHE) - Not-for-profit organization 9 3

4 Objectives of a Single Audit To determine if the entity has complied with direct and material compliance requirements of each major program Single audits: - Are used as a report card by federal funding agencies and pass-through entities - Are used as a tool for federal agencies to address problems at grantee level or to make broad changes/improvements to federal programs - Provide assurance to users regarding compliance and internal control over compliance 10 Scope of the Single Audit Conducted in accordance with both AICPA Auditing Standards (GAAS) and Government Auditing Standards (GAGAS or Yellow Book) Covers entire operations of the entity Opinion on whether financial statements are presented fairly Auditor gains understanding and testing of internal control Auditor opines on compliance with federal statutes, regulations, and the terms and conditions of federal awards that may have a direct and material effect on each of its major programs Follow-up on prior audit findings 11 Defining the Entity to be Audited Single audit must cover the entire operations of the auditee The auditee has the option to meet the single audit requirement through a series of audits - Series would cover departments, agencies, and other organizational units that expended or otherwise administered federal awards during the audit period, - Only permitted if each audit encompasses the financial statements and the schedule of expenditures of federal awards (SEFA) for each unit which must be considered to be a nonfederal entity - The financial statements and SEFA must be for the same audit period. 12 4

5 Scope of the Single Audit Single audit is meant to be in lieu of any financial audit of federal awards that an entity is required to undergo under any other federal statutes, regulations, and terms and conditions of federal awards However, federal agencies may conduct or arrange for additional audits to carry out their responsibilities under federal statutes, regulations, and terms and conditions of federal awards. 13 What is a Program-Specific Audit? Audit of an entity s compliance with direct and material compliance requirements as they relate to an individual federal program - Rather than a single audit, which includes an audit of an entity s financial statements and federal programs Allowed under the Single Audit Act and the UG in certain circumstance - Auditee expends federal awards under only one federal program (excluding research and development); and - The federal program s laws, regulations, or grant agreements do not require a financial statement audit of the auditee Audit requirements defined in the UG 14 Relationship of Yellow Book to Single Audit single audits involve three layers of requirements Uniform Guidance Audit Requirements (Subpart F) Yellow Book Requirements GAAS Requirements 15 5

6 What Additional Requirements Kick In When Applying the Yellow Book? CPE requirements for the entire engagement team Reporting on internal control over financial reporting and compliance at financial statement level Additional independence considerations, including around the performance of nonaudit services Peer review report provided to contracting parties and posted publicly for all to access 16 Uniform Guidance - UG Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards 17 Eliminating Duplicative and Conflicting Guidance Currently: Guidance for Federal Awards A 110 A 87 A 133 A 10 2 A 21 A 89 A 122 A 50 spread over these eight circulars New Uniform Guidance: All OMB guidance related to federal awards streamlined in Title 2 of the CFR, Subtitle A, Chapter II, Part

7 Access Information Uniform Guidance How to Access the UG Electronic Code of Federal Regulations (e-cfr) version PDF version of the Federal Register Notice in its entirety How to access the Joint Interim Final Rule PDF version of the Federal Register Notice in its entirety 19 Timeline to Date Uniform Guidance October 2011 Council on Financial Assistance Reform (COFAR) created December 2013 Final UG issued January st COFAR Webcast February st COFAR Frequently Asked Questions (FAQ) issued August nd COFAR FAQs Issued October nd COFAR Webcast November 2014 Minor Update to COFAR FAQs December 2014 Joint Interim Final Rule Issued (including agency implementation and technical corrections) September rd COFAR FAQs Issued 20 Who Are the Key Players? OMB - Responsible for issuance and maintenance of single audit regulation and coordinating with grant-making federal agencies Council on Financial Assistance Reform (COFAR) - Interagency group of Executive Branch officials providing recommendations to OMB on grant policy Grant-Making Agencies Government Accountability Office - Responsible for issuance of Government Auditing Standard (also referred to as GAGAS or the Yellow Book) Federal Audit Clearinghouse (FAC) - Collects/disseminates single audit information on behalf of OMB 21 7

8 Who are the Key Players? Federal Agency Single Audit Coordinators - Position in Inspector General Offices responsible for preventing/detecting fraud, waste, and abuse - Often responsible for desk reviews and quality controls review of single audits and familiar with the audit requirements Single Audit Accountable Official - A policy official of the awarding agency who can be responsible for overseeing agency management s role in audit resolution Federal Agency Key Management Single Audit Liaison - Responsibilities defined in Uniform Guidance, including serving as the agency s management point of contact for the single audit process both within and outside the Federal government 22 But Wait, There is More. Agencies adopt the Uniform Guidance into their own section of 2 CFR Part CFR Part Agency Name Range DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF AGRICULTURE DEPARTMENT OF STATE AGENCY FOR INTERNATIONAL DEVELOPMENT DEPARTMENT OF VETERANS AFFAIRS DEPARTMENT OF ENERGY DEPARTMENT OF TREASURY DEPARTMENT OF DEFENSE DEPARTMENT OF TRANSPORTATION DEPARTMENT OF COMMERCE DEPARTMENT OF THE INTERIOR ENVIRONMENTAL PROTECTION AGENCY NATIONAL AERONAUTICS AND SPACE ADMINISTRATION UNITED STATES NUCLEAR REGULATORY COMMISSION CORPORATION FOR NATIONAL AND COMMUNITY SERVICE SOCIAL SECURITY ADMINISTRATION DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT NATIONAL SCIENCE FOUNDATION NATIONAL ARCHIVES AND RECORDS ADMINISTRATION SMALL BUSINESS ADMINISTRATION DEPARTMENT OF JUSTICE DEPARTMENT OF LABOR DEPARTMENT OF HOMELAND SECURITY INSTITUTE OF MUSEUM AND LIBRARY SERVICES NATIONAL ENDOWMENT FOR THE ARTS NATIONAL ENDOWMENT FOR THE HUMANITIES DEPARTMENT OF EDUCATION EXPORT-IMPORT BANK OF THE UNITED STATES OFFICE OF NATIONAL DRUG CONTROL POLICY, EXECUTIVE OFFICE OF THE PRESIDENT PEACE CORPS ELECTION ASSISTANCE COMMISSION ) GULF COAST ECOSYSTEM RESTORATION COUNCIL 23 Beware of Agency Implementation Differences Federal Agency Federal Register Notice Date Agriculture 2/16/16 Archives 8/25/2015 Commerce 7/28/2015 Corporation for National 11/17/2015 and Community Service Department of Transportation 12/17/2015 Education 11/2/2015 Energy 9/24/2015 Environmental 10/9/2015 Protection Agency Health and Human Services Homeland Security (FEMA) 1/20/16 10/2/2015 Federal Agency Housing and Urban Development Institute of Museum and Library Services National Aeronautics and Space Administration Federal Register Notice Date 12/7/2015 9/21/2015 9/11/2015 National Endowment for 9/16/2015 Humanities National Science Foundation 11/27/2015 Office of National Drug 9/23/2015 Control Policy State 6/2/2015 Social Security 11/10/2015 Administration Veteran s Affairs 12/1/

9 Accessing Key Single Audit-Related Information Access COFAR guidance including Frequently Asked Questions (FAQ), archived webcasts, and other information - Visit for all resources COFAR FAQ document updated as of September 2015 COFAR Mailing List Link: Register and receive future announcements, information on upcoming Webcasts, and other COFAR resources 25 Effective Dates Uniform Guidance Federal agencies must implement policies and procedures by promulgating regulations to be effective December 26, 2014 Accomplished with issuance of recent Joint Interim Final Rule Non-federal entities will need to implement the new administrative requirements and cost principles for all new federal awards made after December 26, 2014, and to additional funding to existing awards (referred to as funding increments) made after that date Non-federal entities wishing to implement entity-wide system changes to comply with the guidance after December 26, 2014, will not be penalized for doing so Audit requirements effective for fiscal years beginning on or after December 26, 2014 Not permitted to early implement any of the audit provisions 26 Effective Date and Funding Increments (COFAR FAQ and 14) UG applies to funding increments to existing awards in cases where the federal agency considers the funding increments to be an opportunity to modify the terms and conditions of the award. Existing federal awards that do not receive incremental funding with new terms and conditions will continue to be governed by the terms and conditions of the federal award. 27 9

10 Effective Date What About Pass- Through Awards? (COFAR FAQ ) Subrecipients and subawards The effective date of the UG for subawards is the same as the effective date of the federal award from which the subaward is made The requirements for a subaward, no matter when made, flow from the requirements of the original federal award from the federal awarding agency 28 Working Through the Transition Effective date to be challenging for compliance testing Likely to take several years for old funding to run out Challenges related to funds received by subrecipients from pass-through entities (PTE) 2016 Compliance Supplement will be key Federal agency implementation actions in the Joint Interim Final Rule need to be understood Compliance Supplement 2016 Compliance Supplement will be used for audits performed under the Uniform Guidance Federal workgroups working to develop new and updated guidance There are two, Part 3 sections in 2016 One for testing awards subject to UG administrative and cost principle requirements One for testing awards subject to old rules Transitional information will be included Note if still finishing 2015 year end use 2015 CS 30 10

11 2016 Compliance Supplement Part 6 - Internal Control - Back with limited information 31 Single Audit Uniform Guidance Study of Single Audit Quality Uniform Guidance requirement for a federal study of quality once every six years beginning in 2018 Statistically reliable estimate of the extent that single audits conform to applicable requirements, standards, and procedures Recommendations required to address noted issues Results of reviews must be made public 2018 timing This study should be something auditors focus on now! 32 Joint Interim Final Rule Incorporates the implementing regulations of all the federal awarding agencies Some agencies making revisions to UG (e.g., DoD) Also includes technical corrections Some shoulds changed to must Effective on December 26, 2014, although comments were accepted until February 17, 2015 Very dense; need to read carefully 33 11

12 Effective Date Refresher Example Assumes June 30, 2016, Year-End Scenario #1 - Auditee expended funds from three new direct federal awards awarded in early December Effective Date Refresher Answer Key Scenario #1 All testing done using old requirements (cost principles and admin requirements) Audit requirements follow Subpart F Uniform Guidance 35 Effective Date Refresher Example Assumes June 30, 2016, Year-End Scenario #2 - Auditee expended funds from two new direct federal awards one awarded in July 2014 and one awarded in October Auditee also expended funds from a new federal award awarded in September

13 Effective Date Refresher Answer Key Scenario #2 Testing done using the old and the new requirements - Testing for federal award expenditures from the new July 2014 and October 2014 awards done using the old requirements - Testing for federal award expenditures from the new September 2015 federal award is done using the new requirements 37 Effective Date Refresher Example Assumes December 31, 2015, Year-End Scenario #3 - Auditee expended funds from three pass-through awards from XYZ state one subawarded in July 2014, one subawarded in October 2014, and one subawarded in March Effective Date Refresher Answer Key Scenario #3 Need to know more about the origination of the funds of March 2015 from the PTE to answer the question 39 13

14 Uniform Guidance for Federal Awards Contents Subpart A - Acronyms and Definitions Subpart B - General Provisions Subpart C - Pre-Federal Award Requirements and Contents of Federal Award Subpart D Post-Federal Award Requirements Subpart E - Cost Principles Subpart F - Audit Requirements Appendix I - Notice of Funding Opportunity Appendix II - Contract provisions for non-federal entity contracts under Federal awards Appendix III - Indirect (F&A) costs identification and assignment, and rate determination for Institutions of Higher Education (IHEs) 40 Uniform Guidance for Federal Awards Contents Appendix IV - Indirect (F&A) costs identification and assignment, and rate determination for nonprofit organizations Appendix V - State/local government and Indian tribe-wide central service cost allocation plans Appendix VI - Public assistance cost allocation plans Appendix VII - State and local government and Indian tribe indirect cost proposals Appendix VIII - Nonprofit organizations exempt from Cost Principles Appendix IX - Hospital Cost Principles Appendix X - Data Collection Form Appendix XI - Compliance Supplement 41 Acronyms & Definitions Subpart A 42 14

15 Sec. 200.XX, Acronyms & Definitions 200.0, Acronyms through , Definitions 99 separate sections and indexes Applicable to all requirements (administrative, cost and audit) and all types of grantees Use of should and must Should = best practices or recommended approach Must = required 43 Key Terminology Changes , Contractor - This term is defined here and will be used instead of "vendor" going forward Guidance on subrecipient versus contractor determination relocated to administrative requirements section in Subpart D Criteria for determination basically unchanged 44 Key Terminology/Definitions , Personally Identifiable Information (PII) and , Protected Personally Identifiable Information (PPII) These terms, which were not previously defined in grant guidance, are now defined. These definitions will be important to auditors and auditees as single audit reporting packages submitted under the new guidance will be publically available (with exceptions for Indian tribes) and the Guidance states that auditors and auditees must ensure that no protected personally identifiable information is included in their respective parts of the reporting package , Program Income A definition of program income, which was not previously defined in Circular A-133, is now defined

16 General Provisions Subpart B 46 Sec XX, General General Provisions (Sections through ) Discusses the purpose, applicability, exceptions, and effective date of the Uniform Grant Guidance Chart is included in section , Applicability, which indicates which Subparts are applicable to different types of awards o This section also clarifies that the terms and conditions of federal awards flow down to subrecipients unless the Uniform Grant Guidance or the terms and conditions of a federal award specifically indicate otherwise o Auditors and auditees should pay close attention to section as exceptions to the Uniform Grant Guidance are only identified there and not elsewhere in the Guidance 47 Sec XX, General , Conflict of interest NEW! Federal agencies must establish Conflict of Interest (COI) policies Grantees must disclose in writing any potential COI , Mandatory disclosures Grantees and applicants must disclose all violations of federal criminal law potentially affecting the federal award (e.g., fraud, bribery, or gratuity violations) 48 16

17 Pre-Federal Award Requirements and Contents of Federal Awards Subpart C 49 Subpart C Pre-Award Covers administrative requirements directed primarily at federal agencies including pre-award activities and requirements for the contents of federal awards. 50 Post-Federal Award Requirements Subpart D 51 17

18 Part 200 Contents of Uniform Guidance for Federal Awards Subpart D Post-Federal Award Requirements Financial management Internal controls Bonds Payment Cost sharing and matching Program income Revision of budget and program plans Property standards Procurement standards Performance and financial monitoring and reporting Sub recipient monitoring and management Record retention and access Remedies for noncompliance Closeout 52 Financial Management System Must include: Identification, in its accounts, of all federal awards received and expended and the federal programs under which they were received. Information should include: Catalog of Federal Domestic Assistance (CFDA) number and title Federal award identification number and year Federal awarding agency Pass-through entity (PTE), if applicable Accurate, current, and complete disclosure of the financial results of each federal award or program 53 Financial Management System Must Include: Records that identify the source and application of funds for federally-funded activities Effective control over, and accountability for all funds, property, and other assets Comparison of expenditures with budget amounts for each federal award Written procedures to implement the requirements cash management Written procedures for determining the allowability of costs in accordance with Cost Principles 54 18

19 Internal Control Focus on controls - Internal Control Clarification From COFAR FAQ III Internal controls. The non-federal entity must: Establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should be in compliance with guidance in Standards for Internal Control in the Federal Government [Green Book] issued by the Comptroller General of the United States and the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). OMB has stated that the should is meant to be a best practice and not a presumptively mandatory requirement 55 Payment (Cash Management) Payment method must minimize the time elapsing between the transfer of funds from the US Treasury or PTE and the disbursements by the non-federal entity regardless of how funds are being transferred Payment must be in advance when the non-federal entity: Has written procedures to implement the requirements of cash management, and Has a compliant financial management system If the above requirements are not met, reimbursement method is used If reimbursement method cannot be used because non-federal entity lacks sufficient working capital, working capital may be provided 56 Procurement States will follow the same policies and procedures they use for procurements from non-federal funds (i.e., state procurement statutes). Other non-federal entities will follow the five procurement methods outlined in the Guidance including small purchase procedures which are subject to the Simplified Acquisition Threshold, micro-purchases, sealed bids, competitive proposals, and noncompetitive proposals. In general, the new procurement standards adopt the majority of the language used from Circular 102. Therefore, non-federal entities that are currently subject to Circular A-110 will likely be affected more significantly. All auditees should review these changes carefully to determine the impact on their procurement procedures, in particular those relating to procurement card programs

20 Important COFAR FAQ on Effective Date and Grace Period for Procurement FAQ states, for compliance with the new procurement standards only, the federal government is providing a grace period of two * full fiscal year after the effective date of the Uniform Guidance for Federal Awards. The FAQ goes on to provide information on certain documentation that the non-federal entity will have to provide in this regard and how it will affect the single audit in its first year. * Sept 2015 FAQ changed to 2 years, was 1 year 58 Procurement Claw (Sections ) 1. Micro- Purchases 2. Small Purchases 3. Sealed Bids 4. Competitive Proposals 5. Sole Source General Standards: A. Documented Policies B. Necessary C. Full & Open Competition D. Conflict of Interest E. Documentation i. Cost & Price Analysis ii. Vendor Selection 59 Procurement Micro Purchases $3,000 (NOW $3,500) Aggregate - $2,000 if it is for Construction and subject to Davis-Bacon Act There does not need to be quotations Equitable distribution among qualified vendors Small Purchases Simple and informal procurement methods Not more than the simplified acquisition threshold - currently $150,000 Price and rate quotations must be obtained from adequate number of qualified sources Sealed Bids Above simplified threshold greater than $150,000 Preferred for construction projects Must be publicly advertised 60 20

21 Procurement Competitive Proposals Above simplified threshold currently $150,000 More than one source for proposal Usually used for fixed fee or cost reimbursement A written method of evaluation and selection Award must go to most advantageous proposal Sole Source Must meet at least one of the criteria: o Single source availability o Public emergency o Written request has been made and approved by federal or PTE o Competition is determined to be inadequate 61 Monitoring and Reporting Non-federal entity is responsible for monitoring programs for compliance and performance expectations. Federal entity must use OMB-approved data elements. Non-federal entity must submit reports as often as required but no less frequently than annually and no more frequently than quarterly Exceptions unusual circumstances Annual reports due 90 calendar days after reporting period Quarterly reports due 30 days after reporting period Performance reports must contain: Comparison of accomplishments to objectives The reason goals were not met Other information that is appropriate 62 Monitoring and Reporting Construction performance reports Only when necessary above inspections and certification of percentage of completion. Significant developments Must notify as soon as condition is known o Problems, delays, adverse conditions materially impacting performance and objectives o Favorable developments Federal agency may waive any part of reporting if not needed

22 Subrecipient Responsibilities Non-federal entities must comply with requirements in Uniform Guidance for Federal Awards regardless of whether the non-federal entity is a recipient or subrecipient of a federal award. Uniform Guidance for Federal Awards is explicit on requirements for PTEs, but subrecipient responsibilities are scattered throughout the guidance and are not generally called out separately as a subrecipient requirement (i.e., refers instead to non-federal entity requirements) 64 Subrecipient Monitoring and Management Subrecipient versus contractor determination expanded and relocated to administrative requirements in sec Criteria for determination basically unchanged NEW requirements for Pass-Through Entities (PTEs) with regard to monitoring activities Much more detailed than guidance contained in Compliance Supplement Includes a required risk assessment of subrecipients New subaward requirements 65 Subrecipient / Contractor Determination 66 22

23 Subrecipient / Contractor Determination A non-federal entity may concurrently receive federal awards as a: Recipient Subrecipient Contractor PTE must make case-by-case determination whether each agreement it makes for the disbursement of federal program funds casts the party receiving the funds in the role of a: Subrecipient, or Contractor 67 Requirements for PTEs Section Ensure that every subaward is clearly identified to the subrecipient as a subaward Provide certain subaward information at the time of the subaward and if any of these data elements change, include the changes in subsequent subaward modification Evaluate each subrecipient s risk of noncompliance with Federal statutes, regulations, and the terms and conditions of the subaward for purposes of determining the appropriate subrecipient monitoring, based on provided criteria Subrecipient Monitoring Ensure that every subaward is clearly identified to the subrecipient as a subaward and includes the following information at the time of the subaward: - Subrecipient name - Subrecipient DUNS number - Federal Award ID number - Federal Award date - Subaward period of performance start and end date - Amount of Federal funds obligated by this action - Total amount of Federal funds obligated to the subrecipient - Total amount of the Federal award - Federal award project description - Name of Federal awarding agency, pass-through entity and contact information for awarding official - CFDA # and name - Whether award is R&D - Indirect cost rate 69 23

24 Subrecipient Monitoring Evaluate the subrecipient s risk of noncompliance, considering: - Subrecipient s prior experience - Results of previous audits - If subrecipient has new personnel/systems - Results of Federal awarding agency monitoring 70 Requirements for PTEs Section Consider imposing specific subaward conditions upon a subrecipient, if appropriate Based on risk or prior history of failure to comply Example conditions that may be added in section Monitor activities of the subrecipient Other potential PTE monitoring tools depending on risk Consider whether the results of subrecipient audits, on-site reviews, or other monitoring activity indicate conditions that necessitate adjustment to the PTEs own records Consider taking enforcement action against noncompliant subrecipients as described in section Required Subrecipient Monitoring Activities Section (d) Review financial and programmatic reports Follow-up and ensure that the subrecipient takes timely and appropriate action on all deficiencies pertaining to the federal award through audits, on-site reviews, and other means Issue management decisions for audit findings pertaining to the federal award provided to the subrecipient 72 24

25 Closeout The federal awarding agency or PTE should complete all closeout actions for federal awards no later than one year after receipt and acceptance of all required final reports. 73 Cost Principles Subpart E 74 Cost Principles Subpart E Section 200.4XX, OMB Cost Principles Consolidated Cost Principles into single document: OMB Circular A-21 Educational Institutions OMB Circular A-87 - State, Local, and Indian Tribal Governments OMB Circular A-122 Nonprofit Organizations Health and Human Services at 45 CFR Part 74 Appendix E - Hospitals were not incorporated into the new OMB is conducting further review of the cost principles for hospitals and will make a future determination about the extent to which they should be added to this guidance 75 25

26 Part 200 Uniform Guidance for Federal Awards Subpart E - Cost Principles General provisions Basic considerations Collection of unallowable costs Adjustment of previously negotiated ICR containing unallowable costs Direct and indirect costs Special considerations for states, local governments, and Indian Tribes Special considerations for institutions of higher education General provisions for selected items of costs 76 Cost Principles Allocable Costs Direct cost allocation principles Cost benefits two or more projects in proportions that can be determined Should be allocated based on the proportional benefit May be allocated on any reasonable basis 77 Cost Principles Direct Costs Direct costs Identified specifically with final objective Salaries of administrative and clerical staff should normally be treated as indirect (F&A) costs Costs are not also recovered as indirect costs Any direct cost of minor amount may be treated as an indirect cost 78 26

27 Cost Principles Indirect Costs Indirect costs Requirements for development and submission of indirect (F&A) cost rate proposals and cost allocation plans are contained in Appendices III-VII 79 Cost Principles Indirect Costs Federal agencies and pass-through entities will have to accept a non-federal entity s negotiated indirect cost rate Unless a statute or regulation allows for an exception Non-federal entities will have a one-time option to extend rate for up to four years For non-federal entities who have never received a negotiated rate, de minimis rate of 10% of modified total direct costs may be used indefinitely 80 General Provisions for Selected Items of Costs with Little or No Change 421 Advertising and public relations 423 Alcoholic beverages 424 Alumni(ae) activities 425 Audit services 426 Bad debts 429 Commencement and convocation costs 445 Goods and services for personal use 450 Lobbying 455 Organization costs 457 Plant and homeland security costs 458 Pre-award costs 459 Professional service costs 467 Selling and marketing costs 469 Student activity costs 81 27

28 Selected Items of Costs with Changes 427 Bonding costs 430 Compensation personal services 431 Compensation fringe benefits 433 Contingency provisions 434 Contributions and donations 436 Depreciation 437 Employee morale, health and welfare costs 439 Equipment and other capital expenditures 441 Fines, penalties, damages and other settlements 447 Insurance and indemnification 449 Interest 453 Materials and supplies costs, including costs of computing devices 454 Memberships, subscriptions, and professional activity costs 82 Selected Items of Costs with Changes Continued 460 Proposal costs 461 Publication and printing costs 462 Rearrangement and reconversion costs 463 Recruiting costs 464 Relocation of employees 465 Rental costs of real property and equipment 468 Specialized service facilities 470 Taxes (including Value Added Taxes) 471 Termination costs 472 Training and education 474 Travel 83 Sec , Compensation Personal Services New Language! Purpose was to reduce the administrative burden of documenting time and effort More principles based (e.g., removed A-21 examples) Less prescriptive on documentation and places more emphasis on internal controls over personnel-related costs 84 28

29 Cost Principles Compensation Personal Services New standards for documentation Charges must be based on records that accurately reflect the work performed Must be supported by a system of internal controls which provides reasonable assurance that amounts are accurate, allowable, and properly allocated Be incorporated into official records Reasonably reflect total activity for which employee is compensated 85 Cost Principles Compensation Personal Services Time and distribution records must be maintained for all employees whose salary is: Paid in whole or in part with federal funds Used to meet a match/cost share requirement Not based on budget estimates alone needs to be ACTUAL Full disclosure All time worked for the organization and what percentage is federal 86 Depreciation ( ) Use allowance no longer allowed No depreciation on assets that are fully depreciated New: depreciation over life of the asset 87 29

30 Equipment and Other Capital Expenditures ( ) Computing devices do not meet the threshold requirement so are considered supplies - Tablets - Laptops - Smart phones Lesser of $5,000 or entity capitalization threshold Revisit policy if below this amount 88 Required Certifications Subpart E ( ) Similar in A-87 but not A-21 or A-122 Certification on annual and final fiscal reports or vouchers requesting payment - Assurance that expenditures are proper and in accordance with the terms and conditions of the federal award and approved budget Required on EVERY voucher requesting payment? Does this apply to drawdowns also? 89 Required Certifications Subpart E ( ) Continued Signed by an official who is authorized to legally bind the entity - Who will be designated at the organization? - CFO? CEO? - Organizations should start thinking about this Subject to criminal, civil, or administrative penalties for fraud, false statements, or false claims 90 30

31 Sec XX OMB Cost Principles To learn more about numerous other Cost Principles changes, refer to a useful tool that OMB issued titled, Uniform Guidance Cost Principles Text Comparison. This tool shows, in a side-by-side comparison, how the wording from OMB Circulars A-21, A-87, and A-122, compare to the new Guidance 91 Audit Requirements Subpart F 92 Audit Threshold Increases audit threshold from $500,000 to $750,000 Maintains oversight over 99.7% of the dollars currently subject to Single Audits and reduces audit burden for approximately 5,000 entities 93 31

32 Impact of Threshold 2010 FAC Total # of Audits 6,115 14% 2010 FAC Total Dollars 0.3% <$750k >$750k <$750k >$750k 38,704 86% 99.7% 94 Single Audits by Agency Agency As Cognizant As Oversight > $750 < $750 Education 508 8,936 1,601 HUD ,383 1,588 HHS 239 6,368 1,028 Transportation 69 1, Labor Agriculture 9 2, Energy Homeland Security NSF Key Planning Considerations - Be Aware of Unexpected Consequences The UG may have the following impact on audits for 12/31/15, and later: Limited auditor judgment on inherent risk for Type A programs May have to test more Type B programs Audit testing may increase Auditing programs not audited before could lead to additional findings 96 32

33 High-Risk Type A Program Current A-133 criteria: Not audited as major program in 1 of 2 most recent audit periods In most recent period had any Audit Finding: o Provided for auditor judgment in limited cases, e.g., very small questioned costs Auditor considered risk related to: o Federal or pass-through entity (PTE) oversight o Inherent risk o Results of audit follow-up o Changes in personnel or systems Uniform Grant Guidance: SAME two year look-back In most recent period had a High Risk Audit Finding identified as: o Modified opinion o Material weakness in internal control o Known or likely questioned costs exceeding 5% of total program expenditures Auditor only considers risk related to: o Federal or PTE oversight o Results of audit follow-up o Changes in personnel or systems Key An entity with strong internal controls and few audit findings will have less high-risk Type A programs. 97 Percentage of Coverage Rule Percentage of Coverage Rule Type of Auditee Current New Not low risk 50% 40% Low risk 25% 20% 98 Low-Risk Auditee Current A-133 criteria (2 prior years) Annual single audits Unmodified opinion on financial statements in accordance with GAAP Unmodified SEFA in-relation-to opinion No GAGAS material weaknesses In either of preceding two years, none of Type A programs had: Material Weakness Material Noncompliance QC that exceed 5% Timely filing with FAC Auditor reporting of going concern would not preclude low-risk Waivers Uniform Grant Guidance (2 prior years) Annual single audits Unmodified opinion on financial statements in accordance with GAAP or basis of accounting required by state law Unmodified SEFA in-relation-to opinion No GAGAS material weaknesses In either of preceding two years, none of Type A programs had: Material Weakness Material Noncompliance QC that exceed 5% Timely filing with FAC No auditor reporting of going concern No waivers 99 33

34 Single Audit Reports on the Web All auditees must submit the reporting package and the DCF electronically to the FAC FAC submission process will be changed to require textbased PDF and unlocked, unencrypted FAC responsible to make the reports publically available on a website Exception for Indian Tribes Auditors and auditees must ensure reports do not include PPII Auditee will have to sign certification statement (to be revised on DCF) that reporting package does not include PPII 100 FAC Repository of Record for Reporting Packages Federal agencies and pass-through entities will obtain copies by accessing FAC web site Subrecipient only required to submit report to FAC and no longer required to submit to pass-through entity Pass-through entity no longer required to retain copy of subrecipient report as will be on the web 101 SEFA Considerations ( (b)) Auditee Responsibility Provide cluster of programs total Total amount provided to subrecipients from each federal program For loans and loan guarantees, identify in the notes to the SEFA loan balances outstanding at the end of the audit period Include in the notes to the SEFA whether or not non-federal entity elected to use the 10% de minimis cost rate

35 Schedule of Expenditures of Federal Awards Section (b)(4) Total amount provided to subrecipients from each federal program: Previous guidance only required to the extent practical Federal Grantor/Pass Through Grantor/Program Title Federal CFDA Number Pass Through Entity Identifying Number Federal Expenditures Expenditures to Subrecipients Department of Education Direct Program Title I Grants to Local Educational Agencies N/A $1,000,000 $800, Sec Audit Findings Increases the threshold for reporting known and likely questioned costs from $10,000 to $25,000 Requires that questioned costs be identified by CFDA number and applicable award number Requires identification of whether audit finding is a repeat from the immediately prior audit and if so the prior year audit finding number Provides that audit finding numbers be in the format prescribed by the data collection form (i.e., , , etc.) Should indicate whether sampling was a statistically valid sample 104 Corrective Action Plan (CAP) Auditee Responsibility CAP to be separate document from auditor s findings Include reference numbers the auditor assigns to findings CAP and Summary of Prior Audit Findings must include findings relating to the financial statements which are required to be reported in accordance with Government Auditing Standards (Yellow Book report findings)

36 106 COFAR FAQs Procurement delay Procurement standards for indirect cost areas Should vs must Subrecipient monitoring Fixed amount subawards and profit AICPA Audit Guide New Title: AICPA Audit Guide, Government Auditing Standards and Single Audits Significant changes this year - Maintaining old and new single audit guidance through transition period - All single audit chapters (5-14) addressing Circular A-133 audits being updated and maintained. - Numerous new chapters (15-24) being added addressing the Uniform Guidance in new Part III - Transition guidance being added to each chapter as well

37 2016 AICPA Audit Guide AICPA Audit Guide, Government Auditing Standards and Single Audits Significant changes this year - Back to two parts 109 AICPA GAS-SA Guide Considered an interpretive publication - Pursuant to AU-C section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards Interpretive publications are recommendations on the application of GAAS AU-C section 200 requires auditors to consider applicable interpretive publications in planning and performing the audit If the auditor does not apply the auditing guidance in an applicable interpretive publication, should document how the requirements of GAAS were complied with 110 Tips for Entities Implementing the New Uniform Guidance for Federal Awards Ensure an Appropriate Understanding of Effective Dates Obtain an Understanding of the New Requirements. There is no getting around reading the new requirements! Developing a Plan to Become Compliant. To include identification of needed policy and procedure changes; internal controls that might need to be established or modified; action items that will be needed to implement needed changes; who within the entity is responsible for each action item; and timing

38 Tips for Entities Implementing the New Uniform Guidance for Federal Awards Update your Engagement Letters Will have wording change to SA opinion PLAN, PLAN, PLAN SALY won t work 112 Auditee and Auditor Responsibilities 113 Auditee and Auditor Responsibilities Auditee Responsibilities UG Arrange for single audit and ensure it is properly performed and submitted timely (see auditor selection on next slide) - Financial statements - Schedule of expenditures of federal awards (also referred to as SEFA) - Promptly follow up and take corrective action on audit findings - Summary schedule of prior audit findings - Corrective action plan - Provide the auditor with access to personnel, accounts, books, records, supporting documentation, and other information as needed

39 Auditee and Auditor Responsibilities Auditee Responsibilities - UG Auditor Selection Must follow procurement standards in through Auditee must request a copy of the audit organization s peer review report Restriction on auditor preparing indirect cost proposals 115 Auditee and Auditor Responsibilities Auditee Responsibilities UG Maintain internal control over federal programs - Comply with federal statutes, regulations, and the terms and conditions of the federal awards - Evaluate and monitor compliance with statutes, regulations and the terms and conditions of federal awards - Take prompt action when noncompliance identified - Safeguard protected personally identifiable information (PPII) see later slide 116 Auditee and Auditor Responsibilities Auditor Responsibilities UG Audit the financial statements in accordance with GAAS and GAGAS - Determine whether the financial statements are presented fairly in all material respects in accordance with generally accepted accounting principles. Determine whether the SEFA is stated fairly in all material respects in relation to the auditee s financial statements as a whole. - Understand internal control over federal programs and plan the audit to support low assessed level of control risk of noncompliance for major programs - Determine whether the auditee has complied with Federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs

40 Auditee and Auditor Responsibilities Auditor Responsibilities UG (continued) - Compliance testing must include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient appropriate audit evidence to support an opinion on compliance - Auditor must follow-up on prior audit findings - Report findings in single audit compliance report - Auditor must complete and sign specified sections of the Data Collection Form (DCF) 118 Federal Agency Responsibilities 119 Federal Agency Responsibilities Cognizant Agency for Audit - For non-federal entities expending more than $50 million a year in federal awards - Federal awarding agency that provides the predominant amount of direct funding unless OMB designates a specific cognizant agency for audit - Provide technical audit advice and liaison assistance to auditees and auditors - Obtain or conduct quality control reviews - Provide support for government-wide quality study of single audits (performed every 6 years or at such other interval determined by OMB) - Other duties to advise the community of auditors and specific auditors and coordinate audits or reviews with other federal agencies Oversight Agency for Audit for entities without a cognizant agency ($50 million or less) similar duties as cognizant agency

41 Single Audit Overview 121 Single Audit Timing Requirements Timing of the single audit - Audit done annually - Biennial audits allowed under limited circumstances Must be submitted to the FAC within the earlier of 30 days after receipt of the auditors reports or 9 months after year end of the auditee 122 Schedule of Expenditures of Federal Awards Required Elements ( ) - List individual Federal programs by Federal agency - For a cluster of programs, provide the cluster name, list individual Federal programs within the cluster of programs, and provide the applicable Federal agency name - For R&D, total Federal awards expended must be shown either by Federal award or by Federal agency and major subdivision within the Federal agency - For Federal awards received as a subrecipient, the name of the PTE and identifying number assigned by the PTE - Total Federal awards expended for each individual Federal program and the CFDA number or other identifying number when CFDA not available - For a cluster of programs also provide the total for the cluster - Include the total amount provided to subrecipients from each Federal program

42 Schedule of Expenditures of Federal Awards Required Disclosures ( ) - For loan or loan guarantee programs, identify in the notes to the SEFA the balances outstanding at the end of the audit period - Notes that describe the significant accounting policies used in the preparing the SEFA * - Note whether the auditee elected to use the 10% de minimis cost rate *The Uniform Guidance does not specify a basis of accounting to be used. 124 Schedule of Expenditures of Federal Awards Prepared by management Reconciles to accounting and other records used in preparing the financial statements or the financial statements themselves Auditor uses to base the performance of risk assessments and selection of major programs Completeness and accuracy critical to avoid missed programs Auditor issues an opinion as to whether the SEFA is fairly stated in all material respects in relation to the financial statements as a whole (referred to as in-relation-to opinion) - In-relation-to opinion not same as an audit opinion Auditor is responsible for determining whether auditee includes all required SEFA elements

43 127 Risk Assessment and Major Program Determination Major programs are programs auditor will audit In general, major programs are those that are large, risky, and/or new (Part 2 of series will go into detail) Determination process defined in the Uniform Guidance which is a prescription for assessing the size and risk of programs Process is complex, involving some judgment, that historically has resulted in audit quality problems Must be done accurately and early in the process; and reviewed again before the end Must clearly document program risk assessment 128 Materiality in a Single Audit Financial statement materiality vs. single audit materiality - Financial statement materiality relates to the financial statements being audited - Single audit materiality is determined for each individual major program and generally lower than financial statement materiality Materiality for reporting audit findings - Relates to each compliance requirement for each major program Single audit materiality factors - Nature of the compliance requirements - Nature and frequency of noncompliance identified - Needs and expectations of federal agencies and pass-through entities

44 Single Audit End Result Contents of the Single Audit Submission - Auditor s report on the financial statements of the entity - Auditor s in-relation-to reporting on the SEFA - Entity s financial statements - Entity s SEFA - Auditor s report(s) on internal control over financial reporting and on compliance and other matters to meet GAGAS requirements 130 Single Audit End Result Contents of Single Audit Submission - Auditor s report on compliance and internal control over compliance major programs - Auditor s schedule of findings and questioned costs Includes summary of auditor results and findings - Entity s summary schedule of prior audit findings - Entity s corrective action plan All items above and on previous slide are referred to as reporting package Reporting package and a form summarizing the audit (Data Collection Form see next slide) are submitted electronically to the FAC 131 Single Audit End Result Data Collection Form Joint responsibility of auditee and auditor Completed electronically on FAC Web site Summary of the single audit reporting including audit opinions and other findings Includes contact information for auditee and auditor Includes SEFA information, references to findings, and relevant compliance requirements Electronic signature of both auditee and auditor

45 Description and Characteristics of Federal Awards 133 Federal Awards Definition (UG ) Federal financial assistance that non-federal entities receive directly from federal awarding agencies or indirectly from pass-through entities (PTE) Federal cost-reimbursement contracts under the Federal Acquisition Regulations (FAR) that a non-federal entity receives directly from a federal awarding agency or indirectly from a PTE - Terms and conditions set forth in grant agreement, cooperative agreement, other agreement, or cost-reimbursement contracts - Does not include procurements under grants or contracts, used to buy goods or services 134 Examples of Federal Awards Grants Contracts Cooperative Agreements Loans Loan Guarantees Property Interest Subsidies Insurance Direct Appropriations Endowments Other Non-Cash Assistance Indirect State or Local Government Transfers of Federal Funds

46 When Does Federal Expenditure Occur? Based on when the activity related to the award occurs: - Expenditure/expense transactions related to grants/contracts - Other examples: disbursement of funds passed through to subrecipients; use of loan proceeds under loan and loan guarantee programs; receipt of property; receipt or use of program income; distribution or consumption of food commodities; period when insurance is in force. 136 When Does Federal Expenditure Occur? 137 When Does Federal Expenditure Occur? Federal Awards Endowments Program income Basis for Determining When Expended When federally restricted amounts are held When received or used

47 Definition of Federal Program ( ) All Federal awards which are assigned a single number in the CFDA - CFDA number is the number assigned to a federal program in the CFDA ( ) When no CFDA number is assigned, all federal awards to non-federal entities from the same agency made for the same purpose must be combined and considered one program Notwithstanding paragraphs (a) and (b) of this definition, a cluster of programs (see next slide) 139 Clusters A grouping of closely related programs that share common compliance requirements Clusters are treated as one program for major program determination and testing Clusters include: - Research and Development (R&D) - Student Financial Assistance (SFA) - Other clusters (defined in OMB Compliance Supplement) 140 Clusters Part 5 of the Compliance Supplement identifies each cluster (R&D, SFA, and other clusters and specific, unique requirements for each) R&D is the only cluster where specific CFDA numbers are not identified in Part 5 For R&D, auditors look to the definition of R&D and apply judgment to determine inclusion in the cluster (National Institutes of Health (NIH) and National Science Foundation (NSF) are identified as R&D in Part 4 of the Compliance Supplement)

48 Pass-Through Awards and Subrecipients 142 Pass-through Awards and Subrecipients Many nonfederal entities receiving federal awards pass-through the federal awards to other entities that are considered subrecipients Examples: - State government (PTE) passes federal funds down to local governments (subrecipients) within the state - Local government (PTE) passes federal funds down to not-for-profit organizations (subrecipients) 143 Definitions Relating to Pass-Through Funds Pass-through entity is a nonfederal entity that provides a federal award to a subrecipient to carry out a federal program Subrecipient is a nonfederal entity that receives a subaward from a PTE to carry out part of a federal program - Does not include an individual that is a beneficiary of such program. - A subrecipient may also be a recipient of other Federal awards directly from a Federal awarding agency. Contractor is an entity that receives a contract - A contract is defined in as a legal instrument by which a non-federal entity purchases property or services needed to carry out the project or program under a federal award

49 Applicability of Single Audit to Pass-through Awards and Subrecipients Single audit requirements apply to both PTEs and subrecipients of federal awards Payments received by a contractor for goods or services provided in connection with a federal program are not considered federal awards Fees for services are typically not considered federal awards Determining subrecipient vs. contractor can be tricky and involves some judgment 145 Single Audit Fundamentals Part 2: The Mysteries of Major Program Determination and an Overview of the OMB Compliance Supplement What We Will Cover Considerations Prior to Major Program Determination Applying the Risk-Based Approach for Determining Major Programs under the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) Communications with Cognizant or Oversight Agency

50 Considerations Prior to Major Program Determination 148 Planning Begins with. Satisfying the Uniform Guidance requirements Establishing an understanding with the auditee Additional requirements of the Single Audit Act - documentation (access) - follow-up on prior year findings Financial statement audit considerations 149 Planning Also Involves. Defining the entity to be audited Determining the audit period Timing of audit completion Obtaining schedule of expenditures of federal awards (SEFA)

51 Relevant Guidance Subpart F of the Uniform Guidance OMB Compliance Supplement Issued annually use the APPLICABLE year s supplement AICPA Audit Guide, Government Auditing Standards and Single Audits (GAS-SA Guide) 151 Looking at Low Risk Auditee Criteria Must meet all of the following for each of the two preceding years: - Annual single audits, including timely filing with Federal Audit Clearinghouse (FAC) - Unmodified opinion(s) on financial statements in accordance with generally accepted accounting principles (GAAP) or basis of accounting required by state law - Unmodified in-relation-to opinion on the SEFA - No material weaknesses in internal control over financial reporting 152 Looking at Low Risk Auditee Criteria Must meet all of the following for each of the two preceding years: - No findings in Type A programs in preceding 2 years material weaknesses in internal control over compliance modified opinion on a major program known or likely questioned costs > 5% of expenditures for a Type A program No auditor reporting of going concern

52 Effect of Basis of Accounting on Low- Risk Auditee Determination If state law permits but does not require an auditee to prepare financial statements in accordance with a basis that is not GAAP (e.g., cash, regulatory), auditee cannot be considered low-risk auditee If the non-gaap basis of accounting is required by state law, auditee can be considered low-risk auditee If auditee voluntarily prepares financial statements on a non-gaap basis of accounting (e.g., cash or modified cash), auditee cannot be considered low-risk auditee 154 Applying the Risk-Based Approach for Determining Major Programs (MP) 155 Major Program Determination and Risk Assessment Risk-based approach to MP determination Four-step approach considers: - Current and prior audits - Federal agency oversight - Program risk

53 Major Program Determination and Risk Assessment Four Step Approach Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit 157 Step 1: Identify Type A Programs Identify federal programs - All federal awards to a non-federal entity assigned the same Catalog of Federal Domestic Assistance (CFDA) number - If no CFDA number, all federal awards from the same federal agency made for the same purpose - Clusters - Guidance: 2 CFR Step 1: Identify Type A Programs What is a cluster? - " a grouping of closely related programs that share common compliance requirements." What kinds of clusters are there? - Research and Development (R&D) - Student Financial Assistance (SFA) - Other clusters A cluster of programs must be considered as one program for determining major programs

54 Step 1: Identify Type A Programs What is an "other cluster?" - defined by the OMB in the Compliance Supplement and updated annually - designated as such by a state for federal awards the state provides to its subrecipients that meet the definition of a cluster of programs Part 5 of the Compliance Supplement lists each cluster and specific, unique requirements for each R&D is the only cluster where specific CFDA numbers are not identified in Part 5 For R&D, auditors look to the definition of R&D and apply judgment to determine inclusion in the cluster - Note that NIH and NSF are identified as R&D in Appendix VII of the Compliance Supplement) 160 Step 1: Identify Type A Programs Total Federal awards expended Type A/B Threshold $750,000 and $25 million $750,000 >$25 million but $100 million Total Federal awards expended times.03 >$100 million but $1 billion $3 million Total Federal awards >$1 billion but $10 billion expended times.003 > $10 billion but $20 billion $30 million > $20 billion Total Federal awards expended times Step 1: Identify Type A Programs Programs not deemed Type A are Type B

55 Impact of Large Loan and Loan Guarantees on Type A/B Threshold The inclusion of large loan and loan guarantees should not result in the exclusion of other programs as Type A programs - For purposes of Type A/B threshold calculation, a federal program is only considered a loan program if value of federal awards expended for loans within the program is 50% or more of the total federal awards expended for the program - When a loan program exceeds four times the largest non-loan program it is considered a large loan program - If a program is considered a large loan program, it is considered a Type A program and excluded in determining other Type A programs Guidance: Uniform Guidance (a)(3) 163 Example 1 - College ABC Type A/B Threshold Calculation with Loans Federal Awards Expended Student Financial Assistance Cluster: Federal Pell Grant Program $ 40,000,000 Federal Work Study Program 40,000,000 Federal Perkins Loan Program 8,000,000 Direct Loans 9,000,000 Total SFA Cluster $ 97,000,000 Research and Development Cluster 24,000,000 TRIO Cluster 800,000 Higher Education Institutional Aid 800,000 Total $ 122,600, Example 1 - College ABC Type A/B Threshold Calculation with Loans The only program including loans is the SFA cluster The Pell Grant Program and Work-Study Program are non-loan programs in the SFA cluster that comprise approximately 82 percent of the SFA cluster ($80,000,000/$97,000,000). As a result: - The SFA cluster is not considered a loan program because the loans within the program are less than 50% of the total - The SFA cluster is considered in determining the entity s Type A/B program threshold - The Type A/B threshold is $3,000,000 (i.e., total federal awards expended >$100 million but $1 billion) - The SFA cluster and R&D cluster are Type A programs - The TRIO cluster and Higher Education Institutional Aid Programs are Type B programs

56 Example 2 College XYZ Calculation of Type A/B Threshold with Loan Programs Federal Awards Expended Loan Program Student Financial Aid Cluster Federal Direct Student Loans 299,000, Federal Perkins Loan Program 5,000, Federal Grant Program 859, Federal Work-Study Program 290,000 Loan Program Total $ 305,149,000 Non-Loan Programs R&D Cluster (multiple CFDA #s) 20,000,000 Department of Health and Human Services Special Programs for the Aging 825, HIV Prevention Program 200,000 Department of Education Adult Education 400,000 Non-Loan Program Total $ 21,425,000 Total Expenditures (Loans and Non-Loans) $ 326,574,000 Type A/B Threshold before Excluding "Large" Loan Programs $ 3,000, Example 2 College XYZ Calculation of Type A/B Threshold Excluding Large Loan Programs Federal Awards Expended Calculate 4 Times the Largest Non Loan Program Largest Non Loan Program R&D 20,000,000 Multiply by 4 x4 Total of 4 Times the largest Non Loan Program or Cluster $ 80,000,000 Which loan program(s) exceed 4 times the largest non loan program? SFA Cluster $ 305,149,000 Type A Threshold Calculation without "Large" Loans Total Federal Expenditures (Loans and Non Loans) $ 326,574,000 Less "Large" Loan Programs 305,149,000 Total Federal Expenditures without "Large" Loan programs $ 21,425,000 Type A/B Threshold from Table/Recalculated Threshold 750,000 Type A Programs for FY 20XX SFA Cluster $ 305,149,000 R&D Cluster $ 20,000, Special Programs for Aging $ 825, Where we are Four-step Approach Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit

57 Step 2: Identify Low-Risk Type A Programs Criteria for low-risk Type A program - Must have been audited as a major program in at least one of the two most recent audit periods; and - In the most recent audit period, the program must not have had a Modified opinion Material weakness in internal control over compliance Known or likely questioned costs exceeding 5% of total program expenditures 169 Step 2: Identify Low-Risk Type A Programs In making the low-risk Type A determination, the auditor must also consider whether any of the following indicate significantly increased risk and would, therefore, preclude the program from being low risk: - Federal and pass-through entity (PTE) oversight - Results of audit follow-up - Changes in personnel or systems No auditor judgment allowed in the Type A determination A federal awarding agency may request that a Type A program not be considered low risk for a certain recipient 170 Use of Auditor Judgment in Type A Program Risk Assessment Consider a Type A program that: - Has been audited once in the 2 previous years - Has no audit findings from the prior year that would preclude the program from being low-risk, and - Does not meet the risk factors (federal/pte oversight problems, audit follow-up problems, or changes in personnel or systems) will be a low risk Type A program May not use auditor judgment to assess the program as other than low-risk because, for example, it is inherently risky or complex, etc. May use auditor judgment in looking at the other permissible risk factors (e.g., results of audit follow-up, changes in personnel or systems) to preclude low risk designation

58 Step 2: Identify Low-Risk Type A Programs If there are no low-risk Type A programs - Skip to Step 4 in MP determination process - Risk assessment of Type B programs is not required if there are no low-risk Type A programs 172 Where we are Four-step Approach Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit 173 Step 3: Identify High-Risk Type B Programs If there are low-risk Type A programs - Perform risk assessments on Type B program until high-risk Type B programs have been identified up to at least 1/4 of the number of low-risk A programs The auditor is not expected to perform risk assessments on relatively small federal programs - Auditor only required to perform risk assessments on Type B programs that exceed twenty-five percent (0.25) of the Type A threshold determined in Step 1 - For example, if Type A threshold is $750,000, auditor would not have to perform risk assessments on Type B programs of $187,500 or less

59 Step 3: Identify High-Risk Type B Programs The auditor must identify Type B programs which are high-risk using professional judgment and the criteria in , Criteria for Federal program risk Except for known material weakness in internal control or compliance problems a single risk criterion seldom causes a Type B program to be high risk Criteria for Federal Program risk ( ) - Current and prior audit experience - Oversight exercised by federal agencies and PTEs - Inherent risk of the federal program 175 Criteria for Type B Program Inherent Risk Nature and complexity of the program Phase of program in life cycle at federal agency Phase of program in life cycle at the auditee Type B programs with larger federal awards expended would be of higher risk than programs with substantially smaller federal awards expended 176 Type B Risk Assessment Nuance - Example Background - There are 15 Type A programs - Engagement team has assessed five Type A programs as high risk (i.e., 10 Type A programs are low risk) - Therefore, only need to perform risk assessments until identify 3 high-risk Type B programs ¼ (25%) of the 10 Low-risk Type A programs = 2.5 (round up) - There are 7 Type B programs above the de minimis threshold

60 Type B Risk Assessments Staff risk assessed all Type B programs so team needs to audit ALL high risk Type B programs (one extra than needed) Type B Program HIGH RISK LOW RISK NOT ASSESSED Program 1 Program 2 Program 3 Program 4 Program 5 Program 6 Program 7 X X X X X X X 178 Where we are Four-step Approach Step 1 Step 2 Step 3 Step 4 Identify "Type A" programs Identify low-risk "Type A" programs Identify high-risk "Type B" programs Determine major programs to audit 179 Step 4: Determine Major Programs to Audit All Type A programs except those identified as low-risk in Step 2 (i.e. other than low-risk Type A programs) Type B programs identified as high-risk in Step 3 Such additional programs necessary to comply with percentage of coverage rule % or 20.0% if low-risk auditee

61 Step 4: Determine Major Programs to Audit Percentage of Coverage Rule - If considered a low-risk auditee, then Minimum = 20.0% of federal expenditures expended - If not considered a low-risk auditee, then Minimum = 40.0% of federal expenditures expended Determination occurs at the end of all previous steps - NONE of the steps in the major program determination process may be bypassed just because minimum coverage is achieved 181 Smoothing Compliance Supplement Appendix VII The 2016 Compliance Supplement permits you to add type A programs that are low risk as major programs. This would be in addition to any programs you are required to test through the 4 step major program determination process. The goal would be to avoid a large jump in the number of Type A Programs to test in year 3 of Uniform Guidance. (This process is referred to as smoothing) Low-risk A would not be permitted to be audited more than once in first 3 years 182 Low-Risk Determination Pitfalls Auditors sometimes confuse the various risk assessments - Low-risk auditee determination (qualification for reduced audit coverage) - Risk-based approach for determining major programs Identification of low-risk Type A Identification of high-risk Type B - Audit risk for each major program being tested - Audit risk for each direct & material compliance requirement (risk of material noncompliance)

62 EXAMPLES 184 Example 1 Assume Low-Risk Auditee Program 1 $ 4,689,000 Audited prior year with no findings or other risk factors Program 2 208,000 CY new program director and known compliance problems due to passthrough entity monitoring results Program 3 53,000 Program 4 1,600 $4,951,600 Type A/B Threshold = $750,00; Program 1 is low-risk Type A; Program 2 is high-risk Type B. 185 Example 1 - Solution What programs should be audited as major? - Program 2 because it was identified as a high-risk Type B program; and - Program 1 to meet low-risk auditee coverage of 20% of total federal expenditures

63 Example 2 Assume Entity is Not a Low-risk Auditee Program 1 $ 889,330 Audited prior year with no findings or other risk factors Program 2 708,500 Not audited in the prior 2 years and has complex eligibility criteria and known internal control issues based on PTE monitoring results Program 3 532,970 Audited prior year with no findings or other risk factors Program 4 187,900 Audited prior year with no findings or $ 2,318,700 other risk factors Type A/B Threshold = $750,000 Program 1 is low risk Type A Program 2 is a high-risk Type B 187 Example 2 - Solution What programs should be audited as major? - Need 40% coverage since entity not a low-risk auditee - Program 2 because it is a high-risk Type B program - Pick another program to meet % of coverage 188 Example 3 Assume Low-Risk Auditee Program 1 $ 275,000 audited prior year with no findings Program 2 250,000 audited prior year with no findings Program 3 175,000 Program 4 165,000 $ 875,000 Type A/B Threshold = $750,000 There are No Type A programs

64 Example 3 - Solution What programs should be audited as major? - Need 20% coverage since entity is a low-risk auditee - Can pick any program(s) to meet coverage of 20% - Either Programs 1, 2, or 3 get you to 20% - Program 4 will not get you to 20% 190 Example 4 Assume Low-Risk Auditee Type A/B Program Threshold is $750,000 Program # Expenditures A/B Risk Audited in one of two prior years without findings 1 $ 750,000 A Low Yes 2 850,000 A Low Yes 3 900,000 A Low Yes 4 825,000 A High No 5 775,000 A Low No* 6 700,000 B Low 7 600,000 B Low 8 500,000 B High 9 400,000 B N/A* ,000 B N/A* ,000 B N/A* 1 $ 6,700,000 *Low risk program because prior year finding was a significant deficiency in internal control over compliance that did not result in a compliance opinion modification nor known or likely questioned costs greater than 5% of program expenditures. * 1 Risk assessment not performed because the auditor only has to perform risk assessments on Type B programs until high risk Type B programs have been identified up to at least ¼ the number of low risk Type A programs. 191 Example 4 Potential Solution Major Programs Expenditures Program Type Program Number 4 $ 825,000 A High risk Program Number 8 $ 500,000 B High risk $ 1,325,000 6,700,000 in federal expenditures = percentage coverage Program Number 3 (judgmentally selected) $ A low risk program selected to achieve 900,000 percentage coverage $ 2,225,000 = percentage

65 MP Determination and Related Risk Assessment Tips Ensure documentation supports all decisions and the 4-step process - Required risk analyses - Basis for the assessments of risk Consideration of all programs Consideration of clustering programs Categorization of programs as Type A or B Ensure the risk assessment decision is consistent with other information in the audit documentation Cannot use inherent risk as a factor to classify a Type A program as other than low risk If you have access to MP risk assessment tools, use them! 193 Major Program Determination & Risk Assessment Tips If determine MPs during interim phase of audit, recalculate at the end - Check that total expenditures and Type A/B federal program totals haven t changed due to adjusting entries Determine percentage of coverage at the end of the 4-step process - Do not assume that if auditee is considered low risk that 20.0% coverage is sufficient Recheck that all necessary Type A and Type B risk assessments were done Utilize the AICPA Audit Guide, Government Auditing Standards and Single Audits 194 Communications with Cognizant or Oversight Agency

66 Communications with Cognizant or Oversight Agency Planning procedures may indicate a need to communicate with cognizant or oversight agencies - Cognizant Agency: the federal agency designated to carry out the responsibilities described in Oversight Agency: the federal awarding agency that provides the predominant amount of direct funding to a recipient not assigned a cognizant agency for audit. If discussions are held, the auditor should document such communications, as well as any decisions reached as a result 196 Communications with Cognizant or Oversight Agency Single audit matters that may be discussed: - Scope of the compliance testing of federal programs - Intended use of the Compliance Supplement - Identification of federal awards, including those that are considered to be major programs - Form and content of the SEFA - Testing of the monitoring of subrecipients 197 Communications with Cognizant or Oversight Agency Single audit matters that may be discussed: - Scope of the review and testing of internal control over compliance - Testing of compliance requirements - Status of prior-year findings and questioned costs - Federal agency or PTE management decisions on prior-year findings - Compliance requirements and any changes to those requirements

67 Using the Compliance Supplement Part 6: Internal Control - Removed from 2015 Compliance Supplement - More generic in 2016 Compliance Supplement - UG states that a non-federal entity must establish and maintain effective internal control over the Federal award that provides reasonable assurance that the non-federal entity is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award - COSO and Standards for Internal Control in the Federal Government (Green Book) are listed in UG as best practices for auditees to follow 199 Using the Compliance Supplement Part 7: Guidance for Auditing Programs Not Included - Provides guidance for identifying the applicable compliance requirements for programs not included in the Supplement Tips - Will assist the auditor in answering the following questions: 1. What are the program objectives, program procedures, and compliance requirements for a specific program? 2. Which of the compliance requirements could have a direct and material effect on the program? 3. Which of the compliance requirements are susceptible to testing by the auditor? 4. Into which of the 12 types of compliance requirements does each compliance requirement fall? 5. For Special Tests and Provisions, what are the applicable audit objectives and audit procedures? 200 Using the Compliance Supplement Key Appendix - Appendix V lists changes made from previous year Review in detail - Appendix VII provides Other Audit Advisories Review in detail

68 Single Audit Fundamentals Part 3: Understanding and Testing Compliance Requirements and Related Internal Control over Compliance What We Will Cover Determining Direct and Material Compliance Requirements Using the OMB Compliance Supplement Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) Requirements for Testing Internal Controls Compliance Testing: Understanding and Testing the 12 Compliance Requirements An Overview of Sampling in a Single Audit Documentation Requirements 203 Determining Direct and Material Compliance Requirements Using the OMB Compliance Supplement

69 Purpose and Use of the OMB Compliance Supplement OMB Compliance Supplement issued annually Current Compliance Supplement is available at: - ars/ - Bookmark this Web address 205 What is the Compliance Supplement? The Supplement identifies the existing important compliance requirements that the federal government expects to be considered as part of a single audit It is one of the most important pieces of guidance that you use in performing single audits. It provides a source of information for auditors to understand federal program objectives, procedures, and compliance requirements It also includes audit objectives and suggested audit procedures for determining compliance with the noted requirements 206 Using the Compliance Supplement Auditors need to use all parts (2, 3, 4, 5, 6 and 7) for a correct single audit 2: Matrix of Compliance Requirements 3: Compliance Requirements 4: Agency Program Requirements 5: Clusters of Programs 6: Internal Control 7: Guidance for Auditing Programs not Included in the Compliance Supplement

70 Role of OMB Compliance Supplement Part 2 of this series covered a broad overview of the OMB Compliance Supplement and how it is used in a single audit - Also covered the importance of using various parts of the Supplement together Part 2, Matrix of Compliance Requirements Part 3, Compliance Requirements Part 4, Agency Program Requirements Part 5, Clusters of Programs Supplement identifies the existing important compliance requirements that the federal government expects to be considered as part of a single audit 208 Determining Direct and Material Compliance Requirements Obtain an understanding of each major program - Discuss program with appropriate members of management - Review contracts and grant documents Determine key elements Amount Timing Applicable compliance requirements Indirect cost considerations Regulations - Look at expenditure patterns Wages, benefits, equipment, etc. 209 Overview of Using Part 2 of the OMB Compliance Supplement Part 2, Matrix of Compliance Requirements, identifies 12 compliance requirements - Indicates which compliance requirements are generally applicable for each program in Supplement - Part 7, Guidance for Auditing Programs Not Included, to be used by auditors if program not in Supplement Auditors use Part 2 to determine actual applicability for each major program Auditor then determines which applicable compliance requirements are direct and material to each major program

71 12 Compliance Requirements in Part 2 A- Activities Allowed or Unallowed B - Allowable Costs/Cost Principles C- Cash Management D - Reserved E - Eligibility F - Equipment and Real Property Management G - Matching, Level of Effort, and Earmarking H - Period of Performance I - Procurement and Suspension and Debarment J - Program Income K - Reserved L - Reporting M - Subrecipient Monitoring N - Special Tests and Provisions 211 Determine Applicability Using Part 2 Matrix Which compliance requirements are generally applicable? 212 A Note About Part 2 and Applicability Y may appear in matrix, even though a requirement may not apply to a particular entity - Entity may not have activity subject to the compliance requirement; or - Activity could not have a material effect on major program Auditor should exercise professional judgment when determining which compliance requirements marked with a Y need to be tested at a particular entity Documentation is key if overriding a Y

72 Determining Direct and Material Compliance Requirements Do auditors test all applicable compliance requirements? - No; only test compliance requirements that could have a direct and material effect Should an auditee comply with all applicable compliance requirements? - Yes! 214 What is Direct and Material Effect? Direct and material effect means: - Noncompliance could result in being denied reimbursement of program expenditures; or - Entity having to refund federal monies or make other restitution in an amount that would be material to the major program 215 Determining Direct and Material Compliance Requirements Which applicable compliance requirements are direct and material? - Subjective Auditor judgment Experience Accepted risk Industry expectation - Use information gained from steps taken to obtain an understanding of each major program at the outset (see earlier slide) - Qualitative and quantitative factors

73 Determining Direct and Material Compliance Requirements Qualitative Factors Needs and expectations of federal or pass-through agencies Noncompliance could cause federal agency to take action Seeking reimbursement of program costs Suspending participation in the program Public or political sensitivity Federal, state, local oversight Internal or other external audits Previous findings 217 Determining Direct and Material Compliance Requirements Quantitative Factors Noncompliance could likely result in questioned costs Requirement affects large part of the program Material amount of program dollars - For example, 5% of expenditures - Not an auditee concept 218 Importance of Documentation Supporting Assessments Documentation of applicable and direct and material determinations is critical - If auditor determines a Y in Part 2 matrix is not applicable to an auditee, N/A not enough - If auditor determines an applicable compliance requirement is not direct and material, Not D&M is not enough

74 Using the Compliance Supplement Part 3: Compliance Requirements Generic compliance requirement information Generic audit procedures Tips Refrain from using the Compliance Supplement as a checklist Understand the various programs to determine whether modifications to the audit approach are necessary 220 Using the Compliance Supplement Parts 4 (Agency Program Requirements) and 5 (Clusters of Programs) Include program-specific compliance regulation information Limited program specific audit procedures Tips Parts 4 and 5 cannot be used without parts 2 and 3 Part 4 cannot be your audit program 221 Uniform Guidance Requirements for Testing Internal Controls

75 Internal Control Auditee Responsibility ( ) The non-federal entity must establish and maintain effective internal control over the federal award that provides reasonable assurance that the non-federal entity is managing the federal award in compliance with federal statutes, regulations, and the terms and conditions of the federal award. Internal controls should be in compliance with guidance in: - Standards for Internal Control in the Federal Government [Green Book] issued by the Comptroller General of the United States, and - the Internal Control Integrated Framework, issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Use of should in Uniform Guidance indicates a best practice and is not a presumptively mandatory requirement 223 Internal Control Auditor Responsibility ( (c)(2)) Auditors must perform procedures to obtain an understanding of internal control over federal programs sufficient to plan the audit to support a low assessed level of control risk of noncompliance for major programs. Plan testing of internal control over the relevant compliance requirements for each major program Perform testing of internal control as planned Report on internal control over compliance (covered Part 4 of series) 224 Internal Control AICPA Standards AU-C 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, identifies 5 interrelated components that provide useful framework for auditors when considering internal control - Control environment - Risk assessment - Information and communication systems - Control activities - Monitoring These five components are the same as those found in both the Green Book and the COSO integrated framework

76 Considering Internal Control Over Compliance in a Single Audit The auditor should obtain an understanding of the five components of internal control sufficient to assess the risks of material noncompliance with each direct and material compliance requirement for each major program 226 COSO: 5 Components and 17 Principles of Effective Internal Control 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Control Environment 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Risk Assessment 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures Control Activities 13. Uses relevant information 14. Communicates internally 15. Communicates externally 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Information & Communication Monitoring Activities 227 Green Book The standards in the Green Book are organized by the five components of internal control shown in the cube below. Each of the five components contains several principles. Principles are the requirements of each component

77 How to Access Internal Control Frameworks COSO framework - Update to COSO released in May Available for purchase - Access information Green Book - Update to the Green Book released in September Available for free - Access Green Book 229 Internal Control Over Compliance Design and Implementation Versus Effectiveness Test of design and implementation - Walkthrough auditor understanding - Conclusion: Control has been properly designed and implemented Test of operating effectiveness - Test key control attributes - Conclusion: Control is effective If control not effective, a finding should be reported 230 Internal Control Over Compliance - Operating Effectiveness Tests of operating effectiveness different than determining that control has been implemented Evidence of who, when, what Procedures include: - Inquiries - Inspection of documents indicating performance - Observation of application of specific controls - Reperformance of controls by auditor Generally involves combination of procedures - Inquiry alone is not sufficient

78 Internal Control Over Compliance - Operating Effectiveness Test controls - Throughout the period under audit - Every period under audit Internal controls that cross major programs - Are they really the same? - Representative sample 232 Internal Control Over Compliance - Operating Effectiveness Evaluating results of tests of controls - Deviations may occur Understand deviation and consequences Determine if the expansion of the sample would provide evidence of containment of the error Assess the deviation and determine proper reporting Control deficiency Material weakness Significant deficiency Assess impact on tests of compliance 233 Example: Activities Allowed or Unallowed and Allowable Costs/Cost Principles Control Environment - Management sets reasonable budgets - minimize incentives to miscode expenditures Risk Assessment - Management has sufficient understanding of procedures and controls to identify unallowable activities Information and Communication Systems - Comparison of budget to actual is provided to project managers for review on a timely basis Control Activities - Program managers approve purchase orders/invoices prior to payment Monitoring - Financial reports provided to appropriate management on periodic basis for review

79 Internal Control Over Compliance - Process vs. Control Processes - Procedures that originate, transfer or change data - Can introduce errors Controls - Procedures designed to prevent, detect and correct errors resulting from processing of accounting information - Cannot generate errors 235 What about Part 6 of the OMB Compliance Supplement? Part 6, Internal Control, of the 2016 OMB Compliance Supplement consists higher level Summary of Green Book and COSOS 236 Compliance Testing: Understanding and Testing the 12 Compliance Requirements

80 Relocation Costs Travel Costs Compensation , References to Written Policies in UG Financial management Procurement , Payment Compliance Auditor Responsibility ( (d) (1), (3) & (4)) Must determine whether auditee complied - With federal statutes, regulations, and the terms and conditions of Federal awards that may have a direct and material effect on each of its major programs Must determine the current compliance requirements and modify the audit procedures accordingly - For the compliance requirements contained in the Compliance Supplement, an audit of these compliance requirements will meet the requirements of UG Compliance testing must include tests of transactions and such other auditing procedures necessary to provide the auditor sufficient appropriate audit evidence to support opinion on compliance 239 A Walk-Through the 12 Compliance Requirements A- Activities Allowed/Unallowed - Identifies what activities or projects can (or cannot) be funded under a specific program. B - Allowable Costs/Cost Principles - Describes the cost accounting requirements associated with federal awards - Includes requirements for indirect costs - Includes requirements for compensation personal services

81 Indirect Costs ( ) Federal agencies have to accept a non-federal entity s negotiated indirect cost rate unless statute or regulation allows for an exception or agency head approves Non-federal entities have option to extend rate for up to four years (one-time extension with some caveats) Non-federal entities that have never received negotiated rate will be permitted to charge a de minimis rate of 10% of modified total direct costs which may be used indefinitely - Must be used consistently for all federal awards until entity chooses to negotiate for a rate 241 Compensation Personal Services ( ) Requirements for: - Existence of employees - Reasonableness of compensation - Assignment and allocation to federal awards Time and distribution records must be maintained for all employees whose salary is: - Paid in whole or in part with federal funds - Used to meet a match/cost share requirement Not based on budget estimates alone needs to be ACTUAL Full disclosure - All time worked for the organization and what percentage is federal 242 Activities Allowed/Unallowed and Allowable Costs - Testing Compliance How would we test compliance with these requirements? Review Compliance Supplement, contracts, grant agreements Identify details of total expenditures (reconcile to Schedule of Expenditures of Federal Awards (SEFA) Determine sampling unit (checks, salaries, etc.) Select sample of direct costs Test sample of direct costs Test cost allocation plan/indirect costs

82 A Walk-Through the 12 Compliance Requirements C - Cash Management - When funded on a reimbursement basis, program costs must be paid for by entity funds before reimbursement is requested - When funds are advanced, recipients must follow procedures to minimize the time elapsing between the transfer of funds from the U.S. Treasury and disbursement - Interest earned on advances by local government grantees and subgrantees is required to be submitted to the federal agency - Program income typically must be spent first 244 Cash Management - Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, grant agreements - Discuss methods for drawing funds with management - Determine sampling unit (draws or advances) - Select sample - Test sample 245 A Walk-Through the 12 Compliance Requirements E Eligibility - Specifies the criteria for determining the individuals, groups of individuals, or subrecipients that can participate in the program and the amounts of assistance for which they qualify - Eligibility of those participating in the program funded by the grant or contract rather than the eligibility of the primary recipient

83 Eligibility Testing Compliance How would we test compliance with this requirement? - Review compliance supplement, contracts, grant agreement - Discuss methods for compliance with auditee - Determine sampling unit (number of eligible participants) - Select sample - Test sample 247 A Walk-Through the 12 Compliance Requirements F - Equipment and Real Property Management - Equipment and real property management provides standards for the use and disposition of equipment and real property purchased with federal funds. - These requirements cover records and inventory management. - Equipment means tangible personal property, including information technology systems having a useful life of more than one year and a per-unit cost which equals or exceeds the lesser of the capitalization level established by the non-federal entity for financial statement purposes or $5,000 ( ). - Title vests with non-federal entity 248 Equipment and Real Property Management Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, grant agreements - Discuss methods for compliance with auditee - Test compliance with physical inventory requirements - Determine sampling unit (inventory of federal equipment, all activity in GL equipment account) - Select sample - Test sample - Test dispositions of equipment

84 A Walk-Through the 12 Compliance Requirements G - Matching, Level of Effort, Earmarking - Matching is amount (or percentage) of grantee contributions or matching funds provided. - Matching, or cost sharing, includes requirements to provide contributions (usually non-federal) of a specified amount or percentage to match federal awards. - Matching may be in the form of allowable costs incurred or in-kind contributions (including third-party in-kind contributions). 250 A Walk-Through the 12 Compliance Requirements G - Matching, Level of Effort, Earmarking - Level of effort (LOE) is specified service or expenditure levels maintained from period to period. - LOE may include provisions for funds to supplement and not supplant non-federal funding of services. - Earmarking is minimum or maximum limits for specified purposes. - Earmarking may relate to amounts or types of participants covered. 251 Matching, Level of Effort, Earmarking Testing Compliance How would we test compliance with this requirement? - Review compliance supplement, contracts, grant agreement - Discuss methods for compliance with auditee - Determine methods for calculating match, LOE, earmarking - Test that identified percentages are met - Ensure that matching amounts are from allowable sources

85 A Walk-Through the 12 Compliance Requirements H Period of Performance - Time during which the non-federal entity may incur new obligations to carry out the work authorized under the federal award - Only costs incurred during the specified period may be charged to the grant award - Sometimes pre-award costs are approved - Can sometimes be carried over 253 Period of Performance Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, grant agreements - For Federal awards with performance period beginning dates during the audit period, test transactions for costs recorded during the beginning of the period of performance and verify that the costs were not incurred prior to the start of the period of performance unless authorized by the Federal awarding agency or the pass-through entity. - For Federal awards with performance period ending dates during the audit period, test transactions for costs recorded during the latter part and after the period of performance and verify that the costs had been incurred within the period of performance. - For Federal awards with performance period ending dates during the audit period, test transactions for Federal award costs for which the obligation had not been liquidated (payment made) as of the end of the period of performance and verify that the liquidation occurred within the allowed time period 254 A Walk-Through the 12 Compliance Requirements I - Procurement, Suspension & Debarment - Procurement States must use the same policies and procedures they use for procurements from their non-federal funds - Procurement Non-federal entities other than states, including those operating federal programs as subrecipients of States, must follow the procurement standards set at 2 CFR through Suspension & Debarment - Non-federal entities are prohibited from contracting with or making subawards under covered transactions to parties that are suspended or debarred - Excluded Parties Listing

86 Procurement Claw (Sections ) 2. Small Purchases 3. Sealed Bids 4. Competitive Proposals 5. Sole Source 1. Micro- Purchases General Standards: A. Documented Policies B. Necessary C. Full & Open Competition D. Conflict of Interest E. Documentation i. Cost & Price Analysis ii. Vendor Selection 256 Procurement, Suspension & Debarment Testing Compliance How would we test compliance with this requirement? - Obtain copies of policies and procedures related to the purchase of goods and services - Select sample - Test sample of procurements for compliance with requirements 257 A Walk-Through the 12 Compliance Requirements J - Program Income - Gross income earned by a non-federal entity that is directly generated by a supported activity or earned as a result of the federal award during the period of performance - Includes, but is not limited to income from: fees for services performed, the use or rental of real or personal property acquired under federal awards, the sale of commodities or items fabricated under federal awards License fees and royalties on patents and copyrights, and payments of principal and interest on loans made with federal awards

87 Program Income Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, grant agreements - Discuss program income with management and review detail G/L - Recalculate/verify amounts - Determine if program income was used on allowable expenditures 259 A Walk-Through the 12 Compliance Requirements L Reporting - Grant recipients are required to use standard financial reporting forms for submitting information to the federal awarding agency - Many times these reports are required of state agencies who develop their own reports for subgrantees (local governments) - Performance or special reports may be required 260 Reporting Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, grant agreements - Discuss requirements with client - Determine population of reports - Select sample of reports to test - Test sample by tracing amounts to supporting documentation - Recalculate sampled reports

88 A Walk-Through the 12 Compliance Requirements M Subrecipient Monitoring - Requires recipients to monitor the activities of subrecipients relative to their federal awards. - An award recipient is responsible for: At the time of the award, identifying to the subrecipient the federal award information and applicable compliance requirements. Evaluating each subrecipient s risk of noncompliance for purposes of determining the appropriate subrecipient monitoring related to the subaward Monitoring the subrecipient's use of federal awards. Ensuring that subrecipients expending $750,000 or more in federal awards are audited. Evaluating the impact of subrecipient activities on the pass-through entity s ability to comply with applicable federal regulations. 262 Subrecipient Monitoring Testing Compliance How would we test compliance with this requirement? - Discuss the existence of subrecipients with the client and their monitoring activities - Review the detail G/L for payments to subrecipients - Review the PTE s subrecipient monitoring policies and procedures - Review subaward documents including the terms and conditions of the subaward - Review the PTE s documentation of monitoring the subaward - Did they obtain single audits from subrecipients if required? 263 A Walk-Through the 12 Compliance Requirements N- Special Tests and Provisions - Additional requirements set forth by federal agency see Part 4 of the Compliance Supplement - Found in the statues, regulations, and the provisions of contracts or grant agreements pertaining to the program - Not every federal program has special tests and provisions

89 Special Tests and Provisions - Testing Compliance How would we test compliance with this requirement? - Review Compliance Supplement, contracts, and grant agreements for the existence of special tests and provisions - Sampling and testing will vary according to special tests and provisions requirements 265 A Quick Word on Sampling in a Single Audit 266 Sampling Concepts Access more detailed GAQC Sampling Web event Statistical vs. Nonstatistical - Auditor may choose between a statistical and a nonstatistical approach to audit sampling. - Both methods comply with auditing standards. Tests of Controls Provide evidence about the effectiveness of the design, implementation, or operation of controls and policies in preventing or detecting material noncompliance. Concern: Rates of deviations from a prescribed control. Tests of Compliance Provide evidence about an auditee s ability to adhere to the direct and material compliance requirements of its major programs. Concern: Rates and potential magnitude of noncompliance

90 Sampling Concepts Attribute vs. Monetary Sampling Attribute sampling recommended for both tests of controls and tests of compliance - Tests of Controls: Common to apply attribute sampling for tests of controls (yes/no) - Tests of Compliance: Some populations involve monetary amounts, but focus is on evidence of compliance (yes/no) Attribute sampling allows the auditor to: - Project a sampling error to the sample population - Establish best estimate of questioned costs 268 Set Up Your Sample For Success: Determine Audit Objectives Proper definition and documentation of the audit objective precedes sampling design and execution. Separate objectives for tests of control and compliance Examples: - A necessary control was performed effectively. - An expenditure charged to a grant is allowable under the cost principles 269 Define Population, Consider Completeness Understand the characteristics of the population - Remove individually important items - Identify the sampling unit (eligibility files, expenditures, financial reports, cost transfers) - Each transaction or instance of the control has an equal opportunity of being selected - May be more than one type of transaction/control o Allowable costs payroll vs. other than payroll Properly identify the universe of transactions - Remember: Auditor s opinion is on the compliance requirements that could have a direct and material effect on EACH major program o Possible to test across major programs for controls o Treat each major program as a separate population for compliance testing

91 Determine Sample Size Controls Suggested Minimum Sample Sizes Significance of Control and Minimum Sample Size Inherent Risk (IR) of Compliance Requirement 0 deviations expected Very Significant and Higher IR 60 Very Significant and Limited IR Or Moderately Significant and Higher IR 40 Moderately Significant and Limited IR 25 IR = Inherent Risk Suggested minimum sample sizes for populations > Dual Purpose Sample Considerations Common practice to utilize a single sample to achieve multiple audit objectives - Internal control over compliance testing - Compliance testing - Financial statement balance testing Exercise caution: - Different characteristics are for different objectives - If there are errors in internal control, compliance sample may not be adequate 272 Evaluating Sample Results ALL deviations/exceptions should be evaluated to: - Understand the likely cause - Determine if it should be reported Justify containment of deviation/exception - Additional audit work necessary to contain - Documentation should explain why the deviation/exception is not expected to be representative of other deviations/exceptions in the broader population

92 Documentation Requirements 274 Documentation Requirements AU-C 935, Compliance Auditing, states that the auditor should document: - The risk assessment procedures performed, including those relating to gaining an understanding of internal control over compliance - Responses to the assessed risk of material noncompliance, the procedures performed, and the results of those procedures, including any test of controls over compliance - Materiality levels and the basis for which they were determined - How complied with the specific governmental audit requirements that are supplementary to GAAS and Government Auditing Standards Keep in mind that you also need to meet overall documentation requirements of AU-C 230, Audit Documentation and Government Auditing Standards the experienced auditor concept 275 Single Audit Fundamentals Part 4: Overview of Single Audit Reporting Requirements and Available Resources 92

93 Where Are We in the Process? We selected our major programs We determined the compliance requirements to test for each major program using the OMB Compliance Supplement We assessed internal control over compliance and performed appropriate testing We performed compliance testing So now what?? 277 What We Will Cover Today Single Audit Reporting Requirements Under Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards at 2 CFR 200 (UG or Uniform Guidance) Evaluating Results of Testing Single Audit Quality and Best Practices Resources to Facilitate a Single Audit 278 Reporting Requirements of the Single Audit

94 What Does GAGAS Require to be Reported? GAGAS findings generally relate to the audit of the financial statements - However, single audit-related audit findings could be required to be reported in the GAGAS reporting if material to the financial statements Internal Control over Financial Reporting - Material weaknesses and significant deficiencies Material instances of fraud and noncompliance with provisions of laws and regulations Material noncompliance with provisions of contracts or grant agreements Abuse that has a material effect, either qualitative or quantitative, on the audit 280 What Does the UG Require to be Reported? of the UG states that the auditor must report the following as audit findings in the SFQC: - Significant deficiencies and material weaknesses in internal control over major programs and significant instances of abuse - Material noncompliance with the provisions of Federal statutes, regulations, or the terms and conditions of Federal awards related to a major program - Known questioned costs that are greater than $25,000 for a type of compliance requirement for a major program - Known questioned costs when likely questioned costs are greater than $25,000 for a type of compliance requirement for a major program 281 What Does the UG Require to be Reported? of the UG states that the auditor must report the following as audit findings in the SFQC: - Known questioned costs that are greater than $25,000 for a federal program which is not audited as a major program - Known or likely fraud affecting a federal award, unless otherwise reported in the SFQC - Instances where the results of audit follow-up procedures disclosed that the summary schedule of prior audit findings prepared by the auditee materially misrepresents the status of any prior audit finding

95 Report Submission Requirements The audit must be completed and the Data Collection Form (DCF) and reporting package must be submitted to the Federal Audit Clearinghouse (FAC) within the earlier of: - 30 calendar days after receipt of the auditor's report(s), - or nine months after the end of the audit period. If the due date falls on a Saturday, Sunday, or federal holiday, the reporting package is due the next business day. The auditee must electronically submit to the FAC the DCF and the reporting package 283 Reporting Package - Required Components 1. Financial Statements and Schedule of Expenditures of Federal Awards (SEFA) 2. Auditor s Report on the Financial Statements 3. Auditor s Report on the SEFA 4. Auditor s Report on Internal Control over Financial Reporting and on Compliance and Other Matters (referred to as Yellow Book report) Blue = Auditee Requirement Green = Auditor Requirement 284 Reporting Package - Required Components 5. Auditor s Report on Compliance with Requirements that Could Have Direct and Material Effect on Each Major Program and on Internal Control over Compliance (referred to as single audit report) 6. Schedule of Findings and Questioned Costs 7. Summary Schedule of Prior Audit Findings 8. Management s View and Corrective Action Plan Blue = Auditee Requirement Green = Auditor Requirement

96 Financial Statements and Related Reporting Auditor Reporting - Opinion-level assurance on financial statements - In accordance with both AICPA generally accepted auditing standards (GAAS) and GAGAS - Same fiscal year as the compliance audit - AICPA Audit Guides include illustrative report examples Numerous detailed examples in the AICPA Audit and Accounting Guides, State and Local Governments, and Not-for-Profit Entities More limited examples in AICPA Audit Guide, Government Auditing Standards and Single Audits 286 SEFA and Related Reporting SEFA - Client-prepared schedule that reports the total expenditures of federal awards - See Part 1 of this series for more information Auditor Reporting - Determine whether presented fairly in all material respects in relation to the auditee s financial statements as a whole - May be included in financial statement report or single audit report - Practice aids available on the GAQC Web site: - Illustrative reporting on the SEFA included in the AICPA Audit Guide, Government Auditing Standards and Single Audits 287 Yellow Book Report Internal Control Over Financial Reporting - Material weaknesses and significant deficiencies No opinion on the effectiveness of internal control over compliance Compliance and Other Matters - Instances of fraud and noncompliance with provisions of laws and regulations that have a material effect on the financial statements and any other instances warranting the attention of those charged with governance - Noncompliance with provisions of contracts and grant agreements that has a material effect on the determination of financial statement amounts - Abuse that has a material effect on the audit

97 Single Audit Report Compliance - An opinion on compliance for EACH major program - Reportable instances of noncompliance Internal Control over Compliance - No opinion on the effectiveness of internal control over compliance - Report significant deficiencies and material weaknesses unmodified.pdf Appendix 11-C-1 modified.pdf Appendix 11-C Schedule of Findings and Questioned Costs Three required sections - Summary of auditor s results - Findings related to the financial statements required to be reported in accordance with GAGAS - Findings and questioned costs for federal awards 290 SFQC Part 1, Summary of Auditor s Results Financial Statements - Type of auditor s report issued [unmodified, qualified, adverse or disclaimer] - Internal Control over Financial Reporting Material weaknesses identified? Significant deficiencies identified? - Noncompliance material to financial statements noted?

98 SFQC Part 1, Summary of Auditor s Results Federal Awards - Internal Control over Major Programs Material weaknesses identified? Significant deficiencies identified? - Type of auditor s report issued on compliance for major programs [unmodified, qualified, adverse, or disclaimer] - Any audit findings disclosed that are required to be reported (see earlier slides) - Identification of major programs including Catalog of Federal Domestic Assistance (CFDA) number and name of federal program or cluster - Dollar threshold used to distinguish between type A and type B programs - Auditee qualified as low-risk auditee? 292 SFQC Part 2, Findings Related to the Financial Statements This section includes all findings related to the audit of the financial statements that are required to be reported by GAAS and GAGAS Required GAGAS finding elements: - Criteria or specific requirement - Condition - Context - Effect - Cause - Recommendation - Views of responsible officials 293 SFQC Part 3, Audit Findings Related to the Federal Awards This section includes all findings required to be reported by of the UG (see earlier slides) Required UG audit finding elements: - Federal program and specific federal award identification the CFDA title and number federal award identification number (FAIN) and year, name of federal agency, and name of the applicable PTE When above is not available, the auditor must provide the best information available to describe the federal award

99 SFQC Part 3, Audit Findings Related to the Federal Awards Required UG audit finding elements: - The criteria or specific requirement upon which the audit finding is based, including the Federal statutes, regulations, or the terms and conditions of the Federal awards. Criteria generally identify the required or desired state or expectation with respect to the program or operation. Criteria provide a context for evaluating evidence and understanding findings. - The condition found Including facts that support the deficiency identified in the audit finding. 295 SFQC Part 3, Audit Findings Related to the Federal Awards Required UG audit finding elements - Statement of cause The reason or explanation for the condition or the factors responsible for the difference between condition and criteria - The possible asserted effect To provide sufficient information to the auditee and federal agency, or PTE to determine the cause and effect to facilitate prompt and proper corrective action. Should provide a clear, logical link to establish the impact or potential impact of the difference between the condition and the criteria. - Questioned costs and how they were computed Known questioned costs must be identified by applicable CFDA number and applicable FAIN 296 SFQC Part 3, Audit Findings Related to the Federal Awards Required UG Finding Elements - Information to provide proper perspective for judging the prevalence and consequences of the audit findings, such as whether the audit findings represent an isolated instance or a systemic problem Where appropriate, instances identified must be related to the universe and the number of cases examined and be quantified in terms of dollar value. The auditor should report whether the sampling was a statistically valid sample. - Whether the audit finding was a repeat of a finding in the immediately prior audit and if so any applicable prior year audit finding numbers

100 SFQC Part 3, Audit Findings Related to the Federal Awards Required UG Finding Elements - Recommendations to prevent future occurrences of the deficiency identified in the audit finding - Views of responsible officials of the auditee - A reference number in a specified format meeting to allow for easy referencing of the audit findings during follow-up Required format is the fiscal year being audited (or the fiscal year in which the finding initially occurred) as the beginning digits of each reference number, followed by a three-digit numeric sequence. For example, findings identified and reported in the audit of fiscal year 20X1 would be assigned reference numbers 20X1-001, 20X1-002, and so forth. 298 Auditee Summary Schedule of Prior Audit Findings The summary schedule of prior audit findings must report: - The status of all audit findings included in the prior audit's SFQC - Audit findings reported in the prior audit's summary schedule of prior audit findings except audit findings listed as corrected or no longer valid or not warranting further action in accordance with criteria in the UG - Findings relating to the financial statements which are required to be reported in accordance with GAGAS 299 Auditee Summary Schedule of Prior Audit Findings Summary Schedule of Prior Audit Findings must also: - Include the fiscal year in which the finding initially occurred - Describe reasons for the finding's recurrence and planned corrective action, and any partial corrective action taken, when audit findings were not corrected or were only partially corrected - Provide an explanation when corrective action taken is significantly different from corrective action previously reported in a corrective action plan or in the federal agency s or PTE s management decision

101 Auditor Responsibility for Summary Schedule of Prior Audit Findings Auditor must follow up on prior audit findings, perform procedures to assess the reasonableness of the summary schedule of prior audit findings Auditor must report as a current-year finding when the auditor concludes the summary schedule of prior audit findings materially misrepresents the status of any prior audit finding 301 Auditee Corrective Action Plan (CAP) At the completion of the audit, the auditee must prepare a CAP to address each auditing finding included in the current year auditor s report CAP must be in a document separate from the SFQC Must include reference numbers the auditor assigns to audit findings in the SFQC Must provide: - Name(s) of the contact person(s) responsible for corrective action - Corrective action planned for each audit finding - Anticipated completion date - Explanation and specific reasons why auditee disagrees with the audit findings (in cases where the auditee does not agree with the audit findings or believes corrective action is not required) 302 Data Collection Form Auditee must submit a DCF that provides information about the auditee, its federal programs, and the results of the audit - Electronically completed by auditee and auditor on the FAC Web site - Both auditor and auditee electronically certify (or sign ) Represents a summary of the information contained in the reporting package Reporting package and DCF to be available for public inspection on FAC Web site The DCF and related instructions can be accessed from the FAC s website at

102 Data Collection Form Auditor sections include: - Auditor contact information - Information on the results of the financial statement audit and single audit Auditees and auditors must ensure that their respective parts of the reporting package do not include protected personally identifiable information (PPII) - PPII is defined as: an individual s first name or first initial and last name in combination with any one or more other types of information, including, but limited to social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother s maiden name, criminal, medical and financial records, and educational transcripts 304 Evaluating Results of Testing 305 Key Definitions Control deficiency - exists when the design or operation of a control over compliance does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, noncompliance on a timely basis. - A deficiency in design exists when (a) a control necessary to meet the control objective is missing, or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met. - A deficiency in operation exists when a properly designed control does not operate as designed or the person performing the control does not possess the necessary authority or competence to perform the control effectively

103 Key Definitions Significant deficiency in internal control over compliance -is a deficiency, or a combination of deficiencies, in internal control over compliance with a type of compliance requirement of a federal program that is less severe than a material weakness in internal control over compliance, yet important enough to merit attention by those charged with governance. Material weakness in internal control over compliance - is a deficiency, or combination of deficiencies, in internal control over compliance such that there is a reasonable possibility that material noncompliance with a type of compliance requirement of a federal program will not be prevented, or detected and corrected, on a timely basis. 307 Key Definitions Audit Finding - deficiencies which the auditor is required by, Audit Findings, to report in the schedule of findings and questioned costs (SFQC) will cover in detail Questioned Costs - costs that are questioned by the auditor because of an audit finding: - which resulted from a violation or possible violation of a statute, regulation, or the terms and conditions of a federal award, including funds used to match federal funds - where the costs, at the time of the audit, are not supported by adequate documentation - where the costs incurred appear unreasonable and do not reflect the actions a prudent person would take in the circumstances. 308 Evaluating Results of Tests of Controls Tests of internal control may identify deficiencies, considered audit findings Need to understand deviation and consequences Auditor should evaluate the severity of each deficiency to determine whether, individually or in combination, is a: - Material weakness - Significant deficiency Determination of whether a control deficiency is a significant deficiency or material weakness for the purpose of reporting an audit finding is in relation to a type of compliance requirement for a major program

104 Evaluating Results of Tests of Controls The severity of a deficiency depends on: - The magnitude of potential noncompliance resulting from the deficiency or deficiencies; and - whether there is a reasonable possibility that the entity s controls will fail to prevent, or detect and correct, noncompliance with a type of compliance requirement The significance of a deficiency in internal control over compliance depends on the potential for noncompliance, not on whether noncompliance actually has occurred The absence of identified noncompliance does not provide evidence that identified deficiencies in internal control over compliance are not significant deficiencies or material weaknesses 310 Evaluating Results of Tests of Controls Risk factors affect whether there is a reasonable possibility that a deficiency, or combination of deficiencies, will result in noncompliance with a type of compliance requirement of a federal program. The factors include, but are not limited to: the nature of the type of compliance requirement involved. susceptibility of the program and related types of compliance requirements to fraud. subjectivity and complexity involved in meeting the compliance requirement and the extent of judgment required in determining noncompliance. interaction or relationship of the control with other controls. interaction among the deficiencies. possible future consequences of the deficiency. 311 Evaluating Results of Tests of Controls The evaluation of deficiencies in internal control over compliance includes the magnitude of potential noncompliance Factors affecting the magnitude of potential noncompliance that could result from a deficiency or deficiencies in controls include, but are not limited to: - program amounts or total of transactions exposed to the deficiency in relation to the type of compliance requirement; - volume of activity related to the compliance requirement exposed to the deficiency in the current period or expected in future periods; or - adverse publicity or other qualitative factors

105 Evaluating Results of Tests of Controls Indicators of material weaknesses in internal control over compliance include: - identification of fraud in the major program of any magnitude on the part of senior program management. - identification by the auditor of material noncompliance in circumstances that indicate that the noncompliance would not have been detected by the entity s internal control - ineffective oversight by management, or those charged with governance, over compliance with program requirements where the activity is subject to a type of compliance requirement Chapter 19 of AICPA Audit Guide, Government Auditing Standards and Single Audits, includes other examples of circumstances that may be deficiencies, significant deficiencies, or material weaknesses 313 Evaluating the Results of Tests of Compliance Tests of compliance may disclose instances of noncompliance, considered audit findings May be of monetary nature and involve questioned costs Alternatively, may be nonmonetary and not result in questioned costs Both Government Auditing Standards (referred to as GAGAS or the Yellow Book) and the UG specify how certain findings are to be reported Auditor needs to determine effect on compliance opinion, as well as the appropriate reporting of finding and any related questioned costs 314 Evaluating the Results of Tests of Compliance The auditor should not assume that an instance of fraud or error is an isolated occurrence and, therefore, should consider how the detection of such noncompliance affects the assessed risks of material noncompliance Before the conclusion of the audit the auditor should: - Evaluate whether audit risk of noncompliance has been reduced to an appropriately low level and whether the nature, timing, and extent of the audit procedures need to be reconsidered. - Conclude whether sufficient appropriate audit evidence has been obtained to reduce to an appropriately low level the risks of material noncompliance with compliance requirements

106 Evaluating the Results of Tests of Compliance Differing thresholds for evaluating noncompliance - Overall major program or cluster - Type of compliance requirement or audit objective from the Compliance Supplement - Financial statement materiality to determine if GAGAS reporting needed Results of evaluation will assist in how to report - Effect on opinion on compliance for each major program Unmodified/qualified/adverse - Schedule of Findings and Questioned Costs (SFQC) Instances of noncompliance detected by the auditor should also be considered for any related ineffectiveness of the related internal control 316 Evaluating the Results of Tests of Compliance For purposes of the compliance opinion, in determining whether the auditee complied with the direct and material compliance requirements in all material respects, the auditor may consider the following factors: - Nature and frequency of noncompliance - The adequacy of the entity s system for monitoring compliance - Whether any identified noncompliance with the direct and material compliance requirements resulted in likely questioned costs that are material to the federal program 317 Evaluating the Results of Tests of Compliance Other Evaluation Criteria - Materiality of noncompliance relative to the individual compliance requirement - Aggregate immaterial instances of noncompliance - Quantitative and qualitative factors - Whether noncompliance could be material in relation to the financial statements Assessing materiality at the appropriate level is critical to the proper evaluation of findings

107 Questioned Costs In evaluating the effect of questioned costs on the compliance opinion, the auditor considers the best estimate of the total costs questioned for each major program (likely questioned costs), not just the questioned costs specifically identified (known questioned costs). Likely questioned costs are developed by extrapolating from audit evidence obtained - For example, projecting known questioned costs identified in an audit sample to the entire population from which the sample was drawn. Known questioned costs may not be considered material, but the likely questioned costs are considered material - The auditor should consider the noncompliance to be material (and report a finding) or may expand the scope of the audit and apply additional audit procedures to further establish the likely questioned costs 319 Findings of Noncompliance That Cannot be Quantified Consider the following scenario: - Pass-Through Entity (PTE) consistently fails to monitor the activities of its subrecipients as necessary to ensure subaward used for authorized purposes Would likely be material in relation to the subrecipient monitoring compliance requirement - Should be reported as an audit finding Consider effect on compliance opinion for the major program Consider whether significant deficiencies or material weaknesses exist 320 Example Evaluation Situation 1 During a test of compliance with activities allowed or unallowed, there was 1 missing invoice in a sample of 40 expenditures Do we have a finding? If so, what is it?

108 Example Evaluation Situation 2 During a test of compliance for activities allowed or unallowed, it was noted that an expensive piece of equipment was charged to a major program when the grant agreement does not allow program funds to be spent on equipment Do we have an audit finding? If so, what is it? 322 Example Evaluation Situation 3 During a test of compliance with subrecipient monitoring for a PTE, it was noted that of the 7 subrecipient drawdown requests selected for testing, 1 was not approved by the assigned individual Do we have an audit finding? If so, what is it? 323 Example Evaluation Situation 4 During a test of compliance with eligibility, in a dual-purpose sample of 40 application forms (testing for both internal control and compliance): - All application forms were approved by the director as required (key control) - However, income eligibility was not documented on 4 forms Is there an audit finding? If so, what is it?

109 Single Audit Quality and Best Practices 325 Why Should Single Audits be an Auditor Focus Area? Single audits are a risky business Complex engagements that are very specialized Previous history of quality problems Regulator and other scrutiny - Quality Control Reviews (QCRs) and Desk Reviews of auditors - Single audits are a must select area in peer review - Ongoing federal oversight of non-federal auditees Future OMB study of audit quality required every 6 years by UG - First study to be performed in 2020 or 2021 of engagements submitted no earlier than What Are Common Single Audit Deficiency Areas? If you can get these areas right, you are likely on the way to a quality single audit: - Major program determination - Understanding and testing internal control - Use of Compliance Supplement and compliance testing - SEFA requirements - Ensuring adequate audit documentation - Single audit reporting - Writing findings - DCF problems

110 Best Practices - SFQC Educate staff and partners about the importance of the SFQC - SFQC is the starting point for federal reviews Desk reviews and QCRs - SFQC provides a concise summary of the audit Opinions and Findings Major Programs - SFQC is the basis for the DCF Imperative that they each have the same information 328 Best Practices - SFQC Start with a blank pro forma of the SFQC Use a disclosure checklist to check whether auditee has included all required elements - Identification of major programs - Type A/B dollar threshold - Cross-check to major program audit documentation 329 Key Point Audit reports = SFQC = DCF = Documentation Ensure single audit report on compliance and I/C over compliance appropriately identifies I/C findings - Do not report significant deficiencies or material weaknesses in the management letter in lieu of putting them in your audit report Include all required finding elements in your findings write-ups Do not ignore reporting findings that were corrected later in the year of audit

111 Best Practices Audit Findings Write findings from the perspective of the federal agency and what they need to know Too much is better than too little Consider using a template outlining each of the required criteria to ensure all required elements are included Be specific, particularly in criteria and condition Do not include too much duplication in the descriptions of the condition, effect, and cause Be practical with recommendations 331 Best Practices Reporting Importance of review process of reports, SFQC, and DCF - Use of second reviewer (example concurring reviewer) - Trace major programs in SFQC and DCF to audit documentation - Ensure that SFQC and DCF reflect actual results of audit - Erase prior year major programs before SFQC pro forma Utilize illustrative audit reports - AICPA Audit Guides previously mentioned - GAQC Web site (a sampling of reports available to the public) Click: Resources, then Illustrative Audit Reports 332 Best Practices Using the FAC to Identify Quality Issues

112 Best Practices Using the FAC to Identify Quality Issues Lack of identification of clusters Improper application of definition of a federal program (programs with same CFDA #) Missed major program based on type A program 2-year look back Missed major program based on type A program with a prescribed prior year finding Inadequate percentage of coverage Improper determination of low-risk auditee status Type A program threshold calculation errors 334 What More Can Auditors Do? Focus quality control systems on areas that have shown to be problematic: Pay attention to deficiency listings from the GAQC and the AICPA Peer Review and Ethics teams Keep training current and ensure a focus on single audits 335 Resources to Facilitate a Single Audit

113 Uniform Guidance Access Information All OMB guidance for federal awards streamlined in Title 2 of CFR, Subtitle A, Chapter II, Part 200 How to Access the UG - Electronic Code of Federal Regulations (e-cfr) version 337 Office of Management and Budget OMB Uniform Guidance Web Page - Includes access link to the Uniform Guidance and related supporting materials Access to OMB Compliance Supplement - Current year version and prior year versions available 338 Council on Financial Assistance Reform (COFAR) COFAR Web Site Includes COFAR FAQs - Includes archives of previous training webcasts - Includes federal agency implementation information COFAR Mailing List: Register and receive future announcements, information on upcoming webcasts, and other COFAR resources

114 Catalog of Federal Domestic Assistance - Lists programs by CFDA number, titles - Searchable database - Contains information relevant to auditor regarding purpose of the program 340 Federal Audit Clearinghouse - File DCF and single audit reporting packages - Search the single audit database The FAC's Frequently Asked Questions Web page PDF quick reference guide on navigating the FAC system 341 The GAQC Can Also Be a Resource! Communicatio n (Alerts and Web events) Technical guidance Resources and Practice Aids Advocacy Members and the Public GAQC Web site

115 What is the GAQC? An AICPA Center for CPA firms and State Audit Organizations that perform single audits and other governmental audits (e.g., state and locals, other compliance audits, etc.) Members must comply with certain membership requirements Members receive important information, tools, resources, practice aids, etc. Non-members can also access certain GAQC information that is left open to the public GAQC also assists the auditee community - Check out the GAQC Auditee Resource Center 343 GAQC Web Site GAQC Uniform Guidance Resources Archived GAQC Alerts A sampling of archived UG GAQC Web events: - Uniform Guidance for Federal Awards: Auditor Planning Considerations for the New Single Audit Rules - Uniform Guidance for Federal Awards: How Clients will Need to Monitor Subrecipients Going Forward - Uniform Guidance for Federal Awards: The New Cost Principles, Time and Effort Reporting, Procurement and Other Administrative Requirements Ongoing UG GAQC Web events Tools and practice aids

116 Questions????? 346 Contact Information Diane E Edelstein, CPA Partner dedelstein@md-cpas.com